SHODAN related infosec assortment

I have never attended DEFCON, though it remains a dream I hope to realize one day soon. It may soon become too logistically awkward because of the growing number of attendees.

Shodan is a remarkable search engine. Traditional search engines use “spiders” to crawl web pages and index their content; Shodan instead scans hosts on the internet and indexes the service banners returned by open ports. It was created by John Matherly, who launched it publicly in 2009 and continues to develop it.

Shodan is helpful for locating exposed services, including web servers running software with known vulnerabilities. It is available as a free service, for up to 50 searches. Query syntax includes filters by country, host name, operating system and port. Because it indexes banners rather than page content, Shodan can find both software and hardware (network devices as well as servers). It has been acknowledged by mainstream media. The most prominent coverage was in early June, in The Washington Post, when Stuxnet received so much press attention.
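As an added illustration (my own code, not Shodan's tooling; the four filter names come from the syntax described above, while the quoting rules are an assumption), here is a small Python builder and parser for key:value filter queries. The parser tokenizes quoted values, so a filter such as os:"Windows 7" survives a round trip instead of being split into two search terms:

```python
# Added example: build and parse Shodan-style "key:value" filter queries.
# Filter names (country, hostname, os, port) are the ones named in the text;
# the quoting convention (double-quote values that contain whitespace) is an
# assumption. Illustrative code, not Shodan's own implementation.
import re

FILTERS = {"country", "hostname", "os", "port"}


def build_query(free_text="", **filters):
    """Return a query string such as: apache country:DE port:8080 os:"Windows 7"."""
    parts = [free_text.strip()] if free_text.strip() else []
    for key, value in filters.items():
        if key not in FILTERS:
            raise ValueError(f"unsupported filter: {key}")
        if key == "port":
            port = int(value)
            if not 1 <= port <= 65535:
                raise ValueError("port out of range")
            parts.append(f"port:{port}")
            continue
        value = str(value)
        if key == "country":
            value = value.upper()
            if not re.fullmatch(r"[A-Z]{2}", value):
                raise ValueError("country must be an ISO 3166-1 alpha-2 code")
        # A value with whitespace (or an embedded quote) must be quoted so the
        # search engine treats it as one token rather than two terms.
        if any(ch.isspace() for ch in value) or '"' in value:
            value = '"' + value.replace('"', '\\"') + '"'
        parts.append(f"{key}:{value}")
    return " ".join(parts)


# One token: optional "key:" prefix, then either a quoted value (with \" escapes)
# or a run of non-whitespace characters.
_TOKEN = re.compile(r'(?:(\w+):)?(?:"((?:[^"\\]|\\.)*)"|(\S+))')


def parse_query(query):
    """Split a query into (free_text_terms, {filter: value}).
    Unknown keys are kept as free text; port is converted to int."""
    terms, filters = [], {}
    for m in _TOKEN.finditer(query):
        key, quoted, bare = m.groups()
        value = quoted.replace('\\"', '"') if quoted is not None else bare
        if key in FILTERS:
            filters[key] = int(value) if key == "port" else value
        elif key:
            terms.append(f"{key}:{value}")
        else:
            terms.append(value)
    return terms, filters


if __name__ == "__main__":
    q = build_query("apache", country="de", port=8080, os="Windows 7")
    print(q)
    print(parse_query(q))
```

The round trip is the point: a value containing whitespace has to be quoted on the way out and un-quoted on the way back in, otherwise a filter like os:Windows 7 silently becomes the filter os:Windows plus a stray free-text term.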


Cutting corners on telecom infrastructure with Huawei

In January 2013, I wrote a blog post about Huawei’s twisty, winding path to prominence. There were plenty of oddities, e.g. Huawei was a supplier to the Taliban and was nearly acquired by GOP presidential candidate Mitt Romney… but not at the same time!

Huawei is back in the limelight. Curiously, the problem is not one of Chinese state interference but of sloppy software development. I’ll get to that, but first, let’s take an illustrated tour of the Huawei story.


Will the Pentagon use a contractor to merge information networks?

I read an article the other day, Pentagon to merge information networks. The following section caught my eye in particular:

“Defense Department leaders have decided that the best way to protect sensitive information from cybercriminals and internal leaks is to consolidate its 15,000 networks into a single “joint information environment.” JIE is a set of security protocols — which the Pentagon calls a single security architecture…Although the JIE is not a “program of record” with its own funding line, it will be financed under the Pentagon’s $23 billion cybersecurity budget. Leading the massive network integration effort is the Joint Staff, U.S. Cyber Command and Defense Information Systems Agency [DISA].”

                                                — via National Defense Magazine, 13 September 2013


Bitcoin in the limelight: Questions for buyers and investors

DDoS attacks manipulate vulnerable markets

The vulnerable market was the Mt. Gox Bitcoin exchange. In April 2013, Mt. Gox was overwhelmed by a DDoS attack. The point, the company speculated, was to destabilize Bitcoin and fuel panic selling: after driving the market price down, the attackers could rush in and buy Bitcoin at the lower price. Obviously, this isn’t fair.

Life isn’t fair but Bitcoin must be

Life may not be fair in general, but securities and currency markets require fairness and the avoidance of market manipulation in order to function; without them, they will die. Trust is essential. Apparently, Mt. Gox was robust enough to withstand this volatility; the attackers were fortunate. In their pursuit of unfair profits, they are taking a selfishly short-term view. DDoS attacks could destabilize Mt. Gox, or any other entity that serves a similar purpose, and if that happens often enough, or at sufficient scale, it will undermine credibility in Bitcoin.

Mt. Gox wasn’t uniquely vulnerable. In the past few months, there were other DDoS related Bitcoin extortion incidents. BTC-China was brought down in September 2013, and BIPS, a European payment provider, experienced a DDoS attack two days ago, on 26 November 2013.

Regulation and volatility

Using DDoS for extortion is possible because Bitcoin lacks the fraud-control measures that regulatory requirements would usually impose. Of course, market manipulation and extortion are possible even where there are regulations! (I suspect that if one wanted to, one could DDoS forex exchanges.) Regulation and law enforcement are partly responsible for discouraging such behavior; market participants’ own self-restraint and willingness to obey the rules are equally important.

Bitcoin’s current price volatility is very high. That is unsurprising for a new financial product. Volatility isn’t inherently bad, but it should be caused by normal market activity, not by manipulation through DDoS-facilitated extortion. Bitcoin price volatility will need to diminish to no more than 25% for it to function as a viable currency.

Structural boundaries

If I were to trade or invest using Bitcoin, my first question would be, “What are the boundary values?”

  • The number of Bitcoins is fixed at 21 million.
  • Are there price levels that have any contextual meaning, i.e. that are associated with limits? For example, stock prices are always greater than or equal to zero, and for fixed income markets, negative interest rates should not be possible. Is there a scenario in which Bitcoin could ever have a negative value?
  • Are there vagaries of the block chain that would cause short-term price or volume discontinuity?
  • What about market dominance due to collusion? That can happen in many markets, especially commodity markets. There are scholarly articles that establish a threshold of mining power beyond which Bitcoin can no longer function as intended, specifically if selfish miners collude, e.g. through a Bitcoin mining pool.


The financial press and even well-known information security personalities seem to be caught up in the thrill of Bitcoin. The odd aspect is that some don’t seem to distinguish between good news and bad, as with Mt. Gox.

The excitement is infectious. Perhaps it is a means of escape from interminable and usually dreary economic news, as well as the powerlessness most of us feel about monetary policy and government in general.


Account hijackers

If a message originates from a familiar name or email address, its likelihood of making it through spam filters is greater.

Google described their efforts to minimize harm to users due to email account hijacking:

“Our security team…saw a trend of spammers hijacking legitimate accounts to send their messages. [We developed] a system that uses 120+ signals to…detect whether a log-in is legitimate, beyond just a password.”

Less than 1% of spam emails make it into a Gmail inbox.

The number of compromised accounts decreased by 99.7% since 2011. That’s impressive, for a sustained reduction! How does Google avoid false positives? I am so curious about the specific details of their filtering rules!

The blog post was written in March 2013. It is remarkable that the same methods continue to be effective, since Gmail spam attackers would presumably treat this as a new challenge to be overcome.
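To make the “signals beyond just a password” idea concrete, here is an added example of my own (illustrative Python, not Google’s code; their actual signals are not public). It scores a login attempt against an account’s previous successful logins using a handful of assumed signals: unfamiliar device, unfamiliar country, an hour of day the account never uses, and “impossible travel” between the last login and this one. The weights, the 900 km/h travel limit and the challenge threshold are assumptions, and the login records are constructed, with IPs from the documentation ranges 198.51.100.0/24 and 203.0.113.0/24:

```python
# Added example (illustrative, not Google's code): risk-scoring a login
# attempt from several signals beyond the password. Weights, the 900 km/h
# "impossible travel" limit and the threshold are assumptions; the login
# records are constructed test data.
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt


@dataclass
class Login:
    when: datetime        # UTC time of the attempt
    ip: str
    country: str          # from IP geolocation (assumed available)
    lat: float
    lon: float
    device: str           # device/cookie fingerprint identifier
    password_ok: bool


def km_between(a: Login, b: Login) -> float:
    """Great-circle (haversine) distance between two login locations, in km."""
    lat1, lon1, lat2, lon2 = map(radians, (a.lat, a.lon, b.lat, b.lon))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def score_login(attempt: Login, history: list, max_speed_kmh: float = 900.0):
    """Score an attempt against the account's previous successful logins
    (oldest first). Returns (score, reasons)."""
    score, reasons = 0, []
    if attempt.device not in {h.device for h in history}:
        score += 30
        reasons.append("new device")
    if attempt.country not in {h.country for h in history}:
        score += 30
        reasons.append("new country")
    # Hour-of-day signal: anything more than two hours from every past login.
    usual_hours = {h.when.hour for h in history}
    if history and not any(abs(attempt.when.hour - u) <= 2 for u in usual_hours):
        score += 10
        reasons.append("unusual hour")
    # Impossible travel: distance from the last login divided by elapsed time.
    if history:
        last = history[-1]
        hours = (attempt.when - last.when).total_seconds() / 3600.0
        if hours > 0:
            speed = km_between(last, attempt) / hours
            if speed > max_speed_kmh:
                score += 50
                reasons.append(f"impossible travel ({speed:.0f} km/h)")
    return score, reasons


def evaluate(attempt: Login, history: list, threshold: int = 50):
    """'deny' on a wrong password; otherwise 'allow', or 'challenge' (for
    example with a second factor) once accumulated risk reaches the threshold."""
    if not attempt.password_ok:
        return "deny", ["wrong password"]
    score, reasons = score_login(attempt, history)
    return ("challenge" if score >= threshold else "allow"), reasons


# Constructed sample data: an account that normally logs in from Phoenix, AZ.
_UTC = timezone.utc
HISTORY = [
    Login(datetime(2013, 3, 1, 15, 0, tzinfo=_UTC), "198.51.100.7", "US", 33.45, -112.07, "dev-1", True),
    Login(datetime(2013, 3, 2, 16, 0, tzinfo=_UTC), "198.51.100.7", "US", 33.45, -112.07, "dev-1", True),
]
# Same device, same city, next day: should be allowed.
NORMAL = Login(datetime(2013, 3, 3, 15, 30, tzinfo=_UTC), "198.51.100.9", "US", 33.45, -112.07, "dev-1", True)
# Correct password, but a new device in Kyiv one hour after a Phoenix login.
HIJACK = Login(datetime(2013, 3, 2, 17, 0, tzinfo=_UTC), "203.0.113.5", "UA", 50.45, 30.52, "dev-9", True)

if __name__ == "__main__":
    for name, attempt in (("normal", NORMAL), ("hijack", HIJACK)):
        print(name, evaluate(attempt, HISTORY))
```

Two design points matter more than the particular weights. First, the password check is a gate, not a signal: a wrong password is denied outright and never contributes to a risk profile an attacker could probe. Second, the outcome for a risky login is a challenge rather than a block, which is what keeps false positives tolerable for legitimate users who really did buy a new laptop or travel.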

120 Signals

I suspect that Google’s methods are analogous to those used by the U.S. Department of Health & Human Services’ Centers for Medicare & Medicaid Services (CMS) in its Medically Unlikely Edits (MUEs), which flag claims whose units of service are implausible. The flagged claims can be accidental, due to coding or data entry errors, or deliberate, when there is fraudulent intent, e.g. billing for more services, or for more expensive services, than were provided. Regardless of intent, identifying them reduces paid claims error rates.

How will the Affordable Care Act impact existing processes for detecting MUEs, and for setting benchmarks? CMS does not disclose its MUE criteria for the same reasons that Google will not reveal details about their 120 signals.

Continuous improvement is a part of life, for email-spam account hijackers, Google and the fraud detection team at the Centers for Medicare and Medicaid Services.

I wrote a post about health care, with a much more Ellie-centric theme, a few years ago. That was when I worked as a statistician for AHCCCS, Arizona’s state-administered Medicaid/Medicare program, monitoring program performance and quality of care.


Internet Voting in the U.S.

The tone of urgency in the newly published article Internet Voting in the U.S., in the Communications of the ACM* (October 2012), is striking. The article doesn’t waste any time with niceties. That unusual urgency was, in its own right, a signal to me of the importance of the issue.

Internet voting is not trustworthy

Use of the internet for voting is not recommended at this point in time because the errors and security breaches that can occur are myriad. They are not hypothetical: they were demonstrated recently, in a public test of Washington, D.C.’s internet voting system that a University of Michigan team compromised, which the article describes.

Errors can arise from human or electronic mishap, and there is also the possibility of malicious intent.

Is Internet voting, despite problems, superior to alternatives?

In fact, the answer is “No”. Internet voting is shown to be less secure than traditional paper voting and less secure than electronic voting at a polling place.

The point is that voting at a physical polling location, regardless of the vote collection method, is more trustworthy, given the current state of internet security.

Internet voting under unusual circumstances

Many registered voters are geographically distant from polling places, whether within the U.S.A. or, more dramatically, overseas, e.g. on a tour of duty in a war zone. Other examples include U.S. citizens serving in the State Department or the Peace Corps, or expatriates who happen to be in less accessible parts of the world, for any reason.

These scenarios were researched. Absentee ballots were dispatched by whatever means were determined to be most expeditious and secure. Based on the ACM article’s findings and its review of electoral research, ballots that were completed and returned even by the slowest and (probably) least reliable method, international overseas mail, arrived intact and in time to be counted.

Why worry?

Why is this of such importance? Because some counties in the U.S. have already transitioned to internet voting, and others are contemplating it.

It is vital to keep the decision to use or not use internet voting distinctly separate from external influences. Regardless of opinion about voter identification requirements, Internet voting is unwise, and subject to numerous errors at this time.

* The ACM is the Association for Computing Machinery. It is non-partisan, apolitical and acknowledged throughout the world as the primary professional association for scholarship in the field of computing.


Why is Amazon Legal Dept accessing my Gmail again?

Activity on this account
This feature provides information about the last activity on this mail account and any concurrent activity.
This account does not seem to be open in any other location. However, there may be sessions that have not been signed out.


Cryptome sampler

Via a website, a nice handy ASCII graph of all tables and their default chains (note that the graph’s legend has the two terms swapped: PREROUTING, INPUT, FORWARD, OUTPUT and POSTROUTING are chains, and raw, mangle, nat and filter are tables):

         { network }   <---------------------- packets enter your computer via a
              |                                physical or virtual interface
              | (PREROUTING)                   *nom nom nom nom*
 { kernel decides which table should be used }   <---- if the packet has destination equals to any
             /        \                                of the computers own IP-addresses, it will
(FORWARD) /          \  (INPUT)                    be sent to the INPUT table. Otherwise it is
        mangle         mangle                          sent to the FORWARD table, assuming that
          |              |                             net.ipv4.conf.*.forwarding = 1, otherwise
        filter         filter                          it should be dropped.
          |              |
          |         { program }   <----------- Programs that run on the computer AND is listening on
          |              |                     the destination protocol AND port of arriving packets
          |             raw  (OUTPUT)        from the INPUT chain will be fed with them. Programs
          |              |                     running on your computer poops their packets out at
          |            mangle                  the OUTPUT table.
          |              |
          |             nat                    
          |              |                     
          |            filter                    Legend:
           \             /                          (X) -> X is a table
            \           /                           {X} -> X is something obvious
  { the packet is put in POSTROUTING }               X  -> X is a chain
              mangle (POSTROUTING)
               nat                              The packet is ejected by some network interface. It could mean
                |                               that the packet is put on a physical network or that it is
           { network }   <--------------------- sent by a virtual networkinterface to a real network interface,
                                                in which case it could *again* enter the PREROUTING table.
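As an added worked example (my own illustrative Python, not kernel code and not from the page the graph came from), the following simulates the decision points in the graph for a single packet and returns the tables and chains it traverses, in the classic order documented for iptables: PREROUTING (raw, mangle, nat), then the routing decision, then either INPUT (mangle, filter) for packets addressed to one of the host’s own addresses, or FORWARD (mangle, filter) followed by POSTROUTING (mangle, nat) when forwarding is enabled; packets emitted by a local program start at OUTPUT (raw, mangle, nat, filter) and then pass POSTROUTING. The raw and nat steps of PREROUTING are not drawn in the graph above, and newer kernels also run a nat hook in INPUT, which is omitted here:

```python
# Added example: simulate the netfilter tables and chains one packet passes
# through, in the classic iptables traversal order. Illustrative code, not
# kernel code. Omitted on purpose: the nat hook newer kernels add to INPUT,
# and loopback re-entry into PREROUTING (the graph notes this can happen).
from ipaddress import ip_address

# Tables consulted within each built-in chain, first to last.
CHAIN_TABLES = {
    "PREROUTING":  ["raw", "mangle", "nat"],
    "INPUT":       ["mangle", "filter"],
    "FORWARD":     ["mangle", "filter"],
    "OUTPUT":      ["raw", "mangle", "nat", "filter"],
    "POSTROUTING": ["mangle", "nat"],
}


def traverse(dst, local_ips, forwarding, locally_generated=False):
    """Return (verdict, path) for one packet.

    dst:               destination IP address of the packet
    local_ips:         addresses configured on this host's interfaces
    forwarding:        net.ipv4.ip_forward (a.k.a. net.ipv4.conf.all.forwarding)
    locally_generated: True for packets a program on this host emits
    verdict is one of 'local', 'forwarded', 'dropped', 'sent';
    path is the ordered list of (table, chain) hooks.
    """
    path = []

    def hooks(chain):
        path.extend((table, chain) for table in CHAIN_TABLES[chain])

    if locally_generated:
        # Programs "poop their packets out" at OUTPUT, then POSTROUTING.
        hooks("OUTPUT")
        hooks("POSTROUTING")
        return "sent", path

    hooks("PREROUTING")
    # Routing decision: one of our own addresses -> INPUT (delivered to a
    # listening program); anything else -> FORWARD, only if forwarding is on.
    if ip_address(dst) in {ip_address(a) for a in local_ips}:
        hooks("INPUT")
        return "local", path
    if not forwarding:
        return "dropped", path
    hooks("FORWARD")
    hooks("POSTROUTING")
    return "forwarded", path


def describe(verdict, path):
    """One-line rendering such as: local: raw/PREROUTING -> ... -> filter/INPUT"""
    return f"{verdict}: " + " -> ".join(f"{t}/{c}" for t, c in path)


if __name__ == "__main__":
    me = ["192.0.2.1", "10.0.0.1"]          # constructed host addresses
    print(describe(*traverse("10.0.0.1", me, forwarding=False)))
    print(describe(*traverse("10.0.0.2", me, forwarding=False)))
    print(describe(*traverse("10.0.0.2", me, forwarding=True)))
    print(describe(*traverse("10.0.0.2", me, forwarding=True, locally_generated=True)))
```

The practical check this encodes: a filter rule in INPUT never sees a packet that is merely being routed through the host, and a rule in FORWARD never sees a packet addressed to the host itself, so a firewall that only filters INPUT will happily pass transit traffic the moment forwarding is switched on.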

Additional links of a similar nature, all from the same website


Computer Virus Related Crime

Whac-A-Mole seems like it could be endless fun. Moles pop out of five holes in the arcade game and a soft mallet is used to force them back into the holes to score points. Children and adults alike could whack the moles for hours at a time.

Or at least they could, until a worker programmed a virus into the machines to make them shut down after a predetermined number of plays.

Now police have arrested that 61-year-old man, a resident of Orlando, Florida. He will face intellectual-property-related charges. He was motivated by a combination of job security concerns and avarice. Bob’s Space Racers, an amusement game manufacturer and creator of the Whac-A-Mole game, was the injured party.

[The accused] was treated as an independent contractor and began working for Bob’s Space Racers in 1980. He received a fee for creating and maintaining the company’s computer programs.

In 2008, company officials began encouraging him to transition his status from contractor to full-time, salaried employee.

His response was to increase the maintenance fee he was charging by 250%.

Company officials believe [the accused] intended to start a company that would sell working modules of Whac-A-Mole to customers of Bob’s Space Racers who were having issues with the modules he had infected with the virus.

via Whac-a-Mole virus arrest, The Orlando Sentinel.

With thanks to @lcamtuf.


FeedBurner Security and Sensibility

Feed Security

For any blogger or creator of syndicated content who might happen to pass by The Annex, I’d like to pass on this tip about the importance of keeping your Feed Bulletin feed private.