[SecurityRatty] tag: database

Supremes Mull Whether Bad Databases Make 4 Illegal Searches

Sun, 05 Oct 2008 13:30:02 +0000

If a false entry in a database leads to a unconstitutional police search that reveals illegal drugs, does the government get to hold it against you?

Supremes Mull Whether Bad Databases Make for Illegal Searches

Sat, 04 Oct 2008 17:26:00 +0000

If a false entry in a database leads to an unconstitutional police search that reveals illegal drugs, does the government get to hold it against you? That's the question the Supreme Court will tackle on Tuesday.

ePolicing - Tomorrow the world?

Thu, 02 Oct 2008 13:57:15 +0000

This week has finally seen an announcement that the Police Central e-crime Unit (PCeU) is to be funded by the Home Office. However, the largesse amounts to just £3.5 million of new money spread over three years, with the Met putting up a further £3.9 million — but whether the Met’s contribution is “new” or reflects a move of resources from their existing Computer Crime Unit I could not say.

The announcement is of course Good News — because once the PCeU is up and running next Spring, it should plug (to the limited extent that £2 million a year can plug) the “level 2″ eCrime gap that I’ve written about before. viz: that SOCA tackles “serious and organised crime” (level 3), your local police force tackles local villains (level 1), but if criminals operate outside their force’s area — and on the Internet this is more likely than not — yet they don’t meet SOCA’s threshold, then who is there to deal with them?

In particular, the PCeU is envisaged to be the unit that deals with the intelligence packages coming from the City of London Fraud Squad’s new online Fraud Reporting website (once intended to launch in November 2008, now scheduled for Summer 2009).

Of course everyone expects the website to generate more reports of eCrime than could ever be dealt with (even with much more money), so the effectiveness of the PCeU in dealing with eCriminality will depend upon their prioritisation criteria, and how carefully they select the cases they tackle.

Nevertheless, although the news this week shows that the Home Office have finally understood the need to fund more ePolicing, I don’t think that they are thinking about the problem in a sufficiently global context.

A little history lesson might be in order to explain why.

Back in 1930’s, Bonnie and Clyde and other US bank robbers were using the new-fangled automobile to flee across state lines — creating jurisdictional problems as a result. The US solution was to make bank robbery (along with auto-theft and other related offences) into federal offences rather keeping them as state-specific infractions. In particular this meant that the FBI could provide federal level policing (tracking down and killing John Dillinger for example).

We have the same jurisdictional issues dealing with cyberspace, with criminals in one country fleecing consumers in another while using systems hosted in a third. The Convention on Cybercrime addresses part of the problem by trying to ensure international consistency where eLaws are specifically needed (which of course is only the case for small parts of eCriminality, fraud is fraud whether eEnabled or not). However, there is limited inter-jurisdictional co-ordination for eCrime investigations — for example Interpol (often incorrectly perceived to be international police force) merely keeps a large database and passes faxes from one place to another.

In practice, most cross-border investigations are done as “joint operations” and the jointness is usually very limited — one force does all the legwork and a liaison officer in the other country deals with local paperwork. There’s usually a quid pro quo element to these joint operations, for budgeting reasons if no other.

What isn’t happening, or at least only in a handful of very specialised areas, is any international co-operation in setting priorities or selecting cases to pursue. Every country is doing its own thing about eCrime, and there’s a widespread impression that any criminal who can operate from “across the state line” is essentially immune from serious investigation.

We identified this problem last year when we (Ross Anderson, Rainer Böhme, Tyler Moore and myself) wrote a report on Security Economics and the Internal Market for ENISA. It’s not an easy one to fix whilst politicians (and populaces) are unwilling to see “foreign” police officers operating in their country, and the establishment of a truly international “cyber police force” seems equally unlikely.

Our policy proposal to tackle the issue harks back to WWII’s SHAEF, which has morphed into similar arrangements within NATO. In essence liaison officers from multiple forces would sit around a single table, working with a central coordinator, to set policy and decide which investigations to pursue. They would then communicate back to their own countries, who have specifically budgeted to provide appropriate assistance. So it’s very like “joint operations”, but the scheme is multi-laterial, and has a true command and control function in the centre — who will quickly learn to shy away from politically sensitive topics and make a real impact on eCriminality.

To summarise then, a welcome to the Home Office for finally finding a small amount of funding for some country-wide ePolicing; but it’s well past time to be working on world-wide initiatives.

