By: Tim Cronin

Dark Reading published an article titled “Booming Underground Economy Makes Spam A Hot Commodity, Expert Says” regarding the ease of using botnets for spam activity and how this makes spamming profitable.  Some of the more startling statistics show that “For about $10, [a spammer] can send a million emails”.  Even if 2 people order a product that they are selling for $10, that’s a 100% profit over the cost of the use of the botnet.  Assuming the actual production of the product is cheap enough, that’s a good margin.

How are botnets so inexpensive, though?  And, why are there so many available?  If you look at Commtouch’s Malware Outbreak Center you will notice that the vast majority of detected malware seems to be botnet downloaders.  Gone are the times when malware consisted of cute “look what I can do” code we are now in the time of real revenue-generating malware.  All a botnet “commander” needs to do is create the code, send it out and let it propagate through the Internet.  Eventually, there will be enough zombie hosts to really make money.

The strategies in use now should provide a good-enough deterrent to spammers, but there are simply not enough people using current protections.  So long as host-based malware detection is in use and network based protections such as IDS/IPS, malware scanning and firewalling are in use, then the amount of zombies on the internet will be reduced enough so that spamming will not be profitable.  Then we can look at our in boxes with confidence.  We haven’t reached that point yet, because there just simply aren’t enough people using adequate controls of network traffic.  According to Commtouch  again, in the Western world, zombies are not as common as developing nations.  Unfortunately for the Western world, we feel the effects of others’ lack of controls. 

Judging from all of this information, all the world needs to do in order to stop spam is make sure we are using currently available controls for our networks.  This will make spamming unprofitable and make spammers use their tricks for other means.  Until that day, the back-and-forth between spam and anti-spam will continue.

By Tim Cronin

There are three measures network administrators can take to avoid the types of network attacks that plagued US and South Korean websites including www.whitehouse.gov, NASDAQ, NYSE, Yahoo!’s financial page and the Washington Post. The three areas to focus on are network based mitigation, host based mitigation and proactive measures.

Network based mitigation:

• Install IDS/IPS with the ability to track floods (such as SYN, ICMP etc.)
• Install a firewall that has the ability to drop packets rather than have them reach the internal server. The nature of a web server is such that you will allow HTTP to the server from the Internet.  You will need to monitor your server to know where to block traffic.
• Have contact numbers for your ISP’s Emergency Management Team (or Response team, or the team that is able to respond to such an event).  You will need to contact them in order to prevent the attack from reaching your network’s perimeter in the first place.

Host based mitigation:

• Ensure that HTTP open sessions time out at a reasonable time.  When under attack, you will want to reduce this number.
• Ensure that TCP also time out at a reasonable time.
• Install a host-based firewall to prevent HTTP threads from spawning for attack packets

Proactive measures:

• For those with the knowhow, it would be possible to “fight back” with programs that can neutralize the threat. This method is used mostly by networks that are under constant attack such as government sites.

By: Tim Cronin

PC World’s Jaikumar Vijayan recently reported on the attacks against US government public information infrastructure.  In the article, Karen Evans, a Bush administration Information Systems executive outlined what she thought should be fast-tracked.  It includes using TICs (Trusted Internet Connections) for all public infrastructures.  This would include making sure that the internet connections for public access are consolidated and then served by only trusted parties.  In my calculations, this has many benefits with only one glaring weakness.

What happened?

A single quote of the story stuck out.  “the most important lesson learned is that many federal agency security people did not know which network service provider connected their Web sites to the Internet,” said Alan Paller, director of research the SANS Institute. “So they could not get the network service provider to filter traffic.” That quote takes my breath away.  If this is accurate, then the preparedness of network security for the government’s infrastructure is simply not up to par.  There is not much else that can be said.  What are we as a community to do?

Choose the battlefield. 

