[SecurityRatty] tag: continuously

The Economics of Spam

Wed, 12 Nov 2008 03:52:17 +0000

Excellent paper on the economics of spam. The authors infiltrated the Storm worm and monitored its doings.

After 26 days, and almost 350 million e-mail messages, only 28 sales resulted -- a conversion rate of well under 0.00001%. Of these, all but one were for male-enhancement products and the average purchase price was close to $100. Taken together, these conversions would have resulted in revenues of $2,731.88 -- a bit over $100 a day for the measurement period or $140 per day for periods when the campaign was active. However, our study interposed on only a small fraction of the overall Storm network -- we estimate roughly 1.5 percent based on the fraction of worker bots we proxy. Thus, the total daily revenue attributable to Storm's pharmacy campaign is likely closer to $7000 (or $9500 during periods of campaign activity). By the same logic, we estimate that Storm self-propagation campaigns can produce between 3500 and 8500 new bots per day.
Under the assumption that our measurements are representative over time (an admittedly dangerous assumption when dealing with such small samples), we can extrapolate that, were it sent continuously at the same rate, Storm-generated pharmaceutical spam would produce roughly 3.5 million dollars of revenue in a year. This number could be even higher if spam-advertised pharmacies experience repeat business. A bit less than "millions of dollars every day," but certainly a healthy enterprise.

Of course, the authors point out that it's dangerous to make these sorts of generalizations:

We would be the first to admit that these results represent a single data point and are not necessarily representative of spam as a whole. Different campaigns, using different tactics and marketing different products will undoubtedly produce different outcomes. Indeed, we caution strongly against researchers using the conversion rates we have measured for these Storm-based campaigns to justify assumptions in any other context.

Spam is all about economics. When sending junk mail costs a dollar in paper, list rental, and postage, a marketer needs a reasonable conversion rate to make the campaign worthwhile. When sending junk mail is almost free, a one in ten million conversion rate is acceptable.

News articles.

Way to go BitDefender!

Tue, 11 Nov 2008 15:00:44 +0000

Ive been using their products for two years now and Im very satisfied.
BitDefender even works with Vista!
Their online support is excellent and Its not a resource hog.

clipped from www.marketwatch.com

BitDefender Receives Prestigious Integrated Threat Management
Checkmark Certification From West Coast Labs

MOUNTAIN VIEW, CA, Nov 10, 2008 (MARKET WIRE via COMTEX) –
BitDefender(R), an award-winning provider of antivirus software and
data security solutions, announced today that BitDefender Total
Security 2008 received the prestigious Integrated Threat Management
Certification following independent testing performed by West Coast
Labs. The Integrated Threat Management Checkmark Certification is
granted only to products that have successfully passed and
continuously satisfy the requirements of a combination of Checkmark
certifications that together provide an effective integration of
security technologies in a content security context.

Risk or Security Management: What's In a Term?

Tue, 11 Nov 2008 11:59:18 +0000

When Gartner security and risk analysts give presentations, write research or talk to clients, we often get criticized for using the terms security and risk management interchangeably. This is deemed to be confusing by the audience as they try to articulate a clear differentiation between these terms. Indeed, in large sections of our client base, vigorous debate is being held on defining, differentiating and positioning information security vs. information risk management.

Well, maybe such a clear differentiation is not always required. Maybe security and risk management is so intertwined that continuously trying to separate them becomes counterproductive. Let's try to look at this objectively: I can make a clear argument that security is an integral part of risk management. But I can make a similarly cogent argument that risk management is an integral part of security management. The definition is largely in the eye of the beholder. It is contextual and situational. Maybe security and risk management are not the two sides of the same coin - maybe these disciplines are so integrated that they ARE the coin. The business is interested in the coin, not the pictures embossed on either side of it.

I am not arguing that the security and risk management are one and the same. They are indeed discrete disciplines with different functions and activities. And from an organizational perspective, is it important the different roles are named appropriately to the responsibilities of the individuals concerned. But let's be frank, does your business really care whether you call yourself a security manager or a risk manager? All they want is for (both of?) you to help them manage your information security and IT risks appropriately.

Risk management and security management. It's not either/or. Black or white. So here is my call: Let's spend less time debating and arguing the differences, and more time on using and maturing these extremely important, completely interrelated disciplines.

