Thursday, June 30, 2011

TDL-4 Botnet Statistics

Kasperksy Lab analysts Sergey Golovanov and Igor Soumenkov have just released some startling information about what they claim is the 'most indestructible' botnet ever discovered. It is a variant on the TDSS rootkit which first appeared in 2008, and has gone through numerous 'releases' including TDL-3 in 2010 and finally TDL-4 today. It is important to note that TDL-4 is used to describe both the botnet itself and the trojan rootkit malware which initially infects the host computer.

Key points
  • From January through to March of 2011, TDL-4 has infected 4,524,488 computers worldwide.
  • There are three command and control centers; in Moldova, Lithuania and USA.
  • It uses a custom encrypted communications protocol based on a public P2P (Peer to Peer) networking standard to communicate between itself, other infected members of the botnet and the command and control centre.
  • It includes a proxy server module which allows criminals to anonymously surf the internet using the infected PC's internet connection.
  • It can infect both 32-Bit and 64-Bit editions of Windows.
  • It removes other (competing) viruses and botnet malware from the infected machine, leaving itself access to more bandwidth and resources.
  • It inserts itself into the MBR (master boot record) of the infected PC, meaning it gets loaded before Windows and making it extremely difficult for anti-virus software to detect it.
  • Once installed, it systematically downloads and installs a growing list of 'add-on' malware programs (currently up to 30 and growing) including fake anti-virus software, adware and spambot applications.
  • Software to both scan for the TDL-4 infection and remove it is available from Kaspersky here.

Tuesday, June 28, 2011

The rise and rise of children's online gaming

Although only 11 years old, my son is a regular player on some online gaming sites that are designed for children. Currently his favourite is OG Planet's Lost Saga (actually designed probably for 12+), but before that he played other ones such as Club Penguin, Moshi Monsters, Super Smash Flash 2 and some other curiously popular games based on a physics simulator like Dan Ball's Dust. Lost Saga is the only one that runs as a full standalone application and requires a download and install. The others run inside the browser, some require Flash, and others are built using javascript or java.

The first game he ever played and one which he still enjoys is the magnificent, multi-player, educational maths game Mathletics, which was recommended by his school. When he plays this one he actually represents his school online, and the graphic that appears when starting a challenge shows the world map, and where his opponents are from.

It amazes me how he finds out about these games, which is simply through word of mouth - through friends at his school or older members of the family who recommend a game. A successful game can increase its popularity amazingly quickly. In the case of Moshi Monsters, according to its developer, UK-based Mind Candy, approximately half of all children in the 6-12 age group in the US, UK, New Zealand and Australia have played it. Their incredible online success has been followed up by merchandising in the 'real' world in the form of soft toys, books and trading cards. And as with most of these online games, Moshi Monsters is free to play, but there is an optional monthly subscription payment which improves the online game experience and generally results in some sort of higher status or better accessories. Whether this payment is necessary, I'd probably say just wait and see if your child is still playing the game in a months time before deciding whether its worth paying any fees.

Online gaming for children is something which parents need to keep control over and get involved in to ensure your child doesn't spend too much time in front of a computer. A recent campaign I've come across called Unplug+play recommends limiting your child's exposure to all forms of electronic entertainment (TV, Electronic games, Internet) to 2 hours per day ... definitely a worthwhile campaign and one which will benefit both children and parents.

Unplug+play recommends limiting your child's exposure to all forms
of electronic entertainment to no more than 2 hours per day.

Monday, June 27, 2011

Is Bitcoin mining wasting energy

Now this would make an awesome Bitcoin Mining Rig!
(Its actually just a nice looking steampunk case mod.)
In my view the Bitcoin mining system as it is now is a waste of time and energy, and also opens the system up to the exploitation of computer networks for monetary gain by criminals or other rouge individuals within an organisation. One way to address this would be to create a distributed computing style screen saver such as Folding@home which will perform the required computations on under-utilized computers, thereby not wasting any electricity in doing so. Also, the Bitcoins that get mined could be donated to a recognized charity. There’s already a project underway to donate mined Bitcoins to a list of Bitcoin-accepting charities. This way, people can be donating their computer  towards both securing the new currency and also giving a monetary donation. I’m sure this would have another added benefit of removing existing negative feelings towards Bitcoin mining and Bitcoin in general.

