Sunday, March 02, 2014

Cyberstar Revealed

In April 2006 I told an investor what I was seeing on the Internet.

He told me I was full of paranoid conspiracy theories and that I should write a blog.

So I did. This is my blog. I kept it anonymous because first of all I had no idea what I was doing when I started. Secondly, I feared repercussions on my puny web sites. And everyone acted like I was paranoid (including various boyfriends, friends and family) when I talked about it. So I didn't tell anyone. Since then history has proven much of my analysis to be correct, but I am still learning.

On the last day of 2013 I was accepted into the SANS Technology Institute Master of Science in Information Security Engineering program. To a security geek like me, this is very exciting because I've been following SANS for a long time.

Having never publicized my work in security, people probably wonder how and why I made the leap from back office software geek for a bank to information security. This blog may shed some light.

Although I never had a title with the word "security" in it, I was responsible for many customer web sites, server and data center operations while running a business. Over the years I started to see anomalies no one else seemed to notice. I became aware of the implications for security and researched network traffic to try to understand what I was seeing (and what everyone else was telling me to ignore).

My business started out with some guys hosting servers in their basement with a T1 line running into their house. I knew what a T1 line was and that it was big because I had previously worked as a telecommunications analyst for an oil company. I managed a project to install ISDN lines at 300 gas stations and managed the data related to all the telecommunications costs. I also had to set up video conferences through AT&T which was a royal pain in those days. It never worked.

After figuring out that running mail servers in my apartment and hosting web sites in a basement was not ideal, I moved the operations to a colocation facility where I was the one gaining access with a biometric reader to reboot servers, and hiring Cisco certified contractors to help me log in and update load balancers. Finally I opted for managed hosting facilities and email providers, which provided their own set of challenges. I've recently started exploring AWS (Amazon cloud) and am very impressed. If you see the challenges faced in this blog and you know how AWS works, you will understand why.

On a three-month hiatus to Australia I became obsessed with figuring out why I was getting 900 spam messages per day. I didn't believe it was all spam. I started analyzing and correlating email headers. I started noticing patterns - the same spam message was coming from different IP addresses at all kinds of companies - including HP and Microsoft. I started reporting this to these companies, but it did little good.

This led me to start following security blogs and research which led me to discover the workings of bot nets, organized crime rings and the involvement of governments in relation to all this traffic. My parents thought, "Our daughter has lost it..." when I told them about it.

While hosting an international hostel booking web site I uncovered strange network patterns that led me to believe my site was hacked. I was able to uncover and prove it was hacked, but instead of helping me my hosting company paid me to move to another. Later it was announced in the media that one of the largest numbers of servers ever compromised had been hacked by the same thing that hacked my server. It involved spewing stock spam and an embedded Kaspersky virus checker.

At this point I wrote a software firewall for my web sites which logged traffic in detail - the traffic you will find in this blog. Customers didn't understand it, however, because it was like the first email spam filters - people would freak out if something legitimate went to their spam folder. Now everyone is used to it. If someone couldn't get to the web site, people would immediately freak out, and it was too esoteric to explain to them what I was doing and why it mattered. I think now more people will understand.

In the end everyone started telling me I was paranoid. So I tried to forget about all this. I got busy with jobs and other things.

February 2014: I attend a SANS Technology Institute class on enterprise security. My instructor says:

"You are not qualified to work in information security until your friends and family think you are a paranoid freak."

This blog probably means I qualify.

And since most of the things I learned in that class back up my analysis, the traffic is old, and I'm finally getting the training to explain all the things I have been trying to figure out on my own...

I'll tell you who I am:

Teri Radichel
@teriradichel
http://radicalsoftware.com
http://webdatabaseprogrammer.com