Tag Archives: Computer networking

We’re Not in the Business of Understanding our User


A few years ago I wrote about how sometimes your product is useful to people in ways you didn’t know—and that you’d be smart to recognise that and capitalize on it (What Your Product Does You Might Not Know About, 2007).

One of the examples I cited was ZoneAlarm, a very popular firewall that was bought by Check Point. The point I made with their product was how useful the Windows system tray icon was in that it doubled as a network activity monitor. The logo, in short, would switch to a twin gauge when there was traffic. Really useful: it wasn’t directly related to the actual function of the firewall, but for most people that’s academic. If the firewall’s up and running and traffic is showing through it, everything must be good.

The dual-purpose icon was a confidence-boosting measure, a symbol that the purpose of the product—to keep the network safe—was actually being fulfilled.

Not any more. A message on the ZoneAlarm User Community forum indicates that as of March this year the icon will not double as a network monitor. In response to questions from users a moderator wrote:

Its not going to be fixed in fact its going to be removed from up comming [sic] ZA version 10
So this will be a non issue going forward.
ZoneAlarm is not in the buiness [sic] of showing internet activity.
Forum Moderator

So there you have it. A spellchecker-challenged moderator tells it as it is. Zone Alarm is now just another firewall, with nothing to differentiate it and nothing to offer the user who’s not sure whether everything is good in Internet-land. Somebody who didn’t understand the product and the user saved a few bucks by cutting the one feature that made a difference to the user.

Check Point hasn’t covered itself in glory, it has to be said. I reckon one can directly connect the fall in interest in their product with the purchase by Check Point of Zone Labs in December 2003 (for $200 million). Here’s what a graph of search volume looks like for zonealarm since the time of the purchase. Impressive, eh?


Of course, this also has something to do with the introduction of Windows’ own firewall, which came out with XP SP2 in, er, 2004. So good timing for Zone Labs but not so great for Check Point.

Which is why they should have figured out that the one thing that separated Zone Alarm from other firewalls was the dual purpose icon. So yes, you are in the business of showing Internet activity. Or were.

(PS Another gripe: I tried the Pro version on trial and found that as soon as the trial was over, the firewall closed down. It didn’t revert to the free version; it just left my computer unprotected. “Your computer is unprotected,” it said. Thanks a bunch!)

The Battery DDOS: Tip of An Iceberg

An interesting story brewing about the FBI investigating a DDOS (Distributed Denial of Service) attack on websites selling batteries. But the reporting does not go far enough: In fact, a little research reveals this is part of a much bigger assault on a range of industries.

As a starting point, look at Elinor Mills of the excellent Insecurity Complex at CNET:

U.S. battery firms reportedly targeted in online attack | InSecurity Complex – CNET News: “The FBI is investigating denial-of-service attacks targeting several U.S. battery retail Web sites last year that were traced to computers at Russian domains in what looks like a corporate-sabotage campaign, according to documents published yesterday by The Smoking Gun.”

But a closer look at the source documents suggests this is just the tip of a much bigger iceberg. The Smoking Gun incorrectly reports the email address used by the alleged hacker, a St Petersburg man called Korjov Sergey Mihalivich, as lvf56fre@yahoo.com. In fact, the FBI lists it as lvf56kre@yahoo.com, which yields much more interesting results. Such as this one, from ShadowServer.

ShadowServer shows that the domains under that person’s control, globdomain.ru (not globdomian.ru as reported by the Smoking Gun) and greenter.ru, have been prolific since 2010 in launching DDOS attacks against 14 countries and more than 30 industries and government websites. An update from ShadowServer in January 2011 counted 170 “different victims. Again, these attacks are across many different industries and target some rather high profile sites.” (It doesn’t identify them.)

The DDOS attacks use the BlackEnergy botnet, described by Arbor Networks’ Jose Nazario in a 2007 paper [PDF]. Back then Nazario reported the botnet’s C&C systems were hosted in Malaysia and Russia.

The same email address used for those two domains has registered other domains: trashdomain.ru, which has been recorded as the host for a Trojan dropper called Microjoin.

In other words, this is about a lot more than batteries. This appears to be a DDOS-for-rent service for businesses wanting to take out rivals in a host of fields. Indeed, the FBI investigation makes this clear, and describes the $600,000 of damage caused as including attacks on “a wide range of businesses located in the United States.” (This does not include the dozen other countries affected, hence, presumably, the quite low sum involved.)

The batteries attack took place in October 2010, but the FBI document makes clear that as of May 2011 the attacks were still going on.

At present it’s not clear who is behind these attacks–in other words, who is paying for them. This could be a ransom attack–pay up or we will keep DDOSing–but this doesn’t seem to be the case, as Batteries4less.com Chief Executive Coryon Redd doesn’t mention any such approach in an interview with Mills. He seems to believe that “[t]he competitor is going to be U.S.-based and contracting out with a bad guy in Russia.”

Could be right. In which case the investigation has stumbled on a dark world of business tactics stretching from banking to astrology consultants. More research needed, please.

The New Attack: Penetrate and Tailor

In its latest security report Cisco identifies a trend among malware writers I hadn’t heard of before: they take a closer look at the computers they’ve successfully penetrated to see whether there’s something interesting there, and if there is, they target that company (or organisation) with a more tailored follow-up attack:

Attackers can—and do—segregate infected computers into interest areas and modify their methods accordingly. For example, after initial infection by a common downloader Trojan, subsequent information may be collected from infected machines to identify those systems more likely to lead to sensitive information. Subsequently, those “interesting” machines may be delivered an entirely different set of malware than would other “non-interesting” computers.

This is, as Cisco says, a pretty good example of that much maligned term, the Advanced Persistent Threat. Unfortunately they don’t give more concrete examples. But it seems as if the most targeted sector is the pharmaceuticals and chemical industry: 500% more than the median infection rate, or twice the next industry, oil and gas.

On DoS (Denial of Service) attacks, Cisco says that “while once largely prank-related, DoS attacks are increasingly politically and financially motivated.” It doesn’t add more, unfortunately, and much of the rest of the report is sales-pitch. I’ll try to get more out of them, because there might be some interesting trends lurking behind the rather thin data.

Did Prolexic Fend Off Anonymous’s Sony Attacks?

Prolexic, a company that defends clients against Distributed Denial of Service (DDoS) attacks, says it has successfully combatted the “Largest Packet-Per-Second DDoS Attack Ever Documented in Asia”:

“Prolexic Technologies, the global leader in Distributed Denial of Service (DDoS) mitigation services, today announced it successfully mitigated another major DDoS attack of unprecedented size in terms of packet-per-second volume. Prolexic cautions that global organizations should consider the attack an early warning of the escalating magnitude of similar DDoS threats that are likely to become more prevalent in the next 6 to 8 months.”

Although it describes the customer only as “an Asian company in a high-risk e-commerce industry” it could well be connected to the recent attacks on Sony by Anonymous. A piece by Sebastian Moss – The Worst Is Yet To Come: Anonymous Talks To PlayStation LifeStyle — in April quoted an alleged member of Anonymous called Takai as reacting to unconfirmed reports that Sony had hired Prolexic to defend itself (Sony Enlists DDoS Defense Firm to Combat Hackers):

“It was expected. We knew sooner or later Sony would enlist outside help”. Pressed on whether Anonymous would take out Prolexic, Takai showed confidence in the ‘hacktavist’s’ upcoming retaliation, stating “well, if I had to put money on it … I’d say, Prolexic is going down like a two dollar wh*** in a Nevada chicken ranch”. He did admit that the company “is quite formidable” and congratulated “them for doing so well”, but again he warned “We do however have ways for dealing with the ‘Prolexic’ factor”.

The website also quoted Anonymous members expressing frustration at the new defences, but that they appeared to be confident they would eventually prevail. That doesn’t seem to have happened.

Prolexic’s press release says the attacks had been going on for months before the client approached the company. The size of the attack, the company said, was staggering:

According to Paul Sop, chief technology officer at Prolexic, the volume reached levels of approximately 25 million packets per second, a rate that can overwhelm the routers and DDoS mitigation appliances of an ISP or major carrier. In contrast, most high-end border routers can forward 70,000 packets per second in typical deployments. In addition, Prolexic’s security experts found 176,000 remotely controlled PCs, or bots, in the attacker’s botnet (robot network). This represents a significant threat as typically only 5,000-10,000 bots have been employed in the five previous attacks mitigated by Prolexic.

It does not say why it considers the attack over, nor does it give any timeline for the attack. But if the client is Sony, it presumably means that Anonymous has withdrawn for now or is preoccupied with other things. Prolexic, however, is probably right when it warns this is a harbinger of things to come:

“Prolexic sees this massive attack in Asia with millions of packets per second as an early warning beacon of the increasing magnitude of DDoS attacks that may be on the horizon for Europe and North America in the next 6 to 8 months,” Sop said. “High risk clients, such as those extremely large companies in the gaming and gambling industries in Asia, are usually the first targets of these huge botnets just to see how successful they can be.”

Broadband on a Moving Bus

I don’t know if it’s anything to do with my recent column (probably not) about the need for flat data rates (“The Price is Wrong,” from Nov 2’s WSJ.com), but M1 of Singapore is now offering unlimited data for its mobile broadband plans. So now you can get 512 kbps for about $15 a month, 1.8 Mbps for about $25, and 3.6 Mbps for $45.

I use the 512 kbps service and frankly, it’s fast enough for me. Of course, with the island state embracing free WiFi this all becomes a bit academic at some point, but I still find it easier to crank up the Huawei modem than log in to the WiFi, and there’s something about surfing on a bus that is positively liberating. Not something I ever tried on the moving robbery carts that are buses in Jakarta, I must say.

M1 broadband

Turn It Off, Turn It On Again

Having spent the best part of a day trying to do something very basic, and yet failing, here’s another public service announcement for anyone having problems connecting their router, wireless or otherwise, to a cable modem:

  • If you have a cable Internet connection, but only through one computer, and nothing seems to correct the problem, you probably need to unplug the ethernet cable from your computer and turn off your cable modem.
  • Turn it off. Leave it off for a minute, and then turn it back on again. Reconnect the cable.
  • Chances are it will now connect. If it doesn’t, either you didn’t leave it turned off long enough, or something more sinister is afoot. But it worked for me.

Now, I know this is stupid of me not to think of, but in my defence I was out of sorts:

  • the modem was new, the setup was new, and I didn’t have a lot of faith in my Netgear WiFi Travel Router, mainly because I hadn’t used it for cable modem-ing. Nowhere in all the set-up palaver did it mention turning off your cable modem.
  • So I dashed off to buy a Linksys WRT54GC something or other. The installation CD wouldn’t run on my laptop, so I downloaded their impressive sounding troubleshooting software, EasyLink Home Networking Tools (note to self: anything with ‘easy’ in the name isn’t).
  • None of the EasyLink products worked for me, so I was reduced to copying the contents of the installation CD (which for some odd reason, worked fine on a Mac) to a USB drive and running the router set up from there. This is far more information than you’re interested in getting, but I’m trying to show that I wasn’t completely useless. This didn’t work either, by the way. The Linksys software just sits there like a useless lemon telling you that it’s not connecting. (Another note to self: The term “wizard” for installation and troubleshooting software is vastly overused. Of course, they don’t take into account turnips like me, but they pretend they do. I don’t know which is worse.)
  • I have a Mac sitting around looking pretty, so I thought I’d give Mr Jobs a chance. He was no better. Couldn’t connect, but neither did he offer the sort of sage, grounded advice I’d expected: “Turn stuff off and turn them on again.” I guess, once again, Mac dudes are too smart for that kind of trash talk.
  • Finally I called up the guys who installed the modem, got bounced through a voice menu, until a sweet, albeit automated, voice said “If you’re having problems installing a router to your cable modem, switch off the modem first. Then reconnect. Have a nice day.” And hung up.
  • Now one final point: the modem in question doesn’t actually have an off/on switch. Or a reset switch. And nowhere in the manual could I find the words: “From time to time you may feel the need to switch the modem off and on again, to see whether that helps. Good idea. It might. We don’t know why exactly. If we did, we’d have mentioned it, and put an on/off switch in. But we felt that by putting one in that might have implied our products were not as cool as we like to think they are, so we haven’t put one in. Please don’t throw this manual or the modem across the room in frustration at hours of wasted productivity because this fact was not mentioned, as that voids warranty.” So I switched off the modem, counting to 20 in Thai, just because I can, and turned it on again.

So the little sweet-sounding lady was right. It all worked like a dream after that. So the moral of the story is: Don’t assume anything on the part of the products you’re testing. Just because your cable modem — or any other appliance — doesn’t actually have an on/off or reset switch doesn’t mean you shouldn’t try to turn it off. In fact turn everything off once or twice. Who knows, everything might work better that way.


Why Hasn’t China Cracked Down on Its Rainmen?

Another mainstream media look at the alleged “Titan Rain” cyberwar strategy of the Chinese, where organised, highly disciplined and experienced gangs ferret around in Western computers. This one is from today’s Guardian Unlimited — Smash and grab, the hi-tech way:

Sources involved in tracking down the gang say the Chinese group is just one of a number of organised groups around the world that are involved in a hi-tech crime wave, some working for governments, others highly organised criminal gangs. “We have seen three attacks a day from this group in the past week and there are a lot of other groups out there,” said the source. “You could say that the iceberg is now in view.”

That said, it seems clear that this kind of thing has some government sanction:

Privately, UK civil servants familiar with NISCC’s investigation agree that the attacks on the UK and US are coming from China. This almost certainly means some state sanction or involvement – perhaps even a “shopping list” of requirements. Some of the attacks have been aimed at parts of the UK government dealing with human rights issues – “a very odd target”, according to one UK security source.

The point is that Internet activity is heavily circumscribed in China:

There is another, more compelling reason. “Hacking in China carries the death penalty,” says Professor Neil Barrett, of the Royal Military College at Shrivenham. “You also have to sign on with the police if you want to use the internet. And then there is the Great Firewall of China, which lets very little through – and lets [the Chinese government] know exactly what is happening.” The internet traffic to the UK, and its origin, would all be visible to the Chinese government. Finding the culprits would, in theory, be a simple process.

So why are they still out there, and why can we narrow down their workplace to a single province?

When Firewalls Move

Here are the details on the Zone Alarm deal I promised a couple of days back:

Effective immediately, Sygate and Kerio users switching to ZoneAlarm Pro will receive a $20 instant rebate, over 40% off the retail price of $49.95. “A firewall is the most essential, fundamental element of protection against hackers,” said Laura Yecies, general manager of Zone Labs and vice president at Check Point. “Innovation in firewall development is critical, because threats are dynamic and ever-changing. Consumers must seek a solution that is not only vendor-supported but has new features added regularly to protect against novel attack strategies.”

Of course, there’s still the free version.

And here are details of the purchase by Sunbelt Software of Kerio:

Sunbelt Software and Kerio Technologies Inc. today announced that the parties have signed an agreement for Sunbelt to acquire the Kerio Personal Firewall. The acquisition is expected to be finalized by the end of the month.

The Kerio Personal Firewall will be re-branded on an interim basis as the “Sunbelt Kerio Personal Firewall”. All existing customers of the Kerio Personal Firewall will be able to receive support through Sunbelt once the acquisition is completed.

Upon the close of the deal, Sunbelt will also announce new reduced pricing for the full version of the product and a variety of special offers for both Kerio and Sunbelt customers. Additionally, Sunbelt will continue Kerio’s tradition of providing a basic free version for home users.

Zone Labs to Offer Sygate, Kerio Users a Deal

From a press release emailed to me by Zone Labs, makers of Zone Alarm:

The personal firewall market is currently undergoing a major shift, with Symantec set to retire the Sygate line of personal firewalls tomorrow (including the free version and Sygate Pro), and Kerio discontinuing its personal firewall at the end of December to pursue an enterprise strategy. […] In order to help consumers affected by recent events, Zone Labs will be announcing a new promotion to Sygate and Kerio users later this week to ensure that consumers have essential firewall protection available at an affordable price.

Not clear what kind of offer yet, but I’ll let you know.

‘Push Button to Connect’

One of the big holes in Wi-Fi setup has been security. In a lot of cases it’s not on by default and many folk have no idea how to set it up or even that their network is not secure.

Linksys reckon they have the answer with something called SecureEasySetup (SES) technology:

The SES technology enables users to create their wireless security protocols and set up their Wi-Fi networks by pushing just one button on the router and another on the wireless device being networked, the company said. The button enables the unit’s Wi-Fi Protected Access security and configures the network’s Service Set Identifier (SSID), eliminating the need for the user to manually create a passphrase to enable WPA protection.

Just push the button on each device and you’ve set up a secure connection between the two.
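What the button has to do behind the scenes is hand both devices the same SSID and the same passphrase; from those, each side independently derives the 256-bit WPA pre-shared key (PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID, 4096 iterations, as IEEE 802.11i specifies). The script below is an added illustration of that step, not Linksys’s SES code and not anything the company has published: the SSID scheme, the passphrase alphabet and the function names are my own assumptions, and the only part taken from a standard is the PSK derivation itself.

```python
import hashlib
import secrets
import string

# Constructed passphrase alphabet: printable ASCII minus space, quotes and
# backslash, so the passphrase is typeable if a user ever has to enter it.
PASSPHRASE_ALPHABET = string.ascii_letters + string.digits + "!#$%&()*+,-./:;<=>?@[]^_{|}~"


def generate_ssid(prefix="net-", random_bytes=4):
    """Constructed SSID scheme (not SES's): a short prefix plus random hex,
    so the network name does not leak a vendor, model or owner name."""
    return prefix + secrets.token_hex(random_bytes)


def generate_passphrase(length=20):
    """Return a random WPA passphrase; WPA-PSK allows 8 to 63 printable ASCII chars."""
    if not 8 <= length <= 63:
        raise ValueError("WPA passphrase must be 8..63 characters")
    return "".join(secrets.choice(PASSPHRASE_ALPHABET) for _ in range(length))


def wpa_psk(passphrase, ssid):
    """Derive the 256-bit pre-shared key exactly as IEEE 802.11i does:
    PSK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8..63 characters")
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1..32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid_bytes, 4096, 32)


def provision_pair():
    """Simulate the push-button exchange: the router generates SSID and passphrase,
    both sides derive the PSK, and the result is returned for inspection."""
    ssid = generate_ssid()
    passphrase = generate_passphrase()
    router_psk = wpa_psk(passphrase, ssid)   # router side
    client_psk = wpa_psk(passphrase, ssid)   # client side, same inputs
    if router_psk != client_psk:
        raise RuntimeError("PSK derivation disagreed between router and client")
    return {"ssid": ssid, "passphrase": passphrase, "psk_hex": router_psk.hex()}


if __name__ == "__main__":
    pair = provision_pair()
    print("SSID:      ", pair["ssid"])
    print("passphrase:", pair["passphrase"])
    print("PSK:       ", pair["psk_hex"])
```

The point for the user is that the strength of the connection rests on the passphrase the button generates, never on the button press itself: a 20-character passphrase drawn from this alphabet is far beyond the dictionary-style guessing that short human-chosen WPA passphrases invite, and the 4096-round PBKDF2 step slows each guess further. Any device from another vendor can join only if it is told the same SSID and passphrase, which is exactly the interoperability gap the post raises.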

I like the idea of having a physical button, which removes the need for lots of fiddling about in design-challenged menus (most of the software that comes with routers seems to have been designed by three year olds with premature acne.)

There is a downside to this, of course: It locks the user into buying both access point and Wi-Fi card from Linksys, otherwise it’s not going to work. And how would it work with more than one device? Could you add a non-Linksys, SES-enabled device to an SES network?

But the button thing is good. People will like that. Could this kind of thing extend to other areas where technology runs up against usability? Could buttons make Bluetooth pairing easier, say? Press a button on each device simultaneously and hook them up?

Certainly the whole ‘button vs software’ thing has taken an interesting route. For a long time we thought it was better to have no buttons, or at least designers did. Macs have very few buttons, which looks great but isn’t always a good thing, especially if you can’t eject a bum CD, or the computer hangs. iPods are great examples of what to do with buttons, and later models cut down the number of buttons without cutting down the intuitiveness.

But elsewhere things have started reversing themselves. Laptops and external keyboards have toyed with the idea of dedicated buttons, but with mixed results. I’ve never really got excited about them. Some Logitech keyboards have lots of dedicated keys and even reassigned function keys (which are on by default, a rare example of Logitech silliness.) My ThinkPad has an ‘AccessIBM’ button and to be honest I’ve never figured out what it is. But the physical sound mute and volume buttons are necessary, because you may need to get at them quickly, especially if you’re in a meeting.

I certainly think there’s room, as we move more and more to wireless, for a standard button that creates a secure connection between two devices. It could even be protocol-agnostic: press it and the device does its best to connect securely to whatever other device is having its button pressed, so to speak, with whatever protocol it has at its disposal, whether it’s Bluetooth, ZigBee, Wi-Fi, InfraRed or whatever. Could that break the remaining logjams in user acceptance of these technologies?