crime

Russian bot herders behind massive increase in spam

From Ryan Naraine’s “‘Pump-and-Dump’ Spam Surge Linked to Russian Bot Herders” (eWeek: 16 November 2006):

The recent surge in e-mail spam hawking penny stocks and penis enlargement pills is the handiwork of Russian hackers running a botnet powered by tens of thousands of hijacked computers.

Internet security researchers and law enforcement authorities have traced the operation to a well-organized hacking gang controlling a 70,000-strong peer-to-peer botnet seeded with the SpamThru Trojan. …

For starters, the Trojan comes with its own anti-virus scanner – a pirated copy of Kaspersky’s security software – that removes competing malware files from the hijacked machine. Once a Windows machine is infected, it becomes a peer in a peer-to-peer botnet controlled by a central server. If the control server is disabled by botnet hunters, the spammer simply has to control a single peer to retain control of all the bots and send instructions on the location of a new control server.

The bots are segmented into different server ports, determined by the variant of the Trojan installed, and further segmented into peer groups of no more than 512 bots. This allows the hackers to keep the overhead involved in exchanging information about other peers to a minimum, Stewart explained.

… the attackers are meticulous about keeping statistics on bot infections around the world.

For example, the SpamThru controller keeps statistics on the country of origin of all bots in the botnet. In all, computers in 166 countries are part of the botnet, with the United States accounting for more than half of the infections.

The botnet stats tracker even logs the version of Windows the infected client is running, down to the service pack level. One chart commandeered by Stewart showed that Windows XP SP2 … machines dominate the makeup of the botnet, a clear sign that the latest version of Microsoft’s operating system is falling prey to attacks.

Another sign of the complexity of the operation, Stewart found, was a database hacking component that signaled the ability of the spammers to target its pump-and-dump scams to victims most likely to be associated with stock trading.

Stewart said about 20 small investment and financial news sites have been breached for the express purpose of downloading user databases with e-mail addresses matched to names and other site registration data. On the bot herder’s control server, Stewart found a MySQL database dump of e-mail addresses associated with an online shop. …

The SpamThru spammer also controls lists of millions of e-mail addresses harvested from the hard drives of computers already in the botnet. …

“It’s a very enterprising operation and it’s interesting that they’re only doing pump-and-dump and penis enlargement spam. That’s probably because those are the most lucrative,” he added.

Even the spam messages come with a unique component. The messages are both text- and image-based and a lot of effort has been put into evading spam filters. For example, each SpamThru client works as its own spam engine, downloading a template containing the spam and random phrases to use as hash-busters, random “from” names, and a list of several hundred e-mail addresses to send to.

Stewart discovered that the image files in the templates are modified with every e-mail message sent, allowing the spammer to change the width and height. The image-based spam also includes random pixels at the bottom, specifically to defeat anti-spam technologies that reject mail based on a static image.

All SpamThru bots – the botnet controls about 73,000 infected clients – are also capable of using a list of proxy servers maintained by the controller to evade blacklisting of the bot IP addresses by anti-spam services. Stewart said this allows the Trojan to act as a “massive distributed engine for sending spam,” without the cost of maintaining static servers.

With a botnet of this size, the group is theoretically capable of sending a billion spam e-mails in a single day.

Russian bot herders behind massive increase in spam Read More »

A prison completely run by the inmates

From Mica Rosenberg’s “Guatemala forces end 10-year prisoner rule at jail” (The Washington Post: 25 September 2006):

Guatemalan security forces took over a jail run for over 10 years by inmates who built their own town on prison grounds complete with restaurants, churches and hard-drug laboratories.

Seven prisoners died when 3,000 police and soldiers firing automatic weapons stormed the Pavon prison just after dawn on Monday.

Corrupt guards would only patrol the prison’s perimeter and run the administration section while an “order committee” of hardened inmates controlled the rest. They smuggled in food, drink and luxury goods.

“The people who live here live better than all of us on the outside. They’ve even got pubs,” said soldier Tomas Hernandez, 25.

Pet dogs, including a whining puppy, roamed the deserted prison grounds after the raid. One inmate kept a spider monkey captive, national prison officials said.

But with army helicopters clattering overhead, police backed up by armored cars transferred Pavon’s 1,600 inhabitants to another prison, ending their lives of ease.

The inmates who died were killed in a shootout at the two-story wooden chalet of a convicted Colombian drug trafficker knows as “El Loco,” or “The Madman.”

Blood was splattered on the house’s walls and floor. The Colombian had a widescreen television and high-speed Internet.

