A Canadian company plans to unveil a solar-powered laptop in Ghana next week and the device could find its way to North America, perhaps as a Chromebook, by the end of the year.
10 years ago, I had a life-altering work experience. I was on the team at Microsoft that was trying to solve 2 huge problems:
SAP's Business Objects BI (business intelligence) product line may soon begin receiving a visual overhaul based on a new "design language" or methodology called LAVA (Lightweight Applied Visual Analytics).
Some recent cases of news articles about same-sex marriage disappearing from the newspaper page on Facebook appear to have been caused by a bug and not a policy violation, the social network said.
University of Washington engineers have developed a way to communicate over short distances using devices that don't require batteries or transmit any signals.

We have used the term "internet background radiation" more than once to describe things like SSH scans.  Like cosmic background radiation, it's easy to consider it noise, but one can find signals buried within it, with enough time and filtering.  I wanted to take a look at our SSH scan data and see if we couldn't tease out anything useful or interesting.

First Visualization

I used the DShield API to pull this year's port 22 data (https://isc.sans.edu/api/ for more details on our API.)  Graphing out the targets and sources we see something, but it's not obvious what we're looking at.

Looking at the plot of targets over time, you can see how the description of "background radiation" applies.  The plot of sources looks more interesting.  It's the plot of the number of IPs seen scanning the internet on a given day.  It's likely influenced by the following forces:

  • Bad Guys compromising new boxes for scanning
  • Good Guys cleaning up systems
  • Environmental effects like backhoes and hurricanes isolating DShield sensors or scanning systems from the Internet.

Looking for Trends

One way to try and pull a signal out of what appears to be noise is to filter out the higher frequencies, or smooth plot out a bit.  I'm using a technique called exponential smoothing.  I briefly wrote about this last year and using it for monitoring your logs (https://isc.sans.edu/diary/Monitoring+your+Log+Monitoring+Process/12070)  The specific technique I use is described in Philipp Janert's "Data Analysis with Open Source Tools" pp86-89. (http://shop.oreilly.com/product/9780596802363.do)

Most of the models I've been recently making have a human, or business cycle to them and they're built longer-term aggregate predictions.  So I've been weighing them heavily towards historical behavior and using a period of 7 days so that I'm comparing Sundays to Sundays, and Wednesdays to Wednesdays.  You can see how the filter slowly ramps up, taking nearly two months' of samples before converging on the observed data points.  Also the spike on May 13, 2013 shows how this method can be sensitive outliers.

One of my assumptions in the model is that there's a weekly cycle hidden in there, which implies human-influence on the number of targets per day.  Given that we're dealing with automated processes running on computers, this assumption might not be such a good idea.


If a time-series has periodicity, it will show up when you look for autocorrelation (http://en.wikipedia.org/wiki/Autocorrelation)  For example, I used R (http://www.r-project.org/) to autocorrelate a sample of a known human-influenced process, the number of reported incidents a day.

Note the spikes on lag 7,14,21.  This is a strong indicator that a 7 day period is present.  Looking at the SSH scan data for autocorrelation looks less useful:

The target plot reinforces the classification of background noise.  The sources plot indicates a higher degree of self-similarity than I would expect.  You'd have to squint really hard and disbelieve some of the results to see the 7-day periodicity that I had in my initial assumption.

Markov Chain Monte Carlo Bayesian Methods

When I was reading through "Probabilistic Programming and Bayesian Methods for Hackers" (https://github.com/CamDavidsonPilon/Probabilistic-Programming-and-Bayesian-Methods-for-Hackers) I was very impressed by the first example and have been using that on my own data.  Having a tool that can answer the question "has there been a change in the behavior of this ____ and if so, what kind of change, and when did it happen?"

This technique will work when you're dealing with a phenomena that can be described with a Poisson distribution (http://en.wikipedia.org/wiki/Poisson_distribution).  Both the number of SSH-scan sources and the number of targets appear to satisfy the requirements.

