[SecurityRatty] tag: earn

MSP Snapshot Monitoring with EM7

Wed, 08 Oct 2008 12:51:50 +0000

Between the fifth anniversary for ScienceLogic and the Inc 500 milestone, we’ve become very nostalgic about the beginnings of the company and EM7. For instance, did you know that EM7 was originally designed with managed service providers in mind? Not so surprising when 5 of the first 6 employees (including all 3 founders) came from hosting and MSP backgrounds and had first-hand experience with the daily trials and tribulations of MSP operations – and the tools that didn’t quite work for them.

Here we talk to John Proctor, who started out as one of our first customers (and the first MSP customer). And he believed in it so much, he eventually became part of the ScienceLogic team. (Remember “I’m not only the President, I’m also a client” from the Hair Club for Men?)

John shares his perspectives about the service provider world and why he took a chance on a little-known product called EM7.

ScienceLogic: What is your background? How many years have you worked as a service provider and for what types of companies?

John Proctor: I have been working with Service providers for over twelve years. I worked at a major regional service provider for six years and before that I designed and built national and international networks for ISP’s and Fortune 500 companies as a consultant for PriceWaterhouseCoopers and WorldComm.

ScienceLogic: You were one of the first customers of EM7 – why did you choose it and how did you get over the hurdles associated with using a start-up company’s product?

John Proctor: We were actually customer number five. Back in 2004 when we evaluated and purchased EM7 we could see that EM7 provided about 80% of what we were looking for in one integrated solution right out of the box. One of the things that sold us on EM7 was that the ScienceLogic founders had all previously worked for a service provider, so we knew they understood our business and our challenges. But in the end, it comes down to features. Once we compared EM7 functionality to the alternatives, it was clearly a “no brainer.”

ScienceLogic: What other alternatives were being considered?

John Proctor: Well, we had started with a few point solutions, but as our business and product offerings matured, this resulted in a growing number of point solutions. What started with 3 or 4 ended up as 14 separate tools. They all had strengths but what they didn’t have was integration and because of this they could not scale. And, if the tools could not scale, our business could not grow.

So, naturally we started looking at framework solutions, but they are expensive to buy, expensive to implement, and expensive to maintain. At one point, we even considered some open source projects. There were several that showed promise, but we would still be stuck with tools that were not integrated. So then we considered hiring developers to cobble something together that would work for our business. The only problem with this alternative was that we felt it would take 6 to 8 months before we could have something viable to work with.

ScienceLogic: What products were you using before EM7? What were your goals?

John Proctor: Before we purchased EM7 we used 14 different point solutions to deliver our products and services to the marketplace. Tools like NetCool, Openview, Argent, Heat, What’s Up Gold as well as several other point solutions, vendor specific applications and manually updated spreadsheets. And, as I mentioned before, this does not scale. This also adds a great deal of complexity when you begin to consider business continuity and disaster recovery. All these tools were vital to the delivery of our products and services. Any service provider will tell you it is all about uptime. So if the product is uptime, the tools used to deliver it have to be available 24×7x365.

Our goals were simple: scale and redundancy. As it turns out, the solution was simple as well. EM7 provided a tool that could replace the functionality of almost half of the existing point solutions and the applications that could not be replaced were integrated with EM7 to provide our staff with a “single pane of glass” to see the status and performance of each area of the business from one application. We had visibility into everything from facility systems to applications using EM7.

ScienceLogic also delivers an extensible configuration that addressed uptime and redundancy. We deployed collectors throughout our network that reported back to a central pair of redundant database servers and with this configuration we were able to perform backups and add capacity without taking the system down.

ScienceLogic: Why are service providers different from enterprises? How are their needs different?

John Proctor: First and foremost, service providers face the same challenges that only the largest enterprises ever face and they also have many unique challenges that only service providers experience.

One challenge we faced was that we had multiple datacenters in different states. They were all interconnected with plenty of bandwidth between each site, but the tools were not designed to be used across the WAN. Our staff in our remote data center did not have the same access as our staff in the corporate office. Since EM7 is web-based, it immediately eliminated this problem.

Another challenge is that service providers must manage systems across multiple domains. Back in the early version of a specific tool we were using before EM7, the only way you could implement it across multiple domains was to put the same username and password on every computer that you monitored. Beyond the security concerns, maintenance was a nightmare. Anytime we had to change the password, we would get locked out of dozens upon dozens of systems. When the password was changed on the monitoring server, it would attempt to login to the remote machines and fail. Repeated attempts would result in the account getting locked. I think that vendor eventually addressed this issue, but service providers seldom find tools that were designed for their unique situations.

ScienceLogic: How is EM7 geared to service providers?

John Proctor: Enterprise IT is a trusted part of the business; they are one of the team. Service providers are outsiders that must earn trust by showing the customer exactly what they are doing.

EM7 provides a multi-tenant environment that allows service providers to manage systems across many different customers while at the same time providing the customer access to see the same information but only what’s relevant to them.