Pavon was one of the worst prisons in Guatemala’s penitentiary system, where common criminals, rival “mara” street gangs and drug traffickers often battle for control.

Police had not been into Pavon, on the edge of the town of Fraijanes, since 1996.

It was originally built for 800 inmates as a farm prison where prisoners could grow their own food. But the prison population grew over time and inmates began to construct their own homes on the grounds.

Guards let prisoners bring in whatever they wanted and inmates set up laboratories to produce cocaine, crack and liquor inside Pavon. …

Inmates extorted and kidnapped victims on the outside by giving orders via cell phone. …

They also killed Luis Alfonso Zepeda, a convicted murderer who headed the “order committee.”

Zepeda earned around $25,000 a month from extortion, renting out prison grounds to other inmates and drug trafficking, police said.

His son Samuel lived illegally inside the prison to help run the crime empire, even though he was never sent there by a court. …

Inmates ran at least two churches, one Catholic and the other Evangelical, and restaurants serving typical fare like stews and tortillas.

Stores controlled by the prisoners sold soft drinks and potato chips brought in from the outside.

A prison completely run by the inmates Read More »

Warning signs of an incipient serial killer

From Wikipedia’s “MacDonald triad” (26 July 2006):

The MacDonald triad are three major personality traits in children that are said to be warning signs for the tendency to become a serial killer. They were first described by J. M. MacDonald in his article “The Threat to Kill” in the American Journal of Psychiatry.

  • Firestarting, invariably just for the thrill of destroying things.
  • Cruelty to animals. Many children can be cruel to animals, such as pulling the legs off of spiders, but future serial killers often kill larger animals, like dogs and cats, and frequently for their solitary enjoyment rather than to impress peers.
  • Bedwetting beyond the age when children normally grow out of such behaviour.

Warning signs of an incipient serial killer Read More »

How to wiretap

From Seth David Schoen’s “Wiretapping vulnerabilities” (Vitanuova: 9 March 2006):

Traditional wiretap threat model: the risks are detection of the tap, and obfuscation of content of communication. …

POTS is basically the same as it was 100 years ago — with central offices and circuit-switching. A phone from 100 years ago will pretty much still work today. “Telephones are a remarkable example of engineering optimization” because they were built to work with very minimal requirements: just two wires between CO and the end subscriber, don’t assume that the subscriber has power, don’t assume that the subscriber has anything else. There is a DC current loop that provides 48 V DC power. The current loop determines the hook switch state. There’s also audio signalling for in-band signalling from phone to CO — or from CO to phone — or for voice. It all depends on context and yet all these things are multiplexed over two wires, including the hook state and the audio signalling and the voice traffic.

If you wanted to tap this: you could do it in three different ways.

* Via the local loop (wired or wireless/cellular).
* Via the CO switch (software programming).
* Via trunk interception (e.g. fiber, microwave, satellite) with demultiplexing.

How do LEAs do it? Almost always at local loop or CO. (By contrast, intelligence agencies are more likely to try to tap trunks.)

How to wiretap Read More »

The real solution to identity theft: bank liability

From Bruce Schneier’s “Mitigating Identity Theft” (Crypto-Gram: 15 April 2005):

The very term “identity theft” is an oxymoron. Identity is not a possession that can be acquired or lost; it’s not a thing at all. …

The real crime here is fraud; more specifically, impersonation leading to fraud. Impersonation is an ancient crime, but the rise of information-based credentials gives it a modern spin. A criminal impersonates a victim online and steals money from his account. He impersonates a victim in order to deceive financial institutions into granting credit to the criminal in the victim’s name. …

The crime involves two very separate issues. The first is the privacy of personal data. Personal privacy is important for many reasons, one of which is impersonation and fraud. As more information about us is collected, correlated, and sold, it becomes easier for criminals to get their hands on the data they need to commit fraud. …

The second issue is the ease with which a criminal can use personal data to commit fraud. …

Proposed fixes tend to concentrate on the first issue — making personal data harder to steal — whereas the real problem is the second. If we’re ever going to manage the risks and effects of electronic impersonation, we must concentrate on preventing and detecting fraudulent transactions.

… That leaves only one reasonable answer: financial institutions need to be liable for fraudulent transactions. They need to be liable for sending erroneous information to credit bureaus based on fraudulent transactions.

… The bank must be made responsible, regardless of what the user does.

If you think this won’t work, look at credit cards. Credit card companies are liable for all but the first $50 of fraudulent transactions. They’re not hurting for business; and they’re not drowning in fraud, either. They’ve developed and fielded an array of security technologies designed to detect and prevent fraudulent transactions.

