SPAMing as a Full Time Job?

no spam
I’ve been noticing that most of the spam I get (and nearly all that gets through the filters) arrives during the week, not the weekends. Actually, looking at my spam box, it looks like I receive around twice as much on week days than weekend days.

My point being, and I sure there are some good answers: Is spamming a full time job for a lot of spammers, or even a 40 hour a week job? I’d have to say for at least the dedicated ones, it probably is. Or, do they just figure more people check their mail on the weekdays?

Either way, spam sucks.

Share

Cross Site Scripting can cause your stock to tank

A woman working in HP Israel sent an email to hundreds of co-workers accusing (falsely) that a snack made by Osem, one of the largest food manufacturers in Israel and the local subsidiary of the Nestle food giant, is causing infant death.

This email quickly spread and the immediate result was a 6% drop in Osem’s stock in just a few hours.

The email wasn’t very sophisticated. It wasn’t even remotely true and the ministry of health immediately issued a statement confirming the rumour is false. Still, Osem – one of the largest companies in Israel – will see its stock down a few percent over this rumor.

Earlier this month, Apple’s stock went down following rumors that Apple’s CEO Steve Jobs had a heart attack. The Apple stock takes a beating every time that rumor surfaces, and that happens regularly.

Stocks going up or down because of rumors is old as the invention of the stock market. But the Internet makes it easier to create a rumor that reaches far and wide within hours; there is just one more component that is missing: credibility.

Imagine if you saw a news item on Apple.com that discussed the death of CEO and chairman Steve Jobs. Imagine if you saw a clarification text on Osem’s web site explaining that the ‘bamba’ snack is indeed suspect of poisoning infants. This is not difficult to do – I don’t really need to break in or deface the web sites for this to happen – I just need to find a cross site scripting vulnerability and use it for attack.

In fact, we made a quick proof of concept to the Tel Aviv stock exchange a few years ago when we planted a false news item using a cross site scripting attack. The reaction from TASE was familiar to anyone who ever reported a XSS vulnerability: “oh, this is not really a problem as it does not permanently changes the page” (for something that is “not a problem” they sure fixed it within the hour, though).

We’ve repeated this exercise almost every time our vulnerability scanning service found a XSS vulnerability and we had to explain why the report claims it’s a serious issue. We planted false financial reports in the ‘investors’ section, altered news items and in almost all cases, met with the standard reaction: “this is not a real vulnerability” and “how can this really affect me?”

Most security researchers opt to explain XSS as an attack for stealing cookies. While this is true, I think there’s a greater risk in altering the information on the page to visitors which could be useful in a phishing attack, or like the examples above, a speculative attack.

I’m waiting for the first XSS attack that will tank a big company stock. If you’re reading this, make sure your company won’t be the one.

Share

AVG’s NOPslide

AVG's NOPslide

AVG Technologies (formerly Grisoft) has been through a lot the last 17 years. Its almost considered an adult! From specializing in security software to… well actually they still do the same thing, they just focus greatly on antivirus and antimalware technology today.

In April 2006, AVG acquired Ewido Networks and bumped up their own antivirus’s version from version 7.1 to 7.5. Soon thereafter, Microsoft (!@#$) stated that AVG’s products would even be DIRECTLY available from the Windows Security Center in Vista.

Not cutting many corners, lets shift our focus now on AVG’s acquisition of Exploit Prevention Labs in late in 2007. AVG liked their ‘LinkScanner’ code and later released it in the next huge ‘revision’ of the AVG antivius suite, AVG 8. Now before I bash AVG 8, I will tell you that I used to be a big AVG fan. I always recommended it to everyone, whenever I had the chance. It WAS great — AVG offered advanced protection and ran so smooth and so clean. But at the moment, its bloated, clunky, very slow, a huge resource hog, and I am glad that I don’t have to use it. LinkScanner seems to have great intentions but has, so far, gotten off to a rocky start (or finish). A friend of mine warned me about it when it first was released, and I tried to give it the benefit of the doubt, keeping it on the ‘good’ list. I just simply don’t like the fact that it has been near ruined recently, thanks to AVG’s poor decisions.

