Hacking Matures As A Criminal Discipline
July 2006
The increasing criminalization of hacking concerned speakers at (ISC)2’s SecureLondon conference on 20 June. "It’s no longer an issue of hacking for fun and games or defacing a website," said former eBay and Microsoft security chief Howard Schmidt in his keynote speech. Schmidt went on to detail how peer-to-peer networks are being used by criminals as a source of confidential corporate and personal information. Schmidt, also a former cyber security adviser to the US presidency, said that corporate data leakage might be tackled by implementing a confidentiality classification system similar to those used by governments. However, this would not eliminate the problems posed by portable drives.
Jon Carpenter, a systems engineer for security software vendor McAfee, said that since 2004, malware writers have moved from noisy vandalism to raising botnet armies as quietly as possible. The turning point was the spring 2004 slanging match between the writers of the Netsky, Bagle and MyDoom viruses, conducted through messages embedded in the code; even then, the aim of the malware was to control machines remotely.
Since then, establishing such botnets without detection, for lucrative illegal purposes including identity hijacking and spam generation, has become the main aim of malware. Carpenter said this has affected the quality of its code. "More and more, they are doing it for money," he said. "It’s a shame to say, some of it is very good, it’s been tried and tested." This seems to include checks for quality and to ensure it is not caught by current releases of anti-virus software.
The result is that some 18 to 20 million machines have been corralled into botnets, McAfee estimates, compared with 10-12 million in January, and 3-4 million in January 2005. "It is widely accepted that there are enough bots to take down the internet," said Carpenter - but their operators have no interest in doing so, as this would stop their income.
Spam 83% of all email
Spam, which is often produced by such botnet machines, made up 83% of all email the day before the conference (on 19 June) according to Postini’s figures, Carpenter added, and one car manufacturer he has worked with delivers just 1.6% of the email it receives to its staff.
Carpenter said that zero-day attacks allowed little or no time for firms such as his to prepare blocking and removal for such malware - and he warned that a new kind of "metamorphic" virus (sent in by its writer rather than found in the wild) had taken a senior McAfee researcher three months to reverse engineer, while some rival firms took more than nine months.
Instead, organizations must make it harder for such attacks to work, as well as trying to block malware through conventional anti-virus scans. This could include mitigating common vulnerabilities such as buffer overflows, blocking certain ports on routers, and locking down aspects of corporate networks.
But education was also required: "The human has got to be the weakest point," Carpenter said. "A lot of viruses get out by email still. Users will still click on stuff."
Ignorance not malice
Paul Hansford of Siemens Insight Consulting backed this up when seeking to make a point on the definitions of ‘threat’ and ‘vulnerability’. He said employees are often seen to represent the greatest potential threat to infosecurity, but most compromising actions result from ignorance, not malice. "I would suggest the insider is the greatest potential vulnerability," he said.
Fred Piper and Kenny Paterson of the security group at Royal Holloway, University of London, discussed one way to buy time for the building and distribution of solutions to problems: the method in which academics release information on such problems.
"If you perform research and find a flaw, it can become an attack [regardless of intent]," said Professor Piper. For those in this field, he added: "The dilemma is clear, the solution isn’t."
Paterson described how he had dealt with a flaw uncovered by doctoral student Arnold Yau and himself in the Linux implementation of IPSec, a suite of security protocols at the IP layer of network communications.* The problem was relatively low-impact and could be solved fairly easily by users, but Royal Holloway did not know how to tell vendors without also alerting those who would exploit the flaw for criminal ends before alterations could be made - the likely result of releasing it straight to the media.
NISCC: the British approach to vulnerability disclosure
Instead, the academics presented their findings to the UK government’s National Infrastructure Security Co-ordination Centre (NISCC), and demonstrated the attack to its staff. NISCC told vendors about the vulnerability in April 2005, then made a public announcement in May, which was relayed by US-CERT and Aus-CERT, the US and Australian equivalent organisations to NISCC.
However, Fred Piper said that there are likely to be much harder cases for academics to deal with in future - for instance if a flaw was in hardware such as smartcards or vehicles, which could not be patched and would take years to replace, or if there was no solution to a problem they discovered.