The real solution to identity theft: bank liability Read More »

Two-factor authentication: the good & the bad

From Bruce Schneier’s “More on Two-Factor Authentication” (Crypto-Gram: 15 April 2005):

Passwords just don’t work anymore. As computers have gotten faster, password guessing has gotten easier. Ever-more-complicated passwords are required to evade password-guessing software. At the same time, there’s an upper limit to how complex a password users can be expected to remember. About five years ago, these two lines crossed: It is no longer reasonable to expect users to have passwords that can’t be guessed. For anything that requires reasonable security, the era of passwords is over.

Two-factor authentication solves this problem. It works against passive attacks: eavesdropping and password guessing. It protects against users choosing weak passwords, telling their passwords to their colleagues or writing their passwords on pieces of paper taped to their monitors. For an organization trying to improve access control for its employees, two-factor authentication is a great idea. Microsoft is integrating two-factor authentication into its operating system, another great idea.

What two-factor authentication won’t do is prevent identity theft and fraud. It’ll prevent certain tactics of identity theft and fraud, but criminals simply will switch tactics. We’re already seeing fraud tactics that completely ignore two-factor authentication. As banks roll out two-factor authentication, criminals simply will switch to these new tactics.

One way to think about this is that two-factor authentication solves security problems involving authentication. The current wave of attacks against financial systems are not exploiting vulnerabilities in the authentication system, so two-factor authentication doesn’t help.

Two-factor authentication: the good & the bad Read More »

When people feel secure, they’re easier targets

From Bruce Schneier’s “Burglars and “Feeling Secure” (Crypto-Gram: 15 January 2005):

This quote is from “Confessions of a Master Jewel Thief,” by Bill Mason (Villard, 2003): “Nothing works more in a thief’s favor than people feeling secure. That’s why places that are heavily alarmed and guarded can sometimes be the easiest targets. The single most important factor in security — more than locks, alarms, sensors, or armed guards — is attitude. A building protected by nothing more than a cheap combination lock but inhabited by people who are alert and risk-aware is much safer than one with the world’s most sophisticated alarm system whose tenants assume they’re living in an impregnable fortress.”

The author, a burglar, found that luxury condos were an excellent target. Although they had much more security technology than other buildings, they were vulnerable because no one believed a thief could get through the lobby.

When people feel secure, they’re easier targets Read More »

What bots do and how they work

From The Honeynet Project & Research Alliance’s “Know your Enemy: Tracking Botnets” (13 March 2005):

After successful exploitation, a bot uses Trivial File Transfer Protocol (TFTP), File Transfer Protocol (FTP), HyperText Transfer Protocol (HTTP), or CSend (an IRC extension to send files to other users, comparable to DCC) to transfer itself to the compromised host. The binary is started, and tries to connect to the hard-coded master IRC server. Often a dynamic DNS name is provided … rather than a hard coded IP address, so the bot can be easily relocated. … Using a special crafted nickname like USA|743634 or [UrX]-98439854 the bot tries to join the master’s channel, sometimes using a password to keep strangers out of the channel. …

Afterwards, the server accepts the bot as a client and sends him RPL_ISUPPORT, RPL_MOTDSTART, RPL_MOTD, RPL_ENDOFMOTD or ERR_NOMOTD. Replies starting with RPL_ contain information for the client, for example RPL_ISUPPORT tells the client which features the server understands and RPL_MOTD indicates the Message Of The Day (MOTD). …

On RPL_ENDOFMOTD or ERR_NOMOTD, the bot will try to join his master’s channel with the provided password …

The bot receives the topic of the channel and interprets it as a command: …

The first topic tells the bot to spread further with the help of the LSASS vulnerability. … the second example of a possible topic instructs the bot to download a binary from the web and execute it … And if the topic does not contain any instructions for the bot, then it does nothing but idling in the channel, awaiting commands. That is fundamental for most current bots: They do not spread if they are not told to spread in their master’s channel.
Upon successful exploitation the bot will message the owner about it, if it has been advised to do so. …

Then the IRC server (also called IRC daemon, abbreviated IRCd) will provide the channels userlist. But most botnet owners have modified the IRCd to just send the channel operators to save traffic and disguise the number of bots in the channel. …

The controller of a botnet has to authenticate himself to take control over the bots. …

… the “-s” switch in the last example tells the bots to be silent when authenticating their master. …