EM7 was built by service providers and even includes a few features just for them. Two of my favorites are bandwidth billing and the emergency notification system. Take bandwidth billing, for instance. EM7 provides a way to collect bandwidth utilization, store subscription information, and calculate a bill from any one of about 10 different methodologies. And at the end of the billing period, EM7 sends the completed report out to whomever you chose via email.

Another unique service provider feature is the emergency notification system. EM7 allows the provider to track what customers used their unique infrastructure components. If they have to perform maintenance on the infrastructure component or have a problem they can send an email to all of the impacted customers in a matter of minutes.

ScienceLogic: What trends do you see for service providers? What about big trends such as virtualization and cloud computing – how will they impact service providers?

John Proctor: Virtualization is really hot for service providers right now and for the same reasons as in the enterprise. Service providers run data centers and data centers must be powered and cooled. So, anytime they can use a virtual server instead of adding physical equipment it is a good thing. But then you add the complexity that multiple customers reside on the same host and you must track things like bandwidth utilizations by guest OS, and it all gets a little harder. Lucky for us this is not a problem for EM7.

I still think it’s early days for cloud computing. Depending on who you talk to, much of what service providers (especially the big ones) have already been doing with SAAS offerings and hosted applications could be described as cloud computing already. In which case, service providers are ahead of the game. But whatever the “final” definition, cloud computing actually shares many similarities with virtualization – in that service providers (or enterprises) will need to be able to manage far more “devices” in real-time with “zero downtime” expectations by customers. What this really means is that you’re going to see much more automation in provisioning and IT monitoring tools to handle the scale and speed with which things can change in the data center given vm migration and the talked-about switching between “clouds” that can be used for high availability.

Inc 500/5000 Conference Summary

Fri, 26 Sep 2008 14:00:44 +0000

It didn’t really sink in until after the final black-tie awards ceremony finished last Saturday night that I had a chance to comprehend how starting a company that achieves this list is a once in a lifetime experience.

When I walked up on stage and accepted the Inc 500 award, it hit me square in the face that this is a rare accomplishment, and even more difficult for a product company that started without the benefit of VC funding.

Dave with wife, Anne, at the awards ceremony
Over the 2 day period, I heard from some great speakers with entrepreneurial passion, many who never had accomplished making the list. It is so highly competitive and just plain hard to do.

I loved hearing some of the speeches during the conference and getting to know other entrepreneurs that attended the conference talk about how they created their niche and ultimately built a successful company from a good idea.

Because I enjoyed hearing some of what I like to call “golden nuggets of wisdom” so much, I thought in my conference wrap-up I would pass on a few to our blog readers:

Tom Peters – Author In Search of Excellence and The New World of WOW

“Only 7% of our great nation works for Fortune 500 companies. Small businesses and the entrepreneurs are the jet fuel that makes our country fly.”

“Brand is shorthand for a collection of experiences, memories of what it will be like the next time a customer deals with you. With the advent of blogs and consumer activism, Brand is impossible to fake; it is like the temperature in the room… it is there… it exists.”

Chester Elton – SVP Carrot Culture Group

“At the casino – they train the heck out of the Valet! Why do they spend 3 months on Valet training? Because he is the first and the last person to greet and interact with a visitor during their trip! Who is your company Valet?”

Paul Bennett – Chief Creative officer IDEO – speaking on — Creating a culture of optimism:

“You need to ditch B-B and B-C Need to become P-P Person to Person.”

“You don’t buy loyalty… you earn it… this is an interesting challenge, but small allows us to behave like human beings… Going off script and doing something human is a great place to start.”

“Stop obsessing about ROI and start obsessing about ROC! Return on Customer/Consumer is much more powerful than ROI!!!!”

“Happy people, unabashedly doing, happy things, makes for happy companies, which create happy businesses which enable happy cultures… IN WHICH THRIVE”

Marilyn Carlson Nelson – Chairman and CEO Carlson Companies – A family owned $40 Billion empire including TGI Fridays, Radisson Hotels…

“My leadership was tested terribly - after 9/11 the travel industry was particularly harmed. It was an extraordinary time for Carlson. “

“Put tactics around these strategic initiatives”

Whomever you serve, serve with caring
Whenever you dream – dream with your all
Wherever you go, go as a leader
And never, never give up
Whatever you do – do it with integrity

“That builds trust, trust builds relationships and relationships build results.”

=============================================

Actually, I took about 40 pages of notes throughout the two days… So I can’t say that this will be my last summary post on the Inc 500/5000 conference, but I can say that the conference did leave a strong impression about how I can help shape the future of ScienceLogic in an even more positive way.

EstDomains and Intercage VS Cybercrime

Tue, 16 Sep 2008 05:09:44 +0000

Surreal, especially when you get to read that EstDomains has "ruthlessly suspended over five thousand domains only for last week", and also, that it "has a reliable ally in its battle against malware in a face of Intercage, Inc".