Just like in poker, “Its about making the best decisions”, and how true that is when you think about it for the software industry too. Everyone makes mistakes, but AVG: PLEASE BE GOOD AGAIN!

Share

Kaspersky’s SAFE Internet

Kaspersky

Recently Kaspersky, the company who makes your favorite, or not-so-favorite anti-malicious software, called upon government and banking institutions to be more secure. But is it really up to these agencies to make draw the perfect picture of security, or should the end users stop making such bad decisions, both on and offline?

If these ‘safety nets’ are deployed, it won’t going to make the best out of security situation, but it will help. On the other side of the packet, using outdated software or insecure browsers (cough!*IE*cough!) that do little or nothing to protect the web surfers, directly and indirectly, should also be of major concern. Wouldn’t it be something if, when accessing one of these websites running INSECUREBROWSER, it suggested you use MORESECUREBROWSER, FOR SECURITY REASONS IF NOTHING ELSE? Woah, wouldn’t that be a different color light bulb. Especially if it was something like, say, Internet Explorer VS Firefox (Yes, I am saying that Firefox’s security is better than Internet Explorer. I believe both core and rendering engines are better, too).

Now, if they try to regulate the internet with security laws and cyber architecture boundaries, its just going to be one big mess. If you’d like one reason it wouldn’t work, just think about how outlawish the internet already is, and has been, since its inception. Then take a break and elaborate on it. I’m sure you’ll find more than one reason we can’t import some crazy set of regulations and actually believe they are going to work and/or solve our problems.

Here is some more fuel for thought: How about separating the internet for low and high bandwidth data flow. Interconnected, but bridged. Not a good idea? Well why not? As long as we are on the same network, there will be fighting over who owns what (more than just headers and footers). But as long as we put the big with the small, there is going to be controversy. There are going to be debates. This last part may have been a little off topic, but I feel like it needed to be said. Security isn’t made, its planned and implemented before regulation begins.

Share

Not your typical firefox SSL error message

I almost never mistype domain names, so I’m glad firefox was able to catch my error when I did:

firefox warning

(click the image for a larger version)
If you haven’t noticed (I didn’t notice myself in the first 3-4 times; I kept clicking ok and reloading, I thought firefox was acting up) the url is adwords.gogole.com. The good news is that the site is owned by google, so I wouldn’t have been phished in any case. The bad news is that google should have either redirected me to the right site or give me an error message instead of showing me the site with the wrong certificate. I know why they are doing it – it’s easier to do a domain catch-all then a redirect, but it’s not good in terms of user experience.

Firefox’s behavior is interesting too. Note that the warning I got was accompanied with a popup dialog that forced me to press ‘ok’ to get to to a second warning on the page itself.

If you don’t remember the typical error message, here is what anybody surfing more than a day with firefox has seen:

typical firefox warning

(click the image for a larger version)

This typical firefox warning tries to let me know something is wrong. The problem is, I’m seeing it so much that I’m adding exceptions left-and-right. In this case of the ‘gogole’ typo, the problem is more sever (gogole.com is claiming to be google.com) so I guess firefox decided to add a dialog box to the error. I’m not sure what triggers it and how often it’s displayed, but for me this is the first time seeing it, so my guess is that firefox is trying to keep it for the rare occasion when you need the user to understand the warning has escalated.
I wonder if the next escalation will be a warning siren through the speakers with a small electric shock through the keyboard.

Share

Opera’s Latest Hitman

Opera Logo

Opera the web browser is apparently now great at one thing: following the standards.

Yesterday, Opera 10 Alpha was released and flaunted its 100/100 score on the Acid3 test, passing with all the colors of the rainbow this time. But honestly, Opera, like several other ‘alternative’ browsers (and if your a hardcore fan/follower, excuse me), is just trying to catch up with the old dogs.