So, has there been a change in the number of targets or sources in the past 30 days?

These plots show that according to multiple MCMC models the average number of SSH scan sources seen by DShield sensors per day dropped from a little under 600 to 400 per day.  Scan targets sees a similar drop 15 days ago (these were executed August 12th.)  An added benefit of any Bayesian method is that the answers are probability distributions so the confidence is built into the answer.

In these cases, the day of the change is fairly certain while the exact values are less so.  For sources you can see that the most common results were around 563 and 383.  For targets, you have to look really hard to see any curve and are left with the ranges, e.g. between 77000 and 77400 for the new average.

What this doesn't tell us is what was the cause of the change.  This method is useful for detecting the change, and if you're trying to measure the impact of known changes.  For example, if we were aware of a new effort to clean up a major botnet, or were trying to identify when a new botnet started scanning, this process may be valuable.


While the MCMC method allows us to analyze back, the exponential smoothing method allows us to synthesize forward.  So for fun, I'll predict that the total number of sources scanning TCP/22 between August 16 and August 29 will be 19963 +/- 1%

We can also use the output of the MCMC model to extrapolate a similar projection.  Using a 7-day and a 30-day observations to calculate our averages they project the following.


Method SSH scan source total for 14-days
Exponential Smoothing 19963
7-day average projection 7197
30-day average projection 7054

Check back in two weeks to see how wildly incorrect I am.


(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Microsoft Windows CVE-2013-3175 Remote Privilege Escalation Vulnerability
Linux Kernel 'perf_event.c' Local Privilege Escalation Vulnerability
Microsoft warned Windows XP customers that they face never-patched, never-dead "zero-day" vulnerabilities if they don't dump the 12-year-old operating system before its April 2014 retirement.
NASA's Voyager 1 has journeyed farther from Earth than any other man-made object, but there's a debate about exactly how far it's gone and whether it's actually left our solar system.
New York, the nation's third most populous state, has over 120,000 state employees spread across more than three dozen agencies. These agencies all run their own IT operations, but that is all going to change and for good reason.
An open-source project aims to give a rudimentary eye to robots with the help of a camera that can detect, identify and track the movement of specific objects.
Mozilla will launch Firefox for Microsoft's Windows 8 "Modern" user interface in mid-December, more than a year after the operating system's launch, according to the open-source developer's planning documents.
If true, reports that Nokia plans to release a tablet running Microsoft's failed Windows RT OS are "bizarre" and "highly surprising" according to analysts who think the company should focus on its struggling smartphone business.

On July 16th, 2013 Apache announced a vulnerability affecting Struts 2.0.0 through 2.3.15 (http://struts.apache.org/release/2.3.x/docs/s2-016.html) and recommended upgrading to (http://struts.apache.org/download.cgi#struts23151).

This week I began to receive reports of scanning and exploitation of this vulnerability.  The first recorded exploit attempt was found from July 17th.  A metasploit module was released July 24th.  On August 12th I received a bulletin detailing exploit attempts targeting this vulnerability.

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Cybercriminals were quick to integrate a newly released exploit for a Java vulnerability patched in June into a tool used to launch mass attacks against users, an independent malware researcher warned.
Multiple Vendor TCP Sequence Number Approximation Vulnerability

At least 100,000 Internet-connected servers sold by Dell, HP, and other large manufacturers contain hardware that is vulnerable to potent remote hack attacks that steal passwords and install malware on their host systems, researchers said.

The threat stems from baseboard management controllers that are embedded onto the motherboards of most servers. Widely known as BMCs, the microcontrollers allow administrators to monitor the physical status of large fleets of servers, including their temperatures, disk and memory performance, and fan speeds. But serious design flaws in the underlying intelligent platform management interface, or IPMI, make BMCs highly susceptible to hacks that can cascade throughout a network, according to a paper presented at this week's Usenix Workshop on Offensive Technologies.