Here's the press release :

"The EstDomains, Inc management does not deny the fact that no one is secured from having a customer who uses provided services for delinquent purposes. But it must be noted that the carefully planned infrastructure of EstDomains, Inc makes the special provision for the cases of malware distribution that may originate from the domain name registered under the company's name. Such domain names are suspended immediately along with domain holder's account if there is an evidence of malware presence on the web site. According to the most recent statistics over five thousand domain names were detected and ruthlessly suspended by EstDomains, Inc specialists only last week.

The company also has a reliable ally in its battle against malware in a face of Intercage, Inc which provides company with the hosting services of the highest quality. But the outstanding performance of hosting services is not the sole reason why EstDomains, Inc appreciates this partnership so greatly. Intercage, Inc generously provides EstDomains, Inc specialists with reports regarding discovered malware vehicles. As the main database for additional domain name management services is located in Intercage Data Center, EstDomains, Inc has the perfect opportunity to get notifications of the slightest mark of malware presence in the shortest time and take measures in advance. "

The press release reminds me of RBN's defacement of my blog posted on the 1st of April, and despite that EstDomains started "performing for the community" as of recently, thanks to the collective intelligence and persistence of everyone turning their research into actionable intelligence against them, this performance aiming to minimize the effect of the negative PR is more or less futile considering all the cybercrime activities that they've been tolerating or ignoring for the past couple of years. For future generations to see, this is how EstDomains "performs for the community" :

"We've suspended all the domains listed in this topic. But please don't make posting these domains on this forum a habit. We have a 24/7 online tech support which can be contacted at https://support.estdomains.com

Best regards,
EstDomains Team

EstMate says : Ihatemondayand.com and antispycheck.com - both suspended. If any of the suspended websites are still active to you it maybe be because of your computer's or ISP's DNS-cache, others won't be able to access these websites

googlescanners-360.com isn't registered with us. As for other domains, the ones, which were registered through us, have been suspended. Regarding our preventive measures, the fact that you don't see them doesn't mean there isn't any. Yes, we don't write about them but in most cases we suspend whole accounts with problematic domains and look for connections to other accounts etc. During the last week we've suspended over 15000 different domains."

What's more disturbing regarding this particular domain registrar is that it's a U.S based operation, namely, using the lack of international cybercrime cooperation as an excuse for not taking actions earlier doesn't fit into the picture. Moreover, this is just the tip of the iceberg, and taking into consideration a personal mentality that the cybercriminals you know are better than the cybercriminals you don't know, the RBN or any of its "leftovers" aren't fully taking advantage of the tactics they could be using in order to make it harder to shut them down, but how come? Simply, they don't have to put extra efforts and would once again remain online for years to come, which is perhaps more disturbing at the first place.

What in the world is the Russian Business Network, is it still alive and kicking, are the same people that used to maintain my favorite netblock ever, still the ones running it, and what tactics are they taking advantage of in order to make it harder for the community to establish direct links with a particular netblock and the RBN itself?

With RBN's "leftovers" -- InterCage, Inc., Softlayer Technologies, Layered Technologies, Inc., Ukrtelegroup Ltd, Turkey Abdallah Internet Hizmetleri, and Hostfresh -- making headlines just like the way it should be, what I've been researching for the past couple of months is how they've migrated from the centralized hosting provider to what appears to be a fully operational franchise. The business model is very simple, the RBN through its extensive underground networking skills supplies to customers to franchisers operating small anti-abuse netblocks across the globe, where they offer dedicated hosting and share revenue with the RBN. Anyone trusted enough and capable of supplying such netblocks starts running the RBN anti-abuse franchise. It's also worth pointing out that these franchises are in fact starting to cut the middle man, and disintermediate the RBN by actively advertising their services in order for them to create a self-sustainable business model without having to rely on the RBN connecting them with customers.

What used to be a centralized cybercrime powerhouse operating several highly visible anti-abuse netblocks, is today's decentralized infrastructure, with the profit margins for the anti-abuse services that it's logically capable to break-even and earn profits even with a few high profile dedicated hosting customers. Anyone can be the Russian Business Network, gain experience into the market segment, then disintermediate them by starting to advertise their own services. From a powerhouse to a franchise model, what the RBN had to offer can be easily duplicated by a countless number of local RBN's, and this is only starting to take place.

