Legitimate ISP a Cover-up For a Cybercrime Network

ezabi writes "TrendWatch, the malware research arm of TrendMicro, has posted a white paper titled 'A Cybercrime Hub' (PDF, summary here) describing the activities of an Estonian ISP acting as a cover-up for a large cybercrime network. It's involved with malware distribution and DNS hijacking, which leads to credit card fraud. The story's interesting, and a typical internet user would be exposed in such a situation. What security measures should be taken to prevent normal users from falling victim to such malicious bodies? Note that they are represented legitimately and are offering real services like any other internet company."
  • Solution (Score:4, Interesting)

    by girlintraining ( 1395911 ) on Wednesday August 26, 2009 @01:13PM (#29204267)

    Man in the middle attacks have a classic solution: Encryption and non-repudiation in the authentication protocols. Encrypt everything between the client and server (as IPv6 allows for) and the amount of damage a rogue ISP can do (or any peer point) is greatly reduced.

  • Re:Adware (Score:5, Interesting)

    by matria ( 157464 ) on Wednesday August 26, 2009 @01:15PM (#29204293)

    Did you even read the whitepaper?

    The director of the Estonian company has been convicted for credit card fraud but he was still able to build a network of companies in Europe and in the United States

    For instance, a Web developer who
    joined the company in 2008 proudly published a portfolio containing sites that he developed during his employ. This is a natural thing to do for a Web developer. In this case, however, his portfolio consisted not only of corporate websites but also of websites that have been used to lure Internet users to install Trojans that posed as helpful software such as video codecs and file compression software.

    The whitepaper is totally different than you tried to portray, even in the first page. Your post is obviously an attempt at a coverup, presuming most people won't read the PDF.

  • Network neutrality (Score:5, Interesting)

    by MobyDisk ( 75490 ) on Wednesday August 26, 2009 @01:36PM (#29204603) Homepage

    From a US perspective: without network neutrality, this is all legal.

    Page 8 of the PDF shows CNN.COM with an advertisement replaced. What stops them from replacing the content of the articles? Page 10 shows how they hacked Google results. What keeps them from changing those results to filter articles on politics, religion, gender issues, laws...

  • Re:Adware (Score:4, Interesting)

    by interkin3tic ( 1469267 ) on Wednesday August 26, 2009 @01:44PM (#29204711)

    Yes adware is bad too, but its legal and calling adware companies cybercriminals is going to bring some lawsuits.

    Others have addressed the actual legality, but I want to address this anyway. I don't think we should refrain from calling bad guys "bad." Whether or not some asshole skates around laws faster than Estonia can make them (or outright bribes/lobbies lawmakers to keep what he's doing legal), or whether or not a particular asshole gets litigious for calling him an asshole, they're still an asshole. In fact, they're even bigger assholes if they bend laws and sue over it.

  • by ZWoz_new ( 1171203 ) on Wednesday August 26, 2009 @01:53PM (#29204861)
    First: I'm Estonian and maybe not objective. But, in my opinion, this "research" is a little bit inflammatory. I didn't count, but if every third word is "Estonian" or "Estonia" or "Tartu", then this looks like "oww, look at those foreign, maybe Russian, cybercriminals!". Anyway, this is an old and dead horse that gets beaten, this infamous EstDomains a.k.a. Rove Digital (if anybody wants proof, look at Figure 1 in the pdf and compare rovedigital.com). This article tries to make the impression that in Estonia this ISP is legal or somewhat a "known and normal" business. In fact, I never heard about those guys before the first scandals and court case; I'm afraid they don't have much business (legal or any other kind) in Estonia.
  • by jroysdon ( 201893 ) on Wednesday August 26, 2009 @02:09PM (#29205151)

    DNSSEC only helps you if you run your own DNS resolver. 99% of the population uses their ISP's resolver. The exception is corporate networks, etc. DNSSEC does nothing to protect or help the end-user know that queries are good. The data from the resolver to the client isn't signed or authenticated in any way, so even if you ask for the +adflag, etc., if someone has a way to mess with your DNS queries with MitM, they can add the "ad" (authenticated data) flag so your client would think the data had been verified by DNSSEC.

    DNSSEC is hardly deployed either. Not even in the .GOV TLD domains, which have a mandate that all domains be signed by the end of this year.

    Query Comcast's test DNSSEC resolver:
    dig +adflag +dnssec gov @68.87.69.154

    You get back NSEC3 keys and RRSIGs, and the "ad" flag will be set (meaning it is authenticated data). Try it again with just about any domain:
    dig +adflag +dnssec whitehouse.gov @68.87.69.154
    dig +adflag +dnssec fbi.gov @68.87.69.154
    dig +adflag +dnssec cia.gov @68.87.69.154
    dig +adflag +dnssec nsa.gov @68.87.69.154

    Nah, none of them have deployed DNSSEC. Less than 3 months to go and they'll all slip past the mandate.

    DNSSEC is a good step in the right direction, but it's not a magic bullet. Perhaps if there were some client apps that act as DNS resolvers and verify all DNSSEC keys and sigs (the same as resolvers do), but that's going to slow down the user experience with many queries before even requesting content. Further, how are end-user apps like this going to be kept up to date with new signatures that have to roll (yearly, I believe)? No magic bullet, that is for sure.
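The point above, that the "ad" bit is just an unauthenticated flag in the resolver-to-client reply, as an added example (written here for this discussion, not code from the original post or from the commenter): a short Python script that builds a constructed DNS response (sample bytes, not captured traffic), parses the header flags, shows that setting AD is a one-bit change in byte 3 of the header that any on-path party can make without holding any DNSSEC key, and encodes the stub-side rule a client should apply, which is to honor AD only when the path to the validating resolver is itself trusted (for example a validating resolver on localhost). The name www.example.com, the transaction ID and the addresses are constructed for the example.

```python
import struct

# DNS header flag bits (RFC 1035 sec. 4.1.1; AD/CD from RFC 4035 sec. 3.2.3)
FLAG_QR = 0x8000   # response
FLAG_RD = 0x0100   # recursion desired
FLAG_RA = 0x0080   # recursion available
FLAG_AD = 0x0020   # "authenticated data": set by a validating resolver
FLAG_CD = 0x0010   # "checking disabled": stub will validate itself


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(txid, name, ipv4, flags):
    """Constructed sample: a minimal response with one A record (not real traffic)."""
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)        # QTYPE=A, QCLASS=IN
    answer = (b"\xc0\x0c"                                           # pointer to the question name
              + struct.pack("!HHIH", 1, 1, 300, 4)                  # A, IN, TTL 300, RDLENGTH 4
              + bytes(int(o) for o in ipv4.split(".")))
    return header + question + answer


def parse_flags(msg):
    """Decode the 16-bit flags word at bytes 2-3 of the header."""
    flags = struct.unpack("!H", msg[2:4])[0]
    return {
        "qr": bool(flags & FLAG_QR),
        "rd": bool(flags & FLAG_RD),
        "ra": bool(flags & FLAG_RA),
        "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD),
        "rcode": flags & 0x000F,
    }


def forge_ad(msg):
    """What an on-path attacker does: OR one bit into the header. No key, no RRSIG needed."""
    flags = struct.unpack("!H", msg[2:4])[0] | FLAG_AD
    return msg[:2] + struct.pack("!H", flags) + msg[4:]


def skip_name(msg, off):
    """Advance past a wire-format name (labels or a compression pointer)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def answer_ip(msg):
    """Pull the A record out of the first answer RR."""
    off = skip_name(msg, 12) + 4          # past question name, QTYPE, QCLASS
    off = skip_name(msg, off)             # past the answer owner name
    _rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
    rdata = msg[off + 10:off + 10 + rdlen]
    return ".".join(str(b) for b in rdata)


def client_should_trust(msg, resolver_on_trusted_path):
    """Stub rule: AD means something only over a channel to the resolver that cannot be
    tampered with (RFC 4035 sec. 4.9.3). Otherwise either validate locally (set CD and
    check RRSIGs yourself) or treat the answer as unvalidated."""
    return parse_flags(msg)["ad"] and resolver_on_trusted_path


def demo():
    """Assumed scenario: the ISP resolver did not validate, an on-path party rewrites the answer."""
    honest = build_response(0x1234, "www.example.com", "192.0.2.10", FLAG_QR | FLAG_RD | FLAG_RA)
    rewritten = forge_ad(build_response(0x1234, "www.example.com", "198.51.100.7",
                                        FLAG_QR | FLAG_RD | FLAG_RA))
    return {
        "honest_ad": parse_flags(honest)["ad"],
        "forged_ad": parse_flags(rewritten)["ad"],
        "forged_ip": answer_ip(rewritten),
        "trusted_over_isp_path": client_should_trust(rewritten, resolver_on_trusted_path=False),
        "trusted_over_localhost": client_should_trust(rewritten, resolver_on_trusted_path=True),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The forged reply differs from the honest one by a single bit in the header plus the rewritten RDATA; nothing in the message lets a stub that does not validate RRSIGs itself tell the two apart, which is exactly why the AD bit from an ISP resolver over an unprotected link proves nothing.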

  • by tialaramex ( 61643 ) on Wednesday August 26, 2009 @04:18PM (#29207405) Homepage

    Also, while I'm here, it's a lot harder to MitM the link between a user and their ISP in most cases. Both addresses are inside the ISP's range, so it should and probably does have border rules that prevent such packets traversing the border. That means to attack user X at ISP A, you need to be able to mess with packets inside ISP A. Whereas today, by doing MitM on some poor .com site's DNS servers, you get every user visiting the site. So "does nothing to protect" isn't really true.

    If you're going to say "What if the bad guys just reconfigure the victim's machine to use their DNS server" Well, yeah, but in that case they broke in and changed system level configuration, it's game over. They could just as easily add an OS patch that redirects all IP traffic via their servers so that DNS is irrelevant.
