An open letter to new US FTC Chairman Jon Leibowitz

Postby AlphaCentauri » Thu Apr 09, 2009 12:00 am

One of the changes going on with the new US presidential administration is the appointment of a new chairman for the Federal Trade Commission, which is concerned with spam and other advertising, as well as with identity theft and internet fraud. In addition, President Obama has promised greater attention to the risk of cyber attacks on national security.

The following open letter to the new chairman, Jon Leibowitz, is the result of contributions from a number of the members of InboxRevenge.com. In light of recent news articles about cyber attacks on the US power grid and on military computers, it's something that deserves attention.

====================================================================

We very much support the efforts the FTC is taking to educate consumers about internet fraud and identity theft, and we recommend that everyone view the excellent materials online at ftc.gov. However, those types of problems require a level of coordinated effort beyond what any one individual or business can accomplish. We urge the next head of the FTC to see the big picture. And one obvious part of the picture is spam.

Spam is like a flashing light alerting us to far more serious criminal activity beneath the surface. By minimizing the severity of spammers' offenses, you lose the ability to expose and investigate much deeper risks to the US, even impacting on national security.

Spam -- unsolicited commercial email -- is a nuisance. Because it is so inexpensive to advertise through email, spam volume has ballooned to comprise the vast majority of email messages. And the majority of the spam being mailed advertises products that are fraudulent or illegal, whose sponsors do not care about building a positive brand image. Most users have little idea how much spam would be arriving in their inboxes if their internet service providers were not using strategies to block the worst of it.

This is obviously a problem in terms of time/money spent on spam filtering systems and in deleting spams that pass through filters. More importantly, the loss of valid emails due to spam filtering is making some types of email communication extremely difficult. Legitimate commercial email is lost in the deluge of spam messages.

But the problem in the inbox pales by comparison to the multiple layers of illegal activity spammers employ to circumvent users' attempts to avoid their garbage. Spammers are hijacking the computers of innocent users to send their email and host their web sites. They are using stolen identities to register their website domain names, and using stolen credit/debit/PayPal accounts to pay for them. Their websites flagrantly violate trademarks, fraudulently claim approval from agencies like the FDA and Better Business Bureau, use stock photos of buildings and people to create imaginary locations and corporate officers for themselves, display forged pharmacy licenses, and sell counterfeit copies of drugs still protected by patents within the US. They abuse voice-over-internet phone service, using US local phone numbers to give unwitting consumers the impression they are located within the US. They transmit protected health information and credit card numbers via insecure connections, and use fake images of SSL icons to deceive consumers about that fact. They require no prescription for drugs that require one in the US, often including controlled narcotics. They ship pills of questionable content into the US, competing with those produced under FDA oversight, and they smuggle them through customs via fraudulent declarations. They use spam emails to lure additional people to websites where their computers will become infected with malicious programs like computer viruses and Trojan horses, allowing the spammers to continue to expand their power to abuse the internet.

While CAN-SPAM attempted to provide a safe haven for legitimate emailers, it is totally ignored by the criminal spammers whose products would still be illegal no matter how "compliant" their emails might be. Enforcement is hampered because spammers can maintain anonymity by using other people's hijacked computers, and because many of the most prolific spammers operate in countries which tolerate or even condone their activities.

But the situation is not as hopeless as it would appear. Not all reasonable measures are being taken to control the problem. Spammers could not continue at this level of activity without the passive cooperation of legitimate businesses. For instance, there are multiple systems in existence to identify the hijacked computers and illegally registered domain names that spammers rely on to conduct their business. Spam filtering products rely on them to obtain the necessary information to identify spam. Yet that information is often ignored by the otherwise legitimate registrars, hosting companies and telecommunications services which have the power to do something about it.

Does anyone really believe the spammer smuggling counterfeit Viagra into the US is sitting at home at the address provided in the domain registration, waiting for law enforcement to drop by? Then why is there unwillingness to investigate and suspend these domains? Do internet service providers think their customers would rather not know their computers are controlled by strangers in foreign countries, sending spam and helping themselves to users' personal information? Then why are they so unreceptive to reports of hijacked servers within their own networks? Do banks consider it acceptable for their clients' credit card numbers to be stolen to register illegal domains? Then why is there no effort to identify and close the credit card merchant accounts being used to process orders at those same sites? And when it would be simple to block all traffic from rogue countries which allow these criminals to operate, why are US internet companies so lax at shutting down bots on their own networks, making it impractical for American companies to block traffic from the worst spam-spewing IP address ranges?