Related posts:
Lazy Summer Days at UkrTeleGroup Ltd.
The Malicious ISPs you Rarely See in Any Report
Geolocationg Malicious ISPs
The New Media Malware Gang - Part Four
The New Media Malware Gang - Part Three
The New Media Malware Gang - Part Two
The New Media Malware Gang
RBN's Fake Account Suspended Notices
HACKED BY THE RBN!
Rogue RBN Software Pushed Through Blackhat SEO
RBN's Phishing Activities
RBN's Puppets Need Their Master
RBN's Fake Account Suspended Notices
A Diverse Portfolio of Fake Security Software
Go to Sleep, Go to Sleep my Little RBN
Exposing the Russian Business Network
Detecting the Blocking the Russian Business Network
Over 100 Malwares Hosted on a Single RBN IP
RBN's Fake Security Software
The Russian Business Network

Summarizing August's Threatscape

Wed, 10 Sep 2008 02:57:32 +0000

Following the previous summaries of June's and July's threatscape based on all the research published during the month, it's time to summarize August's threatscape.

August's threatscape was dominated by a huge increase of rogue security software domains made possible due to the easily obtainable templates for the sites, several malware campaigns targeting popular social networking sites, Russian's organized cyberattack against Georgia with evidence on who's behind it pointing to "everyone" and a few botnets dedicated to the attack making the whole process easy to outsource and turn responsibility into an "open topic", several new web based botnet management kits and tools found in the wild, evidence that the 76service may in fact be going mainstream since the concept of cybercrime as a service is already emerging, and, of course, a peek at India's CAPTCHA solving economy, where the best comment I've received so far is that every site should embrace reCAPTCHA, so that while solving CAPTCHAs and participating in the abuse of these services in question, they would be also digitizing books. As usual, August was a pretty dynamic month for the middle of summer, with everyone excelling in their own malicious field.

01. McAfee's Site Advisor Blocking n.runs AG - "for starters"
False positives are rather common, especially when you're aiming to protect the end user from himself and not let him gain access to "hacking tools", but you're flagging security tools as badware and missing over half the SQL injected domains currently in the wild due to the fact that SiteAdvisor's community still haven't reviewed them - that's not good

02. The Twitter Malware Campaign Wants to Bank With You
Twitter, just like every Web 2.0 application, isn't and shouldn't be treated as a unique platform for dissemination of malware, since it's dissemination of malware "as usual". This particular malware campaign was not just executed by a lone gunman, but also, was taking advantage of a flaw allowing the author to add new followers potentially exposing them to the malicious links serving banker malware. For the the time being, MySpace, Facebook and Twitter accounts are the very last thing a malicious attacker is interesting in puchasing accounting data for, but how come? It's all due to the oversupply of automatically registered accounts at other popular services, whose ecosystem of Internet properties empower cybercriminals with the ability to launch, host and distribute malware in between abusing the very same company's services for the blackhat SEO campaign and redirection services. Theoretically, a distributed network build upon the services provided by a single company is faily easy to accomplish due to the single login authentication applied everywhere. A singly bogus Gmail account results in a blackhat SEO hosting blogspot account, flash based redirector hosted at Picasa, and a couple of thousands of spam emails sent automatically sent through Gmail in order to abuse it's trusted email reputation

03. Compromised Web Servers Serving Fake Flash Players
If aggressiveness matter, this campaign consisting of remotely injected redirection scripts at legitimate sites next to on purposely introduced malware oriented domains, was perhaps the most aggressive one during the month. Fake flash players, fake windows media players and fake youtube players are prone to increase as a social engineering tactic of choice due to the template-ization of malware serving sites for the sake of efficiency

04. Pinch Vulnerable to Remotely Exploitable Flaw
With Zeus vulnerable to a remotely exploitable flaw allowing cybercriminals to hijack other cybercriminal's Zeus botnet, private exploits targeting the still rather popular at least in respect to usefulness Pinch malware are leaking, allowing everyone including security researchers to take a peek at a particular campaign running unpatched Pinch gateway

05. Phishers Backdooring Phishing Pages to Scam One Another
Backdooring phishing pages is perhaps the most minimalistic approach a cybercriminal wanting to scam another cybercriminal is going to take. The far more beneficial approach that I've encountered on a couple of occassions so far, would be to backdoor a proprietary web malware exploitation kit, release it in the wild, let them put the time and efforts into launching the campaigns, then hijack their botnet. In fact, the possibilities for backdooring copycat web malware exploitation kits in order to take advantage of the momentum while introducing a non-existent kit has always been there at the disposal of malicious attackers. One thing's for sure - there's no such thing as a free web malware exploitation kit, just like there isn't such thing as a free phishing page

06. Email Hacking Going Commercial - Part Two
In between the scammers promising the Moon and asking for anything between $20 to $250 to hack into an email account, there are "legitimate" services taking advantage of web email hacking kits consisting of each and every known XSS vulnerability for a particular service in an attempt to increase the chances of the attacker. And given that the majority of these have been patched a long time ago, social engineering comes into play. Do these services have a future? Definitely as more and more people are in fact looking for and requesting such services, in fact, they're willing to pay a bonus considering how exotic it is for them to have any email that they provide hacked into and the accounting data sent back to them

07. The Russia vs Georgia Cyber Attack
Event of the month? Could be, but just like every "event of the moth" everyone seems to be once again restating their "selective retention" preferences. What is selective retention anyway? Selective retention is basically a situation where once Russian is attacking another country's infrastructure, you would automatically conclude that it's Russian FSB behind the attacks and consciously and subconsciously ignore all the research and articles telling you otherwise, namely that the FSB wouldn't even bother acknowledging Georgia's online presence, at least not directly. Moreover, talking about the FSB as the agency behind the cyberattacks indicates "selective retention", talking about FAPSI indicates better understanding of the subject.

