
I was reading this story earlier today after a colleague shared it. I thought it was very interesting. The research company Renesys has recently disclosed their findings on something as interesting as it is concerning. For a few days, all the traffic coming from a list of some of the major cities in the US and around the world was routed over Belarus and Iceland. Renesys claims this was an attack and that the main goal was to scan, analyze and perhaps even store all the traffic to obtain who knows what.

In their data analysis they found highly interesting cases, like the one mentioned in the article. An email sent from Guadalajara in Mexico to DC was, at some intermediate step in Virginia, routed to Russia and then, after going through the potentially malicious route in Belarus, was routed back to the US via Frankfurt and New York. It seems that everything originated from an attack on the BGP routing tables (BGP hijacking).

All our communications are encrypted and secured and, unless you work in some top secret organization, there is nothing to worry about. But, still, this is quite worrying. I wonder what the motivation behind this attack was.

The report from Renesys presents more evidence from the subsequent attack that routed traffic over Iceland. This report, which you can find here, also discusses the implications of this attack.

When looking for a good link to refer readers to BGP hijacking information, I found this Defcon talk. Very interesting stuff.

I recently read a very interesting and detailed article that a colleague at work recommended. The article presents a very thorough overview of the latest revolution in consumer electronics combined with wireless communications: the Internet of Things (IoT).

The concept of the IoT defines a (near) future scenario where most (if not all) things in our physical world and lives will be interconnected with each other using all kinds of wireless protocols, such as WiFi, ZigBee, Z-Wave, etc. On top of this myriad of interconnected sensors and actuators, a new playground for developers and people with ideas will be ready for new services (and even entire businesses) to be created, all following a similar “mobile OS – app” scheme. And all these new services will be based, according to the article’s author, on simple “if – then” rules:

“If the sun hits your computer screen, then you lower a shade. If someone walks in the door, then you turn down your music. If there’s too much noise outside, then you close your window. If you have a Word document open but haven’t finished writing a sentence in 10 minutes, then you brew another pot of coffee.”

But all these cool new applications will result in new challenges. One of them (the main one, according to the author) will be battery and wireless charging technologies. Indeed, while semiconductor and transistor technology has evolved steadily following Moore’s law, battery technology has been pretty much stale (What time in the afternoon do you have to charge your smart-phone on a day you go to work? If it is after 4pm, I want to know what phone you have). There is a great need for better and longer lasting batteries for mobile devices, as well as some kind of technology that feeds itself wirelessly through the signals it receives. Something similar to an RFID tag. Perhaps some day the power consumption of electronic devices will be low enough to get them to charge the battery by means of the actual power the wireless signal carries. Until then, some proposals might help us along the way. For example, the wireless electric transmission proposed by the MIT start-up WiTricity.


I am a bit surprised that the author does not highlight more the security challenges that the IoT will bring to communication systems. I do not think that “[…] Just as with social networking, the privacy concerns of a sensor-connected world will be fast outweighed by the strange pleasures of residing in it”. I would definitely not feel comfortable at all with my garage door opening when my IoT hub at home, after receiving a message from my car’s geo-location system, sends an “open” command over Z-Wave… especially knowing that someone will show how to hack Z-Wave this summer at Blackhat. I agree with the author, however, on the fact that “[…] our recent hacking epidemic has largely exploited the human interface—the password. We’re always the weak link in online security […]”.

Anyhow, one thing I do know is that in the near future the IoT will change things and our day-to-day lives will look much like the movie Minority Report, with cereal boxes with displays and interactive commercials, personalized advertisements in the subway and smart stores.

Recently an anonymous “researcher” published online the results of what the author refers to as the “Internet Census 2012”. Although the method used to put together such a huge network analysis effort could be considered a bit unethical (infecting hundreds of thousands of connected devices), the results are rather interesting. Moreover, the author is releasing the entire data set obtained from this global IPv4 address space, which could greatly benefit future research. I am actually expecting a paper, some kind of analysis or at least references to this data set in the next Internet Measurement Conference.

