Schneier on Security linked to an excellent paper on the economics of spam. Interestingly, the authors were able to infiltrate the Storm worm network and monitored its doings in the course of their study.
After 26 days, and almost 350 million e-mail messages, only 28 sales resulted — a conversion rate of well under 0.00001%. Of these, all but one were for male-enhancement products and the average purchase price was close to $100. Taken together, these conversions would have resulted in revenues of $2,731.88 — a bit over $100 a day for the measurement period or $140 per day for periods when the campaign was active. However, our study interposed on only a small fraction of the overall Storm network — we estimate roughly 1.5 percent based on the fraction of worker bots we proxy. Thus, the total daily revenue attributable to Storm’s pharmacy campaign is likely closer to $7000 (or $9500 during periods of campaign activity). By the same logic, we estimate that Storm self-propagation campaigns can produce between 3500 and 8500 new bots per day.Under the assumption that our measurements are representative over time (an admittedly dangerous assumption when dealing with such small samples), we can extrapolate that, were it sent continuously at the same rate, Storm-generated pharmaceutical spam would produce roughly 3.5 million dollars of revenue in a year. This number could be even higher if spam-advertised pharmacies experience repeat business. A bit less than “millions of dollars every day,” but certainly a healthy enterprise.
Of course, the authors point out that it’s dangerous to make these sorts of generalizations:
We would be the first to admit that these results represent a single data point and are not necessarily representative of spam as a whole. Different campaigns, using different tactics and marketing different products will undoubtedly produce different outcomes. Indeed, we caution strongly against researchers using the conversion rates we have measured for these Storm-based campaigns to justify assumptions in any other context. [link]
An analyst at Websense Security Labs did a study of the “wolfteeth bot catcher”, a tool coming out of China that allows a user to specify a particular range of IP addresses and then search for and exploit the MS08-067 bug in Windows, installing any malicious code they may choose. Careful though! It seems the authors of this program included a backdoor so that installing it also pulls you into their botnet. Here is the link for the disection, an interesting bit of thick texture even if the details are lost on you.
IEEE Spectrum published an article this past May about the growing concern within defense circles about the loss of oversight along the military hardware supply chain. With many of the semiconductor components manufactured in the People’s Republic of China, rumors and fears of maliciously implanted “backdoors” abound:
According to a U.S. defense contractor who spoke on condition of anonymity, a “European chip maker” recently built into its microprocessors a kill switch that could be accessed remotely. French defense contractors have used the chips in military equipment, the contractor told IEEE Spectrum. If in the future the equipment fell into hostile hands, “the French wanted a way to disable that circuit,” he said. Spectrum could not confirm this account independently, but spirited discussion about it among researchers and another defense contractor last summer at a military research conference reveals a lot about the fever dreams plaguing the U.S. Department of Defense (DOD)…
Vetting a chip with a hidden agenda can’t be all that tough, right? Wrong. Although commercial chip makers routinely and exhaustively test chips with hundreds of millions of logic gates, they can’t afford to inspect everything. So instead they focus on how well the chip performs specific functions. For a microprocessor destined for use in a cellphone, for instance, the chip maker will check to see whether all the phone’s various functions work. Any extraneous circuitry that doesn’t interfere with the chip’s normal functions won’t show up in these tests…
Nor can chip makers afford to test every chip. From a batch of thousands, technicians select a single chip for physical inspection, assuming that the manufacturing process has yielded essentially identical devices. They then laboriously grind away a thin layer of the chip, put the chip into a scanning electron microscope, and then take a picture of it, repeating the process until every layer of the chip has been imaged. Even here, spotting a tiny discrepancy amid a chip’s many layers and millions or billions of transistors is a fantastically difficult task, and the chip is destroyed in the process…
The Pentagon is now caught in a bind. It likes the cheap, cutting-edge devices emerging from commercial foundries and the regular leaps in IC performance the commercial sector is known for. But with those improvements comes the potential for sabotage. “The economy is globalized, but defense is not globalized,” says Coleman. “How do you reconcile the two?” [link]
With respect to recent news pertaining to electronic security and surveillance see also:
Accompanying the recent military action on the ground in Georgia was a cyber campaign that took down many government sites and generally impeded the dissemenation of information throughout the country. Shortly after things cooled down in Georgia, a collection of security researchers in and around the intelligence community got together under the banner of “Project Grey Goose” in an attempt to see if open source information, particularly through semantic analysis of Russian hacker forums, could be used to unmask those responsible. The team drew widely from the community:
- Lewis Shepherd - former CTO, Defense Intelligence Agency; CTO, Microsoft Institute for Advanced Technology in Governments
- Bob Gourley - former CTO, Defense Intelligence Agency; founder, Crucial Point LLC, a technology research and advisory firm
- Matt Devost - former Senior INFOSEC Engineer at SAIC; Security Consultant to foreign governments and corporations; President, Total Intelligence Solutions
- Preston Werntz - Project Manager, Newbrook Solutions, currently engaged at DHS Office of Intelligence and Analysis
- Derek Plansky - former Director, Lexis-Nexis Risk and Information Analytics Group; President, Informatic Ideas Consulting
- Andrew Conway - former analyst performing classified work for a three letter agency analyzing leadership emergence in covert networks; currently a Ph.D candidate in Politics, NYU
- Jeremy Baldwin - Analytic Tradecraft Developer, The Analysis Corporation [source]
Following 56 days of investigation the group has published its findings [pdf] [intelfusion blog]. The conclusions?
- We assess with high confidence that the Russian government will likely continue its practice of distancing itself from the Russian nationalistic hacker community thus gaining deniability while passively supporting and enjoying the strategic benefits of their actions.
- We assess with high confidence that nationalistic Russian hackers are likely adaptive adversaries engaged in aggressively finding more efficient ways to disable networks.
- We judge with moderate confidence that a journeyman-apprentice relationship will continue to be the training model used by nationalistic Russian hackers.
- We estimate with moderate confidence that hacker forums engaged in training Russian cyber warriors will continue to evolve their feedback loop which effectively becomes their Cyber Kill Chain.
- After analyzing over 200 posts in the Xakep.ru and StopGeorgia.ru forums, as well as Georgian network server data, Grey Goose analysts were able to discern a cyber kill chain which is comprised of the following steps:
- 1) Encourage novices through patriotic imagery and rhetoric to get involved in the cyber war against Georgia
2) Publish a target list of Georgian government Web sites which have been tested for access from Russian and Lithuanian IP addresses.
3) Discuss and select one of several different types of malware to use against the target Web site.
4) Launch the attack
5) Evaluate the results (optional step)
- We assess with high confidence that all visitors to Russian hacker forums which originate from U.S. IP addresses will be monitored.