Terry Zink's Cyber Security Blog

How frequently do botnets reuse IP addresses?

tzink — Fri, 10 Feb 2012 20:00:06 GMT

I wonder how much botnets reuse IP addresses. Do they infect a system and spam, get blocked, discard the IP and move onto the next (new) one? This means that they have a nearly unlimited supply of IP addresses. Or do they infect a system and spam, get blocked, and then let it go dormant only to awaken it some time later? If

I decided to take a look. To do this, I made a list of all the IPs that sent us mail that I could identify as part of a botnet (excluding unknown ones) since July 2011, a time span of 7.5 months. I then took all of the IPs that sent us mail today (or rather, the past 24 hours), and ran them against this list. The IPs that were on the botnet list were eventually blocked as spam. If IPs that sent us mail today appear on this list of botnet IPs, that means that botnets do reuse their IPs.

The question is what is the average time displacement of time-to-block vs time-to-resurrect, and do some bots do it more than others? Here are the results:

Top 10 Botnets that Reuse IP addresses

cutwail [14.5]
darkmailer [7.3]
maazben [4.0]
asprox [3.2]
sendsafe [2.4]
lethic [2.3]
grum [1.7]
fivetoone [1.2]
festi [1.0]
spamsalot [1.0]

The numbers in square brackets are relative values compared to the lowest one. This means that if spamsalot reused 20 distinct IP addresses, then cutwail reused 14.5 x 20 = 290 distinct IPs. Or, to put it another way, an IP that sent us mail today was also used by cutwail once in the past 7.5 months. By contrast, 14.5 IPs that sent us mail today were used cutwail in the past 7.5 months.

In other words, cutwail reuses its IPs much more than any other botnet.

Digging deeper, and explaining it better because the above paragraph makes no sense, I took a look at where the biggest amount of reuse occurred. Of all the IPs that sent us mail today, that at one time sent mail for cutwail, 28% of them were on Oct 27. The next largest value, Dec 17, only comprises 3%. Thus, for cutwail, there is a lag of around 3.5 months before it tries to reuse the same IPs. Asprox shows a similar reuse pattern for Oct 27.

Thus, while botnets do reuse IPs to send spam after they have been blocked, they don’t do it a lot. Of the ones that do resend, they don’t use very many of them again.

Clearly, spammers know when they have been blocked and keep bringing up new troops.

Top bots in 2012 so far

tzink — Fri, 10 Feb 2012 01:18:38 GMT

Sometimes I read articles about the size of botnets. For example, this article on Krebs on Security is called “Who’s Behind the World’s Largest Spam Botnet?” Krebs names grum as the biggest botnet.

How is the size of the botnet measured? There are multiple ways, here are three:

Which botnet contains the most distinct sending IP addresses.
Which botnet sends the most spam messages.
Which botnet contains the most computers. These computers might be using the same IP or they may be dormant.

I collect statistics on (1) and (2), but not (3). Microsoft does collect malware statistics through its Microsoft Security Essentials A/V software, as well as the Malicious Software Removal Tool, but I can’t correlate its data with my own (we use two different sources to identify them).

But using this, which are the top 10 botnets by distinct number of IP addresses since Jan 1, 2012 (that have sent mail to our services, YMMV)?

Top Botnets by IP since Jan 1, 2012

[95.7] cutwail
[82.1]grum
[41.8] lethic
[23.7] bobax
[14.5] fivetoone
[11.3] darkmailer
[10.5] maazben
[2.0] gheg
[1.4] sendsafe
[1.0] s_torpig

The numbers in square brackets are the normalized values of number of IPs. For example, cutwail contains 95.7 times as many distinct IPs as s_torpig.

Top Botnets by # emails since Jan 1, 2012

[185.8] lethic
[33.4] cutwail
[32.0] grum
[11.2] darkmailer
[8.5] maazben
[7.0] bobax
[3.2] spamsalot
[3.1] gheg
[2.1] fivetoone
[1.0] phish

Going by these numbers, grum is the second largest by IP address and the third largest by volume of mail, but it is significantly smaller when it comes to volume of mail. It deserves the name of “one of the largest botnets” but by our data it is not the largest one that sends spam to us.

The biggest one is either cutwail or lethic. I’d list grum third.

Real or fake?

tzink — Fri, 10 Feb 2012 00:52:41 GMT

The other day, security writer/worker (what doesn’t that guy work on these days?) developed a handy-dandy little game called “Phish or Fake.” He wrote about it in his blog post here.

In the game, he shows you a domain like BANCOFAMERICAN.COM and asks you whether or not the domain really belongs to Bank of America? The game then shows you lots of domains, asking you Yes or No. There are a lot of domains out there that you would never think belong to BofA:

ATLANTAMORTGAGEADVISORS.COM
CREDITCARDINVITE.COM
MERRILLNETACCESS.COM
AFFILIATEDHOMELENDING.COM
DERIVDEALER.COM
COUNTRYWIDEREVERSEMORTGAGE.COM
BACMERRILLLYNCH.COM
XN--FIQZ9S5N9AK3P.COM

Looking at these domains above, you’d never be able to distinguish them from phishing domains:

COMBANKOFAMERICA.COM
MAXAMVBANKOFAMERICA.COM
BANKUFAMERICA.COM
BANKOFAMERICAPRIVACYASSIST.COM
BANKERSLIFEINSURANCECOMPANYOFAMERICA.COM
BANKOFAMERICA-LOAN-MODIFICATIONS.COM
BANK-OF-AMERICA-INCORPORATED-CO-OPERATIVE-BANK.COM
BANKOFAMERICA-LOAN-MODIFICATIONS.COM

When I first played this game, my score sucked. I tried to tell the difference between them by visual inspection alone. It cannot be done, there’s no rhyme or reason to it. If I, as a security professional, can’t tell the difference, how do we expect the average user to do it?

One way is to do a WHOIS lookup on all of the links. Of course, 0% of people on the Internet even know what a WHOIS lookup is (figure rounded down). If you get a message in your email from Bank of America and it contains a link that doesn’t point to something you recognize, how would you ever know that it’s legitimate simply by visual inspection?

You can’t.

However, it’s not as bad as it sounds. While Bank of America does have a lot of domains registered to them, it doesn’t mean they use all of them. They may buy them up in advance to avoid somebody else purchasing them, squatting on them and forcing them to pay up a lot more money later on.

Or, they may buy up whatever combinations they can think of so phishers cannot use them later on. That, of course, is a game they will never win because phishers can come up with an almost infinite number of domains that sound legitimate that BofA never thought to pre-acquire. They can also use HTML tricks to conceal the real URL direction (many users do not hover their mouse over the link to see where it actually goes).

I don’t know who BofA sends mail as; but going by the number of domains they have registered there is a lot they could send as.

Let’s hope they never do.

What do ordinary people think of the Gmail man?

tzink — Mon, 06 Feb 2012 23:28:32 GMT

A couple of days ago, I posted a link to a video by Microsoft parodying Gmail – the Gmail man. In it, the video pokes fun at Google’s habit of making advertisements more relevant to its user base by extracting keywords from emails and using them to serve ads that match those keywords.

I decided to ask a member of the regular public what they thought of such policy – my wife. We were driving in the car and I asked her a question: “What do you think about all of the ads that you see in your Gmail account? The ones that appear on the side of the window? Do you think they’d be useful to you if they were about topics that were of interest to you?” I then rattled off a couple of her interests.

