Thursday, March 29, 2012

Twenty percent of all households have at least one bot-infected computer

...and 5% of all enterprise 'assets' are infected.

From Gunter Ollmann, VP of Research at Damballa, in this post on CircleID:
"...on average, between 3-7% of assets within enterprise networks are identified as being infected..."
"Within the ISP/Telco world that have chosen to deploy the Damballa CSP product, between 18-22% of unique subscriber IP addresses are actively seeking to connect to known C&C servers."

Note that this is bot-net infections only, not the broader category of computers infected with malware in general. 

When I first started securing systems a couple of decades ago there were no external threats. We had Netware, IPX and Arcnet. The only path to a compromise of confidentiality or integrity originated on a keyboard within the campus. There were no external threats. The threat to our systems was from the inside, and the risk from insiders was mitigated by the assumption that we'd be able to pin the actions initiated at a keyboard inside our buildings to an individual, and that the individual would know that the actions would be traceable. It wasn't foolproof - you routinely read about employees misappropriating employers' funds - but as far as I know, it was a manageable problem.

Then we connected our wonderful safe little island to the Internet. It didn't take long to figure out that an action by an outsider, external to our island, was a threat to our systems. The solution? Firewalls, of course. If the outsider can't get in, we can focus on the threat from the inside where we know who is at the keyboard, where they know that we know, and where they know that detection and prosecution is a likely outcome.

Today? Unlike years ago, we cannot associate the actions of a keyboard with the individual sitting at the keyboard. This effectively means that what used to be external is now internal, and what has always been internal is now external. What used to be a fairly clear delineation between something that happened from the outside and something that happened internally is gone. We can no longer assert that we know who is at any particular keyboard, and tracing an event back to an internal keyboard doesn't permit us to presume that the action was initiated by a person internal to the organization.

The external threat is inside your enterprise.

Monday, March 26, 2012

Microsoft and its partners seize servers...

Microsoft press release on their Zeus botnet server seizure:

"This disruption was made possible through a successful pleading before the U.S. District Court for the Eastern District of New York, which allowed Microsoft and its partners to conduct a coordinated seizure of command and control servers running some of the worst known Zeus botnets."

"As a part of the operation, on March 23, Microsoft and its co-plaintiffs, escorted by the U.S. Marshals, seized command and control servers in two hosting locations, Scranton, Pa., and Lombard, Ill., to seize and preserve valuable data and virtual evidence from the botnets for the case."

Emphasis is mine.

From the actual seizure order:

"There is good cause to believe that the Defendants have engaged in…Trademark Infringement, False Destination Origin, and Trademark Dilution…"

Emphasis is mine.

So if I'm reading this correctly, Microsoft seized the servers, not federal law enforcement. Individuals who work for a corporation, not law enforcement agents who report to elected officials, executed the seizure. A corporation has, with the permission of a court and while escorted by law enforcement, seized property using (among other things) Trademark Infringement as a justification.

Kudos to Microsoft for taking bold action. A large corporation like Microsoft can put far more resources into something like this than law enforcement can. (The best funded crime lab in my home state is at the home offices of a large nationwide retailer, not at a government facility.)

But we should stop and consider whether we really want corporations leading law enforcement actions.

Thursday, March 8, 2012

I thought I had this privacy thing figured out, but…

…maybe not.

I’m trying out the Collusion plugin for Firefox and the results are interesting. After a couple evenings of my normal surfing routine, the plugin looks like:



As expected, Google appears at or near the center of attraction.


I use the Google suite for anything related to my profession and I use Google's competition for anything unrelated to my role as an IT professional. My theory is that as a public employee in Minnesota, pretty much everything I do professionally is public anyway, so I figure that there is no net loss to using the Google stack. The Collusion plugin shows that I'm merging the two realms far more than I thought.

Also unexpected are several domains that I’ve never heard of, including something called imrworldwide:


I have no idea who they are, but they know more about me than I’d like.

I use Adblock Plus and NoScript plugins and I accept third party cookies, but I clear all cookies each time I close Firefox (once every few weeks), so I’ve assumed that I’m less ‘connectable’ than the typical surfer.

It looks like I’m not as segmented as I thought. I’ve added ‘Antisocial’ and ‘Adversity’ block lists to Adblock Plus.