The Genesis of Complex Event Processing: Asymmetric Capabilities

Mon, 29 Sep 2008 13:31:50 +0000

More often than not, folks working in the field of complex event processing do not truly understand CEP. We often see the same folks try to position and mischaracterize CEP as business process orchestration, business process management, event-driven architecture or even an evolution of service-oriented architecture. Well-intended, this mischaracterization of CEP is often for sales and marketing purposes. However, sometimes the mischaracterization of CEP is from a lack of understanding of what CEP was designed to accomplish. These mischaracterizations have very little to do with the original intent of complex event processing.

Originally, researchers in CEP were not trying to solve a problem of streaming data or streaming events. Often we read this mischaracterization by folks in the database/streaming domain, as they were focused on the low latency processing of streaming events. A natural extension of this research has been stream processing software (often called “engines”) that process streaming data with continuous queries, for example market data feeds for algo-trading or best market order execution. This mischaracterization is partly responsible for why we see many order processing applications in market data stream processing mislabled as “complex event processing” applications.

The genesis of complex event processing was not the stream processing need for “feeds and speed” but the processing capability to solve what can be characterized as the “problem of asymmetric capabilties”. The term “asymmetric” has been used in the military domain. For example we often hear the term “asymmetric warfare.” However, in general the concept of “asymmetrical processing capablities” is the true genesis for CEP and related processing concepts and domains. It is this genesis that distinguishes CEP from EDA, SOA, SOR, and so many other technology oriented concepts.

In order to illustrate what I mean by “asymmetrical processing capablities” we will take the example of the evolution of rocketry. In the early days, scientists learned how to make rockets, I assume with gunpowder and similar chemical compounds to launch rockets. Over many years the application of rocketry advanced much faster than the ability to understand the situations created in the sky. In other words, folks could fill the skies with rockets long before they had the capability to track and identify (or sense and respond to) the rockets in real time.

Therefore, the concept of “asymmetrical processing capablities” is the situation where there is a capability, such as “launch a rocket, sense-and-respond,” that is asymmetric in nature. In other words, the capability to detect multiple rocket launches creates an asymmetric situation where it is easy to launch rockets, but hard to detect and defend against those launches.

The same concept can be applied to everyday air travel. If we could only fly airplanes, but did not have the capability to track the planes, understand situations in airspace, and then respond to changing situations, air travel would be quite difficult. Lucky for us, the global traveller, there is symmetry in the capabilities to build and fly aircraft and the capabilities to detect, track and follow the evolving situations in the sky.

The genesis of CEP was to solve the problem of asymmetry in cyberspace, or if you prefer, distributed data networks. The folks who identified, early on, the problems associated with asymmetry in cyberspace were folks working the the field of network and security management. This is because there has been, and is currently, a great asymmetry between the capablities to “launch a process or transaction” in cyberspace and the capabilties to detect and track what is going on in the same domain.

In my next post on this topic, we will go into some details of this asymmetry and review the first CEP projects from Stanford University in the context of asymmetric processing capabilities in cyberspace.

Hijacking a Spam Campaign's Click-through Rate

Fri, 26 Sep 2008 06:07:16 +0000

This spammer is DomainKeys verified, a natural observation considering that the spam compaign which I discussed last Wednesday is using bogus Yahoo Mail accounts, and is spamming only Yahoo Mail users through a segmented emails database.

Not necessarily what I wanted to achieve, but once posting the spam campaigns SEO URLs, Yahoo's crawler's picked up the post pretty fast, and have ruined the SEO effect, with everyone clicking on the campaign's links reaching the post. Close to 15,000 unique visitors reached the article during the past 7 days since the now hijacked, spammer's link is no longer achieving the effect it used to.

What does this prove? It proves that users tend to trust emails that pass through spam filters so much that they actually click on the links. And whereas it's a spam campaign, and not a malware campaign, the next time they over trust such a email, they'll expose themselves to client-side vulnerabilities coursesy of a copycat web malware exploitation kit.

The latest search query the campaign is using :
- yahoo.com/search/search;_ylt=?p=...........................................stossregularnew............$0.00.........

leads to stossregularnew.com (61.255.135.185).

250k of Harvested Hotmail Emails Go For?

Thu, 25 Sep 2008 08:13:08 +0000

$50 in this particular case, however, keeping in mind that the email harvester is anything but ethical, this very same database will be sold and re-sold more times than the original buyer would like to know about. Moreover, what someone is offering for sale, may in fact be already available as a value-added addition to a managed spamming service.

