Thursday, November 13, 2008

The volume of junk e-mail sent worldwide dropped drastically today after a Web hosting firm identified by the computer security community as a major host of organizations allegedly engaged in spam activity was taken offline, according to security firms that monitor spam distribution online.

While its gleaming, state-of-the-art, 30-story office tower in downtown San Jose, Calif., hardly looks like the staging ground for what could be called a full-scale cyber crime offensive, security experts have found that a relatively small firm at that location is home to servers that serve as a gateway for a significant portion of the world's junk e-mail.

The servers are operated by McColo Corp., which these experts say has emerged as a major U.S. hosting service for international firms and syndicates that are involved in everything from the remote management of millions of compromised computers to the sale of counterfeit pharmaceuticals and designer goods, fake security products and child pornography via email.

But the company's Web site was not accessible today, when two Internet providers cut off McColo's connectivity to the Internet, security experts said. Immediately after McColo was unplugged, security companies charted a precipitous drop in spam volumes worldwide. E-mail security firm IronPort said spam levels fell by roughly 66 percent as of Tuesday evening.

Spamcop.net, another spam watchdog, found a similar decline, from about 40 spam e-mails per second to around 10 per second.

Officials from McColo did not respond to multiple e-mails, phone calls and instant messages left at the contact points listed on the company's Web site. It's not clear what, if anything, U.S. law enforcement is doing about McColo's alleged involvement in the delivery of spam. An FBI spokesman declined to offer a comment for this story. The U.S. Secret Service could not be immediately reached for comment.

Also unclear is the extent to which McColo could be held legally responsible for the activities of the clients for whom it provides hosting services. There is no evidence that McColo has been charged with any crime, and these activities may not violate the law.

Mark Rasch, a former cyber crime prosecutor for the Justice Department and managing director of FTI Consulting in Washington, D.C., said Web hosting providers are generally not liable for illegal activity carried out on their networks, except in cases involving copyright violations and child pornography.

In the case of child pornography, providers may be held criminally liable if they know about but do nothing to eliminate such content from their servers. For example, in 2001, BuffNET, a large regional service provider in Buffalo, N.Y., pleaded guilty to knowingly providing access to child pornography because the company failed to remove offending Web pages after being alerted to the material.

Rasch said liability in such cases generally hinges on whether the hosting provider is aware of or reasonably should have been aware of the infringing content.

"It's a little bit like a landlord who owns a building and sees people coming in and out of the apartment complex constantly at all hours and not suspecting there may be drug activity going on," Rasch said. "There are certain things that raise red flags, such as the nature, volume, source and destination of the Internet traffic, that can and should raise red flags. And to have so many third parties looking at the volume and content from this Internet provider saying 'This is outrageous,' clearly the people doing the hosting should know that as well."

Global Crossing, a Bermuda-based company with U.S. operations in New Jersey, which was one of the two companies providing Internet connectivity to McColo, declined to discuss the matter, except to say that Global Crossing communicates and cooperates fully with law enforcement, their peers, and security researchers to address malicious activity.

Benny Ng, director of marketing for Hurricane Electric, a Fremont, Calif., company that was the other major Internet provider for McColo, took a much stronger public stance upon receiving information about this investigation from washingtonpost.com.

"We shut them down," Ng said. "We looked into it a bit, saw the size and scope of the problem [washingtonpost.com was] reporting and said 'Holy cow!' Within the hour we had terminated all of our connections to them."

Paul Ferguson, a threat researcher with computer security firm Trend Micro, said despite the apparently unilateral actions by McColo's Internet providers, his opinion is that U.S. authorities should have been examining McColo and its customers for a long time.

"There is damning evidence that [McColo's] activity (allegedly hosting purveyors of spam) has been going on there for way too long, and plenty of people in the security community have gone out of their way to raise awareness about this network, but nobody seems to care," Ferguson said.

Multiple security researchers have recently published data naming McColo as the host for all of the top robot networks or "botnets," which are vast collections of hacked computers that are networked together to blast out spam or attack others online. These include SecureWorks, FireEye and ThreatExpert.

Reports by Joe Stewart, director of malware research for Atlanta-based SecureWorks, said that the known botnets Mega-D, Srizbi, Pushdo, Rustock and Warezov "have their master servers hosted at McColo."

Stewart said he has complained to McColo several times about botnets operating out of the company's servers, and each time, he said, the company claimed it was addressing the problem. But according to Stewart, they did so by just moving the offending Web sites to a different section of their network.