As I was mentioning, this massive scan of the entire IPv4 address space was obtained by means of a massive botnet (the author refers to it as the Carna Botnet), which infected about 420,000 devices, including webcams, routers, and printers running on the Internet. The main vulnerability exploited was the fact that many Internet-connected devices use a default password or, often, no password at all. Although the author insists on this aspect, this is not a new result. It has been known for quite some time that a large number of connected devices are using default or no protection. Very interesting results on this were published by a team of researchers from Columbia University in their paper “A Quantitative Analysis of the Insecurity of Embedded Network Devices: Results of a Wide-Area Scan”, presented at ACSAC in 2010.

This story has been widely discussed in the media, with tons of articles and blog posts talking about it (including myself). For more details, I refer the readers to the CNet story or the paper released by the Carna Botnet itself.

From CNet:

Among the findings, the researcher found 52 billion ICMP (Internet Control Message Protocol) ping probes and 10.5 billion reverse DNS (domain name system) records. There were also 180 billion service probe records.

“This project is, to our knowledge, the largest and most comprehensive IPv4 census ever,” the researcher wrote. “With a growing number of IPv6 hosts on the Internet, 2012 may have been the last time a census like this was possible.”

As important as the census data might be to some, the research highlights a very important security concern: It appears quite easy for insecure devices to be compromised. And although in this case they were used for good, it wouldn’t be that difficult for someone to take a much more dangerous path.

It’s a potential for trouble that is quite far-reaching.

“As could be seen from the sample data,” the researcher wrote, “insecure devices are located basically everywhere on the Internet. They are not specific to one ISP or country. So the problem of default or empty passwords is an Internet and industry wide phenomenon.”

Everyone already knows what happened yesterday on the East Coast so I will not give many details. An earthquake, centered somewhere in Virginia, was felt all over the north-east coast of the US. The Capitol Building and the White House were evacuated in DC, people felt the tremor as far up as in Toronto and many people got quite scared in New York, especially the ones that work in a very tall building.

Related to that, this morning I was watching the “news” (if you can call the Good Morning NY shows a news show…) and one of the reporters explained something that was very interesting. His family lives in Virginia and his mom called him about the earthquake before it even hit New York. In a similar way, the tsunami of tweets and Facebook posts scattered across the East Coast way faster than the actual tremor.

A friend of mine posted an old XKCD comic that describes this interesting effect:

I have been thinking about two things:

  • Could we somehow use Twitter and other social media to alert citizens of upcoming disasters? Even better, could we use the combination (social network data + location data) to predict the trajectory of a disaster, its intensity gradient and other characteristics of the event to improve alert systems?
  • If there is ever a major disaster, what will people do? Run and then tweet? Tweet and then run? Tweet while running?

As a final comment I’d like to add that feeling an earthquake on a 25th floor of a tall New York building was very scary. It might have not been felt that much on the street level, but up there…

Well, I am back in New York, back to work and back to Soft Handover. I was gone for 10 marvelous days in my beloved (and best city in the world) Barcelona, and I just flew back.

The first thing I did upon my return was open all the windows in my apartment; it is so hot in NYC! The second thing I did was to shower, go grocery shopping and stop by my favorite neighborhood Chinese restaurant to pick up some General Tso Chicken with pork fried rice. Nothing better than greasy Chinese food for the post-flying headache and jet lag. And then, I sat on my couch to watch a movie before going to sleep. I streamed a Netflix movie.

This is why I was kind of surprised and concerned when I read this in the news: Netflix’s vanished Sony films are an ominous sign.

Movie streaming online is one of the hottest things in the Internet nowadays. Everyone is jumping into the business, and you all know what happens when the demand increases… prices do too. Movie studios are asking for humongous amounts of money to secure contracts to license their content to be streamed.

Netflix had been living in a dream world for a couple of years. They were the first and smartest ones, getting into the streaming business a couple of years ago. This way, they secured 4 to 5 year long contracts for decent amounts of money, like a deal with Warner Bros for $5 million to $10 million. However, to renew these contracts now will cost at least 10 times more. What will happen? First of all, I doubt we’ll still be able to enjoy as many movies as we do now for just $7. A sign of this change of things might be the disappearance of some big names from the Sony Pictures catalog, The Social Network and Salt among them – Angelina Jolie, I want to make here a public statement that I have had a crush on you since I was 18 –.

