Tag Archives: botnet

Rip van Security

Ripvanwinkle.jpg Gunnar Peterson asks a question:
…how do you primarily rely on network security as we have done for the Web’s life, when the Cloud abstracts the network away?
Gunnar points out IT security has been using firewalls and SSL as primary security for every network acccess software change since 1995.
In 1999 when SOAP emerged as a firewall-friendly protocol designed for the explicit reason to go through the firewall, that should have been a wake up call to Information Security that the “firewall + SSL” security architecture was past its prime, but here 10 years later we are still hitting the snooze button.
Here many years after we lost email for everybody but aging geeks and banks, IT security continues to snooze like Rip van Winkle. While the world changes around it: Continue reading

VZ Port 587: Good Try

Back in February, Verizon announced it would start requiring outbound mail go through port 587 instead of port 25 during the next few months. It seemed like a good idea to squelch spam. Most other major ISPs did it. People applauded Verizon for doing it.

Unfortunately, it seems that if it had any effect it was short-lived. Looking at anti-spam blocklists on a daily basis, a couple of Verizon Autonomous Systems (ASes), AS-19262 and AS-701, do show dips in blocklist listings on the blocklist PSBL in March. But they don’t last.

Spammers are very adaptable, partly because the botnets they use are adaptable. Good try, Verizon.

This information is from an NSF-funded academic research project at the University of Texas at Austin business school. Thanks to PSBL for the blocklist data.

-jsq

APWG Atlanta Buckhead

apwgfall08.jpg Five years of the Anti-Phishing Working Group! Dave Jevans gave a retrospective, followed by country reports:

Japan: Pretending to be grandchild to get bank account transfer is popular. ATM scams are the most lucrative.

Russia: Second biggest global source of spam. Ecrime economy is ten times the si ze of the anti-ecrime industry, and that’s a problem.

Brazil: Most phishing is done locally. Is all organized crime.

I don’t want to go into too much detail, even though the bad guys don’t seem to need any help. APWG continues to climb the ecrimeware curve, catching up with th e miscreants.

Fast Flux Mapped

ffcrop.png Australian HoneyNet tracks Fast Flux nodes and maps them:
Below is the current locations of the storm Fast Flux hosts. This is updated every 15 minutes from our database.

I Had to change it to only show the last 6 hours of new nodes since GoogleMaps doesn't scale very well when your reaching past a few thousand markers on a map 🙂

Fast Flux Tracking, Australian HoneyNet Project, accessed 7 Aug 2008

Fast Flux, in case you're not familiar with it, refers to various techniques used by bot herders, spammers, phishers, and the like to evade blocking by rapidly changing which IP addresses are mapped to which domain names.

-jsq