A Diverse Portfolio of Fake Security Software - Part Five

Tue, 02 Sep 2008 01:04:58 +0000

The "campaign managers" behind these fake security software propositions are not just starting to take park them at up to three different locations, localize the sites to different languages and introduce client-side exploits, just in case the end user gets suspicious and doesn't install it, but also, the natural evasive practices. For instance, once some of their domains get detected and blocked, they put them in a stand by mode and relaunch them online in a week or so, or ensure that only those coming to the domains from where they are supposed to come - yet another blackhat SEO or SQL injection attack - are the only ones getting to see the download screen.

Some of the new additions parked at the same IPs offered by the "known suspects" include :

main-scanner .com - (77.244.220.138; 78.159.97.247; 89.149.209.251; 212.95.37.154)
scanner-mainpro .com
scanner-online1 .com
alldiskscheck300 .com
myscanners101 .com
download-a1 .com
scanner-online1 .com
multilang1 .com
ratemyblog1 .com
multisearch1 .com
filescheck-list303 .com
woodst-sale .com
scanner-mainpro .com
main-scanner .com
directrevisions .com

supersolution-freeantivirus .com - (213.155.2.69)
antivirus-bestsolution .net
antivirus4protection .net
antivirusproxp .com
freebest-antivirus .net
goodantivirus-free .net
noadwareantivirus .com
pwrantivirus2009 .com
solution-freeantivirus .com
supersolution-antivirus .com
supersolution-freeantivirus .com
antivirusdwl .com
securesoftdl .com
viva-codec .com
win-antivirus-protect .com
avxp-2008 .net
antivirusq .net
antivirus2008b .net
antivirus2008m .net
antivirus2008n .net
antivirus2008v .net
antivirus777 .com
antivirusq .net
antivirusr .net
antivirust .net
antivirusw .net
antivirusu .net
expressantivirus2009 .com
spywarezscan .net
antispywareq .net
free-anti-spywaree .net
avcheckyourpc .net

software-for-me08 .com - (78.157.143.250)
software-for-me-08 .com
softwarefor-me2008 .com
softwarefor-me-2008 .com
software-forme08 .com

doctor2antivirus .com - (217.112.94.226; 87.248.163.56)
doctor5antivirus .com
doctor6antivirus .com
doctor7antivirus .com
doctor8antivirus .com
doctorantivirus2008a .com
doctor-antivirus .com
bcodecnow .net

mysoftwarefreezone .com - (91.203.92.97)
hotvid44 .com
totsec2009 .com
getdefender2009 .com
totalsecure2009 .com
myveryprivatevid .com
mustseethatvid .com
onlythebestvid .com
ie-antivirus-order .com
ie-anti-virus .com
secure-order-box .com

secureexpertcleaner .com - (89.149.227.50)
bestxpclean2008 .com
virusremover2008 .com
registrydoctor2008 .com
securefileshredder .com
hypersecurefileshredder .com
bestsecureexpertcleaner .com

getdefender2009 .com - (58.65.238.34)
malwarebell .com
free-viruscan .com
tmptmpservvv .com
cometoseemyshow .com

getneededsoftware .com - (91.203.93.25)
gettotalsec2008 .com
thedownloadvid .com
scan.pc-antispyware-scanner .com
totalsecure2009 .com

wista-antivirus2009 .com - (216.255.179.203)
usawindowsupdates .com - (85.17.143.213)
mswindowsupdates .com

The campaigns and the hosting providers are continuously monitored, especially taking into consideration the fact that the domains are already appearing in Alexa's web rankings with sudden peaks of traffic.

Related posts:
Fake Security Software Domains Serving Exploits
A Diverse Portfolio of Fake Security Software - Part Four
A Diverse Portfolio of Fake Security Software - Part Three
A Diverse Portfolio of Fake Security Software - Part Two
Localized Fake Security Software
Diverse Portfolio of Fake Security Software
Got Your XPShield Up and Running?
Fake PestPatrol Security Software
RBN's Fake Security Software
Lazy Summer Days at UkrTeleGroup Ltd
Geolocating Malicious ISPs
The Malicious ISPs You Rarely See in Any Report