The other issue is that these armies of zombie computers, called "botnets," do more than just send spam or host websites. They are also used to conduct Distributed Denial of Service attacks. In such attacks, large numbers of computers access the resources of an internet target simultaneously, making it impossible for that web site to continue to operate without spending large sums of money for mitigation.

We in the antispam community saw an extreme example of such an attack in 2006 when angry spammers attacked the company Blue Security, whose product submitted automated unsubscribe requests for its members. The high volume of that DDoS attack not only shut down Blue Security, it knocked many other innocent firms off-line as well. Yet this was apparently dismissed as a private matter between Blue Security and the spammers, and there was no notice given of the potential risk to national security posed by criminals with control of such a powerful botnet. A year later, a DDoS was used to attack government agencies in the nation of Estonia. While our government expressed concern, there was little evidence of action. Now similar attacks on the nations of Georgia and Kyrgyzstan have been in the news, and non-governmental targets continue to be attacked for the purpose of extortion or harassment. This is more than merely a commercial or consumer nuisance; it is a threat to national security.

These botnets are in fact being purchased and maintained by the spam economy. That's the "military budget" keeping those "standing armies" available for rental by any terrorists who might wish to attack the US. There is serious potential for cyberterrorism to cripple significant parts of the US government and private sector, and spam is just one particularly visible part of the problem. The silly messages and sexually oriented products should not deceive anyone about the danger. We ask you to work to coordinate the various companies whose actions and inaction enable spammers to operate, so that the current state of extreme lawlessness can be brought under control.


-- from the spam and
internet security investigators
at InboxRevenge.com

Re: An open letter to new US FTC Chairman Jon Leibowitz

Postby spamislame » Thu Apr 09, 2009 9:40 am

Thank you for posting that.

SiL

Re: An open letter to new US FTC Chairman Jon Leibowitz

Postby meep » Thu Apr 09, 2009 10:17 am

Very well thought out. - Should this be posted on a blog that gets a lot of readers? - say SiL's?

Re: An open letter to new US FTC Chairman Jon Leibowitz

Postby AlphaCentauri » Thu Apr 09, 2009 11:03 am

I'd suggest everyone contact their local media outlets and US congresspersons. If national media outlets hear it from more than one of us, that might help, too. Blogs and twitters go without saying.

Re: An open letter to new US FTC Chairman Jon Leibowitz

Postby spamislame » Thu Apr 09, 2009 12:15 pm

Posted to my blog. I'm sending a quick email to several other outlets.

SiL

Re: An open letter to new US FTC Chairman Jon Leibowitz

Postby meep » Thu Apr 09, 2009 12:24 pm


Re: An open letter to new US FTC Chairman Jon Leibowitz

Postby AlphaCentauri » Thu Apr 09, 2009 12:47 pm

spamislame wrote: Posted to my blog. I'm sending a quick email to several other outlets.

Great!

Re: An open letter to new US FTC Chairman Jon Leibowitz

Postby spamislame » Thu Apr 09, 2009 1:15 pm

Email with full text and link sent to:

- Brian Krebs
- Wired "Threat Level" blog
- Wired editorial
- NY Times editorial (with mention for their technology editors.)

Working on:

- Canadian news outlets
- British news outlets

SiL

Re: An open letter to new US FTC Chairman Jon Leibowitz

Postby AlphaCentauri » Thu Apr 09, 2009 1:34 pm

Let me say how nice it is to have someone with your background on this forum. :D

Re: An open letter to new US FTC Chairman Jon Leibowitz

Postby meep » Thu Apr 09, 2009 2:08 pm

100% agreed, AC. :) +2

Re: An open letter to new US FTC Chairman Jon Leibowitz

Postby spamislame » Thu Apr 09, 2009 3:21 pm

Well: It may not amount to much. I appreciate the kind words but it's only if one of them actually reads or picks up that story that anything will really come of it in terms of expanded audience.

More as I get to it. Busy week again.

SiL

Re: An open letter to new US FTC Chairman Jon Leibowitz

Postby BlueFrog » Thu Apr 09, 2009 3:34 pm

Well said.
You musta been standing on your tongue to avoid mention of the 'heck of a job' done by toothless? :lol:
Spam? What Spam?

