Tag Archives: chief technology officer

Did Prolexic Fend Off Anonymous’s Sony Attacks?

Prolexic, a company that defends clients against Distributed Denial of Service (DDoS) attacks, says it has successfully combatted the “Largest Packet-Per-Second DDoS Attack Ever Documented in Asia”:

“Prolexic Technologies, the global leader in Distributed Denial of Service (DDoS) mitigation services, today announced it successfully mitigated another major DDoS attack of unprecedented size in terms of packet-per-second volume. Prolexic cautions that global organizations should consider the attack an early warning of the escalating magnitude of similar DDoS threats that are likely to become more prevalent in the next 6 to 8 months.”

Although it describes the customer only as “an Asian company in a high-risk e-commerce industry”, it could well be connected to the recent attacks on Sony by Anonymous. A piece by Sebastian Moss in April – The Worst Is Yet To Come: Anonymous Talks To PlayStation LifeStyle – quoted an alleged member of Anonymous called Takai as reacting to unconfirmed reports that Sony had hired Prolexic to defend itself (Sony Enlists DDoS Defense Firm to Combat Hackers):

“It was expected. We knew sooner or later Sony would enlist outside help”. Pressed on whether Anonymous would take out Prolexic, Takai showed confidence in the ‘hacktavist’s’ upcoming retaliation, stating “well, if I had to put money on it … I’d say, Prolexic is going down like a two dollar wh*** in a Nevada chicken ranch”. He did admit that the company “is quite formidable” and congratulated “them for doing so well”, but again he warned “We do however have ways for dealing with the ‘Prolexic’ factor”.

The website also quoted Anonymous members expressing frustration at the new defences, though they appeared confident they would eventually prevail. That doesn’t seem to have happened.

Prolexic’s press release says the attacks had been going on for months before the client approached the company. The size of the attack, the company said, was staggering:

According to Paul Sop, chief technology officer at Prolexic, the volume reached levels of approximately 25 million packets per second, a rate that can overwhelm the routers and DDoS mitigation appliances of an ISP or major carrier. In contrast, most high-end border routers can forward 70,000 packets per second in typical deployments. In addition, Prolexic’s security experts found 176,000 remotely controlled PCs, or bots, in the attacker’s botnet (robot network). This represents a significant threat as typically only 5,000-10,000 bots have been employed in the five previous attacks mitigated by Prolexic.

It does not say why it considers the attack over, nor does it give any timeline for the attack. But if the client is Sony, it presumably means that Anonymous has withdrawn for now or is preoccupied with other things. Prolexic, however, is probably right when it warns this is a harbinger of things to come:

“Prolexic sees this massive attack in Asia with millions of packets per second as an early warning beacon of the increasing magnitude of DDoS attacks that may be on the horizon for Europe and North America in the next 6 to 8 months,” Sop said. “High risk clients, such as those extremely large companies in the gaming and gambling industries in Asia, are usually the first targets of these huge botnets just to see how successful they can be.”

Why Social Network Sites May Fail

Look at a social networking site like Yaari and you can see where the social networking phenomenon may fail: simply by abusing the trust of its users.

Sites like LinkedIn, Plaxo etc rely on expanding quickly by offering a useful service: trawling your address book to find friends and contacts who use the same service. We’ve gotten used to this, and it’s a great way to build a network quickly if you sign up for a new service.

But any service that uses this needs to stress privacy, and put control in the hands of users. Plaxo learned this a few years back. Spam a user’s contact list without them realising and you invite a firestorm of opprobrium on your head.

But surprisingly some services still do it. And in so doing they risk alienating users from what makes Web 2.0 tick: the easy meshing of networks—your address book, your Facebook buddies, your LinkedIn network—to make being online useful.

Take Yaari, a network built by two Stanford grads which has for the past two years abused the basic tenets of privacy in an effort to build scale.

What happens is this.

You’ll receive an email from a contact:


It’s an invitation from a “friend” which

  • gives you no way to check out the site without signing up. The only two links (apart from an abuse reporting email address at the bottom) take you to the signup page.
  • neither link allows you to check out your “friend” and his details before you sign up.

If you do go to the sign up page you’ll be asked to give your name and email address:


Below the email address is the reassuring message:

Your email is private and will stay that way.

But scroll down to below the create my account button and you’ll see this:

By registering for Yaari and agreeing to the Terms of Use, you authorize Yaari to send an email notification to all the contacts listed in the address book of the email address you provide during registration. The email will notify your friends that you have registered for Yaari and will encourage them to register for the site. Yaari will never store your email password or login to your email account without your consent. If you do not want Yaari to send an email notification to your email contacts, do not register for Yaari.

In short, by signing up for Yaari you’ve committed yourself, and all the people in your address book, to receiving spam from Yaari that appears to come from your email address. (Here’s the bit from the terms: “Invitation emails will be sent on member’s behalf, with the ‘from’ address set as member’s email address.”)

You should also expect to receive further spam from Yaari, according to the terms:

MEMBERS CONSENT TO RECEIVE COMMERCIAL E-MAIL MESSAGES FROM YAARI, AND ACKNOWLEDGE AND AGREE THAT THEIR EMAIL ADDRESSES AND OTHER PERSONAL INFORMATION MAY BE USED BY YAARI FOR THE PURPOSE OF INITIATING COMMERCIAL E-MAIL MESSAGES.

In other words, anyone signing up for Yaari is committing both themselves and everyone else in their address book to receiving at least one item of spam from the company. Users complain that Yaari doesn’t stop at one email; it bombards address books with follow-up emails continually.

Needless to say, all this is pretty appalling. But what’s more surprising is that Yaari has been doing this for a while. I’ve trawled complaints from as far back as 2006. This despite the company being U.S.-based. I’m surprised the FTC hasn’t taken an interest.

So who’s behind the site? This article lists two U.S.-born Indians, Prerna Gupta and Parag Chordia, and quotes Gupta as saying, back in 2006, that to preserve the integrity of the network access is restricted to the right kind of Indian youth. I’m not young, I’m not Indian, and I’m probably not the right kind, so clearly that goal has been abandoned.

Here are some more details of the two founders.

Gupta, who is 26, is an economics major who graduated in 2005 and was working for a venture capital firm in Silicon Valley called Summit Partners until 2005. Her Facebook profile is here; her LinkedIn profile is here. According to this website she once won the Ms Asia Oklahoma pageant (her hometown is listed as Shawnee in Oklahoma, although she lives in Atlanta).

Chordia, chief technology officer at Yaari, has a PhD in computer music and is currently an assistant professor at the Georgia Institute of Technology, according to his LinkedIn profile. His Facebook profile is here.

There’s a video of them here. An interview with Gupta last year indicates that they’re going hell for leather for size:

We are focused on growing our user base and becoming India’s largest social networking site within the next two years. Our goal for the next year is to become one of India’s Top 10 Internet destinations.

What’s interesting is that nearly every site that mentions Yaari and allows comments contains sometimes angry complaints from users. In that sense Web 2.0 is very effective in getting the word out. Unfortunately if Yaari and its founders continue to commit such egregious abuses of privacy, we can’t be sure many people will trust such websites long enough for the power of networking sites to be properly realised.

(I’ve sought comment from Gupta, which I’ll include in this post when received.)

Counting The Cost Of Online Crime

Phishing is beginning to bite.

British police at a high-tech crime congress (noted by USC Annenberg Online Journalism Review) say that 83% of Britain’s 201 largest companies reported experiencing some form of cybercrime. The damage has cost them more than £195 million ($368 million) from downtime, lost productivity and perceived damage to their brand or stock price.

Much of the damage is being done to financial companies, three of whom lost more than £60 million ($130 million). Phishing has hit banks like Barclays, NatWest, Lloyds TSB and 50 other British businesses, Reuters quoted Len Hynds, head of Britain’s National Hi-Tech Crime Unit (NHTCU), as saying.

Of course, it’s probably much worse than this. Most companies don’t report ‘cyber-crime’ to the police for fear that making the matter public would harm their reputation. The National Hi-Tech Crime Unit (NHTCU) said that of the companies hit by cyber-crime, less than one-quarter reported the matter to police. But that’s better than two years ago, when NO companies were reporting.

Security experts warn that a new wave of cybercrime attacks will be nastier than what companies have already experienced. David Aucsmith, chief technology officer for Microsoft Corporation’s security and business unit predicted criminals would target banking systems, company payroll and business transaction data.

Here are some other interesting facts from Bernhard Warner’s Reuters report:

  • Seventy-seven percent of respondents said they were the victim of a virus attack, costing nearly 28 million pounds.
  • Criminal use of the Internet, primarily by employees, was reported by 17 percent of firms at a cost of 23 million pounds.
  • More than a quarter of firms surveyed did not undertake regular security audits.

No Sign Of Letup On Spam So Far

Unsurprisingly, the new U.S. anti-spam law has had no effect whatsoever.

Commtouch, a provider of anti-spam solutions, said it saw no significant change in the number of spam attacks in the first week of 2004, and that less than 1% of all bulk email complied with the new CAN-SPAM regulations.

Although Commtouch notes it is too early to tell, as spammers are still on holiday, I’ve noticed no slowdown at all. This is not unexpected, since most spammers operate outside the law – when was the last time you had a legitimate-looking junk email that was not trying to disguise itself?

But it’s not just the really sleazy guys still doing it. MX Logic, another anti-spam provider, looked at a random sample of over 1,000 unsolicited commercial emails during the course of a seven day period beginning New Year’s Day and found only three of the messages complied with the CAN-SPAM Act. “Calling this a high rate of non-compliance would be a gross understatement,” said Scott Chasin, MX Logic’s chief technology officer. “It is no surprise that rogue spammers would fail to comply, but the non-compliant messages we saw appeared to be from all types of companies.”

This could be just reputable (I use the term loosely) email marketers not getting up to speed on something that was only signed into law on December 16. If you are an email marketer and you do want to comply, here’s a checklist of what you should do, courtesy of Intermark Media, itself an email marketer. (The list is somewhat revealing to us normal folk, in that it shows what kind of tricks spammers tend to use to give the impression everything is hunky dory and that, at some point of personal weakness, we actually agreed to receive spam from them):

— Collect this information on every member of your opt-in database: IP address, date and time of opt-in, and source URL of sign-up.
— Be wary of any list managers who do not require this sensitive information from you as it is of crucial importance that all parties involved have it.
— Provide a clear opt-in process for the consumer.
— State your intentions in your privacy policy.
— Make your privacy policy easily accessible to the consumer.
— Upon receiving a customer’s permission to send offers you should notify them of their consent. This also allows the consumer to become double opt-in or unsubscribe from receiving any offers.
— Upon receiving a database to manage always run a permission email to the database in order to notify the consumers that you are the source of the emails they will be receiving and this will allow them to unsubscribe from your mailings or become double or even triple opt-in.
— Never change the headers that you send emails from.
— Use valid and relevant from and subject lines for all campaigns.
— Do not use misleading subject lines for any purposes, including creating new responsive lists from recipients that open or click on a campaign.
— If you receive a subject line you feel is questionable ask the advertiser to provide another one.
— Make sure the email address you are sending campaigns from is valid and working.
— In the footer, provide an explanation of why the consumer is receiving the ad.
— In the footer, provide your company’s valid postal address. If you are managing a client’s list, make sure their address appears as well.
— Make sure every campaign has a valid, working and obvious unsubscribe mechanism that easily removes the consumer from your database.
— Keep a real-time update of unsubscribes and remove them from your database and the databases of all parties involved.
— Do not email to consumers who unsubscribe from your database.
— Do not allow others to email to consumers who have unsubscribed from your database.
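The checklist above is a procedure a mailer can enforce mechanically before a campaign goes out. The following is an added example (not from the original post or from Intermark Media) that turns its checkable items into a pre-send gate: a complete opt-in record (IP, timestamp, source URL) per recipient, respect for unsubscribes, a valid From address and subject, and a footer with an explanation, postal address and unsubscribe mechanism. The message fields, opt-in log layout and postal-address heuristic are assumptions constructed for the example.

```python
"""Pre-send compliance gate for a bulk-email campaign, modelled on the checklist above."""
import re

# Constructed sample data: the opt-in log the checklist says every list must keep.
OPT_IN_LOG = {
    "alice@example.com": {"ip": "203.0.113.7", "ts": "2003-11-02T14:31:00",
                          "source_url": "https://example.com/signup"},
    # Bob's record lacks IP and source URL: the checklist says never send on such data.
    "bob@example.com": {"ip": "", "ts": "2003-12-20T09:00:00", "source_url": ""},
}
UNSUBSCRIBED = {"carol@example.com"}   # real-time unsubscribe list shared by all parties

SAMPLE_MSG = {  # constructed campaign message
    "from": "offers@example.com",
    "subject": "This week's sale at Example Mailer",
    "body": "Big sale this week!\n--\n"
            "You are receiving this because you opted in at example.com.\n"
            "Example Mailer Inc., 123 Main Street, Springfield, IL 62701\n"
            "To unsubscribe, reply with UNSUBSCRIBE.",
}

ADDR_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")
# Simplified US street-address heuristic: "123 Main Street, Springfield, IL 62701".
POSTAL_RE = re.compile(r"\d+ [A-Za-z .]+,\s*[A-Za-z .]+,\s*[A-Z]{2} \d{5}")


def check_campaign(msg, recipient):
    """Return the checklist items msg/recipient violate; an empty list means OK to send."""
    problems = []
    if recipient in UNSUBSCRIBED:
        problems.append("recipient unsubscribed")
    rec = OPT_IN_LOG.get(recipient)
    if rec is None:
        problems.append("no opt-in record")
    elif not all(rec.get(k) for k in ("ip", "ts", "source_url")):
        problems.append("incomplete opt-in record")
    if not ADDR_RE.fullmatch(msg.get("from", "")):
        problems.append("invalid From address")
    if not msg.get("subject", "").strip():
        problems.append("empty subject")
    body = msg.get("body", "").lower()
    if "unsubscribe" not in body:
        problems.append("no unsubscribe mechanism")
    if not POSTAL_RE.search(msg.get("body", "")):
        problems.append("no postal address in footer")
    if "you are receiving this" not in body:
        problems.append("footer does not explain why recipient gets this")
    return problems
```

Subject-line honesty and header consistency from the checklist cannot be judged by a regex; those items still need a human review step before the gate passes.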