Posts from January 2009.

Do you hear the servers screaming, Clarice?

F-Secure, which is doing great work on surveying the breadth of Downadup, recently asked “Is it time for Internetpol?” when people started asking why they didn’t take advantage of their sinkholes for Downadup and attempt to disinfect the zombies.

Still — it seems that people want a champion that can make big command decisions. Perhaps it would be a good time to bring up the idea of Internetpol again? Mikko briefly mentioned it on December 12th, it was the topic of his AVAR 2008 keynote. The idea was also mentioned in our third quarter security summary.

Do you want an organization with international legal authority to act against Internet threats?

Speaking strictly as a security researcher who, whenever I feel a bit masochistic, attempts to play whack-a-mole with various “bad sites” on the Internet: “Yes!” I don’t think anyone would object to an internationally recognized group with the authority to shut down “bad” sites.

However, the primary issue is what constitutes a “bad” site? With the authority to declare a site “bad” shifted over to an international entity, what standards will they use to judge sites? Sure, I think everyone will agree that sites which distribute malware are bad, but what about sites engaging in dissident political speech? I’m sure China thinks that any site blocked by the “Great Firewall” is “bad.” How will an InternetPol handle this? I would see conversations playing out like a scene from Silence of the Lambs:

Clarice: That’s only a part of the island. There’s a very, very nice beach. Terns nest there. There’s beautiful…
Hannibal: [cuts her off] Terns? Mmh. If I help you, Clarice, it will be “turns” with us too. Quid pro quo. I tell you things, you tell me things. Not about this case, though. About yourself. Quid pro quo. Yes or no?
[pause]
Hannibal: Yes or no, Clarice? Poor little Catherine is waiting.

China is a large haven for malware. Does “InternetPol” say “we won’t disconnect the sites you’ve requested” to China? If so, what would China do when InternetPol comes knocking and asks them to assist in an investigation from another member country? Quid Pro Quo would expect them to show InternetPol the door. The only way to get every country to play ball is to adjust the standards so that every country will be enforcing every other country’s laws. China doesn’t like Falun Gong sites? Gone. US doesn’t like gambling sites? Gone. Australia doesn’t like naughty web sites? Gone. It’s less of a “slippery slope” and more like a near vertical drop.

This is also coupled with numerous other issues of local Law Enforcement Organizations (LEO). If Russia doesn’t feel like enforcing their laws against a certain group *cough* RBN *cough* then the best an InternetPol organization can hope for is to lean on their upstream providers and hope they cave. Thankfully, this seems to be working even with private organizations, but criminals are crafty: what happens when we see criminal organizations start setting up their own NSPs (With Blackjack! And Hookers!)? How about when the local LEO is compromised itself through bribes or worse?

These are major issues that need to be addressed on a global scale. Sadly, if only one country decides to take its ball and go home, we’re going to see every e-Crime enterprise beat a path to that country’s door the next day. If numerous countries refuse to play ball, InternetPol will be the electronic form of the United Nations: a great idea whose main weapon is a strongly worded letter.

Point, Counterpoint

The InfoSec community was murmuring lately over an interview with Matt Knox, who wrote spyware in a previous life. I did feel that the interview, although done fairly well, was a bit soft, and “DirectRevenue” did cause long-dormant synapses in my brain to start to wake up and scream in horror, but I dismissed them and didn’t look into it any further.

Thankfully, Chris Boyd aka “Paperghost” did. Boy, did he ever.

The interview painted a “Hey, they did things that were of questionable morality, but they weren’t that bad!” picture and Knox did have an “Aw, shucks… Sorry!” demeanor to him. Which, as Chris points out, is kind of expected, since the interviewer is a friend. However, the State of New York documents paint a very different picture of the entire operation, and comments like:

Matt is a wonderful teacher, a great coder and a good friend. It was pretty awesome that he did this interview and gave us the inside scoop on how a noted adware company operated, both technically and from a business perspective… Nowadays he uses his skills to educate and create software for doctors.

seem to try to whitewash the seriousness of the situation he had a hand in creating. I’ll give Knox credit for doing an interview, but I won’t give him a pass for coding such nastiness for a very, very long time. Everyone can make mistakes, but the questionable ethics that get them into such mistakes deserve to be scrutinized. As much as I would like to believe he has turned over a new leaf (and by the accounts I’ve seen he has) there is this little nagging voice that says “Software for Doctors? He better not be touching patient records.”

I would enjoy a follow-up interview with Knox to address the question raised by Chris. I hope one is forthcoming.

I’m speaking at SOURCE Boston 2009

SOURCE Boston officially let the cat out of the bag yesterday by posting their schedule, so I can now say what I’ve known since about mid-December: I’m doing a talk on the SOURCE business track entitled Massachusetts Data Breach Laws, Regulations, and Responsibilities.

I’m excited to be a part of SOURCE. I attended last year and it was an excellent conference. A great mix of security geeks and business types, and everything just seemed to click. Not as “free-for-all-ish” as DEFCON or HOPE, not as stuffy as a business conference. This year, it’s shaping up to be even better: they moved the conference to a better location, and the schedule is even more impressive than last year. If you’re a security geek, you should definitely look into attending. It is worth every penny.

Of course there is an off chance that someone might make a grand entrance a touch early. I think everyone is hoping that doesn’t happen.

Now active on 33cm

Ever since I started in Ham Radio, my band of choice has been 2M. I started on that band in 1995 when I first started operating and I continue to use it every day when I am in the car commuting back and forth from the commuter rail station. When I was living in the Boston area, I didn’t have a radio capable of operating on 70cm, so 2M was the band of choice. When I finally got a radio that could operate on 70cm, it was after PAVE PAWS severely limited the repeaters in the southeastern Massachusetts area, so the usefulness was rather limited.

Since I got back in the hobby, I had heard murmurs of Hams repurposing commercial equipment for operation in various bands. I never really looked into it as I figured that it involved mucking about in circuits and soldering, two skills I am not good at and didn’t want to try to learn on a semi-expensive radio. When I volunteered at the AMSAT table in Boxboro, Steve Meuse, N1JFU, while showing me a Motorola MaxTrac radio he recently picked up at the flea market, explained to me that not all radios needed hardware modifications and that there were plenty of radios that were ready to go and just needed to be modified in the software. He pointed me to the GEMOTO and NEAR-900 groups, which I subscribed to soon after and lurked.

The nearest repeater to my location was Fall River. A bit of a chip shot, but far enough that I didn’t want to risk buying a radio in case I couldn’t talk on it. I live in a bit of a low-lying area, so it’s often difficult to hit repeaters even if they are close by. However, come December, SCMARG installed a repeater in Dartmouth, the next town over from me. I was sure I could talk on it, so I started looking for a cheap radio I could buy.

The NEAR-900 folks were very helpful in suggesting radios for me. Also, after the repeater went live, Jeff, N1ZZN, made another helpful post on the SCMARG list. I started stalking eBay for a cheap used radio. By some small miracle I was able to get $75 from @Beaker by sending him a picture of a bunny with a pancake on his head. (Long story.) Within a week I found a great deal on a used MTX9000 B3 and charger for $70. Santa arrived early and it showed up on my doorstep just before Christmas. I needed it programmed, and again NEAR-900 came to the rescue. John, N1OTY, responded to my plea of “Help! I need it programmed” with an offer of assistance. Sunday I headed over to his house and he graciously programmed my radio. He answered all my questions and made sure everything worked.

I have had the radio for a few weeks now and I must say it’s a great band. While Dartmouth is the only repeater that works from my house and I’ve only heard a handful of SCMARG people on the system, in Boston the Waltham repeater, which is tied into a few other 900MHz repeaters, works great and is fairly active. I can talk on the repeater throughout the downtown area and I monitor it from my desk at work during the day. During the GEMOTO “900 Days”, which are Thursdays on which we try to make the band as active as possible, the Waltham repeater almost always has a conversation on it. The people I’ve talked to and listened to are very friendly and fairly technical, unlike a lot of the small-talk-esque conversations you find on 2M.

There are a few things to get used to: most of the 900MHz repeaters do not have a “squelch tail”, which is a common “feature” of Ham Radio repeaters to let you know it has heard you. This was very confusing to me at first as I wasn’t sure I was making it to the repeater. Also, my radio, despite lacking a display, has a scan feature. When scanning, if a signal is heard, I have to manually tune the radio to the channel I want to operate on. This can be confusing if the transmission is short. A lot of people solve this by announcing the repeater they are using. Finally, since my radio is a bit older, it uses NiCd batteries rather than the newer NiMH type. This means that I have to drain the battery before I charge it, which is something that I haven’t had to think about in years.

So far I am pleased; it’s fun to try out a new band, and there is a feeling of being on something a bit “experimental” as it’s still fairly limited. Coverage is great, and the Motorola radios are very solid, albeit a touch heavy. If you are a Ham in the southern New England area, I highly recommend you give it a try. If you are outside of the area and are looking for a band relatively free of interference and users, I suggest you give 33cm a look.

Twitter Phish: Non-Event or end of the “Good Ol’ Days”?

Like many other Twitter users this weekend, I got the following DM from someone I followed:

Hey, i found a website with your pic on it… LOL check it out here <link>

As soon as it arrived, my spidey sense went off:

  • Unsolicited? Check.
  • Vague message? Yup.
  • Wants me to click on a link? Indeed.

This instantaneously causes me to think “Bad link! Do not click!” and I quickly tweeted my concerns. Thankfully many people did the same, which probably saved more than a few people from clicking the link. It did garner a fair bit of attention since this was the first-ever phish that came via DMs on Twitter, and some people are seeing strange activity on certain accounts, but for the most part it has faded back into the noise of a usual Monday morning on Twitter.

This was bad, and I feel it was the opening salvo in a major change in the way spammers operate on Twitter, but I think the worst may be yet to come. For those of you not on Twitter, the way spammers have been operating is by setting up an account, following a lot of people, then waiting for the unsuspecting users to follow back. Once they feel that enough people have started following them, they start spamming their links. Now, with the phishing attempts, they can cut out the middle man and start spamming your follower lists with their links. Ruh Roh Shaggy…

Now, let’s ratchet this up to the next level. Imagine if the phishing page had some kind of exploit embedded into it? Let’s say @britneyspears posts “Hey guys, check out my new track at (link)!” Thousands of devoted Britney Spears fans clamor to hear their idol’s screeches talents and are directed to a page telling them to log in with their Twitter ID. That page exploits their browser and assigns them to a botnet. The few who think Twitter is trustworthy fork over their credentials, at which point a PHP script logs into their Twitter account and DMs all their friends the same link with a random headline.

Lather.
Rinse.
Repeat.

Congratulations! We now have the first Twitter worm! With Twitter’s somewhat notorious instability under high load, at what point would we see a Twitter DoS?

This Twitter phish was bad. However, I think the community dodged a bullet and we may not be so lucky next time. Many people think Twitter is a safe sandbox on the Internet and not the same as their e-mail or IM. The million dollar question is how can we teach people that Twitter can be a nasty place before “the big one” hits?
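As an added example that is not part of the original post, here is a small detector for the propagation pattern described above: one account sending the same link-bearing DM to many followers in a short window, and a recipient of that DM then repeating it (the worm hop). The log format, account names and URLs are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample DM log (not real Twitter data): "ISO-time sender->recipient: text"
SAMPLE_LOG = """\
2009-01-05T09:00:00 mallory->alice: Hey, i found a website with your pic on it... LOL check it out here http://example.invalid/p
2009-01-05T09:00:20 mallory->bob: Hey, i found a website with your pic on it... LOL check it out here http://example.invalid/q
2009-01-05T09:01:05 mallory->carol: Hey, i found a website with your pic on it... LOL check it out here http://example.invalid/r
2009-01-05T09:02:00 bob->alice: lunch at noon?
2009-01-05T09:03:00 eve->bob: here is that article http://example.invalid/news
2009-01-05T09:10:00 alice->dave: Hey, i found a website with your pic on it... LOL check it out here http://example.invalid/s
2009-01-05T09:10:30 alice->erin: Hey, i found a website with your pic on it... LOL check it out here http://example.invalid/t
2009-01-05T09:11:00 alice->frank: Hey, i found a website with your pic on it... LOL check it out here http://example.invalid/u
"""

LINE_RE = re.compile(r"^(\S+) (\w+)->(\w+): (.*)$")
URL_RE = re.compile(r"https?://\S+")

def template(text):
    """Collapse a DM to a comparison key: URLs become <url>, case and spacing are ignored."""
    return " ".join(URL_RE.sub("<url>", text).lower().split())

def find_fanout(log, min_recipients=3, window_seconds=600):
    """Flag senders that push the same link-bearing text to many distinct recipients
    inside one time window, and note whether the sender received that DM first."""
    sends = defaultdict(list)   # (sender, template) -> [(time, recipient)]
    received = set()            # (recipient, template) pairs seen in the log
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m or not URL_RE.search(m.group(4)):
            continue            # skip malformed lines and DMs that carry no link
        ts, sender, recipient, tpl = datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), template(m.group(4))
        sends[(sender, tpl)].append((ts, recipient))
        received.add((recipient, tpl))
    alerts = []
    for (sender, tpl), events in sends.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            inside = {r for t, r in events[i:] if (t - start).total_seconds() <= window_seconds}
            if len(inside) >= min_recipients:
                alerts.append({"sender": sender, "recipients": sorted(inside),
                               "received_same_dm": (sender, tpl) in received, "template": tpl})
                break           # one alert per sender/template pair
    return alerts
```

Tuning `min_recipients` and `window_seconds` against a real DM feed is what separates a worm from a chatty user who shares one link with a couple of friends.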

An afternoon at W1AEC

I had the opportunity to go down to the SEMARA club this afternoon as it was open for Kids Day. I was much older than the target demographic, but I wanted to head down and learn how to operate the club station. I met Bob, K1KVV, who opens the station just in case someone wants to pop by, and he showed me how to set the radios up, operate them, and break them down. Since kids were nowhere to be found (the club doesn’t actually promote this beyond the mailing list), I was able to get behind the wheel and take the station for a spin.

In a word: Wow.

The station consists of a TS-570 and a recently-donated TS-940S and a 40 through 6 yagi on top of an 80 foot tower. I operated almost exclusively on the 570, as that was controlled by Ham Radio Deluxe. I must say, I’ve heard the praise for HRD and I’ve been wondering what the hub-bub was all about. The interface and the integration is an incredible blend of the radio and the various tools on the Internet. The integration with the DX cluster is amazing. It really is point, click, QSO.

It was rather quiet for me as most of the activity on the band was focused on the RTTY contest that was this weekend, but soon after I sat down I saw ZR2CR spotted on the cluster and jumped in. I never knew how much a Yagi and tower help, as I was able to work her on my 2nd try, something I would likely not be able to do at home. I then saw ZD8UW and decided to try my luck. I tuned over there and was curious when he was announcing that he was working split (listening on one frequency and transmitting on another, for you non-Hams); a quick Google showed that it was a DXpedition on Ascension Island in the South Atlantic. It took some time to figure out how to set the 570 into split, and I had a couple of false starts when I was transmitting in LSB but listening in USB, but after that was sorted out, I worked him after about 5-10 tries. I then popped over to 17 Meters and worked PJ2/N9JZ in the Netherlands Antilles.

I had been on the radio for a bit at this point, and Bob was curious about Ham Radio Deluxe so I handed the mic over to him. I showed him what I had learned and he was impressed, working 4A1DXXE, HK1NK, and a couple other stations in short order. He then tried to work an Australian station, but the band was closing up and we both had to leave.

Bob informed me that I can get a key to the station as I am a club member. Bob is fairly active in trying to get interest going in operating the club station, so I think he was happy that I was excited to use it. I must say, after using that tower and HRD, I am very interested, as it’s a bit of a step up from my TS-120 and my tree-strung dipole. Plus, with winter here, trudging out into the snow to set up my antenna isn’t the most alluring thought in the world.