“Netflix has another year or two on most of these contracts, and then the game completely changes,” says Michael Pachter, analyst at Wedbush Securities.

Pachter predicts Netflix’s streaming content licensing costs will rise from $180 million in 2010 to a whopping $1.98 billion in 2012.

When streaming video was new, Netflix was able to secure contracts with the likes of Warner Bros. Studios and MTV to license big TV and film catalogues for about $5 million to $10 million per year. This time around, Pachter says, those costs could increase more than tenfold.

“The content owners realize they can’t give Netflix all the leverage,” he says. “Netflix had the power when they were the only bidder. But you don’t have as much leverage when you suddenly have competition.”

I guess that soon we’ll have to rely mostly on those red envelopes to watch movies. Oh well, I guess I am ok with that. Which reminds me that I still have Black Swan at home to watch.

Just a quick post to share this interesting news. Less than a year ago, illegal P2P traffic to download movies was the number 1 traffic source of the Internet. Months later, Netflix – that currently has 23.6 million customers in the US and Canada – is the biggest source of traffic of the Internet.

I will not say I am not contributing to that; I love Netflix! For a long time I’ve wanted to export the idea to Spain… but I think that too many people would “claim” that the movie was lost in the mailing process – not precisely because we have a bad postal service… – and it wouldn’t be profitable.

From USA Today:

Move over, Web surfing. Netflix movies now take up more of the Internet pipes going into North American homes.

A study published Tuesday by Sandvine Inc. shows that Netflix movies and TV shows account for nearly 30 percent of traffic into homes during peak evening hours, compared with less than 17 percent for Web browsing.

Only about a quarter of homes with broadband subscribe to Netflix, but watching movies and TV shows online takes up a lot of bandwidth compared with Web surfing, email and practically every other Internet activity except file sharing and videoconferencing.

As late as last year, both Web surfing and peer-to-peer file sharing — mainly the illegal trading of copyrighted movies — were each larger than Netflix’s traffic.

A colleague of mine is very busy lately. He and his colleagues/partners are closing quite a few deals with media companies and stores to launch brand new photo-sharing platforms. He is heading a team of Columbia Business School MBA graduates launching Olapic, a NYC-based start-up. From him I learned some news that took place yesterday and, given that right now (4/22/2011, 4:34pm) the website is not running, seems to be still happening.

A major Amazon data center located in northern Virginia started having problems yesterday, causing multiple East Coast-based start-ups to have connection problems or to simply be offline. Among the affected companies there was the aforementioned Olapic, as well as Reddit and Foursquare.

The Associated Press covered the news: struggled Friday morning to restore computers used by other major websites such as Reddit as an outage stretched beyond 24 hours.

The problems began at an Amazon data center near Dulles Airport outside Washington early Thursday. On Friday morning, Amazon’s status page said the recovery effort was making progress, but it couldn’t say when all affected computers would be restored.

Most of the sites that were brought down by the outage on Thursday were back up on Friday, but news-sharing site Reddit was still in “emergency read-only mode,” and smaller sites were still reporting trouble.

Location-sharing social network Foursquare and HootSuite, which lets users monitor Twitter and other social networks more easily, appeared to have recovered.

Many other companies that use Amazon Web Services, like Netflix Inc. and Zynga Inc., which runs Facebook games, were unscathed by the outage. Amazon has at least one other major U.S. data center that stayed up, in California.

I am not going to describe APTs in detail in this post. Neither will I analyze them. I just wanted to talk about this name that is appearing in the news recently due to the attacks on RSA, Epsilon and Google last year.

We are all familiar with the vulnerabilities of any kind of Internet-connected device. Nowadays one can be a hacker by downloading some tools from the Internet and starting to attack sites. There are tons of amateur hackers, because the tools are easy to access. I actually still remember as if it were yesterday when I downloaded a plug-in for mIRC that allowed me to throw flood attacks at whoever I wanted. So, if somebody was being very rude or annoying to me, I would drop their IRC connection by throwing that simple attack. I swear I only did that to people who were REALLY annoying or rude…

Anyhow, working at a security research center, I am learning many things about security and threats. There are hundreds of threats and vulnerabilities, and we all try to defend ourselves using anti-virus and such tools. And it works.

