Slashdot Mirror
Return of the Web Mob
Parore writes "eWeek is running a story about the return of the web mob, highlighting all the similiarities between the online attacks and the real-world mafia. From the article: "Black hat hackers have set up e-commerce sites offering private exploits capable of evading anti-virus scanners. An e-mail advertisement intercepted by researchers contained an offer to infect computers for use in botnets at $25 per 10,000 hijacked PCs. Skilled hackers in Eastern Europe, Asia and Latin America are selling zero-day exploits on Internet forums where moderators even test the validity of the code against anti-virus software."
There is obviously a problem with botnets, virii, and trojans, part of the problem comes from a 'not my problem' attitude from law enforcement and ISP's.
Dozens of times when networks I maintain have been attacked I have contacted ISP's with all the information they would need to trace the user performing the attack and notify them that their machine is infected, however, the response I usually recieve is, 'it is our policy not to blah blah blah', when I have had verified hack attempts on my systems and have notified the authorities about it, I have been transfered all over the place, put on hold, transfered a little more until I completely loose interest, when I do get to report something it never gets investigated.
Until the people that can actually do something about these zombie machines and malicious users, get off their asses the problem will just keep getting bigger.
GeekServ Unix Consulting Services (http://www.geekserv.com)
What did anyone expect?
The problem with anti-virus software is that it is 100% reactionary. The anti-virus companies don't release updates for viruses that they haven't seen yet.
That's why I view viruses/worms as a failure of the security model of the system.
Trojans are a different matter. But even with those there are ways to mitigate the effects. If nothing else, requiring a password before installing an app will solve most of the "naked pictures of celebrity" emails. There will always be a few idiots.
Thank God for the calming, lawful influences Mom's Apple Pie, Truth, Justice and Barry Bonds' adrenal glands.
Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
That $25 per 10,000 comps isn't bad....
One could do a lot with say... $250 worth.
Silence is golden... and duct tape is silver.
Let's see, the ISPs and other "authorities" can't do anything to stop the "black hat" hackers and mafia, or even refuse to do so.
Yet at the same time ATT is channelling massive amounts of customer traffic to the NSA for examination and interpretation.
Perhaps someone needs to define Mafia=Terrorist?
Three Squirrels
Cue yet another flood of FUD press on the evil "hackers who break into private and public systems, inserting viruses and exploit them to fulfill their own ends" while completely failing to mention the good guys on Bugtraq and such who have quietly been doing their thing for years.
Slashdot Burying Stories About Slashdot Media Owned
The web mob is back! We MUST stop them!
- Quick, To the TuxCave!
$25 to infect 10,000 pc's sure is cheap. If this guy can get only 25 bucks per 10,000, he must have competitors (read: there's a lot of people doing this), and it must be easy to do. These, of course, are not good signs.
However, it occurs to me that the best measure of Microsoft's success in security is the market price for 10,000 infections. For example, if Vista turns out to be an inpenatrible tank, we should see the price go up to 50 or 100 bucks, maybe more.
At the end of the day, until we all stop using the same operating system, we're doomed to a continual barrage of large-scale infections (remember the Irish potato famine?)
- The Kessel run is for nerf herders. I can circumnavigate the entire Central Finite Curve in a lot less than 12 parse
I think the most mafiaesque thing I've seen on the old HTTP lately would be the DDoS and demand for ransom money on milliondollarhomepage.com Here's an article on it, the blog on the site itself also details how it went down. http://www.techshout.com/internet/2006/19/ransom-s eeking-hackers-attack-uk-students-million-dollar-w eb-site/
My name is coaxeus, and I approve this message. In fact, I think it is awesome.
Only kidding of course, well partially. How many botnets consist of linux or OS-X machines?
It does however show just how hopeless windows security is. Even criminals have costs so if they can make a profit after paying their hosting and electricity and hardware and man power with just 25 dollar per 10 thousand machines then the cost and labour of infecting a windows machine must truly be trivial.
Lets face it the mafia doesn't do it for penny profits. They are not supermarkets surviving on a 1 cent per sale profit. They want millions and they want them now.
How many times $25 does it take to intrest a mobster?
Frankly I don't think the problem is going to go away. The idea that MS is ever going to provide a secure OS is laughable and even if they did nothing helps against a dimwitted user who happily installs anything if it promises a nudie picture.
They only two easy solutions I see is to install a serious watchdog on the net. One who can kick off ISP's that host the mob AND users who let their PC's get infected.
Would that be workable? Even "respectable" western ISP's barely respond to complaints about attacks. We got a spam watchdog that already kicks of ISP off the email net when they misbehave and this just barely works. If the same was applied officially to the net as a whole entire parts of the world would be disconnected.
Perhaps it is just something we got to live with. The real live mafia never went away. Why should the net be any different. As long as their is money to made people will attempt to get it.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
Most law enforcement I've worked with are great at their job.. if they can see it. Example - someone commits a crime, they can investigate and arrest. However I'd say about 1/2 of general law enforcement people do not grasp the concepts of the "virtual" world, through no fault of their own.