Often used as a text of inspiration to security professionals is Sun Tzu’s “The Art of War”.  There are two quotes that are relevant to this discussion.  “…And therefore those skilled in war bring the enemy to the field of battle and are not brought there by him.”  And “The art of war teaches us to rely not on the likelihood of the enemy’s not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable.”  The lessons of Sun Tzu show that we want to essentially choose the battlefield and lay in wait for an attack.  We want to be wise about our battlefield and prepared for the enemy.  Using the TIC approach is similar to how the Spartans chose the battlefield for the battle of Thermopylae.  They chose a small gorge that a small force could successfully defend and then they put up the biggest fight in history.  This is the idea behind the TIC.  Secure the path to the prize.  When you secure the only way to get to the servers, you secure the servers.  At the moment, the servers are too distributed to mount an effective defense.

Weakness?

The only glaring weakness that I can calculate is that this can easily turn into a bureaucratic nightmare resulting in weak TICs.  Weak TICs will result in a much wider path to the prize (what if the gorge at Thermopylae was twice as wide?). 

 TICs will have to comply with some standard.  Not only that, but likely the TIC will have to be the lowest bidder on the project.  So what are the standards?  Will they be robust enough?  Will the lowest bidder do just enough to get the grant?  Will the lowest bidder have qualified personnel?  Will there be a process that the TIC and government will need to follow that essentially slows response time?  All these are questions that should be answered among many more.

By Tim Cronin

Recently, NPR’s “All Tech Considered” posted a very good and concise article on securing WiFi technology.  I would just like to add a few key points for those that concern themselves with network security.

First, when using a VPN on an un-trusted hotspot, make sure that it is a “full tunnel” VPN.  Split tunnels work well for connecting with trusted networks (like your home network).  Unfortunately, if you are on an un-trusted hotspot, then there is no guarantee that there is security on that hotspot and an attacker can use your PC to get access to your internal network. 

Second, I would just like to point out that “Secure your home network” Is a huge point.  Don’t just take advantage of encryption, MAC filtering and other ubiquitous measures.  Also, reduce the size of your network to the minimum that is necessary for the amount of expected systems.  And change the default network.  Choose something not common.  These steps may not be effective alone, but can certainly add to an overall secure environment. 

SIDENOTE: MAC filtering and other security features have been shown to be inadequate when a skilled attacker targets your network.  There is still not reason *not* to use them.  The key is to make your network harder to get into than the ones around you, make it difficult enough so that the attacker loses interest or make it harder than his skill level to crack.  An attacker will likely take the path of least resistance, after all. If your network proves to be difficult to hack, the hacker will move on.

Third, disable your wireless antenna when not in use.  Most laptops have a button or switch that disables the antenna so that it’s easy to see that it is disabled.  This is especially true on airplanes.  There are many people that find it fun to browse others’ PCs while on board a plane.

Fourth, if you connect to an access point that you don’t intend to connect with often, delete it from your automatic wireless network list.  This was shown to be a very large hole by HD Moore (with his “Evil eeePC”).  Instructions here: http://technet.microsoft.com/en-us/library/cc778180(WS.10).aspx

Last, never assume that you aren’t compromised.  The chance always exists.  Monitor your systems regularly for irregularities.

By Angelo Comazzetto

Not only is it annoying having to sift through all the garbage which clogs your inbox, but it costs you productivity as you attempt to separate the mails you need from the unwanted items. Spam rarely ends up in my own inbox due to the effectiveness of the blocking solution I use, (I use a solution from Astaro) but many of the people I speak with daily communicate that in an inbox with 50 messages, 45 or more can easily be spam on a given day.

How obnoxious is it to go through all of your email and delete meaningless message after meaningless message. You have to wonder what these spammers are thinking – they must know that 99% of their messages are going to be deleted or blocked – and what are they trying to sell by randomly emailing people? Well, first of all they don’t care that 99% of their emails will be deleted or blocked. Because they send out tens of millions of spam messages at a time if only 1% of the emails get through and accomplishes its goal they consider the distribution a success. That is why spammers use topics currently in the news (like the Swine Flu) to grab the attention of the few people who don’t have a spam blocker already in place.  

So, what can you do to stop these annoying, and potentially harmful messages from getting into your inbox? Email filtering is just the beginning. Email filtering will only work as a spam blocker if you are indentifying spam properly, and using the right technology for your organization. Astaro published a white paper describing the dangers of spam and effective anti-spam technologies and techniques. To read this white paper visit The Hidden Dangers of Spam.