"McColo runs a service that offers its clients quite a bit more protection from takedowns than the average Web host," Stewart said. "If they get abuse complaints they will try to appease whoever is complaining, but the end result is usually they just end up moving their Internet addresses around."

Collectively, these botnets appear to be responsible for sending roughly 75 percent of all spam each day, according to the latest stats from Marshal, a security company in the United Kingdom that tracks botnet activity.

Vincent Hanna, a researcher for the anti-spam group Spamhaus.org, said Spamhaus sees roughly 1.5 million computers infected with either Srizbi or Rustock sending spam over an average one-week timeframe.

Hanna said McColo has for years hosted botnet and other suspicious activity, and that it has a reputation as one of the most dependable players in the so-called "bulletproof hosting" business, in which Web servers remain online regardless of complaints.

"These are serious issues, almost all relating to the very core of spammer infrastructure," he said.

Researchers have found that on any given day, about half of all spam sent through the top botnets is ads for male enhancement products and other knockoff designer drugs, and a fair number of the online pharmacy sites linked in those spam messages were hosted at McColo.

Last month, the Federal Trade Commission convinced a U.S. district court to seize the assets of an international spam network selling counterfeit prescription drugs, a network Spamhaus identified as the largest "spam gang" in the world. The spammers allegedly used the Mega-D botnet, which is capable of sending 10 billion e-mail messages each day.

Jart Armin, a private security researcher who documented the activity at McColo in a report published today, said McColo is currently hosting at least 40 different child pornography Web sites or sites that collect payment for the illicit content -- and that traffic analysis showed that one of the sites garnered between 15,000 and 25,000 visitors each day.

Ian Amit, director of security research for Aladdin Knowledge Systems, an Israeli security intelligence firm, said cyber criminals have for many months used servers at McColo to manage Web sites that push out new versions of the "Torpig," or "Sinowal" Trojan horse program, which is widely considered one of the stealthiest and most sophisticated families of malicious software in existence today.

In October, RSA FraudAction Research Lab learned that a single cyber crime group has used the Torpig Trojan to steal more than a half million bank, credit and debit card accounts from infected PCs over the past two-and-a-half years.

Amit said he found that recent Torpig attacks were being coordinated out of a Web server in Florida, which in turn was controlled by a VPN server running at McColo. Aladdin's findings were mirrored by those of researchers at iDefense, a security firm in Sterling, Va.

"We traced back the management connections, and found that the criminals were logged into the attack server in Florida using connections from McColo," Amit said.

Over the past year, media attention paid to Internet service providers and hosting companies that were profiting from cyber crime activity forced two of the most notorious networks underground or off the Web entirely.

Late last year, stories published by washingtonpost.com and elsewhere about criminal activity and child pornography at the St. Petersburg-based Russian Business Network (RBN) caused the hosting company's upstream Internet providers to cease routing traffic for the company. The same thing happened in September, when upstream Internet providers pulled the plug on Northern California-based Intercage following media reports about the level of cyber-crime activity emanating from its network.

But some security experts worry that if major Internet providers similarly shun McColo, it will only make the criminals and their activities harder to track and to block. Stewart, of SecureWorks, notes that in the case of the RBN, the company's clients didn't really go away, but instead simply dispersed their operations to less concentrated areas of the Internet.

"Everything will just be more spread out and harder to mitigate," Stewart said. "We rather like knowing where the bad activity is coming from, so protecting our networks is easier."

Jon Praed, founder of the Internet Law Group in Arlington, Va., and an attorney who has pursued spammers in cases filed by some of the nation's largest ISPs, said many security companies do not want safe havens to go away because it merely forces those companies to work harder to find the cyber-crime intelligence that powers their businesses. What's more, he said, if enough Internet providers begin severing ties with known sources of illegal activity, the cyber-criminal groups will be increasingly forced into a smaller number of areas on the Internet, ultimately increasing their costs and making them easier to isolate, identify and block.

"Good network providers are going to have to step up and separate themselves from these providers who are increasingly dependent on criminal operations," Praed said. "The fact that McColo, a virtual den of iniquity, is able to survive into 2008 in the United States is a willful sign that we haven't yet begun the job of driving these operations to places where we can begin to curtail their existence."

posted @ 12:47 PM | Feedback (0)

If you think they're out to get you, you're not alone.

Paranoia, once assumed to afflict only schizophrenics, may be a lot more common than previously thought.

According to British psychologist Daniel Freeman, nearly one in four Londoners regularly have paranoid thoughts. Freeman is a paranoia expert at the Institute of Psychiatry at King's College and the author of a book on the subject.

