[funsec] McColo: Major Source of Online Scams and Spams Knocked Offline (fwd)
---------- Forwarded message ----------
Date: Tue, 11 Nov 2008 18:22:42 -0800
From: Paul Ferguson <fergdawgster@gmail.com>
To: funsec@linuxbox.org
Subject: [funsec] McColo: Major Source of Online Scams and Spams Knocked Offline

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Via Security Fix.

[snip]

A U.S. based Web hosting firm that security experts say was responsible for facilitating more than 75 percent of the junk e-mail blasted out each day globally has been knocked offline following reports from Security Fix on evidence gathered about criminal activity emanating from the network.

For the past four months, Security Fix has been gathering data from the security industry about McColo Corp., a San Jose, Calif., based Web hosting service whose client list experts say includes some of the most disreputable cyber-criminal gangs in business today.

On Monday, Security Fix contacted the Internet providers that manage more than 90 percent of the company's connection to the larger Internet, sending them information about badness at McColo as documented by the security industry.

[snip]

More: http://voices.washingtonpost.com/securityfix/2008/11/major_source_of_online_scams_a.html

Also, more details will become available real soon now...

- - ferg

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.3 (Build 3017)

wj8DBQFJGj2hq1pz9mNUZTMRAsUaAJ4g4AzgLzD+NB9jvtlQu2kWwxY9UgCfakeM
RzvY4TKA6HqN8jePb8AJlOY=
=r3Oz
-----END PGP SIGNATURE-----

--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawgster(at)gmail.com
ferg's tech blog: http://fergdawg.blogspot.com/

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
Since 11/5, my spam load has dropped from about 400,000 attempts per day to less than 40,000! And most of this I had noted was coming from what looked like compromised web hosts (e.g. the same host/domain name representing 10 or 20 addresses in any given range). I am shocked at the sudden and dramatic downtick but also equally delighted! Way to go!

Gadi Evron wrote:
Via Security Fix.
[snip]
A U.S. based Web hosting firm that security experts say was responsible for facilitating more than 75 percent of the junk e-mail blasted out each day globally has been knocked offline following reports from Security Fix on evidence gathered about criminal activity emanating from the network.
On Nov 11, 2008, at 7:52 PM, mike wrote:
Since 11/5, my spam load has dropped from about 400,000 attempts per day to less than 40,000! And most of this I had noted was coming from what looked like compromised web hosts (e.g. the same host/domain name representing 10 or 20 addresses in any given range). I am shocked at the sudden and dramatic downtick but also equally delighted! Way to go!
Gadi Evron wrote:
Via Security Fix.
[snip]
A U.S. based Web hosting firm that security experts say was responsible for facilitating more than 75 percent of the junk e-mail blasted out each day globally has been knocked offline following reports from Security Fix on evidence gathered about criminal activity emanating from the network.
We noticed a very sudden 50% reduction yesterday. Now to see how long it lasts... -- bk
After reading this, and the (Washington Post I believe--I'm away from my laptop right now) article on this, two things are bothering me.

The article expressed a good deal of frustration with the (lack of) speed with which law enforcement has been tackling these issues. What wasn't clear was whether any attempt had been made to involve them prior to the shutdown. At the very least, it seems that this makes any prosecution more difficult. While it appears that folks did a great job of following the network connections--to nail the individuals involved you need to follow the money. Even worse, what if the FBI *was* investigating them already, and now their target has been shut down? Unless there was behind-the-scenes cooperation that hasn't been reported, someone (on either the technical or law enforcement side) was not behaving responsibly. This should have been a coordinated shutdown--simultaneously involving closing network connections and arresting individuals.

Secondly, aren't we still playing whack-a-mole here? The network controlled over a million compromised PCs. Those machines are still compromised. Since the individuals who controlled them are evidently still at large, I think it's safe to assume that the keys to those machines are still out there. If that's the case, then those machines will be up and spamming again inside of a week. The only thing that might delay that would be if the primary payment processors really were taken offline as well.

I don't want to open the "counter-virus" can of worms. But how hard would it have been to identify the control sequences for those PCs and change them to random sequences? Shutting down a central control center is good news, but taking 1.5 million PCs permanently (at least until next infection) out of a botnet would be really impressive.

Maybe more information will prove me wrong, but right now this seems more like a lost opportunity than a great success.
I was quite surprised to hear that so many operations were centralized in one place. I doubt that opportunity is going to come again. Kee Hinckley CEO/CTO Somewhere, Inc.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Wed, Nov 12, 2008 at 9:30 AM, Kee Hinckley <nazgul@somewhere.com> wrote:
After reading this, and the (Washington Post I believe--I'm away from my laptop right now) article on this, two things are bothering me.
The article expressed a good deal of frustration with the (lack of) speed with which law enforcement has been tackling these issues. What wasn't clear was whether any attempt had been made to involve them prior to the shutdown.
Don't assume what you don't know. :-)

- - ferg

p.s. McColo's upstream providers are completely within their rights to terminate connectivity if they feel that they have violated their contractual terms of service.

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.3 (Build 3017)

wj8DBQFJGxggq1pz9mNUZTMRAsAwAKCUWdQAbTEZ+O5nWA/d1ED2fGSCQQCeJMUS
PmOiEoLms6r/V1IxJqcLMlk=
=2xEG
-----END PGP SIGNATURE-----

--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawgster(at)gmail.com
ferg's tech blog: http://fergdawg.blogspot.com/
I do know that the CA AG office ignores any complaints received from the Internet Crime Complaint Center (IC3), which bars many complaints state/local LE would have received from the public about McColo. Law enforcement (in the US, anyway), by nature, is 99% reactive and 1% proactive; no complaints to LE results in no response from LE. It's hard to tell if any local/state/federal agencies knew about/were investigating McColo (it was the same with Intercage), but the bigger question is: does it really matter? How many cops does it take to throw a community lynching?

-- Nick

Nicholas R. Newman
Computer Crimes Specialist
National White Collar Crime Center
1000 Technology Drive, Suite 2130
Fairmont, WV 26554
1-877-628-7674 x2244
nnewman@nw3c.org

-----Original Message-----
From: Paul Ferguson [mailto:fergdawgster@gmail.com]
Sent: Wednesday, November 12, 2008 12:54 PM
To: Kee Hinckley
Cc: nanog@merit.edu
Subject: Re: [funsec] McColo: Major Source of Online Scams and Spams KnockedOffline (fwd)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, Nov 12, 2008 at 9:30 AM, Kee Hinckley <nazgul@somewhere.com> wrote:
After reading this, and the (Washington Post I believe--I'm away from my laptop right now) article on this, two things are bothering me.
The article expressed a good deal of frustration with the (lack of) speed with which law enforcement has been tackling these issues. What wasn't clear was whether any attempt had been made to involve them prior to the shutdown.
Don't assume what you don't know. :-)

- - ferg

p.s. McColo's upstream providers are completely within their rights to terminate connectivity if they feel that they have violated their contractual terms of service.

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.3 (Build 3017)

wj8DBQFJGxggq1pz9mNUZTMRAsAwAKCUWdQAbTEZ+O5nWA/d1ED2fGSCQQCeJMUS
PmOiEoLms6r/V1IxJqcLMlk=
=2xEG
-----END PGP SIGNATURE-----

--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawgster(at)gmail.com
ferg's tech blog: http://fergdawg.blogspot.com/
On Wed, Nov 12, 2008 at 14:16, Nick Newman <NNewman@nw3c.org> wrote:
How many cops does it take to throw a community lynching?
None. The question that remains is: Why is the community having to resort to lynching?

Following the metaphor and using the US "Old West" as an example, lynchings were largely due to one of the following:

* a lack of organized law enforcement
* a lack of effective law enforcement
* an outraged mob following the lead of a few with their own agenda in the heat of some moment

I don't think the latter point applies (though some have argued it very much does). The former two points though very much do IMO, and I think this was the point Kee was making.

To put it another way: How can we as network operators help law enforcement become more organized and effective such that lynchings are no longer needed?

I'm not convinced there's an adequate answer to that question given the current structure of "the internet", and the nature of how things work.

( I suppose there's room in there for an argument that community lynchings are the most effective way to deal with the problems that arise, though I don't think such is the case. )

-- Jason
Jason Ross wrote:
On Wed, Nov 12, 2008 at 14:16, Nick Newman <NNewman@nw3c.org> wrote:
How many cops does it take to throw a community lynching?
None. The question that remains is: Why is the community having to resort to lynching?
Following the metaphor and using the US "Old West" as an example, lynchings were largely due to one of the following:
* a lack of organized law enforcement
* a lack of effective law enforcement

The problem is that to fix either of those problems you'd have to wade through a fever swamp of "fascists online!" claims from all the pseudo-anarchists who start twitching at the thought of any agency imposing its will on the internet.

-- Jeff Shultz
I wonder how many of these "pseudo-anarchists" are bewailing the lack of regulation in the financial markets, given the events of the past couple of months? A certain amount of regulation and oversight is needed, both in the financial world and on the Internet. I am all for seeing how little we can get by with, but clearly, some is needed. On Wed, Nov 12, 2008 at 3:55 PM, Jeff Shultz <jeffshultz@wvi.com> wrote:
Jason Ross wrote:
On Wed, Nov 12, 2008 at 14:16, Nick Newman <NNewman@nw3c.org> wrote:
How many cops does it take to throw a community lynching?
None. The question that remains is: Why is the community having to resort to lynching?
Following the metaphor and using the US "Old West" as an example, lynchings were largely due to one of the following:
* a lack of organized law enforcement
* a lack of effective law enforcement

The problem is that to fix either of those problems you'd have to wade through a fever swamp of "fascists online!" claims from all the pseudo-anarchists who start twitching at the thought of any agency imposing its will on the internet.
-- Jeff Shultz
-- To him who is able to keep you from falling and to present you before his glorious presence without fault and with great joy
There's a common misconception of what LE does online (and when I say LE, I'm talking mostly state/local agencies): if you watch CSI or any other show that has anything to do with computer crimes, there is always a team of uber-geeks at every single agency (no matter how big it is) who spend 50% of their time online looking for phishing sites, CP sites, fraud sites and on and on. The real world isn't like that at all. For example, one state police agency we're familiar with has a team of *two guys* that do almost all of the computer forensics work for the *entire state*. Considering the caseload they have (if I remember correctly, a computer has a turn-around time of 6 months, a cell phone about a week; this is because every avenue a defense attorney is going to take has to be covered), there quite simply is not time to do anything proactive online (such as analyze spam to find out most of it is coming from a couple particularly nasty web hosting companies on the other side of the country). In most small agencies, the "computer forensics guy" is just the guy that knows more about computers than anyone else (read as, he figured out which port on the back of the computer was the USB port to hook up a new printer). A handful of agencies nationwide are fortunate enough to have a CSI-esque computer forensics unit, but most do not.

Let's compare these two scenarios:

1. The world-wide community of people who essentially run the Internet have had enough with a nasty webhosting company in California. They've determined that the majority of spam world-wide originates from this company offering bullet-proof hosting. So they call the upstream providers and get them cut off. NastySitesUnlimited tries to switch providers, but are disconnected again. And again. And again. A few days later, company files for bankruptcy because no one will give them an uplink to the 'net. Problem solved. End of story.

2. Some LE agency serves a search warrant for "any digital evidence" and collects hundreds of terabytes worth of data. 5 years later, after everything is processed (and during this time, things at Nasty Hosting Company have continued as normal, thanks to regular backups), charges are finally brought against some entity in the business, he gets thrown in jail for a few years and fined heavily, business gets renamed (VP takes over) and it's almost like nothing ever happened.

Which happened faster and was more effective?

On to the question about how network operators can help LE: *Collect the data that proves a company such as Intercage/McColo is harboring cybercriminals* and get with your local FBI/Secret Service field office (or your state's Attorney General's office) (or both) and submit a complaint at IC3's website (www.ic3.gov) because we have an excellent team of analysts that track information like that. Package up the evidence you have and send it out.

If we lived in a perfect world, there would be a third scenario:

3. The world-wide community of people who essentially run the Internet have had enough with a nasty webhosting company in California. So they gather an abundance of super-damning evidence and submit it to LE. LE starts an investigation with the outstanding leads provided in the package, and starts making arrests. The CEO and a few others at NastySitesUnlimited get sentenced and thrown in jail. Business at NastySitesUnlimited continues as usual until they are cut off from the Internet a few days later because no one will give them upstream service. It took a little bit longer, but the culprits are in jail and the business has been lynched.

Kee had an excellent question when he asked if anyone tried notifying LE, and the answer to that is probably not. It's hard to tell what would've happened if LE was involved (who knows, maybe SS or FBI were working on it). LE does care, it's just a matter of resources available. If you get the evidence together and in a manner that explains itself, it will get handled effectively (though probably not as fast as "Intercaging" a company).

-- Nick

Nicholas R. Newman
Computer Crimes Specialist
National White Collar Crime Center
1000 Technology Drive, Suite 2130
Fairmont, WV 26554
1-877-628-7674 x2244
nnewman@nw3c.org

-----Original Message-----
From: Jeff Shultz [mailto:jeffshultz@wvi.com]
Sent: Wednesday, November 12, 2008 3:56 PM
To: NANOG list
Subject: Re: [funsec] McColo: Major Source of Online Scams andSpams KnockedOffline (fwd)

Jason Ross wrote:
On Wed, Nov 12, 2008 at 14:16, Nick Newman <NNewman@nw3c.org> wrote:
How many cops does it take to throw a community lynching?
None. The question that remains is: Why is the community having to resort to lynching?
Following the metaphor and using the US "Old West" as an example, lynchings were largely due to one of the following:
* a lack of organized law enforcement
* a lack of effective law enforcement

The problem is that to fix either of those problems you'd have to wade through a fever swamp of "fascists online!" claims from all the pseudo-anarchists who start twitching at the thought of any agency imposing its will on the internet.

-- Jeff Shultz
On to the question about how network operators can help LE: *Collect the data that proves a company such as Intercage/McColo is harboring cybercriminals* and get with your local FBI/Secret Service field office (or your state's Attorney General's office) (or both) and submit a complaint at IC3's website (www.ic3.gov) because we have an excellent team of analysts that track information like that. Package up the evidence you have and send it out.
Excellent point. Something like the fine folks at http://hostexploit.com/ are doing. I also believe SANS has some excellent courses on forensics, and things like chain of custody etc. Not sure how much that applies to these sorts of scenarios but it can't hurt to package/handle the evidence in as compliant a manner as possible.
Something to keep in mind. I don't believe it was McColo that was the end provider of "badware" per se (and I could be proven wrong), they simply played the enabling role by hosting it and looked the other way. Now don't get me wrong, they ought to be kicked offline for externalizing their costs on the rest of us, but what criminal charges could be filed here? I'm not a lawyer but the person actually committing the crime and a person who willingly provides tools to someone committing a crime are in completely different boats. We could criminalize hosting malicious tools, but then what of nessus, nmap, wireshark and the host of security tools that are effectively "dual use"? Child porn being an obvious exception of course, but the point remains. Negligence is bad and perhaps there are criminal remedies that can be brought to bear (I'm not a lawyer, I don't play one on the intarwebs) but I would imagine they would be minor in comparison.

That said, of course this information should be turned over to law enforcement. It often is.

j

Charles Wyble wrote:
On to the question about how network operators can help LE: *Collect the data that proves a company such as Intercage/McColo is harboring cybercriminals* and get with your local FBI/Secret Service field office (or your state's Attorney General's office) (or both) and submit a complaint at IC3's website (www.ic3.gov) because we have an excellent team of analysts that track information like that. Package up the evidence you have and send it out.
Excellent point. Something like the fine folks at http://hostexploit.com/ are doing.
I also believe SANS has some excellent courses on forensics, and things like chain of custody etc. Not sure how much that applies to these sorts of scenarios but it can't hurt to package/handle the evidence in as compliant a manner as possible.
John Bambenek wrote:
Something to keep in mind. I don't believe it was McColo that was the end provider of "badware" per se (and I could be proven wrong), they simply played the enabling role by hosting it and looked the other way. Now don't get me wrong, they ought to be kicked offline for externalizing their costs on the rest of us, but what criminal charges could be filed here?
Aiding and abetting and conspiracy come to mind at the very least. Knowingly facilitating child porn should have quite a few possibilities too. But they're really hard things to prosecute on the Internet, in the face of the plausible deniability shields they work so carefully to erect.
That said, of course this information should be turned over to law enforcement. It often is.
Don't assume it hasn't already. Previously. Repeatedly. And I don't think the dust has quite settled yet.
Since McColo, et al., cutting off those miscreant customers on Wednesday, I've noticed a huge decline in connection attempts to our e-mail gateways. Even if their efforts are temporary, the change is quite noticeable. matthew black e-mail postmaster california state university, long beach
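Two of the posts above report the same thing from the gateway side: mike saw daily spam attempts fall by an order of magnitude, with much of the earlier load coming from one host name that covered 10 or 20 addresses in a range, and Matthew Black saw connection attempts to his e-mail gateways drop. The script below is an added example, not code posted by anyone in this thread, showing how either observation can be pulled out of an SMTP gateway log: it counts connection attempts per day, flags a day-over-day fall, and lists reverse-DNS names that appear on many distinct addresses inside one /24. The log lines are constructed in a simplified Postfix-style "connect from host[ip]" format; the regex and the function names are assumptions of this example, and the regex will need adjusting for a real gateway's format.

```python
"""Two checks on SMTP gateway connection logs, written as an added example
for this thread (not code from any poster). They mirror what mike and
Matthew Black reported: a sharp day-over-day fall in connection attempts,
and one reverse-DNS name covering many addresses in a single range.

The log lines below are constructed, Postfix-style "connect from host[ip]"
records; the regex is an assumption about that format and will need
adjusting for a real gateway.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample log (not real traffic). Day, process, client host[ip].
SAMPLE_LOG = """\
2008-11-10 postfix/smtpd[101]: connect from mail.example.net[203.0.113.5]
2008-11-10 postfix/smtpd[102]: connect from host.bulk-example.com[198.51.100.10]
2008-11-10 postfix/smtpd[103]: connect from host.bulk-example.com[198.51.100.11]
2008-11-10 postfix/smtpd[104]: connect from host.bulk-example.com[198.51.100.12]
2008-11-10 postfix/smtpd[105]: connect from host.bulk-example.com[198.51.100.13]
2008-11-10 postfix/smtpd[106]: connect from unknown[192.0.2.77]
2008-11-11 postfix/smtpd[107]: connect from mail.example.net[203.0.113.5]
2008-11-11 postfix/smtpd[108]: connect from host.bulk-example.com[198.51.100.10]
2008-11-11 postfix/smtpd[109]: connect from host.bulk-example.com[198.51.100.14]
2008-11-11 postfix/smtpd[110]: connect from host.bulk-example.com[198.51.100.15]
2008-11-12 postfix/smtpd[111]: connect from mail.example.net[203.0.113.5]
2008-11-12 postfix/smtpd[111]: disconnect from mail.example.net[203.0.113.5]
"""

# Only "connect from" events count; "disconnect from" lines do not match
# because the colon and space must directly precede "connect".
LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2}) .*: connect from (?P<host>[^\[]+)\[(?P<ip>[0-9.]+)\]"
)


def parse_log(text):
    """Return (day, hostname, ip) tuples for every connect event in the log."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((m["day"], m["host"], ipaddress.ip_address(m["ip"])))
    return events


def daily_connection_counts(events):
    """Connection attempts per day, keyed by ISO date string."""
    return dict(Counter(day for day, _, _ in events))


def day_over_day_drops(counts, ratio=0.5):
    """Days whose count fell below `ratio` of the previous logged day's.

    Returns (day, previous_count, count) tuples. Days with no log lines at
    all are simply absent, so a gap in logging is not reported as a drop.
    """
    days = sorted(counts)
    return [
        (cur, counts[prev], counts[cur])
        for prev, cur in zip(days, days[1:])
        if counts[cur] < ratio * counts[prev]
    ]


def clustered_hostnames(events, min_addresses=3):
    """Reverse-DNS names seen on min_addresses or more distinct IPv4 addresses
    inside one /24 (the "same host name, 10 or 20 addresses in a range"
    pattern). Keys are ("a.b.c.0/24", hostname); values are address counts."""
    seen = defaultdict(set)
    for _, host, ip in events:
        if ip.version != 4:
            continue  # the /24 grouping is IPv4-specific
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        seen[(str(net), host)].add(ip)
    return {key: len(ips) for key, ips in seen.items() if len(ips) >= min_addresses}


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    counts = daily_connection_counts(ev)
    for day in sorted(counts):
        print(day, counts[day])
    for day, before, after in day_over_day_drops(counts):
        print(f"drop on {day}: {before} -> {after}")
    for (net, host), n in clustered_hostnames(ev).items():
        print(f"{host} seen on {n} addresses in {net}")
```

On the constructed sample this reports a fall from 4 to 1 attempts on 2008-11-12 and one name, host.bulk-example.com, spread across six addresses in 198.51.100.0/24. The threshold of three addresses is deliberately low for the small sample; on a real gateway the 10-to-20 figure from the thread is a more sensible starting point, and the host-name check is worth running on the days before a drop as well as after, since the clusters are what identify which ranges went quiet.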
I would agree, a tedious drop. The image is from one of our gateways.

-----Original Message-----
From: Matthew Black [mailto:black@csulb.edu]
Sent: Friday, November 14, 2008 10:56 AM
To: NANOG list
Subject: Re: [funsec] McColo: Major Source of Online Scams andSpamsKnockedOffline (fwd)

Since McColo, et al., cutting off those miscreant customers on Wednesday, I've noticed a huge decline in connection attempts to our e-mail gateways. Even if their efforts are temporary, the change is quite noticeable.

matthew black
e-mail postmaster
california state university, long beach
On Fri, 14 Nov 2008, Dave Larter wrote:
I would agree, a tedious drop. The image is from one of our gateways.
Spam will be back. The value is that we see networks no longer willing to accept bad apples among them. There are other pros and cons, but if nothing else, it's a moral victory and makes some of us feel good--finally.
-----Original Message----- From: Matthew Black [mailto:black@csulb.edu] Sent: Friday, November 14, 2008 10:56 AM To: NANOG list Subject: Re: [funsec] McColo: Major Source of Online Scams andSpamsKnockedOffline (fwd)
Since McColo, et al., cutting off those miscreant customers on Wednesday, I've noticed a huge decline in connection attempts to our e-mail gateways. Even if their efforts are temporary, the change is quite noticeable.
matthew black e-mail postmaster california state university, long beach
I agree, yes it will, but it was nice to see proven the ability to fight the trash out there. Actually, coincidentally I was installing new AV SW on our pub DNS and SMTP gateways the same time they got their plug pulled, I thought I was breaking stuff on my end, but not as the news hit the list a short time after I started updating. And in my previous post I meant tremendous drop.

-----Original Message-----
From: Gadi Evron [mailto:ge@linuxbox.org]
Sent: Friday, November 14, 2008 6:36 PM
To: Dave Larter
Cc: Matthew Black; NANOG list
Subject: RE: [funsec] McColo: Major Source of Online Scams andSpamsKnockedOffline (fwd)

On Fri, 14 Nov 2008, Dave Larter wrote:
I would agree, a tedious drop. The image is from one of our gateways.
Spam will be back. The value is that we see networks no longer willing to accept bad apples among them. There are other pros and cons, but if nothing else, it's a moral victory and makes some of us feel good--finally.
-----Original Message----- From: Matthew Black [mailto:black@csulb.edu] Sent: Friday, November 14, 2008 10:56 AM To: NANOG list Subject: Re: [funsec] McColo: Major Source of Online Scams andSpamsKnockedOffline (fwd)
Since McColo, et al., cutting off those miscreant customers on Wednesday, I've noticed a huge decline in connection attempts to our e-mail gateways. Even if their efforts are temporary, the change is quite noticeable.
matthew black e-mail postmaster california state university, long beach
Personally, I haven't been to any SANS courses, but I have a few coworkers who have and have been nothing but impressed with their material. They have an incident response class that deals with packaging up material for LE (what's important and what's not-so-much, forensic "soundness", and chain-of-custody).

Nicholas R. Newman
Computer Crimes Specialist
National White Collar Crime Center
1000 Technology Drive, Suite 2130
Fairmont, WV 26554
1-877-628-7674 x2244
nnewman@nw3c.org

-----Original Message-----
From: Charles Wyble [mailto:charles@thewybles.com]
Sent: Wednesday, November 12, 2008 5:29 PM
To: NANOG list
Subject: Re: [funsec] McColo: Major Source of OnlineScams andSpams KnockedOffline (fwd)
On to the question about how network operators can help LE: *Collect the data that proves a company such as Intercage/McColo is harboring cybercriminals* and get with your local FBI/Secret Service field office (or your state's Attorney General's office) (or both) and submit a complaint at IC3's website (www.ic3.gov) because we have an excellent team of analysts that track information like that. Package up the evidence you have and send it out.
Excellent point. Something like the fine folks at http://hostexploit.com/ are doing. I also believe SANS has some excellent courses on forensics, and things like chain of custody etc. Not sure how much that applies to these sort of scenarios but it can't hurt to package/handle the evidence in as compliant a manner as possible.
On Wednesday 12 November 2008 21:52:12 Nick Newman wrote:
Let's compare these two scenarios:
1. The world-wide community of people who essentially run the Internet have had enough with a nasty webhosting company in California. They've determined that the majority of spam world-wide originates from this company offering bullet-proof hosting. So they call the upstream providers and get them cut off.
2. Some LE agency serves a search warrant for "any digital evidence" and collects hundreds of terabytes of worth of data. 5 years later....
These aren't mutually exclusive.
nw3c.org
Grr - those stupid DreamWeaver menus that only work in 66% of browsers.
Jason Ross wrote:
On Wed, Nov 12, 2008 at 14:16, Nick Newman <NNewman@nw3c.org> wrote:
How many cops does it take to throw a community lynching?
None. The question that remains is: Why is the community having to resort to lynching?
I think we're using the wrong metaphors here. A community lynching would be storming his datacenter and setting his servers on fire. That didn't happen. A better metaphor would be a rowdy patron in an upscale bar attempting to deal drugs and being tossed out by the bouncer. Although dealing drugs is illegal, the people in the bar are more concerned about getting rid of the jerk than throwing his butt in jail (although that would be nice as well). If law enforcement is busy with gang warfare in another part of town, their priority in responding to a rowdy in a bar is going to be low, especially if there's a bouncer who is capable of dealing with the problem. -- Jay Hennigan - CCIE #7880 - Network Engineering - jay@impulse.net Impulse Internet Service - http://www.impulse.net/ Your local telephone and internet company - 805 884-6323 - WB6RDV
Don't confuse contract enforcement with law enforcement. The word "lynching" or "vigilante" suggests that the enforcer of "justice" is breaking the law. But there's no indication that the service providers who've cut their customers off have done anything but follow the provisions in their contracts. As said elsewhere, contract enforcement is generally more effective.

Frank

-----Original Message-----
From: Jason Ross [mailto:algorythm@gmail.com]
Sent: Wednesday, November 12, 2008 1:45 PM
To: Nick Newman
Cc: nanog@merit.edu; Kee Hinckley
Subject: Re: [funsec] McColo: Major Source of Online Scams and Spams KnockedOffline (fwd)

On Wed, Nov 12, 2008 at 14:16, Nick Newman <NNewman@nw3c.org> wrote:
How many cops does it take to throw a community lynching?
None. The question that remains is: Why is the community having to resort to lynching?

Following the metaphor and using the US "Old West" as an example, lynchings were largely due to one of the following:

* a lack of organized law enforcement
* a lack of effective law enforcement
* an outraged mob following the lead of a few with their own agenda in the heat of some moment

I don't think the latter point applies (though some have argued it very much does). The former two points though very much do IMO, and I think this was the point Kee was making.

To put it another way: How can we as network operators help law enforcement become more organized and effective such that lynchings are no longer needed?

I'm not convinced there's an adequate answer to that question given the current structure of "the internet", and the nature of how things work.

( I suppose there's room in there for an argument that community lynchings are the most effective way to deal with the problems that arise, though I don't think such is the case. )

-- Jason
On Wed, 12 Nov 2008, Kee Hinckley wrote:
After reading this, and the (Washington Post I believe--I'm away from my laptop right now) article on this, two things are bothering me.
The article expressed a good deal of frustration with the (lack of) speed with which law enforcement has been tackling these issues. What wasn't clear was whether any attempt had been made to involve them prior to the shutdown. At the very least, it seems that this makes any prosecution more difficult. While it appears that folks did a great job of following the network connections--to nail the individuals involved you need to follow the money. Even worse, what if the FBI *was* investigating them already, and now their target has been shut down? Unless there was behind-the-scenes cooperation that hasn't been reported, someone (on either the technical or law enforcement side) was not behaving responsibly. This should have been a coordinated shutdown--simultaneously involving closing network connections and arresting individuals.
Secondly, aren't we still playing whack-a-mole here? The network controlled over a million compromised PCs. Those machines are still compromised. Since the individuals who controlled them are evidently still at large, I think it's safe to assume that the keys to those machines are still out there. If that's the case, then those machines will be up and spamming again inside of a week. The only thing that might delay that would be if the primary payment processors really were taken offline as well. I don't want to open the "counter-virus" can of worms. But how hard would it have been to identify the control sequences for those PCs and change them to random sequences? Shutting down a central control center is good news, but taking 1.5 million PCs permanently (at least until next infection) out of a botnet would be really impressive.
Maybe more information will prove me wrong, but right now this seems more like a lost opportunity than a great success. I was quite surprised to hear that so many operations were centralized in one place. I doubt that opportunity is going to come again.
All your points sound valid to me, but I am already proved wrong that while I believed this to be a great precedent and a strategic move... it wouldn't happen again. It did... twice, since Atrivo, EstDomains (kinda) and now McColo.
Kee Hinckley CEO/CTO Somewhere, Inc.
On Wed, Nov 12, 2008 at 11:30:45AM -0600, Kee Hinckley wrote:
The article expressed a good deal of frustration with the (lack of) speed with which law enforcement has been tackling these issues.
Law enforcement is almost a complete non-factor in dealing with online abuse. Action is erratic, slow and incompetent at best; it tends to only happen when one of four things is true: (a) someone's running for office (b) positive PR is needed (c) a government has been publicly embarrassed and needs a scapegoat or (d) someone with sufficient political connections, money, and/or power wants it. And even when it happens, it's ineffective: for example, token prosecutions of spammers have done nothing to make the spam problem any better. Multiple spyware vendors have settled their cases for pitifully small sums and then gone right back to work.

But even if that weren't true, even if law enforcement worldwide had adequate staff, resources, training, clue, etc. to attempt something useful -- the necessary legal framework really doesn't exist. Abusers can dissolve their shadow companies, form new ones, relocate (possibly across international borders), modify their tactics, etc.

Peer-to-peer action continues to be the best available option -- one that needs to be exercised far more often.

---Rsk
The more we allow Gadi Evron to post the more this list turns into a rehash of digg and reddit news aggregation web sites. On Wed, Nov 12, 2008 at 2:37 AM, Gadi Evron <ge@linuxbox.org> wrote:
---------- Forwarded message ---------- Date: Tue, 11 Nov 2008 18:22:42 -0800 From: Paul Ferguson <fergdawgster@gmail.com> To: funsec@linuxbox.org Subject: [funsec] McColo: Major Source of Online Scams and Spams Knocked Offline
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Via Security Fix.
[snip]
A U.S. based Web hosting firm that security experts say was responsible for facilitating more than 75 percent of the junk e-mail blasted out each day globally has been knocked offline following reports from Security Fix on evidence gathered about criminal activity emanating from the network.
For the past four months, Security Fix has been gathering data from the security industry about McColo Corp., a San Jose, Calif., based Web hosting service whose client list experts say includes some of the most disreputable cyber-criminal gangs in business today.
On Monday, Security Fix contacted the Internet providers that manage more than 90 percent of the company's connection to the larger Internet, sending them information about badness at McColo as documented by the security industry.
[snip]
More: http://voices.washingtonpost.com/securityfix/2008/11/major_source_of_online_scams_a.html
Also, more details will become available real soon now...
- - ferg
-----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.3 (Build 3017)
wj8DBQFJGj2hq1pz9mNUZTMRAsUaAJ4g4AzgLzD+NB9jvtlQu2kWwxY9UgCfakeM RzvY4TKA6HqN8jePb8AJlOY= =r3Oz -----END PGP SIGNATURE-----
-- "Fergie", a.k.a. Paul Ferguson Engineering Architecture for the Internet fergdawgster(at)gmail.com ferg's tech blog: http://fergdawg.blogspot.com/ _______________________________________________ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.
n3td3v wrote:
The more we allow Gadi Evron to post the more this list turns into a rehash of digg and reddit news aggregation web sites.
Well, I'll just drop off the list so you can talk uninterrupted about Important Operational Matters like "who's got a freebie DSL connection for me in Inner Sweatsock, Mumbolia?"
participants (20)

- Brian Keefer
- Charles Wyble
- Chris Lewis
- Dave Larter
- Frank Bulk
- Gadi Evron
- Jason Ross
- Jay Hennigan
- Jeff Shultz
- John Bambenek
- Kee Hinckley
- Larry Sheldon
- Matthew Black
- mike
- n3td3v
- Nick Newman
- Paul Ferguson
- Rich Kulawiec
- Simon Waters
- Steven Fischer