Automatic Email Harvesting 2.0

Tue, 26 Aug 2008 04:01:51 +0000

Just when you think that email harvesting matured into user names harvesting in a true Web 2.0 style with the recently uncovered harvested IM screen names, and Youtube user lists for spammers, phishers and malware authors to take advantage of, someone has filled in the gap that's been around as long as email harvesting has been a daily routine for spammers - dealing with text obfuscations which still remain highly popular online, once it became evident that spammers are in fact crawling for default mailto lines. This email harvesting module can be run a separate script, or get integrated as a module within any botnet, is capable of harvesting the following text obfuscations often used in order to prevent spamming crawlers :

mail@gmail.com
mail[at]gmail.com
mail[at]gmail[dot]com
mail [space]gmail [space]com
mail(@)gmail.com
mail(a)gmail.com
mail AT gmail DOT com

The overall availability and easy of obtaining a huge percentage of valid email addresses within an organizaton, is not just resulting in the increasing segmentation and localization of spam, phishing and malware campaigns, it's increasing the profit margins for the spamming providers which is now not just offering verified to be 100% valid email addresses, but also, can providing the foundations for spear phishing and targeted attacks.

Quality assurance in spaming is still in its introduction phrase, with customers starting to put the emphasis on the number of emails that actually made it through the spam filters, than the number of emails sent as a benchmark for increasing the probability of bypassing anti spam filters. Taking into consideration the big picture, sniffing for email addresses streaming out of malware infected hosts, and stealing huge email databases by exploiting vulnerable online communities, seems to be the tactics of choice for the majority of individuals whose responsibility is to continuously provide fresh and valid email addresses.

Very few details are available for Missouri National Guard breach

Tue, 15 Jul 2008 10:15:48 +0000

Technorati Tag: Security Breach

Date Reported:
7/15/08

Organization:
National Guard Bureau

Contractor/Consultant/Branch:
Missouri National Guard ("MOGUARD")

Victims:
"Citizen-Soldier and employee"s

Number Affected:
"approximately 2,000"

Types of Data:
"some personal information"

Breach Description:
"The Missouri National Guard learned on Monday, July 14, 2008, that some personal information was compromised. Details of how this information was compromised are being withheld at this time, so as not to interfere with the ongoing law enforcement investigation."

Reference URL:
Missouri National Guard Press Release
St. Louis Post-Dispatch

Report Credit:
Missouri National Guard

Response:
From the online sources cited above:

The Missouri National Guard learned on Monday, July 14, 2008, that some personal information was compromised.

Details of how this information was compromised are being withheld at this time, so as not to interfere with the ongoing law enforcement investigation.
[Evan] Sounds like a good excuse to not reveal details.

It is important to note that we have no reason to believe that the information that was compromised was for the purpose of gaining Citizen-Soldier or employee information or that the information has been or will be used inappropriately.
[Evan] It's nice that MOGUARD can make this judgment call on behalf of the victims. Its too bad the victims are not allowed to make a determination themselves based on the facts surrounding this breach.

The Missouri National Guard has a list of those Citizen-Soldiers or employees whose information was compromised.
[Evan] Keyword is "was", and not the phrase "may have been".

Letters are being sent to these individuals and/or their Families.

The list includes approximately 2,000 individuals.

At this time we have no confirmation of misuse of Citizen-Soldier or employee information resulting from the loss.

"I am distressed that sensitive information has been compromised," Major General King Sidwell
[Evan] I am impressed when a leader of an organization steps forward and speaks about a breach. In my opinion it demonstrates strong leadership and the understanding that the "buck" ultimately stops with him.

"I am especially concerned about the problems and inconveniences this may cause for our Missouri National Guard Citizen-Soldiers and their families," King said.

Because Social Security Numbers may have been contained within the missing information, we advise individuals to monitor financial accounts continuously for suspicious activity as a matter of good practice.
[Evan] This statement provide a clue as to what "some personal information" may be.

The Missouri National Guard has safeguards in place to protect private information.

We provide ongoing privacy training to all employees.

The Missouri National Guard has taken action to rectify this unfortunate situation, and is working to insure our Citizen-Soldier’s or employee’s information receives the highest standard of security and privacy protection.

Any soldier or family member with questions should call a hotline number at 1-888-526-6664 extension 7888.

If the soldier is deployed overseas, the soldier may use the Defense Switching Network and call 312-555-9500 extension. 7888.

Commentary:
We have no idea as to what the cause of this breach may have been. Anyone want to guess? If so, post a comment.

It’s a little ironic. I was just typing an email response to an information security friend of mine about military breaches and the way the military has a completely different way of disclosing details (if any). This breach is proof positive. We'll have to see if further details emerge over time.