Firefox in particular has had many of Opera’s ‘new’ features and ‘improvements’ for quite a while. Security issues in Opera, often simple and totally trivial bugs, have been found and released. Not saying more than other browsers; both Firefox and Internet Explorer have them doubled to say the least, but I just never could bring myself to trust this unique web browser.

Auto-update has just been put in place, and I feel, as a security researcher, that it is an extremely valuable mitigation tool when new exploits spring up. Thank God the development team FINALLY put this sub-standard feature in place. Presto 2.2 has taken things to the next level with most of these improvements, more details of which you can find for windows, mac, and ‘linux/unix‘.

Has security been incorporated into Opera recently more than ever? Maybe. Has Opera been built with security from the ground up? Certainly not. Pay attention to your favorite XYZ exploit/advisory feed for inevitable updates.

Share

Happy Birthday Morris!

Randy Abrams recently pointed out to me that today is the 20th anniversary of the Morris Worm. For all you kids out there who have no recollection of this event, I’ve just posted a blog at http://www.eset.com/threat-center/blog/?p=165 that recaps on the worm and includes some relevant references, but right now I want to expand on a thought I had while I was writing it.

The Morris worm was very much of its time. It was a proof of concept (actually of several concepts) item of malware that showed a certain interest in and knowledge of some vulnerabilities that were current at that time (mostly a fingerd buffer overflow exploit and a somewhat flaky implementation of sendmail debugging), and was clearly meant to be self-launching. Most current malware, while it may well use drive-by downloads and other exploits, seems to use some form of social engineering. So maybe the earlier CHRISTMA EXEC worm was the real pioneer, with its mass mailing payload and its chainletter appeal to the gullibility of the victim. Well, we can draw dotted lines between old and new malware from now to Christmas, which is the sort of thing that interests saddos like me but doesn’t necessarily gain us much in terms of securing the internet.

Looking through some historical resources, it strikes me that there are some moments in malware history that not only define the time, but in some way draw a line under it, though Morris was followed by a copycat VMS worm the following year). After that, though, we waited quite a while for a real mass mailer epidemic and for the big network worms of this decade. Melissa managed to mark both the beginning of heavy duty mass mailers and the end (or at least the decline) of macro malware. Yet there are no full stops here. In 2008, we’re still seeing new(-ish) stuff cheek-by-jowl with the sort of malware we’ve mostly forgotten about: old-time boot sector viruses and new-age MBR rootkits; macro viruses and office suite exploits; overflows and drive-bys; and an endless loop of social engineering tricks (phishes, 419s, fake admin messages, fake codecs, fake updates…) The only really substantial change is the disappearance of the hobbyist hacker/malware author, promoted into full-blown cyber-criminality.

It seems that what we really need to patch is human nature: the evil gene, the greed gene, the careless gene, the “what’s a patch?” gene, the “I can click on anything because I have anti-virus software” gene…

David Harley CISSP FBCS CITP
ESET LLC

Share

APWG: Number of phishing sites has decreased – crimeware is here to stay

First time in the history of Anti-Phishing Working Group (aka APWG) the number of phishing reports received and new phishing sites discovered decreased at the end of period (i.e. Mar ’08).

But don’t say “We won the race – at last” yet. :( The number of crimeware-spreading URLs rose to a new record.
Nothing special when digging the statistics of top hosting countries – U.S., China, Russia, etc. But hey, France is listed too.

And link to the recently released Q1 Phishing Trends Report (pdf) here.

Share

Getting Paid For Others’ Work

As I was turning to signal my waitress for the bill, I noticed that aside the couple at the corner, everybody else was hooked to their laptops. Time has changed and now people sit in cafes for wireless internet, a play list on shuffle and some good cappuccino. Even though we are all mixing business with pleasure, we are just like the next guy: we eat, we Google, we Facebook.

