Security Predictions of 2004

scubacuda writes "Computer World's security predictions for 2004: R.a..n,d,o.,m p,u,,n,c.t,,u_a.t.1..0.n evading spam filters, Internet access filtering, better desktop management, enterprise personal firewall deployment, tools that securely scrub metadata, corporate policies against USB flash drives, Wi-Fi break-ins, Bluetooth abuses, cell phone hacking, centralized control over IM, public utility breakin publicized, government defense against cybercriminals, organized cybercrime, and a shorter time to exploitation."

Random Punctuation in spam

[91degrees]

This is a good thing. It makes it harder for the victims to read, and gives a lot of anomolies that any modern statistical filter will find extremely useful.

randomness and other things

[CAIMLAS]

That random punctuation stuff is more difficult to read than 1337speak, and will continue to be: leetspeak, at least, has a fairly broad group of people that -want- to understand it and use it conversationally, and thus its more understood.

At any rate, I doubt such punctuation will be a problem. I've already seen a good deal of it get killed with bayesian filters anyway.

The other things though - very interesting. It's not like we can't predict these things ourselves, though - it's only a mattre of time before they happen, what with the increasingly dense levels of tech in our society.

Being the thrill-seeking geek that I am, the prospect alone of bluetooth hacking (wartoothing? :P) sends an adrenaline rush through me. I look forward to dealing with such attacks (either preventatively, directly, or for clients, etc.) - seriously. It's exciting stuff.

I can see there being a definate increase in the need for serious, intelligent, and knowledgeable computer security staff; they'll likely start supplanting what's left of IT staff, as well as replacing some of the positions that were dumped in the last several years. After IS? Who knows. Maybe we'll be batteries by then, or maybe fighting the machines.

Don't put your email address online

[arvindn]

Stop spam at the source, stupid!

Don't put your email address online, period. Other solutions like filters only address part of the problem, because you still have to pay for the bandwidth and there's the problem of false positives. I wrote a little Javascript Turing email obfuscator, which prevents renders your email address invisible to bots, even those that can execute javascript.

An ounce of prevention...

Re:Don't put your email address online

[arvindn]

Bad analogy.

I never said anything about not fighting spammers. Please do fight them. But at the same time, also protect yourself. What you're saying is more like: "I'll go out at night alone and unarmed and I'll fight if I'm attacked." I'm just saying take a gun with you.

Not putting your email online doesn't mean not giving it out at all. It just means don't put it in nice cleartext which spambots can harvest. Obfuscate it so that humans can still gets it while bots can't.

Re:Nearly impossible?

[wiggys]

I already get some spam with random puncutation yet PopFile still manages to classify it as spam.

Why? Because it knows which combination of words, used together make it more likely the mails are for me, eg spammers only have my email address, they do not know my name... therefore any emails containing either my first name or surname (or better still, both together, will make PopFile flag the message up as "high probability non-spam mail". Of course it looks for other clues.

Anyway, if spammers do find a way to circumvent my filters (and at the moment I'm filtering spam with 99.62% accuracy) then my filtering software will be updated and will check for stupid punctuation tricks.

Re:Nearly impossible?

[Crasoum]

The thing I had thought is, most people use very little punctuation, if any at all.
Why not filter out spam by anything with > 3 periods, and/or commas?

Quick and simple work around, right?

Forget the flash drives... think USB HARD DRIVES

[Neo-Rio-101]

I use a 2.5" 20GB USB hard drive when I move between branch offices for work as it carries all my data and stuff with me. I also use my HD as a kind of FTP directory when I want to install client software across a server network.

Come to think of it, there's nothing to stop somebody with one of these Hard drives from importing and exporting several CDs worth of data on it, and importing all kinds of strange software or even CD-copying software into the workplace to make nice CD ISO images or even whole drive dumps of code that should not be freely distributed.

The USB hard disk is probably way more risky than a flash drive, because 512MB while it can still hold a lot of info, is still expensive and is limited by its size.

