
April 18, 2008

Tokyo in May: CeCOS II

26-27 May 2008 in Tokyo:
The second annual Counter-eCrime Operations Summit (CeCOS II) will engage questions of operational challenges and the development of common resources for the first responders and forensic professionals who protect consumers and enterprises from the ecrime threat every day. This year's meeting will focus on the development of response paradigms and resources for counter-ecrime managers and forensic professionals. Presenters will proffer case studies of national and regional economies under attack, narratives of successful trans-national forensic cooperation as well as models for cooperation and unified response against ecrime and data resources for forensic activities.

Counter-eCrime Operations Summit II, APWG Japan, 2008

The Anti-Phishing Working Group continues to expand via national associates, and to put on good workshops.

-jsq

December 17, 2007

Media Security: Consolidation or Diversity?

Despite a unanimous vote of the Senate Commerce Committee to delay, and a direct question from one of its members (not to mention overwhelming opposition in meetings across the country), FCC Chairman Kevin Martin plans to go ahead with the media consolidation vote scheduled for tomorrow, 18 December, which, given the 3-2 Republican-Democrat makeup of the Commission, will almost certainly result in more media consolidation.
Not only John Kerry, but even Trent Lott and Ted Stevens spoke against Martin's plan. Martin, pretending not to know that newspapers are one of the most profitable industries (and nobody on the Commerce Committee thought to ask him directly whether he knew that; they only asked him if he had seen a specific report that said that), claims that the only way to save newspapers is to let them buy television stations. The New York Times published Martin's op-ed to this effect. (Today the Times did at least publish their own editorial criticizing his position.)

Meanwhile, three members of the House Judiciary Committee have written an op-ed calling for the impeachment of vice-president Cheney, and no major newspaper will carry it, even though one of them, Wexler of Florida, collected more than 50,000 names for it over one weekend (up to 77,000 as of this writing).

Were it left to me to decide whether we should have a government without newspapers, or newspapers without a government, I should not hesitate a moment to prefer the latter.

Letter to Nathaniel Macon, Thomas Jefferson, January 12, 1819

What would Jefferson have thought about newspapers that wouldn't publish a call for impeachment by members of the committee that is supposed to bring such charges? And why, given such a press, is anyone even considering more media consolidation? Which is better for the security of the Republic: more media consolidation or less?

-jsq

December 06, 2007

Chinese Honeynet Project: Botnets Are Sneaky and Evolving; Need Adaptive Distributed Counter

The subject is my interpretation of a sixteen page paper by a joint Chinese-German project to examine botnets in China.
Botnets have become the first-choice attack platform for network-based attacks during the last few years. These networks pose a severe threat to normal operations of the public Internet and affect many Internet users. With the help of a distributed and fully-automated botnet measurement system, we were able to discover and track 3,290 botnets during a period of almost twelve months.

Characterizing the IRC-based Botnet Phenomenon, Jianwei Zhuge, Thorsten Holz, Xinhui Han, Jinpeng Guo, and Wei Zou; Peking University Institute of Computer Science and Technology, Beijing, China; University of Mannheim Laboratory for Dependable Distributed Systems, Mannheim, Germany; Reihe Informatik, TR-2007-010

The paper provides many interesting statistics, such as that only a small percentage of botnets are detected by the usual Internet security companies. But the main point is exactly that a distributed and adaptive honeypot botnet detection network was able to detect and observe botnets in action and to get data for all those statistics. Trying to deal with an international adaptive botnet threat via static software or occasional centralized patches isn't going to work.

Some readers conclude that this paper shows that reputation services don't work, because they don't show most botnets. I conclude that current reputation services don't work because they aren't using an adaptive distributed honeypot network to get their information, and because their published reputation information isn't tied to economic incentives for the affected ISPs and software vendors, such as higher insurance rates.

-jsq

November 20, 2007

Bot Buyin

Bruce, seeing that the Storm Worm has sprouted stock tout popups on its own bots:
(((I'm guessing the next step is to contact Storm bot victims directly and ask them to join the Storm Network voluntarily. After all, if you obeyed that Storm spam pop-up, you cashed in; and this would be a valuable opportunity to become a foot-soldier in the biggest online organized-crime outfit ever.)))

Storm Worm spams its own bots, By Bruce Sterling, Beyond the Beyond, November 15, 2007 | 11:34:00 AM

Having proved that it can infect much of the Internet and the alleged security professionals can do nothing about it, Storm now bids to get its victims to join it?

-jsq

October 04, 2007

Free Burma!

Well, I hadn't been planning on posting more on the Myanmar or Burma situation, but within minutes of my posting yesterday, the Free Burma folks found my post and commented on it with a link back to their site.

I've got to admire their quick use of the Internet to amplify their activism. Their web pages say they only started Sunday. Looks like some of their supporters are actually astroturf web sites, but that just goes with the territory. Also, a lot of people can't type in their own web addresses correctly. However, they've collected a dozen more supporters while I've been typing this.

So, how could I refuse to post again on their requested date, which happened to be today?

-jsq

October 03, 2007

Simply Switched Off the Internet: Myanmar Junta v. Bloggers

When blogging is a revolutionary act:
Internet geeks share a common style, and Ko Latt and his four friends would not be out of place in cyber cafés across the world. They have the skinny arms and the long hair, the dark T-shirts and the jokey nicknames. But few such figures have ever taken the risks that they have in the past few weeks, or achieved so much in a noble and dangerous cause.

Since last month Ko Latt, 28, his friends Arca, Eye, Sun and Superman, and scores of others like them have been the third pillar of Burma’s Saffron Revolution. While the veteran democracy activists, and then the Buddhist monks, marched in their tens of thousands against the military regime, it is the country’s amateur bloggers and internet enthusiasts who have brought the images to the outside world.

