November 30th, 2004 by dm Spam, Vulnerabilities none Comments

Scary. USA Today reports that vulnerability exploits are so targeted and numerous that it takes 4 (FOUR) minutes for a clean, unpatched Windows XP machine connected to the Internet to become a zombie and a “virtual soldier” in a botnet.


While most break-in tries fail, an unprotected PC can get hijacked
within minutes of accessing the Internet. Once hijacked, it is likely
to get grouped with other compromised PCs to dispense spam, conduct
denial-of-service attacks or carry out identity-theft scams.


While it is not surprising that an unprotected and unpatched Windows XP PC left connected to the Internet will quickly become “hijacked,” the speed and intensity of the probes show that the rate of probing is increasing at an alarming pace. A graph by the Internet Storm Center showing the “survival time history” indicates that while last November the average survival time was 60 minutes, this October it has fallen to 10 minutes.

The moral of the story: don’t connect unpatched and unsecured machines to the Internet. Period. This leads to a catch-22: when you receive your new PC and need to download and install Service Pack 2, the temptation is great to connect the PC to the network and start the Internet install. Don’t do it, or your new PC will become a zombie spam warrior in a large botnet.

November 23rd, 2004 by dm Forensics none Comments

One of the most useful techniques for criminal investigations involving shootings is to compare the gun “fingerprint.” Each gun apparently leaves a unique pattern on the bullet, so it is easy to verify whether a bullet came from a particular gun.

With the increasing use of high-quality printers in counterfeiting and other types of fraud, Xerox and other printer manufacturers have built a similar “fingerprint” technology into some of their printers. According to the story, the printers print faint information in very small yellow dots in the background of printed pages to identify the model and serial number of the printer that printed the page. Of course, it is invisible to the naked eye, but it is there (haven’t tested it personally yet, though).

Ed Felten at Freedom to Tinker has some questions (with no answers yet) about this scheme:

  • Is encryption used, and if so, how?
  • Is there a secret key? If yes - who knows it?
  • Do they track who buys each printer?

It is clear that privacy advocates are and should be asking these questions. Also, depending on the encryption and the key used, how easy is it to spoof this identification string? Depending on the strength of the encryption, this scheme could be quickly beaten and become obsolete; there is not really a point in tracking a number that can easily be spoofed.

November 18th, 2004 by dm Law & Policy, Spam none Comments

Verisign recently released the new volume of their Internet Security Intelligence Briefing. The paper focuses on two major areas of cyber security - vulnerability trends and spam.

Vulnerabilities’ Trends

Verisign reports that in Q3 2004 there was a 150% growth in the number of security events per device per day over Q3 2003. The US leads the list with 90% of the security events generated in the period July-September 2004. Another of Verisign’s assertions is that although the sophistication of the attacks is increasing, the exploits are becoming easier to create.

Attackers have apparently been brushing up on their programming skills as well. Exploit code has become increasingly sophisticated lately. Sample exploits, those that can be quickly found online, used to be of very poor quality, requiring a skilled programmer to painstakingly edit the code in order to produce a working exploit. In contrast, sample exploit code this past quarter has been surprisingly simple to make work. This refined skill on the part of the experts is in turn enabling junior hackers, A.K.A. “script kiddies,” to wreak havoc much more quickly.

Finally, it is important to recognize that attackers are attacking an increasing number of platforms - PDAs, cell phones, routers, even… well, maybe not yet, your refrigerator.

Spam

Although federal legislation, the CAN-SPAM Act, went into effect on January 1, 2004, it hasn’t had much effect, according to Verisign’s report. Spam solicitations are becoming increasingly aggressive, and spammers use increasingly novel methods to collect email addresses. There are some interesting statistics, such as the fact that spam, although accounting for 80% of email messages, accounts for only 21% of the bandwidth consumed. These numbers seem to debunk two of the main myths about spam, namely that storage and bandwidth are its largest costs, and suggest instead that managing the increased number of messages, filtering, and detection are among the main costs of spam and of the fight against it.

November 16th, 2004 by dm Law & Policy none Comments

With their efforts to sue the world of p2p file sharers slowing down, the entertainment industry is pushing their agenda in a different direction - to make it a crime punishable by jail time to share music or movies online. Currently this, if proven, is a copyright violation where the legal owner can seek damages. The problem with the current system is that there are literally millions of people downloading music and movies online, and filing an individual lawsuit against each one is very time-consuming and expensive, although very possible as we all know.


The entertainment industry is pushing Congress to approve a bill that could send thousands of Internet music and movie downloaders to jail, but the legislation faces opposition from groups that say it would unfairly punish consumers.

The first bill would allow prosecutors to seek jail terms of up to five
years for people who make 1,000 or more songs available for download on
peer-to-peer networks such as Kazaa and eDonkey. The PIRATE Act would
allow the Justice Department to seek civil damages against illegal file
sharers. Under current law, the Justice Department only can prosecute
criminal copyright violations.

Washington Post, 11/16/2004


The new strategy is simple - let the government chase the downloaders. If the proposed bill passes, it would be the government’s job to detect, chase, investigate, and prosecute people who download music illegally. The entertainment industry will sit on the sideline, watch the show, and upon a criminal conviction jump in and start a little civil suit to collect damages.

Another “benefit” of the proposed bill would be that it eliminates the “willfulness” element - in other words, even if you don’t know that you are sharing these 1,000 songs, you are going to jail.

Naturally, civil libertarians and public interest organizations are jumping against the bill. I join them.

November 15th, 2004 by dm Vulnerabilities none Comments

SecurityFocus writes about an emerging application exploit - the “time-bomb.” Basically, it is based on a code injection attack in which the injected code, instead of executing upon injection, remains dormant, usually in data form, and executes upon user interaction or some other trigger. A paper by the UK-based Next Generation Security Software Ltd. goes into more detail.

What makes this type of exploit more difficult to deal with and protect against is its time-delayed nature. With normal cross-site scripting vulnerabilities, which execute code upon injection, there is no delay between injection and data or system compromise. This allows system administrators to quickly restore from a recent backup and to investigate while the information is fresh. A time-delayed attack is likely to be much harder to recover from and would be very hard to investigate.

The paper argues that this type of attack would mostly use a data store, e.g. SQL storage, but it is also possible to inject code into another data store, a file, or even a log file and have it execute at a later time. The paper (linked above) also lists a few ways to handle HTTP requests that may contain such malicious code.
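The delayed trigger described above can be shown with SQL storage. The following is an added example, not code from the paper or from SecurityFocus: the table names, function names and the stored value are all constructed for illustration. A value is stored safely at injection time, then changes a query only when a later code path trusts it; the hardened function binds the stored value as data at the point of use.

```python
import sqlite3

# Constructed sample: harmless as stored data, but it changes the meaning of
# any SQL statement it is later concatenated into.
STORED_NAME = "guest' OR '1'='1"

def make_db():
    """Build an in-memory database holding the dormant value."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    db.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, owner TEXT, item TEXT)")
    # Injection time: a parameterized insert, so nothing executes here and
    # input-time checks on the HTTP request see no failure.
    db.executemany("INSERT INTO users (name) VALUES (?)",
                   [("alice",), (STORED_NAME,)])
    db.executemany("INSERT INTO orders (owner, item) VALUES (?, ?)",
                   [("alice", "laptop"), ("alice", "phone"), ("bob", "desk")])
    return db

def stored_name(db, user_id):
    row = db.execute("SELECT name FROM users WHERE id = ?", (user_id,)).fetchone()
    return row[0]

def orders_vulnerable(db, user_id):
    # Trigger time: the value read back from storage is treated as trusted
    # and concatenated into a new statement.
    name = stored_name(db, user_id)
    sql = "SELECT item FROM orders WHERE owner = '" + name + "'"
    return db.execute(sql).fetchall()

def orders_hardened(db, user_id):
    # Same lookup, but the stored value is bound as a parameter, so it can
    # only ever be compared as a string.
    name = stored_name(db, user_id)
    return db.execute("SELECT item FROM orders WHERE owner = ?", (name,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", orders_vulnerable(db, 2))  # every order row is returned
    print("hardened:  ", orders_hardened(db, 2))    # no rows match the literal name
```

Because the write path is clean, reviewing only the code that accepts input will not find this; every place that reads stored data back into a query, page or command needs the same treatment.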

November 12th, 2004 by dm Phishing none Comments

A phishing mob suspect has been arrested in Massachusetts and ordered held on $100,000 bond for being part of a phishing scam operation. The suspect, originally from Russia,

November 11th, 2004 by dm Identity Theft, Law & Policy none Comments

The FBI has recognized that computer crime is no longer something teenage geeks and CIS students do for fun and to brag about. FBI Deputy Assistant Director Steve Martinez is recognizing that increasingly sophisticated and organized groups are the sources of identity theft, hacking, Internet sabotage, and extortion schemes. [Reuters]

One of the major concerns of this administration is to protect against terrorism. According to Deputy Martinez, terrorists can use identity theft, hacking, and other methods to finance, spread, and coordinate their operations. It is clear that more emphasis should be put on protecting the networks, the financial institutions, and even the individual users against possible attacks. My question is, if it is such a big priority for the administration, why is the cyber czar position in the Department of Homeland Security four levels deep into the organization? More on the recent resignation of the nation’s top cyber-security official here.

November 10th, 2004 by dm Cybersquatting none Comments

A recent change by ICANN to the domain transfer rules is to take effect on Friday, November 12th. The new rules provide that domain name transfers will be automatically approved in five days unless they are explicitly denied by the account holder, as opposed to the current procedures, where no response meant denial of the transfer.


“Failure by the Registrar of Record to respond within five (5) calendar days to a notification from the Registry regarding a transfer request will result in a default ‘approval’ of the transfer,” the new rules state. “In the event that a Transfer Contact listed in the Whois has not confirmed their request to transfer with the Registrar of Record and the Registrar of Record has not explicitly denied the transfer request, the default action will be that the Registrar of Record must allow the transfer to proceed.”


Because many domain owners keep inaccurate or outdated information in their WHOIS records, it is possible that a transfer request would come in, be sent to a non-existent or unchecked address, and after 5 days of inactivity be approved. I personally received a message from my registrar warning me that they would automatically approve the domain transfer request within 5 days if I don’t respond or if I don’t lock my domains against transfer.

Many other domain name registrars are scrambling to notify their users or put in place policies that would limit the possibility of a domain hijack. Some registrars, such as Network Solutions, are automatically locking domains on behalf of their users. In the meantime, ICANN, in anticipation of an increased number of domain name disputes, has announced appointments to manage its domain name dispute policy.

Practical note: to check whether your domain is locked, use a WHOIS lookup tool (WHOIS.sc, ZoneEdit) and run a check on your domain name.
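The same check can be scripted against the raw WHOIS reply. This is an added example, not part of the original post: the status names come from the registry protocols (legacy RRP and EPP) rather than from the post, the function names are hypothetical, and the WHOIS replies are constructed samples for placeholder domains.

```python
import re

# Status values that block a registrar-to-registrar transfer. Assumption: these
# are the legacy RRP names and the EPP names; the post itself does not list them.
LOCK_STATUSES = {
    "registrar-lock", "registry-lock",
    "clienttransferprohibited", "servertransferprohibited",
}

# Matches "Status: X" and "Domain Status: X <url>", ignoring case and indentation.
STATUS_LINE = re.compile(r"^\s*(?:domain\s+)?status\s*:\s*(\S+)", re.IGNORECASE)

def transfer_locks(whois_text):
    """Return the sorted transfer-blocking statuses found in raw WHOIS output."""
    found = set()
    for line in whois_text.splitlines():
        match = STATUS_LINE.match(line)
        if match and match.group(1).lower() in LOCK_STATUSES:
            found.add(match.group(1).lower())
    return sorted(found)

def is_transfer_locked(whois_text):
    """True when at least one transfer-blocking status is present."""
    return bool(transfer_locks(whois_text))

# Constructed WHOIS replies (not real records).
LOCKED_SAMPLE = """\
Domain Name: EXAMPLE.COM
Registrar: EXAMPLE REGISTRAR, INC.
Status: REGISTRAR-LOCK
Updated Date: 01-nov-2004
"""
UNLOCKED_SAMPLE = """\
Domain Name: EXAMPLE.NET
Registrar: EXAMPLE REGISTRAR, INC.
Status: ACTIVE
"""
EPP_SAMPLE = """\
Domain Name: example.org
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
"""

if __name__ == "__main__":
    for label, text in [("locked", LOCKED_SAMPLE), ("unlocked", UNLOCKED_SAMPLE),
                        ("epp", EPP_SAMPLE)]:
        print(label, is_transfer_locked(text), transfer_locks(text))
```

A reply with no status line at all is reported as unlocked, so an empty or rate-limited WHOIS answer should be checked by hand before relying on the result.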

November 9th, 2004 by dm Law & Policy none Comments

This site, written in a blog format, focuses on the
increasingly important issues of detecting, preventing, and dealing with
cybercrime.

The broadband Internet and its wide adoption have made it
extremely easy for criminals to commit fraud on increasingly large scales,
disrupt legitimate systems, or merely annoy users. A large number of broadband
“zombie” PCs are used by increasingly coordinated and sophisticated
hackers as “armies” to wage cyber attacks against governments,
businesses, and organizations.

At the same time, old, insecure, or flawed software exposes
personal and confidential information on the open Internet for everyone to see
and use. Insufficient network standards allow spammers to generate enormous
amounts of traffic, annoyance, and costs to businesses.