An actual Bitcoin mining rig, complete with liquid cooling.
This features 4 Radeon HD5870 cards, details here.
Further Reading:

Sunday, June 26, 2011

Bitcoin, the brave new currency

What is Bitcoin?

Bitcoin is a brand spanking new digital currency, designed to allow people to buy and sell without regulations imposed by (evil) banks, governments and corporations. It allows for anonymous, secure transactions which aren't tied to any individual’s or group’s identity. In true cyberpunk form, Bitcoin users have no need to trust any central authority; every aspect of the currency is secured through the use of strong cryptography. It is a dream come true for cypherpunks, hackers and criminal masterminds everywhere, and in its brief existence so far has garnered a massive amount of support.

Bitcoin was originally proposed as a theoretical design by mysterious computer scientist and software engineer Satoshi Nakamoto (a pseudonym), he basically set about to design a digital currency without central controls, and which is both secure and anonymous.

Double spending problem
The initial problem faced by all digital currencies is that of double-spending, since duplicating a digital file is as easy as copying a file on disk. This is a major problem with currency, since there must be a limited supply that has value. If you use a dollar at the supermarket in the morning, you can't expect to go out and spend the same dollar at a cafe in the afternoon. A failure to prevent double spending would make forgery of digital currency rampant, leading to an out of control inflation spiral, and eventually rendering the currency worthless.

The usual solution to the double-spending problem is the centralised approach of a trusted intermediary. PayPal makes sure that you can't spend the same dollars twice by deducting them from your account before they get added to someone else's account. Banks, Visa, MasterCard along with all payment processors do the same. However, this approach is one that Satoshi Nakamoto specifically tried to avoid in the design of Bitcoin. His idea was to rely on cryptography to create verifiable transaction records without the need to trust anyone in the system.

Digital cash
Below is a quote from the book The Ascent of Money: A Financial History of the World by British Historian and writer Niall Ferguson. It is particularly relevant to Bitcoin.

Today's electronic money can be moved from our employer, to our bank account, to our favourite retail outlets without ever physically materializing.

It is this 'virtual' money that now dominates what economists call the money supply. Cash in the hands of ordinary Americans accounts for just 11 percent of the monetary measure known as M2. The intangible character of most money today is perhaps the best evidence of its true nature. What the conquistadors failed to understand is that money is a matter of belief, even faith: belief in the person paying us; belief in the person issuing the money he uses or the institution that honours his cheques or transfers. Money is not metal. It is trust inscribed. And it does not seem to matter much where it is inscribed: on silver, on clay, on paper, on a liquid crystal display. Anything can serve as money, from the cowrie shells of the Maldives to the huge stone discs used on the Pacific islands of Yap.

And now, it seems, in this electronic age nothing can serve as money too.

Does Bitcoin make a good currency?
Below I have listed seven requirements for something to be regarded as a good medium of currency, along with how Bitcoin stacks up on each one.

1. Acceptability: will everyone accept it to purchase goods and services?
Like other fiat currencies such as the dollar, and even gold, Bitcoins are worth something only because everyone else thinks they are worth something and are willing to trade things for it. A loss of confidence in Bitcoin could severely affect its value and even drive it down into a death spiral until it’s completely worthless. Acceptability is a weak point with Bitcoin currently. Apart from a very small number of merchants accepting Bitcoins as payment for goods, there are several online Bitcoin markets which maintain a floating exchange rate against the USD. These have so far been shown to be susceptible to market manipulation, speculation and even unfortunately to being hacked, as in the case of Mt Gox recently. 

2. Durability: will is last a long time?
Bitcoin truly has an advantage here over physical money in the form of cash and/or bullion in that it only exists virtually, in the form of 1s and 0s (bytes). The electronic wallet file storing your private crypto-key (required for performing transactions) can be backed up ad infinitum, and thereby will never decay. 