In times when cybercrime is getting ever easier to outsource, anyone following the news could basically orchestrate a large scale DDoS attack against a particular country in order to forward the responsibility to any country that they want to. In Russia vs Georgia, you have a combination of a collectivist society that's possessing the capabilities to launch DDoS attacks, knows where and how to order them, and that in times when your country is engaged in a war conflict drinking beer instead of DDoS-sing the major government sites of the adversary is not an option.

Selective retention when combined with a typical mainstream media's mentality to "slice the threat on pieces" instead of turning the page as soon as possible, is perhaps the worst possible combination. Furthermore, coming up with Social Network analysis of the cyberattacks would produce nothing more but a few fancy graphs of over enthusiastic Russian netizen's distributing the static list of the targets. The real conversations, as always, are happening in the "Dark Web" limiting the possibilities for open source intelligence using a data mining software. Things changed, OPSEC is slowly emerging as a concept among malicious parties, whenever some of the "calls for action" in the DDoS attacks were posted at mainstream forums, they were immediately removed so that they don't show up in such academic initiatives

08. 76Service - Cybercrime as a Service Going Mainstream
The reappearance of the 76Service allowing everyone to log into a web based interface and collect all the accounting and financial data coming from malware infected hosts across the globe for the period of time for which they've bought access, indicates that what used to be proprietary services which were supposedly no longer available, are now being operated in a do-it-yourself fashion. Goods and products mature into services, so from a cost-benefit analysis perspective, outsourcing is naturally most beneficial even when it comes to cybercrime

09. Who's Behind the Georgia Cyber Attacks?
If it's the botnets used in the attacks, they are known, if it's about who's providing the hosting for the command and control, it's the "usual suspects", but just like previous discussion of the Russian Business Network, it remains questionable on whether or not they work on a revenue-sharing basis, are simply providing the anti-abuse hosting, or are the shady conspirators that every newly born RBN expert is positioning them to be.

Cheap conversation regarding the RBN ultimately serves the RBN, and just for the record, there's a RBN alternative in every country, but the only thing that remains the same are the customers, tracking the customers means exposing the RBN and the international franchises of their services, making it harder to identify their international operations. And given that the "tip of the iceberg", namely RBN's U.S operations remain in tact, talking about taking actions against their international operations in countries where cybercrime law is still pending, is yet another quality research into the topic building up the pile of research into the very same segments of the very same ISPs.

Just for the record - these "very same ISPs" are regular readers of my blog, and if you analyze their activities, they're definitely reading yours too, ironically, surfing through gateways residing within their netblock that are so heavily blacklisted due to the guestbook and forum spamming activities that their bad reputation usually ends up in another massive blackhat SEO campaign exposed.

10. Guerilla Marketing for a Conspiracy Site
Conspiracy theorists may in fact have a new wallpaper to show off with

11. Banker Malware Targeting Brazilian Banks in the Wild
When misinformed and not knowing anything about a particular underground segment, a potential cybercriminal would stick to using such primitive compared to the sophisticated banker malware kits currently in the wild. These sophisticated banker malware kits are often coming in a customer-tailored proposition, with their price increasing or decreasing based on the specific module to be included or excluded. For instance, a module targeting all the U.S banks that has been put in a "learning mode" long before it was made available to the customers can be requested and is often available with the business model build around the customer's wants

12. Compromised Cpanel Accounts For Sale
Despite the massive SQL injection attacks, accounting data for Cpanel accounts coming from malware infected hosts seems to be once again coming into play, which isn't surprising given the filtering capabilities and log parsing tools today's botnet masters are empowered with. These very same compromised Cpanel accounts and the associated domains often end up so heavility abused that it's tactics like these that are driving the underground multitasking mentality, namely, abusing a single compromised account for each and every malicious online activity you can think of - even hosting banners for their blackhat SEO services

13. A Diverse Portfolio of Fake Security Software - Part Two
In August we saw a peek of fake security software, neatly typosquatted domains whose authors earn revenue each and every time someone installs the software. The vendors behind this software are forwarding the entire process of driving traffic to those excelling in aggregating traffic and abusing it. As anticipated, underground multitasking started taking place within the fake security software domains, with the people behind them introducing client-side exploits in order to improve the monetization of the traffic coming to the sites

14. DIY Botnet Kit Promising Eternal Updates
There's no such thing as a (quality) free botnet kit. What's for free is often the leftovers from a single feature of a more sophisticated proprietary botnet kit. This one in particular is however trying to demonstrate that even a plain simple GUI botnet command and control software can achieve the results desired by an average script kiddie, and not necessarily satisfy the needs of the experienced botnet master

