Korean Banks

The Washington Post reports that the attack on South Korea’s Nonghyup agricultural bank back in April appears to have been the work of North Korea. The evidence?

South Korean investigators said they determined that 10 servers used in the bank incident were the same ones used in previous cyberattack operations against South Korea, including one in 2009 and another in March, that they blamed on the North. Investigators say they determined, for instance, that a “command and control” server used in the 2009 operation was registered to a North Korean government agency operating in China.

This is interesting. Command and control servers are computers, often themselves compromised, that attackers use to direct other compromised machines, the zombies that actually do the grunt work. There’s definitely a common thread between the 2009 and 2011 DDOS attacks, and plenty of circumstan

Southeast Asia’s Third Mobile Tier

The mobile revolution is moving from second tier countries in Southeast Asia to the third and final tier. Whereas previously Indonesia and the Philippines were seeing the biggest growth in mobile Internet traffic, now it’s Burma (Myanmar) and Cambodia which top the list in terms of user- and usage-growth, according to the Opera State of the Mobile Web report for July:

    • Myanmar and Cambodia lead the top 10 countries of the region in terms of page-view growth (6415.0 % and 470.1 %, respectively).
    • Myanmar and Cambodia lead the top 10 countries of the region in growth of unique users (1207.5 % and 179.1 %, respectively).
    • Myanmar and Cambodia lead the top 10 countries of the region in growth of data transferred (3826.6 % and 353.2 %, respectively).

Of course these figures are from a low base, and the Opera data is not the easiest to trawl through. (The Opera mobile report is always interesting reading, so long as you take into account that for many people the Opera browser is a Symbian browser, and so of declining popularity in some quarters. Also their data is never presented in quite the order one would like, so you have to dig.)

Looking at the figures in more detail, and throwing them into a spreadsheet of my own, it’s clear that Burma is definitely an outlier. Cambodia’s growth is impressive, but Burma’s is by far the greatest out of all 27 countries surveyed. Here’s how it looks:

2011-07 Page view growth SEA

So is the Burma usage real, or is this just a jump from nothing to slightly more than nothing? I suspect it may actually be a sizeable jump. Opera are coy about the actual number of users (so we may actually be dealing with a small dataset). But the figures suggest that this is a real spurt in usage: Burmese mobile users are transferring more data per page view than any other of the 27 countries surveyed, and the page views per user is on a par with the Philippines and Thailand.

I’d cautiously suggest that Burma, along with Cambodia and Laos, is beginning to exhibit some of the signs of what one might pompously call a “mobile society”: using the mobile phone as an Internet device as a regular part of daily activity. Take the page views per user, for example, which measures how much people are using the mobile phone to view the Internet (Brunei seems to be in a league of its own; I don’t know what’s going on there, except that in terms of nightlife, I’d have to say not much):

2010-07 Page views per user SEA

It’s probably too much to conclude that mobile phones as Internet devices are now mainstream in this third tier of the region, but it’s a healthy sign, with lots of interesting implications.

Libya: We’re Back. Iran: We’re Not

In its latest quarterly report Opera looks at how quickly Libyans have gone back online with their mobile devices after six months in the dark. The graphic pretty much sums it up:

Talking of Internet blocking, Opera noticed that Iran continues to mess with Internet access for its citizens:

While we can speculate on government intervention or an operator shutting down Opera Mini access, the numbers are striking. Opera Mini usage in Iran dropped 36% in July. Most of the user loss occurred over five days, from July 4th to July 9th. Iran is no stranger to these quick drops. After reaching new highs, Opera Mini usage drops quickly. On June 14, 2011, Opera Mini reached an all-time high in Iran. The next day, usage plummeted more than 48%.

One can indeed only speculate, but the June plummet may have to do with the June 12 second anniversary of the 2009 election, when marchers took to the streets [Inter Press Service report via Asia Times]. (The lag between the Sunday June 12 march, the spike in traffic two days later, and then the plummet could be explained either by the marchers using their cellphones and then losing interest, or by the sudden interest of the security services in curtailing mobile traffic to disrupt further planned marches.)

The July drop in traffic I can’t explain: I’ve looked for events around that time, but can’t find any.

Southeast Asia’s Viral Infection

Southeast Asia is fast developing a reputation as the most dangerous place on the Internet. It’s not a reputation the region can afford to have.

By one count Thailand has, in the past few months, become the country with the highest rate of malware infection, and by another the second highest.

PandaLabs’ report on the second quarter of 2011 [PDF] lists Thailand as having the second highest rate of malware infection (after China), with nearly 57% of computers scanned by their antivirus software found to be infected. The global average is about 40%. Thailand was second in the previous quarter too, but with an even higher infection rate, of 65%. Most of these infections seem to come from worms.

Indeed, this trend seems to have started last year. The AntiPhishing Working Group’s report for the second half of 2010 lists Thailand as the most infected country, at nearly 67%, higher than China’s 63%. (I should point out that the chief analyst for the APWG is Luis Corrons, who is technical director of PandaLabs, so the source of this data may actually be one place.)

Indonesia, meanwhile, now equals the United States as the highest single source of Distributed Denial of Service attacks, according to data from Kaspersky (Expect More DDoS Attacks Tomorrow, published on Monday):

The US and Indonesia topped the rating with each country accounting for 5% of all DDoS traffic. The US’s leading position is down to the large number of computers in the country – a highly attractive feature for botmasters. Meanwhile, the large number of infected computers in Indonesia means it also ranks highly in the DDoS traffic rating. According to data from Kaspersky Security Network, Kaspersky Lab’s globally-distributed threat monitoring network, in Q2 2011 almost every second machine (48%) in Indonesia was subjected to a local malware infection attempt.

A couple of points here:

  • Indonesia has far fewer computers connected to the Internet than the U.S.: about 40 million vs 245 million. This means that Indonesia is generating 5 times as much DDOS traffic per computer as the U.S.
  • The discrepancies in the infection rates between Kaspersky and Panda are artifacts of the way these companies measure these things. Basically, as far as I understand, they gather data from users, so a lot depends on just how popular that particular piece of antivirus software is in the country, and on factors such as the likelihood of people actually using antivirus software.

The Kaspersky report shows that Southeast Asia features heavily in the proportion of DDOS traffic:

  • Indonesia 5%
  • Philippines 4%
  • Vietnam 4%
  • Thailand 4%
  • Singapore 4%
  • Malaysia 3%

Internet traffic optimizer Akamai, meanwhile, reported that [PDF, may have to answer a short survey before reading] Burma (Myanmar) accounted for 13% of the world’s attack traffic (i.e. DDOS traffic). This was the first time that Burma appeared on the list. I’ve spoken to Akamai and they’re not clear why this is the case, but they did point to the fact that their data covers the first quarter of 2011, a few months after a massive DDOS attack on Burma which happened to coincide with the country’s elections.

The suspicion at the time was that this was self-inflicted: basically pro-government hackers preventing Burmese from using the Internet to get alternative sources of election information. Makes sense. Akamai’s theory is that the traffic they saw in the first quarter of this year was residual traffic from those massive attacks. But the truth is that no one knows.

More generally, it’s not good that Southeast Asia is now becoming this malware and DDOS capital. There are lots of reasons for it, which I’ll be exploring as part of a project in the months to come.

Full version of the Kaspersky report: DDoS attacks in Q2 2011 – Securelist

Using Google to Predict the Future

An elegantly simple proposal for measuring economic confidence turns up in The Economist’s search for quirky indicators: U.S. Google searches for “gold price”, in the piece Alternative indicators: Behind the bald figures:

But the hottest tip came from Edward Ritchie, an investment analyst in London. He tracks Google searches for the “gold price” as an indicator of economic confidence. This does not follow the gold price itself. For example, during most of 2008 when the world’s financial system was melting down, the gold price tumbled yet the number of searches soared. The number of gold-price searches shoots up when American consumer confidence dives and subsides when households perk up again (see chart). That makes it a handy device for spotting turning-points in economic confidence, with the added advantage that the data are available earlier than for conventional survey-based figures. Worryingly, the number of searches has recently vaulted above its 2008 peak, signalling the possibility of a double dip.

Here’s the graph:

I’m a big fan of using Google search to measure, track and predict things. A few of my previous posts on the matter. And no, I’ve not made any money so far out of this crystal ball.

How To Use Google To Get Round Super Injunctions

Technorati’s Decline, Death of Blogging?

Googling the Tsunami

Google’s Suicide Watch: where I googled the word “suicide”

Has Quora Peaked?

Fail, Seinfeld and Tina Fey: A Zeitgeist

The Financial Crisis in Charts

Hoodiephobia, Or We Don’t Lie to Google

And this one from 2006: Mapping Trends With Google

The Battery DDOS: Tip of An Iceberg

An interesting story brewing about the FBI investigating a DDOS (Distributed Denial of Service) attack on websites selling batteries. But the reporting does not go far enough: In fact, a little research reveals this is part of a much bigger assault on a range of industries.

As a starting point, look at Elinor Mills of the excellent Insecurity Complex at CNET:

U.S. battery firms reportedly targeted in online attack | InSecurity Complex – CNET News: “The FBI is investigating denial-of-service attacks targeting several U.S. battery retail Web sites last year that were traced to computers at Russian domains in what looks like a corporate-sabotage campaign, according to documents published yesterday by The Smoking Gun.”

But a closer look at the source documents suggests this is just the tip of a much bigger iceberg. The Smoking Gun incorrectly reports the email address used by the alleged hacker, a St Petersburg man called Korjov Sergey Mihalivich, as lvf56fre@yahoo.com. In fact, the FBI lists it as lvf56kre@yahoo.com, which yields much more interesting results. Such as this one, from ShadowServer.

ShadowServer shows that the domains under that person’s control, globdomain.ru (not globdomian.ru as reported by the Smoking Gun) and greenter.ru, have been prolific since 2010 in launching DDOS attacks against 14 countries and more than 30 industries and government websites. An update from ShadowServer in January 2011 counted 170 “different victims. Again, these attacks are across many different industries and target some rather high profile sites.” (It doesn’t identify them.)

The DDOS attacks use the BlackEnergy botnet, described by Arbor Networks’ Jose Nazario in a 2007 paper [PDF]. Back then Nazario reported the botnet’s C&C systems were hosted in Malaysia and Russia.

The same email address used for those two domains has registered other domains: trashdomain.ru, which has been recorded as the host for a Trojan dropper called Microjoin.
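The step described above, finding further domains tied to the same registrant address, is a standard infrastructure pivot. Here is an added example of that pivot in Python; it is not code from the post or from ShadowServer. The records are a constructed sample built only from the domains and addresses the post names (no real WHOIS data), and the function names are my own. It also shows why getting the indicator exactly right matters: the mistyped address reported by the Smoking Gun matches nothing.

```python
"""Pivot on a registrant e-mail address across domain registration records.

Added example. The records below are a CONSTRUCTED sample using only the
domains and e-mail addresses named in the post; they are not real WHOIS output.
"""
from collections import defaultdict

# Constructed sample records: (domain, registrant e-mail, note on provenance).
SAMPLE_RECORDS = [
    ("globdomain.ru", "lvf56kre@yahoo.com", "named in post as a DDOS-launching domain"),
    ("greenter.ru", "lvf56kre@yahoo.com", "named in post as a DDOS-launching domain"),
    ("trashdomain.ru", "lvf56kre@yahoo.com", "named in post as host of the Microjoin dropper"),
    ("unrelated-filler.example", "someone-else@example.com", "constructed filler record"),
]


def normalise(value):
    """Registrant e-mails and domains compare case-insensitively."""
    return value.strip().lower()


def index_by_registrant(records):
    """Build {registrant e-mail: sorted list of domains} from registration records."""
    index = defaultdict(set)
    for domain, email, _note in records:
        index[normalise(email)].add(normalise(domain))
    return {email: sorted(domains) for email, domains in index.items()}


def pivot_on_registrant(records, email):
    """Every domain in `records` registered with the given e-mail address."""
    return index_by_registrant(records).get(normalise(email), [])


def siblings_of_domain(records, domain):
    """Two-hop pivot: domain -> its registrant e-mail -> all other domains of that registrant."""
    wanted = normalise(domain)
    siblings = set()
    for dom, email, _note in records:
        if normalise(dom) == wanted:
            siblings.update(pivot_on_registrant(records, email))
    siblings.discard(wanted)
    return sorted(siblings)


def compare_indicators(records, reported, listed):
    """Result for a mistyped indicator beside the result for the correct one."""
    return pivot_on_registrant(records, reported), pivot_on_registrant(records, listed)


if __name__ == "__main__":
    wrong, right = compare_indicators(SAMPLE_RECORDS, "lvf56fre@yahoo.com", "lvf56kre@yahoo.com")
    print("mistyped address (Smoking Gun):", wrong)
    print("address as listed by the FBI:  ", right)
    print("siblings of globdomain.ru:     ", siblings_of_domain(SAMPLE_RECORDS, "globdomain.ru"))
```

In practice the same pivot runs over historical WHOIS or passive-DNS exports rather than a hand-built list, and privacy-redacted registrant fields will leave gaps; the point the post makes still holds, that a one-character error in the indicator turns a productive pivot into an empty result.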

In other words, this is about a lot more than batteries. This appears to be DDOS for rent to businesses wanting to take out rivals in a host of fields. Indeed, the FBI investigation makes this clear, and cites the $600,000 damage caused as including attacks on “a wide range of businesses located in the United States.” (This does not include the dozen other countries affected, hence, presumably, the quite low sum involved.)

The batteries attack took place in October 2010, but the FBI document makes clear that as of May 2011 the attacks were still going on.

At present it’s not clear who is behind these attacks–in other words, who is paying for them. This could be a ransom attack–pay up or we will keep DDOSing–but this doesn’t seem to be the case, as Batteries4less.com Chief Executive Coryon Redd doesn’t mention any such approach in an interview with Mills. He seems to believe that “[t]he competitor is going to be U.S.-based and contracting out with a bad guy in Russia.”

Could be right. In which case the investigation has stumbled on a dark world of business tactics stretching from banking to astrology consultants. More research needed, please.

The New Attack: Penetrate and Tailor

In its latest security report Cisco identifies a trend I hadn’t heard of before among malware writers: closer inspection of the computers they’ve successfully penetrated to see whether there’s something interesting there, and then, if there is, targeting that company (or organisation) with a more tailored follow-up attack:

Attackers can—and do—segregate infected computers into interest areas and modify their methods accordingly. For example, after initial infection by a common downloader Trojan, subsequent information may be collected from infected machines to identify those systems more likely to lead to sensitive information. Subsequently, those “interesting” machines may be delivered an entirely different set of malware than would other “non-interesting” computers.

This is, as Cisco says, a pretty good example of that much maligned term, the Advanced Persistent Threat. Unfortunately they don’t give more concrete examples. But it seems as if the most targeted sector is the pharmaceuticals and chemical industry: 500% more than the median infection rate, or twice the next industry, oil and gas.

On DoS (Denial of Service) attacks, Cisco says that “while once largely prank-related, DoS attacks are increasingly politically and financially motivated.” It doesn’t add more, unfortunately, and much of the rest of the report is sales-pitch. I’ll try to get more out of them, because there might be some interesting trends lurking behind the rather thin data.

Podcast: Bad Things

The BBC World Service Business Daily version of my piece on link scams. (The Business Daily podcast is here.)


To listen to Business Daily on the radio, tune into BBC World Service at the following times, or click here.

Australasia: Mon-Fri 0141*, 0741
East Asia: Mon-Fri 0041, 1441
South Asia: Tue-Fri 0141*, Mon-Fri 0741
East Africa: Mon-Fri 1941
West Africa: Mon-Fri 1541*
Middle East: Mon-Fri 0141*, 1141*
Europe: Mon-Fri 0741, 2132
Americas: Tue-Fri 0141*, Mon-Fri 0741, 1041, 2132

Thanks to the BBC for allowing me to reproduce it as a podcast.

Taking Shady RAT to the Next Level

I know I’ve drawn attention to this before, but the timeline of McAfee’s Operation Shady RAT by Dmitri Alperovitch raises questions again about WikiLeaks’ original data.

Alperovitch points out that their data goes back to mid-2006:

We have collected logs that reveal the full extent of the victim population since mid-2006 when the log collection began. Note that the actual intrusion activity may have begun well before that time but that is the earliest evidence we have for the start of the compromises.

This was around the time that Julian Assange was building up WikiLeaks’ content; he recounted in emails at the time that his hard drives were filling up with eavesdropped documents:

We have received over 1 million documents from 13 countries, despite not having publicly launched yet! (Wikileaks Leak, Jan, 2007)

Although Assange has since denied the material came from eavesdropping, it seems clear that it was, until McAfee’s report, the earliest example of a significant trove of documents and emails stolen by China-based hackers. This may have been the same channel stumbled upon a year later by Egerstad (Dan Egerstad’s Tor exit nodes get him arrested and proves a point I made in July | ZDNet).

There were, however, reports in mid 2006 of large-scale theft of documents: State Dept (May), NIPRNet (June), US War College (Sept) and German organisations (October).

I would like to see more data from McAfee and, in the interests of transparency, at least the metadata from the still unrevealed WikiLeaks stash, in order to do some note comparing and triangulation. I’d also like to see this material compared with the groundbreaking work by three young Taiwanese white hats, who have sifted through malware samples to try to group together some of these APTs: APT Secrets in Asia – InSun’s journal – NetEase Blog.

The work has just begun.

Getting Paid for Doing Bad Things (12″ version)

This is the extended version of my earlier blog post. The BBC finally ran my commentary so for those of you who want more info, here it is:

Think of it as product placement for the Internet. It’s been around a while, but I just figured out how it works, and it made me realise that the early dreams of a blogging utopia on the web are pretty much dead.

Here’s how this kind of product placement works. On the Internet Google is like a benevolent dictator: it creates great stuff we love, without which much of the net wouldn’t work. But it also wields great power, at least if you’re someone trying to make money off the web. Because if you don’t show up in Google’s search results, then you’re nobody. It’s the equivalent of exile, or solitary confinement, or something.

A lot of money is spent, therefore, in gaming your website’s position in Google’s rankings. But you have to be careful. Google also spends a lot of money tweaking its algorithms so that the search results you get are not gamed. Threat of exile is usually enough to keep most web players in line.

But because Google doesn’t issue a set of rules, and doesn’t explain why it exiles web sites, the gray area is big. And this is where the money is made.

One of the mini industries is something called link building. Google reckons a site with lots of links to it is a popular site, so it scores highly. So if you can get lots of sites to link to yours, you’re high up in the results.
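To make the mechanism concrete, here is an added example, written for this post and not the post’s own code, nor Google’s ranking system: a toy implementation of the PageRank idea (score flows from a page to the pages it links to, with a damping factor for random jumps), which is the link-based scoring Google publicly described. The five-page link graph, the page names and the “paid link” are constructed. It shows what a link seller is really selling: once a well-linked page adds one link to an otherwise unlinked “client”, the client’s score jumps several-fold, exactly as if the blog had genuinely recommended it.

```python
"""Toy PageRank to show why a link from a well-linked page lifts a site's score.

Added example with a CONSTRUCTED link graph; this is the PageRank idea only,
not Google's actual ranking, which uses many more signals.
"""


def pagerank(links, damping=0.85, iterations=100):
    """Power-iteration PageRank over a dict {page: [pages it links to]}.

    Each page keeps (1 - damping)/n of score from random jumps and passes
    damping * its score, split evenly, to the pages it links to. Pages with no
    outbound links ("dangling" pages) spread their score evenly over all pages,
    so the scores always sum to 1.0.
    """
    nodes = sorted(set(links) | {t for targets in links.values() for t in targets})
    n = len(nodes)
    rank = {p: 1.0 / n for p in nodes}
    for _ in range(iterations):
        dangling = sum(rank[p] for p in nodes if not links.get(p))
        base = (1.0 - damping) / n + damping * dangling / n
        new = {p: base for p in nodes}
        for p in nodes:
            targets = links.get(p, [])
            if targets:
                share = damping * rank[p] / len(targets)
                for t in targets:
                    new[t] += share
        rank = new
    return rank


# Constructed graph: three pages link to "blog", which genuinely recommends
# "a" and "b". "c" and "client" have no inbound links at all.
BEFORE = {
    "a": ["blog"],
    "b": ["blog"],
    "c": ["blog"],
    "blog": ["a", "b"],
    "client": [],
}


def with_paid_link(graph, seller, buyer):
    """Copy of the graph with one extra link seller -> buyer (the sold plug)."""
    new = {page: list(targets) for page, targets in graph.items()}
    new.setdefault(seller, []).append(buyer)
    return new


AFTER = with_paid_link(BEFORE, "blog", "client")


def lift(page, before, after):
    """Factor by which `page`'s score rises once the extra link exists."""
    return pagerank(after)[page] / pagerank(before)[page]


if __name__ == "__main__":
    for label, graph in (("before", BEFORE), ("after", AFTER)):
        scores = pagerank(graph)
        ordered = sorted(scores.items(), key=lambda kv: -kv[1])
        print(label, [(p, round(s, 3)) for p, s in ordered])
    print("client lift:", round(lift("client", BEFORE, AFTER), 2))
```

The toy graph treats the sold link like any other, which is the whole point of the trade. Marking a sold link with rel="nofollow" keeps it out of this score flow, which is what Google’s guidelines ask of paid links, and is precisely what the link builders do not want.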

Now it just so happens that some of the pages on my modest decade-old blog score quite highly here. So I suppose it was inevitable that link building companies would seek me out.

A British company, for example, called More Digital offered me a fixed upfront annual fee for a “small text-based ad” on my website. As intriguing was the blurb at the bottom of the email:

You must not disclose, copy, distribute or take any action in reliance on this e-mail or any attachments. Views or opinions presented in this e-mail are solely those of the author and do not necessarily represent those of More Digital.

Clearly these guys mean business, I thought, so I wrote back to Alicia Ross. She was excited to hear from me, and offered two options: one was a simple link in my collection of recommended web sites. The idea would be that I would include a link to their client’s website–whoever it was–alongside my real recommendations.

The other was “one page simple text”:

The advert will be text, not a visual banner. It will appear in the content, and only on a single page of your website. Our writers will provide you with a copy that will fit naturally into your existing content.

(I think she means “copy” rather than “a copy”). For this I would earn $200 a year per ad if the client was a poker, casino or bingo site;

Now in Internet terms this is big money. It would take me a month or so to make that kind of dosh on simple Google ads on my website. Now they’re talking about one simple text link and I get the cash in two days!

But hang on a minute. There’s that ethics thing in the back of my mind. I have to listen to it a second.

The first one I’m not crazy about: What’s the point of a collection of recommended links if I don’t actually recommend them myself?

But the second one took some getting my head around. I couldn’t figure out what she had in mind, so I asked her. And this is when I started to get really depressed.

Basically what they’re after is me inserting a sentence into an existing blog post that links to their client. These guys are not interested in a new post. That would take time to rise up through the ranks of Google; they want to tap into my micro-Google fame. And remember this is not an ad. It’s a plug. It’s product placement. In a piece that is supposed to otherwise be straight, authentic and, well, me. I like to think that’s why it has Google juice.

By the time I got back to Alicia the offer was off the table as all the spots had been picked up. Clearly this is a well-oiled business. But then I got another, from a different company. Mayra Alessi was contacting me on behalf of a U.S. company selling identity theft protection, which she wanted me to link to in a piece I wrote two years ago about a privacy problem with Facebook. For $30 a month.

Mayra, if it was she, proposed I add a sentence at the end of a paragraph on how Facebook needs to fix the way it handles friendship requests, as follows:

Mistakes like these from Facebook, make us more and more vulnerable to identity theft, that is why it is important to understanding identity theft in the USA.

Clearly Mayra hasn’t made her way in the world on the strength of her copyediting, grammar or punctuation skills. And the irony hasn’t escaped me that a company peddling identity theft protection is at best unaware that companies operating in its name are paying websites to mislead their readers, and Google.

What’s wrong with all this? Well, I guess the first thing is the seediness. A company is basically hiring another company to fiddle its rankings on Google–instead of just producing the kind of kick-ass content that it should be building it leeches off my kick-ass content.

And it’s not just seedy, it’s illegal. Well, as far as Google is concerned. Only the other day someone complained on a Google forum after getting his sites bumped off Google’s index. The reason, he suspects, is that he took $75 from one of the companies that contacted me for linking to a site about bikes. And these companies must know that. I guess that’s why the fees seem quite high for the chicken feed that niche blogs like ours are used to earning.

The point is that the companies apparently funding this kind of activity, those whose websites benefit from the link love, are not necessarily sleazy gambling sites. One I was invited to link to was an Internet security company. Among the companies willing to pay me $150 for a link are, according to one of these link building outfits trying to get me aboard, those selling mobile phones, health and fitness, travel, hotels, fashion, Internet services, insurance, online education and, somewhat incongruously, recycling.

To me this is all the more sleazy because these are real companies with offices in the UK and US and they’re clearly proud of what they do. We’re not talking Ukrainian spammers here. But their impact, in a way, is worse, because with every mercenary link sold they devalue the web. I’ve been doing a blog for nearly 10 years now, and the only thing that might make my content valuable is that it’s authentic. It’s me. If I say I like something, I’m answerable for that. Not that people drop by to berate me much, but the principle is exactly the same as a journalistic one: Your byline is your bond.

All in all, a tawdry example of where the blogosphere has gone wrong, I reckon. Keep your money. I’d rather keep the high ground.