“Uh,” she said and thought about. “I guess I’d like that but I never see them. I just see my message and my background image and never pay attention to those ads.” (I bet a lot of people say stuff like that).

I then asked a follow up question. “What do you think if Gmail were reading your email messages, looking for keywords, so they could match up to give you more relevant ads?” I explained that this was an automatic, not human process, and that they were using it to match words-to-topics.

“What?” she exclaimed in disbelief. “I don’t think they should be doing that!”

Based upon my sample size of 1 member of the general public, I bet almost all people would have issues with Gmail doing keyword extraction.

The Stratfor hack is not over yet

tzink — Mon, 06 Feb 2012 17:32:37 GMT

Thanks to Anonymous and their Christmas hacking of Stratfor, I have not only had to change my credit card number and sign up for identity theft protection, I am also the target of spear phishing attacks.

This past weekend, I got the following message in my personal email account:

From: Stratfor
To: Me
Date: Sunday, Feb 5, 2012
Subject: Stratfor: Beware of false communications

<No body of message>

Attachment: STRATFOR.pdf

The message body is empty but there is a pdf attachment that I have yet to open. This is a spam message because the sending IP is not Stratfor’s but instead is 81.26.219.53, da.yourchance.nl. The sending domain is historyofpop.nl which passes an SPF check. There are a couple of ways to interpret this but it’s possible that domain is compromised and the spammer is sending mail from it.

The message looked very suspicious to me. An empty body? Sure, it passed an SPF check, but an empty body and a pdf attachment? Stratfor never sends mail like that, ever.

I have not opened up the pdf attachment yet. I suspect it is some sort of phishing message but something in the back of my head has kicked my paranoid meter into overdrive. I’m worried that even though I am nobody special, the attachment could be an Advanced Persistent Threat. Wasn’t RSA hacked in a similar manner last year when someone dug a message similar to that out of their spam folder?

So now this message just sits in my Stratfor folder, waiting, waiting, waiting. For what, I am not sure. Perhaps I will open it up on my Mac and have a look there. Hopefully it’s just a phishing attempt and nothing more than that.

The Gmail man!

tzink — Fri, 03 Feb 2012 17:43:38 GMT

I have to admit that this advertisement by Microsoft, poking fun at Google and Gmail – with an advert for its Office 365 service – is pretty funny.

In it, they take shots at Google’s habit of scanning your email messages and extracting keywords and tokens in order to better target advertisements that cross your screen. So, if I were to email people about the broker I use, say, TD Ameritrade, and talk about the run up in the Nasdaq we’ve had since the start of the year, then Gmail would serve me ads about investment seminars and trading products and maybe even advertisements for cheaper brokers.

On the one hand, I like targeted advertisements that are relevant to me. There are certain things I care about:

Thai food
Magic books
Software that would make stock trading easier so I don’t have to write it all myself using tons of copy/pasting in Excel

But do I want Gmail reading my email, looking for keywords? Do I care about targeted advertising that much?

Which do I value more? Keeping my email private or having relevant products brought to me for my perusal? Which do you value more?

New email authentication protocol – DMARC

tzink — Tue, 31 Jan 2012 04:43:27 GMT

Today, a consortium of companies including Google, Microsoft, Facebook and Paypal announced that they were collaborating and coming up with a new protocol known as DMARC – the Domain-based Message Authentication, Reporting and Conformance.

What is DMARC?

This is very much a summary of DMARC in a nutshell (I will probably write an article about this in the future), but from the website:

A DMARC policy allows a sender to indicate that their emails are protected by SPF and/or DKIM, and tells a receiver what to do if neither of those authentication methods passes - such as junk or reject the message. DMARC removes guesswork from the receiver's handling of these failed messages, limiting or eliminating the user's exposure to potentially fraudulent & harmful messages. DMARC also provides a way for the email receiver to report back to the sender about messages that pass and/or fail DMARC evaluation.

When I first heard about DMARC, I said to myself “Self, why do we need another email authentication protocol?” The answer is that DMARC is not another protocol but instead leverages existing email authentication protocols and provides feedback to the spoofed domain.

SPF already provides a way to say “If this message fails an SPF check, discard the message.” It’s called a Hard Fail. However, not all hard fails are illegitimate (there are significant false positives with SPF). DKIM, in itself, doesn’t provide a way to discard a message if it fails an authentication check. This makes it less useful in securing the Internet (i.e., it is a barrier to adoption).

Besides which, what happens if an SPF check asses but a DKIM check doesn’t? And if one of them fails, who should you tell? DMARC provides a mechanism that says “If one of these checks fails, discard the message.” But furthermore, it also provides a way to tell the responsible party that the message failed a check. For example, if security@paypal.com fails a DMARC check (either through SPF or DKIM), the email receiver can send the message to an email address that says “Hey, this message failed an SPF check. Was it legitimate or not?” If it is a false positive (perhaps a new server brought online), Paypal can add it to its SPF check. If it’s a phishing message, Paypal can investigate to have the website taken down.

The strength of DMARC is that it is a stronger way to protect a brand from being abused; receivers can discard spoofed messages and senders can figure out just who, exactly, is sending mail as them.

The weak point of DMARC is, unfortunately, the weak point of SPF and DKIM – spammers and phishers don’t need to spoof a domain in order to fool users into taking action. If a spammer sends mail from security@paypal.com.yakzas.com (a fictitious domain), many users just see that first part (paypal.com) without being more aware that there is more to the message.

And if a phisher signs up for a cloud service that issues temporary credentials, they can create the account paypale.onmicrosoft.com and send spam from there to avoid IP reputation blocking (and to the spammer that is abusing our Office 365 service, we know what you’re doing, you jackass) while hijacking the reputation of another brand in the From address.

The strength of DMARC is not so much that it combats phishing but that if a good domain is authenticated, mail user agents (like Gmail, Hotmail, Outlook, etc) can highlight that the sender is a trusted sender and highlight it in blue or put a little icon beside it. Since users use visual clues to make heuristic decisions, the lack of a trusted symbol can train people to be suspicious.

Anyhow, it’s nice to see that the authentication/validation protocols are consolidating.

Spam campaign morphs again

tzink — Wed, 25 Jan 2012 19:21:51 GMT

I earlier wrote about an eTrade spam campaign that morphed into a Bank of America spam campaign. Subsequent mutations saw this spammer use the same tactic over and over again, but slightly modify it. We saw LinkedIn spam and “You have a transaction” spam.

Now, the spammer has morphed again, no doubt because filters updated and blocked it. The newest technique is the following:

The spammer sends mail from a Yahoo account that is either compromised or he registered it himself.
The subject line contains something like “Net teller Payment ID” or Websterbank payment ID”. It next contains a bit of HTML code and then a link to an http://goo.gl shortened URL.
The message body is empty. This means that the entire payload is in the message subject.
The subject line is encoded in the ISO-8859-1 (Western European) charset, and uses quoted printable. This means that a subject line that looks like this to the user:

W: Re:Websterbank Payment ID,,,,<div class="ëéèhttp://goo.gl/<redacted>}(ìê779765289255

Looks like this to the spam filter:

=?iso-8859-1?Q?Re=3AWebsterbank_Payment_ID=2C=2C=2C=2C=3C
div_class=3D=22?= =?iso-8859-1?Q?=EB=E9=E8http=3A//
goo=2Egl/<redacted>=7D=28=EC=EA779765289255?=

This is the same guy who has been operating for a month, sending out new spam blitzes every couple of days. Yet his tactics have changed. Originally, he sent out spam by using his botnets to connect to a second set of botnets to relay spam directly. Now his first set of botnets connect to Yahoo and send out spam that way; he has streamlined it presumably in an effort to get around IP blocklists.