But I’m not here to talk about aroma, I’m here to explain how you can get money for somebody else’s work.

Tap the airwaves and play a role of a man-in-the-middle. When you’re right in the center of things, imagine doing these:

  • Grep and replace adsense code blocks with your own pub-id. You will get paid, and not the owner of the website.
  • Shove 1×1 px iframes to Amazon with your affiliation tag. These will store a cookie on the victim’s browser with your tag. Even if she buys a book a week later, you will still get your hard-earned pay.
  • Replace facebook ads with match.com affiliation blocks.
  • Proxy DNS lookups, and if dns resolve fails, show ads instead.

So how is it done? Quite simple, wlan is merely ethernet network over airwaves. It deals with the same concepts, IPs, MACs and ARPs. Whenever a program wishes to connect to a remote box (outside your netmask,) it will route the requests via the gateway. This gateway is the wireless router you laptop is connected to. Computers inside the local area network communicate in ethernet protocol, so when my laptop sends an IP packet to the gateway, it wraps it up with an ethernet header. ARP is a protocol used to associate IP addresses with MAC addresses.

The brunette next to the magazine stand is using her laptop. Since we are both connected to the same gateway, we are on the same subnet. Using a nifty tool called arping, I can send an arp announce (also named “Gratuitous ARP“) to her computer, forcing it to associate the gateway IP address with my laptop mac address. So whenever she browses the internet, my computer will receive all the packets.

I have no idea what’s her IP address, and it doesn’t really matter. I can just broadcast an ARP announcement and update all arp caches in this subnet. Consider the following command line:
C:\>arping -i “\Device\NPF_{031C071A-8ED1-4AD9-8FD6-A930D4FA15F9}” -v -S 192.168.0.1 -s 00-1b-77-53-f7-2f -B

This will broadcast (-B) an arp announcement of the address (-S) 192.168.0.1 (gw) with the mac address (-s) of my laptop. Use Wireshark to find out the interface name (-i) of your wireless adapter. If you are targeting a single computer, replace -B with the ip address of the victim.

Note that broadcasting to the entire subnet will also damage your own arp cache table. To re-associate with the real mac address, clean entry with ‘arp -d’.

Unlike other approaches for man-in-the-middle attack, this one keeps you hidden. Unless you make it obvious, people won’t suspect. After all, it hijacks an existing router, does not require reconnecting and I am pretty sure nobody keeps record of their arp table.

Remember, just don’t be a jerk.

Share

Vanity Search Attacks

“How did you two meet? Did you mark her, or was it the other way around?”

- Robert Redford to Brad Pit, Spy Game

Con man 101: The best way to gain someone’s confidence is to make them think they contacted you. Scammers just love having potential victims contacting them.

Now, it seems they figured an interesting way to draw potential victims to their web site, in a way that is much easier than sending billions of spam email messages.
The idea is simple: take the person’s name (real people’s names are available for harvesting in places like linkedin, facebook, and other social networks) and put it in a web page. Doesn’t really matter where, as long as google indexes it.

Wait a while, and have that person google himself. Many people (myself included) have a ‘google alert’ on their name which sends them updated list of links to new pages where their name is mentioned.

Everyone likes to see where they are mentioned, so they will click on the link. And voila! They arrive to the spammer’s page. In some cases I’ve seen, the name was already gone from the page (but was still in the google cache). But all this doesn’t matter: as soon as the person reached the page, the web spammer’s job is done – he got his message in front of you, and maybe you’ll even dig deeper into his web site trying to figure out what the connection is to you.

There are many advantages to this method. First, you are not restricted by the message: the web page can openly have the words Viagra, Credit card debt and mortgage assistance without the fear of triggering anti-spam software. Also, people will pay more attention to the page since they think it has to do with them.