With metrics and quality assurance applied in a growing number of spam and phishing campaigns, filling in the niche of email harvesting by distinguishing between different types of obfuscated emails by releasing an easily embeddable module, was an anticipated move. What's to come? Spam and malware campaigns across social networks "as usual" will propagate faster thanks to the ongoing harvesting of usernames within social networks, that would later on get imported in Web 2.0 "marketing" tools targeting the high-trafficked sites and automatically spamming them.

From a spammer's perspective, geolocating these 250k emails could increase their selling prices since the buyers would be able to launch localized attacks with messages in the native languages of the receipts. Is the demand for quality email databases fueling the developments of this market segment, or are the spammers self-serving themselves and cashing-in by reselling what they've already abused a log time ago? That seems to be the case, since there's no way a buyer could verify the freshness of the harvested emails database and whether or not it has already been abused.

For the time being, we've got several developed and many other developing market segments within spamming and phishing as different markets with different players. On one hand are the legitimately looking spamming providers offering "direct marketing services" working with lone spammers who find a reliable business partner in the face of the spamming vendor whose customers drive both side's business models. On the other hand, you've got the spammers excelling in outsourcing the automatic account registration process, coming up with ways to build a spamming infrastructure -- already available as a module to integrate in managed spamming services -- using legitimate services as a provider of the infrastructure.

Despite that the arms race seems to be going on at several different fronts, spammers VS the industry and spammers VS spammers fighting for market share, the entire underground ecosystem is clearly allocating a lot of resources for research and development in order to ensure that they are always a step ahead of the industry.

Related posts:
Harvesting Youtube Usernames for Spamming
Thousands of IM Screen Names in the Wild
Automatic Email Harvesting 2.0
Dissecting a Managed Spamming Service
Managed Spamming Appliances - the Future of Spam
Inside an Email Harvester's Configuration File
Segmenting and Localizing Spam Campaigns
Shots from the Malicious Wild West - Sample Four

Sarah Palin's E-Mail

Wed, 24 Sep 2008 12:01:58 +0000

People have been asking me to comment about Sarah Palin's Yahoo e-mail account being hacked. I've already written about the security problems with "secret questions" back in 2005:

The point of all these questions is the same: a backup password. If you forget your password, the secret question can verify your identity so you can choose another password or have the site e-mail your current password to you. It's a great idea from a customer service perspective -- a user is less likely to forget his first pet's name than some random password -- but terrible for security. The answer to the secret question is much easier to guess than a good password, and the information is much more public. (I'll bet the name of my family's first pet is in some database somewhere.) And even worse, everybody seems to use the same series of secret questions.
The result is the normal security protocol (passwords) falls back to a much less secure protocol (secret questions). And the security of the entire system suffers.

French gov't resists police database protests

Wed, 17 Sep 2008 20:00:00 +0000

The French government will not reverse a decree allowing French police to record the sexuality and religion of suspects in their files, the French Minister of the Interior has said, despite calls from a parliamentary commission on Thursday not to collect some of that information.

EU data protection head supports police database link-up

Wed, 17 Sep 2008 20:00:00 +0000

European data protection supervisor Peter Hustinx demanded some changes to a plan by lawmakers to link up all national criminal databases in the 27-member European Union, but broadly he supported the move, he said Thursday.

EstDomains and Intercage VS Cybercrime

Tue, 16 Sep 2008 05:09:44 +0000

Surreal, especially when you get to read that EstDomains has "ruthlessly suspended over five thousand domains only for last week", and also, that it "has a reliable ally in its battle against malware in a face of Intercage, Inc".

Here's the press release :

"The EstDomains, Inc management does not deny the fact that no one is secured from having a customer who uses provided services for delinquent purposes. But it must be noted that the carefully planned infrastructure of EstDomains, Inc makes the special provision for the cases of malware distribution that may originate from the domain name registered under the company's name. Such domain names are suspended immediately along with domain holder's account if there is an evidence of malware presence on the web site. According to the most recent statistics over five thousand domain names were detected and ruthlessly suspended by EstDomains, Inc specialists only last week.