The move to the subject line is curious. If it’s on purpose, and not because his malware is broken, he’s done that to avoid content filtering. However:

Why is there HTML code in the subject line? Was it copied-and-pasted from previous spam campaigns and not proofread before this one went out?
Why is there so much heavily encoded quoted printable in the subject line? Is this an attempt to evade filters?
What is the ROI for putting the http link in the subject line? Users cannot automatically click the subject line the way they could in the message body. With this campaign, they have to manually copy and paste it into a browser, and the fact is that the message is not readable.

I really wish Google and Yahoo would catch this guy and shut him down.

MegaUpload disrupted; Anonymous retaliates

tzink — Wed, 25 Jan 2012 06:16:55 GMT

In case you haven’t been following the news, the US Department of Justice seized the file-sharing site MegaUpload, taking its domain names, $50 million in assets, and coordinated with law enforcement officials in other countries to arrest key employees, as described by ars technica.

MegaUpload, as the name suggests, is (was) a file-sharing site that officially discouraged the uploading of copyrighted material. However, the government alleges that employees of the site knew full well that they were distributing infringing content. The government points to numerous internal e-mails and chat logs from employees showing that they were aware of copyrighted material on the site and even shared it with each other. Because of this, the government says that the site does not qualify for a “safe harbor” of the kind that protected YouTube from Viacom's $1 billion lawsuit.

The obvious question arises: why do we need bills like SOPA and PIPA if the federal government already has the authority to shut down illegal file sharing sites?

In response to the US government’s action to stop illegal file sharing and copyright infringement, and the takedown of MegaUpload, hacking group Anonymous released a message sharing its thoughts:

Click to view the video

Here are some excerpts from the transcript of the video:

We have been watching recent events as they have slowly but surely unfolded, from the distortion and destruction of the first amendment to legalize and justify political bribery, to the dawn of a new political struggle consisting of millions of citizens crying out in indignation at this misappropriation of the judicial system, and to the very proposal of the so called, "Stop Online Piracy Act", SOPA, without any concern to ethicality, morality, or responsibility.

Suffice to say, we are angry.

<snip>

Citizens of the Global Community, join us. Let us defend our home, the internet.

Operation Revenge, engaged.
Operation Megaupload, engaged.
Operation Blackout, engaged.

We are Anonymous.
We are Legion.
We do not Forgive.
We do not Forget.
To the United States Government, you should've expected us.

Yahoo News later reported Anonymous claimed responsibility for temporarily disrupting CBS.com (showing only a pixel on the screen) and earlier launching a DOS attack on the Department of Justice.

Yet Anonymous, while condemning the ethics of the US government, redefines its own set of morals. A version of Anonymous’s voluntary botnet software, known as LOIC (Low Orbit Ion Canon), was modified to make it not so voluntary, drafting unwary bystanders, journalists, and even anons who don’t support DDoS tactics into attacks on U.S. Justice Department. Those who happened to click on a shortened link on social media services, expecting information on the ongoing #opmegaupload retaliation for the U.S. Justice Department’s take down of popular file sharing site Megaupload. Instead they were greeted by a Javascript version of LOIC — already firing packets at targeted websites by the time their page was loaded.

Note the paradox of ethical conduct:

Shutting down a file sharing site that is knowingly breaking US law by distributing copyrighted material is wrong.
Secretly conscripting users into a DDOS attack is permissible.

While Anonymous’ actions are consistent with hacktivism and the hacker ethic, their brashness risks drawing the attention and ire of law enforcement.

In the stock market, there is a saying: There are old traders, and there are bold traders. But there are no old, bold traders.

Hackivists would do well to heed this advice.

Hotmail rolls out features to help deal with gray mail

tzink — Wed, 25 Jan 2012 05:48:21 GMT

In a story announced last week, Hotmail has released a new version of itself to help users deal with the problem of gray mail. Gray mail is marketing mail that straddles the line between spam and ham; to some it’s spam, but to others it is legitimate. This makes it difficult for filters to make a global decision because no matter what action the filters takes at a global level, users will either complain about missed spam or false positives (an example from back in the day were messages from reunion.com).

From the Hotmail blog:

When inbox spam was at 30%, our job was really clear—our enemy, clever as he remains, was impossible to miss. We made huge investments in SmartScreen and reduced spam to historic lows of less than 3%.

With spam at manageable levels, we began looking at the rest of the inbox, and what we found was pretty surprising.

We could easily tell which messages were person-to-person, and we identified spam getting past our filters. The majority of what was left was something we refer to as graymail, and when thinking about how to deal with graymail, it became clear that the fundamental problem wasn’t just which things to accept or reject. Unlike spam, which everyone wants to be rid of, there is no general agreement on how to deal with graymail.

<snip>

Using Hotmail’s categorization tool, you can change the categorization of a message—for example, marking or unmarking it as a newsletter. This generates feedback that the newsletter filter learns from, so it’s able to overcome previous mistakes as well as stay on top of new newsletters. This means the rules set up to deal with newsletters will not just apply to old ones, but also to new newsletters created after you’ve refined the rules to deal with newsletters. The best part is that SmartScreen learns from what customers do with their newsletters, and everyone benefits as the filter gets smarter!

The essence of the feature is that Hotmail’s spam filters are getting better and better trained to identify newsletters and allow its users to categorize the mails efficiently, visually marking them as such so users can navigate their inbox quicker.

Users can the mark or unmark newsletters depending on what they think the message is. This helps to build a more personalized inbox.

The feature is similar to Gmail’s Priority Inbox which has been around for a little over a year. It also is similar to our own feature for handling Bulk Mail, which we released 7 months ago.

Yet our feature is also different from Hotmail’s. Consider their definition of a newsletter:

To get Hotmail to identify newsletters for us, we began by making a list of newsletter characteristics and built a piece of software to extract them from incoming emails. This list forms the model of what makes newsletters different from all other mail and includes three aspects: presence of the List-Unsubscribe header, the sending email address, and what gets shown to the user.

Newsletters that have these characteristics are more often legitimate than not (well, in the past that was the case although it is less true today). By contrast, our bulk mail filter covers a wider range of email:

Spam …….—>……Bulk mail filter….<—…..….. Good mail

Thus, whereas Hotmail leans more towards legitimate mail, and so does Gmail, we lump dark gray-hat marketers in with lighter gray-hat marketers.

As I have written elsewhere on this blog, bulk mail (and snowshoe spam) is among the most complained about spam today. But it’s still difficult to differentiate. The future of spam filtering lies not in detecting malicious spam from botnets, but in personalizing the user experience so that the bulk mail they want does arrive in their inbox.

My views on SOPA

tzink — Thu, 19 Jan 2012 20:00:57 GMT

During my 4-part series write up on SOPA, I approached it with a neutral tone. I was hearing from everywhere that it was a horrible piece of legislation, but I wanted to find out for myself. The goal was to look at it from the technical perspective and compare it to what’s going on today from the abuse angle, and then look at it from the non-technical ramifications. Were the decries from everywhere overheated rhetoric? Or was there substance?

I then wanted to look at some of the criticisms and see whether or not they are valid. I have long since learned that if you’re firmly attached to one side of the debate, it becomes emotional. Once it becomes emotional, it doesn’t matter whether or not you are right or wrong; you just hold firmly to your position. In the past, I have done this very thing which is why I tried to avoid looking at it from the point of view that “SOPA is bad!” or “We need this to stop online piracy!”