15. A Diverse Portfolio of Fake Security Software - Part Three
As far as trends and fads are concerned, the majority of the domains are currently parked at up to four different IPs, with most of them going into a stand by mode once they get detected and reappear back couple of weeks later

16. Fake Celebrity Video Sites Serving Malware - Part Two
Due to the template-ization of fake celebrity video sites, and simple traffic management tools combined with blackhat SEO tactics, these sites are also prone to increase in the next couple of months

17. Web Based Botnet Command and Control Kit 2.0
It's releases like these that remind us of the amount of time, efforts and personal touch that a malicious attacker would put into such a management kit, currently acting as a personal benchmark as far as complexity and features indicating the coder's experience with botnets is concerned. What's he's failing to anticipate is that this kit is sooner or later going to turn into the "MPack of botnet management"

18. A Diverse Portfolio of Fake Security Software - Part Four
Keep it coming, we'll keep it exposing until we end up getting down to the "fake software vendor" itself

19. Automatic Email Harvesting 2.0
Email harvesting is slowly maturing into a vertically integrated service provided by vendors of managed spamming services. This email harvesting module is aiming to close the page on text obfuscation in respect to fighting spam, and is successfully recognizing and collecting such publicly available emails. From a psychological perspective though, the end users who bothered to obfuscate their emails are less likely to fall victims into phishing scams, with the obfuscation speaking for a relatively decent situational awareness on how they emails end up in a spammer's campaign

20. Fake Porn Sites Serving Malware - Part Three
As a firm believer in sampling in order to draw conclusions on the big picture, an approach that has proven highly accurate in modeling historical and upcoming tactics and behavior, a single fake porn site serving malware campaign usually exposes a dozen of misconfigured redirectors, which thanks to their misconfiguration despite the evasive features available within the kits, expose another dozen of malware campaigns

21. Facebook Malware Campaigns Rotating Tactics
With no particular flaw exploited other than the social engineering tactic of using already compromised Facebook accounts who would automatically spam all their friends with links to flash files hosted at legitimate services, the more persistent the campaign is, the higher the chance that it will scale enough. This campaign in particular is mainly relying on rotation of tactics, namely different messages, different services and file extensions used in order to trick someone's friend into visiting the URL. With the number of users increasing, the most popular social networking sites are naturally going to be permanently under attacks from cybercriminals

22. Fake Security Software Domains Serving Exploits
Despite that it's a single brand, namely the International Virus Research Lab that's introducing client-side exploits within it's portfolio of domains, the opportunity for abuse may be noticed by the rest of the brands pretty fast

23. Exposing India’s CAPTCHA Solving Economy
Taking into consideration the mentality surrounding a particular country's cybercriminals, how they think, how they operate, what do they define as an opportunity, and how much personal efforts are they willing to put into their campaigns, I wouldn't be surpised if a Russian vendor offering 100,000 bogus Gmail accounts for sale has in fact outsourcing the account registration process to Indian workers, paid them pocket change and is then reselling them ten to twenty times higher than the price he originally paid for them.

The text based CAPTCHAs used at the major Internet portals and services, are so efficiently abused by this approach that continuing to use is directly undermining the trust these email providers and services often come with as granted

Exposing Indias CAPTCHA Solving Economy

Fri, 29 Aug 2008 13:03:37 +0000

"Are you a Human?" - once asked the CAPTCHA, and the question got answered by, well, a human, thousands of them to be precise. Speculations around one of the main weaknesses of CAPTCHA based authentication in the face of human CAPTCHA solvers, seems to have evolved into a booming economy in India during the past 12 months, with thousands of people involved.

The following article - "Inside India’s CAPTCHA solving economy" aims to expose legitimate data entry workers, whose business models and techniques are in fact used by Russian cybercriminals not only for personal phishing, spamming and malware spreading purposes, but also, to resell the bogus accounts and earn a premium in the process :

"No CAPTCHA can survive a human that’s receiving financial incentives for solving it, and with an army of low-wagedIndia CAPTCHA breakers human CAPTCHA solvers officially in the business of “data processing” while earning a mere $2 for solving a thousand CAPTCHA’s, I’m already starting to see evidence of consolidation between India’s major CAPTCHA solving companies. The consolidation logically leading to increased bargaining power, is resulting in an international franchising model recruiting data processing workers empowered with do-it-yourself CAPTCHA syndication web based kits, API keys, and thousands of proxies to make their work easier, and the process more efficient."

Cybercrime is just as outsourceable as CAPTCHA breaking is these days.