Experts say there is a wide spectrum of paranoia, from the dangerous delusions that drive schizophrenics to violence, to the irrational fears many people have daily.

"We are now starting to discover that madness is human and that we need to look at normal people to understand it," said Dr. Jim van Os, a professor of psychiatry at Maastricht University in the Netherlands. Van Os was not connected to Freeman's studies.

Paranoia is defined as the exaggerated or unfounded fear that others are trying to hurt you. That includes thoughts that other people are trying to upset or annoy you, for example, by staring, laughing, or making unfriendly gestures.

Surveys of several thousands of people in Britain, the United States and elsewhere have found that rates of paranoia are slowly rising, although researchers' estimates of how many of us have paranoid thoughts vary widely, from 5 percent to 50 percent.

A British survey of more than 8,500 adults found that 21 percent of people thought there had been times when others were acting against them. Another survey of about 1,000 adults in New York found that nearly 11 percent thought other people were following or spying on them.

Dennis Combs, an assistant professor of psychology at the University of Texas at Tyler, has been studying paranoia for about a decade. When he first started conducting paranoia studies, mostly in college students, he found that about 5 percent of them had paranoid thoughts. In recent years, that has tripled to about 15 percent, he said.

In a small experiment in London, Freeman concluded that a quarter of people riding the subway in the capital probably have regular thoughts that qualify as paranoia. In the study, 200 randomly selected people (those with a history of mental problems were excluded) took a virtual reality train ride. They recorded their reactions to computerized passengers programmed to be neutral.

More than 40 percent of study participants had at least some paranoid thoughts. Some felt intimidated by the computer passengers, claiming they were aggressive, had made obscene gestures, or tried to start a fight.

Freeman said that in big cities, many ambiguous events can lead to paranoid thoughts. Because we constantly make snap judgments based on limited information, like which street to take or whether or not strangers are dangerous, the decision-making process is prone to error.

Van Os said Freeman's virtual reality experiment was solid and confirmed previous research. Experts say not everyone with paranoid thoughts needs professional help. It all depends on how disturbing the thoughts are and if they disrupt your life.

"People walk around with odd thoughts all the time," said David Penn, a professor of psychology at the University of North Carolina. "The question is if that translates into real behavior."

Van Os recalled a delusional patient who was convinced that the French singer Charles Aznavour was in love with her, and had been whispering to her before she went to sleep every night for more than two decades.

"You could call it a psychotic experience, but she was very happy about it," van Os said. "There isn't always a need for care when there's an instance of psychosis."

He hoped that being able to identify milder delusional symptoms in people could help doctors intervene earlier to prevent more serious cases.

The post-Sept. 11 atmosphere and the war on terror also have increased levels of paranoia in the West, some experts said.

"We are bombarded with information about our alert status and we're told to report suspicious-looking characters," Penn said. "That primes people to be more paranoid."

Traumatic events can make people more vulnerable to having paranoid thoughts. Since the attacks, Penn said Americans have been conditioned to be more vigilant of anything out of the ordinary.

While heightened awareness may be a good thing, Penn said it can also lead to false accusations and an atmosphere where strangers are negatively viewed.

That can result in more social isolation, hostility, and possibly even crime. And it can take a toll on physical health. More paranoia means more stress, a known risk factor for heart disease and strokes.

Still, some experts said that a little bit of paranoia could be helpful.

"In a world full of threat, it may be kind of beneficial for people to be on guard. It's good to be looking around and see who's following you and what's happening," Combs said. "Not everybody is trying to get you, but some people may be."

posted @ 12:44 PM | Feedback (0)

Online media have been slow to take off in Mauritania, but already several websites critical of the regime are coming under attack from hackers whom the sites say are linked to the military junta.

NOUAKCHOTT, November 12, 2008 (MENASSAT) – The Sahara Media news agency, considered the first news site in Mauritania, was the latest victim in a series of deliberate attacks on the country's websites.

After two previous failed attempts, the latest attacks were enough to disrupt the website for at least two days, which forced the management to change the site's domain name. In a statement to its readers, Sahara Media described the attack as "very dangerous and possibly the start of an open war on free media in the country."

The hacking of the website came two days after a similar attack on the al-Anba' al-Ikhbari website, which was launched at the beginning of the latest political crisis in Mauritania. On August 6, 2008, Mauritania's democratically elected president, Sidi Mohamed Ould Cheikh Abdallahi, was ousted in a military coup. The country has been ruled by a military junta ever since.

Sahara Media has accused "national and foreign parties" of aiming to muzzle the site.

