Archive for September, 2011

DDoS detection and mitigation – in conversation with Tata Communications’ CSO Adam Rice

September 14, 2011 Leave a comment

The day after the Russian embassy in London was taken out by a DDoS attack (was it Russians objecting to a visit by a UK prime minister who had declined to join the KGB, or the Blue Rinse objecting to him going there at all?) I was speaking to Adam Rice, global chief security officer for Tata Communications. He had just announced that Tata’s DDoS detection and mitigation service is now available to any company operating on the internet irrespective of its network provider (ISP). Tata Communications is a tier 1 ISP, and the fourth largest in the world. “With this scale, we have successfully defended every DDoS attack levied against our customers. By expanding our offering to be network agnostic, we’re now making the capability available to a much larger community – a community that requires access to a high-capacity infrastructure where their traffic can be scrubbed rather than black-holed.” It was an opportune time to learn more about DDoS in general, and Tata’s detection and mitigation service in particular.


Adam Rice, CSO at Tata Communications

“DDoS,” he told me, “by its very nature is an attack that overwhelms the target’s resources, so we’ll see an increase in traffic going to the customer. It might ramp up slowly or very quickly, but it draws our attention.” The key to this is a monitoring tool used for its customers. “The tool that we deploy becomes smarter and smarter over time. It analyses what is considered normal traffic for a site; and it does that for what is normal on a Tuesday at lunchtime, or what’s typical for a weekend, or what’s typical during Christmas. The longer we have these sites under management, the more the tool understands what is normal traffic.

“So when we begin to see variations against the mean,” he went on, “if the standard deviation goes beyond a certain point, left or right of normal, then an alert will occur. And that can be caused by either volumes or types of traffic. DDoS attacks come in several different flavours, and the tool will be able to see the kind of attack from the meta data of the packet. So we can tell whether it’s a UDP attack or a SYN flood attack or any other variety of DDoS attack. When the traffic crosses our threshold, then an alert is sounded and one of our security analysts will go in and, with the help of the tool, determine what type or types of attack is under way (usually the attacks can be mixed) and then we apply our filters which will scrub the bad out and deliver clean back.”

An attack, he told me, can build up pretty fast, but is detected before it can overwhelm the target. “We’ll see it coming from the four corners of our network. Although some of the traffic originates from within our network a lot of it comes from other networks, so we’ll see it coming through the peering points with other tier 1 ISPs [a peering point is the place where multiple networks meet and pass traffic from one to the other] – it doesn’t turn on like a light switch; we’ll see the traffic volume begin to build, build, build; and then depending on the SLAs that we’ve agreed with our customer, we do have thresholds that we watch. For a DDoS attack to be a DDoS attack it needs to have a certain volume, and once it crosses the threshold, we’ll alert the customer and let them know what’s going on and, with advice, ask them if they’d like us to mitigate. That’s typically how we do it.”

The next stage is to channel the traffic to Tata’s laundry sites. “We announce a route across our network that is advertised almost instantly across the entire internet. It draws in all the traffic destined for our customer to our scrubbing clusters that are situated globally near a peering point and we will scrub the traffic and then deliver it to the customer nice and clean.” Two things I wondered: how accurate is this scrubbing? and could the scrubbing clusters themselves be overwhelmed?
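The detection loop described above (a per-bucket baseline of what is normal for, say, a Tuesday lunchtime; an alert when traffic moves more than a set number of standard deviations from that mean; a check that the volume is large enough to count as a DDoS under the SLA; and naming the flavour from packet metadata), as an added, constructed example. This is not Tata’s tool or code; the bucket scheme, the 3-sigma threshold, the SLA floor and all traffic numbers are assumptions made up for the illustration.

```python
"""Baseline-and-deviation DDoS alerting over per-bucket traffic counters.

Constructed example: for one customer prefix we keep a packets-per-second
history per (weekday, hour) bucket, alert when a new sample sits more than
`sigma` standard deviations above that bucket's mean AND above the SLA volume
floor, and name the attack flavour(s) from header metadata.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Sample:
    weekday: int       # 0 = Monday ... 6 = Sunday
    hour: int          # 0-23
    pps: float         # packets per second destined for the customer prefix
    udp_share: float   # fraction of all packets that are UDP
    syn_share: float   # fraction of TCP packets that are bare SYNs (no ACK)


def classify(s: Sample) -> list[str]:
    """Name the flavour(s) from packet metadata; attacks are often mixed."""
    flavours = []
    if s.udp_share >= 0.6:
        flavours.append("UDP flood")
    if s.syn_share >= 0.5:
        flavours.append("SYN flood")
    return flavours or ["unclassified volumetric"]


class BaselineDetector:
    def __init__(self, sigma: float = 3.0, sla_floor_pps: float = 100_000,
                 min_samples: int = 5):
        self.sigma = sigma
        self.sla_floor_pps = sla_floor_pps   # assumed SLA: below this it is not "a DDoS"
        self.min_samples = min_samples
        self.history: dict[tuple[int, int], list[float]] = defaultdict(list)

    def baseline(self, weekday: int, hour: int):
        xs = self.history[(weekday, hour)]
        if len(xs) < self.min_samples:
            return None
        mu = mean(xs)
        # floor the spread at 5% of the mean so a flat baseline cannot alert on noise
        return mu, max(pstdev(xs), 0.05 * mu)

    def evaluate(self, s: Sample) -> dict:
        b = self.baseline(s.weekday, s.hour)
        if b is None:
            return {"alert": False, "reason": "insufficient baseline"}
        mu, sd = b
        z = (s.pps - mu) / sd
        if z <= self.sigma:
            return {"alert": False, "reason": "within normal band", "z": z}
        if s.pps < self.sla_floor_pps:
            return {"alert": False, "reason": "anomalous but below SLA volume floor", "z": z}
        return {"alert": True, "z": z, "flavours": classify(s)}

    def observe(self, s: Sample) -> dict:
        """Evaluate, then learn only from samples inside the normal band so an
        attack in progress does not drag the baseline upward."""
        verdict = self.evaluate(s)
        if not verdict["alert"] and verdict.get("z", 0.0) <= self.sigma:
            self.history[(s.weekday, s.hour)].append(s.pps)
        return verdict


def build_demo_detector() -> BaselineDetector:
    """Constructed history: eight quiet Tuesday-lunchtime samples (mean 51,500 pps)."""
    det = BaselineDetector()
    for pps in (50_000, 52_000, 51_000, 53_000, 49_000, 54_000, 52_500, 50_500):
        det.history[(1, 12)].append(pps)
    return det


if __name__ == "__main__":
    det = build_demo_detector()
    for s in (Sample(1, 12, 58_000, 0.20, 0.05),      # busy but within the normal band
              Sample(1, 12, 70_000, 0.85, 0.05),      # odd mix, but too small to be a DDoS
              Sample(1, 12, 400_000, 0.85, 0.05),     # UDP flood
              Sample(1, 12, 400_000, 0.65, 0.70)):    # mixed UDP and SYN flood
        print(int(s.pps), det.observe(s))
```

The alert only names the attack; as in the interview, the decision to mitigate (and the route announcement that follows) stays with the customer and the analyst.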

“We don’t start mitigating the attack,” he replied, “until after we’ve had a conversation with the customer. We do this every day, hundreds of times a month, with very large volumes of traffic. Before we start mitigating, customers have a hard time getting to their site, and after, we have no complaints. I am sure that legitimate traffic in some fashion now and then gets dropped. I think that’s inevitable. Any claim that we could get 100% accuracy on our filters would be wrong – but if we do drop good traffic it is an insignificant volume and would simply require the user to refresh the browser to get back.”

What about being overwhelmed? “That’s the big advantage – and one of the biggest advantages,” he said, “in having a very large network behind us. DDoS attacks are all about capacity; and we have the capacity. Tata Communications is the fourth largest ISP on earth. Theoretically, if we were to have a purely academic discussion, it is possible that any network could be overwhelmed; but there are a lot of reasons why that would be very unlikely. But if you were to buy your DDoS mitigation service from a provider that didn’t have such a large network then I think you are taking away one of those critical attributes of any DDoS mitigation service: having that huge network behind you to absorb the traffic, because that’s really what you need to do.”

But what about the future? How can we prevent DDoS attacks from happening rather than just mitigating them once they are under way? Adam didn’t specifically say so, but I got the impression that’s a long way off. “We think that the majority of the sources of the attacks are infected PCs or laptops,” he commented. And we all know how secure the average home computer tends to be. “Usually, the source address is fake. There are other clues that enable us to track back to the source so we can get a geographical idea – often Eastern Europe or Asia – but DDoS is generally truly global.” And that’s a problem in itself. “If one of our own users is knowingly or unknowingly participating in a DDoS attack, that user is violating our acceptable use policy and we will tell them that they have to stop that.” In other words, Tata can try to keep its own network clean. “But Tata Communications works in almost 200 international jurisdictions. The privacy laws in Europe are a great example of exactly why it is impossible for us to be proactive – whether we would want to or not doesn’t really matter, it is actually illegal in many countries and jurisdictions for us to even monitor our own networks for that kind of traffic if it is customer data.” And if the traffic is coming in via a peering point from another ISP, the problem just gets more difficult.

So since there’s no quick fix to the DDoS problem, I guess we’d better just carry on mitigating them. Pass it on to the Russian Embassy.

Tata Communications

Categories: All, Security Issues

Beware: is a phisher!

September 14, 2011 2 comments

I’ve said it before, but it’s worth saying again: government is the biggest identity thief. And I’m so glad that I’m not alone in thinking this. VirusBarrier, the anti-malware product I use on Mac, agrees. It detected Her Majesty’s Revenue and Customs as a phishing site.

Sadly, the window saying this disappeared before I was able to ‘grab’ it. But good old VirusBarrier just blocked the page anyway.


HMRC is a phishing site...


Categories: All, Security Issues

Now they’re going to spend our money on training 700,000 EU lawyers…

September 14, 2011 Leave a comment

As the great European super tanker stumbles on towards economic implosion and, let’s face it, potential breakup, have you ever thought that perhaps, maybe, they should just ease up a bit on their increasingly interventionist policies against the individual?

Dream on. If you think that the EU is already too intrusive against citizens who are British first (or German, or Dutch or Spanish or whatever) and European second, think again. European law supplants national law. The EC has announced its intention to train 700,000 legal professionals in EU law.

The European Commission has set a clear target for increasing the numbers of judges, prosecutors, lawyers and other legal practitioners trained in European law. In a policy paper agreed today, the European Commission aims to ensure that half of all legal practitioners in the European Union – around 700,000 – participate in some form of European judicial training by 2020. The aim is to equip legal practitioners to apply European law…
European Commission sets goal of training 700,000 legal professionals in EU law by 2020

Categories: All, Politics

Appstore security: a new report from ENISA

September 13, 2011 1 comment

ENISA, the European Network and Information Security Agency, has produced a new report: Appstore security – 5 lines of defence against malware. Its purpose is to help the burgeoning app store market protect against infiltration by malapps (not a widely used word yet, but watch it grow): smartphone apps that pose as legitimate apps but are really just plain malware.


Appstore security: a report from ENISA

The five lines of defence range from the bleeding-obvious through good-idea-but-don’t-hold-your-breath to illustrations of the-conflict-between-security-and-liberty. They are

  • App review – bleeding obvious but not foolproof
  • Reputation – not foolproof
  • Kill switch – hang on a bit
  • Sandboxed apps – bleeding obvious
  • Jailing – hang on a bit more

App reviews should obviously be done. But they’re not foolproof and are time-consuming and costly. New app stores will minimise them in order to reduce their own costs and speed the population of the store. Even where they are performed, with or without the help of automated testing, there is no guarantee against false negatives.

Reputations can be manipulated. Cyber criminals have shown that they are willing to play the long game. With enough time and resources it would be easy enough to release a few genuine and good apps before slipping in, backed by a good reputation, the bad one.

Kill switch. I don’t want one. And they don’t necessarily work. If I buy something, it is mine (I’m sick of the industry selling me something and then revealing later or in the small print that I only rented it). If I buy it, it’s mine. Therefore only I should be able to remove it. Not the software developer, not the app store, not the device manufacturer, not law enforcement and not the government. And anyway, they don’t work. DroidDream foiled the Android kill switch by simply operating outside of the sandbox. Here’s a good security principle: if something can be set up by software, it can be taken down by software. And another thing:

in a military setting, apps may be mission-critical and the app revocation mechanism may need to be turned off.

I’m not sure that I like being told that only the military has mission critical apps. My apps are critical to me.

Sandboxing. Now that is a good idea. It probably has more to do with the OS developer than the app store provider, but it’s still a good idea. It may not work nor be possible in all cases; but it’s still a good idea.

Jailing. Again, this has more to do with the OS developer and the hardware manufacturer than the app store itself. And again, if something is mine, I don’t want a third party telling me what I can do with it. It may be good security but it infringes my rights as a human being.

You may think I’m being overly critical and a bit frivolous, but I’m not. This report will make not one iota of difference to the app market. I wish ENISA and all the myriad other European agencies would spend the time and money we spend on them on something more worthwhile. Especially when the solution to malapps is easy: make the app stores liable. Make them liable for any losses incurred through malapps bought or downloaded from them. And where there is no measurable loss, simply fine the pants off them. That will stop malapps from app stores in their tracks.


Categories: All, Security Issues

Why Cameron won’t honour his promises about Europe

September 12, 2011 Leave a comment

Will Cameron deliver us from the EU? Of course he won’t. Despite the wishes of the people. Despite the wishes of 60% of his own party.


Grassroots to new Eurosceptic group of Tory MPs; 'Be bold'


And despite the pressure that will come from his own MPs today when the George Eustice group of Eurosceptics meet. “Today’s meeting needs to set out clearly that the EU is in crisis and is about to embark on another major step towards closer union as part of the Euro fix. This is the perfect time for the UK to allow them to do so in return for lessening our ties to this failing economic bloc,” says John Redwood.

But the EU is too valuable to our democratic leaders to be abandoned. It allows them to get the draconian laws they want to, not because they want to, but because they have to. “We had no choice, guv,” they tell us. “We had to because of the treaties foisted on us by the previous government. It’s the law.”

And right on cue, here’s an example. Bear in mind that weak governments need control; and the weaker the government, the greater the need for control. According to EDRi, the European Digital Rights organization,

The European Commission (EC) Information Society and Media Directorate-General have recently drawn up a series of six policy papers intended to increase government control over the Internet…

…The recent EC papers come to argue for increased government control and foresee the shift in power toward governments within the next 12 months.

…These EC papers were developed not under public consultancy, but secretly, thus lacking in democratic legitimacy. The plans are to formally raise or even implement the proposed measures by the end of this year, in particular at ICANN’s meeting in Senegal in October.
The EC tries to increase government control of the Internet

Cameron will not be able to resist gaining control over the internet without having to get unpopular, unwanted, unwarranted, unethical and definitely un-British laws through an unsympathetic parliament. And Clegg? Well he seems to have had a complete about-face since his comment some 10 years ago when

…he described the European Council – the EU’s strategic body – as ‘one of only three legislatures in the world in which laws are adopted behind closed doors. The others are to be found in Havana [Cuba] and Pyongyang [North Korea]’.
‘As undemocratic as North Korea’: What Nick Clegg used to think of the EU as he condemned ‘grubby deals’ thrashed out in Brussels

Clegg was right then, and wrong now. But John Redwood has a simple, workable and obvious solution to the EU problem:

The proposal would be that we will happily allow the other members to do whatever they like without our seeking to block or veto it. In return we will be given the right to opt out of anything that the EU has agreed or may agree in the future, as Parliament sees fit. The rest of the EU would be spared the UK acting as the brake on the train, the wrecker at the unification party. The UK would be spared having law and regulation forced upon us with which we did not agree.

Normally we would go along with new and old EU legal proposals. We would still sit down to negotiate and draft with the others. We often might reach collective agreement with them and happily implement what was decided. We would not however, be able to hold them up or resist if they were determined to do something, and they would not be able to force us to do it. We would need to be able to go back over past agreements, but would do so sparingly and only after raising it with them to see if all EU members might like to repeal or amend the offending law.

The UK would be a democracy again, where one Parliament could not bind another in perpetuity by including the measure as an EU law. Moderate Eurosceptics would no longer feel oppressed by EU measures, as extreme ones could be suspended in the UK. Pro Europeans could relax that we have not tried to withdraw from the EU – they are still in and they can try to persuade us to accept more not less. Those who want to come out completely can press for less, seeking to use Parliamentary channels to remove blocks of EU law which they do not like. It seems to me to be the best way to let us all have our views on how much Europe we want, and to channel them within a UK Parliamentary framework.
Letter sent to George Eustice and the other MPs who say they are forming a new group to reverse moves to ever closer European Union.

The UK would regain its sovereignty. Parliament would regain its supremacy. The people would regain their freedom and self-respect. And Cameron will have none of it.

Categories: All, General Rants, Politics

Comment is Free provided we agree with you

September 10, 2011 5 comments

Richard Aitken (@rajakarta) has had his comment removed from the Guardian’s Comment is Free by its moderators. This is perfectly acceptable behaviour: moderators have a duty to remove profanity, illegality, sedition and so on. But I thought I’d have a look at Richard’s comment noir, which he has reposted here: Paste ID e73dd5950b at PrivatePaste, to see just how evil and immoral he is.

I can find nothing wrong. It is an opinion – but it does criticise our Darling Tony B’s story “Blaming a moral decline for the riots makes good headlines but bad policy” in the Observer. Richard points to the contradiction between the establishment’s hard line against those at the bottom of the social scale and those at the top:

I think the lack of justice meted out to those guilty of malfeasance related to the financial crisis may be indicative of that. It might also explain the double standard, which has permitted expense account abusing politicians to cut a cheque for the balance owing on their transgressions, whereas “otherwise ordinary young people who got caught in a life-changing mistake” (vis-a-vis the riots) wind up in the dock.

In fact, Richard’s views are quite similar to my own:

Until the people feel they have a real say in our country, until equal before the law is a fact not a hollow platitude, until the rich actually pay their tax levies in the same way as the poor, then last week will be just the beginning.
Broken Britain? Disconnected, more like…

I can find no justification for the moderators to remove this comment – other than they might disagree with Richard Aitken. Frankly, the Guardian should change its name: it is certainly not guarding our freedoms. And Comment is Free should change to Comment is Free Provided You Don’t Say Anything Contradictory to Our Editorial Policy.

Categories: All, General Rants, Politics

Hollywood is a staunch and effective government propaganda machine

September 8, 2011 Leave a comment

Hat tip to one of my favourite people, Josie Herbert (@phinessence), for this pointer: a rather disturbing article in El Reg. It shows that a surprisingly high proportion of Americans (nearly half) think that “the government should be able to review someone’s search history without court permission, and 55 per cent thought financial records were fair game for unwarranted scrutiny.”

On the much-debated topic of torture over half of those surveyed thought that torture of suspected terrorists was OK, and a similar number favoured “harsh interrogation techniques.”
Three in ten Americans urge feds to read their email

Compare this to the more reassuring view of Eliza Manningham-Buller, former head of MI5, in the second of her BBC Radio Reith lectures:

The use of torture is “wrong and never justified”, the former head of the security service MI5 has insisted.

Eliza Manningham-Buller said it should be “utterly rejected even when it may offer the prospect of saving lives”.
Former MI5 head: Torture is ‘wrong and never justified’

I suspect, but have no figures to support this, that hers is the majority view in the UK. Which begs the question: why this difference between two peoples separated only by language (and the Atlantic, and history, and 9/11)? I have one suggestion: US social attitudes are shaped by Hollywood while UK social attitudes are shaped by the BBC. I’m being simplistic, and you could argue that the media is shaped by society rather than the other way round – but at the very least the media will reinforce social attitudes.

Consider the law enforcement hero in Hollywood. If necessary, he will beat a confession out of the suspect. Where necessary he will break the law in order to protect the public. He does what we don’t want to accept, reluctantly but efficiently, for our own safety. The BBC copper, however, won’t do this. He’ll find some other way to protect us. He’ll stay within the law and treat his suspect with courtesy, whatever he privately thinks.

Incidentally, and don’t just dismiss this but consider it: one reason why governments on both sides of the Atlantic seem so willing to do Hollywood’s bidding is that Hollywood is a staunch and effective propaganda machine.

Categories: All, Politics

Shadowserver’s new anti-virus test suite – how good is it?

September 7, 2011 7 comments

“Our little gnomes in the backroom,” says the excellent Shadowserver in an announcement headed ‘New AV Test Suite’, “have been working feverishly for the last several months to put the finishing touches on our new Anti-Virus backend test systems.”

Malware testing, as we know, is a tricky business. AMTSO, the Anti-malware Testing Standards Organization, has expended much energy and expertise in developing detailed methodologies designed to ensure fair, unbiased and accurate anti-virus tests. But do we get this from Shadowserver? Do we get a new AV comparison source that we can realistically access for accurate unbiased information on the different AV products available to us? Let’s see.

Shadowserver starts off with a fair comment.

No single vendor detects 100%, nor can they ever. To expect complete protection will always be science-fiction.

That being said, it goes on…

…you can see the different statistics of the different vendors in our charts.

Here’s a couple of examples.


Shadowserver's results for Avira


Shadowserver's results for Panda

The one thing that really leaps out here is that Panda apparently misses (shown in green) far more of the test samples than Avira. This is counterintuitive. Panda is a commercial product backed by one of the world’s leading security companies. Avira, which I personally trust sufficiently to use on my XP netbook, is a free product. Shadowserver provides a partial answer:

The longest running issue has been our inability to use Windows based AV applications. We can now handle that, however it is still not what you might buy for home or commercial use. We are utilizing a special command-line-interface version from each of the vendors that we are using. This is not something you can purchase or utilize normally. These are all special versions but most of them do use the same engines and signatures that the commercial products use.


Luis Corrons, technical director, PandaLabs

This is important. Luis Corrons, technical director at PandaLabs elaborated:

What ShadowServer does is not an antivirus test. As they say, they do not even use commercial products, but special versions. Furthermore, it is static analysis of files they capture. It is a statistic. But the data cannot be used to say “product x detects more than product y” or “product x detects this percentage” as they are not using any of the other security layers used in real products (behavioural analysis/blocking, firewall, URL filtering, etc). The most you can say with this system is product x was able to detect y percent of files using their signatures and heuristics (the oldest antivirus technologies).

This is important. The AV companies have long recognised that the original signature database solution to malware cannot match the speed with which new signatures are required for polymorphic virus families. So they have supplemented their signature detection with more advanced and sophisticated methodologies.

In our case (Panda) ShadowServer is using an engine which is a few years old (at least 5) and of course is not using the cloud, so I can guarantee that our results are going to be awful. We have been asking SS for years to use a new version, but they were not supporting Windows. Now that they are supporting it, they forgot to mention it, but it’s not a problem as we’ll be sending them a new version with cloud connection. Anyway, even though in that way the results will be way better, or even if we are the number 1 vendor, that doesn’t mean anything, as it is only a static analysis of some files.

One solution would be for Shadowserver to work more closely with AMTSO. Shadowserver is not currently a member of AMTSO. I urge it to join. And I urge AMTSO to waive all membership fees so that this non-profit free service organization can do so. Both parties would benefit enormously. In the meantime, I asked David Harley, a director of AMTSO and research fellow at ESET, for his personal thoughts.


David Harley, senior research fellow at ESET; director at AMTSO

Shadowserver has never been discussed within AMTSO, that I remember… In the past they’ve shied away from suggesting that their statistics are suitable for direct comparison of vendor performance. One of the reasons they cited for that is that their testing has been focused on Linux/gateway versions, and you can’t assume that desktop versions will perform in the same way across a range of products. Including some Windows products will make a difference in that respect, but I can’t say how much, because I don’t know which versions they’re using. Where gateway products are used, it’s unlikely that the whole range of detection techniques are used that an end-point product uses. Detection is often dependent on execution context, certainly where detection depends on some form of dynamic analysis. A gateway product on an OS where the binary can’t execute may not detect what its desktop equivalent does, because the context is inappropriate. On the other hand, the gateway product’s heuristics may be more paranoid. Either way, there’s a possibility for statistical bias…

This isn’t a criticism of Shadowserver, which does some really useful work. I just don’t think I could recommend this as a realistic guide to comparative performance assessment…

Neither Luis nor David is known to shy away from the truth, whether about themselves or their products. But both seem fairly clear: Shadowserver is good; but this service is not yet ready. Shadowserver’s AV test suite will not give a realistic view of different AV products’ actual capabilities. Not yet. It needs more work. I’m certain that will happen. But for the time being at least, don’t use Shadowserver’s statistics to form an opinion on the relative merits of different AV products.


UPDATE from Shadowserver

It is difficult to not compare one vendor to the next due to how we have the data structured on the pages. It would be impossible not to try and derive conclusions from those results. While that is the case, our goal is not to create a real comparison site for everyone to try and compete to see which AV vendor is better than the next…

That is not our purpose…

That being said, our purpose in doing AV testing is simple. We wanted to know what each malware was supposed to be for categorization purposes, and of course just to see what happened. We collect a lot of malware daily and trying to find ways of tying our data together is important.

Because we are volunteers and a non-profit we really enjoy sharing what we find no matter how odd. We even enjoy talking about when we screw something up or when we encounter something exciting. Everything here is for you our public to enjoy, discuss, and even criticize…
Shadowserver, 8 September.


Shadowserver’s AV test suite


Categories: All, Security Issues

WordPress ‘pauses’ Pulse360 adverts

September 6, 2011 Leave a comment

“For the time being, we’ve paused the Pulse360 advertisements.” (WordPress)

For the history, see WordPress Pulse360 advertising: block them with NoScript and TACO with Abine on Firefox

Categories: All

NSA, wire tapping surveillance, and retroactive laws; but we mustn’t complain…

September 6, 2011 1 comment

The ‘warrantless wire tap’ law suit in the US rumbles on, and is rather disturbing (details from CourthouseNews). The plaintiffs (ie, Joe Phone User) are suing some of the leading US telephone companies and the National Security Agency (NSA) for illegal surveillance.

U.S. District Judge Vaughn Walker in San Francisco had tossed lawsuits against the NSA for lack of standing and dismissed claims against the telephone companies because a 2008 federal law gave retroactive immunity to telecommunication firms that helped in the dragnet surveillance.

But the plaintiffs, supported by the Electronic Frontier Foundation (EFF) want to appeal. ‘Lack of standing’ and ‘retroactive immunity’ are more than a bit disturbing.

EFF’s Kevin Bankston said that the court had been mistaken in “basically concluding that so long as everyone is being surveilled, no one has standing to sue.” That is worrying enough: if governments behave illegally towards everyone equally, then no-one can object. Really?

But the retroactive immunity is equally worrying. If this is allowed to stand (Co-counsel Bruce Afran commented: “No precedent allows Congress to give the attorney general authority to declare lawful today what was unlawful the week before.”) then a government can get away with doing anything simply by making it legal later.

An inability to complain and retroactive immunity are hallmarks of dictatorship, not democracy.

Categories: All, Politics, Security Issues
