Botnet Expert Wants 'Special Ops' Security Teams
CWmike writes "Criminal cybergangs must be harried, hounded and hunted until they're driven out of business, a noted botnet researcher said as he prepared to pitch a new anti-malware strategy at the RSA Conference in SF. 'We need a new approach to fighting cybercrime,' said Joe Stewart, director of SecureWorks' counterthreat unit. 'What we're doing now is not making a significant dent.' He said teams of paid security researchers should set up like a police department's major crimes unit or a military special operations team, perhaps infiltrating the botnet group and employing a spectrum of disruptive tactics. Stewart cited last November's takedown of McColo as one success story. Another is the Conficker Working Group. 'Criminals are operating with the same risk-effort-reward model of legitimate businesses,' said Stewart. 'If we really want to dissuade them, we have to attack all three of those. Only then can we disrupt their business.'"
A more simple solution... (Score:3, Insightful)
Re:A more simple solution... (Score:4, Insightful)
Re:A more simple solution... (Score:5, Funny)
We get Dick Cheney to run the computer security task force, give him no oversight and a redacted budget. Then tell him there's oil in the Internet.
I guarantee, all your regulatory problems will mysteriously vanish, just like all of the(*)#(*)@R_ *CARRIER LOST*
Re: (Score:3, Interesting)
Problem is there aren't any innocent people to sue for infringements, so the government won't give it a high priority.
Re: (Score:2)
Re: (Score:2, Insightful)
Re: (Score:3, Funny)
This still doesn't address drive by exploits, XSS, SQL injections,
True, but I think we could take care of the last one by prohibiting people from taking any legal name that includes the string "); Drop Table"
Re: (Score:1)
Re: (Score:2)
Nah. Sometimes I think a two-pronged brute force attack would work best.
Prong 1, make it uncomfortable / undesirable to want to be on the sending/selling end of the spam economy. This addresses the issue of "We can't prosecute them because they're in a foreign country and besides, another one would just pop up anyways". Take a REAL task force, and send them into that country. Hunt down the operators. Bomb their facility, destroy their equipment, then shoot each one, and leave the bodies as a warning. Th
Well (Score:5, Insightful)
If user education was going to work, it would have worked by now.
~ Anti-virus researcher Vesselin Bontchev
Re: (Score:3, Informative)
Why the hell are quotations not shown in the preview line of comments?
That having said, please excuse the reply to my own posting.
Re: (Score:2)
Re: (Score:2)
When we start aggressively educating people, and THAT fails, then
Re: (Score:1)
Re: (Score:2)
Like I mention in a lower reply, if people want to be ignorant and think that someone will always make it good again, that's their problem, not mine.
Re: (Score:2)
I honestly don't believe that is true. Education only works if the effects are both of import to the people involved and they understand what is at stake.
You *may* be able to educate the general public into taking certain steps to protect their online identity, but taking steps to prevent botnets, which is a problem that most people don't understand and which usually does not directly impact them, is likely to be a losing battle. There is not enough understanding, and even if they are infected, remote use
Re: (Score:3, Informative)
I've cleaned a couple of computers of malware where the owners didn't know they had malware installed... but complained that their internet connection was slow, and blamed their new ISP. When I opened a traffic monitor and took some measurements I realized that even idle the computer was maxing the available bandwidth.
Networking is being seamlessly and transparently integrated in the computer... where I think a different approach should be taken. People need to have more direct and present feedback of p
Re:A more simple solution... (Score:5, Insightful)
Any solution that relies on people not being lazy morons is never going to work.
Re: (Score:2)
Re: (Score:2)
If a bank gets robbed by masked gunmen, is it 'their problem' or everyone's problem? I'd say the effects are on everyone, so it's everyone's problem and society should do something about it (i.e. hiring police to go get them).
Re: (Score:2)
It gets to be your problem when all the bullshit traffic from such botnets impedes your own traffic, or manages to target you or your destination.
It would be your problem then.
Re: (Score:2)
Why not just force everyone to upgrade to Windows 7 and reformat? ;)
Re: (Score:2)
That postpones the problem 'til they hit the internet for the first time. Malware writers will have a field day, hunting to be the first to infect and keep the competing herders out of their new turf.
Basically, you're building a new home for the nuisance. Essentially, you're burning down a house infested by termites, then you build a new one, on the same ground, made from the same untreated wood.
Re: (Score:2)
I feel that W7 (and the lack of IE6) no longer makes W7 a wooden house (although IE8 sucks). I look at it as burning down all of the unpatched wooden XP homes and building new W7 aluminum homes on top of it. Sure, the termites may come back and learn to like aluminum, but it would take them out of their comfort zone.
If W7 ships with some forms of protection already embedded (that actually works), suggesting users to upgrade might be the best solution we have for the "click on the flashing ad" masses. If only
Re: (Score:2)
He did say reformat AFTER upgrading to Windows 7.
Seriously though, even if Windows 7 was the most secure OS out there, undereducated users are the problem. Not enough people are afraid to install any old thing they find on the internet. Even without standard exploits, trojans work because the user chooses to install them. There is no way to stop that is with user education or by preventing users from installing anything other than vetted software. Most users are too lazy for the former and Microsoft cannot
Re: (Score:2)
There is no way to stop that is with user education or by preventing users from installing anything other than vetted software.
Massive brain fart while typing that sentence. Should read "The only way to stop that is with..."
Time for more coffee.
Re: (Score:2)
Allow me to say it again in this thread (no, not because I usually get informative mods for it, but because it is true and catchy, use it when appropriate), security is the minimum of a system's abilities and its admin's abilities. Not the average. The minimum. You can be the top security guru and cannot secure a hopelessly insecure system. Likewise, a completely secure system is worthless with an admin that allows anything to run with maximum privileges.
There are now essentially two ways to make the admin
Re: (Score:2)
It's not a witch hunt, and cyber criminals and botnet admins deserve what they get. Users are people and people have all sorts of failings. Protecting them is a good thing, and there is no cogent defense for these people. Shake down rackets, ponzi schemes, and other schemes are just as evil.
So are the people that make rotten, buggy operating systems and apps.
Hackers I can believe in.
Botnet cowboys deserve as Johnny Carson might say, early transmission failure.
Re: (Score:2)
A scammer is a scammer, whether they are running back-alley games of 3 card Monte or are distributing applications loaded with spyware or other malware. Just because it is ignorance causing people to fall for these scams does not mean the scammers should get away with it.
One might as well say that they shouldn't go after people that rob houses because the houses should have had better locks.
Re: (Score:3, Insightful)
Re: (Score:2)
This will work if, and only, absolutely only if, users become liable for their computer's actions. Not any moment sooner.
My computer participates in a DDoS? Do I care, as long as I have sufficient bandwidth to surf and mail? My computer sends out spam mail, do I care as long as I don't end up on every blacklist I want to mail to. My computer collects my data and I get bombarded by targeted spam, do I care? I have a good spamfilter...
People are, if anything, lazy. Yes, some want to be educated, but their num
Re: (Score:1)
Re: (Score:1)
Finally! (Score:5, Funny)
Re: (Score:1)
Re: (Score:2)
HEY! Damn you and your stereotypes, we're not all fat, cheeto munching attic-dwellers with pale skin, the love life of a hermit and only get a high when we crack open some botnet and infiltrate it!
Some of us, like me, prefer nachos!
Re: (Score:2)
Oh, no - not another nacho vs. cheeto flame war! :-(.
War on Botnets(R) (Score:1)
Do we really need another "War on X"?
ISPs (Score:3, Interesting)
Re:ISPs (Score:5, Interesting)
Re: (Score:3, Interesting)
Re: (Score:2)
If an email vanishes and nobody is there to read it before it is gone, did it make a "you got mail" sound?
A bot that intercepts all traffic between your mail program and your mail provider can easily filter out the relevant mails before the client is even notified of their existence.
Re: (Score:3, Insightful)
Not if they charge per email sent... like .0001 cent... it still adds up enough to let someone know they are infected, and with a cap at $100/month, this will avoid a user falling off his chair, but make it evident enough to do something about it before next month.
As for the culprits, $100 per month for spamming might not be much, but then you have a paper trail which could be used to track activity for particular botnets.
Re:ISPs (Score:5, Insightful)
If they start doing that, then botnet writers will have an incentive to have their rootkits start deleting emails (when a common email program loads up). I don't think they'll be that choosy about what they delete either.
Sending warning emails to users is a pointless exercise. Assuming that they read/understand the email in the first place (BIG assumption), I guarantee that the majority of them will just delete it. Why should they care if their computer's a zombie? It still works well enough to do whatever it is they're online to do.
No, I think the solution is for zombied computers to be quarantined. Use DNS and routing tricks to redirect any attempts to go anywhere "on the internets" (i.e. a web browser) to a site which explains that they're quarantined, and what they have to do to get out.
Unfortunately, that would raise call volumes to the ISP support lines, and require commitment on the ISPs' part to train their support monkeys. If ISPs started facing financial penalties for zombied users, then maybe the economics would balance out.
I'm sure I'm not the first person to think of this, though, so I'm probably missing something.
Re: (Score:2, Informative)
Why should they care if their computer's a zombie? It still works well enough to do whatever it is they're online to do.
In my experience, it's worse than that. It's not that they don't care. They don't even believe it.
"My computer works fine. It can't be infected. I have Norton 2003 that came with the computer, so I'm fine. It's maybe a little slow, but that's because it's getting old and wearing out. I'M NOT INFECTED!I'MNOTINFECTED!I'MNOTINFECTED!LALALALALA"
Re: (Score:3, Insightful)
I work for a major Finnish ISP and since this information is public knowledge, I am not going to anon this post.
We have several systems (which are actually pretty good and do work) in place that identify and warn us regarding the kind of traffic that happens when a customer machine is turned into a botnet zombie. When this is detected, the customer is approached by either email or phone and given a grace period of a couple of days to clean up his machine. If the customer ignores this, his internet connectio
Re: (Score:3, Insightful)
I don't mean this in a snarky way, but given that the population of the entire country of Finland is ~5.2M folks, I can't imagine that even a "major" Finnish ISP has a huge userbase.
I used to work for a medium-sized regional ISP. We were one of several similar-sized ISPs serving a multi-metro area of maybe 3M people. At our peak, we had 30k accounts, if I recall correctly. This was back in the dialup days, btw.
Anyhow, my point is that when you're talking about the scale of the behemoth ISPs here in the S
Re: (Score:2)
We were one of several similar-sized ISPs serving a multi-metro area of maybe 3M people. At our peak, we had 30k accounts, if I recall correctly.
I don't mean this in a snarky way either, but to give you a sense of scale, we, in a country of 5.2 million, have 500k broadband accounts and have no problem maintaining this policy.
Re: (Score:1)
A fairly common reaction when explaining to people that they had been infected was to be shouted at for "sending my PC viruses".
Sadly I think that before any quarantine plans can be implemented a pretty major shift in user perception must occur - otherwise the level of bitching that will occur will be apocalyptic.
However, I don't work in support anymore - I say go for it ;)
Re: (Score:2)
Yeah I think the call volume part is really the singular problem there. Like every other business, it seems they HATE taking phone calls.
Maybe a mutual arrangement that all ISPs could pay into, one call center where each ISP pays by subscriber count. They could all quarantine using similar techniques and the call center would give out the same advice to people.
Hell, my windows machines are well protected, and I have little fear my *nix machines will see many problems, but I wouldn't mind having an ISP pr
Re: (Score:2)
I totally agree. If ISPs would set egress limits on syn packets and email traffic, that would seriously reduce the value of these botnets as well. Even just filtering out obviously forged syn packets would improve things greatly.
Of course these features would have a slight cost, and no benefit to the ISP directly, so I am sure it is never going to happen.
Md5 - solution to some of the problems at least (Score:1)
Re: (Score:2)
Of course, this is not a true fix anyway. There is no reason that someone cannot just write a program that does the s
Re: (Score:2)
What would keep me from redirecting your request for the MD5 to a page that tells you everything is fine, or simply supply you with the "right" checksum altogether? I can't see a reason why a request to such a page cannot be redirected internally to a locally running server that gets supplied the MD5 sum of the software you just downloaded.
Since such a system would certainly be used to ensure you only run software that you are supposed to run (read: does not pester MS, RIAA or similar nice orgs), I'm fairly
Re: (Score:2)
Gosh, you mean like a digital signature for every program? You mean like what is implemented in Windows?
There is a security option for Windows that says nothing gets executed that is not signed and valid. Turn it on and you would be a lot safer. Unfortunately, some of Microsoft's own stuff isn't signed.
Stupid.
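To make concrete why the reply above is right that a signature does what a fetched checksum cannot, here is an added example (not code from anyone in this thread): a client that compares an MD5 published beside the download accepts any substituted file whose checksum is rewritten along with it, while a client holding the vendor's pinned Ed25519 public key rejects it. The key pair, installer bytes and function names are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/md5"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Download is what the client ends up holding: the program plus the two kinds of
// "proof" that can travel with it. Body and Checksum both arrive over the same
// channel; Signature only helps if the verifying key was pinned in advance.
type Download struct {
	Body      []byte
	Checksum  string // hex MD5 published next to the program, as in the thread
	Signature []byte // Ed25519 signature over Body by the vendor's private key
}

// VerifyByChecksum is the fetch-the-hash-and-compare flow. It proves only that Body
// matches whatever checksum the channel handed over, so a party that controls the
// channel (proxy, DNS, a local redirector) can satisfy it for any Body.
func VerifyByChecksum(d Download) bool {
	sum := md5.Sum(d.Body)
	return hex.EncodeToString(sum[:]) == d.Checksum
}

// VerifyBySignature checks Body against a public key the client already holds, so a
// replaced Body would need a fresh signature under the vendor's private key.
func VerifyBySignature(d Download, vendorPub ed25519.PublicKey) bool {
	return ed25519.Verify(vendorPub, d.Body, d.Signature)
}

// Publish is the vendor side (constructed): hash and sign the genuine program.
func Publish(body []byte, vendorPriv ed25519.PrivateKey) Download {
	sum := md5.Sum(body)
	return Download{Body: body, Checksum: hex.EncodeToString(sum[:]), Signature: ed25519.Sign(vendorPriv, body)}
}

// Substitute models the channel problem from the thread: the program is swapped and the
// client is handed a matching checksum. The old signature is all that can be passed on.
func Substitute(d Download, replacement []byte) Download {
	sum := md5.Sum(replacement)
	return Download{Body: replacement, Checksum: hex.EncodeToString(sum[:]), Signature: d.Signature}
}

// Outcome pairs both checks for the genuine and the substituted download.
type Outcome struct{ GenuineChecksum, GenuineSig, SubstitutedChecksum, SubstitutedSig bool }

// Scenario runs the comparison end to end with a freshly generated vendor key.
func Scenario() (Outcome, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	genuine := Publish([]byte("installer v1.0 (constructed sample program)"), priv)
	swapped := Substitute(genuine, []byte("installer v1.0 plus something unwanted"))
	return Outcome{
		GenuineChecksum:     VerifyByChecksum(genuine),
		GenuineSig:          VerifyBySignature(genuine, pub),
		SubstitutedChecksum: VerifyByChecksum(swapped),
		SubstitutedSig:      VerifyBySignature(swapped, pub),
	}, nil
}

func main() {
	o, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", o) // {GenuineChecksum:true GenuineSig:true SubstitutedChecksum:true SubstitutedSig:false}
}
```

The hash algorithm is not what fails here; replacing MD5 with SHA-256 changes nothing, because the weakness is that the checksum and the file share a channel the client cannot authenticate.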
Nuh-uh... (Score:4, Informative)
-- How does the Internet Police cross international boundaries in a legal fashion? A Status of Forces Agreement, perhaps? Would England really like Argentina (for example) to shut customers off because they're supporting a botnet?
-- What enforcement tools would be utilized to force people to use anti-virus/malware programs? What are the consequences for the user if they choose not to? There's quite simply too many potholes for a one-nation or government solution, I think. I can't think of a country that's fixed all of their own individual problems, much less open up an Internets Po-Po division to take care of a global problem as well.
Re: (Score:1)
Interpol [wikipedia.org]? From TFA:
Interpol already work on computer crime so TFA's argument may be implemented as a specific department, likely
McColo success story? (Score:5, Insightful)
I'd call that an abject failure, a speed bump at best. It was a temporary takedown that was reinstated long enough for the baddies to copy all of their goods off to another site and reset the command and control to point to that other site.
Re: (Score:3, Funny)
True, but now we know the bad guys suck at backups, too....
Re: (Score:2)
The only solution, really, is for your users to not download malware. Good luck w
The death of a meme? (Score:2)
I am surprised that no one has brought up the "evil" bit from RFC 3514. Is this really Slashdot?
If you have a problem, (Score:2)
Idea Guy (Score:5, Interesting)
Stewart... acknowledged he doesn't have all the answers. "I'm more of an idea guy."
Thanks for the idea! Because nobody has thought of this before [networkworld.com]. Congrats on the ComputerWorld article, though.
By necessity, the work would have to be done in secret, so as to not alert hackers that a group is on their trail.
But... you just published your idea to the world.
Stewart declined to comment on whether there were teams organized along the lines he suggests already in operation. "I don't want to comment on ones that have or have not started," he said.
So... this may or may not be your own original idea, because there may or may not be teams like this already in existence?
... must be harried, hounded and hunted until (Score:1)
Every programmer who knows C and the Win32 API but runs Linux on his notebook must be harried, hounded and hunted until he dies or goes total moron. That's the logical conclusion.
Maybe there is another way to leverage risks? Windows monoculture and total ignorance of users creates "open doors" only the lazy can not penetrate. Just leave your wallet on the floor and shut everybody who cares to peek at it.
Re: (Score:2)
Track, infiltrate, disrupt (Score:4, Insightful)
I remained silent;
I was not a malware author.
Then they locked down the adult sites,
I remained silent;
I was not a pervert.
Then they came for the bittorrent trackers,
I did not speak out;
I was not a pirate.
Then they came for the internet,
I did not speak out;
I was not a blogger.
When they came for me,
there was nowhere left to speak out.
Re: (Score:3, Insightful)
That sounds like a case of one of the Godwin's law extensions
Re: (Score:2)
I'm willing to give him the benefit of doubt, that he actually really has no nefarious intentions to become the new "ruler of the online world". Some malware researchers are a wee bit zealous, I've seen people who would demand nothing less but to ban people from connecting to the internet should they be part of a botnet, who demand "driver's licenses" for computers, and that's some of the tamer examples.
I believe him that he has no intention to be the internet overlord. I also believe, though, that he didn'
Re: (Score:2)
Per your order of operations there, I'm pretty sure we'd stop them dead before they cut off our porn. ;)
Re: (Score:1)
Who needs intellects to go on strike, the mediocre will eventually stop the motor of the world all by their lonesome. O'Bama is the Dagny Taggart of the new millennium.
Der Wachter.
Re: (Score:2)
But when they came for the spammers,
I cheered loudly.
Re: (Score:2)
And then suddenly the Internet became 1000% better without all the worms and torrent kidz and goatse and griefers and Rickrolling and we all said 'hey why didn't we appoint a CEILING CAT years ago? This was a great idea we had!'
And we all had a party and ate cake.
"employing a spectrum of disruptive tactics" (Score:2)
Re: (Score:2)
I'd hope you could make the argument that it's more like making a thief's gun jam during a robbery, or disabling his getaway car.
Or just get used to it. (Score:2)
Yes, that's just it. Get used to "cybercrime".
As long as nobody gets hurt in the real world, get over it. ... and this leads to rule #1 of anti-cybercrime anti-malware strategy: back up your data, encrypt your data, and make recovery/restore of your data after a malware attack as easy and cheap as possible.
Yes, that also goes for you, secret services. First thing you need to do (and I never thought I'd say that) is implement some kind of secret-service-wide DRM'ed processing network, and *only* work within
Re:Or just get used to it. (Score:4, Insightful)
There is no crime if nobody got hurt in the real life. There is (or should not be) any such thing as cyber-murder, cyber-theft, cyber-kidnapping etc, simply because everything that's "cyber" is "information", and information, by definition cannot be murdered, stolen or kidnapped.
Are you serious?
This isn't about virtual murder. It's about botnets that may steal your credit card information, be directed to launch attacks against servers, etc. There is significant potential for financial harm. Suppose your credit lines were maxed out by someone else, rendering your payments late, and then your bank got DoS'd so you couldn't access your money? What if you lived in Estonia, whose government and banks were essentially shut down during a massive cyberattack?
Re: (Score:2)
Agreed, but the last thing I want is to see a bloody "police department" or "military special operations team" tracking down spammers and credit card thieves.
Re: (Score:2)
You mean like this [networkworld.com]?
Re: (Score:2)
It's about botnets that may steal your credit card information
Right, why read the post while you can disagree without. Read again.
This is a problem of identification, not of malware. Have your bank identify you using something different than a 12 digit number, and you don't have to care about bots stealing credit card information.
be directed to launch attacks against servers, etc.
To do what damage, that couldn't be undone by backups and/or restoring the software of the data centers?
There is significant potential for financial harm. Suppose your credit lines were maxed out by someone else, rendering your payments late, and then your bank got DoS'd so you couldn't access your money? What if you lived in Estonia, whose government and banks were essentially shut down during a massive cyberattack?
For how long? Restore the banks. A "massive" cyber-attack is nothing that couldn't be detected.
The fact that we don't _have_ a decent soll
Re: (Score:2)
[To] do what damage, that couldn't be undone by backups and/or restoring the software of the data centers?
You really can't imagine that there are time-sensitive matters in the world, for which a DoS attack could be catastrophic? An obvious example is a hospital. Or fuel delivery that is held up because your bank is DoS'd, and now you're freezing to death. Your power is out, and thousands of dollars of food in your grocer's freezers is rotting away -- money down the drain for him, and less food for peop
Re: (Score:2)
I get your point, but... :-)
Yes, I'll admit that there are time-critical applications that could be DDoS'ed. But only if you admit the following:
1) it's probably cheaper to make sure that a DDoS is recognized fast(er than now) and reacted to appropriately within a matter of mere seconds/minutes, than it is to make a system DDoS-safe. And for many applications, this is good enough and significantly cheaper. To use your example: a fuel company DDoS could be safely responded to within minutes/hours. My fuel ta
trust (Score:4, Interesting)
Most hacker groups I have seen are set up in such a way where no one needs to trust anyone else. Status is based on what you contribute to the group, so if someone doesn't contribute much, they no longer get access to the work of the collective.
For someone to "infiltrate" a group, all they need to do is contribute to the work being done, and I highly doubt IRC logs will be very admissible as evidence.
My point is, if someone is going to get to the level where they can put anyone of any importance in jail, they are first going to need to contribute a significant amount to the underground community, which would probably cause more problems than it would solve.
Cut off their funding (Score:3, Informative)
If you really want to make an impact you need to target their source of funds. Getting Visa and Mastercard to get very proactive about shutting down their funding source would do far more than any threat of arrest ever will. These criminal rings do these things (spam, bogus software etc) because they are an easy source of money. Visa and Mastercard are so slow in shutting down illicit sites that the time it takes allows them to make a handsome profit.
Easy low cost way to do this.
1. Allow the public at large to easily report suspected fraud to a centralized web site.
2. Assign investigators from the credit card companies to monitor the site and check out reported fraud reports.
3. Have the finance investigators work with requisite police agencies world wide.
Until you shut off the easy finance spigot these will continue to proliferate. Let's face it, does it really take a prolonged investigation to see if AntiVirus 2009 or the latest penile enhancement pill just might be bogus? Right now the criminals act with impunity because it is profitable, and the credit card companies have a laissez-faire attitude because they also make money. You need to convince the credit card companies to be more willing to forgo their fees and do their part.
Re: (Score:2)
3. Have the finance investigators work with requisite police agencies world wide.
There you go. Without this last item, the rest is pointless. And there is no agreement that botnets are bad by all the world's governments and police agencies. So, no cooperation and no enforcement.
You do not want Visa and MC deciding who is a good person and who is a bad person on their own.
Re: (Score:2)
I've worked in credit with large-balance fraud; a skilled fraud investigator can find fraud in a very short period of time. I have worked with law enforcement for some of the bigger stuff. The guys in the credit world are better at busting that kind of thing. I could call up a contact at the secret services and the conversation would go like this:
1. Here's your victim
2. Here's the crime
3. Here's the perp's bogus ID, address and so on
4. Here's the perp's real information
All the secret service agent had to was ve
I'm not waiting for "a dent" (Score:1, Troll)
Only a total annihilation of spam- and botnetbusiness is what we are looking for.
We have seen how accurate missiles are nowadays. How hard can it be to do some target practice on a \/1@9r@ hosting datacenter?
ISPs? What the hell happened to slashdot? (Score:5, Insightful)
If ISPs are allowed to "track down" botnets and botnet zombies, then why can't they "track down" torrents? Or porn? Or any other thing that the powers-that-be don't want you downloading? Am I the only one who sees major problems with ISPs being put in a watchdog role?
I can't believe nobody has brought this up. Am I in the right place? Is this slashdot?
Re: (Score:2)
It depends how it is done.
If the ISP goes "you're sending out a huge number of emails - you're either a spam bot or a server, so we're locking you down" then that's not being the police. Action like that is just enforcing fair use on a network and ensuring everyone gets an even share without service being degraded by someone else. There's generally a rather obvious point at which someone goes from "sensible home usage on a home broadband connection" to "some kind of spammer or bot".
"Tracking down" illegal t
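The egress-limit idea from earlier in this thread (limits on outbound SYN packets and email traffic), the "huge number of emails" threshold in the reply above, and the warn-then-quarantine procedure the Finnish ISP poster describes fit together into one detection loop. The following is an added example, not code from any poster here or from any ISP's real system; the flow schema, subscriber names, and the limits of 50 SMTP connections and 500 half-open SYNs per window are constructed assumptions.

```go
package main

import (
	"fmt"
	"time"
)

// Flow is one outbound connection summary (constructed schema, not any ISP's format).
type Flow struct {
	Subscriber string
	DstPort    int
	SynOnly    bool // SYN sent, handshake never completed
}
type State int
const (
	Clean       State = iota
	Warned            // customer notified, grace period running
	Quarantined       // DNS answers point at the walled-garden page, other egress dropped
)
type Subscriber struct {
	State      State
	GraceUntil time.Time
	Reason     string // what the notification tells the customer
}
// Detect counts outbound SMTP connections and half-open SYNs per subscriber for one
// window and returns each offender with the egress limit it exceeded (an ISP policy choice).
func Detect(flows []Flow, maxSMTP, maxSyn int) map[string]string {
	cnt := map[string][2]int{} // [SMTP connections, half-open SYNs]
	for _, f := range flows {
		n := cnt[f.Subscriber]
		if f.DstPort == 25 {
			n[0]++
		}
		if f.SynOnly {
			n[1]++
		}
		cnt[f.Subscriber] = n
	}
	flagged := map[string]string{}
	for sub, n := range cnt {
		switch {
		case n[0] > maxSMTP:
			flagged[sub] = fmt.Sprintf("%d outbound SMTP connections, limit %d", n[0], maxSMTP)
		case n[1] > maxSyn:
			flagged[sub] = fmt.Sprintf("%d half-open SYNs, limit %d", n[1], maxSyn)
		}
	}
	return flagged
}
// Apply advances states: a first detection starts the grace period, a detection after it
// expires quarantines, a quiet window after it expires clears the warning, and quarantine
// persists until the customer completes the walled-garden steps (not modelled here).
func Apply(subs map[string]Subscriber, flagged map[string]string, now time.Time, grace time.Duration) {
	for sub, reason := range flagged {
		s := subs[sub] // zero value (Clean) for a subscriber not seen before
		s.Reason = reason
		if s.State == Clean {
			s.State, s.GraceUntil = Warned, now.Add(grace)
		} else if s.State == Warned && now.After(s.GraceUntil) {
			s.State = Quarantined
		}
		subs[sub] = s
	}
	for sub, s := range subs {
		if _, bad := flagged[sub]; !bad && s.State == Warned && now.After(s.GraceUntil) {
			subs[sub] = Subscriber{}
		}
	}
}
// sampleWindow is a constructed window: one bot and one light mail user.
func sampleWindow() []Flow {
	var fl []Flow
	add := func(sub string, port, n int, syn bool) {
		for i := 0; i < n; i++ {
			fl = append(fl, Flow{sub, port, syn})
		}
	}
	add("sub-bot", 25, 300, false)
	add("sub-bot", 80, 2000, true)
	add("sub-mail", 25, 5, false)
	return fl
}
func main() {
	subs := map[string]Subscriber{}
	t0 := time.Date(2009, 4, 20, 10, 0, 0, 0, time.UTC)
	for _, now := range []time.Time{t0, t0.Add(24 * time.Hour), t0.Add(72 * time.Hour)} {
		Apply(subs, Detect(sampleWindow(), 50, 500), now, 48*time.Hour)
		fmt.Println(now.Format(time.RFC3339), "sub-bot", subs["sub-bot"].State, subs["sub-bot"].Reason)
	}
}
```

The main loop feeds the same window three times, so the bot moves from warned (grace period started) to quarantined once the 48-hour grace period has passed, while the five-message mail user never enters the state table at all.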
Re: (Score:2)
Am I in the right place? Is this slashdot?
Nope, you got lost and have somehow ended up on NEGA-SLASHDOT. MWAHAHAHAHAHAHA!
Didn't you notice all of our nifty goatees?
National security is being compromised every day.. (Score:1)
Re: (Score:2)
Net neutrality, by most people's interpretation, means the ISPs cannot do anything about botnets.
Giving ISPs the responsibility but without the authority to really do anything about it just leads to a disaster where, once again, nobody is accountable.
Time to face reality. Botnets are a minor annoyance to properly configured machines and a complete meltdown catastrophe to improperly configured machines. Sorry, but if you want thousands (millions?) of Joe Sixpacks and Grandmas being the "system administra
Attack Vector? (Score:4, Informative)
Googling for conficker gave me wikipedia's entry
http://en.wikipedia.org/wiki/Conficker
Looking through conficker's entry gave me the vector MS08-067
Googling for the vector gave me this article
http://www.phreedom.org/blog/2008/decompiling-ms08-067/
Is it that Win32 lacks a high-quality, well-tested, easily reusable path class, or is it that Microsoft is such a large company that a rogue programmer circumventing the approved safe path class and engaging in not-invented-here-roll-your-own antics is commonplace?
Anyone remember EHAP? (Score:1)
Ethical Hackers Against Pedophilia
Great group of kids helping fight against child porn, lot of talented "hackers" involved for that time period... and ya know what... they were considered outlaw vigilantes. So I ask, what kind of authority is a government going to be willing to give to a "hacker"? Especially in light of the fact that any non-technical politician isn't going to know the difference between Black, White, and Gray hat hackers.
Windows is to blame... (Score:1)
I've always said... (Score:2)
Terminals as Dumb as Their Users (Score:2)
What if we replaced computers with glorified video game consoles with web browsers? It would be like the old WebTV thing, but it could work more like a PC (interface-wise). The user's preferences are saved on the server, but otherwise the machine runs off a flash ROM, or a VM that the manufacturer maintains. When the screen saver kicks in the system resets; then they come back, and the preferences change the interface to have the picture of the grandkids or a LOLcat as the wallpaper.
All it needs to do is brow