Thursday, December 23, 2010

36 Million Americans Buy Drugs Online -- Illegally!

On December 14th, the White House Intellectual Property Health and Safety Forum was held by Victoria Espinel, the first U.S. Intellectual Property Enforcement Coordinator (IPEC) appointed by President Obama.

Intellectual Property Rights Advancement under President Obama

In June the IPEC released the Joint Strategic Plan on Intellectual Property Enforcement, prepared by Victoria's office with support from the Departments of Agriculture, Commerce, Health & Human Services, Homeland Security, Justice, State, and the Executive Office of the President. One of the strategic parts of that plan was "Identify Foreign Pirate Websites as Part of the Special 301 Process."

The United States Trade Representative is required by Section 182 of the Trade Act of 1974 (Title 19 USC 2242) to produce an annual review of the global state of intellectual property rights, which is called the "Special 301 Report." One portion of that annual review is the "Notorious Markets List." Listed in the 2010 Special 301 Report as Notorious Markets are Baidu (China) for music piracy, TaoBao (China) and Alibaba (China) for game piracy, TV Ants (China) for sporting event piracy, (Russia) for music piracy, Webhards (Korea) for many types of illegal content,

In the December 14th forum, the focus was not so much on "general" Intellectual Property or piracy, but Intellectual Property rights violations that have the capacity to impact the health and safety of Americans.

This focus area, especially with regard to the Internet portion, has been under development for several months, with President Obama calling for a meeting between ICANN and other stakeholders back in September. See Obama seeks action on online pharmacies domain names as reported by the Securing Pharma website. This action expands on a previous report back in May by LegitScript, a company working to verify online pharmacies. After blasting the industry in general, and eNom in particular, for failing to respond to domain names registered through their company (see the Knujon report: Audit of the gTLD Internet Structure, Evaluation of Contractual Compliance and Review of Illicit Activity by Registrars, and the LegitScript/Knujon report: Rogues and Registrars: Are some Domain Name Registrars safe havens for Internet Drug rings?), eNom came full circle and entered into an agreement on September 21, 2010 with LegitScript and the National Association of Boards of Pharmacies to ensure that rogue pharmacies are not able to use eNom to register their domain names. (The criminals responded to this news by registering hundreds of horrible porn and bestiality websites using the name and contact information of LegitScript founder John Horton, as reported by Brian Krebs.)

The Forum

In case you missed it, CNN Image Source has a one-hour video of the panel, chaired by Victoria Espinel. What a panel - Attorney General Eric Holder, DHS Secretary Janet Napolitano, and John Morton, Director of Immigration and Customs Enforcement.

"We need more data to inform our policies and ensure that we are making smart decisions."

"The Alliance for Safe Online Pharmacies estimate that there are between 30,000 and 40,000 active online drug sellers operating at any one time."

(09:43:35) "The Partnership at announced the results of a survey of consumers on online drug purchasing behavior. The survey's results? 1 in 6 adults, approximately 16% of the adult population, have bought or currently buy medications online without a doctor's prescription."

The report was sponsored by the Alliance for Safe Online Pharmacies and The Partnership at

The survey was conducted by CARAVAN Survey. 1,015 adults were contacted by telephone from November 4-7, 2010. The margin of error is +/- 3%.

(09:45:30) A group of founding private sector partners announced today that they will form a non-profit to work with each other and the US Government to rid the Internet of illegal online pharmacies. Today they have issued principles that will guide those efforts.

(09:46:00) The eleven companies participating in the initiative were invited to stand and be recognized: American Express, eNom, Go Daddy, Google, Mastercard, Microsoft, Neustar, Network Solutions, PayPal, Visa, and Yahoo!

In case any of them are reading this, UAB Computer Forensics Research Laboratory is ready, willing, and able to help!

The next speaker was Attorney General Eric Holder, who has posted a transcript of his remarks on the Department of Justice website. He pledged his support to the Strategic Plan, and shared some recent successes, including a counterfeit cancer drugs case in August, a Texas case involving the seizure of 6,000 counterfeit pills that actually contained ground-up sheetrock as an ingredient, and a groundbreaking $100 million case in Richmond, Virginia. (That last would be the case against Chong Lam and Siu Yung Chan, who were found guilty on June 11. They were arrested back in January 2008 for smuggling more than 300,000 counterfeit handbags from China. Eric Yuen was actually found not guilty.)

Holder was praised during his introduction for re-establishing the DOJ Intellectual Property Task Force, which he announced in February 2010.

Secretary Napolitano spoke next (09:59:40), stressing that both CBP and ICE are seizing more counterfeit goods than ever (seizures increased 97% over 2009), and pledging support for IPEC's Strategic Plan. She also highlighted the National Intellectual Property Rights Coordination Center (which I was able to visit on December 7th, and which I blogged about recently regarding its Cyber Monday "Operation In Our Sites" enforcement actions). ICE initiated more than 1,000 IPR cases in 2010, and criminal charges increased 79% over 2009. DHS also participated in Operation Pangea and Operation Mercury this year, coordinated through the World Customs Organization. Her full remarks are transcribed by LexisNexis.

John Morton, whose full title is "Assistant Secretary of Homeland Security for Immigration and Customs Enforcement", also has his remarks transcribed thanks to LexisNexis. He stressed that we need to speak in plain English and get our message out, and the message is that "counterfeiting spells trouble for America." It robs Americans of jobs, innovation, and creativity. It is organized crime, and creates a risk of harm to consumers. He mentioned counterfeit toothpaste, heart medicine, and air bags, and discussed counterfeit engine parts and ball bearings, not just in cars, but in aircraft with GE engines. Fake Kevlar in Iraq, fake baby formula, fake Cisco routers, and counterfeit Christmas lights were also on his list. One case he went deeper on was the Kevin Xu case in Houston that AG Holder also mentioned.

Xu imported more than $9 million in counterfeit medicines, including Plavix (heart medicine), Casodex (cancer medicine) and Zyprexa (schizophrenia and bipolar medicine). He was arrested in 2007 and sentenced in January 2009 to 78 months and $1.28 million in restitution. Xu was arrested when he flew to Chicago to meet with undercover agents. Forensic chemists working for the FDA determined that his drugs had less of the active ingredient than claimed on the label and had countless impurities of unknown origin. Some of the drugs had no active ingredient at all. He had managed to get his counterfeits into the real supply chain in the United Kingdom, prompting massive recalls of the drugs in June 2007.

First Panel: Dangers of Counterfeit Pharmaceuticals

The First Panel was moderated by Tony West, Assistant Attorney General, Civil Division, including enforcement of the Food, Drug, and Cosmetic Act.

Panelists included:
John Clark, VP of Global Security at Pfizer (former assistant deputy at ICE)
Tom Kubic, President of the Pharmaceutical Security Institute
Carmen Catizone, President of the National Association of Boards of Pharmacies
and John Taylor, Counselor to Commissioner of the FDA

After introductions, John Clark of Pfizer did a presentation about counterfeit drugs.

One counterfeit's ingredients were shown: roach powder, powdered brick, road paint, and floor wax. Clark showed slides of the difference between a real drug manufacturer and a fake one. He played a telephone interview in which a counterfeit drug maker was counseling an undercover agent on what he would need to set up his own manufacturing facilities.

John Taylor shared information on how FDA provides consumer alerts, which are also a means to gather further information for investigators.

(continues in part 2, CNN Image Source)

Tom Kubic of PSI has been investigating and measuring counterfeits since 2002. There has been a 700% increase in drug counterfeiting from 2002 to 2009. They have identified at least 800 unique medicines that were counterfeited worldwide just in 2009. (In 2002, there were around 250.) The ones they have reviewed "are neither safe nor effective."

Carmen Catizone made several points. Quoted (with a slight paraphrase):

When you obtain a medication that has been approved by the FDA, [prescribed] by a licensed practitioner, [dispensed] by a licensed pharmacy, that product is safe.
When you go out of the system, you are dealing with criminals who have found it is easier to sell drugs online than to sell crack or heroin on the street. Consumers and legislators don't understand that this is a serious consumer health risk. Carmen says several years ago he was told by legislators they would not take action until they were shown the dead bodies.

John Taylor followed up on Carmen's comment, showing that the fakes don't have to produce death in order for patients to be harmed. In one case the supplier of an active ingredient component to the manufacturer caused an effective epilepsy drug to become suddenly ineffective. Patients around the country began to have seizures!

A guest from the audience joined the panel to share his story. An AIDS patient taking nearly 10,000 pills a year, he found that his injectable medications were now giving him pain that had not previously been present when injecting. It turned out that his medicine, obtained from a national pharmacy chain with a prescription, was a counterfeit. For a six-week period, he had no idea what he was injecting into himself.

Second Panel: Health and Safety Risks of the Counterfeiting of Trademarks

The Second Panel was moderated by Lanny Breuer, Assistant Attorney General, Criminal Division. This panel focused more on computer and electronic components. A bit off topic for today's blog post.

Panelists included:
Neal Rubin, VP and Director of Litigation at Cisco
Keith Williams, President of Underwriter Laboratories
Robert Barchiesi, President of the International Anti-Counterfeiting Coalition
Brett Brenner, President of the Electrical Safety Foundation International

(continues in part 3, CNN Image Source)


Prior activities

Many of the companies named in the new announcement have already been taking strides to reduce the sale and advertising of online drugs. In October, the National Association of Boards of Pharmacies released their report Internet Drug Outlet Identification Program: Progress Report for Federal Regulators, which shared some of the findings of the International Internet Week of Action (IIWA). During October 5-12, 2010, the Food & Drug Administration, Interpol, and agencies in 45 countries took a concerted week of enforcement actions. Interpol calls the enforcement actions Operation Pangea III.

During the operation which saw the 45 participating countries send intelligence to a dedicated operations centre at INTERPOL's General Secretariat headquarters in Lyon, Internet monitoring revealed 694 websites engaged in illegal activity, 290 of which have now been shut down. In addition, some 268,000 packages were inspected by regulators and customs, almost 11,000 packages were seized and just over 1 million illicit and counterfeit pills were confiscated - including antibiotics, steroids, anti-cancer, anti-depression and anti-epileptic pills, as well as slimming or food supplement pills. Some 76 individuals are currently under investigation or under arrest for a range of offences, including illegally selling and supplying unlicensed or prescription-only medicines.

Operation Pangea III featured a series of YouTube videos themed "Don't Be Your Own Killer". Here are two examples:

Other organizations and actions

In 2009, US Customs & Border Protection (CBP) and Immigration and Customs Enforcement (ICE) seized over $260 million worth of counterfeit goods arriving at US ports.

The International AntiCounterfeiting Coalition (IACC) President, Robert Barchiesi, attended the forum as well.

Monday, December 20, 2010

DIICOT: Romanians Bust Up VOIP Ring

Any day that starts with a video of DIICOT in action is a good day! Over the weekend I saw Lucien Constantin share the good news on Softpedia that a Major VOIP Fraud Gang was Dismantled in Romania. Lucien was kind enough to point to the DIICOT press release from December 14th.

A Google-translated version of the press release can be found here. For those who prefer to read their own Romanian, see here: DIICOT Press Release.

DIICOT is the Directorate for Investigating Organized Crime and Terrorism, and they have been gaining a world-wide reputation for scooping up cyber criminals. Regular readers of this blog will know I am in the DIICOT Fan Club, as we've written about them on several previous occasions, including:

23SEP2010: eBay Spear Phisher Liviu Mihail Concioiu Arrested in Romania

12APR2010: Nicolae Popescu, Romanian hacker, at large!

06APR2010: 70 Romanian Phishers & Fraudsters Arrested

16JUL2008: 22 More Romanians meet the Long Arm of the Law


On 14DEC2010, there were 42 houses searched, with 31 in Constanta, 4 in Neamt, 3 in Brasov and others in Olt, Maramures, Cluj, and Dolj counties.

From Oct 2009 to Feb 2010, Cătălin Zlate is accused of running a team of over 50 individuals to commit computer crimes and to use fraudulent access to data to commit VOIP Fraud. Team members configured a VOIP client called "ZoIPer" to allow members to place Voice Over IP calls using fraudulently obtained credentials from other VOIP services. During the period Oct 2009 to Feb 2010, they generated 23,500 calls or 315,000 minutes of long distance charges, stealing from companies in Romania, South Africa, United Kingdom, Italy, and the United States.
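The fraud pattern described above (stolen VOIP credentials used from a softphone to pump long-distance minutes) leaves a recognizable trace in a carrier's call detail records. The following is an added example, not code from DIICOT or from this blog: it parses a handful of constructed CDR lines, summarizes each account's international minutes, source IPs and off-hours calls, and flags accounts that exceed assumed thresholds. The CDR layout, the home-country prefix (+40) and the thresholds are all assumptions.

```python
"""Flag SIP accounts whose call pattern looks like credential-abuse toll fraud.

Assumed CDR layout (one call per line, constructed sample data, not real):
    timestamp,account,destination_number,duration_seconds,source_ip
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample: ext-201 is a normal daytime user; ext-305 shows the
# classic abuse signature (many international calls, at night, from several
# unrelated source addresses). All numbers and addresses are made up.
SAMPLE_CDRS = """\
2010-02-01T09:11:05,ext-201,+40215550101,95,10.0.0.21
2010-02-01T10:40:12,ext-201,+40215550177,310,10.0.0.21
2010-02-01T14:02:44,ext-201,+442075550133,120,10.0.0.21
2010-02-01T01:03:10,ext-305,+27115550100,1800,203.0.113.9
2010-02-01T01:05:22,ext-305,+27115550121,1500,203.0.113.9
2010-02-01T02:17:40,ext-305,+12125550188,2400,198.51.100.4
2010-02-01T02:20:01,ext-305,+390655500199,900,198.51.100.4
2010-02-01T03:44:19,ext-305,+442075550190,1200,192.0.2.77
2010-02-01T03:50:55,ext-305,+27115550142,600,192.0.2.77
"""

HOME_PREFIX = "+40"        # assumed home country (Romania); other prefixes are international
NIGHT_HOURS = range(0, 6)  # assumed off-hours window for a business PBX


def parse_cdrs(text):
    """Turn the CSV-style CDR text into a list of dicts, one per call."""
    records = []
    for line in text.strip().splitlines():
        ts, account, dest, dur, ip = line.split(",")
        records.append({
            "time": datetime.fromisoformat(ts),
            "account": account,
            "dest": dest,
            "seconds": int(dur),
            "ip": ip,
        })
    return records


def summarize(records, home_prefix=HOME_PREFIX):
    """Aggregate per-account counters used for fraud scoring."""
    summary = defaultdict(lambda: {"calls": 0, "intl_seconds": 0,
                                   "ips": set(), "night_calls": 0})
    for r in records:
        acct = summary[r["account"]]
        acct["calls"] += 1
        acct["ips"].add(r["ip"])
        if not r["dest"].startswith(home_prefix):
            acct["intl_seconds"] += r["seconds"]
        if r["time"].hour in NIGHT_HOURS:
            acct["night_calls"] += 1
    return dict(summary)


def flag_accounts(summary, max_intl_minutes=60, max_ips=1, max_night_calls=5):
    """Return {account: [reasons]} for accounts breaching any assumed threshold.

    Thresholds are illustrative; in practice derive them from each account's
    own baseline (e.g. a rolling 30-day median) rather than fixed numbers.
    """
    flagged = {}
    for account, s in summary.items():
        reasons = []
        intl_minutes = s["intl_seconds"] / 60
        if intl_minutes > max_intl_minutes:
            reasons.append(f"{intl_minutes:.0f} international minutes in window")
        if len(s["ips"]) > max_ips:
            reasons.append(f"registered from {len(s['ips'])} distinct source IPs")
        if s["night_calls"] > max_night_calls:
            reasons.append(f"{s['night_calls']} calls during off-hours")
        if reasons:
            flagged[account] = reasons
    return flagged


if __name__ == "__main__":
    for account, reasons in flag_accounts(summarize(parse_cdrs(SAMPLE_CDRS))).items():
        print(account, "->", "; ".join(reasons))
```

A real deployment would run this over each account's hourly CDR batch and compare against that account's own history, which is how a sudden 315,000-minute surge like the one described above stands out long before the bill arrives.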

Zlate is no stranger to computer crime. He was actually arrested in 2009, and sentenced to 1.5 years in jail for phishing. Unfortunately, the court system in Romania allowed him to be released with a suspended sentence. While I believe Romania has some of the best investigators and some of the hardest working police officers, they also have one of the most corrupt court systems in Europe. All the police can do is keep doing their job, and pray for a change in the court system.

According to, Zlate used the handle "Roşcatu" and was involved in a phishing gang with Manuel Sorin Paun, AKA "Puia", Mangue Barry, AKA "Dumbo", and Bogdan Nistor, AKA "Bobo". The four received "suspended sentences" of 2.5 years, 1.5 years, 3 years, and 3 years respectively for phishing, creating fake ATM cards, and withdrawing money from ATMs using those cards. DIICOT has been following "Roşcatu"'s exploits since at least 2006. The news of their previous conviction made the Ziu Constanta back on November 20, 2009.

Zlate came back with a passion, founding a new business in March of 2010.

That's when things really got out of hand. Through a new fraud company called "Shadow Communication Company Ltd", from February through June 12, 2010, 1,541,187 fraudulent calls were made, running up 11,094,167 minutes of talk time! The defendants were selling these fraudulently obtained minutes at about a 90% discount. While the actual costs should have been more than 11 MILLION EUROS, they actually sold the minutes for just over 1 MILLION EUROS. (Hint: If your telephone company is named something like "Shadow Communications" or "League of Evil", perhaps you should consider switching to AT&T.)

Charges brought against the group include:

- Article 7, Paragraph 1.3 - membership and support of an organized criminal group
- Article 18 Section 2 letter b of law 39/2003 - Money laundering
- Article 23 Paragraph 1 letter a, b, & c of law 656/2002 - Wireless access to a computer system to obtain data by breaching security measures
- Article 42 Paragraph 2.3 of law 161/2003 - Possession of a computer program in order to commit offenses
- Article 49 of law 161/2003 - Causing a loss of property through the introduction of computer code in order to obtain benefit for oneself or another

42 people have been brought to Bucharest to be charged with these crimes.

Here's the DIICOT video of the arrests and seizures:

Hopefully, this time the criminals will actually serve time in prison!

Wednesday, December 15, 2010

Minipost: Operation: Payback origin

Yesterday in our story about Crowds, Mobs, and Anonymous, Internet Anarchy: Anonymous Crowds Flex their Muscles, we mentioned that Operation Payback started back in September. Here is the letter that was sent to the media on September 19th:

After seeing Salon's story A brief history of Operation: Payback, which lists November 29, 2010 as the starting date, we thought it especially important to point out that this is NOT the start. The adoption of Wikileaks was an expansion of a three month old campaign in an effort to legitimize and expand the number of attackers Anonymous had at their disposal. For more on that "crowd action" mindset, the reader is referred back to yesterday's blog post.

Some have been asking "how do you know this is 4chan related?" Again, we refer readers back to early posts by Anonymous.

"I know that many of you, many of you whom I have seen on 4chan over the years, have grown cynical of the usefulness of anons as an army, especially since the mess that was Chanology*."

One of the places this image was posted back on September 20th was a hacker website run by a South African hacker. To put the message into context, the post immediately before this one read:

Anonymous vs Aiplex, MPAA, RIAA
This is happening right now. Join if you can.
/join #savetpb

We're targeting all the sites mentioned in the topic, but Aiplex first.

For piracy, for freedom, for victory.

* - While Operation Payback began September 19th, Anonymous has been involved in DDOS protests since early 2008. (Project Chanology refers to the DDOS campaign that 4chan users waged against Scientology. The concept of that campaign was that because Scientology tried to remove all copies of a controversial Tom Cruise interview from the Internet, they were "censoring the Internet" and should be stopped. The campaign included DDOS attacks, fax campaigns, protests, and even an attempt to get the IRS to take away Scientology's tax exempt status. LOIC was one of their tools. Anonymous vs. Scientology ran "daily news" on YouTube documenting their in-person protests and raids. The same YouTube channel has been used for Anonymous messaging since at least April 20, 2008 (see: Reinstate Mark Bunker XENUTV1) and as recently as this week (see: Anonymous: Operation Leakspin).)

Chanology was covered by:

Dan Kaplan at SC Magazine: "DDOS Hack Attack Targets Church of Scientology" - Jan 28, 2008.

John Leyden at The Register: "Critics Split over DDOS attacks on Scientology" - Jan 25, 2008. has the "" description of the project from July 2008, which showed substantial evolution from the original January 15, 2008 post archived here, by Encyclopedia Dramatica (caution, ED has crude and offensive messaging and is not 'work-friendly').

Monday, December 13, 2010

Internet Anarchy: Anonymous Crowds Flex their Muscles

One of the things I love about working in the UAB Computer Forensics Research Laboratory is having the opportunity to learn from professors from so many different specialty areas. In addition to the Computer Science professors who visit our lab for the weekly Spam Researchers Meeting, where we entertain guests from the Knowledge-Discovery & Data Mining Lab and the Artificial Intelligence Lab, I also get to work with criminologists, sociologists, and forensic chemists who make up the rest of our "CIS-JS Working Group." Last week I had the pleasure of visiting a DEA Drug Testing lab with my colleague Dr. Elizabeth Gardner. Today I was able to compare data mining techniques with a visiting Bioinformatics professor from Colorado State. But some of the times I learn the most are when I visit with my department chairs, Dr. Anthony Skjellum in Computer & Information Sciences and Dr. John Sloan from Justice Sciences.

A Sociologist looks at AnonOps

Like most Computer Security people, I've been following the Wikileaks responses from Anonymous with interest. As I've watched Anonymous recruit their activist army, I've been thinking more and more about lynch mobs, so I asked Dr. Sloan to come up to the lab and help me understand how mobs work. I made my best pitch to him, explaining how "AnonOps", as the Anonymous Operations group calls itself, calls to mind a mob that was a cross between the angry villagers storming Dr. Frankenstein's castle and childhood memories of Detroit fans burning cars in the streets.

Dr. Sloan explained that the public (like me) have a lot of misconceptions about mobs. He said what we are dealing with in the Anonymous DDOS attacks are actually instances of "Diffuse Crowds." In the case of Anonymous, Sloan says that "Convergence Theory" explains this type of crowd. It's not that a group of people spontaneously erupted into acts of cyber vandalism, but rather that people who share similar passions come together with an intention to "make a difference" but without a clear agenda on how to do so. Some of the people who come to these online gatherings are bystanders, some followers and some leaders, but these roles are not set in stone. When the crowd has gathered - in this case on an IRC channel - various members of the crowd propose courses of action. When one of the proposals is adopted by the group, that person, whether or not they intended to be, is suddenly, and perhaps only temporarily, a leader.

The earlier prominent theory of crowd behavior was called "Contagion Theory" and proposed that membership in a crowd results in "irrational, emotionally charged behavior."

My early suggestion to Dr. Sloan was that it was because of being Anonymous that the crowd was choosing to participate in DDOS attacks. Perhaps the leaders of the group also counted on that effect. Their instructions for how to volunteer your computer to participate in the DDOS attacks against Mastercard said "if you get caught, don't admit to anything and tell the authorities that your computer must have a virus!" The belief of the general public is that mob behavior, such as that which led to race riots and lynchings in previous generations, counts on the anonymity and the irrational frenzy of the mob for its success.

Crowds that take action are "Expressive Crowds" or "Mobs" if those expressions lean towards violence towards a target or "Riots" if those expressions lean towards generalized violence and lawlessness. Expressive Crowds gather around strong emotions, such as joy, excitement, anger, or fear.

Dr. Sloan said that while Convergence Theory also holds that groups come together around strongly felt emotions, such groups should be seen as "rational", with individuals understanding their decisions and acting by choice, not due to some "mass hysteria" or "frenzy."

Expressive Crowds in Cyberspace

As we look at previous expressive crowds that turned towards cyber attacks in the past we see that this seems to be a correct characterization.

In 2008, when Russia invaded the area of Georgia known as South Ossetia, the interest was nationalism. As online chatrooms and forums discussed the rightness of the Russian cause, the idea was planted and began to spread that individuals could help with a DDOS against Georgian government and media computers.

August 19, 2008 - Evidence that Georgia DDOS Attacks are Populist in Nature

In 2009, when the Iranian government cracked down on the process of a free election, Facebook and Twitter users colored their profile pictures green to show solidarity with the oppressed voters. As more Twitter followers started watching the "#IranElection" hashtag, some began providing information on how to DDOS the Iranian government. The number of participants in the group grew, with some reading the tags (bystanders), some choosing passive signs of response (green profile pictures), and some choosing active measures (DDOS Attacks).

June 16, 2009 - Armchair Cyberwarriors: Twitter and #IranElection

This past summer Islamic activists, already in chat rooms and forums to communicate about proselytizing the Islamic way of life in the west, began sharing information on how to attack Facebook by downloading an attack tool.

June 1, 2010 - Virtual Jihad Against Facebook

Anonymous and Operation Payback

Operation Payback takes its name, and its tactics from a company that claims to have been contracted by the Motion Picture industry to shut down websites that are trading in pirated movies. Girish Kumar, the managing director of Aiplex Software, explains that the Film industry hires cyber hitmen to take down internet pirates. He claimed that his company is hired "to launch cyber attacks on sites hosting pirated movies that don't respond to copyright infringement notices sent to them by the film industry."

The die was cast in September 2010 when Aiplex pointed its attention at the greatest source of pirated movies on the internet, The Pirate Bay. In response, one of the /b/rothers from 4chan pointed a botnet under his own control at Aiplex, taking the company's website offline while other members of the channel were still talking about the best way to do so.

Almost immediately, the 4chan buzz began looking for a new target. TechCrunch ran a story that contained the original call to arms:

How fast you are in such a short time! Aiplex, the bastard hired gun that DDoS’d TPB (The Pirate Bay), is already down! Rejoice, /b/rothers, even if it was at the hands of a single anon that it was done, even if ahead of schedule. now we have our lasers primed, but what do we target now?

We target the bastard group that has thus far led this charge against our websites, like The Pirate Bay. We target MPAA.ORG! The IP is designated at “″, and our firing time remains THE SAME. All details are just as before, but we have reaimed our crosshairs on this much larger target. We have the manpower, we have the botnets, it’s time we do to them what they keep doing to us.


(The original Anonymous image, according to's Anonymous entry)

They were able to knock offline, at least temporarily, the Recording Industry Association of America and the Motion Picture Association of America. Later in the month, the Low Orbit Ion Cannon, or LOIC as the chosen 4chan attack tool is called, was pointed at AFACT - the Australian Federation Against Copyright Theft. Nearly 8,000 other websites were casualties of that attack, which overwhelmed the hosting platform. Many major organizations that deal with copyright and the protection of intellectual property have been attacked as part of Operation Payback at one time or another, including:
AIPlex Software
Davenport Lyons
Australian Federation Against Copyright Theft
DC Legal
Ministry of Sound
Ministerio de Cultura (Spain)
Sociedad General de Autores y Editores
Federation of the Italian Music Industry (FIMI)
United Kingdom Intellectual Property Office
Associação do Comércio Audiovisual de Portugal
Gene Simmons (Finland)
US Copyright Office
Irish National Federation Against Copyright Theft
Warner Brothers

Anonymous went after RIAA again in late October after the RIAA achieved a court order to terminate the LimeWire file sharing network.

Wikileaks and AnonOps

While a group may have leaders of the moment, there are permanent roles assigned by the "true" leaders of AnonOps, as well as "talent-based" roles. As AnonOps tries to move through its paces, it needs developers to improve and modify its attack tools, graphic artists to create its images, video editors to create its YouTube videos, and network designers to help it build stable infrastructure.

But mostly, it needs a cause that the public supports. Those causes go back to the basic emotions upon which Diffuse Crowds converge. Wikileaks stirred up the passion of the press and the public as it began releasing revelation after revelation.

AnonOps recognized such an opportunity with Wikileaks. While the early "Operation Payback" was exactly what it said: "You DDOSed our website, so we are DDOSing your website" the new act is to convince the public that this was all about Internet Censorship from the beginning. "We fight censorship and stand up for truth" is a much more stable platform upon which to base a group, as opposed to the original "We pirate movies and break the law."

However, breaking the law, and getting away with it, is a great attractor of media. Dr. Sloan explained that this reminded him of the 1960s Vietnam War protests on college campuses. The more the media covered the protests, the more likely it was that your neighborhood college campus was going to have a protest.

Cyber attacks => Media Coverage => New like-minded individuals "converge" into the group => New skills and ideas => New missions and leadership

Exit Strategy

The question that is yet to be determined is, has the AnonOps group reached a stable form? It is clear that the illegal activity is getting out of hand, and threatening the existence of their group. This weekend's attacks on Paypal, Mastercard, and Visa demonstrated the group's online power, and attracted more hackers. The targeting this evening was sporadic and approaching "riot" stage as various participants shouted out target names in the AnonOps chatrooms and watched as they fell. Established leaders were shouting things like "WHAT ARE YOU DOING?!?!? WHY ARE YOU ATTACKING AIRLINES!?!?! WHAT DOES THAT HAVE TO DO WITH WIKILEAKS OR CENSORSHIP?!?!" Meanwhile,,,, and others all suffered brief outages.

Some of the leadership are attempting to distance themselves from the DDOS attacks and are encouraging an alternative approach of encouraging people to read the leaked cables and write about them as a way of "uncensoring" them. Others are encouraging a new form of cyber attack, asking members to DDOS companies that are found to have been involved in, or believed to be involved in, atrocious acts described in the classified cables. Recall from above that members are attracted to groups that share their same strongly held feelings and attitudes. When AnonOps revealed today that US taxpayer dollars were used by a defense contractor to pay for sex with young boys, they were playing perfectly to this theory of the crowd. EVERYONE would be outraged by some of these actions, if they occurred the way AnonOps describes them. That's a powerful tool for enlarging your group, and lowering the barrier to otherwise illegal action. It may be difficult to convince a member to DDOS their own credit card company, but the moral barrier to DDOSing "sex slave brokers", as one AnonOps post described the company, may be lower.

One attempt at legitimacy was to engage the Electronic Freedom Foundation. Leaders reasoned in the AnonOps chatrooms that a partnership with EFF would bring legitimacy to their cause, and EFF responded positively to the approach with their new Say No To Online Censorship campaign.

The new campaign within AnonOps uses the name "" which comes from a George Orwell quote:

“During times of universal deceit, telling the truth becomes a revolutionary act” - George Orwell

I guess my big takeaway from my discussions with Dr. Sloan was the new sociological theories on crowds and gatherings. Crowds can be rational. And, according to one Sociology text:

...Crowds themselves do not impair judgment. The actions of individuals at gatherings also illustrate that individuals remain independent, sometimes responding to solicitations, sometimes ignoring them, sometimes interacting with their subgroup, and sometimes acting spontaneously.

I hope the members of Anonymous will remember that while they are Anonymous, they are also individuals, and responsible for their individual behavior and decisions.

Monday, December 06, 2010

Wikileaks: Lessons Learned

I've spent the past couple of days in our nation's capital, and it seems that everywhere I go, someone wants to know what I think of the Wikileaks scandal. I'll tell you at the end of this article. First, I want to talk about what we should LEARN from Wikileaks. When I worked more actively in Critical Infrastructure Protection, there was a saying I heard from time to time that the problem with most Crisis Events is that we don't learn from them. To rectify this failure to learn, the Department of Homeland Security even created the "Lessons Learned Information Sharing" site. Perhaps my exposure to DHS as a then-member of the Energy Sector has taught me to look for Lessons Learned as the silver lining to every dark cloud.

So what is the major Lesson Learned in the Wikileaks situation?

It has to do with information classification, access control, and monitoring. We'll go over those lessons learned, but first, here's a bit of background on what happened.


In the case of PFC Bradley Manning, here was a young man with a very important job. As an Intelligence Analyst, it was important that Manning have access to everything he needed to do his job. In the post-9/11 Kumbaya world of Information Sharing, that pretty much gives counter-terrorism warriors carte blanche. The information access level for people like this may be "If he needs it, give it to him, if you don't, the next 9/11 will be on your head!"

Like Katharine Gun, the UK GCHQ intel analyst who decided to leak information about wiretaps at the UN prior to the Iraq invasion, Manning was an analyst who did not understand the chain of command. In Gun's situation, she became aware of cables which implicated the United States in the tapping of communications of United Nations personnel prior to the Iraq invasion. Gun determined that it would be a noble and responsible thing to ignore all of her oaths and orders and, rather than sharing her concerns with her supervisors, smuggled this information out of GCHQ and leaked it to the press. It's a growing trend among Intelligence Analysts who determine they are in possession of information that the public has a "Right to Know," and Gun received the "Sam Adams Associates for Integrity in Intelligence" award for her actions. (Sam Adams was an information leaker during the Vietnam War.)

Bradley Manning became a ten-minute celebrity back in May for choosing to put his job on the line for a statement of his principles. He chose an act of civil disobedience, in the form of leaking a video of a helicopter gunship attack in Iraq where US forces fired on and killed Reuters news service photographer Namir Noor-Eldeen, 22, and his driver, 40-year-old Saeed Chmagh. Manning seemed to believe passionately that the US army had attempted to cover up their responsibility for the deaths, and decided to risk his job and his freedom to reveal this video. He was identified as a "whistle-blower" in the news. While I strongly disagree with his decision, that is an act of civil disobedience, and a "whistle-blower" action, where a particular individual, possessing access to evidence of what they believe is an act of wrong-doing, "blows the whistle," understanding that there may be consequences for their action and choosing to accept the risk. I do not condone his actions in any way.

World-Wide Anarchy

To clarify, this attitude and action has absolutely nothing to do with the current Wikileaks crisis.

As reported in WIRED Magazine, the new hero of the left had no such intentions in mind when he then determined to leak 260,000 classified documents. He states his intention clearly:

“Everywhere there’s a U.S. post, there’s a diplomatic scandal that will be revealed,” Manning wrote. “It’s open diplomacy. World-wide anarchy in CSV format. It’s Climategate with a global scope, and breathtaking depth. It’s beautiful, and horrifying.”

So, was the goal of the "big data dump" to help reduce future civilian casualties? No. The stated goal was "world-wide anarchy."

According to the same article, Manning had access to "two classified networks from two separate secured laptops: SIPRNET, the Secret-level network used by the Department of Defense and the State Department, and the Joint Worldwide Intelligence Communications System which serves both agencies at the Top Secret/SCI level."

According to the same WIRED story, he boasted to celebrity hacker and information leaker Adrian Lamo:

“I would come in with music on a CD-RW labeled with something like ‘Lady Gaga,’ erase the music then write a compressed split file,” he wrote. “No one suspected a thing and, odds are, they never will.”

“[I] listened and lip-synced to Lady Gaga’s ‘Telephone’ while exfiltrating possibly the largest data spillage in American history,” he added later. ”Weak servers, weak logging, weak physical security, weak counter-intelligence, inattentive signal analysis … a perfect storm.”
(source: WIRED: ThreatLevel)

While Manning apparently thought he would find a kindred spirit in Adrian Lamo, Lamo knows the difference between information disclosure and treason. It's curious that the New York Times seems to consider Manning a patriotic hero and is certainly selling a lot of papers based on his leaked information. Especially curious when you consider that when Adrian Lamo accessed confidential data at the New York Times back in 2002, the response was not to celebrate the glorious freedom of information, but rather to file charges against Lamo, leaving him facing up to five years in prison (although in the end he received house arrest, limited access to computers, and an order to pay restitution). Lamo told the Washington Post that he agonized over the decision, but he turned Manning in.

Lessons Learned: #1 -- Classification vs. Categorization

I'm going to imagine a slightly oversimplified classification system for a moment, to make our illustrations easier. Let's imagine that the classifications in our system are Unclassified, Secret, Top Secret, and (Collateral / SCI / SAP). The last one is actually not a "classification" but rather means "super secret Need-To-Know." SCI means "Sensitive Compartmented Information" and SAP means "Special Access Programs." We'll imagine for the moment that they both mean simply "Need to Know."

Now, consider various types of information to which a government employee may have access.

It seems that in the environment in which Manning was working, as long as he held an appropriate clearance for the information, he was able to access the information. Imagine an information access chart then that looks like this:

Imagine this information request:

What level of classification does this diplomatic cable have?
"Top Secret"
Does the requester have Top Secret clearance?
Permission granted.

What failure has occurred? A failure in ACCESS MONITORING. Manning was attempting to access information for which he had an appropriate clearance, but information which was in an inappropriate CATEGORY for him.

The same challenge is present in many other workplaces where sensitive information can be found. Consider for example the categories of interest in a hospital or healthcare environment:

Although I've never been in a hospital where things are marked "SECRET" and "TOP SECRET", let's use those as an analogy to the sensitivity of data. Perhaps an unclassified Personnel fact would be that Joe works in radiology. A Top Secret Personnel fact may be that Joe has three DUIs in the past year and has to take a breathalyzer test each shift before reporting for duty. An unclassified patient billing fact may be that office visits cost $175. A Top Secret billing fact may be the credit card number of the patient. An unclassified payroll fact may be that Tom is in a minimum wage job. A Secret payroll fact may be that Tom's wages are being garnished for child support.

While HIPAA makes it clear that only certain personnel are supposed to see certain records, how is this monitored within your organization?

A more appropriate monitoring situation for PFC Manning may have looked like this:

In a system like this, an auditing record is recorded for review whenever someone accesses Secret or Top Secret information that is outside of their assigned categories of responsibility. With this monitoring system, Manning would still be allowed access to Secret documents in other categories, but these would be flagged for a potential review because of the mismatch with his job description.

Here's a similar chart for a HealthCare environment:

Many of my students are surprised that in my own lab, I do not have "Administrator" access to the workstations! I don't want it! I gave it back! We have an IT staff who is responsible for the creation and maintenance of access permissions, and for the installation of software and documenting its licenses and controls. Because I am not a part of that group, and don't know their methods, I choose to not have that access.

Lessons Learned #2: Volume of Data Flow

The other red flag is the volume of information being extracted. As repeated requests for information IN ANY CATEGORY are made, the volume of requests should be used to determine if a more urgent review is needed. For example, if someone is working in the Iraq war theater, it would make sense for many requests to be made related to that category of information. Occasional requests in other categories may also not be alarming. However, if you saw a large number of requests in a category for which this person does not have a job responsibility match, those should sound a more urgent alarm.


We can agree to disagree on whether Manning is a Patriot, an Anarchist, or a Traitor, but the important outcome of any event of this nature is that we document our Lessons Learned.

Consider your own Information Collection in your workplace.

What are the "Categories of Information" and how is access to those categories assigned?

Within each area what are the "Sensitivity Levels" or "Classification" of that data?

What is a "reasonable volume" for accessing data in each of those categories and classes?

Perhaps most importantly, who is in charge of monitoring access to those categories of information, and how are "alarms" set when a category, class, or volume condition is reached?
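To make the two lessons concrete, here is an added example (my own illustration, not anything from the DoD environment or any real audit system) of the monitoring described above: a clearance gate, followed by a category check that lets a Secret-or-above read proceed but writes an audit flag when the category does not match the person's assigned responsibilities, and a sliding-window volume alarm that fires when flagged reads in one window reach a threshold. The users, categories, audit-line format, 15-minute window and threshold of 3 are all constructed for the example.

```python
"""Category-aware access monitoring with a volume alarm (illustrative, constructed data)."""
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Deliberately oversimplified sensitivity levels, in increasing order, as in the post.
LEVELS = {"UNCLASSIFIED": 0, "SECRET": 1, "TOP_SECRET": 2}


@dataclass(frozen=True)
class Subject:
    user: str
    clearance: str          # highest level the person is cleared for
    categories: frozenset   # categories that match the person's job responsibility


@dataclass(frozen=True)
class Access:
    ts: datetime
    user: str
    level: str
    category: str
    doc: str


def parse_line(line: str) -> Access:
    """Parse one constructed audit line: '<iso-timestamp> user=.. level=.. cat=.. doc=..'."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return Access(datetime.fromisoformat(ts), kv["user"], kv["level"], kv["cat"], kv["doc"])


def decide(subject: Subject, access: Access) -> str:
    """Clearance gate first, then the category check.

    DENY  : level exceeds clearance (the only gate the post says was effectively in place)
    ALLOW : within clearance and within assigned categories, or unclassified data
    AUDIT : within clearance, but SECRET-or-above data outside the assigned categories;
            access still proceeds, and a review record is written
    """
    if LEVELS[access.level] > LEVELS[subject.clearance]:
        return "DENY"
    if LEVELS[access.level] >= LEVELS["SECRET"] and access.category not in subject.categories:
        return "AUDIT"
    return "ALLOW"


def monitor(subjects, lines, window=timedelta(minutes=15), threshold=3):
    """Return (decisions, alarms).

    decisions: list of (doc, decision) in timestamp order.
    alarms: list of (user, ts, doc, count), raised whenever the number of AUDIT-flagged
            reads by that user inside the trailing `window` reaches `threshold`.
    """
    by_user = {s.user: s for s in subjects}
    events = sorted((parse_line(l) for l in lines), key=lambda a: a.ts)
    decisions, alarms = [], []
    recent = {u: deque() for u in by_user}   # timestamps of flagged reads, per user
    for a in events:
        d = decide(by_user[a.user], a)
        decisions.append((a.doc, d))
        if d != "AUDIT":
            continue
        q = recent[a.user]
        q.append(a.ts)
        while q and a.ts - q[0] > window:   # drop flagged reads that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            alarms.append((a.user, a.ts, a.doc, len(q)))
    return decisions, alarms


# Constructed subjects and audit lines; none of this is from a real system.
SUBJECTS = [
    Subject("analyst", "TOP_SECRET", frozenset({"IRAQ_THEATER"})),
    Subject("clerk", "SECRET", frozenset({"DIPLOMATIC"})),
]
SAMPLE_LOG = [
    "2010-05-01T09:00:00 user=analyst level=SECRET cat=IRAQ_THEATER doc=sigact-1",
    "2010-05-01T09:05:00 user=analyst level=UNCLASSIFIED cat=DIPLOMATIC doc=press-1",
    "2010-05-01T09:10:00 user=analyst level=SECRET cat=DIPLOMATIC doc=cable-1",
    "2010-05-01T09:12:00 user=analyst level=SECRET cat=DIPLOMATIC doc=cable-2",
    "2010-05-01T09:13:00 user=analyst level=TOP_SECRET cat=DIPLOMATIC doc=cable-3",
    "2010-05-01T09:14:00 user=analyst level=SECRET cat=DIPLOMATIC doc=cable-4",
    "2010-05-01T09:20:00 user=clerk level=TOP_SECRET cat=DIPLOMATIC doc=cable-3",
    "2010-05-01T10:30:00 user=analyst level=SECRET cat=DIPLOMATIC doc=cable-5",
]


def run_sample():
    return monitor(SUBJECTS, SAMPLE_LOG)


if __name__ == "__main__":
    decisions, alarms = run_sample()
    for doc, d in decisions:
        print(f"{d:5} {doc}")
    for user, ts, doc, n in alarms:
        print(f"ALARM {user} {ts:%H:%M} {doc}: {n} out-of-category reads in window")
```

The analyst's in-category read and the unclassified read are allowed without comment; the clerk's Top Secret request is refused outright by the clearance gate; the four diplomatic-cable reads in five minutes are each allowed but flagged, and the third and fourth trip the volume alarm. The lone flagged read at 10:30 does not, because the earlier ones have aged out of the window. The window and threshold are the "reasonable volume" numbers the checklist above asks you to decide for each category and class.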

Thursday, December 02, 2010

Oleg Nikolaenko, Mega-D Botmaster to Stand Trial

According to Milwaukee's Journal Sentinel one of the largest spam senders in the world is sitting in a cell in Milwaukee awaiting his first court appearance on Friday, where he will be charged with being one of the greatest spammers in the world.

The case being heard, in the Eastern District of Wisconsin (2:2010-cr-00246), charges Oleg Nikolaenko, born July 17, 1987, with violations of 18 U.S.C. §§ 1037(a)(3) and 2.

According to the 13-page criminal complaint, the defendant, beginning in January 2007, violated CAN-SPAM in a maximum way. The first charge against him was CAN-SPAM violations:

the defendant knowingly, in and affecting interstate commerce, materially falsified header information in multiple commercial electronic mail messages transmitted in furtherance of the offense exceeded 2,500 during a 24-hour period, 25,000 during a 30-day period, and 250,000 during a 1-year period, to wit, the defendants altered the header information of spam e-mails that they transmitted via the Internet to disguise the e-mails' true origin, in violation of 18 USC § 1037(a)(3)

Yeah, 10 billion per day is greater than 2,500. 8-)

The second charge brought in the complaint, by Special Agent Brett Banner of the Federal Bureau of Investigation, is that he shipped bogus drugs, failing to ship what was ordered. In other words, Mail Fraud.

Count two says:

On or about November 2, 2009, for the purpose of executing a scheme to defraud by failing to send purchased prescription drugs, the defendant knowingly caused to be sent and delivered by the Postal Service, the following matter: a package from Herbal Health Fulfillment House, 6 University Dr., Ste. 206-273, Amherst, MA 01002, containing 60 pills of "VPXL -#1 Dietary Supplement for Men", to an address in Milwaukee, State and Eastern District of Wisconsin, in Violation of 18 U.S.C. § 1341.

Oleg is messing with the wrong FBI Agent. Brett was the administrator of the Mid-Michigan Area Computer Crimes Task Force from June 2004 to September 2009. That would be Michigan, the state where Terrence Berg locked up spammers and threw away the key on behalf of the Department of Justice, until President Obama replaced him with Barbara McQuade. I can't imagine a better office to learn about fighting spam with the legal system! (Don't get me wrong, McQuade is hitting drugs, child porn, and mortgage fraud hard, and earning a great reputation as well. But Berg was an anti-spam crusader!)

Special Agent Banner reveals in his complaint that Oleg was shipping "billions of spam emails on behalf of Jody Smith, Lance Atkinson, and others who were selling counterfeit Rolexes, non-FDA approved herbal remedies, and counterfeit prescription medications."

The fingers started pointing to Oleg from some other cases. In August 2009, Jody M. Smith pled guilty to "conspiracy to traffic in counterfeit Rolex watches" in the Eastern District of Missouri. How much money was Smith making in the watch business? Let's just say that in the court documents he admitted to spending TWO MILLION DOLLARS just on spamming services! Smith's affiliate spamming organization was called "AffKing" and actually included quite a few other messages as well. Just at the Federal Trade Commission's Spam Fridge, they had received over 3 million spam emails that were associated with the AffKing case.

We blogged about the AffKing case back in October of 2008 with this story - SanCash (AffKing) taken down in New Zealand.

Atkinson had been charged as part of a case called "Global Web Promotions" back in 2004, which the April 24th FTC Press Release called "the first criminal action under CAN-SPAM." The FTC has the 25-page Judgement on their website.

According to the current criminal complaint, when Atkinson was being interviewed regarding his charges, he admitted posting messages on "a pro-spam Internet bulletin board" seeking help from spammers to promote his herbal pills. Atkinson says that the two largest spammers he met on that board were Russians who called themselves "Docent" and "Dem". He estimated that 80% of all of his drug sales came from spam-delivered advertisements.

The complaint further shows that according to "The Director of Malware Research at SecureWorks" most of the AffKing spam was being routed through a botnet, which SecureWorks named "Mega-D" back in 2008, and which they claimed accounted for 32% of all the spam on the planet, or more than ten billion spam messages per day.

Monitoring of Atkinson's ePassporte account revealed that from October 2006 to December 2007, he sent out over $1.8 Million in commission payments for items sold. Atkinson recalled that Docent used the ePassporte account name "Genbucks_dcent".

A subpoena served on ePassporte compelled them to reveal that Genbucks_dcent was Oleg Nikolaenko of 28/10 Spasskiy Proezd, Vidnoe 2, Russian Federation, with the email addresses and In a six month period in 2007, Lance Atkinson had paid Genbucks_dcent $464,967.12 for his spamming services.

Search warrants served on Google revealed that ddarwin and 4docent were sending and receiving emails from others about their spam, including "" (believed to belong to Lance Atkinson). The emails also had malware attached, which was analyzed by SecureWorks and determined to be part of the botnet family known as Mega-D.

In November of 2009, the security research company FireEye was able to take control of the Mega-D network, and was able to prove that 509,000 computers were infected with the spamming botnet software, including 136 computers located in the state of Wisconsin.

Another FBI Agent who was an investigator in parts of this case, Special Agent Jason Pleming, indicates that security research firm M86 Security informed him that a single infected computer on the Mega-D Botnet had been observed to send as many as 15,000 spam messages per hour.

A search of the U.S. State Department's visa applications indicated that Oleg Yegorovich Nikolaenko, with matching address, email address, and birthdate, received a traveler's visa to the United States and was in Los Angeles from July 17, 2009 to July 27, 2009. He was in the US again November 2, 2009 through November 6, 2009, staying in Las Vegas and logging in to his gmail accounts from an IP address at The Tower Hotel in Beverly Hills during that trip.

The FBI agents indicate that Nikolaenko had expected to stay in the US until November 11, 2009, but that he left early. They propose that this may have been to go home and deal with the fact that FireEye disabled the Mega-D Botnet that week! Although M86 indicates that Mega-D totally disappeared for a short time that month, by December 13, 2009 it was back to 17% of worldwide spam.

Acting as an undercover purchaser, Special Agent Pleming clicked an email which claimed to be from "Amazon, Ltd" and visited a website that described itself as "Canadian Pharmacy". He purchased one package of VPXL, one package of Viagra, and received as a bonus four additional "Viagra Professional" pills.

A package did arrive: Special Agent Pleming received his VPXL, but no Viagra pills at all.

Now it was time to wait. . . .

On October 30, 2010, Nikolaenko arrived in the United States at JFK airport, flew to Las Vegas, and checked in at the Bellagio hotel, to attend the "Specialty Equipment Market Association (SEMA)" car show in Las Vegas. (He attended the same car show the previous year.)

The complaint was presented to Magistrate Judge Aaron E Goodstein on November 3rd, and a warrant was issued for the arrest of Oleg Nikolaenko, who was taken into custody in Las Vegas the following day.

The CAN-SPAM charges for which he was arrested in Las Vegas had a potential sentence of 3 years in prison, a $250,000 fine, and 3 years supervised release.

Nikolaenko will be presented with all these charges in court tomorrow, December 3rd.

[Note: after completing this story, while Googling up some additional facts, I notice that Brian Krebs has already written about this. I'll share my interpretation anyway - but please do see Brian's story at Had I seen it first, I would have saved myself a few bucks on PACER! haha!]