The company also has a reliable ally in its battle against malware in a face of Intercage, Inc which provides company with the hosting services of the highest quality. But the outstanding performance of hosting services is not the sole reason why EstDomains, Inc appreciates this partnership so greatly. Intercage, Inc generously provides EstDomains, Inc specialists with reports regarding discovered malware vehicles. As the main database for additional domain name management services is located in Intercage Data Center, EstDomains, Inc has the perfect opportunity to get notifications of the slightest mark of malware presence in the shortest time and take measures in advance. "

The press release reminds me of RBN's defacement of my blog posted on the 1st of April, and despite that EstDomains started "performing for the community" as of recently, thanks to the collective intelligence and persistence of everyone turning their research into actionable intelligence against them, this performance aiming to minimize the effect of the negative PR is more or less futile considering all the cybercrime activities that they've been tolerating or ignoring for the past couple of years. For future generations to see, this is how EstDomains "performs for the community" :

"We've suspended all the domains listed in this topic. But please don't make posting these domains on this forum a habit. We have a 24/7 online tech support which can be contacted at https://support.estdomains.com

Best regards,
EstDomains Team

EstMate says : Ihatemondayand.com and antispycheck.com - both suspended. If any of the suspended websites are still active to you it maybe be because of your computer's or ISP's DNS-cache, others won't be able to access these websites

googlescanners-360.com isn't registered with us. As for other domains, the ones, which were registered through us, have been suspended. Regarding our preventive measures, the fact that you don't see them doesn't mean there isn't any. Yes, we don't write about them but in most cases we suspend whole accounts with problematic domains and look for connections to other accounts etc. During the last week we've suspended over 15000 different domains."

What's more disturbing regarding this particular domain registrar is that it's a U.S based operation, namely, using the lack of international cybercrime cooperation as an excuse for not taking actions earlier doesn't fit into the picture. Moreover, this is just the tip of the iceberg, and taking into consideration a personal mentality that the cybercriminals you know are better than the cybercriminals you don't know, the RBN or any of its "leftovers" aren't fully taking advantage of the tactics they could be using in order to make it harder to shut them down, but how come? Simply, they don't have to put extra efforts and would once again remain online for years to come, which is perhaps more disturbing at the first place.

What in the world is the Russian Business Network, is it still alive and kicking, are the same people that used to maintain my favorite netblock ever, still the ones running it, and what tactics are they taking advantage of in order to make it harder for the community to establish direct links with a particular netblock and the RBN itself?

With RBN's "leftovers" -- InterCage, Inc., Softlayer Technologies, Layered Technologies, Inc., Ukrtelegroup Ltd, Turkey Abdallah Internet Hizmetleri, and Hostfresh -- making headlines just like the way it should be, what I've been researching for the past couple of months is how they've migrated from the centralized hosting provider to what appears to be a fully operational franchise. The business model is very simple, the RBN through its extensive underground networking skills supplies to customers to franchisers operating small anti-abuse netblocks across the globe, where they offer dedicated hosting and share revenue with the RBN. Anyone trusted enough and capable of supplying such netblocks starts running the RBN anti-abuse franchise. It's also worth pointing out that these franchises are in fact starting to cut the middle man, and disintermediate the RBN by actively advertising their services in order for them to create a self-sustainable business model without having to rely on the RBN connecting them with customers.

What used to be a centralized cybercrime powerhouse operating several highly visible anti-abuse netblocks, is today's decentralized infrastructure, with the profit margins for the anti-abuse services that it's logically capable to break-even and earn profits even with a few high profile dedicated hosting customers. Anyone can be the Russian Business Network, gain experience into the market segment, then disintermediate them by starting to advertise their own services. From a powerhouse to a franchise model, what the RBN had to offer can be easily duplicated by a countless number of local RBN's, and this is only starting to take place.

Related posts:
Lazy Summer Days at UkrTeleGroup Ltd.
The Malicious ISPs you Rarely See in Any Report
Geolocationg Malicious ISPs
The New Media Malware Gang - Part Four
The New Media Malware Gang - Part Three
The New Media Malware Gang - Part Two
The New Media Malware Gang
RBN's Fake Account Suspended Notices
HACKED BY THE RBN!
Rogue RBN Software Pushed Through Blackhat SEO
RBN's Phishing Activities
RBN's Puppets Need Their Master
RBN's Fake Account Suspended Notices
A Diverse Portfolio of Fake Security Software
Go to Sleep, Go to Sleep my Little RBN
Exposing the Russian Business Network
Detecting the Blocking the Russian Business Network
Over 100 Malwares Hosted on a Single RBN IP
RBN's Fake Security Software
The Russian Business Network