

Legitimate ISP a Cover-up For a Cybercrime Network

ezabi writes "TrendWatch, the malware research arm of TrendMicro, has posted a white paper titled 'A Cybercrime Hub' (PDF, summary here) describing the activities of an Estonian ISP acting as a cover-up for a large cybercrime network. It's involved with malware distribution and DNS hijacking, which leads to credit card fraud. The story's interesting, and a typical internet user would be exposed in such a situation. What security measures should be taken to prevent normal users from falling victim to such malicious bodies? Note that they are represented legitimately and are offering real services like any other internet company."

15 of 68 comments

  1. This is new? by R2.0 · · Score: 3, Insightful

    Look up the mafia and trash collection.

    --
    "As God is my witness, I thought turkeys could fly." A. Carlson
    1. Re:This is new? by fuzzyfuzzyfungus · · Score: 4, Funny

      Or the financial industry and the financial industry.

    2. Re:This is new? by swanzilla · · Score: 3, Funny

      Or Microsoft and the Association for Competitive Technology...

  2. DNSSEC and ubiquitous SSL. by Timothy+Brownawell · · Score: 5, Informative

    ...and DNS hijacking .... The story's interesting, and a typical internet user would be exposed in such a situation. What security measures should be taken to prevent normal users from falling victim to such malicious bodies?

    DNSSEC so they can't do anything to your DNS queries (not even by directing you to an evil resolver), and SSL or similar for everything else so your connections can't be edited or sniffed. Then there's not really much they can do, besides just dropping all your connections.

    1. Re:DNSSEC and ubiquitous SSL. by fuzzyfuzzyfungus · · Score: 2

      If the packet goes through somebody else's hardware and isn't cryptographically signed, their ability to fuck with it is constrained only by their computational capacity and know-how. It'll be trickier if they have to rewrite packets on the fly, rather than just maliciously reconfigure their DNS server; but I'm sure Sandvine or one of their ilk could manage it.

      However, while OpenDNS is unaccountably popular with many, it does a lot of DNS meddling of its own, including breaking NXDOMAIN (it also uses false DNS data to implement its filtering; but I don't know whether that is opt-in, opt-out, or mandatory). While the fact that you have to manually opt in to use OpenDNS makes them better than the crap that ISPs try to pull, they aren't exactly on the side of angels.

    2. Re:DNSSEC and ubiquitous SSL. by jroysdon · · Score: 3, Interesting

      DNSSEC only helps you if you run your own DNS resolver. 99% of the population uses their ISP's resolver. The exceptions are corporate networks, etc. DNSSEC does nothing to protect or help the end-user know that queries are good. The data from the resolver to client isn't signed or authenticated in any way, so even if you ask for the +adflag, etc., if someone has a way to mess with your DNS queries with MitM, they can add the "ad" (authenticated data) flag so your client would think the data had been verified by DNSSEC.

      DNSSEC is hardly deployed either. Not even in the .GOV TLD, which has a mandate that all domains be signed by the end of this year.

      Query Comcast's test DNSSEC resolver:
      dig +adflag +dnssec gov @68.87.69.154

      You get back NSEC3 keys and RRSIGs, and the "ad" flag will be set (meaning it is authenticated data). Try it again with just about any domain:
      dig +adflag +dnssec whitehouse.gov @68.87.69.154
      dig +adflag +dnssec fbi.gov @68.87.69.154
      dig +adflag +dnssec cia.gov @68.87.69.154
      dig +adflag +dnssec nsa.gov @68.87.69.154

      Nah, none of them have deployed DNSSEC. Less than 3 months to go and they'll all slip past the mandate.

      DNSSEC is a good step in the right direction, but it's not a magic bullet. Perhaps if there were some client apps that act as DNS resolvers and verify all DNSSEC keys and sigs (the same as resolvers do), but that's going to slow down the user experience with many queries before even requesting content. Further, how are end-user apps like this going to be kept up to date with new signatures that have to roll (yearly, I believe)? No magic bullet, that is for sure.

    3. Re:DNSSEC and ubiquitous SSL. by tialaramex · · Score: 2, Interesting

      Also, while I'm here, it's a lot harder to MitM the link between a user and their ISP in most cases. Both addresses are inside the ISP's range, so it should and probably does have border rules that prevent such packets traversing the border. That means to attack user X at ISP A, you need to be able to mess with packets inside ISP A. Whereas today, by doing MitM on some poor .com site's DNS servers, you get every user visiting the site. So "does nothing to protect" isn't really true.

      If you're going to say "What if the bad guys just reconfigure the victim's machine to use their DNS server?" Well, yeah, but in that case they broke in and changed system-level configuration; it's game over. They could just as easily add an OS patch that redirects all IP traffic via their servers so that DNS is irrelevant.

    4. Re:DNSSEC and ubiquitous SSL. by Timothy+Brownawell · · Score: 2, Informative

      DNSSEC only helps you if you run your own DNS resolver. 99% of the population uses their ISP's resolver. The exceptions are corporate networks, etc. DNSSEC does nothing to protect or help the end-user know that queries are good. The data from the resolver to client isn't signed or authenticated in any way, so even if you ask for the +adflag, etc., if someone has a way to mess with your DNS queries with MitM, they can add the "ad" (authenticated data) flag so your client would think the data had been verified by DNSSEC.

      No, you can demand that the ISP's resolver forward all the records you need in order to verify the signatures yourself. The first thing Google comes back with is this, from 2007:

      The current DNSSEC standards define a security-aware (stub) resolver that would be located at the user's PC and which can indicate to a security-aware intermediate nameserver that it will perform its own DNSSEC validation by setting the Checking Disabled (CD) flag in the DNS query header. This has the effect of inhibiting DNSSEC at the security-aware nameserver, causing all necessary records to be supplied to the resolver to enable it to perform the security validation. The net result is we have achieved end-to-end security.
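Added example (my code, not from any commenter above or from the Trend Micro paper): the two replies above disagree about what the "ad" bit in a reply is worth, and the quoted 2007 text says the answer is to set CD and validate on the client. The script below builds exactly that kind of query (CD set in the header, DO set in an EDNS0 OPT record) and decodes a constructed reply to show that AD is only one bit in the flags word, so a stub should rely on it only when the path to the validating resolver is itself trusted. The flag bit positions come from RFC 1035, RFC 4035 and RFC 6891; the transaction id, name and reply are constructed values, nothing is sent on the network, and the "trusted path" decision is left to the caller as a boolean assumption.

```python
"""Build a CD+DO DNS query as a self-validating stub would, and show that the AD
bit in a reply is just a header flag.  All packets are constructed in memory."""
import struct

# DNS header flag bits (RFC 1035 section 4.1.1; AD/CD from RFC 4035 section 3.2)
QR = 1 << 15  # response
RD = 1 << 8   # recursion desired
RA = 1 << 7   # recursion available
AD = 1 << 5   # Authenticated Data: a validating resolver asserts the answer validated
CD = 1 << 4   # Checking Disabled: the client will validate the answer itself
# EDNS0 OPT pseudo-RR (RFC 6891): the DO ("DNSSEC OK") bit is the top bit of its TTL field
DO = 1 << 15
OPT_TYPE = 41
EDNS_UDP_SIZE = 4096


def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels ending in the root label."""
    name = name.rstrip(".")
    if not name:
        return b"\x00"
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"


def build_query(name: str, qtype: int = 1, txid: int = 0x1234,
                checking_disabled: bool = True, dnssec_ok: bool = True) -> bytes:
    """Query that asks the upstream resolver to hand over DNSSEC material.

    CD=1 tells a security-aware resolver not to decide validity for us but to pass
    the records through; DO=1 in the OPT RR asks for RRSIG/NSEC records at all.
    """
    flags = RD | (CD if checking_disabled else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)  # qd=1 an=0 ns=0 ar=1 (the OPT RR)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root name, type 41, "class" = UDP payload size, "TTL" = ext-rcode/version/flags, rdlength 0
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, EDNS_UDP_SIZE, DO if dnssec_ok else 0, 0)
    return header + question + opt


def parse_header(packet: bytes) -> dict:
    """Decode the 12-byte header into the fields this thread argues about."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {"id": txid, "qr": bool(flags & QR), "rd": bool(flags & RD),
            "ad": bool(flags & AD), "cd": bool(flags & CD), "rcode": flags & 0xF,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def skip_name(packet: bytes, off: int) -> int:
    """Return the offset just past a wire-format name (labels or a compression pointer)."""
    while True:
        length = packet[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def do_bit_set(packet: bytes) -> bool:
    """Walk the sections and report whether an OPT RR with DO=1 is present."""
    hdr = parse_header(packet)
    off = 12
    for _ in range(hdr["qdcount"]):
        off = skip_name(packet, off) + 4  # qtype + qclass
    for _ in range(hdr["ancount"] + hdr["nscount"] + hdr["arcount"]):
        off = skip_name(packet, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", packet[off:off + 10])
        if rtype == OPT_TYPE and ttl & DO:
            return True
        off += 10 + rdlen
    return False


def constructed_response(query: bytes, set_ad: bool) -> bytes:
    """Constructed sample reply: echoes the question and OPT RR, answers nothing, and
    sets or clears AD.  No RRSIG is present, so the AD bit is exactly as strong as the
    path it arrived over, which is the point the thread makes."""
    txid, qflags = struct.unpack("!HH", query[:4])
    flags = QR | RA | (qflags & (RD | CD)) | (AD if set_ad else 0)
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1) + query[12:]


def may_rely_on_ad(response: bytes, resolver_path_trusted: bool) -> bool:
    """Stub policy: treat AD as evidence only when the resolver that set it is reached
    over a trusted path (a validator on localhost, or an authenticated channel).
    Otherwise the stub has to validate the signatures itself."""
    return parse_header(response)["ad"] and resolver_path_trusted


if __name__ == "__main__":
    q = build_query("example.com.")
    print("query flags:", parse_header(q), "DO set:", do_bit_set(q))
    r = constructed_response(q, set_ad=True)
    print("reply claims AD:", parse_header(r)["ad"],
          "| rely on it over the ISP path:", may_rely_on_ad(r, resolver_path_trusted=False))
```

Run it as-is and the last line shows the whole argument in one place: the reply says "ad", and the stub still refuses to rely on it because nothing authenticated the hop from the ISP's resolver. A real self-validating stub would go on to check the RRSIGs that a CD+DO query causes the resolver to include; that signature verification is deliberately out of scope here.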

  3. Solution by girlintraining · · Score: 3, Interesting

    Man in the middle attacks have a classic solution: Encryption and non-repudiation in the authentication protocols. Encrypt everything between the client and server (as IPv6 allows for) and the amount of damage a rogue ISP can do (or any peer point) is greatly reduced.

    --
    #fuckbeta #iamslashdot #dicemustdie
  4. Re:Adware by matria · · Score: 5, Interesting

    Did you even read the whitepaper?

    The director of the Estonian company has been convicted for credit card fraud but he was still able to build a network of companies in Europe and in the United States.

    For instance, a Web developer who joined the company in 2008 proudly published a portfolio containing sites that he developed during his employ. This is a natural thing to do for a Web developer. In this case, however, his portfolio consisted not only of corporate websites but also of websites that have been used to lure Internet users to install Trojans that posed as helpful software such as video codecs and file compression software.

    The whitepaper is totally different from what you tried to portray, even on the first page. Your post is obviously an attempt at a cover-up, presuming most people won't read the PDF.

  5. Network neutrality by MobyDisk · · Score: 4, Interesting

    From a US perspective: without network neutrality, this is all legal.

    Page 8 of the PDF shows CNN.COM with an advertisement replaced. What stops them from replacing the content of the articles? Page 10 shows how they hacked Google results. What keeps them from changing those results to filter articles on politics, religion, gender issues, laws...

  6. Re:Adware by interkin3tic · · Score: 3, Interesting

    Yes, adware is bad too, but it's legal and calling adware companies cybercriminals is going to bring some lawsuits.

    Others have addressed the actual legality, but I want to address this anyway. I don't think we should refrain from calling bad guys "bad." Whether or not some asshole skates around laws faster than Estonia can make them (or outright bribes/lobbies lawmakers to keep what he's doing legal), or whether or not a particular asshole gets litigious for calling him an asshole, they're still an asshole. In fact, they're even bigger assholes if they bend laws and sue over it.

  7. Re:Adware by Zocalo · · Score: 3, Informative

    Give me a break! Frankly, I'm not sure why they've even bothered to obscure the identity of the company concerned since it's pretty much obvious to anyone who follows IT security news that they are talking about EstDomains and Vladimir Tsastsin. Try punching those into Google or whatever and you'll see this goes way beyond being just an "adware company".

    --
    UNIX? They're not even circumcised! Savages!
  8. From estonian perspective... by ZWoz_new · · Score: 2, Interesting

    First: I'm Estonian and maybe not objective. But, in my opinion, this "research" is a little bit inflammatory. I didn't count, but if every third word is "Estonian" or "Estonia" or "Tartu", then this looks like "oww, look at those foreign, maybe Russian, cybercriminals!". Anyway, this is an old and dead horse that gets beaten, this infamous EstDomains a.k.a. Rove Digital (if anybody wants proof, look at Figure 1 in the PDF and compare rovedigital.com). This article tries to make the impression that in Estonia this ISP is legal or somewhat "known and normal" business. In fact, I never heard about those guys before the first scandals and court case; I'm afraid they don't have much business (legal or other kind) in Estonia.

  9. Re:Adware by Runaway1956 · · Score: 4, Insightful

    It seems Mr. Tsastsin has a rather colorful past, and is no stranger to organized crime. According to the local court and news media, he was recently sentenced to three years in an Estonian prison after being found guilty of credit card fraud, document forgery, and money laundering.
    _____________________________________

    If you happen to be Tsastsin's wife, I can understand that you'd like to stick up for his "good name". Maybe you feel that you need to do so, for the kids.

    But, the bastard is a criminal bastard. Your astroturfing won't change the fact.

    --
    "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br