Legitimate ISP a Cover-up For a Cybercrime Network

← Back to Stories (view on slashdot.org)

Legitimate ISP a Cover-up For a Cybercrime Network

Posted by Soulskill on Wednesday August 26, 2009 @05:01AM from the e-front-affront dept.

ezabi writes "TrendWatch, the malware research arm of TrendMicro, has posted a white paper titled 'A Cybercrime Hub' (PDF, summary here) describing the activities of an Estonian ISP acting as a cover-up for a large cybercrime network. It's involved with malware distribution and DNS hijacking, which leads to credit card fraud. The story's interesting, and a typical internet user would be exposed in such a situation. What security measures should be taken to prevent normal users from falling victim to such malicious bodies? Note that they are represented legitimately and are offering real services like any other internet company."

3 of 68 comments (clear)

Min score:

Reason:

Sort:

DNSSEC and ubiquitous SSL. by Timothy+Brownawell · 2009-08-26 05:07 · Score: 5, Informative

...and DNS hijacking .... The story's interesting, and a typical internet user would be exposed in such a situation. What security measures should be taken to prevent normal users from falling victim to such malicious bodies?

DNSSEC so they can't do anything to your DNS queries (not even by directing you to an evil resolver), and SSL or similar for everything else so your connections can't be edited or sniffed. Then there's not really much the can do, besides just dropping all your connections.
1. Re:DNSSEC and ubiquitous SSL. by Timothy+Brownawell · 2009-08-26 08:43 · Score: 2, Informative
  
  DNSSEC only helps you if you run your own DNS resolver. 99% of the population uses their ISP's resolver. The exception are corporate networks, etc. DNSSEC does nothing to protect or help the end-user know that queries are good. The data from the resolver to client isn't signed or authenticated in any way, so even if you ask for the +adflag, etc., if someone has a way to mess with your DNS queries with MitM, they can add the "ad" (authenticated data) flag so your client would thing the data had been verified by DNSSEC.
  No, you can demand that the ISP's resolver forward all the records you need in order to verify the signatures yourself. The first thing google comes back with is this, from 2007:
  
  The current DNSSEC standards define a security-aware (stub) resolver that would be located at the users PC and which can indicate to a security-aware intermediate nameserver that it will perform its own DNSSEC validation by setting the Checking Disabled (CD) flag in the DNS query Header. This has the effect of inhibiting DNSSEC at the security-aware nameserver causing all necessary records to be supplied to the resolver to enable it to perform the security validation. The net result is we have achieved end-to-end security.
Re:Adware by Zocalo · 2009-08-26 05:50 · Score: 3, Informative

Give me a break! Frankly, I'm not sure why they've even bothered to obscure the identity of the company concerned since it's pretty much obvious to anyone who follows IT security news that they are talking about EstDomains and Vladimir Tsastsin. Try punching those into Google or whatever and you'll see this goes way beyond being just an "adware company".

--
UNIX? They're not even circumcised! Savages!