I don’t get the spammers’ marketing statistics, but I’m sure that the infamous spam text “it came to our attention that you’re in dire need of financial help” which sounds very much like a sincere, personal message, is a huge success. But this message has to get through the spam filters and include a real email address and a correct first/last name. The spam web page doesn’t need to bypass spam filters, and already has the correct name. In addition, you gain interesting information about the visitor: browser version, IP location and of course, the name he was searching for (that would be in the ‘referrer’ that is sent automatically by the browser to the web site). Oh, and of course – it’s cheap. You only need to put together a nice looking web page, and wait for google to do the rest. No buying of email lists and no cost of sending spam (which is nowadays the cost of hiring a zombie botnet for a couple of days).

For those aspiring scammers who are reading this, you should understand that it’s not a foolproof method. Obviously, it requires people to do a vanity search to reach you in the first place (though it also works on people who google their dates, their parents or their teachers). It also requires time – days, weeks or months (which may be difficult if your web site is on a zombie computer that might disappear by the time google indexes and the user comes to the site). But due to the fact the costs are very small, and there are no effective countermeasures at the moment, I think we will see more and more such attacks in the near future.

Share

Oooh! Scary! (and also wrong …)

You wanna know why I’m pedantic about malware terminology?

`United Kingdom banks and other financial institutions are being warned to be extra vigilant following the release on the internet of a new so-called “PC super bug” designed to steal online banking log-on details on an unprecedented scale. Cyber criminals have let loose a virus called Limbo 2 Trojan, which, according to security experts, is an extremely nasty bug developed specifically to worm its way into finance websites in order to cause maximum damage.’

So far, aside from the rather ill-defined reference to a “PC super bug” I don’t have all that much of a problem. A trojan could be designed to “worm” into the system.

“Security firm Prevx said the difference this time is that the new bug has been developed specifically to evade the vast majority of anti-virus computer systems. Such systems are devised by global IT security firms including McAfee, Symantec, and AVG. Finance houses all over the world rely on them to provide adequate protection.”

Hmmm. What we have heah, is a failyuh to c’mmunicate that we are trying to badmouth our competition.

“It is estimated that a single data breach can cost a big firm more than £3m to rectify.”

Ooooh, scary.

“Prevx reported that the Trojan bug features a changeable shell with a pliable cloak coming in many guises and variants to try to fool security systems and slip past conventional signature-based anti-virus detection.”

Can you say “polymorphic”? Can you say that we’ve already dealt with polymorphs, as far back as 1987? Can you say that trojans, because they are non-replicative, don’t use ploymorphism because they don’t copy themselves? (Argh.)

“This involves illegal technology that generates fake information boxes on a compromised computer, asking the user to enter more information than usual. While this is happening, passwords, credit card information and other personal details are transmitted to the malware’s criminal operator to then exploit financially.”

Gee, sounds like phishing.

http://business.scotsman.com/bankinginsurance/ Banks-warned-of-computer-39super.4328710.jp

Let the reader beware of a) vendor press releases, and b) newspapers that uncritically print vendor press releases as news.

Share

Ummm, wait a minute …

A recent survey revealed that 57 percent of Americans fear that their account passwords will be stolen when they bank online, and 38 percent do not trust online payment processing, banks and other ecommerce services. [...] Justifying consumer concerns, 21 percent of the respondents in the survey said they had already had their bank data stolen. 40 percent of consumers who took the survey said they would buy more online if the security was strengthened. Another 44 percent of people said that online credit card processing worried them.

Source: http://www.prweb.com/releases/2008/4/prweb851444.htm

Customer satisfaction with online banking sites has risen significantly over the past five years. [...] The reading of 82 was higher than customers gave banks overall – 78 in 2007 – suggesting they are more pleased with banks’ online operations than with branches and call centers. [...] The survey measured customers’ experiences with three types of financial institutions – banks, credit card companies and investment services firms. Banks got the highest score out of the three financial categories.

Source:
http://news.yahoo.com/s/ap/20080415/ap_on_hi_te/online_banking_survey[...]

Share

Got phished? We’ll take responsibility.