I see from one of my commenters that I’ve been accused of being a shill for industry. I guess that comes from the subject line of my blog post not coming out against the legislation. It also comes with the territory of writing about controversial topics.

I wasn’t explicit about which way I leaned in my blog posts, although if you read carefully you can figure it out.

I said that some criticisms were spurious, but I also said others were valid.
I said that the entertainment industry is going to have to change their business model.
I said that cracking down on copyright infringement would make the Internet boring, and I then posted a clip to a piece of copyrighted material.

Without resorting to hyperbole and looking at both sides, you should know where I stand.

What is SOPA? And is it as bad as everyone says it is? Part 4

tzink — Thu, 19 Jan 2012 00:15:51 GMT

Continuing on in my series on SOPA, here are some more arguments that people make against the legislation.

3. Other countries will get mad at the United States if they pass this legislation and retaliate

Does anyone really think that if we start blocking offshore sites arbitrarily, other countries won't follow suit?

The United States is not proposing blocking sites arbitrarily, these bills propose blocking websites that are violating the US Criminal Code.

This isn’t the same thing as a trade war where countries impose tariffs on one another’s goods in order to protect their own domestic goods. There are already lots of laws in place that restrict US companies from doing business abroad. The State Department lists various terrorist organizations and companies cannot do business with them. Companies cannot export certain kinds of products into or out of the US. Companies are already not allowed to sell illegal pharmaceuticals in the US even if they already are located offshore. And so forth. The US is proposing legislation to restrict online crime. What are other countries going to do, pass legislation of their own restricting online crime?

Well, I guess they might.

But this complaint is probably spurious.

4. The legislation is too broad

The major complaint against SOPA is that the legislation is too broad. Any plaintiff who owns a copyright can serve notice against another website, forcing them to remove the restricted content. After all:

"Facilitation" can often be argued as simply teaching or demonstrating how to do something. Under this definition, a site could be targeted for something as simple as describing how to rip a Blu-Ray. This language also makes it clear that the legislation is not solely targeting sites "dedicated to theft".

Critics claim that this is an attack on free speech because there is so much wriggle room. What does “facilitate” mean? If YouTube has videos of people posting how to rip a DVD, or on a discussion forum talking about how to share warez, or if Wikipedia has linked to articles that contain copyright infringed material (because of all of their citations), any one of these sites could be taken down for violating SOPA. Indeed, even discussing how to do it could be deemed “facilitating.”

That’s why opponents of the bill are so up in arms. It pretty much comes down to people fighting back against the Recording Industry or Movie Industry; us users are still mad that they shut down Napster and now we’re mad that they want to take away our free downloads.

Well, okay, that’s not entirely true. But the risk here is that even small infractions like images or songs or movie clips are subject to copyright violations even if they are considered innocuous. If someone is going to go crazy and force everyone to take down the websites, that ruins it for everyone. Websites would clamp down on user comments, blogs will too, and the Internet becomes read-only (since commenters can post to copyright infringing websites and the site owners have to moderate that). That would increase the Internet’s suckitude by a factor of 100. It’s already annoying when half the video clips I want to watch have been taken down.

Click for video about how an amendment becomes law!

Why the doomsday scenarios are probably overstated, the fact is that the SOPA legislation is broad. But at the same time, we don’t know what “facilitating” means. I don’t have the legal background or case history to interpret how this works.

Legislation works better when it is defined and clear, not broad. Does this matter? It usually does.

This complaint is valid, although the claims that it violates free speech are likely overstated. The claims that this will squeeze the life out of user creativity is probably correct. See this video at TED for a good summary.

5. It won’t stop piracy

Out of all of the criticisms of the legislation, this one is the strongest. For all of the web filtering and domain scrubbing that is required, there are a few ways to get around it. People will write browser extensions to circumvent DNS filtering. People can always use proxies and relays. And people will make their browsers more insecure in order to get around the blocks.

I read CircleID’s article about this and it’s too dense to discuss here, but the authors are right. It’s easy for users to navigate around the proposed legislation, and it does break some of the Internet’s security protocols. If it won’t solve the problem then it’s not even worth passing the bill.

This complaint is valid.

===============

The fight against SOPA and PIPA is similar to the fight for Network Neutrality. The Internet should be a dumb pipe that routes all content from source to destination, according to its optimal path, regardless of what that content contains. Any attempts to interfere with it must be resisted because future governments or corporations will take advantage of it to the detriment of its users.

So what will be the solution to online piracy and illegal pharmaceuticals? It’ll be the same things I mentioned above – companies like Google, Verizon and Paypal clamping down on people breaking the law while avoiding targeting its users.

The recording and entertainment industry is also probably going to have to accept the fact that their model is changing. Destroying Napster’s free giveaways didn’t send people back to CDs, but instead opened up the marketplace for 99 cent songs through Amazon and iTunes. Going after illegal movie downloaders will end up the same way – people are used to getting stuff for free… or almost free. Suing your user base is not a sustainable model (and ticks off Anonymous). Good thing we already have a service that provides movies on the web for a low price.

It’s called Netflix.

What is SOPA? And is it as bad as everyone says it is? Part 3

tzink — Thu, 19 Jan 2012 00:13:29 GMT

Critics have numerous complaints about SOPA. Here’s one that is designed to scare the daylights out of you:

Holy Festivus! The United States is the next China, Iran and Syria!

Here are a few of the complaints:

1. It will require deep packet inspection

The exact requirements will depend on what the removal order says. The Recording Industry Association of America says that SOPA could be used to force Internet providers to block by "Internet Protocol address" and deny "access to only the illegal part of the site." It would come as no surprise if copyright holders suggested wording to the Justice Department, which would in turn seek a judge's signature on the removal order.

Deep packet inspection, meaning forcing an Internet provider to intercept and analyze customers' Web traffic, is the only way to block access to specific URLs.

Deep Packet Inspection, or DPI, is anathema to Internet privacy advocates because it means that ISPs or network operators can take a look inside the Internet packets and make decisions about how to route the traffic. This is considered intrusive because an ISP can give users a degraded experience if they do things that aren’t in their own financial interests (e.g., if NBC owns Comcast, then they might route a user over a slower pipe if they view TV shows on abc.com).

DPI is not required, at least not in this case. URL/host resolution is required for every single Internet transaction when you are browsing the web. The only way for you to browse to a web page is for your ISP to convert URLs to IP addresses. Thus, if the ISP were to block your access to the IP, they don’t have to do anything more intrusive than they are already doing, they only need to make the decision to not resolve it and instead return an error or redirect you to another web page. Comcast does this if your computer is contacting C&C’s and they don’t use DPI.

This complaint is spurious.

2. It will cost the economy jobs

This argument says that entrepreneurs who try to start up web-based businesses will have to invest piles of money up front to deal with legal fees (to combat continual lawsuits) from plaintiffs who claim that they are infringing on their intellectual property. Because of the increase in possible legal feeds, people will not bother creating Internet companies. It just isn’t worth the effort. If you check out the Wikipedia article, there are a bunch of quotes from people who claim that it will hurt Internet commerce. Says Gary Shapiro, CEO of the Consumer Electronics Association, “The result will be more lawsuits, decreased venture capital investment, and fewer new jobs.”