… Once an attacker is authenticated, they can do whatever they want with the bots … The IRC server that is used to connect all bots is in most cases a compromised box. … Only beginners start a botnet on a normal IRCd. It is just too obvious you are doing something nasty if you got 1.200 clients named as rbot-<6-digits> reporting scanning results in a channel. Two different IRC servers software implementation are commonly used to run a botnet: Unreal IRCd and ConferenceRoom:

  • Unreal IRCd (http://www.unrealircd.com/) is cross-platform and can thus be used to easily link machines running Windows and Linux. The IRC server software is stripped down and modified to fit the botnet owners needs. Common modifications we have noticed are stripping “JOIN”, “PART” and “QUIT” messages on channels to avoid unnecessary traffic. … able to serve 80.000 bots …
  • ConferenceRoom (http://www.webmaster.com/) is a commercial IRCd solution, but people who run botnets typically use a cracked version. …

What bots do and how they work Read More »

Different types of Bots

From The Honeynet Project & Research Alliance’s “Know your Enemy: Tracking Botnets” (13 March 2005):

… some of the more widespread and well-known bots.

  • Agobot/Phatbot/Forbot/XtremBot

    … best known bot. … more than 500 known different versions of Agobot … written in C++ with cross-platform capabilities and the source code is put under the GPL. … structured in a very modular way, and it is very easy to add commands or scanners for other vulnerabilities … uses libpcap (a packet sniffing library) and Perl Compatible Regular Expressions (PCRE) to sniff and sort traffic. … can use NTFS Alternate Data Stream (ADS) and offers Rootkit capabilities like file and process hiding to hide it’s own presence … reverse engineering this malware is harder since it includes functions to detect debuggers (e.g. SoftICE and OllyDbg) and virtual machines (e.g. VMWare and Virtual PC). … the only bot that utilized a control protocol other than IRC. A fork using the distributed organized WASTE chat network is available.

  • SDBot/RBot/UrBot/UrXBot/…

    This family of malware is at the moment the most active one … seven derivatives … written in very poor C and also published under the GPL.

  • mIRC-based Bots – GT-Bots

    We subsume all mIRC-based bots as GT-bots … GT is an abbreviation for Global Threat and this is the common name used for all mIRC-scripted bots. … mIRC-scripts, often having the extension “.mrc”, are used to control the bot.

  • DSNX Bots

    Dataspy Network X (DSNX) bot is written in C++ and has a convenient plugin interface. … code is published under the GPL. … one major disadvantage: the default version does not come with any spreaders.

  • Q8 Bots

    only 926 lines of C-code. … written for Unix/Linux systems.

  • kaiten

    … lacks a spreader too, and is also written for Unix/Linux systems. The weak user authentication makes it very easy to hijack a botnet running with kaiten. The bot itself consists of just one file.

  • Perl-based bots

    … very small and contain in most cases only a few hundred lines of code. They offer only a rudimentary set of commands (most often DDoS-attacks) … used on Unix-based systems.

Different types of Bots Read More »

Uses of botnets

From The Honeynet Project & Research Alliance’s “Know your Enemy: Tracking Botnets” (13 March 2005):

“A botnet is comparable to compulsory military service for windows boxes” – Stromberg

… Based on the data we captured, the possibilities to use botnets can be categorized as listed below. …

  1. Distributed Denial-of-Service Attacks

    Most commonly implemented and also very often used are TCP SYN and UDP flood attacks. Script kiddies apparently consider DDoS an appropriate solution to every social problem. … run commercial DDoS attacks against competing corporations … DDoS attacks are not limited to web servers, virtually any service available on the Internet can be the target of such an attack. … very specific attacks, such as running exhausting search queries on bulletin boards or recursive HTTP-floods on the victim’s website.

  2. Spamming

    open a SOCKS v4/v5 proxy … send massive amounts of bulk email … harvest email-addresses … phishing-mails

  3. Sniffing Traffic

    use a packet sniffer to watch for interesting clear-text data passing by a compromised machine. … If a machine is compromised more than once and also a member of more than one botnet, the packet sniffing allows to gather the key information of the other botnet. Thus it is possible to “steal” another botnet.

  4. Keylogging
  5. Spreading new malware

    In most cases, botnets are used to spread new bots. … spreading an email virus using a botnet is a very nice idea

  6. Installing Advertisement Addons and Browser Helper Objects (BHOs)

    setting up a fake website with some advertisements … these clicks can be “automated” so that instantly a few thousand bots click on the pop-ups. … hijacks the start-page of a compromised machine so that the “clicks” are executed each time the victim uses the browser.

  7. Google AdSense abuse

    … leveraging his botnet to click on these advertisements in an automated fashion and thus artificially increments the click counter.

