Page 1:

Copyright 2005 InternetPerils, Inc.

© 2004 InternetPerils, Inc.

Visualization for Data Sharing

John S. Quarterman
InternetPerils
Jay Swofford
Jim Maloney
Corillian

19 April 2005
APWG London

Page 2:

Seeing the Undead

• BBC (22 March): U.K. leads world in zombie PCs
• Many of them used for phishing
• See the undead horde to help stop it.

Page 3:

The Ant Bed

• Destinations: Websense

Page 4:

The Ant Bed

• 49 phishing servers
• mostly found by Websense
• with routing paths to each
• Looks like an ant bed.
• For each ant we know:
  – address
  – domain name, where reverse DNS works
  – routing
  – likely geographical location
  – performance

Page 5:

Analyzing the Ant Bed

• Identify data sources and gather data
• Organize data in database
• Analyze data for patterns using
  – rules of behavior
  – visualization
  – data mining
• Enhance data in database from analysis
• Visualize and report results to stakeholders
• Use the above to prepare for next attack
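The six steps above, carried through end to end as an added example (this is editor-supplied code, not code from the talk or from InternetPerils). It stores per-ant routing records in an in-memory SQLite database, applies one rule of behavior from the later slides (destinations whose paths share the same last upstream routers belong together), writes the cluster back into the database, and produces the report rows. Assumptions: the destination addresses and domain names are the ones on the slides, except that 198.51.100.77 stands in for the unpublished address of charterone-information.net; the router names on the 65.75.176.120 path are the ones quoted on the slides; every other hop and every latency is constructed.

```python
"""Ant-bed pipeline: gather per-ant records, organise them in a database,
look for a pattern (destinations sharing their last upstream routers),
write the finding back, and report.  Added example; hop data is constructed."""
import sqlite3
from collections import defaultdict

# Constructed sample data (assumption).  Destination addresses and domain names
# are from the slides, except 198.51.100.77 standing in for the unpublished
# address of charterone-information.net.  Routers on the 65.75.176.120 path are
# the ones quoted on the slides; every other hop (RFC 5737 addresses, .example
# names) and every latency is made up.
SAMPLE_TRACES = {
    # dest_ip: (phish_domain, source, [(hop_ip, hop_rdns, rtt_ms), ...], dest_responded)
    "65.39.211.249": ("ebay.accountreturning.com", "Websense", [
        ("192.0.2.1", "gw.probe.example", 0.9),
        ("198.51.100.7", "core1.transit.example", 12.4),
        ("203.0.113.20", "edge2.van.peer1.example", 38.1),
        ("203.0.113.21", "dist1.van.peer1.example", 38.7)], True),
    "198.51.100.77": ("charterone-information.net", "Websense", [
        ("192.0.2.1", "gw.probe.example", 0.8),
        ("198.51.100.7", "core1.transit.example", 12.9),
        ("203.0.113.20", "edge2.van.peer1.example", 39.0),
        ("203.0.113.21", "dist1.van.peer1.example", 39.4)], True),
    "65.75.176.120": (None, "Websense", [
        ("192.0.2.1", "gw.probe.example", 0.9),
        ("198.51.100.9", "core3.transit.example", 20.2),
        ("64.125.30.94", "so-0-0-0.er10a.sjc.us.above.net", 25.5),
        ("64.154.102.5", "assertive.managed.com", 26.0)], False),
}

SCHEMA = """
CREATE TABLE phish_host (ip TEXT PRIMARY KEY, domain TEXT, source TEXT,
                         responded INTEGER, cluster TEXT);
CREATE TABLE hop (dest_ip TEXT, hop_no INTEGER, hop_ip TEXT, rdns TEXT, rtt_ms REAL);
"""


def load_traces(conn, traces):
    """Steps 1-2: gather the per-ant records and organise them in tables."""
    conn.executescript(SCHEMA)
    for dest_ip, (domain, source, hops, responded) in traces.items():
        conn.execute("INSERT INTO phish_host VALUES (?, ?, ?, ?, NULL)",
                     (dest_ip, domain, source, int(responded)))
        conn.executemany("INSERT INTO hop VALUES (?, ?, ?, ?, ?)",
                         [(dest_ip, n, ip, rdns, rtt)
                          for n, (ip, rdns, rtt) in enumerate(hops, 1)])
    conn.commit()


def shared_upstream(conn, last_n=2, min_dests=2):
    """Step 3, a rule of behaviour: routers within the last `last_n` hops of at
    least `min_dests` destinations.  Hops near the probe appear in every trace
    and carry no signal, so only the far end of each path counts."""
    rows = conn.execute("""
        SELECT h.hop_ip, h.rdns, h.dest_ip
        FROM hop h
        JOIN (SELECT dest_ip, MAX(hop_no) AS last_hop FROM hop GROUP BY dest_ip) m
          ON m.dest_ip = h.dest_ip
        WHERE h.hop_no > m.last_hop - ?""", (last_n,)).fetchall()
    dests_by_router, names = defaultdict(set), {}
    for hop_ip, rdns, dest_ip in rows:
        dests_by_router[hop_ip].add(dest_ip)
        names[hop_ip] = rdns
    return {names[ip]: sorted(d) for ip, d in dests_by_router.items()
            if len(d) >= min_dests}


def label_clusters(conn, shared):
    """Step 4: enhance the database with the finding.  Destinations that share
    the same set of upstream routers get one cluster id."""
    groups = sorted({tuple(d) for d in shared.values()})
    for n, dests in enumerate(groups, 1):
        for dest in dests:
            conn.execute("UPDATE phish_host SET cluster = ? WHERE ip = ?", (f"C{n}", dest))
    conn.commit()
    return {f"C{n}": list(d) for n, d in enumerate(groups, 1)}


def report(conn):
    """Step 5: one row per ant for the stakeholders, with its cluster if any."""
    return conn.execute("SELECT ip, domain, source, responded, cluster "
                        "FROM phish_host ORDER BY ip").fetchall()


def run(traces=SAMPLE_TRACES):
    conn = sqlite3.connect(":memory:")
    load_traces(conn, traces)
    shared = shared_upstream(conn)
    clusters = label_clusters(conn, shared)
    return shared, clusters, report(conn)


if __name__ == "__main__":
    shared, clusters, rows = run()
    for router, dests in shared.items():
        print(f"shared router {router}: {', '.join(dests)}")
    for row in rows:
        print(row)
```

Step 6 is the loop: the cluster column survives into the next attack's analysis, so a new ant landing behind an already-labelled router is recognised immediately. The two ebay.accountreturning.com and charterone-information.net paths land in one cluster; 65.75.176.120, whose last responding hops are shared with nobody, stays unlabelled.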

Page 6:

Zooming In

Page 7:

Zooming 7

Page 8:

Zooming 7

Zooming in on 65.39.211.249 (ebay.accountreturning.com)

The previous slide shows 7 hops out from the destination.

Page 9:

Zoomed

Page 10:

Zoomed

• Two phishing nodes connected very similarly
  – ebay.accountreturning.com
  – charterone-information.net
• That's interesting in itself
• Both connected via peer1.net
• and via routers in Vancouver
• Latencies from those routers to the destinations are low
• Probably in Canada, possibly Vancouver

Page 11:

Where in the World is 65.75.176.120?

Page 12:

Where in the World is 65.75.176.120?

• Destination didn't respond to probes
• Closest responding node: 64.154.102.5
• assertive.managed.com
• registered in San Diego, California
• next hop out: assertive.above.net
  – 64.125.30.94 so-0-0-0.er10a.sjc.us.above.net
  – 64.125.30.90 so-2-0-0.er10a.sjc.us.above.net
• Routing (the sjc location code in the router names) indicates near San Jose, California

Page 13:

Where in the World is 65.75.176.120?

• But the destination's netblock is registered to an individual in Ripley, Texas
• Destination didn't respond: no latency, so we can't tell whether it's in California or Texas
• Further examination could include:
  – Does the hosting company offer a distributed network?
  – Or only one hosting center, in California?
  – Are there other phishing nodes in the same center?

Page 14:

A Faked Domain

Page 15:

A Faked Domain

• 211.101.236.19 signin.ebay.com.sdll.us
• Domain name appears to be in the U.S.
• But SDLL is not a U.S. state code
• It's registered to someone in San Diego
• But its IP address is in China, probably Beijing
• on capitalnet.com.cn
• Nodes leading to it are also in China

Page 16:

FSTC Phases

• Financial Services Technology Consortium
• Counter-Phishing Initiative
• Phishing Phases:
  – Planning
  – Setup
  – Attack
  – Collection
  – Fraud
  – Post-Attack

Page 17:

Visualization and Pattern Matching for FSTC Phases

• Collect data, visualize, analyze, etc. for each phase and for connections between them, in order to:
  – help stop attacks
  – show how problems occurred
  – make problems visible for greater awareness

Page 18:

Contact Information

John Quarterman [email protected]

www.internetperils.com