Armed with small digital cameras, they have documented the spectacular growth of the demonstrations from crowds of a few hundred to as many as 100,000. On weblogs they have recorded in words and pictures the regime’s bloody crackdown, in a city where only a handful of foreign journalists work undercover. With downloaded software, they have dodged and weaved around the regime’s increasingly desperate attempts to thwart their work. Now the bloggers, too, have been crushed. Having failed to stop the cyber-dissidents broadcasting to the world, the authorities have simply switched off the internet.

Bloggers who risked all to reveal the junta’s brutal crackdown in Burma, by Kenneth Denby, The Times, 1 October 2007

Unfortunately for the bloggers, they all had to register with the government to be allowed to blog in the first place. If the junta falls, they'll be heroes. If it survives, they'll probably be dead.

This is not the first time.


September 27, 2007

Mortgage Confusopoly Disintermediated

Adam Shostack finds a company disintermediating the other half of the house buying confusopoly, mortgages:
SmartHippo today launched the public beta version of the first ever web site that allows individuals to use the power of a community to save money and make better decisions when shopping for rates on financial products and services.

"The lending industry is in a state of transformation," said George Favvas, President of SmartHippo, "and consumers are demanding more control and transparency in their dealings with banks and mortgage companies."

SmartHippo allows any individual to post information and feedback on the rate they received, and to compare rates with other members of the community with similar profiles. This lessens the chance of consumers with the same lending and risk profile getting different rates on the same loan, which can happen currently.

SmartHippo.com Launches World's First Community Comparison Shopping Site for Financial Services at TechCrunch40 Event; Founding Participating Banks Include QuickenLoans and Bank of Internet, PRWeb, 17 Sept 2007

This is different from companies like LendingTree that already facilitate getting multiple bids for mortgages in that SmartHippo lets mortgage customers comment on their experiences. Participatory, if you will.

-jsq

September 24, 2007

Web Panopticons: China and U.S.

Fergie points out a university project investigating censorship:

The "Great Firewall of China," used by the government of the People's Republic of China to block users from reaching content it finds objectionable, is actually a "panopticon" that encourages self-censorship through the perception that users are being watched, rather than a true firewall, according to researchers at UC Davis and the University of New Mexico.

The researchers are developing an automated tool, called ConceptDoppler, to act as a weather report on changes in Internet censorship in China. ConceptDoppler uses mathematical techniques to cluster words by meaning and identify keywords that are likely to be blacklisted.

University Researchers Analyze China's Internet Censorship System, News Report, Government Technology News, Sep 11, 2007

So the Great Firewall of China watches what users are doing by actively intercepting their traffic. Meanwhile, back in the U.S. of A., how about a passive web panopticon?


September 18, 2007

What It Will Take to Win

IT and Internet security people and companies act mostly as an aftermarket. Meanwhile, the black hats are a well-integrated economy of coders, bot herders, and entrepreneurs. This is what it will take for the white hats to win:
It can seem overwhelming for security people who are typically housed in a separate organization, to begin to engage with software developers and architects to implement secure coding practices in an enterprise. While the security team may know that there are security vulnerabilities in the systems, they have to be able to articulate the specific issues and communicate some ideas on resolutions. This can be a daunting task especially if the security team does not have a prior working relationship with the development staff, and understand their environment.

...

The task seems daunting also because there are so many developers compared to security people. I am here to tell you though that you don't have to win over every last developer to make some major improvements. In my experience a small percentage of developers write the majority of code that actually goes live. The lead developers (who may be buried deep in the org charts) are the ones you need to engage, in many cases they really don't want to write insecure code, they just lack the knowledge of how to build better. Once you have a relationship (i.e. that you are not just there to audit and report on them, but are there to help *build* more secure code) it is surprisingly easy to get security improvements into a system, especially if the design is well thought and clearly articulated. You don't have to get the proverbial stardotstar, each and every developer on board to make positive improvements, it can be incremental. See some more specific ideas on phasing security in the SDLC here. In the meantime, with security budgets increasing 20% a year, use some of that money to take your top developers out to lunch.

Secure Coding - Getting Buy In, Gunnar Peterson, 1Raindrop, 17 Sep 2007

The start of what it will take.

-jsq

September 17, 2007

Online Crime Pays

Why Internet security professionals are losing:

Today, few malware developers use their own code. They write it for the same reason commercial software developers do: to sell it for a healthy profit. If you've ever bought anything online, buying from them may be disconcertingly familiar. If you want to break into a computer or steal credit card numbers, you can buy the necessary software online, just like almost anything else. More than that, you can find user friendly, point-and-click attack applications that have been pre-tested and reviewed by experts, and read through customer feedback before making your purchase.

You might even be able to buy technical support or get a money back guarantee. Some developers offer their malware through a software-as-a-service model. If you prefer an even more hands-off approach, you can simply buy pre-screened credit card numbers and identity information itself, or sign a services agreement with someone who will do the dirty work for you. As in many other industries, money has given rise to professionalism.

Online crime and malware development has become a full-blown and extremely profitable commercial enterprise that in many ways mirrors the legitimate software market. "We're in a world where these guys might as well just incorporate," says David Parry, Trend Micro's Global Director of Security Education. "There's certainly more money in the cybercrime market than the antivirus market. The internet security industry is a drop in the bucket; we're talking about hundreds of billions of dollars."

Computer crime is slicker than you think, By David Raikow, CRN, 16 August 2007 08:04AM

Makes you wonder how long until traditional security companies get bought out by newly-IPOed offshore malware corps.

-jsq