  8. Attacking IRC Chat Networks

    attacks against Internet Relay Chat (IRC) networks. … so called “clone attack”: In this kind of attack, the controller orders each bot to connect a large number of clones to the victim IRC network.

  9. Manipulating online polls/games

    Online polls/games are getting more and more attention and it is rather easy to manipulate them with botnets.

  10. Mass identity theft

    Bogus emails (“phishing mails”) … also host multiple fake websites pretending to be Ebay, PayPal, or a bank …

Uses of botnets Read More »

Who runs botnets?

From The Honeynet Project & Research Alliance’s “Know your Enemy: Tracking Botnets” (13 March 2005):

An event that is not that unusual is that somebody steals a botnet from someone else. … bots are often “secured” by some sensitive information, e.g. channel name or server password. If one is able to obtain all this information, he is able to update the bots within another botnet to another bot binary, thus stealing the bots from another botnet. …

Something which is interesting, but rarely seen, is botnet owners discussing issues in their bot channel. …

Our observations showed that often botnets are run by young males with surprisingly limited programming skills. … we also observed some more advanced attackers: these persons join the control channel only seldom. They use only 1 character nicks, issue a command and leave afterwards. The updates of the bots they run are very professional. Probably these people use the botnets for commercial usage and “sell” the services. A low percentage use their botnets for financial gain. …

Another possibility is to install special software to steal information. We had one very interesting case in which attackers stole Diablo 2 items from the compromised computers and sold them on eBay. … Some botnets are used to send spam: you can rent a botnet. The operators give you a SOCKS v4 server list with the IP addresses of the hosts and the ports their proxy runs on. …

… some attackers are highly skilled and organized, potentially belonging to well organized crime structures. Leveraging the power of several thousand bots, it is viable to take down almost any website or network instantly. Even in unskilled hands, it should be obvious that botnets are a loaded and powerful weapon.

Who runs botnets? Read More »

An analysis of botnets

From The Honeynet Project & Research Alliance’s “Know your Enemy: Tracking Botnets” (13 March 2005):

A botnet is a network of compromised machines that can be remotely controlled by an attacker. … With the help of honeynets we can observe the people who run botnets … Due to the wealth of data logged, it is possible to reconstruct the actions of attackers, the tools they use, and study them in detail. …

We have identified many different versions of IRC-based bots … The bot joins a specific IRC channel on an IRC server and waits there for further commands. This allows an attacker to remotely control this bot and use it for fun and also for profit. Attackers even go a step further and bring different bots together. Such a structure, consisting of many compromised machines which can be managed from an IRC channel, is called a botnet. IRC is not the best solution since the communication between bots and their controllers is rather bloated, a simpler communication protocol would suffice. But IRC offers several advantages: IRC Servers are freely available and are easy to set up, and many attackers have years of IRC communication experience.

… Even a relatively small botnet with only 1000 bots can cause a great deal of damage. These 1000 bots have a combined bandwidth (1000 home PCs with an average upstream of 128KBit/s can offer more than 100MBit/s) that is probably higher than the Internet connection of most corporate systems. In addition, the IP distribution of the bots makes ingress filter construction, maintenance, and deployment difficult. In addition, incident response is hampered by the large number of separate organizations involved. Another use for botnets is stealing sensitive information or identity theft: Searching some thousands home PCs for password.txt, or sniffing their traffic, can be effective.

The spreading mechanisms used by bots is a leading cause for “background noise” on the Internet, especially on TCP ports 445 and 135. … These malware scan large network ranges for new vulnerable computers and infect them, thus acting similar to a worm or virus. … most traffic targets the ports used for resource sharing on machines running all versions of Microsoft’s Windows operating system …

The traffic on these four ports [445/TCP, 139/TCP, 137/UDP, 135/TCP] cause more then 80 percent of the whole traffic captured. …

Lessons Learned

  • Number of botnets

    … able to track little more than 100 botnets during the last four months. … at the moment we are tracking about 35 active botnets.

  • Number of hosts

    During these few months, we saw 226,585 unique IP addresses joining at least one of the channels we monitored. … If an IRCd is modified not to show joining clients in a channel, we don’t see IPs here. Furthermore some IRCds obfuscate the joining clients IP address and obfuscated IP addresses do not count as seen, too. … this would mean that more then one million hosts are compromised and can be controlled by malicious attackers.

  • Typical size of Botnets

    Some botnets consist of only a few hundred bots. In contrast to this, we have also monitored several large botnets with up to 50.000 hosts. … botnets with over several hundred thousands hosts have been reported in the past. … We know about a home computer which got infected by 16 (sic!) different bots, so its hard to make an estimation about world bot population here.