What I encountered yesterday

[quigonn]

Spammers actually seem to try defeating bayesian spam filters by "training" them with random words:

From: Noah Poe
Date: Sun, 04 Jan 2004 15:58:49 -0600
To: a.konrad@aon.at
Subject: canberra happen

aides bone emmanuel rumania persistent josephine pencil majesty bottom
anarch molecular cafe hepburn done ellipsoid monoceros chokeberry pungent decontrolled
orphanage keel cessna lippincott drugstore onion inclement empire

This is just sick.

Re:What I encountered yesterday

I've been getting a lot of these too, and I wonder how easy it is to create a filter that calculates the amount of short (say 4 characters) in a message. If there aren't enough of these (and note the difference between what you posted and this post for example) then it's very likely spam.

And really, even if you use a Bayesian filter, how many emails contain the words "majesty" "ellipsoid" and "lippincott"? Is it really a problem to have these associated with spam? As long as you need a few of them to trigger the filter I don't see how this is going to cause false positives. In effect, the spammers are tagging their junk for us. Handy :-).

Lourens

Re:What I encountered yesterday

[Texas+Rose+on+Lava+L]

I don't think this will work too well for the spammers. When was the last time you got a legitimate email containing "lippincott" or "monoceros" or "emmanuel?" The Bayesian filter will notice that words like this only show up in spam, and the next email you get with "lippincott" in it goes to the spam folder. This is particularly true if the spammers get lazy and reuse the same set of "random" words.

As for spammers training your filter to accept spam, I think the spammers would have to be really sophisticated to pull that off. They would have to guess which words show up in your legitimate email but not in your spam. For my work email, for example, that would probably be things like technical jargon, coworkers' names, product names - stuff the spammers won't be able to guess (and that will vary from one person to the next). So even if spammers add random dictionary words to their spams, there will still be individual words that are far more common in legitimate email than they are in spam, and the spammers' plot will fail.

Dumb question - spell check the incoming mail?

[MachDelta]

Ok, this is probably a dumb question, but why the hell doesn't anyone make a spell checking spam filter? Just set it to junk any incoming email with more than x% spelling mistakes, and voila! All y,o.ur.,. r,a.,n.d,.om.,,. p,.u,.nc,.tu,at,i.on and |33t 5p34k is fucked. Combine it with a regular spam filter, and you're set!
It'd also have the added bonus of keeping idiots who can't spell worth crap out of your inbox. And since it would work off a dictionary (preferably the same one as your outgoing spell checker, if equipped), you could always add whatever names, phrases, and abbreviations you wanted, while still keeping the "0MG L1EK MAK UR P3N0R 9 INCHZ LONGR!!" crap out of your inbox.
Surely we have the ability to create something like this. So where is it?

Re:Dumb question - spell check the incoming mail?

[Texas+Rose+on+Lava+L]

From: Boss@personalispaccount.com
To: Employee@work.com
Priority: Extremely Urgent

Michael,
The TPS report for 3Q03 NPT TLAs is late. Please attach HEL and HPQ-4 to GNAA and send (w/TPS) to VP of Ops by EOD.

Thx, Ackbar

On random punctuation

[Richard+W.M.+Jones]

At my last job I wrote a chat server which was used by school age children.

One of the requirements (coming from "concerned parents", of course) was to filter out swearing in the chat rooms. So if someone typed in, say, "you're a shit", what would actually appear for everyone else would be "you're a $!%^" or something similar.

Eventually, of course, we got into an arms race with the kids, who would write "sh1t", "s.h.i.t", "sh*t" and so on.

However, I came up with a program which generated a regexp which matched pretty much all the variations, and - to date - none of the kids have worked out a way around it.

This is how it worked.

(Actually, I can send anyone the original regexp generator code if they're interested - just mail me).

The basic concept was to use a table of "equivalences", for, eg. "a" => [ "@", "4", "A", ....], "f" => [ "ph", .... ]

For each swear word we generate a regexp with (r1|r2|r3|...) for each letter in the bad word, where r1, r2, r3, ... are the list of equivalences for that letter.

