Botnet Expert Wants 'Special Ops' Security Teams
CWmike writes "Criminal cybergangs must be harried, hounded and hunted until they're driven out of business, a noted botnet researcher said as he prepared to pitch a new anti-malware strategy at the RSA Conference in SF. 'We need a new approach to fighting cybercrime,' said Joe Stewart, director of SecureWorks' counterthreat unit. 'What we're doing now is not making a significant dent.' He said teams of paid security researchers should set up like a police department's major crimes unit or a military special operations team, perhaps infiltrating the botnet group and employing a spectrum of disruptive tactics. Stewart cited last November's takedown of McColo as one success story. Another is the Conficker Working Group. 'Criminals are operating with the same risk-effort-reward model of legitimate businesses,' said Stewart. 'If we really want to dissuade them, we have to attack all three of those. Only then can we disrupt their business.'"
Teach users to be safe on the internet and not download any old thing that pops up on the screen... seems cheaper and easier than waging an all-out witch hunt on botnet admins.
Crackin' Wise - Blogging about whatever we want
A bunch of fat, Cheetos-eating superheroes I can identify with!
The musings of just another geek and his junk.
They need the cooperation of ISPs. If only ISPs worldwide would at least send warnings to customers that run 'zombie machines'.
Couldn't each OS just have its own installer which MD5-checked the installation files for downloaded programs against the website, which was of course at least HTTPS-secured? For people without internet available there would have to be another solution, though.
http://freelinuxguides.wikidot.com
After killing the USAF Cyber Command, it's now back, better than ever, under DHS.
That'll put the fear of Dog in those bad botnet operators.
-- Requiring ISPs to send out warnings to zombie machines would help, but I'm not sure if I'd like to give them the opportunity to use packet inspection on my connection to verify the nature of the traffic. That's a slippery slope.
-- How does the Internet Police cross international boundaries in a legal fashion? A Status of Forces Agreement, perhaps? Would England really like Argentina (for example) to shut customers off because they're supporting a botnet?
-- What enforcement tools would be utilized to force people to use anti-virus/malware programs? What are the consequences for the user if they choose not to? There are quite simply too many potholes for a one-nation or government solution, I think. I can't think of a country that's fixed all of its own individual problems, much less opened up an Internets Po-Po division to take care of a global problem as well.
I'd call that an abject failure, a speed bump at best. It was a temporary takedown that was reinstated long enough for the baddies to copy all of their goods off to another site and reset the command and control to point to that other site.
How about building secure systems?
Swat one fly, ten arrive to feed.
Swat ten flies, a hundred arrive instead.
Remove the food, and no flies arrive.
If user education was going to work, it would have worked by now.
~ Anti-virus researcher Vesselin Bontchev
if no one else can help, and if you can find them, maybe you can hire... The 01000001-Team.
Stewart... acknowledged he doesn't have all the answers. "I'm more of an idea guy."
Thanks for the idea! Because nobody has thought of this before. Congrats on the ComputerWorld article, though.
By necessity, the work would have to be done in secret, so as to not alert hackers that a group is on their trail.
But... you just published your idea to the world.
Stewart declined to comment on whether there were teams organized along the lines he suggests already in operation. "I don't want to comment on ones that have or have not started," he said.
So... this may or may not be your own original idea, because there may or may not be teams like this already in existence?
Liberal? Conservative? Compare perspectives at Left-Right
Every programmer who knows C and the Win32 API but runs Linux on his notebook must be harried, hounded and hunted until he dies or goes total moron. That's the logical conclusion.
Maybe there is another way to leverage risks? The Windows monoculture and total ignorance of users create "open doors" only the lazy cannot penetrate. Just leave your wallet on the floor and shoot everybody who cares to peek at it.
When the researchers came for the malware authors,
I remained silent;
I was not a malware author.
Then they locked down the adult sites,
I remained silent;
I was not a pervert.
Then they came for the bittorrent trackers,
I did not speak out;
I was not a pirate.
Then they came for the internet,
I did not speak out;
I was not a blogger.
When they came for me,
there was nowhere left to speak out.
Domestic spying is now "Benign Information Gathering"
My understanding is that the illegality of tampering with others' computers would forbid them from "employing a spectrum of disruptive tactics" inside the botnet, in much the same sense that the illegality of blowing up people's houses stops cops from spending all day recreating Lethal Weapon. Certainly the "illegality defense" (where relevant) would be in effect should the botnet operators or their clients ever be prosecuted.
No kidding!!! What do you say at this point?
Yes, that's just it. Get used to "cybercrime".
As long as nobody gets hurt in the real world, get over it. ... and this leads to rule #1 of anti-cybercrime anti-malware strategy: back up your data, encrypt your data, and make recovery/restore of your data after a malware attack as easy and cheap as possible.
Yes, that also goes for you, secret services. First thing you need to do (and I never thought I'd say that) is implement some kind of secret-service-wide DRM'ed processing network, and *only* work within that network. That will require lots of discipline from you, but... hey, you're a secret service! What's worth the discipline if not the secrecy of your data?
As for you mortal users: nobody wants your grandma letters, so don't bother. As for your bank account / identity data: step on your bank's toes to give you a better identification mechanism, then the whole malware problem for you reduces to reliably proving your identity. Period. (Of course, provided that rule #1 is satisfied.)
And for all you guys in between: governments, public institutions, etc.: you're not supposed to have any secret data, and if you really do, see #secret-service. Then you can afford the extra bit of discipline to keep it secret.
For the sake of completeness: this whole "cybercrime" thing is a farce. There is no crime if nobody got hurt in real life. There is not (or should not be) any such thing as cyber-murder, cyber-theft, cyber-kidnapping etc., simply because everything that's "cyber" is "information", and information, by definition, cannot be murdered, stolen or kidnapped. If proper measures are taken, it can be restored to its original state at any time. If deleted, it can be restored from backups; if modified, it can be changed back. If crucial parts of your system are being compromised (as is the case with public energy / transportation / water supply systems): detect the intrusion and restore the system from scratch.
The only critical thing with information is that it can be illegally copied, in which case... see #secret-service: if secrecy of information is valuable enough to you, take measures: encryption, DRM'ed corporate networks, secure rooms, no-networking machines etc. -- depending on how much secrecy is worth to you, you can implement more or less user-annoying and/or expensive measures.
There's no way to "put an end" to "cybercrime" simply because there's too many ways to do damage to information by anyone with a slight clue and a C compiler. But, then again, it's trivially easy to revert whatever damage is done to information, if proper measures were taken prior to the damage. So, if banning C compilers under legislation similar to heavy weaponry is not an option (and it *better* not be), then the only decent option that's left is to fight the damage of "cybercrime", not the act itself.
Most hacker groups I have seen are set up in such a way that no one needs to trust anyone else. Status is based on what you contribute to the group, so if someone doesn't contribute much, they no longer get access to the work of the collective.
For someone to "infiltrate" a group, all they need to do is contribute to the work being done, and I highly doubt IRC logs will be very admissible as evidence.
My point is, if someone is going to get to the level where they can put anyone of any importance in jail, they are first going to need to contribute a significant amount to the underground community, which would probably cause more problems than it would solve.
If you really want to make an impact you need to target their source of funds. Getting Visa and Mastercard to get very proactive about shutting down their funding source would do far more than any threat of arrest ever will. These criminal rings do these things (spam, bogus software etc.) because they are an easy source of money. Visa and Mastercard are so slow in shutting down illicit sites that the time it takes allows them to make a handsome profit.
Easy low cost way to do this.
1. Allow the public at large to easily report suspected fraud to a centralized web site.
2. Assign investigators from the credit card companies to monitor the site and check out reported fraud reports.
3. Have the finance investigators work with requisite police agencies world wide.
Until you shut off the easy finance spigot these will continue to proliferate. Let's face it, does it really take a prolonged investigation to see if AntiVirus 2009 or the latest penile enhancement pill just might be bogus? Right now the criminals act with impunity because it is profitable, and the credit card companies have a laissez-faire attitude because they also make money. You need to convince the credit card companies to be more willing to forgo their fees and do their part.
Only a total annihilation of the spam and botnet business is what we are looking for.
We have seen how accurate missiles are nowadays. How hard can it be to do some target practice on a \/1@9r@ hosting datacenter?
Privacy is terrorism.
There are several posts advocating larger ISP involvement and nobody has mentioned the obvious slippery slope with ISPs being put into a "policing" role.
If ISPs are allowed to "track down" botnets and botnet zombies, then why can't they "track down" torrents? Or porn? Or any other thing that the powers-that-be don't want you downloading? Am I the only one who sees major problems with ISPs being put in a watchdog role?
I can't believe nobody has brought this up. Am I in the right place? Is this slashdot?
Asian hackers are being rewarded for their efforts in cybercrimes; moreover, they are being regarded as national heroes. When groups of Chinese hackers compromised United States Government secured sites, there was no retribution for their actions. The situation is more dire than most of us are aware. Simply having "security" people will not be enough. Just look at all the money that is being wasted on the war on drugs, and we are barely making a dent. There has to be a better way. Let's force the ISPs to be self-regulating and impose fines on those ISPs that are harboring these individuals. Also, we can make our IPs inaccessible by certain IP segments. Let's tackle this issue before it gets any more serious. God Bless America!
Googling for conficker gave me wikipedia's entry
http://en.wikipedia.org/wiki/Conficker
Looking through conficker's entry gave me the vector MS08-067
Googling for the vector gave me this article
http://www.phreedom.org/blog/2008/decompiling-ms08-067/
Is it that Win32 lacks a high-quality, well-tested, easily reusable path class, or is it that Microsoft is such a large company that a rogue programmer circumventing the approved safe path class and engaging in not-invented-here-roll-your-own antics is commonplace?
It depends how it is done.
If the ISP goes "you're sending out a huge number of emails - you're either a spam bot or a server, so we're locking you down" then that's not being the police. Action like that is just enforcing fair use on a network and ensuring everyone gets an even share without service being degraded by someone else. There's generally a rather obvious point at which someone goes from "sensible home usage on a home broadband connection" to "some kind of spammer or bot".
"Tracking down" illegal torrents tends to require DPI, which is much more like the police, and blacklisting all torrenters is potentially stopping legit emails, which isn't fair on anyone.
As long as there is some kind of control to compensate and/or resolve false-positives and as long as it doesn't turn to criminal proceedings without police involvement then I can't see a problem with ISPs doing the normal job of service providers - monitoring their service for abusers.
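One way to implement the volume-based check this post describes, as an added example that is not from the post or from any ISP's tooling: it works only from flow metadata (addresses and destination port, so no DPI), counts outbound TCP/25 sessions per customer address in a sliding one-hour window, and exempts addresses the customer has registered as a mail server so that false positives have the explicit resolution path the post asks for. The thresholds, the flow-line format and the sample records are all assumed and constructed here.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Illustrative thresholds (assumed, not from the thread): a home connection
# rarely opens dozens of SMTP sessions to many distinct mail hosts in an hour.
WINDOW = timedelta(hours=1)
MAX_SMTP_CONNECTIONS = 20
MAX_DISTINCT_DESTINATIONS = 10
# Customers who registered a legitimate mail server (the "or a server" case)
# are exempted: this is the explicit false-positive resolution path.
REGISTERED_MAIL_SERVERS = {"10.0.0.50"}


def parse_flow(line):
    """Parse a constructed flow line: '<iso-timestamp> <src> <dst> <dst-port>'."""
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)


def find_smtp_abusers(flows):
    """Return {src: (connections, distinct_dsts)} for sources over threshold.
    Only TCP/25 flows are considered; a sliding window keeps each source's
    SMTP flows from the last WINDOW, so a burst anywhere in the log is caught."""
    smtp = defaultdict(list)
    for ts, src, dst, port in sorted(flows):
        if port == 25 and src not in REGISTERED_MAIL_SERVERS:
            smtp[src].append((ts, dst))
    abusers = {}
    for src, events in smtp.items():
        window = []
        for ts, dst in events:
            window = [(t, d) for t, d in window if ts - t <= WINDOW]
            window.append((ts, dst))
            count, distinct = len(window), len({d for _, d in window})
            if count > MAX_SMTP_CONNECTIONS or distinct > MAX_DISTINCT_DESTINATIONS:
                abusers[src] = (count, distinct)
    return abusers


def constructed_flows():
    """Constructed sample records: one bot, one normal user, one mail server."""
    base = datetime(2009, 4, 22, 8, 0, 0)
    lines = []
    for i in range(30):  # bot: 30 sessions to 30 different hosts in ten minutes
        lines.append(f"{(base + timedelta(seconds=20 * i)).isoformat()} 10.0.0.7 203.0.113.{i + 1} 25")
    for i in range(3):  # normal user: three mails via the ISP smarthost
        lines.append(f"{(base + timedelta(minutes=15 * i)).isoformat()} 10.0.0.8 198.51.100.10 25")
    lines.append(f"{base.isoformat()} 10.0.0.8 198.51.100.80 443")  # ordinary web traffic
    for i in range(100):  # registered mail server: heavy but legitimate, exempted
        lines.append(f"{(base + timedelta(seconds=30 * i)).isoformat()} 10.0.0.50 203.0.113.{i % 40 + 1} 25")
    return [parse_flow(line) for line in lines]
```

Running `find_smtp_abusers(constructed_flows())` flags only 10.0.0.7; the three-message home user and the registered server are left alone.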
Am I in the right place? Is this slashdot?
Nope, you got lost and have somehow ended up on NEGA-SLASHDOT. MWAHAHAHAHAHAHA!
Didn't you notice all of our nifty goatees?
Ethical Hackers Against Pedophilia
Great group of kids helping fight against child porn, lots of talented "hackers" involved for that time period... and ya know what... they were considered outlaw vigilantes. So I ask, what kind of authority is a government going to be willing to give to a "hacker"? Especially in light of the fact that any non-technical politician isn't going to know the difference between black, white, and gray hat hackers.
"This is the value of a summer spent and a winter earned"
The only company to blame for the 'botnet' and the sending of all the spam via 'zombie computers' is Microsoft. Windows, as we all know, is a virus haven. Attempts by AVG and Microsoft's own anti-malware software have helped, but have not stopped it. The 'success stories' in raiding and taking down a couple of botnet groups are no success story. They simply open shop somewhere else. The internet has grown SO HUGE and so global that no amount of 'man power' in terms of police force, like a friken 'special ops' force, will do any good whatsoever. All it will result in are lawsuits for privacy invasion. Also, what about countries like Russia, where most of the botnet lives? The US or UK cannot touch them, legally, whatsoever. So, the solution? Microsoft needs to be held accountable, and redesign the core of Windows to stop all the zombies... alas... good luck with that.
Do we really need another "War on X"?
I am surprised that no one has brought up the "evil" bit from RFC 3514. Is this really Slashdot?
"That being said, vigilantism isn't the approach either" - by emocomputerjock (1099941) on Wednesday April 22, @08:16AM (#27673271)
Per my subject-line: This exchange from the film "The Watchmen", fits here imo...
----
Nite Owl: "How long can we keep this up?"
The Comedian: "Congress is pushing through some new law that's gonna outlaw masks - our days are numbered. Till then, it's like you always say: 'We're society's only protection'... "
Nite Owl: "From what??"
The Comedian: "What're you kidding me? From themselves...!"
----
Next thing you know? They'll make some law that stops others from helping others... in this art & science, for security.
APK
P.S.=> Nite Owl: "What the hell happened to us? What happened to the 'American Dream'??"
The Comedian: "What happened to the American Dream?!? IT CAME TRUE (you're lookin' @ it)... "
apk
that the solution to spam (and malware) is the marines. Nothing takes a spammer off of the net faster than lead. Kind of shakes up that risk-reward balance a bit.
Net neutrality, by most people's interpretation, means the ISPs cannot do anything about botnets.
Giving ISPs the responsibility but without the authority to really do anything about it just leads to a disaster where, once again, nobody is accountable.
Time to face reality. Botnets are a minor annoyance to properly configured machines and a complete meltdown catastrophe to improperly configured machines. Sorry, but if you want thousands (millions?) of Joe Sixpacks and Grandmas being the "system administrator" for a computer that absolutely requires one, you are going to have this kind of problem. And it isn't going to change, no matter what anyone does.
Without real international agreement, nothing can be done about this. And that agreement isn't going to be coming along anytime soon.
What if we replaced computers with glorified video game consoles with web browsers? It would be like the old WebTV thing, but it could work more like a PC (interface-wise). The user's preferences are saved on the server, but otherwise the machine runs off a flash ROM, or a VM that the manufacturer maintains. When the screen saver kicks in the system resets; when they come back, the preferences change the interface to have the picture of the grandkids or a lolcat as the wallpaper.
All it needs to do is browse the web, chat, vid cam, run MSO (or something that can Save As .doc).
Utilizing the synergization of benchmark e-solutions to pre-workaround action items!
it won't faze the RBN -- or others like them -- at all.