AmitimA referred me to an interesting fact. Bank Hapoalim, the largest bank in Israel, has a warranty notice (Hebrew only) on their web site regarding Internet transactions.

Contrary to my (cynical?) expectations the warranty says as follows (apologies for the rough translation):

“This is to certify,
that bank Hapoalim provides you a warranty on money transfers out of your account, that were done over the Internet, maliciously, by a 3rd party that was not authorized to operate your account and has done so without your knowledge and without your consent, your approval or with you.

The bank hereby declares that it will credit your account in the identical sum of the amounts that were taken out of your account, within 28 days from the day you sign the event form…”

The only obligation is that you notify them within 28 days of the event, and that you give them reasonable help to assist them in investigating. There is no fine print, no disclaimers and no hidden catches as far as I can tell.

I know this is already the informal policy in the Internet-based banking world. It makes sense: Banks want to encourage people to use their Internet banking that is cheap to maintain and support and to do that they swallow online fraud and phishing as the cost of doing business. But this is the first time I’ve seen a bank step forward and declare this unequivocally.

It seems new to me – when I signed up to online banking with Bank Hapoalim a few years ago I signed a waiver that placed all responsibility on me and practically none on the bank.

Are there any other banks out there that have a similar official policy on their web site? I’m not asking about the de-facto policy which is obviously the same as above for most banks. I’m talking about putting a clear and simple notice that they take full responsibility for losses caused by phishing.
Has the online-banking world changed while I wasn’t looking? Go check your bank’s official warranty and post the result in the comments below.

Share

Manual Vishing

This Hebrew post in linmagazine describes what first sounds like a typical Vishing attack. The author’s mother receives a phone call telling her there’s been a terrible accident and she needs to call the hospital for the details. They give her the ER’s number but tell her to use only her land line. The number is *7200526671955. Strange, but not unusual in Israel where dialing *pizza connects you to Dominos and *mortgage to your local sub prime pusher.
So she calls and calls but there’s no answer, and she rings her son to tell him to try and call.

He rings, and gets a voicemail. Getting suspicious he dial his phone company’s information directory and finds they were conned: *720 is the code for call forwarding, and 052-667-1955 is a local cell number. It’s a clever scheme, actually. All the for-pay phone numbers (sex hotlines, etc) are opt-in which means they are blocked by default (to prevent scams like this, among other things).
However, calls to cellular phones are more expensive (in Israel the caller pays the charge and not the receiver) and so it is possible to cut a deal with the cellular company for revenue sharing and open your own ‘recipe tips’ hotline which should bring in many incoming cellular calls and make everybody (especially the mobile operator) happy. If instead of recipes you make people call because their friend’s phone lines are automatically forwarded to your number, well that doubles the fun.

So these guys figured call forwarding to international numbers won’t work, and chose the mobile option. Although it’s a bit risky (you need to be able to collect the money from the cellular operator before the cookie jar slams shut) but sounds lucrative. Now comes the final step in a Vishing scam like this; you need to convince a lot of people to do the call forwarding, and for that you usually use a Voice-over-IP line with a pre-recorded message. But not these guys: the post’s author confirmed to me that his mother spoke to a flesh-and-blood voice who actually answered her questions, had a perfect Hebrew accent (it wasn’t a Nigerian who went to Jewish Sunday school) and told her the number to call twice (and even waited until she grabbed a pen).

Calling manually is risky: people can trace back the call and find out where you were. Hiring telemarketing is typically out of the question (lets just try to imagine the brief to the telemarketing team) and manually calling hundreds of people is really not cost effective.

So why the manual call? The only thing that comes to mind is they were beta testing or watching to see the response from the cellular company or law agencies. Maybe they are even using Israel as a beta site for an international Vishing attack? When the FBI or secret Service (or Israeli Police) catch them, I hope they ask. With a bit of luck they’ll post a hint here in the comments.

