CFP: ISOI III (a DA workshop)



cfp information and current speakers below.

isoi 3 (internet security operations and intelligence) will be held in
washington dc this august the 27th, 28th.

this time around the folks at us-cert (department of homeland security -
dhs) are hosting. sunbelt software is running the after-party dinner.

we only have a partial agenda at this time (see below), but to remind you of what you will see, here are the previous ones:

if you haven’t rsvp’d yet, please do so soon. although we have 240 seats, we are running out of space.

a web page for isoi 3 can be found at:

27th, 28th august, 2007
washington dc -
aed conference center:

registration via is mandatory; there is no cost attached to attending. check on our web page whether you qualify for a seat.


this is the official cfp for isoi 3. main subjects include: fastflux, fraud, ddos, botnets. other subjects relating to internet security operations are also welcome.

some of our current speakers as you can see below lecture on anything from estonia’s “war” to current web 2.0 threats in-the-wild.

please email as soon as possible to submit a proposal. i will gather them and give them to our committee (jeff moss) for review.

current speakers (before committee decision)

roger thompson (exp labs)
- google adwords... the dangers of dealing with the russian mafia

barry raveendran greene (cisco)
- what you should be asking me as a routing vendor

john lacour (mark monitor)
- vulnerabilities used to hack sites for phishing
- using xss to track phishers

dan hubbard (websense)
- mpack and honeyjax (web 2.0 honeypots)

april lorenzen
- fastflux: operational update

william salusky (aol)
- the spammer evolves – migration to webmail

hillar aarelaid (estonian cert)
- incident response during the recent attack

Sun Shine (beyond security)
- strategic lessons from the estonian “first internet war”

jose nazario (arbor)
- botnet statistics from the estonian attack

andrew fried (treasury department)
- phishing and the irs – new methods

danny mcpherson (arbor)
- tba


Next to come: Nigerian scam ads in the New York Times

Davis Freeberg wrote an excellent piece on penny stock scammers putting advertisements in the top financial magazines. This is embarrassing enough – you’d expect Forbes to do a minimal background check on their advertisers, especially when the advertisement is stock related. But to make matters worse, Business Week and Smart Money ignored Davis’s email, while Investors Business Daily went as far as tagging this as “new and interesting investment opportunities”. Hey guys, I have a bridge to sell. Mind if I run the ad in your newspaper?

Davis also does an interesting analysis on the performance of those stocks, and sums it up well: You Can Get Better Odds In Vegas.

More here:


Oh, did we forget to write “spam” in the subject line?

The Jerusalem Post just sent me an interesting apology today. Here is how I would summarize it:

“We sold the email you gave us to a third party so that they can send you advertisements. Unfortunately they forgot to mark it clearly as spam – no idea how that happened and we’ll ask future spammers to clearly say so when we sell them the list again”.

Of course they are wrapping it with niceties and sincere apologies; I would appreciate a proper explanation of why the email I gave them when I asked to view an article online was later used to send me “alerts” and “updates”, not to mention given to third parties I’m not gonna vote for. BTW, this is not the first time I’ve gotten an advertisement from the JP, but they are usually better disguised as “informationals”.

The Jerusalem Post

Aviram Jenik (an email address reserved only for the Jerusalem Post)

Today 04:37:28 pm


In recent days, registered users of have received a paid email advertisement for Rudy Giuliani.

The bottom of this email advertisement stated that it was “Paid for by the Rudy Giuliani Presidential Committee, Inc.” However, correct practice is to mark such emails as advertising in the “Subject” box as well. Because of an internal error, this practice was not followed. We have taken steps to ensure that it will be in future.

We would like to stress again that the content of this advertisement has no connection to The Jerusalem Post newspaper or its online content, and does not reflect the editorial views of The Jerusalem Post in any way.

Commercial Department

The Jerusalem Post online


RSS Spam

a friend just sent me this link. take a look.

newsgator online. indeed, it’s usually a smart strategy for keeping track of your company, products and identity in the blogosphere.

except when nude japanese nurses sneak into the picture

gadi evron,


Machiavelli and harvesting targeted data for spam

for a long time now i’ve been getting spam email, much like everyone else. for a couple of years now, i’ve also been getting subject lines that at first, although not always, made me look at the spam for a fraction of a second.

these subject lines would mention issues i care about, such as security. the f-up would be the viagra that would sometimes follow in the same subject line.

very recently i spoke on a mailing list about machiavelli. today i got a spam with machiavelli in the subject line (regular spam body, same subject mistake).

spammers are smarter. the smarter they are the more annoying they become, because “they just don’t get it”.

gadi evron,


More Soloway documents online (Search warrant application) (Schmutz affidavit) (Reyes affidavit)

Original post:


The attacks on Estonia by Russians (or Russia?)

people have been wondering why i’ve been keeping quiet on this issue, especially since i was right there helping out.

a lot of people had information to share and emotions to get out of the way. also, it was really not my place to reply on this – with all the work done by the estonians, my contributions were secondary. mr. alexander harrowell discussed this with me off mailing lists, and our discussions are public on his blog. information from bill woodcock on nanog was also sound.

as to what actually happened over there, more information should become available soon and i will send it here. i keep getting stuck when trying to write the post-mortem and attack/defense analysis, as i keep hitting a stone wall i did not expect: strategy. suggestions for the future are also a part of that document, so i will speed it up with a more down-to-earth technical analysis (which is what i promised cert-ee).

in the past i’ve been able to consider information warfare as a part of a larger strategy, utilizing it as a weapon. i was able to think of impact and tools, not to mention (mostly) disconnected attacks and defenses.

i keep seeing strategy for the use in information warfare battles as i write this document on what happened in estonia, and i believe i need more time to explore this against my previous take on the issue, as well as take a look at some classics such as clausewitz, as posh as it may sound.


gadi evron,


Soloway: Another spammer bites the dust

A big victory against spam. From the article:

A notorious spammer once sued by Microsoft was arrested in Seattle this morning, a week after a federal grand jury indicted him under seal for allegedly illegal — and prolific — spamming.

Links from a friend:

Indictment & USDOJ press announcement here:

Early press accounts:

Update post and more documents:


Targeted or not targeted?

many of us have been having discussions and arguments over whether the recent bbb phishing attacks are targeted or not.

thinking on this, i believe the better equivalent, which may solve our terminology disagreements on whether these bbb phishing emails were targeted or not, would be “targeted spam” as a tried concept. we can assume, although in some cases incorrectly, that spam is bulk.

usually, spam goes to “lists” of addresses, harvested. sometimes it is targeted to a certain audience. but there are other types of lists, not just of addresses and interests.

it is possible to buy lists of addresses of people who attended rsa and visited booths, for example. or any other number of trade-shows. it is possible to harvest linkedin, etc.

my take is that this attack is targeted in the sense that it goes to certain individual types only, but is quite mundane and bulk in type.

we need terms for individual/close-to attacks and attacks by targeting an audience, still in bulk.

gadi evron,


A call from the boiler room

Being knee deep in online mischief all day I sometimes forget that most online attacks are simply extensions of offline ones. The Nigerian scam has been performed via fax and (snail) mail for decades now – I even got a 419 scam by postcard a year back, which made me feel very special that someone would waste a stamp on me.

Spam is obviously just an online extension of junk mail, only in a different order of magnitude, and same goes for phishing compared to identity theft. But there is one fraud scheme I’m especially fond of – ‘pump-n-dump’, where you get a spam email about a stock that’s about to go up (“skyrocket”), hoping enough people will buy it and make it go up so that the person who initiated the attack can sell quantities of this penny stock and leave the victims with a worthless piece of paper.

The ‘pump-n-dump’ is an extension of phone-based fraud that was featured in the Sopranos (with Chris’s crew running the scam) and outlined nicely in “Boiler Room”. Wikipedia has a nice description on the scheme and origin of the term.

The reason I’m reminded of this is because I actually got a call from a boiler room, sorry, from a law office with offices on Park Avenue and in London. The call could have been a scripted audition for “Boiler Room 2”, for the part of the junior associate creating warm leads for Ben Affleck’s gang. It included everything up to the immortal “I will only call you if we have something really good” and “we might have something for you in 2 weeks”. Amazingly enough they did have something really good for me, and exactly two weeks later I got a call from the Vin Diesel wannabe following up on the warm lead created by the associate. Unfortunately this time I didn’t have the time to play along, so I don’t know if he would have told me there’s a maximum for new clients and 5,000 shares is as much as he can sell me…

My only complaint now is that my spam filter, which is doing such a good job filtering pump-n-dumps, is unable to handle human conversations and filter boiler room calls. Actually, there’s one more complaint – why is it I always get stuck in the Boiler Room-like movies instead of getting a visit from Halle Berry à la Swordfish?…


Cell-phone Virus Pakistani Scare

From Fergie on funsec:

Date: Fri, 13 Apr 2007 16:14:52 GMT
From: Fergie
Subject: [funsec] Pakistan: Deadly ‘Phone Virus’ Threat Causes Panic


Via ComputerWorld (Reuters).


Mobile service providers in Pakistan have been inundated by calls from
subscribers worried by a prank message that they could die of a deadly
virus being transmitted via their phones.

The rumor was so effective that some mosques in the country’s biggest city,
Karachi, made announcements that people were being killed by a mobile virus
and they should be aware of God’s wrath.

In a prank reminiscent of the plot in the hit Hollywood movie “The Ring” in
which people die within a week after watching a video, the prankster warned
users that a deadly virus transmitted through phones had killed 20 people.




Happy Friday the 13th.

Enjoy. :-)

- ferg


A Botted Fortune 500 a Day

support intelligence releases daily reports on different fortune 500
companies which are heavily affected by the botnet problem, with many
compromised machines on their networks.

you can find more information on their blog:

they are good people, and they know botnets.

gadi evron,


Unusual smail (SPAM mail)

What is special about this email subject:

“An unauthenticated, remote attacker could exploit it to gain root on your Solaris system.”

Well, at first glance, nothing; it looks legit. But believe it or not, this was used as the subject of a SPAM I received (for meds, of course).

What baffles me more is the fact that this line does not appear to be written anywhere on the Internet (2 hits in Google), where did they get this text from?


On-going Internet Emergency and Domain Names

there is a current on-going internet emergency: a critical 0day vulnerability currently exploited in the wild threatens numerous desktop systems which are being compromised and turned into bots, and the domain names hosting it are a significant part of the reason why this attack has not yet been mitigated.

this incident is currently being handled by several operational groups.

this past february, i sent an email to the reg-ops (registrar operations) mailing list. the email, which is quoted below, states how dns abuse (not the dns infrastructure) is the biggest unmitigated current vulnerability in day-to-day internet security operations, not to mention abuse.

while we argue about this or that tld, there are operational issues of the highest importance that are not being addressed.

the following is my original email message, elaborating on these above statements. please note this was indeed just an email message, sent among friends.

date: fri, 16 feb 2007 02:32:46 -0600 (cst)
from: gadi evron
to: reg-ops@…
subject: [reg-ops] internet security and domain names

hi all, this is a tiny bit long. please have patience, this is important.

on this list (which we maintain as low-traffic) you guys (the
registrars) have shown a lot of care and have become, on our sister mitigation and research lists (those of you who are subscribed), an integral part of our community we now call “the internet security operations community”.

we face problems today though, that you can not help us solve under the current setting. but only you can help us come up with new ideas.

day-to-day, we are able to report hundreds and thousands of completely bogus phishing and other bad domains, but both policy-wise and resources-wise, registrars can’t handle this. i don’t blame you.

in emergencies, we can only mitigate threats if one of you or yours are in control.. just a week ago we faced the problem of the dolphins stadium being hacked and malicious code being put on it:

1. we tracked down all the ip addresses involved and mitigated them (by we i mean also people other than me. many were involved).
2. we helped the dolphins stadium it staff take care of the malicious code on their web page (specifically gary warner).
3. we coordinated with law enforcement.
4. we coordinated that no one does a press release which will hurt law enforcement.
5. we did a lot more. including actually convincing a chinese registrar to pull one of the domains in question. a miracle. there was another domain to be mitigated, unsuccessfully.

one thing though – at a second’s notice, this could all be for nothing as the dns records could be updated with new ip addresses. there were hundreds of other sites also infected.

even if we could find the name server admin, some of these domains have as many as 40 nss. that doesn’t make life easy. then, these could change, too.

this is the weakest link online today in internet security, which we in most cases can’t mitigate, and the only mitigation route is the domain name.

every day we see two types of fast-flux attacks:
1. those that keep changing a records by using a very low ttl.
2. those that keep changing ns records, pretty much the same.

now, if we have a domain which can be mitigated to solve such
emergencies and one of you happen to run it, that’s great…
however, if we end up with a domain not under the care of you and yours.. we are simply.. fucked. sorry for the language.

icann has a lot of policy issues as well, and the good guys there can’t help. icann has enough trouble taking care of all those who want money for .com, .net or .xxx.

all that being said, the current situation can not go on. we can no longer ignore it nor are current measures sufficient. it is imperative that we find some solutions, as limited as they may be.

we need to be able to get rid of domain names, at the very least during real emergencies. i am aware how it isn’t always easy to distinguish what is good and what is bad. still, we need to find a way.

members of reg-ops:
what do you think can be conceivably done? how can we make a difference which is really needed on today’s internet?

please participate and let me know what you think, we simply can no longer wait for some magical change to happen.


thousands of malicious domain names and several weeks later, we face the current crisis. the 0day vulnerability is exploited in the wild, and mitigating the ip addresses is not enough. we need to be able to “get rid” of malicious domain names. we need to be able to mitigate attacks on the weakest link – dns, which are not necessarily solved by dns-sec or anycast.

on reg-ops and other operational groups, we came up with some imperfect ideas on what we can make happen on our own in short term which will help us reach better mitigation, as security does not seem to be on the agenda of those running dns:

1. a system by which registrars can acknowledge confirmed bad domains (under strict guidelines) and respond to the reports according to their aup and icann policy, thus “getting rid” of them in a much quicker fashion, is being set up at the isotf.
a black list for registrars, if you will. this is far from perfect and currently slow-going. naturally, this can not be forced on all registrars, nor do the black hat ones, care.

2. a black list for resolvers (hopefully large service providers) is also being created at the isotf, so that the risk of visibility of bad domains, as will be defined, can be minimized. naturally, no provider can be forced to use this list and there are millions of unaffiliated resolvers, etc.
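The two fast-flux patterns named in the quoted email (A records rotated under a very low TTL, and NS records rotated the same way) are what a resolver block list as described in item #2 would be fed from. The following is an added example, not code from the original post or from the isotf: it triages a passive-DNS style record log for both patterns and emits a sorted block list. The log format, the thresholds (TTL at or below 300 seconds plus at least five distinct A or NS values), and every domain name and address in the sample are constructed for illustration. The check deliberately requires both a low TTL and rdata churn, because a low TTL alone also describes legitimate CDN or load-balanced records.

```python
"""Fast-flux triage over a passive-DNS style log, plus a resolver block list.

Added example, not code from the original post or the isotf. The log
format, thresholds and every name/address below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed input: one observed resource record per line,
#   <epoch> <qname> <rrtype> <ttl> <rdata>
SAMPLE_LOG = """\
# badstuff.example: low TTL and a new A record every two minutes (A-flux)
1171600000 badstuff.example A 120 203.0.113.10
1171600120 badstuff.example A 120 203.0.113.55
1171600240 badstuff.example A 120 198.51.100.7
1171600360 badstuff.example A 120 198.51.100.90
1171600480 badstuff.example A 120 192.0.2.33
1171600600 badstuff.example A 120 192.0.2.201
# nsflux.example: low TTL and a different NS every three minutes (NS-flux)
1171600000 nsflux.example NS 180 ns1.host-a.example
1171600180 nsflux.example NS 180 ns7.host-b.example
1171600360 nsflux.example NS 180 ns3.host-c.example
1171600540 nsflux.example NS 180 ns9.host-d.example
1171600720 nsflux.example NS 180 ns2.host-e.example
# cdn.example: low TTL but only two addresses, must NOT be flagged
1171600000 cdn.example A 60 203.0.113.100
1171600060 cdn.example A 60 203.0.113.101
1171600120 cdn.example A 60 203.0.113.100
# static.example: ordinary long-lived record
1171600000 static.example A 86400 198.51.100.1
"""


@dataclass(frozen=True)
class Record:
    ts: int
    name: str
    rrtype: str
    ttl: int
    rdata: str


def parse_log(text):
    """Parse the constructed log format; blank lines and '#' comments are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, name, rrtype, ttl, rdata = line.split()
        records.append(Record(int(ts), name.lower().rstrip("."),
                              rrtype.upper(), int(ttl), rdata.lower()))
    return records


def score_domains(records, ttl_max=300, a_min=5, ns_min=5):
    """Return {domain: [reasons]} for domains showing A-flux or NS-flux.

    A domain is flagged only when the record set has BOTH a short TTL
    (<= ttl_max) AND enough distinct rdata values; a short TTL by itself
    is normal for CDNs and load balancers.
    """
    by_key = defaultdict(lambda: {"ttls": [], "rdata": set()})
    for r in records:
        if r.rrtype not in ("A", "NS"):
            continue
        entry = by_key[(r.name, r.rrtype)]
        entry["ttls"].append(r.ttl)
        entry["rdata"].add(r.rdata)

    flagged = defaultdict(list)
    for (name, rrtype), entry in sorted(by_key.items()):
        min_ttl = min(entry["ttls"])
        distinct = len(entry["rdata"])
        if min_ttl > ttl_max:
            continue
        if rrtype == "A" and distinct >= a_min:
            flagged[name].append(
                f"a-flux: {distinct} distinct A records, min ttl {min_ttl}s")
        if rrtype == "NS" and distinct >= ns_min:
            flagged[name].append(
                f"ns-flux: {distinct} distinct NS records, min ttl {min_ttl}s")
    return dict(flagged)


def build_blocklist(flagged):
    """Sorted domain list, the shape a resolver block list would consume."""
    return sorted(flagged)


if __name__ == "__main__":
    found = score_domains(parse_log(SAMPLE_LOG))
    for name, reasons in found.items():
        print(name, "->", "; ".join(reasons))
    print("blocklist:", build_blocklist(found))
```

Run against the constructed sample, only badstuff.example and nsflux.example end up on the list; cdn.example is left alone despite its 60-second TTL. Any real deployment would add a review step before a domain goes onto a list that resolvers act on, which is the same point the post makes about guidelines and false positives.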

other options that have been raised as technically possible, but considered unlikely and indeed, bad:

3. setting up a black list of domain names for tld servers, for them not to respond on.

4. creating an alternate root which we could trust.

another suggestion which was raised:

5. apply to change the icann policy.

we need a solution. this operational issue needs to be added as a main agenda item today so that tomorrow we will be ready to mitigate it. i blame myself to some degree for not raising this with higher echelons 2 and 3 years ago due to respect to those who have been working on dns for many years, but what’s done is done.

the operational communities do not always know how to voice their needs or the difficulties they face. nor will everyone agree on what the issues are. it is my strong belief (which is obviously my personal opinion), based on facts we see in daily security operations on the internet that this issue is paramount, and i am sending here a call for help to the dns experts of the world: what is our next step to be?

what do we currently intend to do (not my personal opinion):
we are formalizing a letter to icann’s ssac, as they are the top experts on dns infrastructure security issues, coming from operational folks at the isotf dealing with daily usage of the dns for abuse purposes (and specifically fastflux).

further, the isotf is moving forward with items #1 and #2 as mentioned above. #3 will have to remain as a contingency, #4 we have no influence to affect. #5 is currently being explored.

are we missing a possible solution? what does the larger community suggest?

gadi evron,


e360 Sues Yet Again

if you remember, e360 filed against spamhaus. now they filed against the nanas usenet newsgroup maintainer.

this is what happens when you open the door. (thanks to john l).

gadi evron,


Operation spamalot

The SEC is doing the right thing by fighting stock spam. The best way to fight the ‘pump and dump’ schemes is through the body that is responsible for controlling stock trading.

However, this is a slippery slope – is it the company’s fault that someone is running a scam on their stock? Quite the contrary – the company’s stock usually takes a dive, and unless the company’s owners are in on the scheme they have the most to lose from this fraud. Some would say the SEC is doing a favor to those companies by suspending trade, but remember how anonymous email is and how easy it is to spam millions of people – if I run a fake pump-and-dump on MSFT or GOOG (in order for it to work I would need a less high-profile stock, but you get the point) should that result in a trading suspension?