The problem with saying that Legislation X will cost more jobs is that people are very poor at predicting the economic results of their actions. Even economists don’t do a very good job. No matter what happens, there is always somebody claiming that it will result in the end of the world and it doesn’t matter what side of the aisle you are on.
For example, people on the political right claim that higher regulations and taxes stifle the economy and put unnecessary burdens on businesses. As a result, more taxes and regulations are bad. Yet in the 1990’s for example, when the Glass-Steagall Act was in place, businesses did just fine. Similarly, studies done of countries with higher tax rates and lower tax rates (US, France, other European countries – see Ken Fisher’s book Debunkery) do not materially affect stock market returns.

On the other hand, people on the left flipped out (they got angrier than an environmentalist who sees an SUV with one driver) when they discovered that the NSA was intercepting phone calls to people in the US without a warrant. To them, this signaled that the US government was soon to turn on its own citizens and clamp down on individual rights. Of course, that never happened and the program was very contained (the NSA was too busy working on an industrial piece of mal—um, never mind).

Whether you agree with my political and economic statements or not, the fact is that we aren’t very good at predicting the economic implications of this legislation. You could argue that this will divert startups away from even bothering to try. But you could also argue that new startups will arise whose sole purpose it is to assist companies with compliance of this new legislation. In which case, this legislation will create new jobs! Which one is correct? Nobody knows, and that’s my point.

This complaint may or may not be spurious.

What is SOPA? And is it as bad as everyone says it is? Part 2

tzink — Thu, 19 Jan 2012 00:11:10 GMT

Continuing on from my previous post, the SOPA process is this:

A website based in China hosts a bunch of illegally obtained, copyrighted material. Let’s assume that these are all movies, and the website is called “http://myfreemovies.cn. The A-record for this website is 292.168.11.47. They make these movies available for free to anyone who logs in and downloads them (i.e., the Napster model). This is against US law.
The Attorney General discovers this web site and asks China to shut it down. The country of China responds with “GFY. And MYOB.”
The Attorney General issues notices to the following US corporations:
1. To Google, Yahoo and Microsoft, ordering them to exclude myfreemovies.cn from any search result.
2. To Google (again), ordering them to refuse serving up and taking any revenue from advertisements on myfreemovies.cn.
3. To Comcast, Verizon and RoadRunner, telling them to refuse resolution for any http request that points to 292.168.11.47.

None of the above sub-points are difficult to implement from a technical point of view. Indeed, we have been doing them for years:

Spam filters have long since used URL blocklists. Furthermore, they also perform URL/host resolution and keep track of spammy IP space. If spam messages point to bad IP space, they score the message as spam.
This technique is no longer novel. Search engines have filtered their search results for malicious links and fraudulent pharmaceuticals for years. This is in response to Black Search Engine Optimization.
ISPs have had options to do DNS filtering. 15 months ago, I wrote a post about the Response Policy Zone (RPZ) that discusses how to filter for bad URLs at the DNS level.
ISPs filtering their own users is also not new. 15 months ago, I wrote a post about how Comcast redirects users to a quarantine if their computer is accessing a known C&C.

Of course, spammers are equally familiar with these tactics which is why they rotate through domains and IPs so quickly, and why spam filters (and search engine and other types of filters) are so constantly updating their lists of abusive locations.

But the point is that this “censorship” has been voluntary by large services for a long time. It isn’t anything new; compliance with SOPA or PIPA simply means that in addition to keep track of bad guys, companies would have to keep track of one more additional list of copyright infringers.

That doesn’t sound so bad.

Does it?

What is SOPA? And is it as bad as everyone says it is? Part 1

tzink — Thu, 19 Jan 2012 00:08:55 GMT

Back in December, after I got back from New Zealand, I was off work for a week recovering from a medical procedure. As I was browsing through my antispam RSS feeds, I came across SOPA and PIPA. “Allo, wot’s dis?” I said in my New Zealand accent. I did some reading about it and planned to write a blog post, but like most of my ideas for blog posts, I procrastinated.

Well, today is as good a day as any to write about SOPA. As you’re no doubt aware, numerous services have protested the legislation on their web pages:

Wikipedia

Google

Reddit

Intrigued by all the predictions of doom if this bill passes, I decided to do some more research. I’ve read up Wikipedia’s summary (which isn’t blacked out), watched Vimeo’s summary, watched CNN’s summary, read a reddit blog post, checked out this infographic from American Censorship, read this article on TalkBizNews,read this one on CNET, checked out a whitepaper on CircleID, and read a few other links that I can’t remember (since I did them at the end of December).

There are plenty of summaries, many contained in all of those articles. The critics have overlapping criticisms while the proponents all focus on a narrow set of issues.

I said to myself when I started this post that I wasn’t going to summarize the SOPA legislation. Well, I’m going to break that promise because when I write about things, I understand them better. So without further ado, what is the deal with SOPA? And are the criticisms valid?

As you’re probably aware, SOPA is the Stop Online Piracy Act, which is a proposed bill sponsored in the US House of Representatives. The PIPA is the Protect IP Act, which is a similar bill sponsored by in the US Senate. Both are similar, although SOPA is a little more overreaching than PIPA.

Both bills are aimed at curbing illegal pirating of copyrighted material, such as Hollywood movies, and counterfeiting, such as Pfizer’s Viagra drug. Opponents of the bill will say that they agree with the spirit of the proposed law but that the bill is vague and will allow for abuses that will disrupt Internet commerce, clamp down on free speech and restrict creativity.

One thing that I did was go and read the text of the law. It’s in pdf format, and it’s not exactly easy reading. What surprises me about myself is that for someone who likes politics, I have historically read very few legislative bills. Shame on me!

Anyhow, starting on page 10 of the bill, it defines a section that allows the Attorney General to Protect US Customers and Prevent US support of foreign infringing sites. The goal in this section is to punish violators who are committing or facilitating the commission of the following articles under the United States Code, Section 18:

Section 2318 – Trafficking in counterfeit labels, illicit labels, or counterfeit documentation or packaging.
Section 2319 – Criminal infringement of a copyright.
Section 2319A - Unauthorized fixation of and trafficking in sound recordings and music videos of live musical performances.
Section 2319B - Unauthorized recording of Motion pictures in a Motion picture exhibition facility.
Section 2320 - Trafficking in counterfeit goods or services.
Chapter 90 – Protection of Trade Secrets.

Thus, any foreign website that is involved in any of the above is the target of this bill. But whereas the US government can clamp down on domestic websites who engage in illegal activities, they cannot usually clamp down on foreign websites because they do not have jurisdiction over there. For example, they cannot shut down online gambling websites based in the UK because online gambling is legal over there but is not in the US.

However, this bill allows the US government to turn the screws on the following types of US companies who can make a difference:

The registrant of the Internet site at the email or postal address. For example, if I have registered terryzink.com, the government can serve me notice.
To the website’s owner and operator, or, if none is listed, to the owner or operator of the IP address that allocated the IP where the web site points to.
To Internet Service Providers like Comcast, Verizon or RoadRunner.
To Internet Search Engines like Google, Yahoo, or Bing.
To payment network providers, like Paypal
To Internet advertising services, like Google (via Google’s AdSense)

The Attorney General can then serve an injunction against any US-based site that is found to be supporting a website that breaches the US Code, Section 18 defined above.

Some more on the Stratfor/Anonymous hack – protecting user data

tzink — Fri, 13 Jan 2012 02:35:32 GMT

Okay, this is my final post on the Stratfor/Anonymous hack. Probably.