I sincerely hope that the owners of the "personal information" (the victims) get all of the answers that they require in order to evaluate risk themselves and make educated decisions on how they will proceed.

Past Breaches:
Unknown

Efficient Data Protection for Microsoft Applications with Backup Exec 12

Wed, 18 Jun 2008 09:00:00 +0000

(Source: Symantec) Companies today face the ever-increasing challenge of managing the explosive growth of valuable data. Symantec Backup Exe 12 for Windows Servers is the gold standard in Windows data protection, providing cost-effective, high performance, disk-to-disk-to-tape backup and recovery. Continuous data protection for Microsoft applications, include Exchange, SQL, Active Directory, and SharePoint, helps ensure that data is continuously backup up as it changes.

Cascade Healthcare Community donors affected by malware

Fri, 07 Mar 2008 11:02:22 +0000

Technorati Tag: Security Breach

Date Reported:
3/5/08

Organization:
Cascade Healthcare Community

Contractor/Consultant/Branch:
St. Charles Medical Center (Bend - Redmond)

Victims:
"community members", Donors

Number Affected:
11,500

Types of Data:
Names, addresses, dates of birth and credit card information

Breach Description:
"A computer virus may have exposed the names, credit card numbers, dates of birth and home addresses of more than 11,500 individuals who donated to Cascade Healthcare Community in Bend and Redmond"

Reference URL:
Cascade Healthcare Community press release
The Oregonian
The Bend Bulletin

Report Credit:
Cascade Healthcare Community

Response:
From the online sources cited above:

Like all health care organizations, Cascade Healthcare Community has a strong commitment to protecting patient and employee information.
[Evan] We would like to think "all health care organizations" have a strong commitment to protecting patient and employee information, but some obviously take this commitment more seriously than others.

Unfortunately, CHC was recently the victim of a computer virus that may have made some personal information vulnerable to inappropriate use.

Despite having an anti-virus security system in place, the CHC computer network was hit by a virus on Dec. 11.

The IT group immediately worked to halt the attack and closely monitored the network for several weeks before detecting suspicious activity on Feb. 5. At that time, CHC hired an external information technology forensic team to investigate the incident.

After an exhaustive forensic evaluation, CHC learned Feb. 20 that some personal information stored on our systems may have been compromised.

This information included names, addresses, dates of birth and credit card information for approximately 11,500 members of our community.
[Evan] Although I think I understand why this information was kept by CHC, I don't agree with CHC's decision to keep credit card information on file. I can see something like this as a statement, "In the best interests of CHC, it's donors and patients, we do not store credit card information".

At this time, there is no evidence indicating any patient health information was compromised.

“Although the investigation provided no indication that information was misused, CHC is working quickly and diligently to provide all affected members of our community with leading credit monitoring services at no charge,” said James A. Diegel, FACHE, President and CEO of CHC.
[Evan] Mr. Diegel understands that the information security buck stops with him. As an organizational leader, he understands that he is ultimately responsible for the due care of information assets. I admire Mr. Diegel for addressing this situation personally.

“We want to express our sincere apologies to those community members who have trusted us with their information for the inconvenience and worry this situation may have caused.”

CHC has contracted with an industry-leading provider of credit monitoring services and is providing free enrollment in a 12-month credit monitoring program for those affected. All potentially affected individuals will receive additional information directly from this agency within the next several days that includes information on enrollment.

In addition to community member information, CHC has learned that usernames and passwords of all CHC employees were also vulnerable for a short period of time.

All caregiver passwords were changed as of 2 p.m. on Thursday, Feb. 21 and there is no evidence that unauthorized users accessed individual patient health information.

“It is vital that we continue to raise the level of security within the organization,” Diegel said. “We are working diligently on all levels of security from educating caregivers on the importance of protecting their passwords to upgrading our virus protections.”
[Evan] "It is vital that we continue to raise the level of security within the organization". This is one of the best statements I have read from an organization leader in some time. It is vital that ALL of us raise the "level of security" within our areas of responsibility (personally and within our organizations) and explore ways to continuously improve our security posture. This is a never-ending cycle.

A few select FAQ's from the press release:
Q: Is there any way to find out how this virus entered the environment?

A: We suspect that it was through an Internet Web browser or through a thumb drive or floppy disk media. We do not know who did this and whether it was done intentionally or by accident. We have no guarantee we will ever find out who did this.
[Evan] This is all too common. Understand that each and every connection we make from work to an Internet site is a potential (and at times successful) avenue of attack. We weigh the convenience and business benefits of using the Internet against the risk of exposure. It's about balance.

