Using Google to Predict the Future

By | November 22, 2011
0 Comment

Elegantly simple proposal to measure economic confidence in The Economist’s search for other quirky indicators: searches in the U.S. on Google for “gold price” in the piece Alternative indicators: Behind the bald figures

But the hottest tip came from Edward Ritchie, an investment analyst in London. He tracks Google searches for the “gold price” as an indicator of economic confidence. This does not follow the gold price itself. For example, during most of 2008 when the world’s financial system was melting down, the gold price tumbled yet the number of searches soared. The number of gold-price searches shoots up when American consumer confidence dives and subsides when households perk up again (see chart). That makes it a handy device for spotting turning-points in economic confidence, with the added advantage that the data are available earlier than for conventional survey-based figures. Worryingly, the number of searches has recently vaulted above its 2008 peak, signalling the possibility of a double dip.”

Here’s the graph:

I’m a big fan of using Google search to measure, track and predict things. A few of my previous posts on the matter. And no, I’ve not made any money so far out of this crystal ball.

How To Use Google To Get Round Super Injunctions

Technoratis Decline, Death of Blogging?

Googling the Tsunami

Googles Suicide Watch: where I googled the word “suicide”

Has Quora Peaked?

Fail, Seinfeld and Tina Fey: A Zeitgeist

The Financial Crisis in Charts

Hoodiephobia, Or We Don’t Lie to Google

And this one from 2006: Mapping Trends With Google

The Battery DDOS: Tip of An Iceberg

By | November 22, 2011
0 Comment

An interesting story brewing about the FBI investigating a DDOS (Distributed Denial of Service) attack on websites selling batteries. But the reporting does not go far enough: In fact, a little research reveals this is part of a much bigger assault on a range of industries.

As a starting point, look at Elinor Mills of the excellent Insecurity Complex at CNET:

U.S. battery firms reportedly targeted in online attack | InSecurity Complex – CNET News: “The FBI is investigating denial-of-service attacks targeting several U.S. battery retail Web sites last year that were traced to computers at Russian domains in what looks like a corporate-sabotage campaign, according to documents published yesterday by The Smoking Gun.”

But a closer look at the source documents suggests this is just the tip of a much bigger iceberg. The Smoking Gun incorrectly reports the email address used by the alleged hacker, a St Petersburg man called Korjov Sergey Mihalivich, as lvf56fre@yahoo.com. In fact, the FBI lists it as lvf56kre@yahoo.com, which yields much more interesting results. Such as this one, from ShadowServer.

ShadowServer shows that the domains under that person’s control, globdomain.ru (not globdomian.ru as reported by the Smoking Gun) and greenter.ru, have been prolific since 2010 in launching DDOS attacks against 14 countries and more than 30 industries and government websites. An update from ShadowServer in January 2011 counted 170 “different victims. Again, these attacks are across many different industries and target some rather high profile sites.” (It doesn’t identify them.)

The DDOS attacks use the BlackEnergy botnet, described by Arbor Networks’ Jose Nazario in a 2007 paper [PDF]. Back then Nazario reported the botnet’s C&C systems were hosted in Malaysia and Russia.

The same email address used for those two domains has registered other domains: trashdomain.ru, which has been recorded as the host for a Trojan dropper called Microjoin.

In other words, this is a lot more than about batteries. This appears to be a DDOS for rent to businesses wanting to take out business rivals in a host of fields. Indeed, the FBI investigation makes this clear, and cites the $600,000 damage caused as included attacks on “a wide range of businesses located in the United States.” (This does not include the dozen other countries affected, hence, presumably, the quite low sum involved.)

The batteries attack took place in October 2010, but the FBI document makes clear that as of May 2011 the attacks were still going on.

At present it’s not clear who is behind these attacks–in other words, who is paying for them. This could be a ransom attack–pay up or we will keep DDOSing–but this doesn’t seem to be the case, as Batteries4less.com Chief Executive Coryon Redd doesn’t mention any such approach in an interview with Mills. He seems to believe that “[t]he competitor is going to be U.S.-based and contracting out with a bad guy in Russia.”