:)
While Opping on irc, I noted a person claiming to sell laptops at 1/2 retail cost.. new ones. I pretended interest, and got some contact info.. forwarded this on to law enforcement for his area... within a week, the detective emailed me to say they'd busted a fraud ring. It was tangible, they could deal with it
Internet crimes still deal a lot in the virtual world, and if you haven't been trained on how to.. visualize and understand it, it's a tough concept. Not everyone gets it.
As with a lot of things, the key would be training. You're probably not going to get a small town sheriff trained, however some of the larger sheriff's departments would be excellent centers for this.. keep it to county level, forward to state or federal if needed.
{} ------ When I think of a good sig, I'll put it here
This is exactly why any and all security information should be released to the public immediately.
Public release will serve the following purposes:
1. To inform the consumer of a problem/vulnerability so that action can be taken sooner.
2. To kick the vendor in the ass and make him move on the issue.
3. To prevent underground organizations from creating secret exploits that might otherwise go unnoticed or unidentified.
3a. To prevent commercial gain by exploiting the knowledge of such secret/unknown security problems.
So........
When i went to purchase these 25,000 computers with my trusty Internet Explorer v4.0, I actually got A DEAL!. They tossed in a extra computer now I control 25,001. These guys are soo nice!.
Meh.
You can do more with a kind word and a gun than with just a kind word. -- Al Capone
AV software is akin to a kind word when it comes to combating the net mafia.
During the Wild West days when law enforcement was scarce, militias and posses were deputized to keep the peace. Today, police and government are stretched thin, so Congress should deputize 'white hats' to attack/track down virus writers. This has got to be better than the reactionary stuff we are legally permitted to use.
I read
Wow, what a bad analgy.
Ignorance is different from negligence. And ignorance is not necessarily a negative term. It just highlights the fact that somebody does not know how stuff works in this example.
Driving 150 km/h is already doing too much, knowingly. The problem is when people drive cars they believe to be secure, driving at speed limit, while not knowing that somebody came and slowly started loosening the bolts on the wheels. Until eventually the wheels come off, the person driving the car loses control and causes a multiple vehicle collision on a highway.
Yes, blah, blah, it is the responsibility of the owner of the vehicle to check the safety of his/her vehicle. Let me ask you, do you check your lugnuts each day? How about each time you drive?
The problems of PC maintenance are highlighted especially in the young kids demographic as well as novice computer users, older computer users (mom/pop, grandma/grandpa), or people who are not technologically adept.
I expect the next line to be that such people should not use computers... Let's talk realistically intead of dreaming.
"An e-mail advertisement intercepted by researchers contained an offer to infect computers for use in botnets at $25 per 10,000 hijacked PCs"
Dear researches i would like to make you an even better offer recently my good friend the president of nigeria was killed and he had left me a huge amount of money but i need help getting it out of the country for pay the fee for all the legal paper work and transfers i will give you 20% of my 100 million inheretence
Visit my site @ http://www.madtorrent.com
You see the attacks from such countries because it is damn convenient to proxy the traffic through those countries. Every good cracker in The US or Europe does that to have a layer of security between himself and the authorities.
but you have to be careful listening to them.
Hypothesis: the mob are the buyers of botnets, not the sellers, and the sellers are in a worse negotiating position.
Hypothesis: supply of infected machines exceeds demand.
Hard to tell which is correct.
Zero-day exploit pricing is interesting too. I've seen numbers like $500 or $1000. If that reflects supply and demand then Windows machines are still pathetically vulnerable. In any event, that means that any stalker or divorce investigator could afford one.
Anyone seen an actual published survey of zero-day pricing?
Yeah, that's not qall of it, they even accept credit cards :)
Most likely, yes. "we" aren't the ones spreading virius and unknowingly joining botnets. It's the uneducated person who went to CompUSA or Dell and bought their PC. Those people wouldn't put up with the heightened security of a secure Linux box any more than they would with a secure Windows machien. They would still fall victem to the same trojans. Some virus and worms would probably spread more slowly but overall the situation would be pretty much the same because the common computer user doesn't want to deal with everything that goes along with a locked down, secure, system.
You presume that Joe or Jane Consumer will necessarily:
a) Hear
b) Pay attention
c) Understand
d) Be able to do something
e) Do something
Color me skeptical.
3. To prevent underground organizations from creating secret exploits that might otherwise go unnoticed or unidentified.
No, this only means that when someone else finds the hole, you can check if their have been black hats using it. A few of the Black Hat groups are skilled enough to find holes, and clever enough to exploit them without telling anyone else.
//Information does not want to be free; it wants to breed.
Holding Joe Sixpack responsible for his computer's actions? Doubt it.
Remember that he's the one that generates money for the ISPs. He's not downloading Terabytes of movies.
He is the one that buys the crappy "download accelerators" and other useless programs.
He is the one that uses online banking.
He is the one that buys at Amazon.com and EBay.
Let's face it, he is the one they shape the internet for! The 'net ain't our net anymore. Hasn't been for well over 10 years now.