That produces a list of swear word - matching regexps which we then combined into a super mega regexp which would match any of the 50 or so banned words.

One interesting thing is that you can end up with a regexp which is too big for GNU regexp to handle ... But there are ways to get round that and you can code it up as a flex parser too which doesn't have any limits as far as I can tell.

The actual code is slightly more complex and does a few more things than above (eg. it works for "s.h.1.t" too, or even "s---h--1----------t". And it has a concept of "obliterator characters", so "sh*t" can be banned also.

If anyone's interested I can send the code.

Rich.

I wondered what those were...

[Skreech]

Subject: fodder gallonage

neglecter appease luis seagram bratwurst bluet
burgundian seamstress adair embolden frontal
rhodonite bitwise neither clara mercy footstool delivery

or how about....

Subject: dewdrop

perspicuous dinosaur fluency depart colombia oaken balfour odometer
because propel bead cowry nihilism
melanesia down mccluskey cryostat elena alphameric

----

I wondered what these emails were, but trying to poison spam filters seems correct. I figured spammers were doing it, but I thought the reason was just to spite us all. I'm sure people are doing this to email addresses and selling lists of "prepared email addresses" with compromised spam filters for extra message penetration panel sandman eyeglass conclusion inhibition globular irrigate -- er, sorry... yes, yes I have been checking my mail lately, why do you ask?

defeating random punctuation

[C0vardeAn0nim0]

My boss (hardcore BSD hacker and anti-spam activist) added a simple rule to our spam filters: more than 5 consonants in a row in the From: field and it's tagged as spam. I'm pretty sure if neccessary he can add a rulle to check how many characters in a sentence are vowels, consonants, digits and punctuation. more than x% of punctuation in a sentence plus y% digits and the filter tags as spam.

I'm not as good as him but I'm sure this can be done quite easily in perl with regexes.

Re:Spam Spam Defeatable Spam

[dorward]

Your whole post makes it sound like it's easy. If it were easy, we would stop a lot more spam.

In my experience, it is. I can't remember the last time I got a false positive or negative, and I haven't even bothered training the bayesian filter.

Maybe I just get targetted by clueless spammers, but spam is not a major problem for me.

Spammers are always going to keep ahead of the curve if they can, and as long as they're making money, they will continue to increase volume

Spammers make money becuase most people don't run spam filters, and some people are clueless enough to do what the spammer wants.

While the spam might be increasing, I don't see it until I go and look in my spamtrap Maildir, and I don't expect that to change any time soon.

Re:Desktop management

[danheskett]

And I thought the main selling point of Windows was that it was easy enough that any baboon could install/user/administer it.
It is massively easy to admin a large number of similiar Windows machines.

As a part time thing, for charity, I admin a largish network for a non-profit in New England. Something like ~150 desktop PCs - running Win2k and WinXP and 3 Win2k Servers.

I do it all remotely, in about ~45 minutes or so weekly. When they need a new PC they get it straight from Dell, plug it in, and after a very simple operation (which, granted, required me writing out detailed instructions with pictures and lots of hand-holding), the PC is in the network. After a quick reboot, all the software is configured, printers configured, network access configured, and any of the 175 users can log in and experience the same consistent environment.

Patching machines is virtually painless, virus/trojans/spyware never gets through, e-mail is rock-solid, machines don't crash unless it's a hardware failure (quite common with Dell sadly..), the machines are locked down and unable to be user-f'd, and things are generally smooth.

They used to have a full-time fully-clueless IT guy. He went to a different career, and I took over a few years ago. After a single weekend of re-engineering I can say that the network operates without any trouble. The users are happy, things are reliable, all major maintenance is automated and scripted, and things *just work*.

Honestly, it all depends on the person. I've known networks with really bad UNIX-ish admins where nothing working, machines, crashed non-stop, etc etc. Same with Windows.

Don't mean to be immodest, but really, it just takes someone with a good grasp of IT and some Windows skills. My one power user on-site handles some of the hands-on stuff (unjamming printers, unpacking new PCs, changing backup tapes, etc).

