Mike Elgan on Openness vs. secrecy – the case of Apple vs. Google  30.10.10

Mike Elgan compares the alleged openness of Google with the notoriously secretive Jobsian empire. The surprising discovery is that every company has its secret sauce, the recipe of which is stored in iron boxes or, in modern times, in encrypted databases:

The companies are different, and what they’re “open” about reflects that difference. For example, Trump is very secretive about pending real estate transactions, but would probably be happy to share the details of food served at one of his golf courses. McDonald’s on the other hand, isn’t all that secretive about real estate transactions but they’re very secretive or “closed” about their Secret Sauce.

In other words, companies are very closed, secretive, and controlling about the part of their business that makes the money. (via gruber)

Reminds me of the interesting question of who has, or wants, which secret sauce in the area of internet security.

Volker Weber (heise) on the discussion about Blackberry security  29.10.10

The two kinds of security behind one brand:

RIM is negotiating with governments, and the press reports successes: RIM is said to be providing India with tools for monitoring communications, for instance. On the other hand, the company repeats like a mantra that Blackberry communication is secure and that nobody, not even RIM itself, has access to the data. But if RIM itself has no access to Blackberry users' messages, how can the company comply with these demands? … This apparent contradiction can be resolved by distinguishing between the Blackberry services BES and BIS. BES is the product RIM offers its enterprise customers, BIS the one for private customers.

1&1, Damballa, botnets, and quantitative internet security research  28.10.10

As mentioned the other day, security provider Damballa released a study stating that some 11% of global botnet command-and-control servers were hosted by 1&1 Internet AG. Heise, presumably Germany's most influential IT news portal, ran the story, mostly citing the findings of the study. 1&1 was not amused by the journalistic performance. The flaws (de) in Damballa's study were quickly uncovered by Thorsten Kraft of 1&1's Anti-Abuse team, which is closely linked to the consumer-focused German Anti-Botnet advisory centre. Heise released another article explaining the flaws in the Damballa report, and Damballa has rightly taken its analysis down. The underlying lapse, according to the reports linked above, was that Damballa had allegedly added both ordinary, non-infected infrastructure servers and sinkhole and honeypot machines to its list of C&C servers.
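To make the methodological point concrete, here is an added illustration (my own, not Damballa's or 1&1's code) of how per-provider C&C shares shift once sinkholes, honeypots and ordinary infrastructure are removed from the candidate list before attribution. All IP addresses, ASNs and the "ground truth" lists are constructed sample data, using RFC 5737 documentation prefixes and RFC 6996 private-use ASNs, so nothing here maps to a real provider.

```python
import ipaddress
from collections import Counter

# Constructed observations: a destination IP that infected hosts contacted and
# the ASN it was attributed to. Documentation prefixes and private-use ASNs only.
OBSERVED_CNC = [
    ("192.0.2.10", 64496), ("192.0.2.130", 64496),
    ("192.0.2.131", 64496), ("192.0.2.200", 64496),
    ("198.51.100.5", 64497), ("198.51.100.6", 64497),
    ("203.0.113.7", 64498), ("203.0.113.8", 64498),
]

# Ground truth an ISP abuse desk would hold (constructed): researcher sinkhole
# ranges, honeypots the provider runs itself, and benign infrastructure that
# bots contact anyway (e.g. a resolver). None of these is a criminal C&C.
SINKHOLE_NETS = [ipaddress.ip_network("192.0.2.128/26")]
HONEYPOT_IPS = {ipaddress.ip_address("192.0.2.200")}
BENIGN_INFRA = {ipaddress.ip_address("203.0.113.8")}


def classify(ip_str):
    """Label a candidate IP as sinkhole, honeypot, infrastructure, or cnc."""
    ip = ipaddress.ip_address(ip_str)
    if any(ip in net for net in SINKHOLE_NETS):
        return "sinkhole"
    if ip in HONEYPOT_IPS:
        return "honeypot"
    if ip in BENIGN_INFRA:
        return "infrastructure"
    return "cnc"


def asn_shares(observations, filtered=True):
    """Share of candidates per ASN. With filtered=False every observed IP counts
    (the flawed method); with filtered=True only IPs classified as cnc count."""
    kept = [asn for ip, asn in observations
            if not filtered or classify(ip) == "cnc"]
    counts = Counter(kept)
    total = sum(counts.values())
    if not total:
        return {}
    return {asn: round(n / total, 3) for asn, n in sorted(counts.items())}


def top_asn(shares):
    """ASN with the largest share, or None for an empty result."""
    return max(shares, key=shares.get) if shares else None


if __name__ == "__main__":
    # Unfiltered, AS64496 "leads" with 50%; filtered, it drops to 25% and
    # AS64497 takes the top spot. Same data, different ranking.
    print("unfiltered:", asn_shares(OBSERVED_CNC, filtered=False))
    print("filtered:  ", asn_shares(OBSERVED_CNC))
```

The point of the example is not the arithmetic but the dependency: any ranking of hosting providers by C&C count is only as good as the list of known sinkholes, honeypots and benign infrastructure that was subtracted first, and a provider whose network hosts research sinkholes is penalised twice if that step is skipped.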


Looks like botnet take-down time: Bredolab, Zeus…  27.10.10

The High Tech Crime Team did the job against the unsophisticated Bredolab Botnet:

The Bredolab botnet has been busted. So said the High Tech Crime Team, part of the National Crime Squad in the Netherlands, on Monday.
According to Dutch authorities, “the botnet network used servers hired in the Netherlands from a reseller of LeaseWeb,” one of Europe’s largest hosting providers, which is working with investigators. All told, 143 servers were seized and disconnected. (informationweek.com)

Further information is provided by the Openbaar Ministerie, the Dutch public prosecution service.

Global cooperation among police forces in cybercrime cases appears to work far better than it did two years ago.

dataloss.db  27.10.10

The so-called Open Security Foundation has set up a publicly viewable and editable database to collect and share information about, well, data losses:

DataLossDB is a research project aimed at documenting known and reported data loss incidents world-wide. The effort is now a community one, and with the move to Open Security Foundation’s DataLossDB.org, asks for contributions of new incidents and new data for existing incidents.

May it help those virtual runaway bits to come back to their motherships. Such as:

New York breach notification: Bear Stearns – client information accidentally was viewable by 2 unauthorized firms. 442 NY residents potentially exposed.  (Source)

If only Bear Stearns had exposed just those 442 New Yorkers. Anyhow. Data losses are a societal problem, especially when incidents reach the dimensions of the Heartland Payment Systems case with its 130,000,000 records or the T-Mobile Germany incident, which affected some 17,000,000 customers.

Anup Ghosh on Zeus malware with inbuilt piracy protection (written back in May)  27.10.10

Cleaning out my RSS feed inboxes, I found this little gem called "The Reign of Zeus", written back in May, ages ago on the internet security time scale, by Anup Ghosh:

Zeus is a game changer virus for the financial services industry, and perhaps its most pernicious computer-related threat. It specifically targets banking information by users and will defeat strong multi-factor authentication (MFA) methods used by banks including hardware tokens with one-time random passwords. A recent breakthrough in spreading Zeus via PDF files threatens to further the spread of Zeus.

Zeus is an example of the sophisticated crimeware now available to crime syndicates that are focused on illicit financial gains by capturing banking credentials. The toolkit is available for sale in underground markets and the Zeus author has even implemented sophisticated hardware licensing schemes to prevent piracy.

Not sure whether the “DRM is bad for the customer” mantra applies here.

Threat Level has an update on spear-phishing, based on data issued in Symantec’s MessageLabs Intelligence reports.

Eric Schmidt writes in Foreign Affairs, “The Digital Disruption”  27.10.10

You never know with these Foreign Affairs articles how significant they will be for actual policy making. But they reveal at least what is being discussed in US foreign policy circles. Google's ties with the US administration and the Department of State became visible to a larger audience in the course of the China-Google showdown earlier this year. The publication of Eric Schmidt's and Jared Cohen's article "The Digital Disruption – Connectivity and the Diffusion of Power" in the forthcoming issue of Foreign Affairs only underlines this special relationship.

Foreign Affairs continues its tradition of articles on the strategic use of information technology for US foreign policy. Back in 1996, Nye/Owens called for an "information umbrella" as a future means to allow the US to keep leading an alliance of like-minded states in a post-"nuclear umbrella" world. Schmidt/Cohen discuss, in diplomatically sterile language, the effects of "connection technologies" on politics, governments, and the diffusion of power among different actors. They have retained some techno-optimism:

In an era when the power of the individual and the group grows daily, those governments that ride the technological wave will clearly be best positioned to assert their influence and bring others into their orbits. And those that do not will find themselves at odds with their citizens.

But within Western states, too, the notion of governance will spread further:

Instead, governments, individuals, nongovernmental organizations, and private companies will balance one another’s interests.

Looks like multi-stakeholderism gone ubiquitous.

If you don’t want to register with the foreignaffairs.com website, Stefaan Verhulst has the complete article.

Gunter Ollmann (Damballa) has new figures on botnet hosting  26.10.10

The world-wide leader in botnet CnC hosting, according to Gunter Ollmann, VP Research of security provider Damballa, is the German ISP 1&1 Internet AG.

1&1 headquarters will be relieved to read this:

It is important to note that the ISP’s and hosting providers listed in the top-10 do not necessarily conduct criminal practices, but they have found themselves in a position of being “preferred” by the criminals operating the botnets.

It is surprising to see 1&1 spearheading CnC hosting. The data for a study released earlier this year by my TU Delft colleagues Michel van Eeten, Hadi Asghari et al. reveal that 1&1 is among the best ISPs when it comes to dealing with malware and spam. In that respect, 1&1 has one of the cleanest ASNs, much better than, say, Deutsche Telekom.

I've briefly skimmed through some Damballa papers, but I could not find a description of their method for detecting CnC servers.

Stephen Walt, foreignpolicy.com, embraces Wikileaks: “a good thing”  26.10.10

Stephen M. Walt, good old Realist with an almost Niebuhrian image of humanity, embraces Wikileaks:

Realist that I am, I believe that human beings are more likely to misbehave if they think they can shield what they are doing from public view. For that reason, I also believe that democratic societies are more likely to adopt better policies when information is plentiful and when government officials cannot determine which facts are available to the public and which are not. Because its primary function is to make more information available on issues that concern us all, I therefore conclude that what Wikileaks is doing is on balance a good thing.

The German liberal internet-politics blogosphere and IT magazines still appear to have visions of transparent, democratically organised Wikileaks clones. I wonder how such an organisation would transparently and democratically deal with the spectre of its members being declared "enemy combatants".

Seymour Hersh's 6731-word take on "the online threat"  26.10.10

Summary: There is no cyberwar problem, only cyber espionage. Cyberwar is invented by cybergeddonists, who happen to work for security contractors after having left their public cyber-security posts. China has no interest in launching a cyberwar against the US, even if it might possibly have the means. Cyberwar is hardly wageable because of the unintended consequences caused by the openness of the web. Espionage could be dealt with by obligatory encryption, which however is costly and hard to operate and maintain. Non-encryption, however, might not be the underlying cause of internet security problems, and military activities can have unintended consequences of their own. Nevertheless, recommended reading.

The political situation:

In the next few months, President Obama, who has publicly pledged that his Administration will protect openness and privacy on the Internet, will have to make choices that will have enormous consequences for the future of an ever-growing maze of new communication techniques: Will America’s networks be entrusted to civilians or to the military? Will cyber security be treated as a kind of war?

Blurring definitions of cyber war and cyber espionage…

Blurring the distinction between cyber war and cyber espionage has been profitable for defense contractors—and dispiriting for privacy advocates.

The cybergeddonists’ false scenarios:

The most common cyber-war scare scenarios involve America’s electrical grid. … There is no national power grid in the United States. There are more than a hundred publicly and privately owned power companies that operate their own lines…. …an electrical supplier that found itself under cyber attack would be able to avail itself of power from nearby systems.


If Stuxnet was aimed specifically at Bushehr, it exhibited one of the weaknesses of cyber attacks: they are difficult to target and also to contain. India and China were both hit harder than Iran… The real hazard of Stuxnet, he [Schneier] added, might be that it was “great for those who want to believe cyber war is here.”

On Army General Keith Alexander (head of US cyber command, director of NSA):

One of Alexander’s first goals was to make sure that the military would take the lead role in cyber security and in determining the future shape of computer networks.

Military-civilian relationship:

If the military is operating in “cyberspace,” does that include civilian computers in American homes?

Encryption as the solution for the cyber security problems (citing John Arquilla):

“We would all be far better off if virtually all civil, commercial, governmental, and military internet and web traffic were strongly encrypted.” … “Today drug lords still enjoy secure internet and web communications, as do many in terror networks, while most Americans don’t.”

A Maginot line mentality (citing Marc Rotenberg, EPIC):

“The question is: Do you want an agency that spies with mixed success to be responsible for securing the nation’s security? If you do, that’s crazy.”

Clipper-Chip 2.0:

The legislation, similar to that sought two decades ago in the Clipper Chip debate, would require manufacturers of equipment such as the BlackBerry, and all domestic and foreign purveyors of communications, such as Skype, to develop technology that would allow the federal government to intercept and decode traffic.

A long list of interviewees and sources:

Jonathan Pollack, Whitfield Diffie, Jeffrey Carr, "a retired four-star Navy general", John Arquilla, Marc Rotenberg, Howard Schmidt, "a senior official in the Department of Homeland Security", William J. Lynn III, James Lewis (senior fellow at CSIS), Bruce Schneier, J. Michael McConnell, Army General Keith Alexander (head of US cyber command, director of NSA), "a defense contractor" ("one of America's most knowledgeable experts on Chinese military and cyber capabilities"), Richard Clarke (cybergeddonist, security contractor and Bush's man for cybersecurity, "poison gas clouds…"), J. Michael McConnell (Bush's second director of National Intelligence, now cybergeddonist and security contractor, "Our cyber-defenses are woefully lacking").