Archive for the ‘Hacking’ Category

IRW-2009-6:Hackers: Taxonomy & Writing Styles

June 1, 2009


The current issue of IRW should reach subscribers’ inboxes during the day or, at the latest, tomorrow.

In this issue:

  • Featuring article: Hackers: Taxonomy and Writing Styles
    Due to the increasing interest in developing Information Retrieval and Data Mining courses at the intersection of Information Security, this issue of the newsletter covers a brief taxonomy of hackers and their writing styles.
  • QA: Excel Matrix Multiplications: How to convert a term-document occurrence matrix into a term-term or document-document co-occurrence matrix?
  • Vacuum Tubes & Transistors Historical
  • Who is Who in IR: Thomas K. Landauer
  • Top CS Departments: Dartmouth College
  • Outstanding Graduate Theses
  • Calls and Events
  • IR Blogs
  • and more…

Ethical Hacking: An Oxymoron, a Misnomer, or Both?

May 18, 2009

According to a report from the British Computer Society (BCS) covering a Security Panel Strategic Forum, “ethical hacking” is an oxymoron.

The report highlights do’s and don’ts when it comes to defining terms like “hacker”, “ethical hacking”, “penetration tester”, “white/black hats”, and derivative terms. These labels are frequently used in the IT industry. The report also underscores which terms should not be used by schools offering IT courses.

The problem with defining and redefining such labels is that there will always be others disagreeing with/circumventing said definitions.

For instance, in the December 1986 issue of MicroTimes, Bob Bickford wrote:

“A Hacker is any person who derives joy from discovering ways to circumvent limitations.”

If we accept this definition, then a person who doesn’t derive any joy from discovering ways to circumvent limitations is not a hacker. Similarly, a cheating spouse, an SEO, a spammer, a politician, a mobster, or a kid trying to get some candy from mom is a hacker.

I am taking this extreme, off-topic interpretation to illustrate the problem of semantics when it comes to defining things.

Whether you agree or disagree partially or totally with the report, it is a good read. For sure it will be a good piece for students planning to take my AIRWeb graduate course.

IRW: RIA Vulnerabilities

May 4, 2009

The current issue of IRW should reach subscribers’ inboxes tomorrow.

In this issue:

Featuring article: RIA Vulnerabilities

This issue of the newsletter discusses how hackers might be exploiting Web vulnerabilities found in Rich Internet Applications (RIAs). As mentioned in our previous issue, some RIAs are based on Adobe’s technologies like Flash, Flex, or AIR. Some are designed to run online or offline. Their rising popularity has attracted developers and marketers and, as expected, hackers and spammers.

QA: Excel Vector Normalization: How do I convert a row vector into a unit vector?
Who is Who in IR: C.J. van Rijsbergen
Top CS Departments: Polytechnic University of Puerto Rico
Historical Notes: ENIAC Computer
Outstanding Graduate Theses
Calls and Events
Research Blogs
and more…

Hackers Hit Pentagon

April 22, 2009

It happened again: thanks to Web vulnerabilities, hackers were able to hit the Pentagon.

According to CNN (http://www.cnn.com/2009/US/04/21/pentagon.hacked/),

Thousands of confidential files on the U.S. military’s most technologically advanced fighter aircraft have been compromised by unknown computer hackers over the past two years, according to senior defense officials.

The Internet intruders were able to gain access to data related to the design and electronics systems of the Joint Strike Fighter through computers of Pentagon contractors in charge of designing and building the aircraft, according to the officials, who did not want to be identified because of the sensitivity of the issue.

In addition to files relating to the aircraft, hackers gained entry into the Air Force’s air traffic control systems, according to the officials. Once they got in, the Internet hackers were able to see such information as the locations of U.S. military aircraft in flight.

This news is quite relevant to my Fall 2009 Web Vulnerability graduate course (http://www.miislita.com/courses/airweb-web-spam-syllabus.pdf)

BTW, the Associate Director of the CS Department at PUPR.edu, also a colleague and friend, Dr. Alfredo Cruz, called me two days ago with some great news: the department has been accredited for 2009-2014 as a National Center of Academic Excellence in Information Assurance Education. Soon they will be listed with the members of this exclusive “club” on the National Security Agency web site (http://www.nsa.gov/ia/academic_outreach/nat_cae/institutions.shtml)

An official press release and a formal presentation before the pertinent authorities are being coordinated for the next few weeks or so.

The next issue of IR Watch – The Newsletter provides additional coverage of such exciting news.

I have tied these two news items into a single post to underscore the need for IR/data mining courses at the intersection of Information Security, which is precisely the mission statement of IRW, now reaching more than 300 investigators/research centers.

IRW: Data Mining Credit Cards

February 2, 2009


The current issue of IR Watch – The Newsletter will be available during the day. It consists of the following sections.

Featuring Article: Data Mining Credit Cards

In this issue of the newsletter we cover Luhn’s Algorithm, also known as the Modulus 10 or Mod-10 Test. This algorithm is used for data mining and validation of credit card numbers. Credit card fraud is a topic that never goes away.
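As an added illustration of the Mod-10 test described above (this is example code written for this page, not code from the newsletter), the block below implements the Luhn check, computes a check digit, and uses the check the way a data-mining or DLP scanner does: to discard digit runs that merely look like card numbers. The sample text is constructed; 4111 1111 1111 1111 is a widely published test number, the other digit runs are made up.

```python
import re


def luhn_valid(number: str) -> bool:
    """Luhn (mod-10) test: True if the digit string carries a consistent check digit.

    Separators (spaces, dashes) are ignored so a formatted card number can be passed as-is.
    """
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 2:
        return False
    total = 0
    # Walk right to left; every second digit (starting with the one left of the
    # check digit) is doubled, and doubled values above 9 have 9 subtracted.
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def luhn_check_digit(partial: str) -> int:
    """Return the check digit that makes partial + digit pass luhn_valid()."""
    digits = [int(c) for c in partial if c.isdigit()]
    total = 0
    # Once the check digit is appended, the rightmost digit of `partial` becomes
    # the first doubled position, so doubling starts at index 0 here.
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 0:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return (10 - total % 10) % 10


# Runs of 13-19 digits, optionally separated by single spaces or dashes,
# that are not embedded in a longer digit run.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_card_numbers(text: str) -> list:
    """Mining step: extract digit runs shaped like card numbers and keep only the ones
    passing Luhn, which discards most order numbers, tracking numbers and IDs."""
    found = []
    for m in CANDIDATE_RE.finditer(text):
        pan = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(pan) and pan not in found:
            found.append(pan)
    return found


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits for logging or reporting."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


# Constructed sample text: one real-looking test number among look-alike digit runs.
SAMPLE_TEXT = """order 1234567890123 paid with 4111 1111 1111 1111 on 2009-01-20
callback 555-0100-2000; tracking 9876543210987654"""


if __name__ == "__main__":
    for pan in find_card_numbers(SAMPLE_TEXT):
        print(mask_pan(pan))
```

The candidate regex alone would report three digit runs in the sample; the Luhn filter leaves one, which is why scanners use the checksum before raising an alert.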

QA: Types of Links

What is the difference between in-links, out-links, co-citation, and co-reference?

Historical Notes: The Whirlwind Project

Top CS: State University of New Jersey, Rutgers

Who is Who in IR: Tefko Saracevic

Graduate Theses

Data Mining Blogs

and more.

Tons of Credit Card Transactions Exposed at HPY

January 22, 2009

We learned about this news from a business associate:

According to USAToday, Heartland Payment Systems (HPY) on Tuesday disclosed that intruders hacked into the computers it uses to process 100 million payment card transactions per month for 175,000 merchants.

In IRW – The Newsletter, we have covered data mining of VINs, SSNs, web analytics fraud, and email headers. It might be time to cover credit card mining so readers understand the risks involved when servers, even test servers, are not properly secured or supervised.

Data Mining at the intersection of Information Retrieval, Business Intelligence, and Information Security is here to stay.

Spammers from Forums.SearchEngineWatch.com?

January 12, 2009

Good question to ask.

Once in a while I receive email spam, but in the last few months I have been getting it, apparently and allegedly, from forums.searchenginewatch.com as private email. I am not sure how big the problem is at this IncisiveMedia property, but lately it is becoming a pain in you know where. Here is the header section of the latest email. Emphasis added in bold text.

Received: from unknown (HELO web-2.rpm.incbase.net) ([62.140.213.243])
by mx10.prw.net with ESMTP; 11 Jan 2009 03:45:05 -0400
Received: from web-2.rpm.incbase.net (localhost.localdomain [127.0.0.1])
by web-2.rpm.incbase.net (8.13.1/8.13.1) with ESMTP id n0B75Lp9028420
for ; Sun, 11 Jan 2009 07:05:21 GMT
Received: (from apache@localhost)
by web-2.rpm.incbase.net (8.13.1/8.13.1/Submit) id n0B75Kfu028419;
Sun, 11 Jan 2009 07:05:20 GMT
Date: Sun, 11 Jan 2009 07:05:20 GMT
To: admin@miislita.com
Subject: New Private Message at Search Engine Watch Forums
From: "Search Engine Watch Forums" <webmaster@forums.searchenginewatch.com>
Auto-Submitted: auto-generated
Message-ID: <200901110719.5efc68459520@forums.searchenginewatch.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Priority: 3
X-Mailer: vBulletin Mail via PHP

The From header claims it is from their webmaster, but the first Received line indicates incbase.net and the HELO gives an IP to follow.

A WhoIs using http://whois.domaintools.com/incbase.net gives:

Registrant:
Incisive Media
28-29 Haymarket House
Haymarket
London, London SW1Y 4RX
GB

Registrar: 000DOM
Domain Name: INCBASE.NET
Created on: 16-APR-08
Expires on: 16-APR-10
Last Updated on: 16-APR-08

Administrative, Technical Contact:
Bartlett, Chris
Incisive Media plc
28-29 Haymarket House
Haymarket
London, London SW1Y 4RX
GB
44.2074849860

Domain servers in listed order:
L3DNS1.VNU.CO.UK
L4DNS1.VNU.CO.UK

And a WhoIs using http://whois.domaintools.com/62.140.213.243 gives:

inetnum: 62.140.213.0 - 62.140.213.255
netname: VNU
descr: London office 1st assignment
remarks: all abuse complaints to
remarks: all abuse complaints to
country: GB
admin-c: RD4902-RIPE
tech-c: BJ441-RIPE
status: Assigned PA
mnt-by: MNET-MNTNER
source: RIPE # Filtered

person: Ron Doobay
address: 32-34 Broadwick Street
address:
address: London W1A 2HG
phone: +44 020 7316 9677
fax-no: +44 020 7316 9695
e-mail:
nic-hdl: RD4902-RIPE
source: RIPE # Filtered

person: Byron Jones
address: 32-34 Broadwick Street
London
W1A 2HG
phone: +44 20 7816 9650
e-mail:
nic-hdl: BJ441-RIPE
source: RIPE # Filtered

route: 62.140.192.0/19
descr: Aldgate LONDON POP
origin: AS24867
remarks: Abuse reports to
remarks: Peering contact is
mnt-by: MNET-MNTNER
source: RIPE # Filtered

It appears spammers got Incisive Media’s and SEW’s number!

Data Mining Email Headers Part II

January 6, 2009

This is a follow-up to yesterday’s post. The following trick, discussed in the IRW newsletter, helps you mine email headers even from automatic responders and failed-delivery emails.

The trick is to read email headers from the bottom up. The last “Received” line is more trusted than the others, which are forgeable; that line corresponds to the original sender.

Here is a technique discussed in IRW that you can use to identify which headers are inserted by your ISP. Send an email to yourself through your ISP account and check the email headers of both documents. If your ISP is not using an SMTP proxy masquerade, chances are it might leak the name of the workstation used to create the email in the HELO command, along with your ISP name, IP, and possibly other interesting information.

Armed with this information, analyze the headers of emails you receive from automatic responders and “failed to deliver” email messages. Now you know which headers are from your ISP and which were inserted as the email traveled from server to server before reaching your inbox.

For instance, I recently got an automatic response wherein the HELO says

Received: from unknown (HELO UKMAIL.sportex.com) (213.86.197.130)
by server-3.tower-157.messagelabs.com with SMTP; 6 Jan 2009 05:04:59 -0000

An IP lookup reveals additional information. The rest of the headers also leak interesting stuff.

Data Mining Email Headers

January 5, 2009

The featured article of IRW explains how to access, read, and interpret email headers. Several techniques for tracking down spammers are also disclosed.

We show whether your ISP or email client might be adding headers that unnecessarily disclose important information like the name of the machine used to send an email, your ISP name and IP, your email vendor, which antivirus software your ISP might be using, etc.

For instance, this morning I received the following unsolicited email asking for a link exchange:

Hi,

My name is David Stern, and I am contacting you on behalf of our client ***

*** is London’s most exclusive personal training and therapy centre.

I have visited your site and see that your site is sufficiently related to their domain. It would be great if we can have website *** linked to yours. In lieu of this link, we will provide a link back from one of our best directories and from same Google PageRank page.

The email headers identify, in the HELO command, the sender’s local machine. I’m disabling the link using asterisks.

Received: from [122.162.66.40] (helo=smtp.net4india.com)
by smtp.net4india.com with smtp (Exim 4.66) <*a href=*mailto:linkmanager@business-onlinedirectory.com”>linkmanager@business-onlinedirectory.com<*/a>)

If HELO is not present, there are plenty of other data mining techniques to use.
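The three posts above (this one, “Data Mining Email Headers Part II”, and the forums.searchenginewatch.com spam post) all read the same fields out of Received lines: the claimed host, the HELO/EHLO argument, the bracketed IP, and the relay that recorded the line. The parser below is an added example written for this page, not the newsletter’s own code; it uses only the standard library, and its two message samples are constructed from the headers quoted in those posts (the stripped recipient clause was dropped, and the date on the Exim sample is made up). One caveat the code relies on: relays prepend their Received line, so the topmost one was written by your own mail server and the IP it recorded is the one fact the sender could not alter; lines below it came from machines the sender may control, which is why the “entry” hop and the bottom “origin” hop are reported separately. The registrable-domain comparison is a two-label heuristic, not a public-suffix lookup.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample adapted from the vBulletin headers quoted in the spam post.
SAMPLE = """Received: from unknown (HELO web-2.rpm.incbase.net) ([62.140.213.243])
 by mx10.prw.net with ESMTP; 11 Jan 2009 03:45:05 -0400
Received: from web-2.rpm.incbase.net (localhost.localdomain [127.0.0.1])
 by web-2.rpm.incbase.net (8.13.1/8.13.1) with ESMTP id n0B75Lp9028420;
 Sun, 11 Jan 2009 07:05:21 GMT
Received: (from apache@localhost)
 by web-2.rpm.incbase.net (8.13.1/8.13.1/Submit) id n0B75Kfu028419;
 Sun, 11 Jan 2009 07:05:20 GMT
Date: Sun, 11 Jan 2009 07:05:20 GMT
To: admin@miislita.com
Subject: New Private Message at Search Engine Watch Forums
From: "Search Engine Watch Forums" <webmaster@forums.searchenginewatch.com>
X-Mailer: vBulletin Mail via PHP

(body omitted)
"""

# Constructed sample in Exim's "helo=" syntax, modeled on the link-exchange email;
# the date is invented.
SAMPLE_EXIM = """Received: from [122.162.66.40] (helo=smtp.net4india.com)
 by smtp.net4india.com with smtp (Exim 4.66); Mon, 05 Jan 2009 08:30:00 +0530
From: linkmanager@business-onlinedirectory.com
To: admin@miislita.com
Subject: Link exchange

(body omitted)
"""

FROM_RE = re.compile(r"\bfrom\s+([^\s)]+)", re.IGNORECASE)        # host as claimed/resolved
HELO_RE = re.compile(r"\((?:HELO\s+|helo=)([^\s)]+)\)", re.IGNORECASE)  # sendmail and Exim styles
BY_RE = re.compile(r"\bby\s+([^\s;(]+)", re.IGNORECASE)            # relay that wrote the line
IP_RE = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")          # first bracketed IPv4 literal


def parse_received(value: str) -> dict:
    """Split one Received header into its from/helo/ip/by/date fields."""
    value = " ".join(value.split())          # unfold continuation lines
    head, sep, date = value.rpartition(";")  # the date follows the last semicolon
    if not sep:
        head, date = value, ""

    def first(rx, text):
        m = rx.search(text)
        return m.group(1) if m else None

    return {
        "from": first(FROM_RE, head),
        "helo": first(HELO_RE, head),
        "ip": first(IP_RE, head),
        "by": first(BY_RE, head),
        "date": date.strip(),
    }


def received_chain(raw: str) -> list:
    """Hops top-down: index 0 is the line your own server prepended, -1 the bottom line."""
    msg = email.message_from_string(raw)
    return [parse_received(v) for v in msg.get_all("Received", [])]


def registrable(host) -> str:
    """Crude registrable-domain guess (last two labels); good enough to spot a mismatch."""
    if not host:
        return ""
    return ".".join(host.lower().strip("[]").split(".")[-2:])


def trace(raw: str) -> dict:
    """Summarise what the headers say about where the message really came from."""
    hops = received_chain(raw)
    msg = email.message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].partition("@")[2]
    entry = hops[0]     # recorded by your MX: its IP is what your server actually saw
    origin = hops[-1]   # bottom-most line: the sender's own claim about the first hop
    claimed = entry["helo"] or entry["from"]
    return {
        "from_domain": from_domain,
        "entry_helo": entry["helo"],
        "entry_ip": entry["ip"],          # the address to feed to a whois/IP lookup
        "origin": origin["from"],
        "helo_matches_from": registrable(claimed) == registrable(from_domain),
    }


if __name__ == "__main__":
    for sample in (SAMPLE, SAMPLE_EXIM):
        print(trace(sample))
```

For the first sample the summary reports the HELO name web-2.rpm.incbase.net and IP 62.140.213.243 with helo_matches_from False, which is exactly the mismatch between the From header and the first Received line that the spam post follows up with a WhoIs lookup.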

More SSNs Compromised

December 5, 2008

As mentioned in recent posts, the current issue of IRW features an article covering incidents where social security numbers (SSNs) have been leaked to the Web. Along the same lines, a cardinal rule in Web security is to never provide a connection between an intranet and the Internet. Once such a connection is established (hardware-based or via links), chances are that you no longer have an intranet. So, why take the risk?

In addition, never place sensitive information on a test server with access to the Web. Unfortunately, the first offenders are frequently government agencies and universities. Stubborn IT administrators never get it!

For instance, adding insult to injury, here is a report from the Orlando Sentinel wherein 250,000+ user accounts containing SSNs were compromised:

http://blogs.orlandosentinel.com/news_politics/2008/12/state-agency-pu.html

According to this news report, and quoting:

“The state Agency for Workforce Innovation blamed a “security breach” Wednesday for why it accidentally placed the names and Social Security numbers of 250,000 job-seekers on a “test server” that could have been accessed online.”

“The names and information were online for 19 days and removed in late October after the state Department of Revenue came across it during “routine work,” officials said. The only common denominator among the names placed online was that they all got services over the last six years from one of the 81 Florida “career centers” that provide job-training and resources around the state.”

The breach is giving bad publicity to the Agency for Workforce Innovation (AWI). According to http://infosecurity.us/?p=4041, the Liberty Coalition asked AWI the following questions:

  1. Why did the Agency for Workforce Innovation store sensitive Excel files on a server at all?
  2. Why was this website left open to the public for more than a month, undetected by AWI’s IT department?
  3. Why were the files on the server not behind a firewall, password protected or encrypted?
  4. How many other servers store sensitive personal information, and how many of those are available to the public right now?
  5. How many AWI employees have access to clients’ social security numbers, and do they all need access?
  6. How do you plan to train employees to appropriately handle sensitive personal information?
  7. Do you have a regular schedule of scanning your internal networks and external servers for personal information? If so, why was this breach not discovered?
  8. Does the Agency for Workforce Innovation intend to pay for identity theft protection services for the victims of this breach?
  9. Will the Agency notify victims by mail?

Infosecurity states that the Liberty Coalition has raised the following issues:

  1. AWI has not offered to protect victims with identity theft protection services.
  2. AWI relied on public search engines and a member of the public 800 miles away to discover the breach.
  3. The Agency should destroy the information, not just restrict access.
  4. How many other AWI servers are currently exposing personal information.
  5. Why the need for AWI to collect minors’ social security numbers.
  6. AWI has not indicated how many employees have access to clients’ social security numbers, and whether these employees require access to fulfil their job descriptions.
  7. AWI does not appear to regularly scan its networks for sensitive personal information.

To play PR/damage control after the fact and the gross incompetence, the FloridaJobs.org site published the following:

“The Agency for Workforce Innovation is continuing to take action to address a security breach that recently occurred on a test server. Upon discovery, the Agency immediately contacted the appropriate law enforcement agencies, began a thorough investigation and promptly coordinated with all major external search engine companies to ensure the information was no longer accessible to the public. The Agency has no reason to believe any personal information has been accessed for unlawful purposes.”
http://www.floridajobs.org/publications/news_rel/securityBreach.html

They have “no reason to believe any personal information has been accessed for unlawful purposes.” Good PR try. How do they know that? After their comedy of errors, why would anyone want to submit resumes to their databases? The rest of their PR excuses are a wall of smoke.

Note also how quickly they contacted search engines, just in case these had indexed the documents. At least they are realizing the power of search engines. Chances are the search engines have cached copies of these documents.
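Question 7 above asks whether the agency scans its own servers for personal information on a regular schedule. The block below is an added example of such a scan, written for this page and not taken from any of the sources quoted: it walks a directory tree standing in for a web-exposed test server, pulls 3-2-4 digit groups out of text-like files, and keeps only values that satisfy the structural rules the Social Security Administration publishes (area numbers 000, 666 and 900-999 are never issued, nor are group 00 or serial 0000), which removes most phone numbers and ticket IDs. The sample files and every number in them are constructed.

```python
import os
import re
import tempfile

# 3-2-4 digit groups with optional dash or space separators, not inside a longer digit run.
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject values that can never be an issued SSN (area 000/666/9xx, group 00, serial 0000)."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def find_ssns(text: str) -> list:
    """Return the plausible SSNs in text, normalised to NNN-NN-NNNN, in order of first appearance."""
    found = []
    for area, group, serial in SSN_RE.findall(text):
        if ssn_plausible(area, group, serial):
            ssn = f"{area}-{group}-{serial}"
            if ssn not in found:
                found.append(ssn)
    return found


TEXT_EXTENSIONS = (".txt", ".csv", ".log", ".html", ".xml", ".json")


def scan_tree(root: str) -> dict:
    """Map each text-like file under root to the plausible SSNs it contains.

    Files with no hits are omitted; binary formats are skipped by extension.
    """
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if not name.lower().endswith(TEXT_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                ssns = find_ssns(fh.read())
            if ssns:
                hits[os.path.relpath(path, root).replace(os.sep, "/")] = ssns
    return hits


def build_sample_tree() -> str:
    """Create a constructed directory standing in for an exposed test server; returns its path."""
    root = tempfile.mkdtemp(prefix="ssn-scan-")
    os.makedirs(os.path.join(root, "exports"))
    files = {
        # the same constructed SSN appears twice, once without separators
        "exports/jobseekers.csv": "name,ssn\nA. Doe,123-45-6789\nB. Roe,219 09 9999\nA. Doe,123456789\n",
        # look-alikes that fail the structural rules or the 3-2-4 shape
        "readme.txt": "test server; ticket 000-12-3456, part 987-65-4321, phone 407-555-1234\n",
        "logo.png": "not scanned",
    }
    for rel, content in files.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for path, ssns in scan_tree(build_sample_tree()).items():
        print(f"{path}: {len(ssns)} plausible SSN(s)")
```

Run against a real document root the output is a list of files to pull offline, which is the check that would have caught the "test server" export before a member of the public did. Spreadsheets like the Excel files in question 1 need a format-specific reader in place of the plain-text `open()`; the structural filter stays the same.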

Getting Ready for AIRWeb2009

October 13, 2008

For the last few years I have served as a PC member of AIRWeb. I just received and accepted an invitation to be a PC member for AIRWeb 2009.

For those of you not familiar with it, the International Workshop on Adversarial Information Retrieval on the Web (AIRWeb) http://airweb.cse.lehigh.edu/ has been held four times: in conjunction with WWW’05, SIGIR’06, WWW’07, and WWW’08.

Topics discussed at the workshops include all forms of search engine spamming and hacking practices. SEO spamming practices are exposed and countermeasures are tested. It is a lot of fun examining in advance manuscripts describing these malicious practices, months before the accepted papers hit the mainstream.

Incidentally, the next issue of the IR Watch newsletter features Fraudulent Web Analytics, an article on adversarial techniques. We expose several practices spammers and hackers use to produce fake analytics and to defraud advertisers.

On Online Hackers, Marketers, and Criminals

August 19, 2008

Hackers that market themselves are fully getting into the crime scene.

We have seen marketers getting into hacking and vice versa: hackers getting into marketing. Designing web pages that rank high in the search engines for the sole purpose of using these to spread malicious resources and tools is one example. We call them hacketers = hackers + marketers.

Now hackers are getting physical.

Back in March 2008, it was reported how hackers were causing harm to folks suffering from epilepsy. Some usability and accessibility marketers are using those incidents to better promote their own services, a la your-problem-is-my-opportunity.

Other marketers are creating reputation management problems and then ‘go back through the kitchen’ to market “reputation management” solutions. A scam not any different from the click fraud scam promoted by marketers who are part of a mob organization. Hah, Hah.

Now, we have the news of a hacker allegedly kidnapping and torturing another alleged hacker.

These probably are the first cases of hackers physically hurting others.

What is next? Google worse than ISP snooping, as AT&T claims?

Sometimes controlling information is worse than physically controlling others.

Ah, the many faces of opportunism.

Gaming the Gamers: The SEOs Exposed Story

July 25, 2008

Edward Lewis, from SEO Consultants, is writing an interesting piece on how apparently SEOs are gaming each other. The Sphinn Expose article is available at http://www.seoconsultants.com/sphinn/expose/

We don’t take a position on why he took the challenge or how he gathered the data, but we need to respect Lewis for the time and effort he has put into opening this apparent “can of worms”.

If true, his findings show how SEOs allegedly abuse electronic outlets to promote themselves and/or their peers.

Of course, there are two sides of a story. It will be interesting to hear the version of the alleged gamers.

For links about this SEO “soap opera”, check http://www.seroundtable.com/archives/017750.html

Again, if true, Lewis’ findings are a blow to the credibility of an industry already plagued with reputation problems and spammers disguised as pseudo experts.

If true, more than a sad story, it is a disgrace for the ethical sector of the industry.

Verizon, FCC, and the C Block Competition

March 24, 2008

Now that the B and C blocks of the spectrum have been allotted by the FCC, things are set-ready-go to open mobile broadband U.S. networks, broadband IR, and, yes, a whole new hacking space. It’s a matter of time. The C Block hacking competition is coming. Never ignore what can be done with such a new playground.

I wonder how the FCC is going to enforce regulations on the 22-MHz portion of the spectrum already handed to Verizon. http://www.pcworld.com/article/id,143705-c,industrynews/article.html

Meanwhile, IR research centered around open broadband networks is needed, as are search engines.

IRSeek, Polymorphic JavaScript, and Hacketers

December 6, 2007

According to a DarkReading report, IRSeek is a start-up designed to target hackers and their anonymous IRC chat activities. Hacking the hackers?

The report states:

“Hackers favor IRC because it allows them to protect their identities and cover their tracks. But a new search engine startup called IRSeek is now calling those features into question…”

“This could all be bad news for hackers, who don’t want their conversations indexed or searchable by nickname. While they could partially beat the system by simply changing their nicknames frequently, hackers may eventually feel that IRSeek threatens their anonymity, and ultimately, their privacy.”

Here is more on the topic.

Well, this can be fun to watch/test for those who conduct Web mining for security purposes.

Meanwhile, according to a CNN report, search engine-based hacking attacks are on the rise and are becoming a preferred targeting method. This includes link-based spam and polymorphic JavaScript scripts, also referred to as “Polyscripts”, alone or combined with dark marketing practices. Here is a Top 10 list to watch.

1. Phishing.
2. Malicious link injections through forums and blogs to rank high in search engines.
3. Attackers use the Web’s ‘weakest links’ to launch attacks.
4. Compromised Web sites will surpass the number of purpose-built malicious sites.
5. Cross-platform Web attacks.
6. Web 2.0-based attacks.
7. Polymorphic JavaScripts, designed to evade anti-virus scanners.
8. Data concealment methods.
9. Key hacker groups.
10. Vishing and voice spam.

Hackers + Spammers + Crook marketers/SEOs = What A Killer Combination. Compromised sites ranking high means trapping more users in the mess. I wonder how many of the folks from the seosphere are involved and making a few bucks. The usual suspects?

Perhaps not all are real SEOs, but as we say in Spanish: “Ante la duda, saluda.”

Here is a nice one: Hacking Duke University to rank high via link injection

And somehow related, how about cracking passwords with Google?

Welcome to a new breed on the rise:

Hacketers = Hackers + Marketers

PS. I coined the name after noticing with the Levenshtein Edit Distance Calculator that it requires only two edits to go between hacketers and marketers.

http://www.miislita.com/searchito/levenshtein-edit-distance.html
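The two-edit claim is easy to check in code. The block below is an added example written for this page, not the calculator linked above: a standard Wagner-Fischer implementation of Levenshtein distance, plus a small helper showing the measure’s defensive use, flagging a name that sits within a couple of edits of a well-known one (the same arithmetic behind look-alike domain and nickname checks). The vocabulary list is constructed.

```python
def levenshtein(a: str, b: str) -> int:
    """Wagner-Fischer dynamic programme: minimum number of single-character
    insertions, deletions and substitutions that turn a into b."""
    prev = list(range(len(b) + 1))          # distance from "" to each prefix of b
    for i, ca in enumerate(a, 1):
        cur = [i]                            # deleting i characters of a reaches ""
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur.append(min(prev[j] + 1,          # delete ca
                           cur[j - 1] + 1,       # insert cb
                           prev[j - 1] + cost))  # substitute (or keep) ca -> cb
        prev = cur
    return prev[-1]


def near_misses(candidate: str, known: list, max_edits: int = 2) -> list:
    """Names in `known` within max_edits of candidate, closest first (ties alphabetical).

    A small distance to a familiar name is the classic look-alike signal.
    """
    scored = sorted((levenshtein(candidate.lower(), k.lower()), k) for k in known)
    return [k for d, k in scored if d <= max_edits]


KNOWN = ["marketers", "hackers", "spammers"]   # constructed vocabulary


if __name__ == "__main__":
    print(levenshtein("hacketers", "marketers"))   # 2: h->m and c->r
    print(near_misses("hacketers", KNOWN))
```

The distance is symmetric and the two substitutions are visible by aligning the words: h-a-c-k-e-t-e-r-s against m-a-r-k-e-t-e-r-s differs only in the first and third letters.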

Heh, heh. Apparently “peer” pressure forced IRSeek to shut down. Nevertheless, it is still a great concept: I wonder how many of these mole projects are in place all over the Web. Check the whole deadpool story here:

http://www.techcrunch.com/2007/12/03/fastest-deadpool-ever-irseek-shuts-down/#comment-1813205

http://www.irseek.com/blog/