Police Take Over Bredolab Malware

The High Tech Crime Team in Holland have taken over the 143 command and control servers that manage a 30-million-node botnet based on the Bredolab malware.

…Bredolab was capable of infecting 3 million computers a month. At the end of 2009 it was estimated that 3.6 billion emails, each containing the files needed to infect the system and join it to the Bredolab botnet, were sent daily.

Shortly after the takedown announcement, a 27-year-old Armenian was arrested in connection with the botnet. He was detained at the Yerevan Airport in Armenia [on his way home from Moscow]. It’s reported that he had tried to regain control of the botnet, and when the attempts failed, he used 220,000 systems to launch an attack against LeaseWeb. The DDoS failed when the servers [in Paris] were pulled from the Web.

Bredolab also spread by looking for Web server passwords and then installing an infection kit on Web pages.

The above quote is from the Tech Herald, which also makes note of the fact that the majority of command and control servers for botnets are actually hosted in the US. Botnet administrators might live in another country from their servers, or they might not. The Tech Herald calls it an ISP “shame” inside American borders.

The Dutch Police action might already seem like a big step in fighting botnets. Yet that is not the end of the story. It just gets more controversial from here. They also used their newfound control of the botnet to update infected systems and redirect their browsers to a warning page on the Police website. Would you believe this page is real?

Ironic that the bottom of the page just has a link called “More information”. Would you click on the link? There is scant information to prove this page is authentic. It should be hard to trust this if you have never before read pages from the Dutch Police and their HTCT.

Although some who are infected may appreciate hearing from the police that their computer has malware (cue image of woman tied to railroad tracks) the police action seems aggressive and definitely breaks new ground. I wonder whether victims will see this as a public service saving them from even greater disaster or as a breach of trust and unnecessary risk.

Do the police justify moving from takedown to control and command of a botnet as necessary — quick action in the face of imminent harm? Maybe it will prove to be the most effective way to educate users and prevent reinfection.

It is difficult to say victims could ever be worse off when controlled by the Dutch police instead of the former botnet administrator. The man accused and arrested clearly had malicious intent. Then again, police abuse and corruption are not purely fiction.

I am tempted to compare the situation with a non-technology rescue operation. Victims first end up in the care of a rescue team before being released. The problem with technology, however, is that abuse of the situation by those in control is far less visible than in the physical world. It therefore makes sense to address the tough questions ahead of time. The Dutch victims should be able to review the police rules of engagement, such as their procedure and policy. In other words, now that they are in something akin to “safe custody”, victims should know what other actions the police may take and what protection from abuse they have.

Microsoft Takes a Beating

An article called “Microsoft’s consumer brand is dying” by CNN points out that the software giant’s execution is no longer winning the market. They cite a blog from Ray Ozzie who says fit and function has been surpassed. This sounds right to me. Consumers often say they like the feel of Apple and Google better.

Then the article has this odd quote from an analyst:

“In this age, the race really is to the swift. You cannot afford to be an hour late or a dollar short,” says Laura DiDio, principal analyst at ITIC. “Now the biggest question is: Can they make it in the 21st century and compete with Google and Apple?”

I disagree. Apple and Google were not swift. Neither was first to market. The race is to the simple (smooth and sexy), not the swift. Ozzie is right, DiDio wrong.

More importantly, no one seems to be saying the race is to the secure. Microsoft used to get beaten up in the news for being insecure. Although they have done much to improve this, which helped them stem losses in the enterprise market, it appears not to be a primary factor in the fashion-fickle American consumer market where simplicity reigns.

EDITED TO ADD: Tonight I spoke with students at Cal Berkeley and they asked me to explain this further.

First, let me give another great example of a latecomer strategy that is successful:

…interviews conducted by SF Weekly with several former Zynga workers indicate that the practice of stealing other companies’ game ideas — and then using Zynga’s market clout to crowd out the games’ originators — was business as usual.

Rather than comment on whether Zynga is right or wrong, my point is just that they are not in a race to the swift. Zynga apparently is making a lot of money and being successful with a strategy of being later but executing better.

Second, since they were students of political science, I emphasized that people underestimate the value of complexity. Consumers often say they like simplicity but they probably do not realize that this is inversely related to freedom.

The less you can adapt and alter an environment the less freedom you are granted. Looking at the spectrum of freedom in another context, democracy is complicated while a dictatorship is simple. It was at this point the eyes of my audience suddenly lit up, wide with excitement. I was gratified to hear:

Oh! I see now. I never thought of it that way.

Reducing complexity in one area can open up freedom to tinker in another area. Demand for simple interfaces is not hard to understand. But if the market for simplicity gets crowded then differentiation may next come from privacy or security, which Microsoft has actually made progress with lately. I still do not see speed to market as the race Microsoft has to win.

Rhinos Protected by GPS

Park staff in South Africa have installed GPS devices into Rhino horns to help protect them from poachers. Rusty Hustler, head of security for North West Parks Board, explains:

“There are a number of alarms that can be programmed: one for excessive movement, so if the rhino starts running, and another that goes off if the rhino sleeps for longer than six hours, which is abnormal.”

An alarm also sounds if the chip goes outside of the area of the game reserve.

Poachers could jam the signal to obscure their location but this too would set off an alarm.
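The four alarm conditions described above (running, resting longer than six hours, leaving the reserve, and a jammed or silent tag) map onto a small rule set over periodic position reports. Below is an added illustration, not code from the article or the park's system; the reserve bounding box, the speed thresholds, the 10-minute report interval and the silence window are all assumed values, and the telemetry is constructed.

```python
# Assumed parameters (not from the article): a rectangular reserve and
# thresholds for what counts as "running", "resting" and "gone silent".
RESERVE = {"lat": (-25.80, -25.60), "lon": (26.00, 26.30)}  # assumed bounding box
RUN_SPEED = 6.0          # m/s; assumed "excessive movement" threshold
REST_SPEED = 0.1         # m/s; at or below this the animal counts as resting
MAX_REST = 6 * 3600      # six hours, the rule quoted in the article
MAX_SILENCE = 30 * 60    # assumed: three missed 10-minute reports = jamming or failure


def inside_reserve(lat, lon):
    """Geofence check against the assumed rectangular reserve."""
    return (RESERVE["lat"][0] <= lat <= RESERVE["lat"][1]
            and RESERVE["lon"][0] <= lon <= RESERVE["lon"][1])


def evaluate(reports):
    """reports: list of (t_seconds, lat, lon, speed_m_per_s) in time order.
    Returns a list of (t_seconds, alarm_name). Silence is detected from the
    gap between consecutive reports, so jamming shows up even though the
    jammed tag itself sends nothing."""
    alarms, rest_since, last_t = [], None, None
    for t, lat, lon, speed in reports:
        if last_t is not None and t - last_t > MAX_SILENCE:
            alarms.append((last_t + MAX_SILENCE, "signal_lost"))
        last_t = t
        if speed >= RUN_SPEED:
            alarms.append((t, "excessive_movement"))
        if not inside_reserve(lat, lon):
            alarms.append((t, "outside_reserve"))
        if speed <= REST_SPEED:
            if rest_since is None:
                rest_since = t
            elif t - rest_since > MAX_REST:
                alarms.append((t, "prolonged_rest"))
                rest_since = t  # re-arm so the alarm repeats only after another six hours
        else:
            rest_since = None
    return alarms


def sample_reports():
    """Constructed telemetry: seven hours of rest at 10-minute intervals,
    then a one-hour gap followed by a dash out of the reserve."""
    resting = [(t, -25.70, 26.15, 0.0) for t in range(0, 7 * 3600 + 1, 600)]
    dash = [(7 * 3600 + 3600, -25.50, 26.15, 7.0)]
    return resting + dash
```

On the constructed sample, `evaluate` raises a prolonged_rest alarm just past the six-hour mark, a signal_lost alarm 30 minutes into the gap, and excessive_movement and outside_reserve alarms on the report that follows it.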

Rinderpest Virus Wiped Out

The BBC brings good news about the cattle plague (Rinderpest) virus — it has officially been wiped out. The virus has been blamed for widespread famine.

The World Health Organization (WHO) so far has declared only two diseases officially eradicated.

The first was smallpox caused by variola virus (VARV), which was in fact eradicated by application of cowpox. The second was cowpox or rinderpest (caused by the rinderpest virus — RPV). Smallpox had caused epidemics throughout human history with estimated death tolls in the 300-500 million range (as high as 10% of all deaths in the 20th century).

Although rinderpest was used to cure smallpox, on its own it continued causing mass death of cattle herds throughout Europe and Africa for centuries.

More than a third of the population of Ethiopia died in the 19th century, for example, after Italians introduced infected cattle from India.

Vaccination was hindered by conflict, lack of authority and perhaps even a lack of will on the part of Europeans to address the destabilization of Africa (preferring that wealth accumulation be controlled from Europe).

The BBC article points out the method used to test and eliminate the virus had to be administered locally, which meant operation in uncontrolled environmental conditions and by non-professionals.

The test, which was developed with the support of the UK’s Department for International Development, was designed to be used by local people in the field and to give reliable results within minutes. It proved highly effective and the technology has been rolled out across Africa. This was particularly important in the later stages of the programme when pockets of the virus remained in war-torn areas of southern Sudan and Somalia. Dr Mike Baron of the IAH told BBC News that it had been too dangerous for outsiders to enter those areas. Experts, he said, would train locals – so called ‘barefoot vets’ – to recognise the disease and administer vaccines. They would work with nomadic tribesmen in the regions and vaccinate herds “on the move”.

This is hugely important for the security community to understand because it highlights how distributed and centralized systems of information can interoperate: two systems of thinking, if you will, one deliberative and controlled (follow the steps handed to you) while the other is exploratory and creative (design the steps for others to follow).

The cost of infection was extremely high, as 70% of infected cattle would die. This surely gave the incentive for tests and vaccines to be taken seriously. It also probably is what enabled the broad collaboration across systems despite national, religious and ethnic diversity.

…to begin with [in the 1960s] there was little to no co-ordination. Individual countries and groups of countries would attempt to vaccinate cattle, suppressing the disease for a while. But it would then re-appear. Progress was only made [in the 1990s] once large unified projects were established to tackle the disease.

A dedicated global campaign, combined with local administration, was necessary for eradication.

Conflict in Ethiopia and Somalia in the 1980s was the main obstacle to the vaccination campaigns but there were other problems too. UC Davis has an excellent write-up about issues of trust, competition and complex economics that were overcome by an Ethiopian scientist in America armed only with an elegantly simple and stable test and vaccine.

The new vaccine proved amazingly powerful in protecting cattle, even when they were injected with 1,000 times a fatal dose of rinderpest. And it met all of Yilma’s criteria for simplicity and heat stability. Requiring no syringes or needles, the vaccine could easily be scratched onto the neck or abdomen of the animal, producing sufficient immune response to ward off the rinderpest virus. Later, the herder could just peel the scab from an animal’s immunization site, grind it up in a saline solution and, from a single calf, have 250,000 additional doses for future vaccinations.

What happens next? Here is an interesting side-note in the NYT:

Still to be decided is how much virus to keep frozen in various countries’ laboratories, along with tissue from infected animals and stocks of vaccine, which is made from live virus. Virologists like to have samples handy for research, but public health experts, fearing laboratory accidents or acts of terrorism, usually press to destroy as much as possible. The smallpox virus is officially supposed to exist only in two lab freezers, one in Atlanta and one in Moscow.

This brings me back to the Italian invasion of Ethiopia. Rinderpest has been associated with wars and invasions; arguably introduced as a form of biological warfare. The first Italian invasion of 1888 destroyed the capital and foundation of social relations in the Horn of Africa by killing 90% of livestock. Rinderpest also was followed by smallpox but the complete collapse of food sources intensified local disputes and withered resistance. Anyone who wonders if Italy could have had this role only needs to look to the second Italian invasion in 1935, which involved heavy use of mustard gas, tear gas and other agents as well as bombing of field hospitals.

Was rinderpest unintentionally carried or sent as a strategic weapon? Rinderpest is still listed as a “biological warfare” agent, so keeping it in Atlanta or Moscow seems like an incredibly high-risk practice.