Share

Fake blogs and search engines

urls in this post should be considered as unsafe.

fake sites and se poisoning are nothing new. the use of blogs for this is far from new, either. thousands of new fake blogs pop up every day on blogspot, livejournal, etc.

web spam is a subject i have written about in the past, and some of you may be familiar with it regardless of me (no kidding), especially if you run a blog yourself.

a new fake blog which looks like blogspot, but has its own “domain”, recently popped up in a google alert on my name.

i get hits on these fake pages all the time as my name is a key word used by some of these spammers to grab attention to their pages.
this time around they really over-did it.

the page has a blogspot layout, and continues with ads to pornographic sites or malware (is there any difference anymore?)

then the site shows the youtube video which can be found under my name.
following that is a post i made to a mailing list recently (poorly formatted).
then we have a few pictures of girls, linking once more either to pornographic sites or malware drive-by sites (if there is a difference, again).

they finish the page off by adding comments, which are actually some old securiteam posts by me.

heck, it looks fake, but it is obvious the bad guys are investing more in their fake web pages. their auto-creation tools seem to be getting more impressive, and i believe we will see much improved believable sites, soon.

google blog search displays this site as (nasty words replaced with beep):

gadi evron
2 sep 2007
gangbeep facial asian amateurs, bang bus jessica hardcore pictures bang your head, asian virgins.asts. teen cherry action – nice brunette teen beeped hard on the bed and getting a beepy beepshot. beep beeping boy beep teen legs, …
untitled – h ttp://n ewadult.celeberia.com/

url:
h ttp://n ewadult.celeberia.com/sun-shine

again, i am unsure if these urls are safe.

for those of you wondering if these web pages mean anything to the bad guys, the answer is absolutely yes. search engine ranking, indexing, etc. helps them advance their own sites (or their clients’). then of course, there is advertising and google ads.
it works. and the advertising space on unrelated key words is a plus.

the concept is very similar to comment spam. comment spam may not contribute to se ranking anymore due to the nofollow tag attached to links in comments, but these get indexed and that’s all the bad guys care about. nofollow is crap, and what shows up when you search is what matters.

as an example of how these things work, in a recent blog post of mine a buddy left a comment (see here http://sunshine.livejournal.com/8859.html for the example).

he left a url for his legitimate python/math/music/origami blog in his comment, and now when you search for his blog you find my post placed in the 4th place with the title ‘a jew in a german camp’ (about the ccc camp in germany). he is not pleased, but it is obvious how the bad guys abuse this, and infect millions of computers just because their owners surf the net.

gadi evron,
ge@beyondsecurity.com.

Share

ISOI 3 is on, and Washington DC is hot

following up on that strange title, isoi 3 (internet security operations and intelligence), a workshop for do-ers who work on the security of the internet and its users, is happening monday and tuesday in washington, dc.

this time around we have even more government participation (we’re in dc, duh), but a bit less from academia (who can try and look at long term solutions), rather than just us security researchers, and operators (who respond, contain and mitigate incidents).

i am very pleased with our progress on encouraging global cooperation, and getting more industry information sharing going. i am also happy we are moving from “just” good-will based relationships to the physical world with our efforts, being able to take things to the next level with world-wide operational task forces and, indeed, affecting change.

if you are interested in this realm of internet security operations, take a look at isoi 3′s schedule, and perhaps submit something for the next workshop.

some reporters are somewhat annoyed that entrance is barred to them, but i hope they’d understand that although we make things public whenever we can as full disclosure is a strong weapon in the fight against cyber crime, folks can not share as openly when they have to be on their toes all the time.

the third isoi is here because after dhs ended up unable to host it, sponsors emerged who were happy to assist:

afilias ltd.: http://www.afilias.info/
icann: http://www.icann.org/
the internet society: http://www.isoc.org/
shinkuro, inc.: http://www.shinkuro.com/

it’s going to be an interesting next week here at the swamp. atendees better show up with their two forms of id. :)

gadi evron,
ge@beyondsecurity.com.

Share