Sunday, December 26, 2010

About Citizens, Medias, Entrepreneurs, Diplomats, Passive Monitoring Intelligence...

Now that you have surrendered to the ubiquitous advertising campaigns shelling you from all sides, and now that you have acquired your latest Christmas mobile toy, a few things may need to be recalled to users, the author included, who do not always realise that they are not the only ones watching their screen. Others do too: governments, firms, neighbours. You are "live" for their own gain. The means and uses involved are so sophisticated that they go beyond the ordinary citizen's imagination. It is called "Passive Monitoring". (Story: 1,666 words)

& Update from ZDNet, Dec 26th 2010, on malicious botnet traffic, down the page. NDAG

You may have noticed that your computer is slow, or that your blog is immediately mirrored. You may not be aware that the mobile phone, smart-phone or wireless (Wi-Fi) device you use is not at all secure, contrary to what the manufacturer wrote in the warranty. You may then find yourself the target of sudden ad campaigns, or, in other cases, your system may simply freeze; worse may come later.

Who has such an interest? Comments and quotes.

Here is an advertisement from a security corporation:

"V.... is a mass and target interception system that intercepts, filters, and analyzes voice, data, and multimedia for intelligence purposes. Using sophisticated probing technology and V...’s real-time filtering mechanisms, V.... passively collects maximum communications, extracts the most important information, and uses stored data analysis for generating intelligence from data collected over time."

If your smart-phone, Mac or PC were infected in any of these ways, you probably would not notice, even as a sophisticated user. "Because security software generally sees operating systems as trustworthy, rootkits tucked deep within an OS can go undetected for a long time." In fact, desktop anti-malware products have only recently started to scan for rootkits. Quote from Ryan Farley and Xinyuan Wang of George Mason University, Department of Computer Science, Fairfax, Virginia, USA:

"The capabilities of spyware have expanded as always-on Internet connections have become increasingly frequent. It's not only data stored on the compromised machine that is at risk. Variants of spyware that provide audio and video surveillance through peripherals such as microphones and web-cams have been around for over ten years. This may all sound like old news, but that is deceivingly wrong. There are a few factors why well structured surveillance attacks are only a recently growing concern and an increasingly unchecked threat reaching critical potential. Primarily, consumers are realizing that a smart-phone with an unlimited data plan is almost as vulnerable as a desktop on broadband at home. Also laptops, which have long had built-in microphones and Internet accessibility, are recently also being sold with built-in web-cams. Protection is even more of a concern in the modern computing environment where new regulations are constantly driving up the accountability of organizations for the loss of private data. It is important to point out that we are not implying that surveillance spyware will be as widespread as other malware. A microphone in every house with Internet access is of little use to the average attacker and surveillance attacks will probably involve specific victims known to the attacker. This does not diminish how universal of a threat this is, after all, potentially anyone is capable of gaining an unwanted stalker, jealous spouse, or generally becoming the target of espionage. The most plausible use of surveillance spyware across a set of devices is to provide a roving bug. This is a term used for audio surveillance that follows a particular victim regardless of which device they are using. If the attacker has compromised a victim's home computer, work laptop, and smart-phone, then the attacker would have a greater capacity to continuously monitor the victim."

How does it work?

Take, for instance, the common "botnet" attack. Definition: a botnet is "a collection of software agents, or robots, that run autonomously and automatically. The term is most commonly associated with IRC bots and more recently malicious software, but it can also refer to a network of computers using distributed computing software." A huge share of Internet bandwidth is wasted by idiots, and by crafty thieves pretending to be idiots. Bots are worse than spam. But for some, they are a gold mine.

Search engines are the worst offenders. Then Amazon's clouds. And Twitter aggregators, TOR aggregators, RSS aggregators, all peddling ads with purloined material. Far too many maliciously configured programs grab content, indifferent to the damage they do. "Exploiting openness to sell marked-up closed versions, just like the official spies; no doubt some are working for the spies."

"The main drivers for botnets are recognition and financial gain. The larger the botnet, the more 'kudos' the herder can claim to have among the underground community. The bot herder will also 'rent' the services of the botnet out to third parties, usually for sending out spam messages, or for performing a denial of service attack against a remote target. Due to the large number of compromised machines within the botnet, huge volumes of traffic (either email or denial of service) can be generated. However, in recent times the volume of spam originating from a single compromised host has dropped in order to thwart anti-spam detection algorithms: a larger number of compromised hosts send a smaller number of messages in order to evade detection by anti-spam techniques.

Botnets have become a significant part of the Internet, albeit increasingly hidden. Due to most conventional IRC networks taking measures and blocking access to previously-hosted botnets, controllers must now find their own servers. Often, a botnet will include a variety of connections and network types. Sometimes a controller will hide an IRC server installation on an educational or corporate site where high-speed connections can support a large number of other bots. Exploitation of this method of using a bot to host other bots has proliferated only recently.

Several botnets have been found and removed from the Internet. The Dutch police found a 1.5-million-node botnet and the Norwegian ISP Telenor disbanded a 10,000-node botnet. In July 2010, the FBI arrested a 23-year-old Slovenian held responsible for the malicious software that integrated an estimated 12 million computers into a botnet. Large coordinated international efforts to shut down botnets have also been initiated. It has been estimated that up to one quarter of all personal computers connected to the Internet may be part of a botnet."

What happens?

Denial-of-service attacks, where multiple systems autonomously access a single Internet system or service in a way that appears legitimate but far more frequently than normal use, causing the system to become overloaded.

Adware exists to advertise some commercial entity actively and without the user's permission or awareness, for example by replacing banner ads on web pages with those of another content provider.

Spyware is software which sends information to its creators about a user's activities, typically passwords, credit card numbers and other information that can be sold on the black market. Compromised machines that are located within a corporate network can be worth more to the bot herder, as they can often gain access to confidential information held within that company. There have been several targeted attacks on large corporations with the aim of stealing sensitive information, one such example is the Aurora botnet.

E-mail spam consists of e-mail messages disguised as messages from people but which are advertising, annoying or malicious in nature.

Click fraud is the user's computer visiting websites without the user's awareness to create false web traffic for personal or commercial gain.

Access number replacement is where the botnet operator replaces the access numbers of a group of dial-up bots with a victim's phone number. Given enough bots taking part in this attack, the victim is consistently bombarded with phone calls attempting to connect to the Internet. With very little defence against this attack, most victims are forced to change their phone numbers (land line, cell phone, etc.).

Fast flux is a DNS technique used by botnets to hide phishing and malware delivery sites behind an ever-changing network of compromised hosts acting as proxies.
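One way to spot the fast-flux pattern described above in a resolver log, as an added Go example that is not part of the original post: a name that keeps returning many short-TTL A records spread across unrelated networks is scored against simple thresholds. The Lookup records, the addresses (taken from documentation and shared-address ranges, so none are real hosts) and the thresholds are constructed for this example; a real deployment would tune the thresholds against its own data and add ASN lookups instead of the /16 prefix used here as a stand-in.

```go
package main

import (
	"fmt"
	"net"
)

// Lookup is one answer set returned for a name, as a resolver log would
// record it: the TTL of the answer and the A records it carried.
type Lookup struct {
	Name string
	TTL  int      // seconds
	IPs  []string // A records
}

// Verdict summarises what repeated lookups of one name revealed.
type Verdict struct {
	Name        string
	DistinctIPs int
	DistinctNet int // distinct /16 prefixes, a crude proxy for network diversity
	MinTTL      int // -1 when the name never appeared in the log
	FastFlux    bool
}

// Thresholds are assumptions for this example; tune them against real
// resolver data before relying on them.
const (
	minDistinctIPs = 8   // a stable site rarely rotates this many addresses
	minDistinctNet = 4   // proxies on compromised hosts sit in unrelated networks
	maxTTL         = 300 // fast flux needs short TTLs to keep the rotation working
)

// Score inspects every lookup of name and flags the fast-flux pattern:
// many short-lived A records spread across unrelated networks.
func Score(name string, lookups []Lookup) Verdict {
	ips := map[string]struct{}{}
	nets := map[string]struct{}{}
	minTTL := -1
	for _, l := range lookups {
		if l.Name != name {
			continue
		}
		if minTTL < 0 || l.TTL < minTTL {
			minTTL = l.TTL
		}
		for _, s := range l.IPs {
			ip := net.ParseIP(s).To4()
			if ip == nil {
				continue // skip malformed or IPv6 answers in this example
			}
			ips[ip.String()] = struct{}{}
			nets[fmt.Sprintf("%d.%d", ip[0], ip[1])] = struct{}{}
		}
	}
	v := Verdict{Name: name, DistinctIPs: len(ips), DistinctNet: len(nets), MinTTL: minTTL}
	v.FastFlux = minTTL >= 0 && minTTL <= maxTTL &&
		v.DistinctIPs >= minDistinctIPs && v.DistinctNet >= minDistinctNet
	return v
}

// SampleLookups is a constructed resolver log: one name behaves like a
// fast-flux front, the other like an ordinary site on a small stable pool.
func SampleLookups() []Lookup {
	return []Lookup{
		{Name: "login-update.example", TTL: 180, IPs: []string{"203.0.113.5", "198.51.100.9", "192.0.2.77", "203.0.113.200"}},
		{Name: "login-update.example", TTL: 120, IPs: []string{"198.51.100.41", "192.0.2.18", "203.0.113.99", "100.64.3.17"}},
		{Name: "login-update.example", TTL: 180, IPs: []string{"192.0.2.130", "203.0.113.5", "198.51.100.9", "100.64.120.8"}},
		{Name: "news.example", TTL: 3600, IPs: []string{"192.0.2.10", "192.0.2.11"}},
		{Name: "news.example", TTL: 3600, IPs: []string{"192.0.2.10", "192.0.2.11"}},
	}
}

func main() {
	for _, name := range []string{"login-update.example", "news.example"} {
		v := Score(name, SampleLookups())
		fmt.Printf("%-22s ips=%d nets=%d minTTL=%d fastflux=%v\n",
			v.Name, v.DistinctIPs, v.DistinctNet, v.MinTTL, v.FastFlux)
	}
}
```

The short TTL is what makes the proxy rotation possible, so it is the first thing to check; the address and network counts then separate a fast-flux front from a content-delivery network, which also rotates addresses but within a few well-known networks.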

What answers?

"Several security companies such as Afferent Security Labs, Symantec, Trend Micro, FireEye, Simplicita and Damballa have announced offerings to stop botnets. While some, like Norton AntiBot (discontinued), are aimed at consumers, most are aimed to protect enterprises and/or ISPs. The host-based techniques use heuristics to try to identify bot behavior that has bypassed conventional anti-virus software. Network-based approaches tend to use the techniques described above; shutting down C&C servers, nullrouting DNS entries, or completely shutting down IRC servers.

Newer botnets are almost entirely P2P, with command-and-control embedded into the botnet itself. By being dynamically updateable and variable they can evade having any single point of failure. Commanders can be identified solely through secure keys and all data except the binary itself can be encrypted. For example a spyware program may encrypt all suspected passwords with a public key hard coded or distributed into the bot software. Only with the private key, which only the commander has, can the data that the bot has captured be read.

Newer botnets have even been capable of detecting and reacting to attempts to figure out how they work. A large botnet that can detect that it is being studied can even DDoS those studying it off the Internet." (Wikipedia sources are not fully trustworthy, as they involve corporations which are themselves spying on the web.)
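The key arrangement the quoted passage describes, written here as an added Go example (not code from the page or from any product it names): the collecting side holds only a public key, wraps a fresh per-record data key with it, and stores the record encrypted, so that only the holder of the private key can read it. The quote does not say which algorithms are used; RSA-OAEP for the key wrap and AES-256-GCM for the record are assumptions of this example, and the sample record is constructed. The point for a defender is that recovering the binary together with its output yields nothing to decrypt with, so analysis has to rest on the program's behaviour and its network traffic rather than on the captured data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Sealed is one record as it would be stored or sent: the RSA-OAEP-wrapped
// data key, the AES-GCM nonce and the ciphertext.
type Sealed struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

// Seal encrypts plaintext under a fresh AES-256-GCM data key and wraps that
// key with pub. The side running Seal never holds the private key, so whoever
// recovers this code, the public key and the output cannot read the record.
func Seal(pub *rsa.PublicKey, plaintext []byte) (Sealed, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return Sealed{}, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return Sealed{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return Sealed{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Sealed{}, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return Sealed{}, err
	}
	return Sealed{
		WrappedKey: wrapped,
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, plaintext, nil),
	}, nil
}

// Open unwraps the data key with priv and decrypts the record. A wrong
// private key fails at the OAEP step and never yields a data key to try.
func Open(priv *rsa.PrivateKey, s Sealed) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, s.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, s.Nonce, s.Ciphertext, nil)
}

// Demo plays both roles: the collecting side gets only commander.PublicKey,
// the commander keeps the private half. It returns the recovered record and
// whether an unrelated private key (an analyst's guess) was refused.
func Demo() (recovered string, wrongKeyRefused bool, err error) {
	commander, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", false, err
	}
	analyst, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", false, err
	}
	// Constructed sample record for the example; not real data.
	record := []byte("form capture: user=alice host=mail.example")
	sealed, err := Seal(&commander.PublicKey, record)
	if err != nil {
		return "", false, err
	}
	plain, err := Open(commander, sealed)
	if err != nil {
		return "", false, err
	}
	_, wrongErr := Open(analyst, sealed)
	return string(plain), wrongErr != nil, nil
}

func main() {
	got, refused, err := Demo()
	fmt.Printf("recovered=%q wrongKeyRefused=%v err=%v\n", got, refused, err)
}
```

Because the data key is generated per record and the public key cannot reverse OAEP, the only key material on the collecting side is useless to anyone who seizes it; that is exactly why the quote stresses that "only the commander" can read what was captured.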

Well then!

Even this is not the latest assessment; high-tech research never ends. The next good guy to watch you will be your home robot... Next time we'll talk about CCTV, closed-circuit television, in Japan.

Ref: An interesting though incomplete report on the subject, May 2010: "Are hackers spying on you from your mobile phone?"

Sources: Reporter's notes, George Mason University. Picture: TW.


Q: "Will we finally manage to contain and then reduce the volume of spam and phishing attempts massively sent out by the crooks who operate botnets, and which represent 80% of e-mail traffic today?"

A: The fight against botnets is getting organised, but the pernicious traffic they generate is not weakening, and I am not optimistic on this subject. It is clear that the "weak link" of the Internet, as far as spam and phishing are concerned, is the Internet user himself, who connects to the network equipment that is insufficiently protected against outside access and which easily falls under the remote control of a botnet. Security flaws in operating systems and Internet software (browsers, FTP clients...) combine with the ignorance of poorly trained users to offer criminal organisations millions of computers that are far too easy to take control of. The phenomenon has not yet really reached the mobile Internet, even though a few "smartphone botnets" have already appeared this year. I am ready to bet that 2011 will see the appearance of botnets massively targeting smartphones and tablets...


About Citizens, Medias, Entrepreneurs, Diplomats, Passive Monitoring Intelligence... by Asian Gazette Blog of Joel Legendre-Koizumi is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License.
