Botnets

CFP: ISOI III (a DA workshop)

cfp: isoi iii (a da workshop)
=============================

introduction
————

cfp information and current speakers below.

isoi 3 (internet security operations and intelligence) will be held in
washington dc this august the 27th, 28th.

this time around the folks at us-cert (department of homeland security –
dhs) are hosting. sunbelt software is running the after-party dinner.

we only have a partial agenda at this time (see below), but to remind you of what you will see, here are the previous ones:
http://isotf.org/isoi2.html
http://isotf.org/isoi.html

if you haven’t rsvp’d yet, please do so soon. although we have 240 seats, we are running out of space.

a web page for isoi 3 can be found at: http://isotf.org/isoi3.html

details
——-
27th, 28th august, 2007
washington dc –
aed conference center:
http://www.aedconferencecenter.org/main/html/main.html

registration via contact@isotf.org is mandatory, no cost attached to attending. check if you apply for a seat in our web page.

cfp

this is the official cfp for isoi 3. main subjects include: fastflux, fraud, ddos, botnets. other subjects relating to internet security operations are also welcome.

some of our current speakers as you can see below lecture on anything from estonia’s “war” to current web 2.0 threats in-the-wild.

please email contact@isotf.org as soon as possible to submit a proposal. i will gather them and give them to our committee (jeff moss) for review.

current speakers (before committee decision)
——————————————–

roger thompson (exp labs
– google adwords .. .the dangers of dealing with the russian mafia

barry raveendran greene (cisco)
– what you should be asking me as a routing vendor

john lacour (mark monitor)
– vulnerabilities used to hack sites for phishing
– using xss to track phishers

dan hubbard (websense)
– mpack and honeyjax (web 2.0 honeypots)

april lorenzen
– fastflux: operational update

william salusky (aol)
– the spammer evolves – migration to webmail

hillar aarelaid (estonian cert)
– incident response during the recent attack

Sun Shine (beyond security)
– strategic lessons from the estonian “first internet war”

jose nazarijo (arbor)
– botnet statistics from the estonian attack

andrew fried (treasury department)
– phishing and the irs – new methods

danny mcpherson (arbor)
– tba

The attacks on Estonia by Russians (or Russia?)

people have been wondering why i’ve been keeping quiet on this issue, especially since i was right there helping out.

a lot of people had information to share and emotions to get out of the way. also, it was really not my place reply on this – with all the work done by the estonians, my contributions were secondary. mr. alexander harrowell discussed this with me off mailing lists, and our discussions are public on his blog. information from bill woodcock on nanog was also sound.

as to what actually happened over there, more information should become available soon and i will send it here. i keep getting stuck when trying to write the post-mortem and attack/defense analysis as i keep hitting a stone wall i did not expect: strategy. suggestions for the future is also a part of that document, so i will speed it up with a more down-to-earth technical analysis (which is what i promised cert-ee).

in the past i’ve been able to consider information warfare as a part of a larger strategy, utilizing it as a weapon. i was able to think of impact and tools, not to mention (mostly) disconnected attacks and defenses.

i keep seeing strategy for the use in information warfare battles as i write this document on what happened in estonia, and i believe i need more time to explore this against my previous take on the issue, as well as take a look at some classics such as clausewitz, as posh as
it may sound.

thanks,

gadi evron,
ge@beyondsecurity.com.

Botnets are old-fashioned – P2P networks are behind of massive DDoS attacks

The new trend in organizing Distributed Denial of Service attacks are P2P networks.

This is the way how Netcraft describes the situation:

large numbers of client computers running P2P software are tricked into requesting a file from the intended target of the DDoS, allowing the attacker to use the P2P network to overwhelm the target site with traffic.

The Netcraft entry points to FL-based Prolexic Technologies alert too sharing more technical details and information about the number of clients and the traffic being generated.
A very nice catch, Rich Miller of Netcraft!

DDoS against Finnish broadcasting company took 3 days

Today was the third day when the Web site of Finnish broadcasting company YLE (Yleisradio) suffer problems of large-scale DDoS attack.