Anyways... in this case, Linux would work except for about ~6 or so critical apps that are Windows-only. Bummer.

My Prediction: the first OS X virus/worm appears

[Selecter]

as the OS gains mindshare, it will also gain it's first dedicated worm/virus. I hope I'm *not* right.

New email protocol?

[BaconLT]

To battle spam, how about a new email protocol?

Email, right now, is not very restrictive. Up the standard, and you'll have many more constraints within which to work.

People have been calling for a p2p solution to email for a while, which presents its own challenges, but does suggest that those in the know are open to change.

Just a thought...

Even worse than random punctuation: Random HTML

[phoxix]

I've noticed a trend with a bit of the spam i've been getting recently: Random HTML.

The following is an example:

<Aegf>Bigger</gorR>><feakj> feet today!<alefa>

I have to admit, its rather effective in tricking many spam filters. Most spam filters can't tell the difference between real and fake HTML. Additionally, most HTML rendering engines automatically skip the false HTML, and still show the spam message.

Sunny Dubey

Re:Nearly impossible?

[Jjeff1]

Folks looking for a decent spam filter should check out ASSP. It's a SMTP proxy written in perl. I've got it up and running on my MS Exchange server, but apparently it supports virtually any platform that supports Perl. It has a good web based interface that makes configuration a snap.

Re:Nearly impossible?

[BalloonMan]

If you need to keep changing your filter, the spammers have already won.

Nonsense, if you [need to] keep changing your filter, the spammers need to keep changing their tricks, too. At worst, this situation is a stalemate. When you get to the point where you no longer try to avoid the spam, then the spammers have won.

In an unrestricted e-mail world, this will simply remain as a little competive ecosystem. Plenty of lesser spammers will be caught by your existing filters, just like your body rejects the old germs you've already been exposed to. Sometimes, new germs come along and trigger a fresh immune reaction, and you need a little time to adjust, but at least you don't have to actively fend off every existing bug all the time. And your experience with a new germ can be input for a vaccine that will protect others in advance. Your (or somebody else's) experience with new spam tricks has the same potential communal benefit. The spam filters are improved, the updates are broadcast, and you might never notice the uptick in the ongoing state of spam warfare.

Re:Nearly impossible?

[shadowcabbit]

Maybe I'm just being speculatively retarded here, but how difficult would it be to code an anti-spam agent bot? This bot would run on one machine somewhere, doesn't matter where, and monitor your POP3/IMAP/whatever account(s) every x minutes (let's say 30). At that time, the bot reads all the mail in the inbox, use a bayes filter/rules/whatever to determine spam, and sort/delete messages accordingly? Seems like an interesting solution, and it would be platform- and client-independent since the email client doesn't have to do anything besides collect what's left over. Feel free to flame me if this has been done before or is simply a stupid idea, but I think it might work. Hell, you could probably code it in VBasicrap if you knew the protocols necessary.

Re:Forget the flash drives... think USB HARD DRIVE

[cableshaft]

Yeah, the USB ports don't work on my workplace desktop. It was annoying when I discovered that, as I purchased a USB flash drive for precisely that purpose, transferring files I work on during breaks to and from home. Although I still circumvented it by writing a script on my home PC that allows me to transfer just about anything between the two. Go figure.

Clogging up the spammers

[Cruciform]

I just got one of those "Millions of email addresses on a CD" spams. It includes the fax number required to request them.

Anyone in the 240 and 416 area codes that feels like clogging up someone's fax machine with tubgirl and goatse?

Here's the meat of this junk (I removed several hundred asterisks):

--quote begins--
DON'T YOU WANT TO KNOW!

PURCHASE OUR Email Addresses Directory ONLY
IF YOU WANT TO PURCHASE OUR Email Addresses Directory with
525 MILLION in 5-disk set.
Complete package 5-disk set only $99.00!!
DO NOT REPLY TO THIS EMAIL ADDRESS. TO ORDER, READ BELOW:

Fill out the Form below and fax it back to
1-240-371-0672 OR 416-467-8986