  • Dimension of DDoS-attacks

    From the beginning of November 2004 until the end of January 2005, we were able to observe 226 DDoS-attacks against 99 unique targets.

  • Spreading of botnets

    “.advscan lsass 150 5 0 -r -s” and other commands are the most frequent observed messages. Through this and similar commands, bots spread and search for vulnerable systems.

  • Harvesting of information

    … harvesting of information from all compromised machines. With the help of a command like “.getcdkeys” the operator of the botnet is able to request a list of CD-keys (e.g. for Windows or games) from all bots.

  • “Updates” within botnets

    … observed updates of botnets quite frequently. … bots are instructed to download a piece of software from the Internet and then execute it. … bots can be dynamically updated and be further enhanced. … In total, we have collected 329 binaries. … Most of the other binary files are either adware …, proxy servers … or Browser Helper Objects.

An analysis of botnets Read More »

To combat phishing, change browser design philosophy

From Federico Biancuzzi’s “Phishing with Rachna Dhamija” (SecurityFocus: 19 June 2006):

We discovered that existing security cues are ineffective, for three reasons:

1. The indicators are ignored (23% of participants in our study did not look at the address bar, status bar, or any SSL indicators).

2. The indicators are misunderstood. For example, one regular Firefox user told me that he thought the yellow background in the address bar was an aesthetic design choice of the website designer (he didn’t realize that it was a security signal presented by the browser). Other users thought the SSL lock icon indicated whether a website could set cookies.

3. The security indicators are trivial to spoof. Many users can’t distinguish between an actual SSL indicator in the browser frame and a spoofed image of that indicator that appears in the content of a webpage. For example, if you display a popup window with no address bar, and then add an image of an address bar at the top with the correct URL and SSL indicators and an image of the status bar at the bottom with all the right indicators, most users will think it is legitimate. This attack fooled more than 80% of participants. …

Currently, I’m working on other techniques to prevent phishing in conjunction with security skins. For example, in a security usability class I taught this semester at Harvard, we conducted a usability study that shows that simply showing a user’s history information (for example, “you’ve been to this website many times” or “you’ve never submitted this form before”) can significantly increase a user’s ability to detect a spoofed website and reduce their vulnerability to phishing attacks. Another area I’ve been investigating are techniques to help users recover from errors and to identify when errors are real, or when they are simulated. Many attacks rely on users not being able to make this distinction.

You presented the project called Dynamic Security Skins (DSS) nearly one year ago. Do you think the main idea behind it is still valid after your tests?

Rachna Dhamija: I think that our usability study shows how easy it is to spoof security indicators, and how hard it is for users to distinguish legitimate security indicators from those that have been spoofed. Dynamic Security Skins is a proposal that starts from the assumption that any static security indicator can easily be copied by attacker. Instead, we propose that users create their own customized security indicators that are hard for an attacker to predict. Our usability study also shows that indicators placed in the periphery or outside of the user’s focus of attention (such as the SSL lock icon in the status bar) may be ignored entirely by some users. DSS places the security indicator (a secret image) at the point of password entry, so the user can not ignore it.

DSS adds a trusted window in the browser dedicated to username and password entry. The user chooses a photographic image (or is assigned a random image), which is overlaid across the window and text entry boxes. If the window displays the user’s personal image, it is safe for the user to enter his password. …

With security skins, we were trying to solve not user authentication, but the reverse problem – server authentication. I was looking for a way to convey to a user that his client and the server had successfully negotiated a protocol, that they have mutually authenticated each other and agreed on the same key. One way to do this would be to display a message like “Server X is authenticated”, or to display a binary indicator, like a closed or open lock. The problem is that any static indicator can be easily copied by an attacker. Instead, we allow the server and the user’s browser to each generate an abstract image. If the authentication is successful, the two images will match. This image can change with each authentication. If it is captured, it can’t be replayed by an attacker and it won’t reveal anything useful about the user’s password. …

Instead of blaming specific development techniques, I think we need to change our design philosophy. We should assume that every interface we develop will be spoofed. The only thing an attacker can’t simulate is an interface he can’t predict. This is the principle that DSS relies on. We should make it easy for users to personalize their interfaces. Look at how popular screensavers, ringtones, and application skins are – users clearly enjoy the ability to personalize their interfaces. We can take advantage of this fact to build spoof resistant interfaces.