From the YLE News site:

The company’s web pages were targeted by of a concerted attack on Monday and Tuesday. Two other major web sites, those of the telecommunications service provider Eniro, and the Suomi24 portal also reported similar attack.

There are several possible motives – Finland was the host of Eurovision Song Contest 2007 last weekend and our second place in hockey World Championship during the next day.

Some people said earlier that there was connections to recent DoS attacks on Estonian government sites too.

From broadband routers insecurity to significance of what we do

fergie replied on nanog to my recent post on the subject of broadband routers insecurity:

> i’ll even go a step further, and say that if isps keep punting
> on the whole botnet issue, and continue to think of themselves
> as ‘common carriers’ in some sense — and continue to disengage
> on the issue — then you may eventually forced to address those
> issues at some point in the not-so-distant future.
>
> i understand the financial disincentives, etc., but if the problem
> continues to grow and fester, and consumer (and financial institutions)
> losses grow larger, things may take a really ugly turn.

he is right, but i have a comment i felt it was important – to me – to make. not just on this particular vulnerability, but on the “war”.

i must admit, vulnerabilities are endless and new exploitation vectors will never end, even if it was possible and we were all 100% secure, someone (an attacker rather than a vulnerability) will find a way to make it 99% again for the right investment or with the right moment of brilliance.

enough with cheap philosophy though… as tired (even exhausted) as i am of the endless repeating circle which security is, on all levels (from the people involved through the interests involved all the way to the same-old-fud) i still haven’t burned out, and i am still here.

the world isn’t going to end tomorrow, and even if the internet was to die (which i doubt it will), we will survive. however, in the recent couple of years a new community has been forming which we started refering to as “internet security operations”. these folks, for various motives, work to make the internet stay up and become safer (actually being safe is a long lost battle we should have never fought the way things were built).

with such a community being around, treating issues beyond our little corner of the `net is possible to a level, and at least some progress is made. some anti virus engineers no longer care only about samples, some network engineers no longer care only about their networks, etc.

is any of this a solution? no. the problems themselves will not go away, they aren’t in any significant fashion currently being dealt with beyond the tactical level of a fire brigade.

is it the end than? of course not. but operations vs. research are determined by intelligence. as we have some intelligence, i can point to yet another annoying vulnerability in the endless circle which those of us who will want to, can study, and if they feel it is justified, defend
against. that is the broadband routers issue, which personally i’d really rather avoid.

unfortunately, this limited defense is what most of us can do at our own homes, or tops as a volunteer fire brigade or neighborhood watch.

the internet is the most disconnected global village i can imagine, but we all have the funny uncle on another network and a weird one on yet another. i sometimes feel that the old analogy of the internet to the wild west is not quite it. perhaps we are living in the wild west, only if instead of wastelands and small towns, we have new york city and the laws
of a feudal dark ages kingdom.

things will eventually change, and some of us will stick around to help that change (or try to). for now though, it is about one vulnerability ignored at a time, and working on our communities.

gadi evron,
ge@beyondsecurity.com.

Malware went commerical

In a post by Brian Krebs in the Washington post, Brian describes how Virus (malware) makers have started to spend cash on buying sponsored links of high-profile keywords which get regularly visited by poorly patched people so that they can infect them with malwares.

One such high-profile keyword is the BBB, the Better Business Bureau, which as you would guess it most average joes would go to visit and will look for, while buying something like Slashdot won’t :).

This of course is an interesting move, though not so much unexpected. I can see an “legit-company” coming soon, where a company of such malware distribution will have an R&D – create new malwares and find new vulnerabilities, Marketing – buy high profile keywords, or generally get people interested in your malware infected web site and Sales – sell bot nets and infected/hacked computers for money type of organizations.

A Botted Fortune 500 a Day

support intelligence releases daily reports on different fortune 500
companies which are heavily affected by the botnet problem, with many
compromised machines on their networks.

you can find more information on their blog:
http://blog.support-intelligence.com/

they are good people, and they know botnets.

gadi evron,
ge@beyondsecurity.com.