Security Documents

Sharing the Knowledge of other practitioners

If you are interested in publicizing your security whitepaper or other relevant documentation, please e-mail webmaster@issa-ottawa.ca.

Koobface botnet

From the people who discovered Ghostnet and Shadows in the Cloud comes their report on the Koobface botnet.

From April to November 2010, the Information Warfare Monitor investigated the operations and monetization strategies of the Koobface botnet. It focused on Koobface because of the botnet's notorious misuse of social networking platforms, which lets its operators exploit the trust users place both in those platforms and in the friends they communicate with through them.

"Koobface: Inside a Crimeware Network" details Koobface's propagation strategies, counter-security measures and business model. The report also addresses shortfalls in national and international responses to such crimes.

The main findings of the report are:

  • Koobface relies on a network of compromised servers that are used to relay connections from compromised computers to the Koobface command and control server. This creates a complex and tiered command and control infrastructure.

  • Koobface maintains a system that uses social networking platforms, such as Facebook, to send malicious links. Social networking platforms allow Koobface to exploit the trust that humans have in one another in order to trick users into installing malware and engaging in click fraud.

  • Koobface exists within a crime-friendly malware ecosystem that consists of buyers and sellers of the tools and infrastructure required to maintain a botnet. Koobface operators rely on relationships with other botnet operators and cybercriminals to sustain their operations.

  • The operators of Koobface have been able to successfully monetize their operations. Through the use of pay-per-click and pay-per-install affiliate programs and forcing compromised computers to install malicious software and engage in click fraud, the Koobface operators earned over US$2 million between June 2009 and June 2010.

  • The operators of Koobface are employing technical countermeasures to ensure that the operations of the botnet remain undisrupted. The operators regularly monitor their malicious links to ensure that they have not been flagged as malicious.

  • Botnet operators benefit from the fact that their criminal acts spread across multiple jurisdictions. Issues of overlapping jurisdictions and international politics often complicate investigations and hinder law enforcement and takedown efforts. Furthermore, cross-border investigations are at times hampered by a lack of priority and willingness to respond. This is because criminal activity in any one jurisdiction appears minimal while in fact the sum of Koobface's criminal activities is significant.

Policy Government Security (PGS) Whitepaper

Cygnos IT Security has kindly made their whitepaper entitled "Canada's Policy on Government Security and Directive on Departmental Security Management" available to the ISSA Ottawa Chapter for publication.

This paper provides an analysis of the implications of Treasury Board's new Policy on Government Security (PGS) and Directive on Departmental Security Management (DSM), published earlier this year. This whitepaper also makes some recommendations on how departments can develop a strategy and action plan to support the policy.

  • Download the TBS documents: PGS and DSM