Related posts:
The Unbreakable CAPTCHA
Spam coming from free email providers increasing
Gmail, Yahoo and Hotmail’s CAPTCHA broken by spammers
Microsoft’s CAPTCHA successfully broken
Vladuz's Ebay CAPTCHA Populator
Spammers and Phishers Breaking CAPTCHAs
DIY CAPTCHA Breaking Service
Which CAPTCHA Do You Want to Decode Today?

Economist.com - Confessions of a Risk Manager

Mon, 11 Aug 2008 04:42:00 +0000

I was reading the Economist this week and came across an excellent article titled "Confessions of a Risk Manager".

In the article a risk manager for a major financial institution talks about managing risks and how the risk department was viewed as an obstacle by the rest of the business. I'll just quote a section here so you can see that governance roles, especially those involving trade-offs of risk vs. return are difficult not just in security.

In their eyes, we were not earning money for the bank. Worse, we had the power to say no and therefore prevent business from being done. Traders saw us as obstructive and a hindrance to their ability to earn higher bonuses. They did not take kindly to this. Sometimes the relationship between the risk department and the business lines ended in arguments. . . .

Tactfully explaining why we said no was not our forte. Traders were often exasperated as much by how they were told as by what they were told.
At the root of it all, however, was—and still is—a deeply ingrained flaw in the decision-making process. In contrast to the law, where two sides make an equal-and-opposite argument that is fairly judged, in banks there is always a bias towards one side of the argument. The business line was more focused on getting a transaction approved than on identifying the risks in what it was proposing. The risk factors were a small part of the presentation and always “mitigated”. This made it hard to discourage transactions. If a risk manager said no, he was immediately on a collision course with the business line. The risk thinking therefore leaned towards giving the benefit of the doubt to the risk-takers.
Collective common sense suffered as a result. Often in meetings, our gut reactions as risk managers were negative. But it was difficult to come up with hard-and-fast arguments for why you should decline a transaction, especially when you were sitting opposite a team that had worked for weeks on a proposal, which you had received an hour before the meeting started. In the end, with pressure for earnings and a calm market environment, we reluctantly agreed to marginal transactions.

Every time I read about decision making like this I refer back to an some excellent presentations I've come across by Reidar Bratvold. He has done some excellent presentations on decision making in the face of risks/uncertainty.

Click Fraud, Botnets and Parked Domains - All Inclusive

Mon, 28 Jul 2008 03:58:08 +0000

It gets very ugly when someone owns both, the botnet, and the portfolio of parked domains actively participating in PPC (pay per click) advertising programs, where the junk content, or the typosquatted domain names is aiming to attract high value and expensive keywords in order for the scammer to year higher on per click percentage. This is among the very latest tactics applied by those engaging in click fraud. Hypothetically, the cost to rent the botnet and commit click fraud would be cheaper than sharing revenue on per click basis with "human clickers" who earn money based on how many ads they click given a set of scammer's owned sites, where the customer supports represents a DIY proxy switching application changing their IP on the fly.

Click Forensics's recent Q2 2008 report indicates that botnets were responsible for over 25% of all click fraud activity they were monitoring during Q2. Not surprising, given that botnets have long been observed to commit blick fraud, using a common traffic exchange scheme. What's new is the use and abuse of parked domains :

"Despite indication that some of the clicks from parked domains were invalid, Google failed to disclose to the plaintiff specific domain names in which these ads were clicked on, making detection of invalid clicks difficult and even worse concealing any evidence of invalid clicks," the lawsuit alleges. RK West eventually went through its server logs and discovered the source of the clicks, said Alfredo Torrijos, one of the company's attorneys."

Will cybersquat security vendors for improving the chances of attracting high-valued keywords to later on click fraud? The trend has been pretty evident for a while, with cybersquatting increasing on an yearly basis according to multiple sources :

"Rise in pay-per-click advertising where cybersquatters link the domain name they have registered with a website containing ads promoting a variety of competing brands. The cybersquatter receives money every time internet users access this website and click on one of the ads."

However, the "internet users who are supposed to click on one of the ads on the parked domains owned by the scammers" will get clicked by a botnet owned or cost-effectively rented by the scammer. Here's a sample of currently parked domains attracting Symantec ads :

symentec .com
symantek .com
symanteck .com
symantac .com
symantaec .com
symantic .com
symmantec .com
symanntec .com
ssymantec .com
symanthec .com
symanzec .com
symanttec .com
sjmantec .com
saimantec .com
seymantec .com
symanrec .com
symantrc .com
symantwc .com
aymantec .com
dymantec .com
sxmantec .com
symantex .com
symantev .com
symabtec .com
symamtec .com
synantec .com
stmantec .com
symanyec .com
sumantec .com
symant3c .com
syman5ec .com
wwwsymantec .com
symanteccom .com
ymantec .com
syantec .com
symntec .com
symanec .com
symantc .com
symante .com
symattec .com
symantcc .com
syman-tec .com
syymantec .com
symaantec .com
symanteec .com
symantecc .com
ysmantec .com
syamntec .com
symnatec .com
symatnec .com
symanetc .com
symantce .com

