23:38 Spam rates massively down on shutdown of rogue ISP
Several major news outlets are reporting that the shutdown of a rogue ISP in the Bay Area has led to a massive drop in the global volume of spam. While this is a “good thing”, this event is not the end of spam, nor even the beginning of the end of spam; it [...]
22:03 Security World: The $10,000 hacking contest
Gizmox, the developer of the Visual WebGui open source platform, announced a contest which will pay $10,000 to anyone who can hack into its Visual WebGui Platform.
The contest will take the shape of ...
Yet another network provider has been yanked offline after being accused by security researchers of acting as the mothership that allowed a large percentage of the world's spam operators and malicious networks to thrive.
19:43 DIY Skype Malware Spreading Tool in the Wild
Who needs to build hit lists by harvesting user names when a usability feature allows you to expose millions of users to your latest social engineering campaign? That seems to be the mentality behind yet another Skype malware spreading tool, which, like the majority of publicly obtainable tools, aims to contact everyone, everywhere.
The tool's main differentiating feature is that it harvests the personal information of the users it detects at random, in between mass-spamming malicious URLs. However, despite a DIY nature that lets someone easily launch a malware campaign spreading across Skype, the tool lacks the segmentation features offered by related Skype spamming tools. Just as in a cybercrime 1.0 world DIY exploit embedding tools were favored because web malware exploitation kits did not yet exist, in a cybercrime 2.0 world these DIY tools have matured into IM malware spreading modules that can easily be attached to any infected host whenever the botnet master wants such functionality.
19:32 Why did Microsoft wait 7 years to fix SMBRelay attack flaw?
One of the code execution vulnerabilities fixed in this month’s Microsoft Patch Tuesday release dates back to 2001, when it was first disclosed by Cult of the Dead Cow hacker Sir Dystic.
If that wasn’t cause for worry, get this: An exploit for the bug — in the way that Microsoft Server Message Block [...]
18:41 Double-check your QSA
I’m not sure if this is something I’d missed before, but you can look up your Qualified Security Assessor (QSA) and see if they’re in good standing. All you need is their last name and the name of their company and you can know for certain that they’re on the up and up and have [...]
17:17 Talking to Michael Chertoff
I’m still digesting yesterday’s talk with DHS Secretary Michael Chertoff. Thanks to Mr. Chertoff and his press folks for inviting me to the event. I never thought I’d be invited to talk to one of the highest level security professionals in the country; it wasn’t even something I had as a ’some day, possibly’ goal. I [...]
08:13 Virus Center: Malicious worm attacks social networks
PandaLabs has detected Boface.G, a new worm that uses the Facebook and MySpace social networks to spread. The Boface.G worm posts a link on the infected users' profile or contacts panel of a fake YouT...
07:54 Network Security Podcast, Episode 127: DHS Secretary Michael Chertoff
When I first got an invitation to attend a roundtable discussion with Department of Homeland Security Secretary Michael Chertoff, I thought it was a hoax, as did some of the people I asked about it. A little fact checking revealed that it was the real deal, but the meeting was in Washington, DC. Traveling [...]
We’ve received some questions from customers about MS08-068 and its relationship to an issue that was first discussed in 2001, called the SMBRelay attack.
Specifically, we’ve gotten some questions about why, in 2008, we’re releasing an update that addresses an issue first discussed in 2001. Since I was in the MSRC back in 2001 when this was all first discussed, I feel well placed to answer that.
At a high level, the behavior that was discussed in the original SMBRelay attack is related to some of the basic behavior of the legacy NTLM protocol. When this issue was first raised back in 2001, we said that we could not make changes to address this issue without negatively impacting network-based applications. And to be clear, the impact would have been to render many (or nearly all) customers’ network-based applications then inoperable. For instance, an Outlook 2000 client wouldn’t have been able to communicate with an Exchange 2000 server. We did say that customers who were concerned about this issue could use SMB signing as an effective mitigation, but the reality was that there were similar constraints that made it infeasible for customers to implement SMB signing.
After saying that, though, the matter wasn’t closed for us. Since then we’ve been looking at this issue to see if there’s a way we can address it that doesn’t have such a large impact on applications and also doesn’t require application developers to completely rewrite their applications. In general, changes of this magnitude can only be made safely in completely new versions of Windows because of the thorough testing they receive there. And we’ve made some incremental changes in things like Windows XP SP2 and Windows Vista to help address some of this issue.
Over the course of the past year, however, that ongoing work showed us a way to build on those incremental changes that we believed would enable us to make changes that address the issues outlined in the SMBRelay attack and also minimize the impact on network applications. If we were able to do that, we would be able to look at addressing this issue not in a new version of Windows but instead in a security update, provided it met the appropriate quality bar.
Our engineering teams spent a great deal of time testing this approach and found it was feasible. We then took that work and developed it into a security update, putting it through our standard testing to ensure it met an appropriate level of quality for broad release. What we released today with MS08-068 is that security update. It addresses the SMBRelay issue but does so in a way that doesn’t have the negative impact on applications that we originally believed addressing this issue would have.
As Mark notes in his post, implementing SMB signing is still an option and one that we ultimately recommend. However, if you’re like me and remember the SMBRelay attack, you now have a protection option in case you can’t implement SMB signing: apply MS08-068.
I hope this helps give some more background on this.
Thanks
Christopher
*This posting is provided "AS IS" with no warranties, and confers no rights*
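The post above describes the SMBRelay problem only at a high level. The underlying weakness is that an NTLM-style challenge/response proves the password to whichever server issued the challenge, not to the server the client believes it is talking to, so an attacker who can get a client to authenticate to it can forward that client's answer to another server (a relay) or straight back to the client's own machine (a reflection). The toy model below is an added example, not code from the MSRC post or from Microsoft, and it uses simplified stand-in hash and key derivation rather than the real NTLM algorithms. It runs the relay end to end and then shows the mitigation the post recommends, SMB signing: both honest ends derive a session key from the password hash, the relay never sees that hash, so its commands fail signature checks even though the login itself succeeded. It also includes a `reflection_check` flag, a host refusing to answer a challenge it issued itself; that flag is an illustrative assumption of the class of protection a reflection-only fix can offer, not a description of how MS08-068 is implemented, and the scenarios show it does nothing against a relay to a different host. All credentials and hostnames are constructed.

```python
import hashlib
import hmac
import secrets

# Constructed toy model of an NTLM-shaped challenge/response login. Added
# example, not code from the post or from Microsoft: hash, response and key
# derivation are simplified stand-ins, not the real NTLM algorithms.

def password_hash(password: str) -> bytes:
    """Stored credential (real NTLM: MD4 of the UTF-16LE password)."""
    return hashlib.sha256(password.encode()).digest()

def compute_response(pw_hash: bytes, challenge: bytes) -> bytes:
    """Proof of the password over the challenge; this is what a relay forwards."""
    return hmac.new(pw_hash, challenge, hashlib.sha256).digest()

def session_key(pw_hash: bytes, response: bytes) -> bytes:
    """Signing key: derivable only with pw_hash, which the relay never sees."""
    return hmac.new(pw_hash, b"session" + response, hashlib.sha256).digest()

def sign(key: bytes, message: bytes) -> bytes:
    return hmac.new(key, message, hashlib.sha256).digest()[:8]

class Host:
    """One machine with an SMB-style server side and a client side."""
    def __init__(self, users, own_user=None, own_password=None,
                 require_signing=False, reflection_check=False):
        self.users = users                    # server side: user -> pw_hash
        self.own_user = own_user              # client side: credentials we send
        self.own_hash = password_hash(own_password) if own_password else None
        self.require_signing = require_signing
        self.reflection_check = reflection_check   # illustrative assumption
        self.issued = set()                   # challenges handed out as server
        self.sessions = {}                    # session id -> (user, signing key)

    def new_challenge(self) -> bytes:
        challenge = secrets.token_bytes(8)
        self.issued.add(challenge)
        return challenge

    def authenticate(self, user, challenge, response):
        """Server side: return a session id, or None if the proof fails."""
        pw_hash = self.users.get(user)
        if challenge not in self.issued or pw_hash is None:
            return None
        self.issued.discard(challenge)
        if not hmac.compare_digest(compute_response(pw_hash, challenge), response):
            return None
        sid = secrets.token_hex(4)
        self.sessions[sid] = (user, session_key(pw_hash, response))
        return sid

    def execute(self, sid, command, signature=None) -> bool:
        """Server side: login already succeeded; signing decides if commands run."""
        _user, key = self.sessions[sid]
        if self.require_signing and (signature is None or
                not hmac.compare_digest(sign(key, command), signature)):
            return False
        return True

    def answer(self, challenge):
        """Client side: answer a challenge, unless we issued it ourselves."""
        if self.reflection_check and challenge in self.issued:
            return None
        return self.own_user, compute_response(self.own_hash, challenge)

def relay_attack(victim, target, command=b"run payload"):
    """Attacker between victim's client and target's server; True if the
    command ran on target under the victim's identity."""
    challenge = target.new_challenge()           # 1. open a login to target
    answered = victim.answer(challenge)          # 2. lure victim into answering it
    if answered is None:
        return False
    user, response = answered                    # attacker never learns pw_hash
    sid = target.authenticate(user, challenge, response)   # 3. replay to target
    return sid is not None and target.execute(sid, command)  # 4. unsigned command

def legitimate_login(client, server, command=b"list share"):
    """Honest path: both ends derive the same key, so the command is signed."""
    challenge = server.new_challenge()
    user, response = client.answer(challenge)
    sid = server.authenticate(user, challenge, response)
    key = session_key(client.own_hash, response)
    return server.execute(sid, command, sign(key, command))

def scenarios():
    pw = "correct horse"                         # constructed credential
    users = {"alice": password_hash(pw)}
    def victim(**kw):                            # victim's own server trusts alice
        return Host(users, "alice", pw, **kw)
    results = {}
    v = victim()
    results["reflect_unprotected"] = relay_attack(v, v)
    v = victim(require_signing=True)
    results["reflect_signing"] = relay_attack(v, v)
    v = victim(reflection_check=True)
    results["reflect_check"] = relay_attack(v, v)
    results["relay_unsigned_server"] = relay_attack(victim(reflection_check=True), Host(users))
    results["relay_signed_server"] = relay_attack(victim(), Host(users, require_signing=True))
    results["legit_signed"] = legitimate_login(victim(), Host(users, require_signing=True))
    return results
```

Calling `scenarios()` gives the comparison the post argues over: the reflection succeeds on an unprotected host, fails when the target requires signing, and fails when the host refuses its own challenge; but the reflection check alone does nothing when the victim's credentials are relayed to a third host that does not require signing, which is why the post still recommends signing over relying on the update. The honest signed login keeps working because both ends hold the password hash and derive the same key. A real deployment differs in the details (the real NTLM key derivation, and the fact that Windows enforces "require" versus "if client agrees" signing per side), but the shape of the argument is the same.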
Excellent paper on the economics of spam. The authors infiltrated the Storm worm and monitored its doings.
After 26 days, and almost 350 million e-mail messages, only 28 sales resulted -- a conversion rate of well under 0.00001%. Of these, all but one were for male-enhancement products and the average purchase price was close to $100. Taken together, these conversions would have resulted in revenues of $2,731.88 -- a bit over $100 a day for the measurement period or $140 per day for periods when the campaign was active. However, our study interposed on only a small fraction of the overall Storm network -- we estimate roughly 1.5 percent based on the fraction of worker bots we proxy. Thus, the total daily revenue attributable to Storm's pharmacy campaign is likely closer to $7000 (or $9500 during periods of campaign activity). By the same logic, we estimate that Storm self-propagation campaigns can produce between 3500 and 8500 new bots per day.
Under the assumption that our measurements are representative over time (an admittedly dangerous assumption when dealing with such small samples), we can extrapolate that, were it sent continuously at the same rate, Storm-generated pharmaceutical spam would produce roughly 3.5 million dollars of revenue in a year. This number could be even higher if spam-advertised pharmacies experience repeat business. A bit less than "millions of dollars every day," but certainly a healthy enterprise.
Of course, the authors point out that it's dangerous to make these sorts of generalizations:
We would be the first to admit that these results represent a single data point and are not necessarily representative of spam as a whole. Different campaigns, using different tactics and marketing different products will undoubtedly produce different outcomes. Indeed, we caution strongly against researchers using the conversion rates we have measured for these Storm-based campaigns to justify assumptions in any other context.
Spam is all about economics. When sending junk mail costs a dollar per piece in paper, list rental, and postage, a marketer needs a reasonable conversion rate to make the campaign worthwhile. When sending junk mail is almost free, a conversion rate of one in ten million is acceptable.
I was in Dubai last weekend for the World Economic Forum Summit on the Global Agenda. (I was on the "Future of the Internet" council; fellow council members Ethan Zuckerman and Jeff Jarvis have written about the event.)
As part of the United Arab Emirates, Dubai censors the Internet:
The government of the United Arab Emirates (UAE) pervasively filters Web sites that contain pornography or relate to alcohol and drug use, gay and lesbian issues, or online dating or gambling. Web-based applications and religious and political sites are also filtered, though less extensively. Additionally, legal controls limit free expression and behavior, restricting political discourse and dissent online.
What was interesting to me was how reasonably the policy is executed. Unlike some countries -- China, for example -- that simply block objectionable content, the UAE displays a screen indicating that the URL has been blocked and offers information about its appeals process.