3. Portability and Convenience: is it easy to carry around?
To trade your Bitcoins, you need to use a free “Bitcoin client” application, plus you need access to the internet. There are many versions of the client available for use on mobile devices like the iPhone and Android along with the official Bitcoin client, which runs on Windows, Linux and Max OS X. Because of this, one can see Bitcoin being ideal for both small and large payments and also being popular in the developing world, where access to reliable money transfer services may be limited.

4. Scarcity: is it scarce enough to be valuable?
The supply of Bitcoins increases at a predetermined rate, the details of which have been determined by the following method: “Blocks” of Bitcoins are created at a constant average rate, about 1 block every 10 minutes and since there is a set number of coins minted per block (currently 50 coins per block), the total money supply, too, increases at this steady rate. For now, this rate is 50 coins every 10 minutes, i.e. 300 coins every hour. But every four years this ‘minting’ rate falls by a half. So the rate will drop to 25 coins per block in 2013, to 12.5 coins in 2017, and so on, in a geometric series, until the total supply of Bitcoins plateaus at 21m or so around 2030. This could be seen as a way of rewarding the early adopters and founders of Bitcoin. It will also mean that in the long term Bitcoin, if it succeeds and is popular, will be deflationary - the purchasing power of 1 Bitcoin will increase over time - a good thing.

5. Divisibility: can it be divided into small units?
Bitcoin is truly in a league of its own here with divisibility all the way down from 1 BTC to the eighth decimal place, or 0.00000001 BTC which is known as 1 Satoshi (pronounced sa-toh-shee), in honour of the founder of Bitcoins.

6. Legal Tender: is it backed by a government?
Bitcoin is not backed by any laws and is not considered legal tender in any jurisdictions. This however hasn’t stopped other currencies from becoming hugely successful; albeit for a short period of time, e.g. remember tulips in 17th century Holland?

7. Intrinsic value
Gold and Silver have intrinsic value in that they can be made into physical jewellery that people actually desire. Bitcoins (and even dollars for that matter) have absolutely no intrinsic value. In theory if a run happened on Bitcoin their value could plummet to zero.

So what holds for the future of Bitcoin?
As a payment transfer system, Bitcoin is the first of its kind in being implemented as a secure, distributed, peer to peer (P2P) system with no central transaction log; the transaction logs being stored on each of its peers (nodes). In this task it has excelled and has already shown it is more than capable. 

In terms of being a fully fledged currency, for this it also requires a market, somewhere it can be given a hard value in terms of an existing currency. It’s on this side of the coin where Bitcoin has shown some failings so far, with the recent MtGox hack, and the subsequent freefall dive in value due to a large volume of trade. This demonstrates that even the most perfectly engineered cryptocurrency will still be affected by human factors such as exuberance, greed, doubt, loss of confidence, fear and panic. However, the strong cryptographic underpinnings of the Bitcoin system remain solidly in place, just as strong as ever and it will be very interesting to see what happens with Bitcoin over the next few months.

Bitcoin is a classic example of disruptive technology in the 21st century, building on advances of peer-to-peer distributed computing, the Internet, and cryptography. Although currently viewed as something of a novelty, no doubt government authorities would definitely take a bigger interest if trading volumes continue their upward march, if only to get their slice of the Bitcoin action.

Bitcoin currently has the first mover advantage in the peer to peer currency space. However since it is built on open source technology, it would be relatively easy for a competing digital currency to start up in parallel as direct competition. In fact if the history of Internet start-ups are anything to go by, we can expect a leaner, more efficient and stronger competitor to out-manoeuvre Bitcoin and to eventually take over the market, in the same way that Google took over the existing search market by doing search better than all the existing players.

Further Reading:

Saturday, June 25, 2011

How to choose a good password

Its a fallacy to think that a very strong password, like Qiu&^%3kk_3238enh, is a good password. The reason is that such a password is so hard to remember that people will invariably write it down or store it in a text file on their computer that is easily accessible (e.g. on the desktop). Its much better to have a combination of both easy to remember and one that is fairly strong, with at least a combination of upper and lowercase and some numbers or punctuation thrown in as well. Its notable that a lot of online banking systems actually don't allow any punctuation - the password must be fully alphanumeric only.