As well as recent sample brandjacking Kaspersky :

kespersky .com
kasparsky .com
kaspaersky .com
kaspasky .com
kasperscky .com
gaspersky .com
kasbersky .com
kasppersky .com
kasperrsky .com
kasperssky .com
kasperskj .com
kasperskey .com
kaapersky .com
kasperaky .com
kasperdky .com
laspersky .com
kaspersly .com
kasperskt .com
kaspersku .com
kasp3rsky .com
kaspe4sky .com
kas0ersky .com
wwwkasperskycom .com
wwwkaspersky .com
kasperskycom .com
aspersky .com
kspersky .com
kasersky .com
kaspesky .com
kaspersy .com
kaspersk .com
kappersky .com
kaspessky .com
kas-persky .com
kasp-ersky .com
kasper-sky .com
kasperskyy .com
akspersky .com
ksapersky .com
kapsersky .com
kaseprsky .com
kaspesrky .com
kaspersyk .com
kaspersky24 .com
kasperskyonline .com
kaspersky-online .com

What's most disturbing is that instead of having cybersquatting taken care take of a long time, and scammers emphasizing on the junk content in order to attract the relevant ads on the bogus domains, the still trendy cybersquatting still does the magic by including the targeted word in the domain name itself.

Related posts:
Cybersquatting Security Vendors for Fraudulent Purposes
Cybersquatting Symantec's Norton AntiVirus
The State of Typosquatting - 2007

D.C. Police Detective Arressted for Propositioning a "Prostitute".

Sat, 12 Jul 2008 14:58:00 +0000

Some time clients call us up and ask if we can send them off-duty cops for Executive Protection assignments. My first inclination is to tell them why we are reluctant to use off-duty police.

Yesterday, WTOP radio reported that a Detective Wheeler from the Washington D.C. Metropolitan Police had been arrested for trying to hire a Prostitute. Unfortunately for Detective Wheeler, the "prostitute" was an undercover Police Detective herself.

The story gets better, however. It seems that Detective Wheeler is assigned to the Vice Unit. For those of you who don't know what a Vice Unit does, they set up "stings" and dress female Police officers to look like prostitutes in order to arrest those who try and do business with "prostitutes". One wonders if Detective Wheeler should be charged with the prostituion charge or one involving gross stupidity.

Just becaause a Police officer carries a gun, does not mean that this qualifies him or her to do everything security related. While most of them are decent, hard working indivduals, there are also some who break laws and circumvent the system for their own benefit. When you hire an "off-duty cop", you do not know what you are getting. Perhaps you will get a bad apple(s) who will do more harm than good. Afterall, what way is there to vet them?

A professional security company like ours, train their own people and enforce from day one a strong sense of Ethics. We have a zero policy for any behaviour that might be detrimental to us or the client. On the rare occassion when someone does something that we do not condone, they are terminated. There is no room for Union intervention or "three strikes, you're out" or any other delaying tactic.

Our reputation is too important. Then again, we do not have "jobs for life" but must instead earn buisness by constantly performing. The next time you need a security person, keep this in mind.

Security Circumvented: My Anti-Virus

Thu, 19 Jun 2008 23:31:34 +0000

I recently needed to renew the anti-virus subscription on my tablet PC. Of course, Symantec popped up and let me know well in advance, and of course, I waited until the almost-last-day before I renewed.

When my renewal options appeared, there was a selection to upgrade to the shiny new Norton 360. Woo hoo! It listed all these great new security features… I don’t remember what they were… but, they sounded REALLY great (I promise).

So I went with the upgrade, instead of the anti-virus signature renewal. Okay.

It did seem like a good idea at the time. However, in addition to my overly-protective Vista popups eeeevvvvery time I want to run something, connect somewhere, or wipe my nose… Now, I have the Vista pop up AND the Norton 360 popup. Okay.

Except, the Norton pops up with flagrantly ambiguous information like “An application is trying to access your Internet.” Do I want to allow it? I don’t know. How am I supposed to know- which application wants to access my Internet? Oh, it’s not going to tell me. Okay.

Well, I guess I’ll click ‘Allow’ because I have no clue what is trying to access my Internet, but I’ll assume it’s something that I have somehow asked to access my Internet… and I’ll be quite upset if whatever I clicked on doesn’t work. So YES, ALLOW. Okay again.

And what was the point in that? One click has transformed to three, and I’m no more secure than I was before, I’m just being forced to make more clicks to earn my insecurity. So today I am the poster child of what NOT to do.

Security circumvented is quite possibly worse than no security at all. I see visions of ‘invalid browser certificate’ notices dancing in my head.

# # #

Internet fraud has taken a sinister new turn

Tue, 17 Jun 2008 06:19:08 +0000

Organised crime has identified the web as a goldmine – providing opportunities to launch cyber attacks that will earn large amounts of money at a relatively low risk. Learn more.