But lately there is a big concern in the community with APTs. These are extremely elaborate hacking attacks that are performed over a very long time span and involve not only hacking tools, malicious code, hidden rootkits and other complicated things, but also social engineering and patience, a lot of patience. And so far nobody really knows how to stop them – don’t worry, we are working on it! –. The latest example has been the recent attack on RSA, when attackers were able to steal large quantities of secret data. For the ones who do not know what RSA is, they are the ones who provide those funny key holders with a random number that changes constantly that gives important people access to important information – ok, not very accurate, but this is how I like to think about it… –. The Executive Chairman of RSA wrote an open letter explaining that the data extracted does not put current security systems at risk… but it is still kind of scary that it was precisely RSA that was the hacked company.

Another case has been in the news lately, where a company called Epsilon was the victim of one of these attacks and lots of data was extracted. Epsilon seems to be a kind of marketing company that deals with other companies’ mailing lists. Apparently, the only stolen data was a huge list of email addresses. You might have received an email recently from one of the affected companies – customers of Epsilon – informing you about the hack and trying to calm you down. But when a friend of mine got an email from Chase explaining that one of its customers that deals with Chase account holders’ data had been hacked, he freaked out. Other affected companies were BestBuy, Capital One, Citi Bank… You can read about this hack here.

Google was the victim of an APT a couple of years ago too. More info here.

So, make sure you have an anti-virus that is updated and do not ever click on links in emails that claim to come from your bank. And read about these topics; it is as interesting as it is scary.

I found out about this story yesterday while reading a paper from the proceedings of INFOCOM from a couple of years ago. Despite being an old movie, I thought it was very interesting and funny, so I am going to briefly share it here.

Alan Ralsky is a man from Michigan who, after his licenses to sell insurance were revoked in Michigan and Illinois in 1996, started making money by – literally – spamming people. According to multiple experts, Mr. Ralsky was – he is in jail now – one of the main sources of junk mail and spam in the world. He allegedly sent over 1 billion emails per day – 1 American billion, with 9 zeros, not one European billion with 12 zeros… this made me think that someday I should talk about the unit differences between America, UK and some others versus the rest of the world that uses the international system, and how once a joint NASA-ESA mission crashed a Mars-roamer against Mars due to a bad conversion –.

The funny part of the story comes when, in 2002, he gave an interview to the Detroit News. The interview was posted on Slashdot along with the address of his newly built home. Hundreds of Slashdot readers then searched the Internet for advertising mailing lists and free catalogs and signed him up for them. As a result, he was flooded with junk mail. In a Detroit Free Press article on December 6, 2002, he is quoted as saying “They’ve signed me up for every advertising campaign and mailing list there is. These people are out of their minds. They’re harassing me”.

Ironic and very funny. I would have done the same.

Yesterday will always be remembered as the day when the very last IP addresses were allocated. After a long time speculating about the arrival of this day, it is finally here. The last 32-bit IP addresses have just been allocated and now, no matter what, the step towards IPv6 has to be taken. No more IP addresses are up for grabs, and any future address property allocation requires either dividing what’s already allocated into smaller portions or trading existing properties.

This transition towards IPv6 is so important that many big names in the industry have decided to promote what is known as the IPv6 day. On June 8th 2011, these major companies – Google, Bing, Facebook, Yahoo!… – will offer content over IPv6 for a 24 hour test flight with the goal of motivating the industry to make the transition as soon as possible.

IPv6 will be a big step in networking, but it will also be the next step in wireless communications. After living through the times of the network of computers and having moved to the network of people, the next step is to move to the network of things, where everything will have an individual IP and be connected to the network. Vending machines automatically calling the headquarters asking for a restock, my fridge sending a message to my phone when I am back home reminding me that I am almost out of milk… More or less the same kind of vision that AT&T shows in their just released new commercial.

About me:

Born in Barcelona, moved to Los Angeles at age 24, ended up in NYC, where I enjoy life, tweet about music and work as a geek in security for wireless networks.
All the opinions expressed in this blog are my own and are not related to my employer.