To combat phishing, change browser design philosophy Read More »

Favelas, the slums of Rio De Janeiro

From Alex Bellos’s “Coke. Guns. Booty. Beats.” (Blender: June 2005):

In the slums of Rio De Janeiro, drug lords armed with submachine guns have joined forces with djs armed with massive sound systems and rude, raunchy singles. Welcome to the most exciting—and dangerous—underground club scene in the world. …

Rio de Janeiro, Brazil, is the glamorous city of Carnival, the statue of Christ the Redeemer and Copacabana beach. But the poorest fifth of its residents – about a million people, many of them black – live in the favelas, the claustrophobic brick shantytowns that cover the hills and sprawl chaotically out for miles into its outskirts. In the favelas, the city police have effectively relinquished control to armed drugs factions, who run their territory according to their own strict codes. Estimates put the number of young men involved in drug trafficking at between 20,000 and 100,000. It’s just like the movie City of God – only much more violent.

Favelas, the slums of Rio De Janeiro Read More »

FBI used OnStar for surveillance

From Charles R. Smith’s “Big Brother on Board: OnStar Bugging Your Car“:

GM cars equipped with OnStar are supposed to be the leading edge of safety and technology. …

However, buried deep inside the OnStar system is a feature few suspected – the ability to eavesdrop on unsuspecting motorists.

The FBI found out about this passive listening feature and promptly served OnStar with a court order forcing the company to give it access. The court order the FBI gave OnStar was not something out of the Patriot Act involving international terrorism or national security but a simple criminal case.

According to court records, OnStar complied with the order but filed a protest lawsuit against the FBI.

Yet the FBI was able to enforce the original legal order and completed its surveillance because OnStar’s lawsuit took nearly two years to pass through the court system.

The 9th Circuit Court of Appeals recently ruled in OnStar’s favor. The ruling was not based on invasion-of-privacy grounds or some other legitimate constitutional basis. The FBI lost because the OnStar passive listening feature disables the emergency signal, the very life-saving call for help that the advertisements tout as the main reason to purchase the system. …

The technical problem of blocking the emergency signal is clearly one that the FBI tech teams can overcome. Thus, under the current ruling, the FBI can resume using OnStar to monitor subject vehicles once it has solved the emergency issue.

FBI used OnStar for surveillance Read More »

PATRIOT Act greatly expands what a ‘financial institution’ is

From Bruce Schneier’s “News” (Crypto-Gram Newsletter: 15 January 2004):

Last month Bush snuck into law one of the provisions of the failed PATRIOT ACT 2. The FBI can now obtain records from financial institutions without requiring permission from a judge. The institution can’t tell the target person that his records were taken by the FBI. And the term “financial institution” has been expanded to include insurance companies, travel agencies, real estate agents, stockbrokers, the U.S. Postal Service, jewelry stores, casinos, and car dealerships.

PATRIOT Act greatly expands what a ‘financial institution’ is Read More »

A new fraud: faking an entire company

From David Lague’s “Next step in pirating: Faking a company” (International Herald Tribune: 28 April 2006):

At first it seemed to be nothing more than a routine, if damaging, case of counterfeiting in a country where faking it has become an industry.

Reports filtering back to the Tokyo headquarters of the Japanese electronics giant NEC in mid-2004 alerted managers that pirated keyboards and recordable CD and DVD discs bearing the company’s brand were on sale in retail outlets in Beijing and Hong Kong.

Like hundreds, if not thousands, of manufacturers now locked in a war of attrition with intellectual property thieves in China, the company hired an investigator to track down the pirates.

After two years and thousands of hours of investigation in conjunction with law enforcement agencies in China, Taiwan and Japan, the company said it had uncovered something far more ambitious than clandestine workshops turning out inferior copies of NEC products. The pirates were faking the entire company.

Evidence seized in raids on 18 factories and warehouses in China and Taiwan over the past year showed that the counterfeiters had set up what amounted to a parallel NEC brand with links to a network of more than 50 electronics factories in China, Hong Kong and Taiwan.

In the name of NEC, the pirates copied NEC products, and went as far as developing their own range of consumer electronic products – everything from home entertainment centers to MP3 players. They also coordinated manufacturing and distribution, collecting all the proceeds.

The Japanese company even received complaints about products – which were of generally good quality – that they did not make or provide with warranties.

NEC said it was unable to estimate the total value of the pirated goods from these factories, but the company believed the organizers had “profited substantially” from the operation.

“These entities are part of a sophisticated ring, coordinated by two key entities based in Taiwan and Japan, which has attempted to completely assume the NEC brand,” said Fujio Okada, the NEC senior vice president and legal division general manager, in written answers to questions.