Al-Anba', for its part, was far more specific in assigning blame. It said "some parties in the military regime in Nouakchott" are responsible for the sabotage.

Al-Anba's editor in chief, Sheikh Ould Ahmad Amin, who is currently living in Canada, said in a statement to MENASSAT that the hacking came from parties close to the technical department of the site, without giving any additional information.

"Our website was subject to an internal sabotage operation. We can't uncover all the facts by giving names because of the danger still hanging over our website."

According to Ahmad Amin, the attack is connected to the website's stated intent to publish articles about various scandals involving politicians and high ranking personalities in the country.

"We are fully aware that the current military regime that ousted the first elected government in Mauritania is directly or indirectly linked to what happened," Ahmad Amin said.

The website says it is still planning to publish said stories.

Many journalists in Mauritania fear that these attacks are part of a campaign targeting press freedom in the country.

The attacks are reminiscent of earlier hacking incidents that targeted a number of websites opposed to the rule of Ould al-Taya', Mauritania's dictator from 1984-2005. However, these sites later developed protective systems to face the hackers.

MENASSAT met with some IT technicians who said that part of the problem is that most Mauritanian websites have very weak security systems.

But despite all these attacks, people are still sticking their necks out, as proved by the recent launch of For Mauritania, a trilingual website proposing a media opposition platform to the military coup.

posted @ 12:43 PM | Feedback (0)

Express Scripts, the pharmacy benefits management company which recently disclosed an extortionist is demanding money by threatening to expose millions of patient records the company holds, Wednesday said it has decided to offer $1 million to nab the perpetrator.

“We’re going on the offense with this reward,” says Steve Littlejohn, Express Scripts spokesman and vice president of public affairs. The $1 million will be paid to anyone who provides information leading to the capture and conviction of the extortionist who sent a letter to Express Scripts in early October that contained personal information on 75 people, referred to as members, who use the company’s pharmacy-benefits services. The extortionist claims to have information on millions more Express Scripts members and wants money in return for not revealing it.

Express Scripts has refused to cave in to the extortionist’s demand. But Littlejohn said that a small number of its clients, such as companies offering healthcare plans to employees, are now also receiving extortion threats with personal information about members. “The letters are similar enough that we are inclined to think it’s the same person,” says Littlejohn.

He says Express Scripts and its clients are agreeing not to cave in to the extortionist’s demand for money.

Express Scripts, which is working with the FBI, is investigating how the company may have suffered a data breach, whether it might be an inside attack or outsider crime. “We have a 24 x 7 investigation underway,” Littlejohn says. “We’re not excluding anything.”

For more information about the extortionist's demands and the data breach, see the Express Scripts Web site.

posted @ 12:42 PM | Feedback (0)

The 48-year-old engineer charged with attempting to blackmail Saab Microwave Systems for 16 million kronor ($2.1 million) was sentenced on Monday to four years in prison.

He was convicted of serious unauthorized possession of classified information, bribery, as well as attempted bribery, but was acquitted on charges of industrial espionage.

The man, who worked as a consultant at Saab Microwave Systems, obtained various sensitive documents which he threatened to make public if the company didn’t pay him several million kronor.

According to the prosecutor, the documents contained company secrets which were also considered classified military secrets.

The man has confessed that he tried to get the company to buy back the secret documents, but denied his guilt.

He claims that he was forced into the deal by a man referred to as Defence Harry, a person who police and prosecutors have yet to locate.

The prosecutor had originally asked that the man receive an eight-year prison sentence.

posted @ 12:40 PM | Feedback (0)

An unauthorized intruder accessed a University of Florida College of Dentistry computer server containing personal information of more than 344,000 current and former dental patients, UF announced Wednesday.

The information included names, addresses, birth dates, Social Security numbers and dental procedure information for patients dating back to 1990. The breach was discovered Oct. 3, when college staff members were upgrading the server and found software had been remotely installed on it, according to the university.

While UF officials have no evidence the intruder used the information for fraudulent purposes, letters were mailed to 336,234 people who had information on the system to alert them. The university lacked mailing addresses for nearly 8,250 additional patients with data on the server and is seeking help in locating them. A hotline, 866-783-5883, has been established for patient inquiries.

FBI and University Police officers are investigating the security breach. After it was discovered, university officials reported the server was disconnected from the Internet to cut off the intruder's access.

The system was subsequently rebuilt with more stringent security controls. UF officials are in the process of screening up to 60,000 more computers to ensure appropriate safeguards are in place.

posted @ 12:39 PM | Feedback (0)