Now imagine he's held responsible for what happens out of his box. He doesn't know jack about his PC. He doesn't know he has a zillion dialers, trojans, adbots and whatnot, from klicking EVERYTHING presented to him. He only knows that "the net" somehow "did this" to his PC.
What is he going to do? Learn how to use it? Or stop using it altogether?
Which one is more likely? And would the industry like that reaction?
So will he ever be held responsible?
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
I've installed and run investigative workstations for my employer. It ain't easy. Our methodology is to set up workstations that are as bulletproof as we can make them (considering the places we're going to visit, that's a given) and then let specialists try to develop leads. We have procedures to allow non-LEO personnel do the initial legwork; they surf and chat and poke around, extensively logging everything. When something interesting pops up, they're free to dig deeper. Eventually, when they think they have enough information to write up a report, they do so and turn it over for review. If it's picked up for serious investigation, either on the criminal or civil side, it passes from their hands and they never really know what becomes of it. That's fine with me; the initial lead development is what's fun, anyway. I'm one of the few people I know who can say he's spent a great deal of time being paid by Uncle Sam to surf porn (and other unsavory stuff).
What bugs me are the amateurs. There's a certain nexus between the sleazy side of the porn world and financial crimes, so I've spent a bunch of time in places that, at first blush, might seem more titillating than profitable. You would not believe how many transparently fake attempts are made by local, often small-town cops to entice people into illegal behavior. By far, the most common problem is the "I'm a 12-year-old girl. Would you like to talk to me about sex?" thing. Yes, some of them are that crude. Apparently, there are a bunch of Barney Fifes out there who have convinced their bosses to set up an AOL account for them in a back room at the police station for the purpose of generating a few easy, cheap, and sensational arrests that'll get the name of the local DA in the paper before the next election.
I used to wish they'd just go away, but afaik perhaps they already have. I haven't worked in lead generation for several years so I haven't been in any of those places in quite a while.
Anybody have any recent experience with this? Are there still woefully clueless LEOs out there popping up at inappropriate places pretending to be hot-to-trot preteens? God, I hope not; they were a royal pain in the ass.
Maybe I've seen too many movies, but these blackhats don't *sound* like the mob.
I'd think the mafia would build enterprise-ready e-commerce sites and then "persuade" businesses to purchase hosting from them. You know, the old protection racket.
None of this $25 a pop retail sales stuff. That's just monkey business.
I thought webmobs are like flashmobs, but on the web as they write in the webmobs manifesto http://www.webmobs.de/manifesto.html. There seem to be 2 different meanings of the same word.
It is clear that the author of this article has absolutely no understanding of the real web "mob" (which isn't even called that BTW). This article is total BS and probably some kind of government set up.
For people who want to understand the "real" "mob", they need to understand the Underground Economy (UE). What they need to understand is business and commerce. 90% of UE transactions is just regular business trying to aviod taxes and regulations. They have an elaborate offshore finance network that can transfer money arround the world faster than governments can track it. Most of the money is gained thru (some) female services, hotels, casinos, people smuggeling, and (some) drugs, and the biggest one - tax free duty free trade - and not thru online hacking nor thru draining peoples bank accounts or even defrauding people. In fact, they try to distance themselves from these activities because they want return customers built on a trust relationship. Most fortune 500 companies have regular dealings in the UE.
It is highly factioned, and some people do try to blackmale, eg (give us money, or don't report us when we rob you or else such and such government will find out about your hidden transactions) - but this is mostly on a rogue individual level and not a large commercial level. In fact, when the FBI trackes these people down - it helps the UE, because it lowers their transaction costs and liabilities. Also, if they need access to secure systems, they don't need to hack into them. They have a lot of high level bank officers and government officials in their pockets. The real UE also hates terrorisim which in the last few years has increased their transaction costs several fold. The goal is to hide financial transactions from taxes, regulation, and rogue lawsuits, not to hide finances for terrorisim. Also most of the UE is split between drugs. Many try to distance themselves from the drug trade to avoid the higher costs of business, but the money is so big that it can't be ignored all together.
Another thing that most people don't understand is that the war on drugs and the financial part of the war on terrorisim is really just an excuse to wage war on the UE. When corporate money associates the UE with drug lords and terrorisim, then they tend to keep their money at home more where their respective governments can tax the living daylights out of them. Given the costs of the war on terror, the big welfare states of most governments, and really really bad fundamentals of the US dollar lately - this has become a high proiroty for the US government in recent times.
One more thing, the US dollar is in deep deep shit. The US economy can't pay off it's debts without watering down the dollar (or default which they can't do because it will cause a cascading chain of defaults), but they cant water down the dollar without sparking a stagflation spiral. When it spirals out of controll it will cause hell in the US and every country in the world. Anyone who doesn't have precious metals is either stupid, poor, or going to be poor. It used to be that the dollar was the currency of choice for the UE, then when the dollar devalued the currency of choice became the Euro, now the currency of choice has been moving quickly torard Gold.