Q: What is Cascade Healthcare Community doing to prevent this from happening in the future?

A. Cascade Healthcare Community has examined and analyzed existing procedures and systems to ensure appropriate security measures are in place. We have taken immediate steps to increase our investment and focus in the security area. We have created a multiple-step plan to outline immediate and also longer term steps. New virus software and approaches are developed each and every day worldwide. Our protection is a full-time evolving strategy.

Commentary:
I am very impressed with Cascade Healthcare Community's press release. The information they provide paints a clear picture of what happened and helps me to feel confident that they know what they are doing. I would just suggest that they not store credit card information anymore (if possible).

Past Breaches:
Unknown

Britain mulling "random" audits to enhance data protection..

Wed, 07 Nov 2007 14:41:00 +0000

Britain's House of Lords recently issued a report on Internet security, urging the Government to examine “as a matter of urgency” that country's laws regarding standards of data protection as they apply to businesses. The report says current laws on the books don't have enough teeth; it says the government should have the authority to conduct “random audits of the security measures in place in businesses and other organisations holding personal data.”

Wow. Imagine the uproar that would erupt here in the United States, if anyone introduced legislation suggesting the government could randomly check to see if businesses are keeping their data safe. Granted, most states have laws that mandate public disclosure in the event of a data breach, and Minnesota has passed a law that makes offending businesses responsible for the cost of remediation. But these laws are designed to address post-breach actions; they don’t enable the government to check prior to any incident.

At what point, however, does the public become so fed up, so wary of doing business with companies that apparently treat data in a seemingly cavalier manner, that Congress passes such a law as recommended by the House of Lords' report?

We must police ourselves to keep secure data controlled. We must ensure that private information remains private, regardless of where it ends up…on or off the network. And we must train our people to continuously implement the policies we’ve developed; technology is a part of that equation, of course, but only part.

If we don’t, we run the risk of falling prey to those who would take advantage of us. And we run the risk of having irate lawmakers, driven by irate constituents, implement new (and onerous) rules that make it far more difficult for us to conduct business. We fail to control the data entrusted to us at our own risk.

Thoughts on OWASP Day San Jose/San Francisco

Tue, 11 Sep 2007 04:39:00 +0000

Last Thursday 9/6/2007 we had a combination San Jose/San Francisco OWASP day at the eBay campus. Details on the program are at: https://www.owasp.org/index.php/San_Jose

The turnout was great, somewhere between 40 and 50 people, I didn't get an exact count. There were two sessions for the evening:

A talk by Tom Stracener of Cenzic on XSS
A panel discussion on Privacy with a pretty broad group of security folks and some people in adjacent areas such as Law and Privacy proper.

The panel discussion was really the part of the night I was looking forward to. I think the discussion rambled a bit between several different areas:

What is Privacy?
What are a companies obligations to protect Privacy? Legal, Ethical, Moral, good business sense, etc.
How do companies, especially large ones that operate in multiple states or are multinationals, deal with all of the different privacy regulations?
How do we integrate Privacy concerns into security operations, secure development, etc.

I'll admit that #4 was the topic I was hoping would get a decent amount of coverage, but despite my efforts to prod the panel in that direction we didn't really come up with an answer.

The best discussion of the night in my mind came on point #3. How do large companies manage to diverse privacy regulations and policies across jurisdictions...

All of the panelists in this area made two points:

Set a baseline policy that encompasses the vast majority of your requirements and implement it across the board. This way you don't have to continuously manage to specific privacy regulations as you've embodied them in your general policy.
Setting the privacy policies and controls around it is an exercise in risk management. People don't often look at writing policies as managing risk, but that is exactly what policies do.

The good thing about the panel was that there were plenty of people with expertise in Privacy considerations. The bad part was that there was little discussion of how we actually do software development with Privacy in mind. Of the people writing about SDL, the Microsoft people have been most vocal in talking about how to integrate Privacy evaluations into their SDLC. For an example, see this post.

If nothing else was achieved last Thursday we had great turnout for the local OWASP event, better than I've seen so far. We also got to try out part of the space that will be used for the fall conference. I think it went well, but I guess we'll have to get the other folks present to weigh-in with their thoughts since I'm obviously a little biased.