Tag Archives: Breach reporting

Spam and Botnet Reputation Randomized Control Trials and Policy @ TPRC 41

How to do a ranking when you can’t present a rank list: use a distribution graph. Also how to do a randomized control trial when there are active enemy agents: five ways to find out if and how much they are affecting the results. This was in my apparently annual talk at TPRC 41, the Telecommunications Policy Research Conference in Arlington, Virginia.

With slides, abstract, full paper, and video. The sound is not good, though; it was taken with my smartphone. Why don’t conferences do their own video and put it on the web? There were a few sensitive presentations at this one, but they were few, and the rest could have gone up. They didn’t, so I got somebody to video with my phone.

-jsq

SIRA Security Event in VERIS Community Database of breaches

I’ve provoked an example breach report in the VERIS Community Database by the Verizon Risk Team, recorded in this JSON file, with this summary:

A secondary domain hosted by Bluehost was defaced by an opportunistic attack. We are consolidating the secondary domains in our primary provider and all domains will be pointing to our web site.

Last week I was looking to join SIRA’s email list and mistyped .com for .org. Finding www.societyinforisk.com had “HaCKeD By : brkod” on it, I mentioned that to SIRA. They fixed it as above.

The interesting part is that the VERIS Community Database is an effort to expand the annual Verizon Data Breach Investigations Report (DBIR) into something more timely and comprehensive: it’s not very big yet (63 commits and 1546 incidents), but it’s a welcome start. It doesn’t have nearly the comprehensiveness, frequency, or regularity of the spam blocklist data underlying SpamRankings.net, but it has, or it can have, more depth in reporting what happened and why.

The VERIS Community Database


Syria and Yemen: 29 November 2012

At 10:30 AM GMT yesterday, 29 November 2012, routing to Yemen suddenly changed from London→Dubai through FLAG to New York→Dubai through ETISALAT, as shown in the animation here and detailed in the PerilWatch from InternetPerils. That timing closely matched the 10:26 AM GMT Syrian disconnect time reported by Renesys. This is very reminiscent of Mubarak disconnecting Egypt at 22:30 GMT on 20 January 2011. That tactic didn’t help Mubarak’s regime in Egypt, and it probably won’t help Assad’s regime in Syria; rather the opposite: people don’t like their Internet being turned off, and it tends to cause the international community to rally around the rebels.

-jsq

Microsoft, world leader in Internet security: and spamming?

Microsoft, world leader in Internet security, will doubtless clean up its spamming act when it sees its AS 8075 is #1 for outbound spam in the U.S. for April 2012 in rankings from PSBL data, pushing the U.S. to #1 worldwide. Other rankings don’t show Microsoft high, but does MSFT really want to show up in any of these rankings?

Rank (Previous)  Country  Population     Spam Volume  Percent of top 10
1 (3)            US       310,232,863    673,306      18.2%
2 (2)            IN       1,173,108,018  506,397      13.7%
3 (1)            CN       1,330,044,000  413,089      11.2%
Total                                    3,689,376    100%

These rankings that show Microsoft high are derived by SpamRankings.net from PSBL blocklist data. The April 2012 SpamRankings.net from CBL blocklist data do not show Microsoft in the top 10. Apparently PSBL’s spam traps happened to be in the line of spam from Microsoft, while CBL’s were not.
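The aggregation behind a table like the one above, as an added example that is not SpamRankings.net’s own code: per-AS spam-source counts from a blocklist are summed by country, countries are ranked by volume, and each gets its share of the top-N total plus its rank from the previous month. The AS numbers (other than Microsoft’s AS 8075, named above) and all counts are constructed sample values; the US, IN and CN totals are chosen to match the table, but the percentages differ because this sample has only four countries rather than ten.

```python
from collections import defaultdict

# Constructed sample: one month of per-AS spam-source counts as
# (asn, country, spam_count). AS 8075 is the Microsoft AS named on the
# page; every count here is made up, as are the other AS numbers.
CURRENT = [
    (8075, "US", 400_000), (7922, "US", 273_306),
    (9829, "IN", 306_397), (24560, "IN", 200_000),
    (4134, "CN", 213_089), (4837, "CN", 200_000),
    (3320, "DE", 150_000),
]
# Constructed previous-month ranks, used for the "(Previous)" column.
PREVIOUS_RANK = {"CN": 1, "IN": 2, "US": 3, "DE": 4}


def rank_countries(records, previous_rank, top_n=10):
    """Sum per-AS spam counts by country and rank countries by volume.

    Returns, in rank order, one dict per country in the top N with its
    rank, previous rank (None if it was not ranked before), country code,
    spam volume, and percent of the top-N total, rounded to one decimal.
    """
    totals = defaultdict(int)
    for _asn, country, count in records:
        totals[country] += count
    # Largest volume first; ties broken by country code for a stable order.
    ordered = sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:top_n]
    top_total = sum(volume for _, volume in ordered)
    return [
        {
            "rank": position,
            "previous": previous_rank.get(country),
            "country": country,
            "volume": volume,
            "percent": round(100.0 * volume / top_total, 1),
        }
        for position, (country, volume) in enumerate(ordered, start=1)
    ]


def top_asn(records, country):
    """Return the single largest spam-source AS within one country."""
    in_country = [(asn, count) for asn, c, count in records if c == country]
    return max(in_country, key=lambda pair: pair[1])[0]
```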

And of course Microsoft probably doesn’t mean to be sending any of that spam. More likely botnets exploited an MSFT security vulnerability. Here’s hoping they clean it up soon!

-jsq