Journal Article Reviews

PayPal, FBI and Others Wage War on Botnet Armies. Can They Succeed?

Since botnets have absorbed threats such as spam and DDOS attacks, they have become the biggest threat to the Internet and activities like email, online gaming, and e-commerce. Not only can botnets disable the mechanisms used to protect against DDOS and phishing attacks, they can threaten the online activities of banks, online betting companies, ISPs, and entire countries.

A botnet army thought to have originated in Russia brought down the computer infrastructure of Estonia in May 2007. In March 2008, the UK gambling site Gala Coral was taken down for 30 minutes by one of the most sophisticated DDOS attacks to be completed by a botnet army. This botnet army consisted of 30,000 PCs and Macs.

Botnets are successful because they can be easily launched to a large number of Internet-attached computers via a variety of malware programs. Once the computers download the malware program, they are connected to a Command and Control (CC) center via Internet Relay Chat (IRC). A specific IRC server known as the Bot Herder issues commands to the botnet computers (pawns). Sample commands would be to launch a DDOS attack, phishing and identity theft scams, spam, or click fraud. Each pawn executes these commands at a different speed, depending on its processing capability, its Internet connection, and its geographic location, which is another strength of botnet attacks: it's harder for defense programs to detect the activity because there isn't a discernible pattern.

The Storm Worm Botnet was identified in January 2007 and is estimated to have included at least 200,000 pawns in a large-scale DDOS attack. The Storm targeted security vendors and analysts known to be investigating botnets. These types of attacks have discouraged some security companies from researching botnets directly. Additionally, Storm used peer-to-peer communications to issue commands from a subset of pawns, rather than from a single Bot Herder. These pawns issued commands on a rotating basis, which made for an elusive target. Storm also encrypted its instructions.

Botnets have also launched straightforward identity or banking frauds, aimed particularly at PayPal. Some of these scams are easily discovered, but many people have fallen victim to botnet scams. Furthermore, botnets allow fraudsters to “buy time” on an existing botnet, rather than launching their own attacks individually.

By tapping into the broadband bandwidth of a million or more computers, botnets can access bandwidth of a petabit per second (1 million Mbps). This enormous bandwidth can overwhelm any penetrated network or website during a DDOS, but can also deliver spam and phishing emails to large numbers of people very quickly.

During phase two of its “Bot Roast” in November 2007, the FBI uncovered a million compromised computers and secured two convictions. While significant, this may have merely exposed the scale of the problem. The anti-botnet vendor FireEye estimated that there are 150 million bot-infected computers worldwide. Another anti-bot vendor Damballa identified 7.3 million pawns carrying out commands each day in January 2008, which is over twenty times the 333,000 each day in August 2006. Included in the activity was a large amount of spam, which in March 2008 accounted for 91% of all email, up from 64% in June 2007.

Along with government agencies, the security industry is responding to the botnet threat. Symantec announced a new botnet detection capability through its Managed Security Services (MSS) in October 2007. MSS can detect botnet activity and identify which malware was used to recruit the botnet pawn.

PayPal has developed a learning-based system which revises the profiles of customer, merchant, and bank behavior. This allows PayPal to identify fraud at various stages and take further action such as limiting or blocking certain customer or merchant accounts or seeking further identity verification. The biggest challenge is to attack botnets without impeding legitimate activities.

Mr. Hunter seems to think that it’s almost impossible to completely stop botnet attacks. While the FBI, security industry, and individual sites like PayPal are all working toward a common goal of hindering botnet attacks, Mr. Hunter spends most of the article explaining why this is almost impossible. This seems awfully pessimistic, but it may be a realistic conclusion that Mr. Hunter has come to as a result of his extensive research.

I think this article is important because it explains in detail one of the biggest threats to all Internet-users. Prior to reading the article, I had obviously heard of spam, phishing, and DDOS attacks, but I wasn’t aware that most of these attacks are actually initiated by botnets, much less that botnets could shut down the entire computer infrastructure of an entire country. Drawing new attention to the threat that botnets pose can cause more Internet users to be more cautious and also demand that further strides be made in the fight against botnet attacks. If knowledge is power, then this article can provide an immense amount of power to those previously uneducated about the issue.

I would definitely recommend this article to other people. I think that it’s important for Internet-users to be educated about the potential dangers of their online activities. Understanding how botnet attacks are launched and taking steps to protect their own computer from becoming a pawn can help protect not only their identity and data, but also the identities and data of (potentially) millions of other Internet-users. In addition to becoming more knowledgeable about this topic, I think that Internet-users need to take steps such as setting strong passwords, downloading and using antivirus/anti-malware programs, and ensuring that their Internet connection is secure.

Hunter, Philip. “PayPal, FBI and Others Wage War on Botnet Armies. Can They Succeed?” Computer Fraud & Security 2008.5 (May 2008). 8 Dec. 2011 <http://www.sciencedirect.com/science/article/pii/S1361372308700824>.

A Comparison of Website User Authentication Mechanisms

As more and more websites store and allow access to sensitive personal information, Internet-users are going to have to be more cautious in the way they authenticate themselves online in order to combat unauthorized access and identity theft. Online banking, commercial sites that store payment card details, and social networking sites all require adequate safeguards. However, most online accounts are only protected by a username (or email address) and password.

A study by the UK’s Cyber Security Knowledge Transfer Network found that, “Most security mechanisms are currently chosen to protect the technology, with little or no consideration of the impact on individuals. This compounds the effect of increasing system complexity. Many existing mechanisms create a high workload for individual users.” Specifically, the researchers cited the sheer number of passwords and PINs users are expected to manage and remember as an example of the problem.

Beyond usability, it would be good to move away from passwords because they’re not user-friendly and are considered to be vulnerable. Trying to simplify security for the user often relies on information that someone familiar with the target user could be in a position to know, which reduces security. Methods that attempt to reduce vulnerability result in decreased usability by requiring users to remember more information or follow more time-consuming processes.

In the case of online banking, users are willing to complete additional security steps, because they want to protect their actual assets. However, extensive security measures like requiring a user to enter his/her date of birth and specific digits from a security number (HSBC website) or certain digits from a PIN and a random date using an onscreen key pad (ING website) wouldn’t scale well. And other security measures like requiring a card reader in order to access an account remove usability as well. While the website can be accessed from any Internet-ready device, the user would have to carry his/her card reader around at all times in order to access the site away from his/her primary computer.

An alternate security method is the question and answer approach. The user answers a set of questions when he/she originally registers for the site. At each subsequent login, the system randomly selects a small subset of those questions, which the user must answer in order to proceed. An advantage of the question and answer approach is that it uses easily memorable, but still secret, information. A disadvantage is that it requires a lengthy exchange in order to gain entry; this is why some websites currently use this as a secondary level of authentication, rather than a primary level.
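The question and answer login described above, sketched as an added example (not code from the article or from any site it mentions). The class and function names, the PBKDF2 work factor, and the sample answers are assumptions; the example stores only salted hashes of normalized answers and keeps the same question subset pending until it is answered correctly, so a guesser cannot re-roll for questions they happen to know.

```python
import hashlib
import hmac
import os
import secrets
import unicodedata

PBKDF2_ROUNDS = 100_000  # assumed work factor for this example

# Constructed sample registration data (not real answers).
SAMPLE_ANSWERS = {
    "Street you grew up on?": "Maple Street",
    "First pet's name?": "Biscuit",
    "Favourite teacher?": "Mrs. Okafor",
    "First concert?": "The Lanterns",
}

def _normalize(answer: str) -> bytes:
    # Case, spacing and Unicode form should not lock out the real user.
    folded = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(folded.split()).encode("utf-8")

def _digest(answer: str, salt: bytes) -> bytes:
    # Answers are low-entropy, so store a slow salted hash, never plaintext.
    return hashlib.pbkdf2_hmac("sha256", _normalize(answer), salt, PBKDF2_ROUNDS)

class QuestionAuthenticator:
    def __init__(self, subset_size: int = 2):
        self.subset_size = subset_size
        self._records = {}  # user -> {question: (salt, digest)}
        self._pending = {}  # user -> questions asked and not yet answered

    def register(self, user: str, answers: dict) -> None:
        if len(answers) <= self.subset_size:
            raise ValueError("register more questions than are asked per login")
        record = {}
        for question, answer in answers.items():
            salt = os.urandom(16)
            record[question] = (salt, _digest(answer, salt))
        self._records[user] = record

    def challenge(self, user: str) -> list:
        # Pick the random subset once; repeat it until answered correctly.
        if user not in self._pending:
            pool = sorted(self._records[user])
            self._pending[user] = secrets.SystemRandom().sample(pool, self.subset_size)
        return list(self._pending[user])

    def verify(self, user: str, responses: dict) -> bool:
        asked = self._pending.get(user)
        if asked is None or set(responses) != set(asked):
            return False
        ok = True
        for question in asked:  # check every answer, no early exit
            salt, expected = self._records[user][question]
            ok &= hmac.compare_digest(_digest(responses[question], salt), expected)
        if ok:
            del self._pending[user]  # a new subset is drawn at the next login
        return ok
```

A production deployment would also rate-limit failed attempts per account, which this example leaves out.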

Sites can also use visual and graphical methods of authentication, such as these three approaches:

  • The user remembers a sequence of images
  • The user remembers something about an image
  • The user has to draw an image

In theory, it’s easier for users to remember images than strings of characters. However, at this time, there isn’t much empirical data to support this in real users.

While all these methods are relatively straightforward, they all require different techniques and ongoing use would have different implications for the end-user:

  • Mental effort (user’s ability to memorize and recall, varying levels of precision)
  • Convenience (login speed, effort/engagement required)
  • Applicability (able to work on desktop, mobile, and handheld devices)
  • Flexibility (ability to change authentication credentials)
  • Mutual authentication (the user can verify that the site is authentic at the same time the site verifies that the user is authentic)

Table 2. Comparing the Authentication Alternatives

There is no perfect option, since all methods have pros and cons. Users will probably prefer to continue using passwords because it’s easy, and websites will probably prefer to continue using passwords because they can be used from any type of device. This may change over time, once users realize the consequences of their accounts being compromised.

Mr. Furnell seems to have resigned himself to the fact that the current system of usernames and passwords will continue to be the method that websites use, until the users themselves decide that their data is important enough to warrant stronger security measures. It’s clear from the extensive research that Mr. Furnell thinks that the question and answer or visual and graphical methods would be better for the user’s protection, but he concedes that the heavy burden on the user and web developer make these methods virtually unusable at this time.

This article is important because it reveals the potential location of a major security breach for many Internet-users. Not only do people need to protect their online banking information for obvious reasons, but it’s becoming increasingly important for users to protect their identities on social networking sites. As more and more employers and potential friends and romantic interests use the Web to research individuals, it’s vital that users make sure that the information about them is accurate. Without sufficient security measures, a user’s personal data could be compromised.

Again, I would definitely recommend this article to other people. Since websites won’t implement stronger security measures until their users demand them, the users need to be aware of the potential for loss and the options for additional protection available to them. I think that if people used one or two sites with slightly stronger security measures, they could quickly adapt and accept these methods at more and more sites. For example, in order to access my US Bank Visa account online, I visit http://www.usbank.com/ and enter my Personal ID. The site then asks me a security question from a bank of questions I answered when I registered for the site. Finally, the site shows me a picture that I selected with a keyword and requests that I enter my password. If I don’t answer the security question correctly, I can’t proceed. And if the picture and keyword don’t match those that I selected, then I know that I’m on the wrong site and I shouldn’t enter my password. This method doesn’t take much longer than a traditional login, but it has multiple layers of security for both me and the bank.

Furnell, Steven. “A Comparison of Website User Authentication Mechanisms.” Computer Fraud & Security 2007.9 (Sept. 2007). 8 Dec. 2011 <http://www.sciencedirect.com/science/article/pii/S136137230770115X>.


U of I Comparison via Motion Chart

Motion Chart Comparing UIUC, UIS, and UIC


An Introduction to Google AdWords


Pandora Internet Radio

Pandora.com is a “personalized Internet radio that is designed to help you discover new music you’ll love mixed in with music you already know.”  Using their Music Genome Project research, Pandora suggests songs that are similar to those the listener has indicated that he/she likes.

Pandora’s value propositions include personalization, customization, and convenience.  Pandora allows the user to create up to 100 stations based on songs, artists, or genres.  Once the station is created, the user can vote songs up or down to determine whether the song will stay on the station and help Pandora suggest future songs.

Pandora utilizes advertising and subscription models for revenue.  Free accounts are supported via video, audio, and visual advertisements.  For $36 per year, users can upgrade to Pandora One, which eliminates all external ads and gives the user additional benefits.

While Pandora has many competitors in the Internet radio market, none of them offer a service exactly like Pandora’s Music Genome Project.  Entering the market is relatively easy, but many users may be unwilling to switch between service providers once they invest time in creating stations and building their preferences.

Pandora currently relies mostly on word of mouth marketing.  Music is an excellent candidate for this strategy because people enjoy passing on good recommendations.  This is great for Pandora right now because it’s an extremely low-cost approach.  But it’s also good because it leaves Pandora a lot of room to expand their marketing techniques in the future.  Potential techniques could include banner ads and product placement in TV shows or movies.

I believe the biggest threat to Pandora’s survival is also their biggest asset: their large number of users.  Pandora has to pay royalties for every song that every user listens to.  As the number of listening hours increases, the number of ads that users see or hear decreases sharply after a certain point.  It is imperative that Pandora increase the number of Pandora One users and/or generate additional revenue streams from music downloads or other sources.


Pay with PayPal? Or Moneybookers?


Sony PlayStation Security Breach

This first video discusses the Sony PlayStation hacking scandal as it was unfolding.  At that point, it was unclear exactly how many people would be affected and how long the service interruption would last.

In the second video, it’s revealed that Sony’s service to 77 million users was interrupted for 3 weeks in the US while the breach was secured and security measures were increased.

I think that security breaches like this are very troubling, because they’re not something that people are necessarily guarding against as well as they might be protecting their information in other places.  More and more people know to check their credit card statements and credit reports regularly for fraudulent activity.  Spam filters are becoming better at identifying emails that are actually attempts at phishing, and as the infamous story about a Nigerian prince who wants to share his inheritance with you (if only you’ll send him $1,000 first) becomes more well known, fewer people will fall for those types of schemes.

However, it is becoming increasingly difficult to avoid putting your identifying information and credit card numbers at least a few places on the web.  If you want to download the Amazon AppStore free app of the day, they require a credit card on file.  If you want to download additional tracks for your Rock Band video game, you have to pay for them somehow.

I think there are a few main things that people can do to protect themselves online:

  • Use different user names and/or passwords for different sites.  That way, if a hacker gains access to one account, he/she won’t necessarily have access to all of your accounts.
  • While you’re at it, use a strong password.  Make sure that it’s something you can remember, but not something that’s easy to guess.
  • Choose which sites and services you give your information to carefully.  If possible, use a secure service like PayPal instead of putting your personal info into every form that asks for it.
  • Use credit cards for purchases instead of debit cards.  That way your bank account is less vulnerable and you’ll have stronger consumer protection on your side in the event of a breach.
  • Watch your accounts like a hawk!  I know so many people who don’t balance their checkbook on a regular basis or keep track of their credit card purchases.  Just because you still have a positive bank balance doesn’t mean that everything is OK.  Make sure that nothing is coming out of your account unless you authorized it to do so.
  • Check your credit report on a regular basis.  You can get a free credit report from the big three reporting companies (Experian, Equifax, and TransUnion) once a year at annualcreditreport.com.  If possible (and financially feasible), sign up for a service that monitors your credit on a more regular basis.  I get a quarterly update of my credit report through my Capital One card for a $5 fee every month.


iOS and Android and RIM… Oh, my!

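|                 | iOS                  | Android                            | RIM           |
|-----------------|----------------------|------------------------------------|---------------|
| Current Version | 4.3 and 4.3.5        | 2.3.6 Gingerbread & 3.2 Honeycomb  | 6.0.0 & 7.0.0 |
| Device #1       | Apple TV             | HTC Evo 4G                         | Curve 9350    |
| Device #2       | iPhone 4             | Droid Bionic                       | Torch 9810    |
| Device #3       | iPod Touch (4th gen) | Droid 3                            | Bold 9780     |
| Device #4       | iPad                 | Samsung Galaxy Tab 10.1            | Pearl 3G 9100 |
| Device #5       | iPad 2               | Toshiba Thrive                     | Curve 3G 9330 |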

This article from VentureBeat.com discusses consumer preference among these three operating systems.  Nearly half of the ChangeWave survey respondents say they would prefer an iOS-equipped iPhone.  Thirty-two percent of respondents say they prefer the Android OS, and only 14% of respondents said they would prefer a RIM-equipped BlackBerry.  iOS and Android both experienced growth in demand since ChangeWave’s previous March survey (two points and one point, respectively), while RIM experienced a one point drop in demand.

This humorous article from AndroidandMe.com compares the stereotypes of Android and iOS users.  Windows, RIM, and Palm operating systems were relegated to two small cells at the bottom of their chart.