I’m a subscriber, and yesterday we all got a note from Stratfor founder George Friedman about the hack. You can read it here if you so desire. In it, he describes the motives for the attack:

The attackers thought that Stratfor was part of a global conspiracy, providing custom consulting for various parties – foreign governments and private corporations. The reason they broke into Stratfor was to steal its emails which would presumably incriminate Stratfor as part of a villainous ring of deceit and nefarious plots (I’m embellishing in my summary). However, when they saw that they could also get the credit card numbers of their clients, well, that was just the icing on the cake. Part of a global conspiracy? Well, we’ll just charge a bunch of donations to a charity (why Anonymous would do this is bizarre because most credit cards have fraud prevention and ways to reverse fraudulent charges, even if they are to charitable organizations. Did they think they would get away with it?).

But more relevant to this blog, Stratfor failed to protect their customers’ credit card information:

Attacks against credit cards are common, our own failures notwithstanding. So are the thefts of emails. But the deliberate attack on our digital existence was a different order of magnitude. As the global media marveled at our failure to encrypt credit card information, my attention was focused on trying to understand why anyone would want to try to silence us.

This is a really big mess-up! Of course they marveled at that failure! If Neil Schwartman were reading this, he’d be spinning in his grave!*

I have written about this before. Microsoft has a good model for protecting users’ data. We classify data into low business intelligence (LBI), medium business intelligence (MBI) and high business intelligence (HBI). Information that is HBI must be encrypted and there are strict guidelines over who has access and how the data must be stored. HBI would be customer’s financial information. The full definitions:

HBI – Authentication and authorization credentials, government provisioned ID (Social Security or driver’s licenses), financial profiles (credit reports), medical profiles (medical records or biometric information). HBI must be encrypted while in transit and while stored and not in use.
MBI – Personally identifiable information that is not as sensitive as HBI. Examples are an individual’s race, ethnic origin, political orientation, physical health. This also includes contact information such as a name, address, email address, fax, etc. MBI must be encrypted while in transit. It does not have to be encrypted while stored and not in use. Encryption must be at least 128 bit.
LBI – These are typically intended to be widely published information like web pages, public cryptographic keys, and press releases. LBI does not need to be encrypted.

I know people like to blah, blah, blah regarding Microsoft and how it is a slow behemoth, but we’re really far ahead on defining processes on how to protect user privacy. That is something that the rest of the software world should adopt. Had Stratfor done so, then their users’ credit card information would have been protected. This is not fool-proof, but it would have helped.

* I use this phrase in jest as Neil Schwartzman is a strong advocate for protecting user privacy. I wonder if he’s reading this right now?

Even experts use bad passwords

tzink — Fri, 13 Jan 2012 02:19:57 GMT

Ever since I had my data hacked by Anonymous during the Stratfor hack (and updated my credit card… and subsequently some of my auto-payments at which point I sighed because I figured it was only a matter of time before I had to do it again), I’ve been reading articles about it.

One of the takeaways, according this article on Security News Daily entitled Stratfor Hack Shows Even Experts Use Bad Passwords, was that people used bad passwords. This isn’t news, hackers have exposed data all the time and we see many times that people use really easy-to-guess passwords. From the article:

Stratfor clients used easy-to-guess passwords such as, "123456, "11111111," and "123123." Other terribly insecure passwords: "111222333444," "12345678901," "administration," "123456789abc," "12345stratfor," "hello123," "lawenforcement" and "intelligence."

A batch of weak passwords played off the word itself, including, "password1234," "password101," "password123," "password122" and "Password999." In just under five hours, Haschat was able to crack 81,883 of the 860,160 leaked passwords.

"In the time it took to watch a movie, Hashcat smashed more than 80,000 passwords

Well, that’s pretty awful, now isn’t it? A bunch of weak, numeric-only passwords? Who would do such a thing!

You really have to wonder by what logic the article calls Stratfor subscribers “experts”? Anyone can sign up for Stratfor and read its delightfully entertaining articles. All you do is go to the site, create a username and password, and then go enter in your credit card information. Easy.

You don’t have to be an expert to do that, you just need to be interested in foreign policy. All this security breach told us (or rather, the point I am making in this post) is that people use insecure passwords.

But we don’t know that they use the same insecure password everywhere. One of these days somebody is going to have to do an analysis of that.

That’d be an article worth writing.

Taking shots at Windows 8’s new picture password

tzink — Fri, 13 Jan 2012 02:05:14 GMT

Blah, blah, blah.

I was reading in a short article on Network World that the father of two-factor authentication, Kenneth Weiss, doesn’t think that Windows 8’s new picture password is any good.

"I think it's cute," says Kenneth Weiss, who now runs a three-factor authentication business called Universal Secure Registry. "I don't think it's serious security."

The major downside of the picture password is that drawing a finger across a photo on a touch screen is easy to video record from a distance - making it relatively easy to compromise, he says. Designers of alpha-numeric passwords recognize this danger and have responded to it by having password characters appear as dots on the screen so the password can't be copied down.

Designers of Windows 8's picture login have made a traditional password an alternative, perhaps in acknowledgement of this shortcoming, he says.

Other problems include backing up the touch pattern that is the login. "To put down a description of the sequence is possible, but that's a lot of writing," he says.

All in all, "It's more like a Fisher-Price toy than a serious choice for secure computer access," he says.

If you’re unfamiliar with Windows 8’s new security feature and were too lazy to click the link above, basically what happens is that you are presented with a picture and you swerve your finger over it, pointing to various elements of the picture. For example, if it is a picture of your family, you might highlight your mom, brother and sister in the same zipping pattern each time. If it’s a picture of a sporting event, it might be of a puck going through the Toronto Maple Leafs’ goaltender’s legs. And so forth.

What’s wrong with a picture password?

Well, somebody could be looking over your shoulder and memorize the pattern that you are swiveling, or record it from a distance, says Weiss. That’s why password designers have dots instead of the actual numeric characters when you type in your password.

This criticism isn’t on the mark.

The fact is that even passwords are prone to memorization. I was at Home Depot one time and I saw a lady open up the register, and I memorized the numeric sequence. I sometimes watch people open up a door that is protected by a numeric keypad.

But doesn’t a password protect against that sort of thing? Of course not. If we’re worried about someone recording our hand gestures with a picture password, then we should also be worried about someone recording our finger keystrokes. If I were to see a recording of someone entering in their password, and it had audio, I could probably figure out eventually what their password is. It’s be blurry and hard to figure out if they are a fast typist, but I bet I could break enough of them to be taken seriously.

I don’t think anyone has solved the password problem. Not even Weiss himself. He’s the father of two factor authentication. That worked so well that he started a company that does three factor authentication. What’s next? Four factor? It’s a contest to see how long you can slow down users and make them annoyed at the piles of security that they have to wade through.

People in glass industries shouldn’t throw stones.

How Digital Detectives Deciphered Stuxnet – the Most Menacing Malware in History

tzink — Thu, 12 Jan 2012 23:42:04 GMT

This is a story that I missed when it was published last summer, but Wired has a great article about how the Stuxnet worm was discovered, analyzed, probable targets and probable authors. If you’ve been following the e-security world for the past couple of years, none of this will be new to you, but I still recommend reading it. It’s probably the biggest story I have seen since I started writing. If not the biggest, then definitely in the top 10.

Now, as a blogger here on MSDN, working for Microsoft, I generally have free reign about what I can write about. Stuxnet is one of those things that the legal department does not want me speculating on other than making a very narrow range of statements.