Re: An open letter to new US FTC Chairman Jon Leibowitz

Postby AlphaCentauri » Thu Apr 09, 2009 5:33 pm

BlueFrog wrote: Well said.
You musta been standing on your tongue to avoid mention of the 'heck of a job' done by toothless? :lol:
Spam? What Spam?

Ultimately, this should not be about ICANN. Registrar and ISP abuse employees should be able to identify illegal activity and quickly suspend domains/terminate hosting/address hijacked servers, preferably using automated processes that reduce the need for the spam to actually hit an inbox and get reported by an altruistic third party. ICANN should only have to come into play for the few registrars that willfully cater to criminals.

We're still at the stage where even companies that think of themselves as good corporate citizens are being manipulated by criminals because they aren't aware of the underlying issues, and because they think spam reporters are a bunch of cranks who don't know how to click "delete." Just changing ICANN policy wouldn't begin to address that.

Things are changing. We just have to take the long view and keep at it.

Re: An open letter to new US FTC Chairman Jon Leibowitz

Postby AlphaCentauri » Thu Apr 09, 2009 10:43 pm


Re: An open letter to new US FTC Chairman Jon Leibowitz

Postby faith_michele » Fri Apr 10, 2009 5:17 am

Thank you! :D

You always have to follow the money and now that Conficker is showing signs of alliance with Waledac, it is getting harder to ignore. The wasted evidence that you mentioned in the SecurityFix reply is a really good point.

A little irony...

This was written in 2003.

The digital Pearl Harbor: What it's not

The phrase digital Pearl Harbor was first seen in print in 1991. D. James Bidzos, then president of RSA, said the government's digital signature standard provided "no assurance that foreign governments cannot break the system, running the risk of a digital Pearl Harbor."

By 1998, the term's use was reasonably common, a dark, lowering cloud on the horizon of the Internet revolution. Newsweek, in an article from that year, suggested it would come in the form of a "sophisticated attack on our digital workings [which] could create widespread misery: everything from power failures to train wrecks."

Since then, the phrase has become bromidic to the point that former cybersecurity czar Richard Clarke declared that "digital Pearl Harbors are happening every day."

Whether conceived of as rare or quotidian, the digital Pearl Harbor's definition has remained constant: It's a computer outage, a big one, a physically and financially damaging one. More recently, it has become a shorthand way to say, "Terrorists will take down the Internet."

In either case, this definition is wrong. Not only is it wrong, it's not even useful.

"I hesitate to even use the term," says Jeff Schmidt, an elected member of the FBI's InfraGard national executive board. "It's come to mean any attack that's massively inconvenient. But I don't think they merit the term digital Pearl Harbor."

"We need to distinguish between the mischievous and the malicious," says Darwin John, who served recently (albeit briefly) as CIO of the FBI and is considered one of the godfathers of the CIO profession. "We've tolerated the attacks until now because they're mischievous. The malicious attack will be the one that moves the public consciousness, and it's so much harder to know what that attack will be."

It's much easier to know what a digital Pearl Harbor won't be. Taking down the Internet or ATM networks, compromising the Social Security database, even hacking into the electric grid--Schmidt and others argue that while each event may be part of a digital Pearl Harbor, none qualifies in and of itself. None would galvanize society, spurring it to action.

And it needn't be a terrorist attack. Open networks coupled with vulnerable software make it more likely that a transformational event will arise from a more banal source, like a motivated group of computer experts, a common thief or, most fickle of all, an accident.

The coming digital Pearl Harbor doesn't even have to be a single event. Thinking about the nature of disasters, Software Engineering Institute fellow Watts Humphrey consulted nuclear power people. "I talked to one guy who did nothing but review incidents," Humphrey says. "And typically, these kinds of disasters result from a combination of many smaller events that each seem highly unlikely. But they all happen at once to create unforeseeable consequences."

That's the "Perfect Storm" theory, and what makes an event perfect (in a negative sense) is the apparent lack of relationship between systems in a complex environment. The blackout last August was a Perfect Storm. Random, seemingly unrelated factors--an aging power grid, certain corporate decisions, a heat wave, a history of deregulation and some human errors--all came together to darken a significant chunk of the northern hemisphere.

"That's how modern systems fail," says Humphrey. "And our networks are so big and fast that things which seem damn near impossible happen every few days."


http://www.computerworld.com/printthis/ ... 46,00.html