Heightening the risk, a recent Internet scan detected at least 100,000 IPMI-enabled servers running on publicly accessible addresses, despite long-standing admonitions from security professionals never to do so.

Read 11 remaining paragraphs | Comments


phpFox Multiple SQL Injection Vulnerabilities
Ruby on Rails CVE-2013-1854 Remote Denial of Service Vulnerability
Ruby on Rails CVE-2013-1857 Cross Site Scripting Vulnerability
Microsoft condemned Google's decision to block the new Windows Phone YouTube app, accusing its rival of making excuses to keep the app from connecting to the popular social video service.
Nokia has started rolling out the Amber software update to its Lumia smartphones, which will allow users to take better pictures and get new camera apps.
Google said it will by default encrypt data warehoused in its Cloud Storage service.
The use of tools to detect malicious patterns in apps led Facebook to temporarily disable some legitimate third-party apps that integrate with the social networking website, it said Thursday.
Jobs, the feature-length movie starring Ashton Kutcher as the late Apple CEO Steve Jobs, will entertain Apple fans as much as it frustrates them with its dramatic reinterpretation of events.

Posted by InfoSec News on Aug 16


By Simon Sharwood
The Register
14th August 2013

The Australian Strategic Policy Institute (ASPI) has issued an "Agenda for
Change" (PDF) that suggests data retention is a necessary centrepiece of
Australia's future homeland security needs.

The document's introduction, penned by ASPI Chair Stephen Loosley, says...

Posted by InfoSec News on Aug 16


By Jacob Bunge
The Wall Street Journal
August 15, 2013

When prices on some U.S. stocks suddenly zoomed one day last month and
others unexpectedly plunged, stock-market officials set out to detect a
possible computer glitch or a trading algorithm run amok.

But after hastily comparing notes, exchange employees—who were
participating in a test of market defenses...

Posted by InfoSec News on Aug 16

Forwarded from: "Gregory W. MacPherson" <greg (at) constellationsecurity.com>

Bed to differ - ideally healthcare people should *not* need to be trained on
security. Ideally the security components of healthcare ought to be built so
that the users are PROHIBITED from performing actions that could compromise the
confidentiality, integrity, and availability of the secured data (and that
includes shoving a memory stick into a...
Joomla! 'media.php' Arbitrary File Upload Vulnerability
MiniWeb Directory Traversal and Arbitrary File Upload Vulnerabilities
Open-Xchange Security Advisory 2013-08-16
Update: Linksys EA2700, EA3500, E4200v2, EA4500 Unspecified unauthenticated remote access

Posted by InfoSec News on Aug 16


By Adrianne Jeffries
The Verge
August 14, 2013

It was a late night in May. Renderman, the computer hacker notorious for
discovering that outdated air traffic control software could be used to
reroute planes mid-flight, was feeling shitty. The stress of digging
himself out of debt he’d accumulated during years of underemployment was
compounded by the feeling of being...

Posted by InfoSec News on Aug 16


By Amber Corrin
Aug 12, 2013

The Defense Information Systems Agency is moving ahead with plans for an
analytical cloud environment focused on cybersecurity and cloud-based
enterprise services for Defense Department agencies.

DISA plans to launch an analytic cloud, dubbed Acropolis, to provide
situational awareness in cybersecurity, which will hinge on the use of big

Posted by InfoSec News on Aug 16


By John P. Mello, Jr.
CSO Online
August 15, 2013

Growing awareness of cyber threats and reporting requirements by
regulators are driving a newfound interest in insurance products covering
data breaches and other computing risks.

Almost a third of companies (31 percent) already have cyber insurance
policies, and more than half (57 percent) that...
Photo Transfer Upload v1.0 iOS - Multiple Vulnerabilities
Copy to WebDAV v1.1 iOS - Multiple Web Vulnerabilities
Internet Storm Center Infocon Status