However, I can link to articles that others have written.

This is a pretty long article, over 24 pages if you copy/paste it into Word and adjust the font to Calibri, font size = 11. But, it is well worth reading.

How Digital Detectives Deciphered Stuxnet – the Most Menacing Malware in History.

Internet Explorer 6 finally on the way out… in the US

tzink — Fri, 06 Jan 2012 20:32:00 GMT

ComputerWorld has an article up where Microsoft is celebrating the fact that Internet Explorer 6 is now used by less than 1% of users in the United States. From ComputerWorld:

Microsoft today said its campaign to drive Internet Explorer 6 (IE6) into extinction had done its job in the U.S., where fewer than 1% of users ran the decade-old browser last month.

To celebrate, Microsoft posted a photograph of a cake frosted with the phrase, "Goodbye IE6!"

"IE6 has been the punch line of browser jokes for a while, and we've been as eager as anyone to see it go away," said Roger Capriotti, the head of IE marketing at the Redmond, Wash. developer, in a Tuesday blog.

Citing data from Web measurement company Net Applications, Capriotti said that IE6 usage in the U.S. had dipped below the 1% mark in the U.S., a new low for the browser that debuted in August 2001.

Net Applications said IE6 accounted for just 0.94% of all browsers used in the U.S. in December, 2011.

Microsoft has been trying to put a stake in the heart of IE6 for more than two years, starting in the summer of 2009 when an executive famously said, "Friends don't let friends use IE6."

Yes, Microsoft has been trying for years to get people off of that browser. It’s old, has too many vulnerabilities and nobody in the tech industry likes to support software 4 versions old. No one.

Notice that the words are carefully chosen, it is less than 1% in the United States. The article goes on to clarify:

According to Net Applications, IE6's share on desktop and notebook computers was 7.3% last month, down seven-tenths of a percentage point from the month before and 6.2 points fewer than a year earlier.

Most of the remaining copies of IE6 are run by Chinese users of Windows, said Microsoft. Almost one-in-four Chinese PCs used IE6 to access the Internet in December, while Chinese users accounted for 58% of all copies of IE6 run worldwide that month.

Experts have linked the higher rate of IE6 use in China to the country's reliance on Windows XP -- which included IE6 -- and its reputation as a haven for software piracy.

The latter, analysts believe, hinder upgrades to newer Microsoft browsers because users are afraid their counterfeits will be sniffed out when they use Windows Update. In fact, that's not the case: Microsoft allows users of counterfeit Windows to install IE7 or IE8, and to receive security patches via Windows Update.

But XP does have a lock on China. In reply to questions today, Net Applications' head of marketing, Vince Vizzaccaro, confirmed that Windows XP is on 70% of China's personal computers, more than twice XP's share of 29.6% in the U.S.

Having been to China, I can totally confirm that IE6 is used in a lot of places and Windows XP is everywhere. However, Windows XP is used everywhere in countries that are not the United States. Although, it’s used in a lot of places inside the US, too. When I’m at my doctor’s office, I peek over and see that they are running XP. When I’m checking into a hotel in Marahau, I can see that they are using XP. When wander past a restaurant in Barcelona, I can see them using XP.

That’s part of the problem of the success of Windows XP – it works so well, i.e., is good enough for what people need it for, that people don’t upgrade in it. And like the article says, in China people are concerned about upgrading because they don’t want Microsoft to come after them for pirating software. Or if they do upgrade, the software will be locked out of some features due to security restrictions, i.e., Windows detects that the software is pirated and therefore disables features A, B, and C.

It’s good that Microsoft is going to start auto-upgrading IE6 to more recent versions, at least to IE7 which has more security in it. It’s too bad that they can’t go to IE9 which has done very well in security test.

Maybe one day the rest of the developing world will start paying for its software.

IBM’s other prediction for 2016 – no passwords

tzink — Fri, 06 Jan 2012 19:12:00 GMT

Following up from my previous post, the other prediction that IBM made was that in 2016, we wouldn’t use passwords to get to our important information. Instead, we would use biometric data to authenticate ourselves.

We would choose to provide certain amounts of information about ourselves to our computers and to private networks such as a bank. When we want money, we’d walk up to an ATM and simply speak into it. The machine would authenticate against our biometric data and gives us our money. This would (a) save us the inefficiency of using our brains to remember reams of passwords (a fact that I have complained about in the past on this blog), and (b) be more secure because a hacker might be able to steal our username and password but they wouldn’t be able to steal our biometric data.

Or could they?

Obviously, the folks at IBM don’t watch enough Hollywood movies. How many films have you seen where people have to pass a retinal scan to get into some top secret location, and the bad guy or good guy still manages to do it? What if we used voice authentication? I can see spammers hacking into phone lines and recording conversations between people, or chatting with people online, or something (perhaps an adult chat website where the owner records the chats for their audio and then uses those to break into a bank account).

Biometric data is nothing new. It’s been around for a long time. My laptop has a fingerprint scanner on it which supposedly unlocks my laptop but I never use it. It’s kind of slow and I have to swipe it multiple times, most of the time, whenever I want to use it. I said to myself “Forget this. I rarely have to retype my password, and I can type in my password faster than it takes me to swipe the scanner. Not only that, but my hands are already on the keyboard. Oh, sweetness, I have just saved 1/4 of a second of the time it would take me to move my hand from the scanner to the keyboard.” And we all know how lazy computer folks are.

Regardless of the technical limitations or if they get solved, one thing I can say for sure is that there is no way this gets implemented in five years. Not in any sort of mass deployment around the world.

For one thing, people are paranoid about giving away their biometric information to private or public entities (and they probably should be, given how frequently everyone has gotten hacked this year).

Secondly, deploying new technology like this takes forever. People are still using Internet Explorer 6 and that came out over 10 years ago! And there’s been several versions since then! Technology adoption does not come quickly. There are some things that do (Facebook), but biometrics replacing passwords is not one of them.

You can take that to the bank.

Fallout from the Anonymous/Stratfor hack

tzink — Fri, 06 Jan 2012 18:22:39 GMT

As I wrote in my post on Christmas Day, Stratfor was hacked by Anonymous. Since that time, here are a couple of updates:

I signed up for Identity Theft protection from CSID. I got an alert the other day indicating that according to all of the monitoring they do, the email address I use for Stratfor was compromised. Oh, that’s just swell.
That very evening (Christmas Day, not the day I signed up at CSID), I cancelled my credit card and got a new one. As it turns out, that was a good idea. For you see, according to this website here, hacked Stratfor users can check to see if their information was leaked.

The ‘cc’ next to my name means that my credit card information was also leaked. Thanks, Anonymous. I appreciate you giving the world my financial data.

While I changed my credit card, I’m not sure what to do about my email address. I use it to login to a lot of sites. Luckily, the password I use is unique to Stratfor (I think). I have reused those two combinations in the past, but not in any websites that I currently care about. The fact that I don’t use it anymore is really a stroke of luck.

I suspect that the alert CSID sent me from point (1) has to do with the leaked email address from Anonymous. When I first got the alert, I was like “Shoot, what do I do?” Now that I think I know where it came from, I’m breathing a little easier since if that password is compromised, it doesn’t matter because I don’t use it with any website that is particularly important to me.
Stratfor released an update today about the status of what’s going on:

In monitoring fallout from the breach of security in Stratfor’s data systems, we have been made aware of false and misleading communications that could attempt to prey on the privacy concerns of our customers and friends. While Stratfor works to re-establish its data systems and web presence, we ask everyone to please consult the Stratfor Facebook page and Twitter feed for company-approved communications.

