Showing posts with label botnets.

Saturday, July 25, 2009

Bad spammer neighborhoods

I've been collecting data about IPs that have been attempting to spam my mail server for the past few months, and today I decided to take a look at what neighborhoods of /24 networks are the most heavily populated with spamming IPs.

Here's the list of the top ten "worst neighborhoods" trying to send me spam, mostly with dictionary attacks against my domain. These are all blocked by the CBL, so none of this spam actually gets through, but it ties up my bandwidth.

I've put an asterisk (*) next to the ranges that are probably actually smaller than /24s based on the distribution of IPs.

Does anybody know of an existing tool that identifies likely bad ranges to block based on the distribution of known bad IPs? All I did here was count IPs within each /24, but it would be nicer to identify the likely ranges of badness at both a more fine-grained level (sub-/24 blocks) and a broader one (aggregating adjacent /24s).

Note that these bad neighborhoods may be neighborhoods of poorly secured machines, or they may be neighborhoods of malicious machines. Either way, the providers are not doing a good job of cracking down on malicious activity from their networks.

1. 64.32.26.0/24 (25 IPs)
45 46 51 52 54 66 68 73 81 90 100 102 104 111 113 126 155 157 163 168 194 199 204 236 242
AS 46844 | 64.32.26.0 | ST-BGP - SHARKTECH INTERNET SERVICES
Upstream provider: AS 7922 | 64.32.26.0 | COMCAST-7922 - Comcast Cable Communications, Inc.

*2. 89.232.105.0/24 (24 IPs)
21 24 29 32 48 57 59 63 64 68 76 89 93 94 97 101 103 107 114 117 126 129 137 139
AS 28840 | 89.232.105.0 | TATTELECOM-AS Tattelecom.ru/Tattelecom Autonomous System
Upstream provider: AS 6854 | 89.232.105.0 | SYNTERRA-AS SYNTERRA Joint Stock Company

3. 208.84.243.0/24 (20 IPs)
13 30 63 68 78 92 99 123 148 150 175 176 179 185 196 199 216 219 226 250
AS 40260 | 208.84.243.0 | TERRA-NETWORKS-MIAMI - Terra Networks Operations Inc.
Upstream provider: AS 22364 | 208.84.243.0 | AS-22364 - Telefonica USA, Inc.

*4. 83.149.3.0/24 (17 IPs)
5 6 12 14 16 18 21 22 25 28 30 40 42 47 48 51 63
AS 31213 | 83.149.3.0 | MF-NWGSM-AS OJSC MegaFon Network
Upstream providers: AS 12389 | 83.149.3.0 | ROSTELECOM-AS JSC Rostelecom
AS 20485 | 83.149.3.0 | TRANSTELECOM JSC Company TransTeleCom

*5. 76.164.227.0/24 (16 IPs)
138 155 159 174 182 186 194 199 202 206 210 218 222 230 238 246
AS 36114 | 76.164.227.0 | RDTECH-ASN - R & D Technologies, LLC
Upstream providers: AS 6473 | 76.164.227.0 | WCIXN4 - WCIX.Net, Inc.
AS 35937 | 76.164.227.0 | MARQUISNET - MarquisNet LLC

6. 76.164.232.0/24 (15 IPs)
13 21 24 33 36 38 40 43 48 57 198 206 218 232 234
AS 36114 | 76.164.232.0 | RDTECH-ASN - R & D Technologies, LLC
Upstream providers: AS 6473 | 76.164.227.0 | WCIXN4 - WCIX.Net, Inc.
AS 35937 | 76.164.227.0 | MARQUISNET - MarquisNet LLC

7. 77.120.128.0/24 (15 IPs)
20 37 50 85 93 104 107 112 159 162 187 232 239 248 252
AS 43011 | 77.120.128.0 | DATASVIT-AS ISP Datasvit AS Number
Upstream provider: AS 25229 | 77.120.128.0 | VOLIA-AS Volia Autonomous System

*8. 78.138.170.0/24 (12 IPs)
66 68 77 78 160 166 178 189 190 193 202 211
AS 28840 | 78.138.170.0 | TATTELECOM-AS Tattelecom.ru/Tattelecom Autonomous System
Upstream provider: AS 6854 | 89.232.105.0 | SYNTERRA-AS SYNTERRA Joint Stock Company

9. 77.232.143.0/24 (12 IPs)
33 37 40 63 69 104 175 182 190 215 218 251
AS 42145 | 77.232.143.0 | BSTV-AS OOO Bryansk Svyaz-TV
Upstream provider: AS 20485 | 77.232.143.0 | TRANSTELECOM JSC Company TransTeleCom

*10. 95.154.113.0/24 (12 IPs)
140 178 181 185 193 195 197 206 218 246 248 254
AS 44724 | 95.154.113.0 | OCTOPUSNET-AS Octopusnet LTD
Upstream provider: AS 34470 | 95.154.113.0 | PTKOM-AS PortTelekom Autonomous system
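The per-/24 counting the post describes, extended to the two questions it raises: for each bucket it also reports the smallest CIDR block that covers every hit (the asterisk cases), and the same ranking can be run at a coarser prefix such as /16 to see which /24s cluster. This is an added example, not the author's script; the sample input is constructed from the last octets listed for entries 1, 5 and 6 above, plus one stray address in a documentation range (198.51.100.0/24) to show that singletons are dropped.

```python
import ipaddress
from collections import defaultdict

# Constructed sample input: the last octets the post lists for entries 1, 5 and 6,
# plus one lone hit in a documentation (TEST-NET-2) range.
SAMPLE_BAD_IPS = (
    [f"64.32.26.{o}" for o in (45, 46, 51, 52, 54, 66, 68, 73, 81, 90, 100, 102, 104,
                               111, 113, 126, 155, 157, 163, 168, 194, 199, 204, 236, 242)]
    + [f"76.164.227.{o}" for o in (138, 155, 159, 174, 182, 186, 194, 199, 202, 206,
                                   210, 218, 222, 230, 238, 246)]
    + [f"76.164.232.{o}" for o in (13, 21, 24, 33, 36, 38, 40, 43, 48, 57, 198, 206,
                                   218, 232, 234)]
    + ["198.51.100.7"]
)


def tightest_block(addrs):
    """Smallest CIDR block containing every IPv4Address in addrs.

    Starting at /32, shorten the prefix until the leading prefixlen bits of the
    lowest and highest address agree; that is the block they all share.
    """
    lo, hi = int(min(addrs)), int(max(addrs))
    prefixlen = 32
    while prefixlen > 0 and (lo >> (32 - prefixlen)) != (hi >> (32 - prefixlen)):
        prefixlen -= 1
    return ipaddress.ip_network(f"{ipaddress.ip_address(lo)}/{prefixlen}", strict=False)


def rank_neighborhoods(ips, prefixlen=24, min_hits=2):
    """Count distinct bad hosts per prefix and rank the prefixes.

    Returns (prefix, hit_count, tightest_block) tuples as strings, most-populated
    prefix first. Prefixes with fewer than min_hits distinct hosts are dropped so
    a single stray hit never turns into a "neighborhood".
    """
    hosts_by_net = defaultdict(set)
    for ip in ips:
        addr = ipaddress.IPv4Address(ip)
        net = ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)
        hosts_by_net[net].add(addr)  # a set, so repeated hits from one host count once
    ranked = [
        (net, len(hosts), tightest_block(hosts))
        for net, hosts in hosts_by_net.items()
        if len(hosts) >= min_hits
    ]
    ranked.sort(key=lambda row: (-row[1], int(row[0].network_address)))
    return [(str(net), hits, str(tight)) for net, hits, tight in ranked]


def report(ips, prefixlen=24):
    """Render the ranking in the post's style: '*' marks a bucket whose hits fit a tighter block."""
    lines = []
    for rank, (net, hits, tight) in enumerate(rank_neighborhoods(ips, prefixlen), start=1):
        flag = "*" if tight != net else ""
        lines.append(f"{flag}{rank}. {net} ({hits} IPs) tightest block: {tight}")
    return "\n".join(lines)


if __name__ == "__main__":
    print("Per /24:")
    print(report(SAMPLE_BAD_IPS, 24))
    print("\nPer /16:")
    print(report(SAMPLE_BAD_IPS, 16))
```

On the sample, entry 5 collapses to 76.164.227.128/25 (the post's asterisk), and at /16 the two 76.164.x /24s fall into one 76.164.224.0/20 block, which is the kind of broader range the post asks about.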

Friday, June 26, 2009

Bad military botnet proposal still being pushed

I just came across an April 2009 BBC story which shows that USAF Col. Williamson is still promoting his idea of building a U.S. military botnet to engage in offensive denial of service attacks against foreign targets on the Internet.

But I haven't seen him respond to any of the criticisms of his bad idea, including in the online forum of the journal where he published it.

I think a more effective idea would be to adjust the computer crime statutes to provide immunity to prosecution (or at the very least an affirmative defense to criminal charges) for private responses to attacks that meet certain criteria, so that ISPs, security researchers, and competent individuals could engage in offensive actions against compromised machines to disable malicious software or take them off the network. Perhaps some kind of licensing or bonding would do the trick, and ISPs could put an exception into their acceptable use policies for entities that met the criteria.

That's also my partial response to this more recent BBC story about "what rules apply in cyber-wars" which led me to find the Williamson article.

Tuesday, May 12, 2009

Tracking cyberspies through the web wilderness

Yesterday's New York Times has an interesting article about how security researchers at the University of Toronto have helped uncover online spy activity, apparently conducted by the Chinese government, against the Dalai Lama's office in India.

One odd comment in the article: "And why among the more than 1,200 compromised government computers representing 103 countries, were there no United States government systems?"

I find this particularly odd in that I've seen compromised U.S. government systems plenty of times in my information security career, including spam issued from military computers. I don't find it plausible that the U.S. government has recently improved the security of all of its computers and networks so that there are no more compromised systems.

In context, the article is discussing specifically compromises by the particular spy ring being monitored. The preceding sentences point out that the researchers weren't able to determine with certainty who was running it, and the immediately preceding sentence asks, "Why was the powerful eavesdropping system not password-protected, a weakness that made it easy for Mr. Villeneuve to determine how the system worked?"

The question should actually have asked why it wasn't encrypted, rather than "password-protected," but the possibilities this suggests to me are that (a) this particular activity is being run by amateurs or (b) this particular activity was intentionally detectable, either (i) as a distraction from other, more hidden activity or (ii) to put the blame on China by somebody other than China.

Saturday, April 04, 2009

The Cybersecurity Act of 2009

There's FUD spreading about Sec. 14 of the Cybersecurity Act of 2009, maintaining that it amounts to an effective repeal of the 4th Amendment for the Internet. That's not so--the scope is restricted to "threat and vulnerability information" regarding the Internet, which I interpret to mean network service provider knowledge about compromised systems, botnets, etc., much of which is no doubt already being voluntarily shared with the government as is permissible under the Electronic Communications Privacy Act of 1986, when, in the course of a provider's normal service monitoring, it becomes aware of possible criminal activity.

I expect I'll have more to say after I have a chance to read through the whole bill (PDF).

Thursday, August 28, 2008

Military botnets article

I'm quoted in Peter Buxbaum's "Battling Botnets" article in the August 20, 2008 Military Information Technology. It didn't really fully capture the points I made in the interview, and I don't remember saying the statement at the end about using botnets as an offensive measure as "a nuclear option." I said that nullrouting is a much better method of denial of service for network service providers than flooding attacks, and made a point similar to Schneier's about military attacks on the infrastructure of another nation that the U.S. is at war with--it would be more useful to obtain access to their systems, monitor, and disrupt than to just shut off access completely, but those points weren't reflected in the article.

I've written more about military use of botnets at this blog.

Tuesday, May 13, 2008

Bad military botnet proposal

An article by Col. Charles W. Williamson III titled "Carpet bombing in cyberspace: Why America needs a military botnet" has been published by the Armed Forces Journal.

Col. Williamson, seeing that miscreants are using compromised machines all over the Internet to create botnets used for malicious purposes, has decided that the military needs to create its own, legitimate botnet. He proposes that this would be used in order to respond to online attacks from foreign countries by attacking the attackers, including both government and civilian attacking machines as necessary. He specifically proposes not using compromised machines (which would be illegal), but using machines on the af.mil (U.S. Air Force) network, including all hosts on the NIPRNet (Nonsecret IP Network).

The proposal doesn't really make any sense to me.

First of all, attacks from hostile compromised machines on the Internet occur on a daily basis and are already handled by network service providers. These attacks are never likely to be initiated specifically from an individual attacking country's systems, but rather from compromised systems all over the world--sometimes including compromised systems belonging to the U.S. military. Second, the best way to respond to attacking systems is not by launching hostile traffic back at them, but by filtering them or nullrouting them. Again, network service providers already do this today, and cooperate with each other in addressing major attacks. Thirdly, if the U.S. military sets up a botnet and uses it to launch denial of service attacks, it will be in violation of its own contracts with its network service providers--I don't know of any network service provider that offers a military exception to its terms of service regarding denial of service attacks. Fourth, if all of the U.S. military bots are on its own network, their aggregate bandwidth still can't exceed the bandwidth of its connections to other networks. Fifth, if there are attacks coming from another country that the U.S. is at war with, the recent subsea cable outages in the Middle East suggest that there are other effective mechanisms for disabling their ability to engage in Internet attacks.

Finally, it's not clear to me what benefit would be obtained from the military setting up its own botnet on its own network using its own IPs. Botnets offer two main benefits--(1) offering a distributed platform for computing and traffic generation and (2) creating a buffer of separation between the agent performing an action and the action itself. The second benefit occurs because the miscreant doesn't own the machines that make up the botnet, lots of other people do. A botnet composed entirely of hosts on the military's network is relatively easy to identify, filter, and block--the second benefit doesn't exist. The first benefit is also mostly lost if you use your own network and hosts. The point of a distributed denial of service attack is to use up the other guy's bandwidth, but not your own. That's very easy to do if you're not using your own resources, which is why distributed denial of service attacks use compromised systems and, sometimes, methods to amplify attacks using other people's servers that send out responses that are larger than the requests that prompt them. But if you're using your own resources on your own networks, you're limited to the bandwidth you have at your network interconnection points, and multiplying hosts inside that perimeter gains you nothing except a guarantee that you can saturate your own internetwork connectivity and cut yourself off from the outside unless your target has less bandwidth than you do. It's ironic that Williamson complains about a "fortress mentality," while making a proposal to create a gigantic bot army inside the military's own perimeter. A million-man army doesn't help you if they're inside a fortress with exits that restrict its ability to be deployed, except when you can win the battle with the number of men who can leave the exits at any one time.

I've also posted a comment on the Armed Forces Journal article at the AFJ's forum where I make a few additional points. I also agree with many of the other critical remarks that have been made in the thread there. "Crass Spektakel"'s point that "Whoever controls BGP and the backbone routers controls the internet" and that most of the control of BGP routing and the routing registries resides in the U.S. is a good one. A similar point could be made about DNS.

Other posts on this subject:

Kevin Poulsen at the Wired blog
Jon Stokes at Ars Technica

UPDATE (May 14, 2008): I may take some heat for even suggesting this, but an idea which actually takes advantage of both of the characteristic benefits of botnets I listed above and would be far, far more effective than Williamson's proposal would be if the military produced bot software along the lines of SETI@Home and Folding@Home, which anyone could volunteer to download and run on their home or corporate machines (or better still, made available to run on Xboxes and PlayStation 3s), for use by the military when needed. Some of the abuse worries could be defeated if the activation and deactivation of the software was fully under the control of the end user, and the military obtained appropriate permission from upstream ISPs for activities which would otherwise constitute AUP violations by end users.

I hasten to add that this is still a terrible idea--putting such software out in public makes it a certainty that it would be reverse-engineered, and the probability of it being compromised by third parties for their own abuses would correspondingly increase.

UPDATE: Looks like Paul Raven beat me to the "Milnet@Home" idea, as he dubs it. A commenter at Bruce Schneier's blog also came up with the same idea.

F-Secure's blog also offers some good criticisms of Williamson's proposal.

Thursday, February 21, 2008

Canada busts 17 in botnet ring

This morning Canada arrested 17 people of ages ranging from 17 to 26 years old for running botnets containing "up to one million computers" in 100 countries. They face charges that could result in up to 10 years in prison.

This barely scratches the surface of online criminal activity. Niels Provos of Google did a study (PDF) that found that of 4.5 million websites scanned between March of 2006 and February of 2007, 450,000 of them attempt to load malware on visiting machines. Sophos' similar survey in July of last year found that 29% of websites host malware, 28% host porn or gambling content, and 19% are spam-related. Drive-by malware installations (where merely visiting a website causes malware to be loaded onto your machine) are definitely the method of choice for creating botnets today. I recommend using Firefox with the NoScript plugin and the MyWOT plugin to help prevent getting infected by such sites.

Tomorrow, I'll be attending a New Mexico InfraGard conference at which I hope to learn more about recent malware trends (and get my copy of Catch Me If You Can and/or The Art of the Steal autographed by their author). This is another one open to the general public, so I expect no talk about "shoot to kill" powers except in jest.

UPDATE (February 22, 2008): I'm quoted in Brian Jackson's article on the Quebec botnet hacker bust on itbusiness.ca. I'm not entirely happy with the quotes attributed to me--I didn't say "tens of millions," though I said there have been botnets with more than a million hosts, and there are multiple millions of compromised hosts out there. If tens of millions is not accurate today, it will be in the future. The other quotation about IRC got a little bit garbled, but is not far off--I made the point that the bots of today have evolved from a combination of IRC bots of the past combined with denial of service attack tools, remote access trojans, and other malware, and many of them still use IRC as their mode of communication.

Friday, February 08, 2008

Tinfoil hat brigade generates fear about Infragard

An article in The Progressive by Matthew Rothschild worries that the FBI's InfraGard program is deputizing businesses, training them for martial law, and giving them a free pass to "shoot to kill." Rothschild writes:
The members of this rapidly growing group, called InfraGard, receive secret warnings of terrorist threats before the public does—and, at least on one occasion, before elected officials. In return, they provide information to the government, which alarms the ACLU. But there may be more to it than that. One business executive, who showed me his InfraGard card, told me they have permission to “shoot to kill” in the event of martial law.
Nonsense. I've been a member of the Phoenix InfraGard Members Alliance for years. It's a 501(c)(3) organization sponsored by the FBI whose members have been subjected to some rudimentary screening (comparable to what a non-cleared employee of the federal government would get). Most InfraGard meetings are open to the general public (contrary to Rothschild's statement that "InfraGard is not readily accessible to the general public"), but the organization facilitates communications between members about sensitive subjects like vulnerabilities in privately owned infrastructure and the changing landscape of threats. The FBI provides some reports of threat information to InfraGard members through a secure website, which is unclassified but potentially sensitive information. InfraGard members get no special "shoot to kill" or law enforcement powers of any kind--and membership in the organization is open to anyone who can pass the screening. As Rothschild notes in the first sentence of his article, there are over 23,000 members--that is a pretty large size for a conspiracy plot.

At one point in the article, Rothschild quotes InfraGard National Members Alliance chairman Phyllis Schneck referring to a "special telecommunications card that will enable your call to go through when others will not." This is referring to a GETS card, for the Government Emergency Telecommunications Service, which provides priority service for call completion in times of emergency or disaster to personnel who are working to support critical infrastructure. There is a similar service for wireless priority (Wireless Priority Service), and yet another for critical businesses and organizations (like hospitals) which need to have their telecommunications service re-established first after a loss of service due to disaster (Telecommunications Service Priority). These programs are government programs that are independent of InfraGard, though InfraGard has helped members who represent pieces of critical infrastructure obtain GETS cards.

The ACLU's concern about InfraGard being used as a tip line to turn businesses into spies is a more plausible but still, in my opinion, unfounded concern. Businesses are not under any pressure to provide information to InfraGard, other than normal reporting of criminal events to law enforcement. The only time I've been specifically asked to give information to InfraGard is when I've been asked to speak at a regular meeting, which I've done a few times in talks that have been open to the public about malware threats and botnets.

Check out the comments in The Progressive for some outright hysteria about fascism and martial law. I saw similar absurdity regarding the Department of Homeland Security's TOPOFF 4 exercise, which was a sensible emergency planning exercise. Some people apparently are unable to distinguish common-sense information sharing and planning in order to defend against genuine threats from the institution of a fascist dictatorship and martial law.

Now, I think there are plausible criticisms to be made of the federal government's use of non-governmental organizations--when they're used to sidestep laws and regulations like the Freedom of Information Act, to give lots of government grant money to organizations run by former government employees, to legally mandate funding of and reporting to private organizations and so forth. The FBI has created quite a few such organizations to do things like collect information about missing and exploited children, online crime, and so forth, typically staffed by former agents. But personally, I've not witnessed anything in InfraGard that has led me to have any concerns that it's being used to enlist private businesses into questionable activities--rather, it's been entirely devoted to sharing information that private businesses can use to shore up their own security and for law enforcement to prosecute criminals.

UPDATE (February 9, 2008): The irony is that Matthew Rothschild previously wrote, regarding 9/11 truthers:
We have enough proof that the Bush administration is a bunch of lying evildoers. We don't need to make it up.
He's right about that, but he's now helped spread nonsense about InfraGard and seriously damaged his own credibility. I find it interesting that people are so willing to conclude that InfraGard is a paramilitary organization, when it's actually an educational and information sharing organization that has no enforcement or even emergency, disaster, or incident response function (though certainly some of its members have emergency, disaster, and incident response functions for the organizations they work for).

UPDATE (February 10, 2008): I suspect tomorrow Christine Moerke of Alliant Energy will be getting calls from reporters asking what specifically she confirmed. I hope they ask for details about the conference in question, whether it was run by InfraGard or DHS, what the subject matter was, and who said what. If there's actually an InfraGard chapter endorsing the idea that InfraGard members form armed citizen patrols authorized to use deadly force in time of martial law, that's a chapter that needs to have its leadership removed. My suspicion, though, is that some statements about protection of infrastructure by their own security forces in times of disaster or emergency have been misconstrued. Alliant Energy operates nuclear plants, nuclear plants do have armed guards, and in Arizona, ARS 13-4903 describes the circumstances under which nuclear plant security officers are authorized to use deadly force. Those people, however, are thoroughly trained and regularly tested regarding the use of force and the use of deadly force in particular, which is not the case for InfraGard members.

UPDATE (February 11, 2008): Somehow, above, I neglected to make the most obvious point--that the FBI doesn't have the authority to grant immunity to prosecution for killing. If anyone from the FBI made that statement to InfraGard members, they were saying something that they have no authority to deliver on.

UPDATE (February 12, 2008): I've struck out part of the above about the ACLU's concern about spying being unfounded, as I think that's too strong of a denial. There is a potential slippery slope here. The 9/11 Commission Report pointed to various communication problems that led to the failure to prevent the 9/11 attacks. These problems included failure to share information (mainly from the CIA to the FBI and INS), failure to communicate information within the FBI (like Phoenix Special Agent Ken Williams' memo about suspicious Middle Easterners in flight schools), and failure to have enough resources to translate NSA intercepts (some specific chatter about the attacks was translated after the attacks had already occurred). As a result, the CIA has been working closely with the FBI on counterterrorism and counterintelligence at least since 2001. (Also see Dana Priest, "CIA Is Expanding Domestic Operations," The Washington Post, October 23, 2002, p. A02, which is no longer available on the Post's site but can be found elsewhere on the web, on sites whose other content is so nutty I refuse to link, as well as this January 2006 statement from FBI Director Robert Mueller on the InfraGard website, which includes the statement that "Today, the FBI and CIA are not only sharing information on a regular basis, we are exchanging employees and working together on cases every day.")

The slippery slope is this--the CIA is an organization which recruits and develops in its officers a sense of flexible ethics which has frequently resulted in incredible abuses, and which arguably has done more harm than good to U.S. interests. (My opinion on the CIA may be found in my posts on this blog labeled "CIA"; I highly recommend Tim Weiner's Legacy of Ashes: The History of the CIA.) Some of that ethical flexibility may well rub off on FBI agents who work closely with CIA case officers. (The FBI itself has also had a history of serious abuses, an objective account of which may be found in Ronald Kessler's book The Bureau: The Secret History of the FBI.) And then, that same ethical flexibility may rub off on InfraGard members as a result of their relationships with the FBI (and potentially relationships with the CIA, as well). The intelligence community seems to have a hunger for more and more information from more and more sources, but it is already awash in a sea of information that it has trouble processing today. (It doesn't help that the Army fires direly needed Arabic translators because they are gay.) The need is to accurately assess the information that it has, and ensure that bits and pieces aren't cherry-picked to produce desired conclusions, as well as ensure that information isn't sought or assembled to serve personal and political ends of particular interests rather than combatting genuine threats to the country and its citizens.

My recommendation is that all InfraGard members read Kessler's The Bureau, Weiner's Legacy of Ashes, and view the film that won the 2007 Academy Award for best foreign film, "The Lives of Others," to help inoculate them against such a slippery slope.

UPDATE: Amy Goodman interviewed Matt Rothschild for "Democracy Now!" on Wisconsin Public Television, in which it is pretty clear to me that Rothschild is exaggerating something he doesn't understand--what he cites as evidence doesn't support what he claims. Here's a key excerpt, see the link for the full transcript:
MR: [...] And one other member of InfraGard [Christine Moerke of Alliant Energy] confirmed to me that she had actually been at meetings and participated in meetings where the discussion of lethal force came up, as far as what businesspeople are entitled to do in times of an emergency to protect their little aspect of the infrastructure.
AG: But just to clarify, Matt Rothschild, who exactly is empowered to shoot to kill if martial law were declared? The business leaders themselves?
MR: The business leaders themselves were told, at least in this one meeting, that if there is martial law declared or if there’s a time of an emergency, that members of InfraGard would have permission to protect—you know, whether it’s the local utility or, you know, their computers or the financial sector, whatever aspect. Whatever aspect of the infrastructure they’re involved with, they’d have permission to shoot to kill, to use lethal force to protect their aspect of the infrastructure, and they wouldn’t be able to be prosecuted, they were told.
[...]
You know, this is a secretive organization. They’re not supposed to talk to the press. You need to get vetted by the FBI before you can join it. They get almost daily information that the public doesn’t get. And then they have these extraordinary, really astonishing powers being vested in them by FBI and Homeland Security, shoot-to-kill powers. I mean, this is scary stuff.
It looks to me like the following transformation has occurred:

1. At a DHS conference on emergency response, somebody asks if owners of critical pieces of infrastructure should be expected to use deadly force if necessary to protect it (e.g., a nuclear power plant).
2. Somebody at DHS answers yes. They may even add that in some cases the law provides specific justification for use of deadly force (as in the Arizona statute I cite above).
3. Matt turns that into a general right to "shoot-to-kill" in times of martial law by any InfraGard member.
4. The blogosphere turns that into roving citizen patrols unleashed on the nation as the Bush hit squad after declaration of martial law.

I don't see his key source--Christine Moerke--confirming anything beyond #1 and #2.

Note other exaggerations and contradictions--Rothschild claims that InfraGard is highly secretive and selective, yet has quickly grown to over 23,000 members and has multiple public websites. He fails to note that most InfraGard meetings are open to the general public, or that it has been discussed in many articles in the national press over the last decade. Rothschild speaks of "business leaders," which the blogosphere has turned into "CEOs," yet I suspect the most common "business leader" represented in InfraGard is an IT or physical security manager.

UPDATE (February 15, 2008): The FBI has issued an official response to Rothschild's Progressive article (PDF), which says, in part:
In short, the article's claims are patently false. For the record, the FBI has not deputized InfraGard, its members, businesses, or anything else in the program. The title, however catchy, is a complete fabrication. Moreover, InfraGard members have no extraordinary powers and have no greater right to "shoot to kill" than other civilians. The FBI encourages InfraGard members -- and all Americans -- to report crime and suspected terrorist activity to the appropriate authorities.
The FBI response also states that Rothschild has "refused even to identify when or where the claimed 'small meeting' occurred in which issues of martial law were discussed," and promises to follow up with further clarifying details if they get that information.

UPDATE (February 25, 2008): Here's another blogger with a rational response to The Progressive article.

UPDATE (March 2, 2008): Matthew Rothschild has responded to the FBI's response on Alex Jones' Info Wars blog, and he stands behind every word of his original article. He doesn't display any knowledge of or response to any of the criticisms I've offered.

Thursday, January 03, 2008

Notorious major spammer indicted

Alan Ralsky, at one time believed to be the top spammer in the world, has finally been indicted today by a federal grand jury. His home was raided back in 2005, and he's now been charged along with ten other people in "a wide ranging international fraud scheme involving the illegal use of bulk commercial e-mailing." Those indicted include James E. Bragg, 39, of Queen Creek, Arizona.

The indictment alleges that Ralsky's spam gang "tried to send spam" through botnets and engaged in a "pump and dump" stock scam for Chinese companies. The Detroit Free Press's coverage reports: "Prosecutors described Ralsky, 52, of West Bloomfield, as one of the most prolific spammers in the nation. Until 2005, when federal agents raided his home and seized his computers, his operation sent tens of millions of unsolicited email messages daily to Internet subscribers, hawking everything from sexual enhancement drugs, weight loss products and worthless stock, the government said. In the summer of 2005 alone, prosecutors said, his operation generated $3 million."

The DOJ press release is here.

Tuesday, November 06, 2007

Spammers and criminals for Ron Paul

From metafilter:
When Ron Paul email spam started hitting inboxes in late October, UAB Computer Forensics Director Gary Warner published findings on the spam's textual patterns and the illicit botnet used to spread it -- findings which were picked up by media outlets and tech websites like Salon, Ars Technica, and Wired Magazine's "Threat Level" blog, the latter in a set of followup posts by writer Sarah Stirland: 1, 2, 3.

The Ron Paul fan response was swift and decisive: clearly the botnet was the work of anti-Ron Paul hackers trying to discredit his campaign, and Rudy Giuliani had paid Stirland (and not UAB Computer Forensics) to do a smear piece -- as claimed by a YouTube video pointing to posts on RudyGiulianiForum.com. Thus proving, once again, that the Ron Paul campaign's greatest liability is not so much his far-right conspiracy-driven antifederal libertarianism, but rather the spittle-flecked anger of his own noisiest supporters.
There are definitely a lot of nuts among Ron Paul's supporters. Meanwhile, he raised $3.8 million yesterday (apparently a number revised downward from $4.3 million) in the largest one-day online political fundraiser ever. Intrade currently shows Paul as the third most likely GOP nominee, after Giuliani and Romney.

A few other Ron Paul-related blog posts that I realize I've neglected to mention here, from Dispatches from the Culture Wars:

"Is Ron Paul a Dominionist?"
Argues that Paul appears to have much in common with some theocrats.

"Sandefur on Ron Paul" Doubts that Paul is a dominionist, but suggests he might be a Thomas DiLorenzo-style neo-confederate who thinks we don't even need a federal government (in which case he wouldn't really be the supporter of the Constitution that he seems to be) and that the U.S. Civil War wasn't about slavery (which is pernicious nonsense).

I also just came across this story, which says that Paul would like to see the U.S. Constitution amended to remove the subject of abortion from the purview of the courts, which is yet more anti-constitutional insanity.

Thursday, June 14, 2007

Operation Bot Roast

Yesterday, the Washington Post reported on the FBI's "Operation Bot Roast," which busted several criminal users of botnets:

_James C. Brewer, of Arlington, Texas. He was indicted Tuesday on charges of infecting more than 10,000 computers globally, including two Chicago-area hospitals operated by the Bureau of Health Services in Cook County, Ill. The computers at the two hospitals were linked to the health care bureau's mainframe system. They repeatedly froze or rebooted from October to December last year, resulting in delayed medical services, according to the indictment. Brewer was released on a $4,500 bond, court records show.

_Robert Alan Soloway of Seattle. When he was arrested last month, he was described as one of the world's top spammers for allegedly using botnets to send out millions upon millions of junk e-mails since 2003. Soloway continued his activities even after Microsoft won a $7 million civil judgment against him in 2005 and after Robert Brauer [they mean Braver -jjl], the operator of a small Internet service provider in western Oklahoma, won a $10 million judgment. Soloway has pleaded not guilty to all charges in a 35-count indictment.

_Jason Michael Downey, of Covington, Ky. He was accused in Detroit last month of flooding his botnet-linked computers with spam for an 11-week period in 2004 and causing up to $20,000 in unspecified losses, according to court records.

This is just the tip of the iceberg, and follows on the heels of last year's prosecution of Jeanson James Ancheta of Los Angeles, or "botmaster," as he called himself. Like Brewer, he was prosecuted for the damage he caused to hospital computers, so botherders and spammers should beware of making use of hospital computers for their botnets.

Soloway, who was arrested on May 30 in a bust that already got a lot of press, was probably the biggest fish of these so far. His case follows the historically more common pattern--being tracked down and sued in civil court before being criminally charged.

Wednesday, June 06, 2007

The bots of summer

My two-part appearance on "The Security Catalyst" podcast last year has resulted in some media coverage of botnets this week at IT World Canada. The article, "The botnet menace--and what you can do about it," by Joaquim P. Menezes, is more detailed than most media coverage of bots has been. He draws on both my Security Catalyst interview and my colleague Bob Hagen's blog post on bots.

Friday, March 09, 2007

Bob Hagen on botnet evolution

Bob Hagen has put up a post on the evolution of botnets at the Global Crossing blog.

(BTW, I'm hoping to have future opportunity to use titles like "Where the bots are", "The bots from Brazil", and "The bots of summer".)

UPDATE (August 27, 2009): I've replaced the above link with one to the Internet Archive, since the blog post is no longer present at its original location.

Friday, August 18, 2006

Is it worth shutting down botnet controllers?

Gadi Evron has now suggested, following Paul Vixie, that it's a waste of time to fight botnets by shutting down botnet controllers. Here's what I wrote to some colleagues when I read Vixie's statement that stomping out botnets is not only a waste of time, but counter-productive because it causes botherders to change their behavior and find new malicious techniques:
1. If you don't stomp them they are *still* going to develop new ways of doing things as a result of internal competition. It may happen more slowly, but it will still happen. There's no getting around an arms race. Even taking his analogy seriously, he wouldn't recommend that we stop using antibiotics.

2. Waiting on law enforcement to start effectively prosecuting will take a long time, and I don't think I'll be happy with what it will take for them to do it (I'm already unhappy with the new CALEA draft bill that's circulating). Criminal prosecution will likely never target more than a minority of offenders--mostly the high-profile cases.

3. Taking action raises their costs, which applies more broadly the same economic pressure that prosecution applies more narrowly and more strongly. Again, if we take the antibiotic analogy seriously, a diversity of approaches is better than relying on a single approach.

4. Our experience seems to indicate a drop in botnet controller activity when we hit them consistently. If the bulk of miscreants follow the path of least resistance, putting up a fight will tend to push them to environs where people aren't putting up a fight.
Shutting down botnet controllers does have positive effects--and it's much quicker and reliable than law enforcement prosecution. I think a diversity of defensive actions is important, and we need to continue developing more of them--as I said above, it is a continuing arms race.

Richard Bejtlich has also commented on this subject at his TaoSecurity blog, and there's some good discussion in the comments. David Bianco has offered a suggestion at the InfoSecPotpourri blog. Bianco's suggestion is to modify the botnet C&C traffic, which in order to be most effective would have to occur at either large consumer ISPs (where 99+% of the bots are located) or at a small number of high-volume, low-cost webhosting companies (where 75+% of the botnet controllers are located).

There are a number of approaches that are being developed, which I won't describe in any detail here, but I agree that new approaches need to go more strongly after the bots themselves rather than just the botnet controllers. Those approaches need to use Netflow, and they need to use DNS. We also need to provide incentives for consumers with old, unpatched, vulnerable systems to protect themselves and to be protected by their ISPs--that's where the biggest bang for the buck will occur.
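As an added example (not code from the original post, and not from any of the people cited above), here is a sketch of the kind of NetFlow-plus-DNS correlation the paragraph alludes to: rank external destination:port pairs by how many distinct customer hosts hold long-lived, low-volume TCP sessions to them (the IRC-style C&C pattern), then use DNS query records to find the rendezvous names that resolved to those controllers and the additional clients that looked them up. The flow records, DNS records, customer address range, thresholds and domain names are all constructed for illustration; a real deployment would tune the thresholds against its own traffic.

```python
"""Identify likely botnet controllers and bots from flow and DNS records.

Added example, not from the original post. All records, address ranges,
names and thresholds below are constructed/assumed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src: str        # source address
    dst: str        # destination address
    dport: int      # destination port
    proto: str      # "tcp" or "udp"
    packets: int    # packets in the flow
    octets: int     # bytes in the flow
    duration_s: int # flow duration in seconds


# Assumed customer address space of the ISP doing the monitoring (constructed).
CUSTOMER_NETS = [ip_network("10.0.0.0/8")]
MIN_FAN_IN = 3        # distinct customer hosts talking to one dst:port
MAX_AVG_OCTETS = 200  # small keepalive-sized packets, typical of IRC C&C
MIN_DURATION_S = 600  # long-lived sessions, unlike web fetches


def is_customer(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in CUSTOMER_NETS)


def candidate_controllers(flows):
    """Group outbound TCP flows by (dst, dport) and keep groups with high
    fan-in of long-lived, low-volume sessions. Returns {(dst, dport): srcs}."""
    groups = defaultdict(list)
    for f in flows:
        if f.proto == "tcp" and is_customer(f.src) and not is_customer(f.dst):
            groups[(f.dst, f.dport)].append(f)
    found = {}
    for key, fs in groups.items():
        srcs = {f.src for f in fs}
        avg_octets = sum(f.octets for f in fs) / max(1, sum(f.packets for f in fs))
        long_lived = sum(1 for f in fs if f.duration_s >= MIN_DURATION_S)
        if len(srcs) >= MIN_FAN_IN and avg_octets <= MAX_AVG_OCTETS and long_lived >= MIN_FAN_IN:
            found[key] = srcs
    return found


def rendezvous_domains(dns_records, controller_ips):
    """From (client, qname, answer) DNS records, return {qname: clients} for
    every name whose answers include a known controller address."""
    by_name = defaultdict(lambda: {"answers": set(), "clients": set()})
    for client, qname, answer in dns_records:
        by_name[qname]["answers"].add(answer)
        by_name[qname]["clients"].add(client)
    return {name: v["clients"] for name, v in by_name.items()
            if v["answers"] & controller_ips}


def suspected_bots(flows, dns_records):
    """Return (controller_ips, bot_ips): bots seen in flows to a controller,
    plus customer hosts that resolved a rendezvous name for one."""
    ctl = candidate_controllers(flows)
    ctl_ips = {ip for ip, _ in ctl}
    bots = set().union(*ctl.values()) if ctl else set()
    for clients in rendezvous_domains(dns_records, ctl_ips).values():
        bots |= {c for c in clients if is_customer(c)}
    return ctl_ips, bots


# Constructed sample data (RFC 5737 test addresses, .test names).
FLOWS = [
    Flow("10.0.1.5", "198.51.100.7", 6667, "tcp", 120, 9000, 3600),   # IRC C&C session
    Flow("10.0.2.9", "198.51.100.7", 6667, "tcp", 110, 8200, 4000),
    Flow("10.0.3.14", "198.51.100.7", 6667, "tcp", 130, 9700, 3500),
    Flow("10.0.1.5", "203.0.113.20", 80, "tcp", 40, 48000, 5),        # ordinary web traffic
    Flow("10.0.2.9", "203.0.113.20", 80, "tcp", 35, 42000, 4),
    Flow("10.0.3.14", "203.0.113.20", 80, "tcp", 50, 60000, 6),
    Flow("10.0.4.2", "203.0.113.20", 80, "tcp", 45, 51000, 5),
    Flow("10.0.5.1", "198.51.100.9", 6667, "tcp", 100, 7500, 3000),   # one IRC user, no fan-in
]
DNS_RECORDS = [
    ("10.0.1.5", "irc.rendezvous.test", "198.51.100.7"),
    ("10.0.2.9", "irc.rendezvous.test", "198.51.100.7"),
    ("10.0.7.7", "irc.rendezvous.test", "198.51.100.7"),  # bot seen only in DNS
    ("10.0.1.5", "www.site.test", "203.0.113.20"),
]

if __name__ == "__main__":
    controllers, bots = suspected_bots(FLOWS, DNS_RECORDS)
    print("controllers:", sorted(controllers))
    print("bots:", sorted(bots))
```

The point of the DNS step is the one the post makes: flow data alone only shows the bots that happened to connect during the collection window, while the set of customer hosts that resolved the rendezvous name catches the rest (here 10.0.7.7), and the name itself is what to hand to the registrar or to sinkhole.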

Monday, June 12, 2006

When private property becomes the commons

While thinking about Jonathan Adler's presentation at the Skeptics Society conference, it occurred to me that the problem of botnets is, in effect, a tragedy of the commons. The private personal computers of consumers which are connected full-time to the Internet and are not kept up-to-date on patches have, in effect, become a commons to be exploited by the botherders. The owners of the computers are generally not aware of what's going on, as the bots generally try to minimize obtrusiveness in order to continue to operate. The actual damages to each individual are typically quite small (with some notable exceptions--botherders can steal and make use of any data on the machine, including personal identity information and confidential documents), and the individual consumer doesn't have sufficient incentive to prevent the problem (say, by spending additional money on security software or taking the time to maintain the system).

Similarly, the typical entry-level casual blogger may not have incentives to keep their blogs free of spam comments. Neither, for that matter, does commons-advocate Larry Lessig, whose blog's comments are full of spam, making them less useful than they otherwise would be--I think this is an amusing irony about Lessig's position in his book Code. He argues that we need to have some subsidized public space on the Internet, but it seems to me private companies have already created it largely without public subsidy, and I think Declan McCullagh has the better case in his exchange with Lessig. (By contrast, Blogger does have incentive to prevent spam blogs, which consume large amounts of its resources and make its service less useful--and so it sometimes takes heavy-handed automated actions to try to shut them down.)

Bruce Schneier has argued that the right way to resolve this particular problem is by setting liability rules to shift incentives to players who can address the issue--e.g., software companies, ISPs, and banks (for phishing, but see this rebuttal). I agree with Schneier on this general point and with the broader point that economics has a lot to teach information security.

Friday, June 09, 2006

Information Security Index

This post is an index to posts at The Lippard Blog on the subject of information security. This is probably not a complete list; I've tended to exclude posts labeled "security" that don't specifically touch on information security and may have over-excluded.

"Richard Bejtlich reviews Extreme Exploits" (August 16, 2005) Link to Richard Bejtlich review of Extreme Exploits, a book I was the technical editor on.

"Sony's DRM--not much different from criminal hacking" (November 2, 2005) Summary and link to Mark Russinovich's exposure of the Sony rootkit DRM.

"Defending Against Botnets" (November 3, 2005) Link to my presentation on this subject at Arizona State University.

"Sony DRM class action lawsuits" (November 10, 2005) Comment on the Sony rootkit class action lawsuits.

"Another Botnet Talk" (December 11, 2005) Comment on my December botnet talk for Phoenix InfraGard, with links to past botnet presentations.

"Major flaw in Diebold voting machines" (December 23, 2005) A flaw that allows preloading votes on a memory card for Diebold voting machines in an undetectable way.

"The Windows Meta File (WMF) exploit" (January 3, 2006) Description of an at-the-time unresolved Windows vulnerability.

"New Internet consumer protection tool--SiteAdvisor.com" (January 25, 2006) Report on SiteAdvisor.com tool (now a McAfee product).

"Pushing Spyware through Search" (January 28, 2006) Ben Edelman's work on how Google is connected to spyware by accepting paid advertising from companies that distribute it.

"Database error causes unbalanced budget" (February 17, 2006) How a house in Indiana was incorrectly valued at $400 million due to a single-keystroke error, leading to wrongly increased budgets and distribution of funds on the expectation of property tax revenue.

"The Security Catalyst podcast" (February 18, 2006) Announcement of Michael Santarcangelo's security podcast.

"Controversial hacker publishes cover story in Skeptical Inquirer" (February 19, 2006) Critique of Carolyn Meinel's article about information warfare.

"Even more serious Diebold voting machine flaws" (May 14, 2006) Hurst report on new major flaws found in Diebold voting machines.

"Botnet interview on the Security Catalyst podcast" (May 23, 2006) Link to part I of my interview on botnets with Michael Santarcangelo.

"Part II of Botnets Interview" (June 4, 2006) Link to part II of my botnets interview.

"'Banner farms' and spyware" (June 12, 2006) Ben Edelman's exposure of Hula Direct's "banner farms" used to deliver ads via spyware.

"When private property becomes the commons" (June 12, 2006) Consumer PCs as Internet "commons," economics and information security.

"Network security panel in Boston area" (June 12, 2006) Announcement of a public speaking gig.

"Identity Crisis: How Identification is Overused and Misunderstood" (July 6, 2006) Quotation from Tim Lee review of book by Jim Harper with this title.

"9th Circuit approves random warrantless searches and seizures of laptops" (July 28, 2006) Bad decision granting border police the right to perform full forensic examination of the hard drives of laptops carried by people wanting to cross the U.S. border.

"Is it worth shutting down botnet controllers?" (August 18, 2006) A response to remarks by Gadi Evron and Paul Vixie that it is no longer worth shutting down botnet controllers.

"The ineffectiveness of TRUSTe" (September 29, 2006) A larger proportion of sites with TRUSTe certification are marked as untrustworthy in SiteAdvisor's database than of those that don't have TRUSTe certification.

"The U.S. no-fly list is a joke" (October 5, 2006) The no-fly list has major flaws, listing people who aren't a threat and not listing people who are--and presuming that terrorists will be identifiable by their names.

"How planespotting uncovered CIA torture flights" (October 20, 2006) How an unusual hobby allowed for traffic analysis to uncover CIA torture flights.

"Point out the obvious, get raided by the FBI" (October 29, 2006) Chris Soghoian gets raided by the FBI after putting up a web page that allows generation of Northwest Airlines boarding passes.

"Electronic voting machines in Florida having problems in early voting" (October 31, 2006) A report on voting machines registering votes for the wrong candidate due to touch screen calibration issues.

"The Two Faces of Diebold" (November 5, 2006) The difference between the public and private versions of SAIC's report on Diebold voting machine vulnerabilities.

"FBI eavesdropping via cell phones and OnStar" (December 4, 2006) Reports of vulnerabilities in newer cell phones that allow them to be used as listening devices even when powered off.

"Time to Stop Using Microsoft Word" (December 7, 2006) New unpatched malicious code execution vulnerability in most versions of Word.

"Staffer for Congressman tries to hire hacker to change grades" (December 22, 2006) Todd Shriber's failed attempt to retroactively improve his college career.

"My bank is on the ball" (January 6, 2007) My bank prevents theft of my money.

"Skeptical information and security information links" (January 23, 2007) Promotion of my security links and skeptical links sites.

"Schoolteacher convicted on bogus charges due to malware" (February 4, 2007) Connecticut teacher Julie Amero successfully prosecuted for showing porn to kids, when in fact the porn was the result of malware on a machine for which the school district had refused to pay for antivirus software.

"McCain proposes an unfunded mandate for ISPs" (February 7, 2007) McCain sponsors a bill to force ISPs to scan all traffic for and report child porn images they find.

"Warner Music: We'd rather go out of business than give customers what they want" (February 9, 2007) Warner Music says no way to DRM-free music.

"The economics of information security" (February 13, 2007) Ross Anderson and Tyler Moore paper on the economics of infosec.

"How IPv6 is already creating security problems" (February 19, 2007) Apple AirPort allows bypass of firewall rules via IPv6.

"Windows, Mac, and BSD Security" (March 8, 2007) Amusing video parody comparing the OSes.

"Bob Hagen on botnet evolution" (March 9, 2007) My former colleague on trends in botnets.

"The rsync.net warrant canary" (March 25, 2007) How rsync.net will communicate whether it receives a National Security Letter without breaking the law.

"FBI focus on counterterrorism leads to increase in unprosecuted fraud and identity theft" (April 11, 2007) The law of unintended consequences strikes again.

"Banning the distribution of AACS keys is futile" (May 3, 2007) You can't stop the communication of a 128-bit number as though it's proprietary.

"CALEA compliance day" (May 14, 2007) Commemoration of the day that VoIP providers have to be CALEA-compliant.

"Spying on the homefront" (May 14, 2007) PBS Frontline on FBI misuse of National Security Letters and NSA eavesdropping.

"The bots of summer" (June 6, 2007) Report on some media coverage of my botnet interview with the Security Catalyst from 2006.

"Microsoft's new Turing Test" (June 12, 2007) It's not often I get to combine animal rescue and information security topics, but this is one--using animal pictures to authenticate.

"Operation Bot Roast" (June 14, 2007) FBI prosecution of some botnet people.

"Google thinks I'm malware" (July 13, 2007) Google stops returning results to me in some cases because my behavior looks like malware activity.

"Asking printer manufacturers to stop spying results in Secret Service visit?" (July 14, 2007) MIT Media Lab project to get people to complain to printer manufacturers about their secret coding of serial numbers, which got one person a visit from the USSS.

"A marketplace for software vulnerabilities" (July 29, 2007) WabiSabiLabi's abortive attempt to create a market for the sale and purchase of vulnerability information.

"Another Sony rootkit" (September 5, 2007) F-Secure finds another Sony product that installs a rootkit--the Sony MicroVault USM-F memory stick (now off the market).

"Anti-P2P company suffers major security breach" (September 16, 2007) Media Defender gets hacked.

"Microsoft updates Windows XP and Vista without user permission or notification" (September 17, 2007) Nine executables get pushed to everybody even if Windows update is turned off--except for corporate SMS users.

"Lessons for information security from Multics" (September 19, 2007) Paul Karger and Roger Schell's paper on Multics gets attention from Bruce Schneier.

"Hacker finds vulnerability in Adobe Reader" (September 24, 2007) The era of attacks on applications rather than OS's gets a boost.

"Break-in at CI Host colo facility" (November 4, 2007) The role of physical security for websites.

"Spammers and criminals for Ron Paul" (November 6, 2007) Botnets used to send spam promoting Ron Paul.

"Macintosh security lags behind Windows and BSD" (November 8, 2007) Rundown on new Mac security features, some of which are negative in effect.

"Multics source code released" (November 13, 2007) Multics becomes open source.

"Untraceable looks unwatchable" (December 18, 2007) A post that generated a huge amount of response, about the Diane Lane movie that flopped at the box office, before it came out.

"Notorious major spammer indicted" (January 3, 2008) Alan Ralsky may actually get what he deserves.

"Boeing 787 potentially vulnerable to passenger software-based hijacking" (January 8, 2008) Passenger Internet access for the Boeing 787 is physically connected to the network for communication and navigation.

"'Anonymous' launches 'war' against Scientology" (January 22, 2008) Denial of service attacks and other pranks against Scientology.

"Tinfoil hat brigade generates fear about Infragard" (February 8, 2008) Response to Matt Rothschild's article in The Progressive claiming that InfraGard members have the right to "shoot to kill" when martial law is declared.

"FBI responds to 'shoot to kill' claims about InfraGard" (February 15, 2008) Commentary and link to the FBI's response to Rothschild.

"Malware in digital photo frames" (February 17, 2008) Viruses in unusual digital storage locations.

"Canada busts 17 in botnet ring" (February 21, 2008) News about law enforcement action against criminals in Canada.

"More InfraGard FUD and misinformation" (February 23, 2008) Response to Gary Barnett's InfraGard article at the Future of Freedom Foundation website.

"New Mexico InfraGard conference" (February 24, 2008) Summary of the New Mexico InfraGard's "Dollar-Gard 2008" conference.

"Pakistan takes out YouTube, gets taken out in return" (February 25, 2008) Yesterday's events of political and/or religious censorship gone awry in Pakistan.

"Jeremy Jaynes loses appeal on spamming case" (March 1, 2008) The Virginia Supreme Court upholds Virginia's anti-spam law.

"Software awards scam" (March 25, 2008) Many software download sites give out bogus awards.

"Scammers scamming scammers" (April 7, 2008) Marco Cova looks at what some phishing kits really do.

"Bad military botnet proposal" (May 13, 2008) A response to Col. Charles Williamson's proposal to build a military botnet.

"MediaDefender launches denial of service attack against Revision3" (May 29, 2008) Anti-P2P piracy firm crosses the line and attacks a legitimate company.

"San Francisco's city network held hostage" (July 19, 2008) Some actual facts behind the hyped charges against the city's network administrator.

"Did Diebold tamper with Georgia's 2002 elections?" (July 20, 2008) Some troubling information about Diebold's last-minute patching on Georgia election machines.

"Expert tells China visitors to encrypt data as U.S. announces policy of laptop seizure" (August 1, 2008) Concerns about privacy in both China and the U.S.

"Military botnets article" (August 28, 2008) Peter Buxbaum's article on "Battling Botnets" in Military Information Technology magazine.

"Virginia Supreme Court strikes down anti-spam law" (September 12, 2008) Jeremy Jaynes goes free as Virginia's anti-spam law goes away.

"Sarah Palin's Yahoo account hacked" (September 17, 2008) Palin's Yahoo account is hacked, and the contents published.

"TSA airport security is a waste of time and money" (October 18, 2008) Link to Jeffrey Goldberg's article in The Atlantic.

"Behind the scenes during the election process" (November 6, 2008) Both major party presidential nominees suffered computer compromises.

"White House may be forced to recover 'lost' emails" (November 14, 2008) Lawsuit may require recovery from backups.

"Criminal activity by air marshals" (November 14, 2008) Multiple cases.

"PATRIOT Act NSL gag order unconstitutional" (December 19, 2008) Recipients of National Security Letters now can't be gagged without court order.

"The U.S. Nazi dirty bomb plot" (March 15, 2009) A little-covered story about a real terrorist plot.

"The Cybersecurity Act of 2009" (April 4, 2009) It's not as bad as it appears.

"Tracking cyberspies through the web wilderness" (May 12, 2009) How University of Toronto researchers have tracked online spying activity.

"Bad military botnet proposal still being pushed" (June 26, 2009) Col. Williamson's proposal to build an offensive U.S. military botnet is still being promoted by him.

"DHS still a mess, five years on" (July 16, 2009) Center for Public Integrity review of DHS.

"How Twitter got compromised" (July 23, 2009) TechCrunch gives the anatomy of the attack on Twitter.

Sunday, June 04, 2006

Part II of Botnets Interview

Part II of my interview on Michael Santarcangelo's Security Catalyst podcast is now available.

(Part I is here.)

Tuesday, May 23, 2006

Botnet interview on the Security Catalyst podcast

I did an interview over the weekend with Michael Santarcangelo of the Security Catalyst about botnets. Part I of that interview is available now as a podcast (you can subscribe via Yahoo or iTunes).

UPDATE: Part two is here.

Sunday, December 11, 2005

Another Botnet Talk

I'm giving another talk tomorrow on botnets, this time for the Phoenix chapter of Infragard, the FBI-sponsored 501(c)(3) that is devoted to public sector/private sector partnerships to protect national infrastructures. While Infragard has primarily focused on information technology, they are broadening their focus to include things like agriculture and food distribution, energy production and transmission, chemical plants, etc. This is an update for those who attended my April 2004 Infragard talk, and includes new material that hasn't been in any of my past botnet talks (for ASU, HTCIA, ATIC, FRnOG, and the Phoenix and Rochester, NY chapters of Infragard).

Thursday, November 03, 2005

Defending Against Botnets

My presentation on "Defending Against Botnets" for ASU's Computer Security Week is online in streaming video and MP3 audio formats.

Unfortunately, the audience was quite small. ASU's Polytechnic Campus is way out east of Phoenix, on the former Williams Air Force Base which ASU purchased and turned into its east campus. It doesn't appear that it has a very large student population yet. I was amused that the streets are named after military figures. To get to the Student Union I drove on a street called Twining, named after General Nathan Twining. Twining is a name well-known to UFO enthusiasts, as his name was used on one of the forged "MJ-12" documents known as the Cutler-Twining memo, and he also authored a genuine document that discusses UFOs (and is often misinterpreted by UFO advocates as claiming that crashed saucers have been recovered).

My talk was followed by a talk on Wireless Security by Erik Graham of General Dynamics, which covered threats and defenses for 802.11 and Bluetooth.