Iraq War Logs no longer served by Amazon EC2

The Iraq War Logs site run by WikiLeaks has been showing some choppy performance since last weekend, when its remaining Amazon EC2 instance stopped responding to HTTP requests.

Over the past week, the DNS configuration for warlogs.wikileaks.org had been directing traffic to two IP addresses on a round robin basis. One of these IP addresses was at Octopuce in France, and successfully handled half of the HTTP requests sent to http://warlogs.wikileaks.org; however, the remaining 50% were directed towards an Amazon EC2 IP address in Ireland, which stopped accepting connections to port 80 last weekend.

WikiLeaks appeared to fix the DNS problem today (Friday) – warlogs.wikileaks.org is now being served from just a single IP address in France. This is in contrast to the situation a few weeks earlier, when the site was being served from as many as 5 IP addresses, presumably to make the site more resilient to attack and high demand.

WikiLeaks edges further away from the US

Not long after the Iraq War Logs website stopped being hosted on US servers, WikiLeaks' main website at wikileaks.org has followed suit.

Earlier this week, both sites were using US-based Amazon EC2 instances to serve their content. These servers have since been removed from their round-robin DNS setup, leaving only Irish and French servers to host the content for wikileaks.org and warlogs.wikileaks.org.

Earlier this morning, we also noticed a change in the DNS settings for wikileaks.org. The nameservers had been altered to point to Irish servers instead of US ones:

org.                    9316    IN      NS      c0.org.afilias-nst.info.
org.                    9316    IN      NS      d0.org.afilias-nst.org.
org.                    9316    IN      NS      a0.org.afilias-nst.info.
org.                    9316    IN      NS      a2.org.afilias-nst.info.
org.                    9316    IN      NS      b0.org.afilias-nst.org.
org.                    9316    IN      NS      b2.org.afilias-nst.org.

These nameservers are hosted in Canada by Afilias Canada Corp, which is a wholly owned subsidiary of Irish company Afilias. Such a change could help WikiLeaks stay out of reach of the US government. Afilias is responsible for a fair chunk of the internet — in 2001, they launched the top-level domain registry for .info, and now act as the service provider for the .org generic top-level domain on behalf of Public Interest Registry.

Both wikileaks.org and warlogs.wikileaks.org continue to share an Amazon EC2 instance in Ireland, and a French server hosted by Octopuce. At the time of publication, wikileaks.org had reverted back to its US-based nameservers at everydns.net.

WikiLeaks edges away from the US

WikiLeaks is no longer using US servers to deliver content for its Iraq War Logs site at warlogs.wikileaks.org.

Yesterday, two of the IP addresses used by the site belonged to Amazon EC2 instances in the United States, but these are no longer being used. Today, the Iraq War Logs site is only being served from two IP addresses; one in France and an EC2 instance in Ireland.


However, the main WikiLeaks site at wikileaks.org is still using a US-hosted EC2 instance. More interestingly, the DNS for wikileaks.org is also controlled by a US company:

wikileaks.org.          5160    IN      NS      ns4.everydns.net.
wikileaks.org.          5160    IN      NS      ns1.everydns.net.
wikileaks.org.          5160    IN      NS      ns2.everydns.net.
wikileaks.org.          5160    IN      NS      ns3.everydns.net.

In April 2010, EveryDNS was bought by the owners of DynDNS, which is well known for providing free dynamic DNS services.

WikiLeaks will have prepared for US intervention over the Iraq War Logs, which could explain why warlogs.wikileaks.org uses different nameservers, hosted in France:

;; ANSWER SECTION:
warlogs.wikileaks.org.  864     IN      A       91.194.60.32
warlogs.wikileaks.org.  864     IN      A       46.51.186.222

;; AUTHORITY SECTION:
warlogs.wikileaks.org.  864     IN      NS      gnou.octopuce.fr.
warlogs.wikileaks.org.  864     IN      NS      benedict.serverside.fr.
warlogs.wikileaks.org.  864     IN      NS      ns2.octopuce.fr.

The short TTL (time to live) on warlogs.wikileaks.org is typical of any site that may need to change its location in a hurry, and is reminiscent of the actions carried out by Microsoft in 2004 after they anticipated www.microsoft.com being attacked by the "MyDoom.B" virus. SCO also made a similar change, setting their TTL as low as 60 seconds. The 15 minute TTL on warlogs.wikileaks.org allows WikiLeaks to change the site's location relatively quickly, should any of the hosting locations be attacked or taken down. Netcraft has not seen the site suffering any outages yet.
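As an added illustration (not part of the original Netcraft post), the following Python parses dig output in the layout quoted above and works out what the round-robin setup described earlier means in practice: the share of clients sent to an unresponsive member, and how long cached records can outlive a DNS fix given the TTL. The sample dig text is constructed from the records shown above, and the set of unresponsive members is an assumed input rather than the result of a live probe.

```python
import re
from dataclasses import dataclass

# Constructed sample laid out like the dig output quoted above.
DIG_OUTPUT = """\
;; ANSWER SECTION:
warlogs.wikileaks.org.  864     IN      A       91.194.60.32
warlogs.wikileaks.org.  864     IN      A       46.51.186.222

;; AUTHORITY SECTION:
warlogs.wikileaks.org.  864     IN      NS      gnou.octopuce.fr.
warlogs.wikileaks.org.  864     IN      NS      benedict.serverside.fr.
warlogs.wikileaks.org.  864     IN      NS      ns2.octopuce.fr.
"""

@dataclass
class Record:
    name: str
    ttl: int
    rtype: str
    rdata: str

def parse_dig(text):
    """Group dig output into {'ANSWER': [Record], 'AUTHORITY': [Record]}."""
    sections, current = {}, None
    for line in text.splitlines():
        header = re.match(r";;\s+(\w+) SECTION:", line)
        if header:
            current = header.group(1)
            sections[current] = []
        elif line.strip() and not line.startswith(";") and current:
            name, ttl, _cls, rtype, rdata = line.split(None, 4)
            sections[current].append(Record(name, int(ttl), rtype, rdata))
    return sections

def round_robin_exposure(sections, unresponsive):
    """Share of clients sent to a dead member, and how long a DNS fix takes to
    reach everyone (resolvers keep the old set until the TTL expires).
    `unresponsive` is an assumed input, e.g. members failing a port-80 probe."""
    a_records = [r for r in sections.get("ANSWER", []) if r.rtype == "A"]
    ips = [r.rdata for r in a_records]
    dead = [ip for ip in ips if ip in unresponsive]
    return {"members": ips,
            "failing_share": len(dead) / len(ips),
            "max_stale_minutes": round(max(r.ttl for r in a_records) / 60, 1)}

def nameserver_tlds(sections):
    """Top-level domains of the NS hosts: a rough where-is-DNS-controlled check."""
    return {r.rdata.rstrip(".").rsplit(".", 1)[-1]
            for r in sections.get("AUTHORITY", []) if r.rtype == "NS"}
```

With one of the two A records marked unresponsive, the result reproduces the situation described at the top of the page: half of all clients fail, and a corrected DNS answer can take up to 14.4 minutes to reach every resolver.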

Nonetheless, WikiLeaks' hosting is not as bulletproof as some make out. Besides the US-based nameservers used by wikileaks.org, another potential weakness for all sites under the wikileaks.org domain could be the choice of domain name registrar: Dynadot LLC is a US company and thus has to consider US law as well as ICANN regulations.

This could suggest that the US government is reluctant to disrupt access to warlogs.wikileaks.org, even though they appear to be capable of doing so.

Symantec buys large share of SSL market

Symantec has agreed to acquire VeriSign's Identity and Authentication business for an aggregate purchase price of $1.28 billion. It had previously looked as though Symantec was setting itself up to become a direct competitor of VeriSign following its recent acquisition of PGP Corporation, which also has trusted root certificates in browsers through its own acquisition of TC TrustCenter.

Symantec's acquisition will include VeriSign's SSL and trust services. Netcraft's most recent SSL survey shows that VeriSign is the largest SSL certificate authority, with around half a million valid and distinct SSL certificates in use on the web, giving it a market share of 38%.

[Figure: Overall growth trend in the SSL certificate market (all companies)]

The widespread use of VeriSign certificates is also evident from handling more than 2 billion Online Certificate Status Protocol lookups in a single day last month, less than a year after hitting 1 billion per day. These OCSP checks allow web browsers to determine whether a certificate has been revoked.

In recent years, VeriSign has been keen to evangelise Extended Validation SSL certificates. These certificates cause the browser's address bar to turn green, which indicates to a customer that the identity of a site has been authenticated according to the most rigorous industry standard.

VeriSign holds a significant 71% share of the Extended Validation market. Although this market itself only accounts for 1.5% of all SSL certificates, it has typically been a high value market, with VeriSign currently selling individual certificates from $995 for 1 year.

Symantec's announcement cites $408 million revenue for VeriSign's business during the twelve months leading up to the end of March, much of which is likely to have come from SSL certificate sales alone.

Despite several other companies selling Extended Validation certificates at lower prices, VeriSign's market share has only fallen by 2 percentage points over the past 12 months. However, competitor Go Daddy's aggressive new pricing of $99.99 earlier this year has already resulted in a noticeable growth increase at Go Daddy over the past few months.

Symantec recently acquired PGP Corporation for approximately $300 million. PGP had previously made its own agreements to acquire the privately-held TC TrustCenter, along with its parent company, ChosenSecurity. PGP now sells organization validated, wildcard and extended validation certificates under the PGP TrustCenter brand.

The SSL certificate market continues to thrive, with our last SSL survey finding a total of 1.3 million distinct valid third-party SSL certificates.

Inside a 419 scam site

Most of us have received a 419 scam in our mailbox at some time or another. Forming part of what is also known as an advance-fee fraud, these emails typically ask the recipient for their help in transferring a large amount of money from a foreign bank account. In return for their assistance, the recipient is purportedly allowed to keep a significant cut of the proceeds.

There are often some inventive background stories behind the origin of monies — some may involve a government or bank employee who is aware of a large amount of unclaimed money that they themselves cannot access directly. Other common ruses are wealthy foreigners dying in a plane crash shortly after depositing lots of money in a bank, or even a dictator who has built up a fortune in stolen assets.

Most of us are wise enough to ignore these emails; indeed, many are filtered away as spam before they even get a chance to be read. But what happens when someone falls for this first part of a 419 scam? After the victim responds to the fraudster, how does he prove that the money really exists?

In the case of the fictitious bank employee and his bank's unclaimed fortune, one obvious 'proof' is to supply the unwitting victim with the online banking username and password. The victim can then log in to the online banking site and verify that there is, apparently, a lot of money in the pot.

Of course, the online banking site is entirely fake and does not contain any real money; nor does it really allow the money to be transferred to other bank accounts.

A closer look at a real scam site

Every now and then, we stumble upon a scam site that reveals more information than the fraudster intended. Sometimes this is caused by a configuration oversight, but more often than not, this is simply caused by limitations in the free hosting platform or compromised web space selected by the fraudster.

The Asterx Standard Bank is well documented as a 419 scam site. One of its many instantiations was placed onto a free 50webs hosting account, but the fraudster forgot to create an index page. If it wasn't already obvious from the poor web design effort, this makes it rather obvious that the site is fake:

[Screenshot: 419-index.png]

Each webpage on this 419 site is a static HTML file, several of which display fake account details. None of these pages requires authentication, which is clearly something to be suspicious of.

This is the page that the fraudster really wanted you to see, of course:

[Screenshot: 419-login.png]

To add a bit of credibility to the fake login page, it even produces a popup window, warning the victim about identity theft:

[Screenshot: 419-popup.png]

After logging in with the top-secret credentials supplied to you by the fraudster (which are of course unnecessary — any username and password will let you in), the account status page shows that the bank account does indeed contain a very healthy balance! Also note the unauthorised use of the VeriSign logo, in an attempt to add some further credibility to the fraudulent site:

[Screenshot: 419-accountstatus.png]

By this stage, the fraudster hopes you'll be totally convinced that the money is real. Perhaps convinced enough to transfer the money to your own bank account within 24 hours:

[Screenshot: 419-transfer.png]

Naturally, transferring such a large amount of money can take a while. This is an ideal moment to slip in a progress bar:

[Screenshot: 419-processing.png]

Even the most gullible victim would probably wait for the money to arrive in their account before forwarding a percentage of it on to the fraudster, so how does the fraudster expect to make money?

The fake online banking application informs the victim that the account is on "de-active" mode, and a "Presidential Clean Source of Funds Clearance" is required in order to reactivate the account and have full access to transfer funds:

[Screenshot: 419-accepted.png]

Undoubtedly, the fraudster will be able to offer the necessary funds clearance document — in exchange for an advance fee, of course. Although this fee may seem very small in comparison to the 8 million dollars at stake, the prospect of getting access to those 8 million dollars could very well blinker a victim into going along with the whole implausible scheme. This is likely to result in the loss of their advance fee, and perhaps anything else the fraudster can coax out of them.

Koala loses a little karma with Ubuntu.com

Ubuntu.com was unavailable for some short periods during yesterday's release of Ubuntu 9.10 "Karmic Koala":

[Chart: Ubuntu.com uptime during Ubuntu 9.10 release day]

The 9.10 versions of Kubuntu, Xubuntu, Edubuntu, Mythbuntu, and Ubuntu Studio were also released at the same time.

The Ubuntu.com website is itself powered by an Ubuntu server running Apache 2.2.8. Netcraft's October Web Server Survey found a total of 1.4 million websites being served from known Ubuntu machines, nearly all of which were running the open source Apache web server.