Cyberwar, Or Just a Taste?

Some interesting detail on the Estonian Cyberwar. This ain’t just any old attack. According to Jose Nazario, who works at ARBOR SERT, the attacks peaked a week ago, but aren’t over:

As for how long the attacks have lasted, quite a number of them last under an hour. However, when you think about how many attacks have occurred for some of the targets, this translates into a very long-lived attack. The longest attacks themselves were over 10 and a half hours long sustained, dealing a truly crushing blow to the endpoints.

There’s some older stuff here, from F-Secure, which shows that it’s not (just) a government initiative. And Dr Mils Hills, who works at the Civil Contingencies Secretariat of the UK’s Cabinet Office (a department of government responsible for supporting the prime minister and cabinet), feels that cyberwar may be too strong a term for something that he prefers to label ‘cyber anti-social behaviour’.

Indeed, what surprises him is that such a technologically advanced state — which uses electronic voting, ID cards and laptop-centric cabinet meetings — could so easily be hobbled by such a primitive form of attack, and what implications that holds:

What IS amazing is that a country so advanced in e-government and on-line commercial services has been so easily disrupted. What more sophisticated and painful things might also have already been done? What else does this indicate about e-security across (i) the accession countries to the EU; (ii) NATO and, of course, the EU itself?

Definitely true that this is probably just a little blip on the screen of what is possible, and what governments are capable of doing.

(Definition of Cyberwar from Wikipedia here.)


Is Guy The Citizen Pundit In Danger?

Disastrous news for instant celebrities everywhere: Being mistaken for an Internet pundit on the BBC can bring you to the attention of the wrong people. Our hero Guy Goma, whom we (mistakenly) called a taxi driver when he was in fact an expert in data cleansing when the BBC mistook him for an Internet pundit and interviewed him live on TV, is in fact an illegal immigrant, according to UPI. (In turn, the BBC has possibly taken my suggestion that he be given his own show too literally and has also mistaken him for a TV celebrity who can be wheeled on to answer questions about EU membership for Bulgaria and Romania. Painful stuff. (Here’s the clip.))

Anyway, the UPI story (which could take a lesson or two from my rather pompous diatribe on sourcing) rather brushes over the fact that the Mail on Sunday story is not based on any interview with any British officials:

LONDON, May 21 (UPI) — BBC’s fake interviewee — an illegal immigrant from the Congo mistakenly plucked from the lobby and interviewed as an expert on British TV — may be deported. <snip> Goma — who coincidentally has a master’s degree in business from the Congo — tried to blunder through the question and answer session, the Sunday Mail reported. <snip> But it also brought the immigrant to the attention of British authorities who may deport him. That would be unfortunate because Goma recently applied for a technology position and wanted to capitalize on the publicity he’d received.

I may be missing something but I don’t see anything in the Mail on Sunday report suggesting the UK authorities are after him. Indeed, the entire story is based on an interview with Goma himself, which itself makes for hilarious reading (he’s hired a PR person to cope with the fame). True, he may be skirting on the wrong side of the law given he only has a tourist visa, but until the Immigration folk actually finger him, or say they’re about to finger him, I don’t see how one can say, as UPI said, his fame has “also brought the immigrant to the attention of British authorities who may deport him.” The Mail on Sunday didn’t say that, so why did UPI?

Anyway, I’m hoping that even if the authorities do start to think along those lines, they will recognise Mr. Goma as just the kind of addition the Brits could do with, and grant him whatever is necessary to keep him on our streets.

Plaxo, Privacy and ‘Suspicious Behavior’

It seems that there’s renewed interest in Plaxo, the contact sharing service that has attracted attention both for its inventiveness and its privacy implications. First off, a reader from France, Vincent Prêtet, wrote in comments to a previous post that

Plaxo is an amazing great tool to manage an addressbook. I use it since a few months and I am really happy of doing so. However, in France too the use of Plaxo gives rise to a real debate: is Plaxo’s system and are Plaxo’s users respecting the Laws as far as individual rights are concerned.

An EU-law (directive) goes as far as writing that nobody is allowed to transmit “personal data” like contacts of an addressbook to a Third without having first noticed each of the contacts.

Vincent asks whether any similar case is being made in the U.S. He’s also started his own blog on the subject (in French).

Another reader has sent in a screen capture from Zone Alarm that seems to indicate Plaxo “does much more than just collecting personal info”:


I’ve asked Zone Labs about this message, who offer the following:

Yes, it does appear to be one of our alerts. The “Enables Plaxo to Securely Integrate with Outlook Express” is probably the name of Plaxo’s process that triggered the alert. The rest of the copy is the standard message for all “suspicious” alerts. The idea is to let consumers know when a process is occurring that we believe can have security ramifications and let them choose to move forward or not. One of our primary goals is to make sure people have control over what installs on their PC.

Let me know if you’d like me to check with our security team on Plaxo specifically, but typically with the OSFirewall we aren’t looking so much at specific programs, more at the actual behavior of a process (at a glance, I suspect any program that tries to integrate with Outlook that we don’t have specifically whitelisted would trigger the same alert).

At first glance, then, it looks suspicious. But on closer inspection I feel this is more a case of Zone Alarm being a bit too alarmist, or at least not building up a decent database of programs it can whitelist. Plaxo is not exactly a new kid on the block, and although I have my reservations about what Plaxo does, I’m not sure it’s tracking keystrokes, mouse movements or other ‘user behavior’.

Doubtless Stacey, Plaxo’s privacy officer, will weigh in shortly on this!

How To Make A Phish Look Real

Here’s an interesting — and troubling — variation on the phishing scam: using a country-specific domain name to make a phishing link look real.

The problem for phishers has always been to conceal the fact that the link victims are asked to click on takes them to a website address that looks dodgy — either the URL clearly does not belong to the company the phishing email claims to be from, or the link has to be so heavily disguised in the email that the victim doesn’t get suspicious. Phishers have tried registering real-sounding domain names (, or somesuch) to get around this, but it’s not easy to come up with names that aren’t taken, and nowadays unless the name has paypal or ebay or citibank somewhere in the URL, victims are not going to be fooled. Hence this new twist:

The phishing email in question is the same as any other PayPal phish – “We recently reviewed your account, and suspect that your PayPal account may have been accessed by an unauthorized third party.” But the link victims are expected to click on, visible as , resolves to , which looks credible as a legitimate PayPal website in Germany. is actually owned by CentralNic Ltd, a private London-based domain name registry, which also owns US.COM, EU.COM, UK.COM, CN.COM, RU.COM, and twelve others that “represent the worlds most populated countries.” According to eNom, Inc, one of the Internet’s accredited registrars which issued the country specific domains, “there are no restrictions or rules when registering these domains, unlike other domains which require you to be a citizen of the country in order to make a purchase.”

In other words, easy pickings for phishers. And of course, this means that anti-phish devices such as SpoofStick, which look at the underlying domain name to gauge whether a website is fraudulent or not, are not going to be much help here because they would only show the domain to be, which doesn’t sound phishy enough to deter anyone but the most alert user.
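An added example, not from the original post, of the check a mail filter or toolbar needs in order to catch this case: treat the open second-level zones listed above as suffixes, so the name that was actually registered is what gets shown and compared. The brand `examplebank`, its domain list and the sample links are constructed for illustration, and the "last two labels" display is an assumption about how a simple domain indicator behaves.

```python
from urllib.parse import urlsplit

# Second-level "country" zones named in the post. Anyone can register a name
# directly under them, so they behave like public suffixes. A production check
# would load the full Public Suffix List instead of this short set.
OPEN_ZONES = {"us.com", "eu.com", "uk.com", "cn.com", "ru.com"}

# Hypothetical brand keyword -> domains the brand really owns (constructed).
BRANDS = {"examplebank": {"examplebank.com"}}


def naive_domain(host):
    """What a 'last two labels' display would show for this host."""
    return ".".join(host.split(".")[-2:])


def registrable_domain(host):
    """The name somebody actually registered, or None for a bare zone."""
    labels = host.split(".")
    if ".".join(labels[-2:]) in OPEN_ZONES:
        return ".".join(labels[-3:]) if len(labels) >= 3 else None
    return ".".join(labels[-2:]) if len(labels) >= 2 else None


def assess(url):
    """Flag links whose real registrant is hidden behind an open zone."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    reg = registrable_domain(host)
    findings = []
    if reg and reg != naive_domain(host):
        findings.append("open-zone")
    for brand, owned in BRANDS.items():
        if reg and brand in reg.split(".")[0] and reg not in owned:
            findings.append("brand-lookalike:" + brand)
    return {"shown": naive_domain(host), "registrable": reg, "findings": findings}


if __name__ == "__main__":
    # Constructed sample links, not taken from any real message.
    for link in ("http://www.examplebank.uk.com/login",
                 "https://www.examplebank.com/",
                 "http://examplebank-secure.com/"):
        print(link, assess(link))
```
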

My tupennies’ worth: Domain registrars must take on some of the responsibility for these registrations. It’s not acceptable to just let anyone register a paypal domain and say it’s not your business. Secondly, anti-phishing devices must make clear they can’t guard against every phishing attack.

Spam Law Passed, Not Many Impressed

The U.S. Congress has passed the anti-spam bill, after the House voted to approve minor Senate amendments, The Register reports. Not everyone thinks it’s a good idea. The Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act does more harm than good in the fight against spam, according to critics.

The bill criminalises common spamming tactics, such as using false return addresses. But it overrides Californian laws which had allowed spam recipients to sue spammers. The bill requires online marketeers to act on requests to “opt out” of future emails, unlike European Union legislation which requires them to seek the permission of consumers first.

The CAN-SPAM Act is expected to be signed into law by President Bush before the start of next year.

Update: More On Those Exploding Phones

Just when you thought it was over…. The Register reports that Test-Aankoop, the Belgian consumer watchdog that reported Nokia batteries as dangerous and then had it corrected, says Nokia still has a problem. The Finnish mobile phone maker cannot guarantee that its batteries are safe, because consumers cannot distinguish between original and non-original batteries, the watchdog says.
Nokia yesterday admitted that “tens of thousands counterfeit batteries were seized in recent raids in Holland, the United Kingdom, and other countries in the EU”.
Reminds me of the fake Bluetooth story a while back. How do we know what’s kosher and that it won’t blow up in our face, or ear?