Could be right. In which case the investigation has stumbled on a dark world of business tactics stretching from banking to astrology consultants. More research needed, please.

The New Attack: Penetrate and Tailor

By | November 22, 2011
0 Comment

In its latest security report Cisco identifies a trend I hadn’t heard of before with malware writers: Closer inspection of those computers they’ve successfully penetrated to see whether there’s something interesting there, and then if there is targeting that company (or organisation) with a more tailored follow-up attack:

Attackers can—and do— segregate infected computers into interest areas and modify their methods accordingly. For example, after initial infection by a common downloader Trojan, subsequent information may be collected from infected machinesto identify those systems more likely to lead to sensitive information. Subsequently, those “interesting” machines may be delivered an entirely different set of malware than would other “non-interesting” computers.

This is, as Cisco says, a pretty good example of that much maligned term, the Advanced Persistent Threat. Unfortunately they don’t give more concrete examples. But it seems as if the most targeted sector is the pharmaceuticals and chemical industry: 500% more than the median infection rate, or twice the next industry, oil and gas.

On DoS (Denial of Service) attacks, Cisco says that “while once largely prank-related, DoS attacks are increasingly politically and financially motivated.” It doesn’t add more, unfortunately, and much of the rest of the report is sales-pitch. I’ll try to get more out of them, because there might be some interesting trends lurking behind the rather thin data.

Podcast: Bad Things

By | July 28, 2020
0 Comment

The BBC World Service Business Daily version of my piece on link scams.  (The Business Daily podcast is here.)  

Loose Wireless 110803

To listen to Business Daily on the radio, tune into BBC World Service at the following times, or click here.

Australasia: Mon-Fri 0141*, 0741 

East Asia: Mon-Fri 0041, 1441 
South Asia: Tue-Fri 0141*, Mon-Fri 0741 
East Africa: Mon-Fri 1941 
West Africa: Mon-Fri 1541* 
Middle East: Mon-Fri 0141*, 1141* 
Europe: Mon-Fri 0741, 2132 
Americas: Tue-Fri 0141*, Mon-Fri 0741, 1041, 2132

Thanks to the BBC for allowing me to reproduce it as a podcast.

Taking Shady RAT to the Next Level

By | November 22, 2011
0 Comment

I know I’ve drawn attention to this before, but the timeline of McAfee’s Operation Shady RAT by Dmitri Alperovitch raises questions again about WikiLeaks’ original data.

Alperovitch points out that their data goes back to mid-2006:

We have collected logs that reveal the full extent of the victim population since mid-2006 when the log collection began. Note that the actual intrusion activity may have begun well before that time but that is the earliest evidence we have for the start of the compromises.

This was around the time that Julian Assange was building up the content that, he recounted in emails at the time, that his hard drives were filling up with eavesdropped documents:

We have received over 1 million documents from 13 countries, despite not having publicly launched yet! (Wikileaks Leak, Jan, 2007)

Although Assange has since denied the material came from eavesdropping, it seems clear that it was, until McAfee’s report, the earliest example of a significant trove of documents and emails stolen by China-based hackers. This may have been the same channel stumbled upon a year later by Egerstad (Dan Egerstad’s Tor exit nodes get him arrested and proves a point I made in July | ZDNet).

There were, however, reports in mid 2006 of largescale theft of documents: State Dept (May), and NIPRNet (June), US War College (Sept) and German organisations (October).

I would like to see more data from McAfee and, in the interests of transparency, at least the metadata from the still unrevealed WikiLeaks stash in order to do some note comparing and triangulation. I’d also like to see this material compared with the groundbreaking work by three young Taiwanese white hats, who have sifted through malware samples to try to group together some of these APTs: APT Secrets in Asia – InSun的日志 – 网易博客.

The work has just begun.