A new fraud: faking an entire company Read More »

Some surprising data isn’t encrypted in ATM transfers

From “Triple DES Upgrades May Introduce New ATM Vulnerabilities” (Payment News: 13 April 2006):

In a press release today, Redspin, an independent auditing firm based in Carpinteria, CA, suggests that the recent mandated upgrades of ATMs to support triple DES encryption of PINs has introduced new vulnerabilities into the ATM network environment – because of other changes that were typically made concurrently with the triple DES upgrades.

<begin press release>Redspin, Inc. has released a white paper detailing the problem. Essentially, unencrypted ATM transaction data is floating around bank networks, and bank managers are completely unaware of it. The only data from an ATM transaction that is encrypted is the PIN number.

“We were in the middle of an audit, looking at network traffic, when there it was, plain as day. We were surprised. The bank manager was surprised. Pretty much everyone we talk to is surprised. The card number, the expiration date, the account balances and withdrawal amounts, they all go across the networks in cleartext, which is exactly what it sounds like — text that anyone can read,” explained Abraham.

Ironically, the problem came about because of a mandated security improvement in ATMs. The original standard for ATM data encryption (DES) was becoming too easy to crack, so the standard was upgraded to Triple DES. Like any home improvement project, many ATM upgrades have snowballed to include a variety of other enhancements, including the use of transmission control protocol/Internet protocol (TCP/IP) — moving ATMs off their own dedicated lines, and on to the banks’ networks. …

A hacker tapping into a bank’s network would have complete access to every single ATM transaction going through the bank’s ATMs.<end press release>

Some surprising data isn’t encrypted in ATM transfers Read More »

Another answer to “I have nothing to hide”

From John Twelve Hawks’s “ How We Live Now” (2005):

“And so what if they know all about me?” asks the honest citizen. “I’m good person. I’ve got nothing to hide.” This view assumes that the intimate personal information easily found in our computerized system is accurate, secure, and will only be used for your benefit. What if criminals access your information? What if corporations deny you insurance or employment because the wrong data has ended up in your file? What if you simply want to take control over who knows what about you?

Another answer to “I have nothing to hide” Read More »

Illegality practices by the US in the “War on Terror”

From Tony Judt’s “The New World Order” (The New York Review of Books: 14 July 2005):

The unrepublican veneration of our presidential “leader” has made it uniquely difficult for Americans to see their country’s behavior as others see it. The latest report from Amnesty International – which says nothing that the rest of the world doesn’t already know or believe but which has been denied and ridiculed by President Bush – is a case in point. The United States “renders” (i.e., kidnaps and hands over) targeted suspects to third-party states for interrogation and torture beyond the reach of US law and the press. The countries to whom we outsource this task include Egypt, Saudi Arabia, Jordan, Syria (!), Pakistan – and Uzbekistan. Where outsourcing is impractical, we import qualified interrogators from abroad: in September 2002 a visiting Chinese “delegation” was invited to participate in the “interrogation” of ethnic Uighur detainees held at Guantánamo.

At the US’s own interrogation centers and prisons in Iraq, Afghanistan, and Guantánamo Bay, at least twenty-seven “suspects” have been killed in custody. This number does not include extrajudicial, extraterritorial “targeted assassinations”: a practice inaugurated by Benito Mussolini with the murder of the Rosselli brothers in Normandy in 1937, pursued with vigor by Israel, and now adopted by the Bush administration. The Amnesty report lists sixty alleged incarceration and interrogation practices routinely employed at US detention centers, Guantánamo in particular. These include immersion in cold water to simulate drowning, forced shaving of facial and body hair, electric shocks to body parts, humiliation (e.g., being urinated upon), sex-ual taunting, the mocking of religious belief, suspension from shackles, physical exertion to the point of exhaus-tion (e.g., rock-carrying), and mock execution.

Any and all of these practices will be familiar to students of Eastern Europe in the Fifties or Latin America in the Seventies and Eighties – including the reported presence of “medical personnel.” But American interrogators have also innovated. One technique has been forcibly to wrap suspects – and their Korans – in Israeli flags: a generous gesture to our only unconditional ally, but calculated to ensure that a new generation of Muslims worldwide will identify the two countries as one and hate them equally.

All of these practices – and many, many others routinely employed at Guantánamo, at Kandahar and Bagram in Afghanistan, at al-Qaim, Abu Ghraib, and elsewhere in Iraq – are in breach of the Geneva Conventions and the UN Convention against Torture, to both of which the US is a signatory

Illegality practices by the US in the “War on Terror” Read More »