I haven’t seen any of this, but my bet is that spammers have been monitoring the story and have sent spoofed messages from Stratfor and Stratfor founder George Friedman. I’d further guess that the message contains links to malware, and that the spammers harvested the leaked emails that Anonymous posted and sent these targeted messages to Stratfor subscribers.

<1 minute later>

M’kay, I checked my spam folder just now and there are five messages from (spoofing) Stratfor, all sent yesterday. It is a scam asking the user to rate Stratfor’s Incident Response (which, btw, I think has been pretty good):

From: george.friedman@<redacted>
Subject: Rate Stratfor’s Incident Response
Date: Thursday, Jan 5, 2012

For the video announcement, please see http://www.youtube.com/<redacted>
Read full press release: http://bolt.thexfil.es/<redacted>
Rate Stratfor's incident response: http://<redacted>.imageshack.us/<redacted>

Hello loyal Stratfor clients,

We are still working to get our website secure and back up and running again
 as soon as possible.

To show our appreciation for your continued support, we will be making available
all of our premium content *as a free service* from now on.

We would like to hear from our loyal client base as to our handling of the 
recent intrusion by those deranged, sexually deviant criminal hacker terrorist 
masterminds. Please fill out the following form and return it to me

My mobile: 512-xxx-xxxx
My home phone: 512-xxx-xxxx

All of the messages come from an IP address in Germany. But it’s pretty clear that this is a targeted

attack (or rather, an opportunistic one). The spammers didn’t even have to do anything, just scrape together the list of email addresses and craft together a credible looking (ahem) spam campaign.

That’s the latest. I must say, this whole thing kind of ticks me off.

IBM predicts the future for 2016 – and it includes no spam

tzink — Fri, 06 Jan 2012 02:07:01 GMT

IBM published a video where it predicts what the world will look like in 2016 (see bottom of this post for the link). It includes the following five predictions:

You will make your own energy: Anything that moves has the potential to create energy. Your running shoes, your bicycle and even the water flowing through your pipes can create energy.
You will not need a password: Your biological makeup is the key to your individual identity, and soon, it will become the key to safeguarding it.
Mind reading is no longer science fiction: Scientists are researching how to link your brain to your devices, such as a computer or a smartphone, so you just need to think about calling someone and it happens.
The digital divide will cease to exist: In five years, the gap between information haves and have-nots will narrow considerably due to advances in mobile technology.
Junk mail will become priority mail: Think about how often we're flooded with advertisements we consider to be irrelevant or unwanted - it doesn't have to be that way anymore.

I want to start with the last one – that junk mail (i.e., spam) will disappear. You’ll need to watch the video to get the nuances of the prediction, but IBM says that in five years, Junk Mail will become a thing of the past. Instead, what will happen is that spam filters will become so good at knowing what type of mail you want to receive that it will filter out everything that it knows you don’t want and deliver you the mail it knows that you will want. In this way, junk mail becomes priority mail.

Imagine that your phone syncs up somewhere and sees that your favorite band is coming to town. Your personalized spam filter would know that you like this band and either (a) allow emails like this to pass through your spam filter to your inbox or (b) actively go out and find the information, delivering it to you.

How likely is this to occur?

Bold predictions about spam filters have occurred before. As everyone likes to point out, Bill Gates predicted in 2004 that spam would become a thing of the past. Yet here we are, 8 years later, and spam is still a problem.

But it’s not the same problem that it was before, now is it?

Let’s take a look at this. The spam problem - in email - has changed over the past few years. We used to see a lot of botnet spam with illegal content but we see much less botnet spam these days. If you read any report about the state of spam, you’ll know that it has declined considerably over the past year. However, what has replaced it (in terms of how annoying it is and how many complaints it generates) is snowshoe spam which is smaller and lighter and looks a lot like marketing mail. My prediction is that the next big revolution in antispam technology is figuring out a way to effectively deal with snowshoers (now that we’ve gotten pretty good at stopping botnet spam).

Snowshoe spam is annoying. But, if spam filters do get good at stopping snowshoe spam, in addition to remaining good at stopping botnet spam (or botnet spam stays down), then IBM’s prediction becomes possible. Just think about it for a moment:

Spam filters are good at blocking most spam so few people get it.
Spam filters are good at detecting legitimate marketing mail.
Social networks and search engines are becoming more and more personalized. When you login to Facebook, the ads are targeted to you. If a spam filter talked to a social network, then it would be able to automatically decide which marketing mail to get to your inbox based upon a best guess of the things you are interested in. For example, my wife and I regularly attend lecture series put on by National Geographic. If I “liked” National Geographic on Facebook, then if they ever sent mail to me, my spam filter (after talking to Facebook) would let the mail through to me. And I’d say “Hey, this upcoming talk looks pretty interesting!”
The principles we have learned over the past 10 years still apply. A spam filter would guess what the person would like to see, but the senders of the mail still need reputation to ensure their delivery. They’d need to sign their mail with DKIM, publish SPF records and have low levels of spam complaints, ensure opt-in best practices, and so forth.

Thus, the next big trend in spam filtering, according to IBM, is theoretically possible. Is it possible to do within 5 years?

Maybe.

Spam still hasn’t been totally solved. Just in the past week we’ve seen an eTrade spam blitz and then a Bank of America spam blitz, and these were cases of botnet spam with relays behind relays. We haven’t managed to eradicate that type of spam yet, but it isn’t the problem it once was.

But looking over how something like this might be accomplished, it’s not tough to visualize. Imagine someone (let’s say me) had a Gmail account and used their Google+ account actively. If they +1’ed things like Minyanville and TheStreet.com, and then went into Gmail and said “Bring me stuff that’s relevant,” it’s not difficult for Gmail to sift through their mountains of mail and bring you relevant things.

But on the other hand, there’s the problem of permission. Would you want Gmail to give you updates from financial services (for example) that you never subscribed to? For me personally, if I owned stock in Apple, I might want news alerts brought to me even if I never wanted to hear everything from The Motley Fool. But perhaps I’d want to hear everything from Minyanville when they talk about Apple. After all, I +1’ed Minyanville so I must like it. But Minyanville only sends mail to people who signed up. But I want Gmail to bring me stuff that is relevant. What do I do?

I’m sure people will figure it out eventually. It’s an area that is ripe for exploration.

Follow up from eTrade spam – Bank of America spam

tzink — Wed, 04 Jan 2012 18:47:58 GMT

Last week, I wrote about eTrade spam hitting inboxes. Today, we’re seeing the follow up from that: Bank of America spam.

This looks identical to the previous run with one difference: it’s spoofing Bank of America. Like the previous spam campaign, the message body contains only a link to a http://goo.gl redirector and the subject line contains all of the information.

Just like before, the spammer is using multiple bots. They’ve done a good job at evading Google’s controls and they are even sending some of the spam from Gmail’s outbound IPs. To put it one way, as my co-worker did, they’re abusing Google like a rented mule.

Most likely, it’s the same people doing it.

From: <redacted>
Sent: Wednesday, January 04, 2012 10:47 AM
To: <redacted>
Subject: Bank of America: Bill payment canceled

Read more about alerts

2012 is looking at lot like 2011.

Humor – Identity Theft

tzink — Mon, 02 Jan 2012 20:35:03 GMT