Here's four tips to help you make up a good password:
  • Make sure it is at least 8 characters in length.
  • Make sure it contains at least two numbers and a mix of upper and lower case.
  • Make sure it doesn't contain any words that would appear in the dictionary.
  • Use an easy to remember four word phrase and then use just the beginning two letters of each word in the phrase, plus a two digit number. E.g. the phrase "Easy Peasy Lemon Squeezy" can be converted into the password "EaPeLeSq88".
Once you've selected a good password remember to never reuse it again on another account, and to change it regularly, at least twice a year.

Lastly, don't even think about using a simple password, for anything, even for temporary logins. The reason is that there are a lot of very commonly used passwords and hackers know them already. Here below is the list of the most commonly used passwords of all time. One out of every 50 people have used one of these passwords, at one time or another! Apologies about the bad language here, but hey I didn't make these up! ;-)
  1. 123456
  2. password
  3. 12345678
  4. 1234
  5. pussy
  6. 12345
  7. dragon
  8. qwerty
  9. 696969
  10. mustang
  11. letmein
  12. baseball
  13. master
  14. michael
  15. football
  16. shadow
  17. monkey
  18. abc123
  19. pass
  20. fuckme
The full list of commonly used passwords, from 1 to 500 is listed here, including several more swearwords!

Further Reading:
Follow @dodgy_coder

Subscribe to posts via RSS

    Free online tool to find out if your email has been hacked

    Above: A screenshot from the website when I found out one of my emails had been hacked!
    And no, that's not my email address ;-)
    Australian security researcher Daniel Grzelak has built a cool website which lets you quickly check if any of your online account logins has been compromised by the recent hacks by groups such as LulzSec and Gnosis. The site is called No passwords are stored on the site, it is simply a free service which lets you find out if your email address has been compromised and whether you should change all the passwords that use that email address as a login.

    He has currently amassed a database containing only the emails of 13 recent hacking attacks, and this will be updated as more occur. If one of your emails has been hacked, you are given a message which tells you exactly when it occurred.  You can then look on the sources page of the website to find out details of which attack led to your password being stolen.

    After trying the website with all of my email addresses, I found to my horror that one actually had been hacked, and that it was due to the Attack on Gawker Media that happened back on December 12, 2010. Luckily I don't use the same password for any other of my online logins, so nothing bad came out of that particular hack. However plenty of people do use the same email login and password for many online accounts, and have been scammed. This is another reason to be vigilant when it comes to your password security.

    Further Reading:

    Follow @dodgy_coder

    Subscribe to posts via RSS

    Friday, June 17, 2011

    Anti Virus Software Rankings

    One of the essential pieces of software to install on any Windows PC is anti-virus software. Below find the ranked results of the latest independent tests from ...

    RankingProduct NameProtectionRepairUsabilityTotal
    1BitDefender: Internet Security Suite 2011645.515.5
    2F-Secure: Internet Security 20115.54.55.515.5
    3Symantec: Norton Internet Security 20115.554.515
    4Kaspersky: Internet Security 20115.54.5414
    5G Data: Internet Security 201154514
    6Panda: Internet Security 201154.54.514
    7AVG: Internet Security 10.0544.513.5
    8Sophos: Endpoint Security and Control 9.544513
    9Webroot: Internet Security Complete 7.04.55312.5
    10Trend Micro: Titanium Internet Security 20113.53.55.512.5
    11Eset: Smart Security 4.2345.512.5
    12Sunbelt: Vipre Antivirus Premium 4.035412
    13Avira: Premium Security Suite 10.043.5411.5
    14Avast: Free AntiVirus 5.0 and
    15MicroWorld: eScan Internet Security Suite 11.03.53511.5
    16Microsoft: Security Essentials
    17BullGuard: Internet Security 10.05.523.511
    18Comodo: Internet Security Premium 5.0 and 5.3433.510.5
    19PC Tools: Internet Security 201143.5310.5
    21CA: Internet Security Suite 201123.549.5
    20McAfee: Total Protection 2011323.58.5
    22Norman: Security Suite Pro 8.0332.58.5

    Above tests were carried out between January and March, 2011.

    Each score is out of 6 so the maximum total score for a product is 18. Interestingly, the people determine that a score of at least 11 is needed to pass their test, in other words the bottom 5 products here have failed and so could not be recommended, ouch!