Read previous: Generations of DoS attacks 3: examples of attacks and insider’s view of LulzSec story

CloudFlare’s CEO and co-founder Matthew Prince provides some additional details of the kerfuffle around Lulz Security’s activities during June-July 2011: the origins of their website traffic spikes and the different types of DDoS attacks CloudFlare was experiencing in that time frame. As a conclusion of this Defcon presentation, Sam Bowne talks about defenses against denial-of-service attacks.

Traffic to LulzSec website

I can talk about some things, I can’t talk about everything. I can talk about how these things affected us. I don’t want to get the host necessarily that they were using in trouble, so I’m not gonna be revealing their exact IP addresses. But let me tell you a little bit more about what happened over those 23 days.

This is the actual traffic to Lulz Security’s website (see stats on the image). Over those 23 days, they received a little over 18 million page views as people went to that site. You can see it peaked early, and then it trailed off since then.

Spike of traffic to LulzSec website

What’s interesting is that we can actually look at what is just the attack traffic and break that down. And, you know, I would say that this attack traffic up until this spike (see image), kind of in the middle there was almost just background noise. It was not something that we were particularly concerned with. In fact, the three weeks that Lulz Security was on CloudFlare were actually three of the quietest weeks for denial-of-service attacks that we had seen, which is strange because a lot of people were saying that they were attacking them. There was this one spike in the center, but that seems to have been caused by a couple of very distinct events that they engaged in, and I’ll talk about what that is. And then I’ll talk about exactly what was the sort of attacks that we saw for Lulz, against Lulz, and what we did to defend ourselves; and then the ones that were sort of annoying to us.

Jester's post about his research of LulzSec site's IP configuration

So, one thing that was particularly interesting was on June 25th, this is the Jester. He publishes a post on his website (see screenshot). He spent a huge amount of time trying to figure out where the LulzSec site was hacked, and he proudly pronounced what has become gospel, which was that www.lulzsecurity.com was at 204.197.240.133, and lulzsecurity.com was at 111.90.139.55.

I know where the site was on June 25th, and I tell you it wasn’t there at all. In fact, they used seven different hosts over the course of 23 days. The original host was in Montreal, Canada. They were briefly in Malaysia, but it was in early June. It was that 111 address, that’s accurate. I don’t know where the other address comes from.

Most of the hosts that they used were actually U.S.-based hosts, including one large host that specifically specializes in DDoS mitigation. Ultimately they were using German hosting, that’s where they still are today.

Cached version of LulzSec website provided by CloudFlare

One thing that was interesting was that a lot of people claimed that they had found some way to knock Lulz Security offline, and they posted pictures online. This is actually a service that we offer at CloudFlare, which is if your back-end origin server goes down, then we actually show a cached version of this, and we put on an orange bar across the top that says: “You are viewing a cached version” – sort of like if you view as cache in Google (see screenshot).

What’s interesting is that while a lot of the world was claiming that they had done this, what I think actually must have happened is that the Lulz Security guys got kicked off their host, because for a brief period of time, for about a 36-hour period, what they did was they were actually pointing their IP address at 2.2.2.2, which is invalid, there is no host, there is no web server running there. I think they just picked a random IP address. And what that did was it caused our system to kick into the ‘always online’ mode. That actually caused that cached version to exist for a limited period of time until that cache expired. At that point, they pointed it back to a host for a short amount of time, then pointed back to a fake address, taking it up.

I am not aware of any person or any time when the Lulz Security site was actually knocked offline, in spite of the fact that a lot of people were trying to do that. On the other hand, they knocked a lot of people offline, which was interesting to watch.

With regard to a lot of the attacks that we saw, you know, we were really surprised. We had everyone on high alert. We were watching for big attacks to come in. And the attacks that we saw were generally significantly less than we would have expected.

Pissing off the hackers that populate Twitter is not nearly as dangerous as pissing off the Chinese cyber mafia or the Eastern European cyber mafia, or people that run really big extortion attacks – they run big DDoSes. These guys, you know, they are clever, but it’s not the same league.

We saw some Layer 7 attacks that were relatively harmless. Well, SlowLoris and some of those tools are interesting to attack an individual web server, and CloudFlare was specifically designed not only to stop Layer 7 attacks dead, but we actually then record all the IP addresses that are committing those attacks. We actually are happy when people attack us over Layer 7.

The more annoying attacks for us were the Layer 3 and Layer 4 DDoS attacks. But we run a network which is an anycast network, and what that means is we have a bunch of machines, hundreds, and hundreds, and hundreds of machines, running in 14 different data centers all around the world, listening on the same IP address. So that tends to take DDoS attacks or high-volume attacks and spread them out over a very large surface area, which makes it much more difficult to launch something like that against us.

What is more interesting though about the annoying attacks that hurt us were a couple of different things. The first was that someone had a really big network and a lot of traffic, and they pointed almost all of it at us. And it happened that their network was geographically proximate to our San Jose data center, and so they were doing enough bandwidth to our San Jose data center. What we did was we took all of our clients other than Lulz Security and moved them to other data centers. No one ever noticed. But the San Jose data center for that period of time was only serving Lulz Security, kept them online though.

Another attack that was really interesting – it’s actually not a particularly big threat to most people, it was a threat to us – was using Google as a reflector. We have special rules that were in place for Google’s IP addresses in order to make sure that we’re never blocking legitimate crawler traffic from coming to us.

So, someone who is actually very clever found out that if they sent a lot of SYN[1] requests with fake headers pointing back at our IP addresses to Google, Google would ACK[2] back to those. And that actually created some issues for us internally. We found a pretty easy solution, we blocked the ACKs that didn’t have a SYN attached to them, and we called our friends at Google and said they would never get origin traffic coming from this, so they should just firewall it off, and that was solved within a few minutes. That was actually a clever attack that looked at the nature of how our system worked and challenged us based on that.

The last one which was the most annoying was when someone did a thorough scan of our IP address ranges and found some exposed router interfaces that were out there, and figured out the routers that we were using or just dictionary-attacked[3] against the routers, we are not sure. And they were able to launch attacks that actually shut down some of our routers. They were able to bypass anycast because those were specific to that. The solution, again, was fairly straightforward: we just blocked those IP addresses off to the outside network. But it was the attack that actually caused us the biggest problem and knocked a couple of our routers offline for a couple of minutes.

But largely, again, when I compare the big attacks that we see when a client of ours gets a letter in the mail that says: “Hi, I’m a helpful Chinese government agency. By the way, we’ve detected on your network that someone is going to attack you. If you send us 10,000 dollars, you know, we can probably do something about it”. Obviously, that’s not a real Chinese agency, and they really can do something about it because they are launching it. Those are big attacks. These were relatively small by comparison.

So, a couple more things that were interesting. The first was when the Jester and all those guys were attacking. That’s sort of background noise pattern. What really started to trigger pissing people off was when the Lulz Security guys went after Minecraft[4]. And that was the real spike in traffic, and then the drop back off in traffic was caused when they stopped attacking Minecraft.

In fact, internally in our office, the biggest debates were in terms of whether we should drop them off our network or not came from the Minecraft aficionados who said: “You’re now causing me pain, and that’s not cool”. So, I guess the lesson is that if you are going to launch DDoSes against people indiscriminately, don’t pick on Minecraft.

I have very little information on who the Lulz Security folks actually are. I will say that one of the usernames that signed up for the CloudFlare account is very, very similar to one of the names that’s been arrested. I don’t know if that means that it’s just a coincidence or that they’ve actually been taken offline. We haven’t seen much activity move their host around; again, their website is down now. But it was an interesting 23 days watching all kinds of the attacks and all the world trying to take them down, seeing how we could help keep it up, for better or worse.
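The Google-reflection fix described above (“block the ACKs that didn’t have a SYN attached to them”), as an added Python illustration that is not CloudFlare’s code: a stateful edge filter drops ACK-bearing packets that match no connection the edge knows about, even when they come from an allow-listed crawler address. The packet a host returns to a spoofed SYN is a SYN-ACK (the “ACK” in the talk); all addresses and ports are constructed.

```python
"""Stateful filter for reflected SYN-ACKs (added illustration, constructed data)."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset      # e.g. frozenset({"SYN"}) or frozenset({"SYN", "ACK"})


SYN = frozenset({"SYN"})
SYN_ACK = frozenset({"SYN", "ACK"})
ACK = frozenset({"ACK"})


class StatefulEdgeFilter:
    """Tracks flows opened in either direction; an ACK with no matching flow is
    treated as reflection (or a stray) and dropped."""

    def __init__(self, edge_ips, allow_listed=(), max_syn_per_source=100):
        self.edge_ips = set(edge_ips)
        self.allow_listed = set(allow_listed)   # crawler ranges exempt from SYN budgets
        self.max_syn = max_syn_per_source
        self.syn_count = Counter()
        self.flows = set()                      # (edge_ip, edge_port, peer_ip, peer_port)
        self.dropped = []

    def outbound(self, pkt):
        """Called for packets the edge sends; remember SYNs the edge itself originates."""
        if pkt.src in self.edge_ips and pkt.flags == SYN:
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def inbound(self, pkt):
        """Return 'allow' or 'drop' for a packet arriving from the Internet."""
        if pkt.dst not in self.edge_ips:
            return self._drop(pkt)
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.flags == SYN:
            # A client opening a connection: the allow-list only exempts this path
            # from the per-source SYN budget, it says nothing about stateless ACKs.
            self.syn_count[pkt.src] += 1
            if pkt.src not in self.allow_listed and self.syn_count[pkt.src] > self.max_syn:
                return self._drop(pkt)
            self.flows.add(key)
            return "allow"
        if "ACK" in pkt.flags and key in self.flows:
            return "allow"                      # answers a SYN we sent, or continues a client flow
        return self._drop(pkt)                  # ACK/SYN-ACK with no state: reflection

    def _drop(self, pkt):
        self.dropped.append(pkt)
        return "drop"


def reflection_scenario():
    """Replay the exchange from the talk with constructed addresses; return the
    filter's decisions keyed by step."""
    edge, crawler, client = "198.51.100.10", "203.0.113.5", "192.0.2.77"  # RFC 5737 ranges
    f = StatefulEdgeFilter([edge], allow_listed=[crawler])
    d = {}
    # 1. Attacker sends SYNs to the crawler with the edge's address as source; the
    #    crawler's SYN-ACK lands on the edge with no matching flow.
    d["reflected_synack"] = f.inbound(Packet(crawler, 80, edge, 40000, SYN_ACK))
    # 2. The edge fetches from the crawler's site itself; that SYN-ACK has state.
    f.outbound(Packet(edge, 40001, crawler, 80, SYN))
    d["legit_synack"] = f.inbound(Packet(crawler, 80, edge, 40001, SYN_ACK))
    # 3. An ordinary visitor: SYN in, then the ACK completing the handshake.
    d["client_syn"] = f.inbound(Packet(client, 51000, edge, 80, SYN))
    d["client_ack"] = f.inbound(Packet(client, 51000, edge, 80, ACK))
    # 4. Allow-listing covers connection attempts, not reflected ACKs.
    d["reflected_again"] = f.inbound(Packet(crawler, 80, edge, 40002, SYN_ACK))
    d["dropped_total"] = len(f.dropped)
    return d


if __name__ == "__main__":
    for step, verdict in reflection_scenario().items():
        print(f"{step:18s} {verdict}")
```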

Defenses against DoS attacks

Sam Bowne: You know, I’ve been giving a lot of talks, and attack is easier than defense. So during my talks I used to say: “Oh, here is my new attack, it blows everything away, ha, ha, ha! And if you don’t like it – tough, you have to wait for Microsoft to patch it or something. Basically, you’re hosed”. This is a common message you’ll hear at Defcon or other conferences, but I am trying to move up. So, by the way, there are some defenses. I am trying to move into defense, which is tougher. Most of the time defense is difficult.

Now, if you wanna block those router advertisement floods, you can turn off IPv6 – that will protect you, but IPv6 is necessary and it does things that you probably want, like HomeGroup and DirectAccess. You can turn off Router Discovery with a netsh command at the command line. And that will mean that your machine does not listen, does not do anything when it gets RAs, and it will protect you against this attack. It will mean you have to put a static IPv6 address on it, which is probably the right thing to do on a server.

You can block it with the Windows Firewall, only accept router advertisements from the authorized router, and that will protect your clients, although it is pretty easy to defeat that by just making rogue router advertisements that appear to come from that source address, but it will stop the attacks to some extent.

Next header fields in IPv6 and extension headers

And Cisco makes a switch with RA Guard. Cisco patched their own vulnerabilities with this. So if you buy a Cisco switch with RA Guard, you’re good. Anyway, you can evade that pretty easily by putting in fragmented router advertisements, which will bypass Cisco RA Guard. So, for every defense there is another attack.

Bypassing Cisco RA Guard via fragmented router advertisements

But anyway, as far as defending, my conclusion has been for a long time: the only reason your website is up is because nobody hates you. If even one person hated you, it would be down. That’s what the Jester proves. That’s why the Jester is so important to network security: he proves that just one angry man can take down a lot of websites – and you are helpless, basically. It’s not entirely true you are helpless, but the defense seems to be a little difficult to put in.

I tried playing with some defenses. You can use Mod Security. Now, in laboratory conditions, Mod Security’s latest version has an Anti-Layer 7 DoS feature, but all it does is stop too many connections from the same IP address, so it will save you from a test on your network but it won’t stop the Jester because he goes through Tor or some similar network, and all the attack packets come from different networks.

You can pay a service like Akamai to protect you, and they’ll use a few tricks to protect you.

Load Balancer

You can put in a Load Balancer (see screenshot). Load Balancer will protect your server by only letting complete requests make it to the server. But the Load Balancer itself will go down if you got enough traffic. It’s a defense, but it’s not a perfect defense. It took some four times as many packets to freeze the Load Balancer in my test, so it’s something.

You can also do things like counterattacks. If somebody tries to attack you with a botnet, you can point your DNS address back to their command and control server, and they’ll blow themselves away. That’s questionably legitimate, but it’s effective of course and it will work against flood attacks like Anonymous’ Low Orbit Ion Cannon.

But I was very pleased to observe CloudFlare here. Because I got the same talk to them about these horrible attacks, there is not much you can do. Now I am contacting people out of the blue to tell them that they have vulnerabilities exposed on Pastebin, to try to get them to fix that stuff.

They are typically small businesses that don’t know much, that don’t have any security team. I cannot tell them to purchase and implement an extra server to protect their server, but what I can do is tell them to use CloudFlare which is a free service. That’s not too hard to do, and it really will protect you, and I was really pleased to observe that it really stopped the Jester. The Jester really wants to take them down, and he really can’t. This is the first time that I’ve seen us do that, and you can easily deploy it without having an expensive network security team.
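The two host-side RA defenses described in this section (accept router advertisements only from the authorized router, and, as the talk says the Mac does, honour only the first ten or so per period and ignore the rest), as an added Python illustration that is not Windows, Cisco or Sam Bowne’s code. The router address, the prefixes and the flood timeline are constructed, and the 60-second window length is an assumption; the flood spoofs the authorized source, since the talk notes that source spoofing defeats the firewall rule, which is why the rate limit is the part that actually holds.

```python
"""Router Advertisement acceptance policy for a host (added illustration)."""
from collections import deque

AUTHORIZED_ROUTER = "fe80::1"   # constructed; use your real router's link-local address
MAX_RAS_PER_WINDOW = 10         # talk: the Mac ignores RAs after about the first 10
WINDOW_SECONDS = 60.0           # assumed length of that quiet period


class RaPolicy:
    def __init__(self, authorized=AUTHORIZED_ROUTER,
                 limit=MAX_RAS_PER_WINDOW, window=WINDOW_SECONDS):
        self.authorized = authorized
        self.limit = limit
        self.window = window
        self.accepted_at = deque()   # timestamps of RAs honoured inside the window
        self.prefixes = set()        # prefixes the host has configured addresses for
        self.alerted = False         # set once the limit trips; a real host would log here

    def handle(self, ts, src, prefix):
        """Decide what to do with one RA (timestamp in seconds, source address,
        advertised prefix). Returns 'unauthorized', 'rate-limited', 'duplicate'
        or 'joined'."""
        if src != self.authorized:
            return "unauthorized"            # the Windows Firewall style rule
        # Slide the window: forget accepted RAs older than `window` seconds.
        while self.accepted_at and ts - self.accepted_at[0] > self.window:
            self.accepted_at.popleft()
        if len(self.accepted_at) >= self.limit:
            self.alerted = True
            return "rate-limited"            # the Mac style rule: ignore the flood
        self.accepted_at.append(ts)
        if prefix in self.prefixes:
            return "duplicate"               # normal periodic RA from the real router
        self.prefixes.add(prefix)            # would add an address and a route here
        return "joined"


def ra_flood(policy, n=100, rate_per_second=100.0, spoof_src=AUTHORIZED_ROUTER):
    """Feed n RAs, each with a fresh prefix, at the given rate (the talk's flood
    runs at 100 per second). Source defaults to the spoofed authorized router.
    Returns a dict of outcome counts."""
    outcomes = {"unauthorized": 0, "rate-limited": 0, "duplicate": 0, "joined": 0}
    for i in range(n):
        ts = i / rate_per_second
        prefix = "2001:db8:%x::/64" % i     # documentation prefix, constructed
        outcomes[policy.handle(ts, spoof_src, prefix)] += 1
    return outcomes


if __name__ == "__main__":
    p = RaPolicy()
    print(ra_flood(p), "prefixes joined:", len(p.prefixes))
```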

 

[1] SYN request is a component of TCP connection establishment where the client sends a SYN to the server in order to get a response.

[2] ACK is a signal passed between communicating processes or computers to signify acknowledgement, or receipt of response, as part of a communications protocol.

[3] Dictionary attack is a technique for defeating a cipher or authentication mechanism by trying to determine its decryption key or passphrase by searching likely possibilities.

[4] Minecraft is a sandbox-building independent video game written in Java originally by Swedish creator Markus “Notch” Persson. Minecraft allows players to build constructions out of textured cubes in a 3D world.

Read previous: Generations of DoS attacks 2: Layer 4, Layer 7 and Link-Local IPv6 attacks

In this part, Sam Bowne demonstrates each major type of DoS attack, showing the actual implementation process and the potential damage that may occur. CloudFlare CEO Matthew Prince then takes the floor to tell his story of reluctant ‘cooperation’ with LulzSec hacktivists.

Let me show you a few of these attacks. I should have some virtual machine set up. Well, this is how I do it in class with my students: I use virtual machines on an isolated network. Well, I’ll tell you a little more when I get there.

Current connections on the web server

Let’s start with the old-fashioned attacks. Here I got a BackTrack 5 Linux machine, and it’s running as a web server. I put up a sample web page, so if I go to localhost and refresh, it is sending out that web page. If you run this page (localhost/server-status), you can see the status of your server. Okay, that’s the server status, and down here are the current connections (see screenshot). There is one connection waiting here and all the rest are available out of hundreds of connections available.

This server can handle hundreds of people viewing that web page. So, if I go to that test page and refresh, it should show up on server status page as another connection – and so it does. Now I have a couple of connections. So, now let’s attack this poor Linux machine from a Windows machine.

Low Orbit Ion Cannon attack in action

Configuring Low Orbit Ion Cannon

We will start with old-fashioned stuff – Low Orbit Ion Cannon. And Low Orbit Ion Cannon is here, the thing that Anonymous people use as a short way of going to prison. So I put in the IP address and press the ‘Lock on’ button, and the IP address appears as a selected target, and I can now do different kinds of attacks here. In addition to sending you to prison, Low Orbit Ion Cannon isn’t very well written, doesn’t let you see what you need to see well. So, I am going to send an HTTP request and I am charging my laser, and now it’s sending stuff, sending complete requests back to my poor target.

Connections status during Low Orbit Ion Cannon attack

So, my poor virtual machine has now started showing new connections on server status page. It’s filling up with a bunch of C’s. Now, those C’s are connections at the web server. It is gradually filling up here (see screenshot), so it is using up all that the web server can do. And again, what it’s doing is complete connections: they form a connection, they download that little web page, and then they wait to time-out. This does fill up all the connections and makes the web server unavailable, but it does it in a very weak way because each connection terminates normally and then just ends its time normally, so it only ties it up for a couple of seconds. That’s what this one does.

SlowLoris attack process

Initiating SlowLoris attack

Let’s now get to SlowLoris which is much more powerful. I have to put that IP address in the ‘HTTP attack (slow headers and slow POST)’ interface (see screenshot) and push ‘Run attack’. Then I go back to the server status page – and see the connections are filling up with R’s. Those are pending requests; each one of those will take 400 seconds to time out by default. So, you don’t need to send very many of them, and it uses up all available incoming lines – and this server is toast. That’s the Slowloris attack, and the HTTP POST[1] attack is similar. It’s very powerful and very dangerous.

Link-Local IPv6 attack implementation

Ipconfig before Link-Local IPv6 attack

Anyway, now that I have shown how to kill Linux with Windows, let’s go the other way, with a more powerful attack. Let me set up my poor Windows machine to show you the evil that is about to happen to it. So, if I go into ipconfig[2] you see this machine is an ordinary Windows machine. I put on a static address 2::2 in IPv6, and it’s got an IPv4 address, and really not much else going on. Using the Task Manager is a good way to see the damage that’s gonna happen to this machine. The CPU usage is now at 0%.

Pre-defined IPv6 address assigned to the targeted machine

Now, if I send some IPv6 packets here, I am gonna do fake_router6 first, let’s send it to def:c0::. And now it is sending some packets advertising that network; all the devices on that network have been commanded to join it. And there it is – it’s made the address start with def:c0:: (see screenshot). Now, this is what’s supposed to happen when you add a router in a normal course of events: I add a router, it advertises its prefix, everybody joins – and the game is over.

But if I send a flood of unwanted packets at the rate of 100 per second, we see that CPU usage on our target machine is 100%, and it’s just gonna sit there at 100% for a long, long time. And what’s worse is it kills so bad that you can’t see the address.

The attack makes the PC join multiple networks

If you go into ipconfig and stop it really fast, this will actually respond without waiting forever, and you can see what it’s done: it’s joined all these networks – page after page of networks (see screenshot). That’s what it’s doing. And it’s still adding more to that list, at the rate of about 5 per second.

So, this is alright, but when I first tried it, I ran it for a while and nothing seemed to happen, and all of a sudden – hey, my Windows machine doesn’t respond at all. What happened? Well, this is no fun, my students don’t learn anything if they can’t look at the damage. So I thought this was a bad project, what do I do? And then I thought – hey, wait a minute, this would kill the domain controller, and the email server, and everything. This is really bad. This is so bad I cannot tell my students at all. I’d better tell Microsoft quietly.

So I sent out a Tweet and said: “Hey, this attack hurts Windows 7”. And then I said: “I need a security contact inside Windows”. I added some other people on Twitter, which immediately gave me good people inside Microsoft, and they sent me to the right people. Within two days, I had an official answer from Microsoft, saying: “Yes, van Hauser told us about that a year ago, and we don’t care. We’re not gonna do anything about it for current versions of Windows. We do not care that Windows Vista, Windows 7, Windows Server 2003, Windows Server 2008, XP are all gonna die at the drop of a hat. We may put it in Windows 8 or Windows 9 or something, if we have nothing better to do”. I said: “Fine! If you’re gonna be that way, I’ll tell the whole world about it”.

Microsoft refuses to roll out a fix for the Link-Local IPv6 issue on current Windows versions.

Judging from my research, Windows machines are vulnerable to this, and one version of BSD Unix is vulnerable to this attack. You can run the attack on a Mac too, the Mac is the host. It joins some of these useless networks, but it doesn’t join them all – about the first 10 and no more. It has the sense to ignore all router advertisements after the first 10, for some period of time, which is a pretty good defense. And that’s what I think Microsoft should do in Windows, but they are not interested in my opinion.

I gave it to my students for homework and said: “Use an isolated network, don’t kill every machine at the college – because you could kill every machine at the college, including our servers and everything else”. And my students didn’t kill the whole college with it, which is very nice of them. Therefore I am still working there, I am not on the street with a tin cup.

Anyway, that’s the power of that attack, and we should as well talk a little bit about defenses. But I think before I do that, I am gonna hand it over to Matthew here.
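The demo above reads the attack state off Apache’s server-status page by eye: LOIC fills the scoreboard with ‘C’ (closing connection) slots, Slowloris with ‘R’ (reading request) slots that only time out after the default 400 seconds. As an added Python example that is not from the talk, this parses the scoreboard out of a mod_status page and returns a verdict; the three status pages are constructed samples for a 64-slot server.

```python
"""mod_status scoreboard watcher (added illustration, constructed sample pages)."""
import re
from collections import Counter

# Apache's scoreboard legend: "_" waiting, "S" starting, "R" reading request,
# "W" sending reply, "K" keepalive, "D" DNS lookup, "C" closing connection,
# "L" logging, "G" gracefully finishing, "I" idle cleanup, "." open slot.
SCOREBOARD_RE = re.compile(r"<pre>([_SRWKDCLGI.\s]+)</pre>")


def parse_scoreboard(html):
    """Return (Counter of slot states, total slots) from a server-status page."""
    m = SCOREBOARD_RE.search(html)
    if not m:
        raise ValueError("no scoreboard <pre> block found")
    board = re.sub(r"\s+", "", m.group(1))   # mod_status wraps the board every 64 chars
    return Counter(board), len(board)


def assess(counts, total, threshold=0.5, free_floor=0.1):
    """Classify the scoreboard:
    'slowloris' : at least `threshold` of all slots are stuck reading headers
    'flood'     : at least `threshold` of all slots are closing connections
    'saturated' : fewer than `free_floor` of slots are free, in some other mix
    'normal'    : otherwise"""
    if total == 0:
        raise ValueError("empty scoreboard")
    if counts["R"] / total >= threshold:
        return "slowloris"
    if counts["C"] / total >= threshold:
        return "flood"
    if (counts["_"] + counts["."]) / total < free_floor:
        return "saturated"
    return "normal"


def verdict_for(html):
    counts, total = parse_scoreboard(html)
    return assess(counts, total)


def status_page(board):
    """Wrap a scoreboard string in the markup mod_status uses (constructed)."""
    rows = "\n".join(board[i:i + 64] for i in range(0, len(board), 64))
    return ("<html><body><h1>Apache Server Status</h1>\n<pre>" + rows + "\n</pre>\n"
            "<p>Scoreboard Key:<br />\"_\" Waiting for Connection ...</p></body></html>")


# Constructed samples: a quiet server, a Slowloris-style hang, a LOIC-style flood.
QUIET = status_page("WW__R" + "_" * 9 + "." * 50)
SLOW_HEADERS = status_page("R" * 60 + "WW__")
LOIC_FLOOD = status_page("C" * 40 + "W" * 10 + "_" * 4 + "." * 10)


if __name__ == "__main__":
    for name, page in (("quiet", QUIET), ("slow headers", SLOW_HEADERS), ("flood", LOIC_FLOOD)):
        print(f"{name:13s} -> {verdict_for(page)}")
```

The server-side counter to the 400-second default the demo mentions is Apache’s mod_reqtimeout (for example `RequestReadTimeout header=20-40,MinRate=500`), which caps how long a client may take to finish sending its headers.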

LulzSec: Behind the Scenes

Matthew Prince: So my name is Matthew Prince, and I know Sam, we both live in San Francisco. Sam is the only person I know who can make running DDoS attacks seem charming. We both got sort of dragged into the Lulz Security kerfuffle reluctantly. I am gonna tell you the story of how I got dragged into it and talk to you about some of the DDoS attacks that we saw during the 23 days that they were active, and then what we did to stop them.

So, on June 2, 2011, at about 16:54 GMT the Lulz Security Twitter account announced that they had finally gotten around to actually making a web page. What was pretty amazing was that within about 15 minutes that web page was knocked offline by a fairly significant denial-of-service attack. I don’t know the details of this particular attack because we hadn’t been involved yet.

About an hour after the web page was first announced, LulzSec announced on their Twitter account that they had actually solved this problem. The only thing that had changed, as far as I’ve been told, is that 9 minutes earlier they signed up for CloudFlare[3] – a service that makes websites faster, we protect them from some attacks, but don’t really think of ourselves as an anti-DDoS service. So it was somewhat of a surprise for the Lulz Security people to do that.

LulzSec taking advantage of the CloudFlare service

It was even more of a surprise when an hour later Lulz Security sent out a message to me, saying: “We love your service so much, can we exchange rum for a free Pro account?” I had no idea who Lulz Security was at this point, so I tweeted back a tweet which my legal counsel has told me to remove, which said: “It depends on how many cases and how good the rum is”. They never sent the rum, and we never gave them a Pro account, but CloudFlare is free and thousands of sites sign up for it every single day, and we typically don’t have problems with them. We had some more issues with these guys. So, over the course of the next 23 days, they wreaked mayhem in lots of different ways, and finally on June 25 they called it quits.

What was interesting is that the way CloudFlare works is as a reverse proxy, so all of the traffic which goes to Lulz Security passes through our network first, which has two significant effects. The first is – anyone who attacked Lulz Security was attacking us, so that was amusing. And then secondly, it meant that Lulz Security was actually able to hide where their origin was, where they were actually hosting from. That’s a side effect of how our system is designed, but it was one that they used to create effect.

Sam actually contacted me a little while ago, and said he was going to do a talk on DDoS and asked me whether I would be willing to share some information about it. And again, we have legal counsel and we are a real company, and we have a privacy policy. Even if you are an internationally wanted cyber criminal, we try to respect the privacy policy, so I wrote the following email to the email account that we had on file for Lulz Security, on July 2, right after they called it quits: “Hey, I’ve been invited to talk about this at Defcon, would you mind?” And I didn’t hear anything for quite some time. And then 11 days later, someone by the name of Jack Sparrow wrote: “You have my permission”.

To be continued…
 

[1] HTTP POST is one of many request methods supported by the HTTP protocol used by the World Wide Web. This request method is used when the client needs to send data to the server as part of the request, such as when uploading a file or submitting a completed form.

[2] ipconfig (internet protocol configuration) in Microsoft Windows is a console application that displays all current TCP/IP network configuration values and can modify Dynamic Host Configuration Protocol (DHCP) and Domain Name System (DNS) settings.

[3] CloudFlare is a content delivery network and distributed Domain Name Server service aimed at enhancing website performance and speed and providing security.

Quick Post: Columbiana Quote

by Andrew Hay on May 3, 2012, in SBN

On my day off I decided to watch Columbiana and heard a very astute line about painting that really made me think. The line was:

“You never finish a painting… You just stop working on it.”

Which itself was paraphrased from a Leonardo da Vinci quote:

“Art is never finished, only abandoned.”

The same can be said about security:

“You never finish security, you just stop working on it.”

The unfortunate reality is that many organizations see security as having a finish line, but that’s just not the case. The only way to ‘finish’ security is to stop working on it.

Read previous: Generations of DoS attacks: some history and links to Jester, Anonymous and LulzSec

Sam Bowne’s primary focus in this section of his talk is on the technical part of different types of DoS attacks: the relatively primitive Layer 4 DDoS, variations of the more sophisticated Layer 7 DoS, and the Link-Local IPv6 router advertisement attack.

Layer 4 DDoS (Many Attackers – One Target)

The technical part of this is you have a Layer 4 DDoS as the simplest kind of attack. This is what was used to take down MasterCard and Visa. They couldn’t take down Amazon this way. Anonymous tried this. This is a protest which involves many people.

Low Orbit Ion Cannon

So, the reason it does is because the tool they use is the Low Orbit Ion Cannon (see screenshot) which is just a network stress tester, and it doesn’t do much harm. So it takes a lot of people to bring down a website this way. But with the participation of 3,000 or perhaps 30,000 attackers, the number is not entirely clear, they were able to hold down MasterCard for more than a day, and many other sites.

Excerpt of Kaspersky's interview about cyber attack on South Africa

And this is the kind of attack that Kaspersky was talking about when they interviewed him a while ago and asked him how many infected machines it would take to bring South Africa off the Internet completely. And he said it would take hundreds of thousands of infected machines to do that. And I know that’s false. I know it would take one 3G cell phone.

However, he is not thinking of that kind of attack, he is thinking of the Layer 4 attack, where it takes thousands of machines to take down one target. And it’s really nothing more than pressing F5 in your browser, F5, F5, F5… If enough people do that, the page goes down. It is a denial-of-service of a sort, it’s just a very weak primitive one.

Layer 7 DoS (One Attacker – One Target)

There are more powerful ones, like the SlowLoris attack that RSnake[1] came up with a couple of years ago. There were many previous versions of the same thing. Here you do something smarter.

HTTP GET request

Instead of sending a complete request to the web server, and just sending a lot of complete requests to the web server so it has to work too hard to serve them all up, you send it something that would jam up the web server, for instance an HTTP GET request to get a page from a server looking like this.

You have the Layer 2 information and Layer 3 information, and down here you got the GET, which is several lines of information. If you just send part of the GET and you never send the rest of it, then the network assumes that you are on some kind of unreliable network and the packets have been fragmented. And so I’ve got the first half of it, and the other half is still coming. So it waits for the other half and that ties up incoming lines. And it’s extremely powerful.

R-U-Dead-Yet attack implementation

SlowLoris will freeze all available incoming lines, and all you need is about one packet per second to stop an Apache server dead.

R-U-Dead-Yet is another similar one, but it uses POSTs and affects IIS (see image). IIS is not affected by the SlowLoris attack with incomplete GET requests, but it is affected by incomplete POST requests.

There are other variations of it now. There is one using Keep-Alive DoS – that works, I tried that, it’s somewhat effective. It’s not as powerful as SlowLoris attack but it’s another way to send requests that make the server do a lot of work.

XerXeS

The Jester’s tool presumably uses one of these principles. It is called XerXeS (see screenshot). It is a graphical interface, looks like it runs on a bunch of Linux to me, but who knows. One important thing about Layer 7 attacks is you can run them through an anonymizer, so you don’t go to prison.

The Low Orbit Ion Cannon does not enjoy this feature because it has to send a lot of traffic from you to the other end. If you try to run it through the Tor3 network, it will just choke off your attack and bring down the Tor network, because it’s like a flamethrower: it burns everything between you and the target. And with a Layer 7 attack, it’s like a guided missile: it just sends a few packets that do not harm anything, and when it gets to the server – bang, the server becomes unavailable. So you can run it through an anonymizer, which is what he does, which means that not only can they not find out where it is coming from, but they also cannot protect from it by using simple firewall rules that search by source address, because all the packets come from different source addresses. Although, if you block all Tor agent nodes, which you should all do, that will stop them from using Tor, and they would have to use something else like a botnet of compromised machines to do it, and that would make it a little harder.

But anyway, his tool starts, runs this thing through an anonymization network, and then brings down the target. And it independently does a series of tests to the target. When the target goes down, then it sends out tweets – ‘Tango Down’.

Link-Local DoS (IPv6: Router Advertisements)

Anyway, that’s where we were up to maybe 2 years ago, these things were running. The Link-Local DoS is much newer, with IPv6. You are using IPv6 if you have any version of any modern operating system, any modern version of Linux, any Windows Vista or Windows 7, or Windows XP – if you turn on IPv6, although it’s not on by default. And your servers – your domain controller, your DNS server, your email server – are all using IPv6 whether you like it or not, unless you have gone out of your way to turn it off.

IPv4: DHCP

And like any other unwanted service, if you are not using it, it’s opening you to attacks. So, with IPv4, when a machine joins a network, unless you are weird enough to be using static IP addresses, which most people aren’t, your machine boots up and asks the router, a DHCP4 server: “I need an IP”, and it says “Okay, use this IP”. And then there is another back and forth to make sure nobody else is using that IP, and it’s the end of the game. There will be no further DHCP traffic until you restart that machine, or until a long time passes, like 4 days. That’s a PULL process: I need an IP, I ask for an IP.

IPv6: Router Advertisements

But IPv6 is not normally done in that fashion. With IPv6, addresses are generally distributed by router advertisement. So the router pushes a router advertisement and says: “I am the router, everybody stop what you are doing and join my network now”. Everybody has to stop, make up an address and join the network. It’s a broadcast packet, although they say there is no broadcast in IPv6, but there is something called ‘multicast to all nodes’.

Router Advertisement Packet

The difference between these things is still logical in nature, and I don’t intend to go into it. But the point is the router sends out one packet that goes to every node, and every node now has to join the network, which doesn’t seem that bad. Here is the router advertisement packet going to the ‘multicast to all nodes’ address ff02::1 and telling people what network to join (see image). The problem is you can send out a lot of router advertisements. And when you do, the poor target joins all these networks. That would be alright, except that Windows is extremely inefficient in doing that.
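The packet the speaker is pointing at is an ICMPv6 Router Advertisement (type 134) whose Prefix Information option tells every node on ff02::1 which prefix to autoconfigure from; the flood he describes is simply many such packets, each with a fresh prefix. The block below is an added example, not code from the talk: it builds RA packets in that layout as constructed sample data, parses the prefix option back out, and runs a per-source detector that flags any link-layer address advertising more than a handful of distinct prefixes inside a short window, which is the behaviour that separates a flood from a real router repeating its one or two prefixes. The names `build_router_advertisement`, `parse_router_advertisement`, `RaFloodDetector`, the thresholds, the MAC addresses and the 2001:db8:: prefixes are assumptions made for the demonstration.

```python
import struct
import ipaddress
from collections import defaultdict, deque

ICMPV6_ROUTER_ADVERTISEMENT = 134   # ICMPv6 type for a Router Advertisement
OPT_PREFIX_INFORMATION = 3          # NDP option carrying a prefix to autoconfigure from


def build_router_advertisement(prefix, prefix_len=64, router_lifetime=1800):
    """Construct an ICMPv6 RA with one Prefix Information option (sample data only;
    the checksum field stays zero because the packet never goes on the wire)."""
    header = struct.pack("!BBHBBHII",
                         ICMPV6_ROUTER_ADVERTISEMENT, 0, 0,   # type, code, checksum
                         64, 0, router_lifetime,             # cur hop limit, flags, router lifetime
                         0, 0)                               # reachable time, retrans timer
    option = struct.pack("!BBBBIII",
                         OPT_PREFIX_INFORMATION, 4,          # type, length in 8-byte units (32 bytes)
                         prefix_len, 0xC0,                   # prefix length, L and A flags set
                         2592000, 604800, 0)                 # valid lifetime, preferred lifetime, reserved
    return header + option + ipaddress.IPv6Address(prefix).packed


def parse_router_advertisement(packet):
    """Return the advertised prefixes as 'prefix/len' strings; [] if packet is not an RA."""
    if len(packet) < 16 or packet[0] != ICMPV6_ROUTER_ADVERTISEMENT:
        return []
    prefixes = []
    offset = 16                                # options start after the fixed RA header
    while offset + 2 <= len(packet):
        opt_type, opt_len = packet[offset], packet[offset + 1]
        if opt_len == 0:
            break                              # malformed option; stop rather than loop forever
        end = offset + opt_len * 8
        if end > len(packet):
            break                              # truncated option
        if opt_type == OPT_PREFIX_INFORMATION and opt_len == 4:
            prefix_len = packet[offset + 2]
            prefix = ipaddress.IPv6Address(packet[offset + 16:offset + 32])
            prefixes.append(f"{prefix}/{prefix_len}")
        offset = end
    return prefixes


class RaFloodDetector:
    """Flag a link-layer source that advertises more than max_prefixes distinct
    prefixes within a sliding window. A real router repeats a few stable prefixes;
    a flood is a stream of fresh prefixes that each force hosts to autoconfigure."""

    def __init__(self, window=10.0, max_prefixes=8):
        self.window = window
        self.max_prefixes = max_prefixes
        self.history = defaultdict(deque)      # src_mac -> deque of (timestamp, prefix)

    def observe(self, timestamp, src_mac, packet):
        """Record one RA from src_mac at timestamp; True if the source is now over the limit."""
        q = self.history[src_mac]
        for prefix in parse_router_advertisement(packet):
            q.append((timestamp, prefix))
        while q and q[0][0] < timestamp - self.window:
            q.popleft()                        # drop observations older than the window
        return len({prefix for _, prefix in q}) > self.max_prefixes


def demo():
    """Replay constructed traffic from a legitimate router and from a flooding host.
    Returns (legit_flagged, flood_flagged)."""
    detector = RaFloodDetector(window=10.0, max_prefixes=8)

    # Legitimate router (constructed): the same prefix every 3 seconds for a minute.
    legit_ra = build_router_advertisement("2001:db8:1::")
    legit_flagged = any(detector.observe(t * 3.0, "52:54:00:aa:bb:01", legit_ra)
                        for t in range(20))

    # Flooding host (constructed): a new prefix every 0.1 s, 50 in total.
    flood_flagged = any(detector.observe(60.0 + i * 0.1, "52:54:00:de:ad:01",
                                         build_router_advertisement(f"2001:db8:abcd:{i:x}::"))
                        for i in range(50))
    return legit_flagged, flood_flagged


if __name__ == "__main__":
    print(demo())  # (False, True)
```

Counting distinct prefixes rather than raw packets keeps a chatty but honest router below the threshold. The standard mitigation on managed switches is RA Guard (RFC 6105), which drops Router Advertisements arriving on ports where no router is expected, so that the flood never reaches the hosts that would otherwise try to join every advertised network.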

To be continued…

1RSnake (Robert “RSnake” Hansen) is the Chief Executive Officer of SecTheory – a web application and network security consulting firm. Robert is a co-author of the authoritative book “XSS Exploits: Cross Site Scripting Attacks and Defense”.

2IIS (Internet Information Services) is a web server application and set of feature extension modules created by Microsoft for use with Microsoft Windows.

3Tor (short for ‘The onion router’) is a system intended to enable online anonymity. Tor client software routes Internet traffic through a worldwide volunteer network of servers in order to conceal a user’s location or usage from anyone conducting network surveillance or traffic analysis.

4DHCP (Dynamic Host Configuration Protocol) is a network configuration protocol for hosts on Internet Protocol (IP) networks. It provides a central database of devices that are connected to the network and eliminates duplicate resource assignments.

Sam Bowne from City College of San Francisco shares his expertise in the history of denial-of-service attacks, their technical aspects, and the major groups of hacktivists who use those for various purposes. This Defcon presentation starts with the classification of DoS attacks and the analysis thereof in terms of Jester, Anonymous and LulzSec attackers’ activity.

Sam Bowne: I am Sam Bowne, I teach at City College, San Francisco. I am here to talk to you about DoS attacks. I am gonna talk a little bit about the hacktivists who’ve used DoS attacks because I find them interesting, and they have dramatized how much damage you can do with the various kinds of DoS attacks, at the parallel of going to prison themselves for it, which is a drag, but anyway, it helps the rest of us sell security appliances, and it helps me entertain the students and keep them interested in knowing how these acts of defenses work.

So you’ll be participating as victims. Now, how many people brought a device to get killed? One, two, three – yeah, not very many, okay. That’s kind of what I thought, because Ryan who is setting up a wireless network says he probably cannot connect more than 40 or 50. I didn’t think there would be that many volunteers to get their device killed.

However, I was trying in the speaker room, and I believe this attack could be used to kill every machine at Defcon, from peer. I was gonna demonstrate a version of that – not so lethal – on the stage, but it wouldn’t connect it all in the prep room, so I decided to skip that for the moment. But if any of you are unscrupulous, you can try it.

I believe this DoS attack could be used to kill every machine at Defcon.

I’ve got two guests with me: I’ve got Matthew Prince here who is gonna talk about his inside dealings with LulzSec1, which I am very pleased to have. In fact, I met him because both of us were deplored as immoral evil people for helping LulzSec, because I retweeted some LulzSec tweets that pointed to stolen data which I thought was important. And he ran a service that they used to protect themselves from attacks. Another one of my guests – Ryan Carter – is gonna set up the network and ‘kill’ people who wish to volunteer to be DoS’ed with this attack, because we could learn some new vulnerabilities here. Now, they are not zero-days, because this – the attack I am using here – wasn’t written by me and it’s not new. It’s been known for a year. It’s just that an awful lot of people who manufacture devices don’t care and have not patched it. So, if anybody has exotic devices, it would be interesting to see if they are vulnerable.

Anyway, I’ll briefly outline what I want to show you. The DoS circus is about the history of this stuff and the attackers who have been using it. And then, I’ll talk about the three kinds of DoS: Layer 4 DoS, where you use thousands of attackers to bring down one machine, usually distributed denial-of-service; Layer 7 DoS, where one attacker can bring down one server or more; and the Link-Local IPv62 router advertisement attack. I talked to you last year about IPv6, and I said it was gonna bring a lot of security problems – and so it has.

The DoS Circus

It has given us a time warp when a bunch of things designed in 1993 are now back on our networks, so the old tricks work again. This is not really an old trick, but it’s devastating and I’ll show it to you. You can kill all the Windows machines on a network from one attacker. And again, you only need a few packets per second to do it.

Founder of WikiLeaks Julian Assange

So, Julian Assange stirred everybody up by leaking U.S. secrets. He published this mysterious encrypted file as his insurance. And if he ever gets irritated enough at the fact that he is being held in a house arrest and perhaps gonna be deported and stuff, he can release the secret key and reveal something terrible, not yet specified.

So, this stirred up these Anonymous3 people that had gotten tired of just posting pictures of cats on 4chan, and decided to save the world through denial-of-service, which makes a lot of sense to them all, but not to me. So they started attacking. If there was anybody they could all agree to hate, they would blow them away. So they started with Scientology because it’s pretty easy to hate the scientologists.

News article on HBGary hack by the Anonymous

Then it went on to other people – and eventually HBGary Federal4. This company’s CEO Aaron Barr was supposed to be here but he was issued a court order about 3 days ago, forcing him not to speak at the panel and tell what really happened for the inside story here.

But anyway, in order to publicize his new government security contracting company, Aaron Barr said that he could find the people running LulzSec and expose them by doing a correlation of social networking. So what appeared in Twitter, he would correlate with what appeared in Facebook and elsewhere. And so, they decided to take him down, and it was extremely easy.

They got a team of Anonymous members. Now, Anonymous was a low-tech group, usually using really primitive tools. But a small number of them got together, who were relatively skilled compared to the others. And they decided to take these guys down. They found an SQL injection5 and took over the email server, and then they sent emails pretending to come from the owner of the company, asking him to please change the password, change the username and turn off the firewall. Thanks, that’s working now!

And once they were in, they took all the emails and dumped them on the Web, because the whole thing about these guys who later became LulzSec was complete irresponsibility. The fun thing is to take everything you were told not to do, and just do it, and then you laugh – ha, ha, ha!

So, what would happen if I just dumped your whole email log out, everything personal, hurting who knows how many innocent people that just had something to say about their medical conditions? So that would be a lot of fun, so that’s what they did. And they found a lot of real dirt in there. It looked like they were planning to do a lot of really nasty things from HBGary.

Story on U.S. Chamber of Commerce websites taken down by the Anonymous

Then Anonymous decided to attack the Chamber of Commerce, having found out that they had a Drupal exploit, again showing more intelligence technically than the Anonymous had before, which had just used that Low Orbit Ion Cannon6, which is pretty primitive.

So the Jester (th3j35t3r) gets in here, using the demonstration of the power of a Layer 7 attack, although no one knows exactly what he does, he is truly secret, and I am guessing what he does. But from people who have been attacked and kept logs of his packets, they’ve told me that I am correct, that what he was doing is essentially using a Slowloris7 attack with some variations.

His plan here is to be right-wing essentially, where Anonymous and LulzSec are left-wing. He is pro-military, he comes from the military, and he tries to punch back at anybody that he regards as endangering soldiers, like Julian Assange and Jihadist recruiting websites.

Jester tweets about DoS'ed websites

And he brings websites down with his tool, and then tweets about it. He is prominent on social networking, you can go chat with him, I’ve chatted with him. But he doesn’t have any partners, unlike LulzSec. He works alone, and therefore he hasn’t been caught yet. He understands military operational security. Nobody can betray him – something that LulzSec forgot.

WikiLeaks outage in November 2010

Anyway, he brought down WikiLeaks single-handedly and held it down for more than a day. To prove it, I was chatting with him on IRC and he said: “Look, I can turn off the attack and let it come back up”. And it came back up. Then he said: “Now, I am taking it down again”. And it went down again. So that convinced me that he was really in control of the attack. Here is the Netcraft map of WikiLeaks going down for more than a day, thanks to the Jester (see image).

So that was his game, and then he decided to fight with Anonymous because Anonymous didn’t like him taking down WikiLeaks, and he has been focusing on them for about the last year, Anonymous and LulzSec blasting each other apart with the variety of tricks; he was putting on them denial-of-service.

And then, the Jester got mad at Westboro Baptist. Now, these guys are also pretty easy to hate. They have some ridiculous hatred of homosexuals, and they also picket funerals – basically, their profit method seems to be about being annoying until someone finally punches them in the face, and then sue. But the Jester decided to take them down, so he took down four websites with his tool, which he had ported to a cell phone. And from the single 3G cell phone, he says, he held down four websites for two months straight.

And I don’t doubt that because I know I can do it, and any of my students could do it, and you could do it if you just pay attention to this talk. It’s not hard. The Slowloris attack runs on Windows, it’s not hard to do at all. And that’s how it goes.

Now, LulzSec continued on a rampage, hacking everybody in sight. At one point, they just opened up a telephone line and you could call them, and they would hack anybody you wanted. They hacked U.S. Government, Military, NATO, British Government sites. They dumped the contents of the Booz Allen Hamilton database. When they dumped out the Arizona cops is when I got really mad, because that was really important, they dumped out their names and password hashes and the logins for their emails.

LulzSec website announcing illicit things they did

And when they dumped out Booz Hamilton8 password hashes, that struck me as outrageous: 150,000 password hashes, half of them were cracked by the next day. So, all the top military, their names and passwords are now out there where anybody can use them, and they didn’t think much of that.

However, they also took down some game websites, which I didn’t even notice, but it seemed to be what really caused trouble for them.

They put up a website to announce all the stuff they took down and all the stolen data (see image). And then, they hacked PBS9 website and put up a silly thing there. I was pretty irritated by that, like – why would you hack PBS? Come on guys…

Fox News report on T-Flow arrested

Anyway, now they’ve been caught, largely. Ryan Cleary was one guy kind of on the periphery of LulzSec, they caught him in June. Shortly after that, they caught T-Flow (see screenshot of news report excerpt) who was much more important to LulzSec. At the end of July 2011, they caught Topiary. So, they really are just British teenagers, and the attitude of taking down everything just for fun, you know, comes from just childish immaturity. You might wonder what makes them do this – they are just young and foolish, that’s why they think they can just take down every government website just for fun.

By the way, Jester and Sabu are supposed to be both here, they are both on Twitter claiming to be here, and they said they were at the pool yesterday. The Jester said he was here and Sabu said he was here. I kind of doubt it, but maybe they are, who knows.

Sabu is the main LulzSec person still at large. And why they are assumed to be on the way down is because his friends have already been arrested, and this is what always happens: after they get the first one, they would find the rest, because they don’t have much operational security.

To be continued…

1LulzSec (abbreviation of Lulz Security) was a computer hacker group that claimed responsibility for several high profile attacks.

2IPv6 (Internet Protocol version 6) is a version of the Internet Protocol (IP) intended to succeed IPv4, which is the protocol currently used to direct almost all Internet traffic. IPv6 was developed by the Internet Engineering Task Force (IETF) to deal with IPv4 address exhaustion.

3Anonymous (used as a mass noun) is an Internet meme that originated in 2003 on the imageboard 4chan, representing the concept of many online and offline community users simultaneously existing as an anarchic, digitized global brain.

4HBGary Federal is a technology security company which sold its products to the US Federal Government. HBGary Federal is defunct as of 2012.

5SQL injection is a frequently used technique to attack databases through a website. This is done by including portions of SQL statements in a web form entry field in an attempt to get the website to pass a newly formed rogue SQL command to the database (e.g. dump the database contents to the attacker).

6Low Orbit Ion Cannon (LOIC) is an open source network stress testing and denial-of-service attack application, written in C#.

7Slowloris is a piece of software written by Robert “RSnake” Hansen which allows a single machine to take down another machine’s web server with minimal bandwidth and side effects on unrelated services and ports.

8Booz Hamilton (Booz Allen Hamilton Inc.) is an American consulting firm headquartered in McLean, Fairfax County, Virginia, with 80 other offices throughout the United States. Founded in 1914 by Edwin Booz, the company is one of the oldest management consulting firms in the world.

9PBS (Public Broadcasting Service) is a non-profit American public broadcasting television network with 354 member TV stations in the United States which hold collective ownership. Its headquarters is in Arlington, Virginia.

Read previous: How malware authors are winning the war 2: exploit toolkits, fake antiviruses and mobile threats

James Lyne moves on with his analysis of malware distribution patterns, speaking on the techniques fraudsters are applying to diversify away from the expected conventional paradigm of cybercrime and scam, e.g. exploiting social media. Finally, Mr. Lyne draws conclusions on modernizing the approach to protection.

Now, I’ve talked a lot about threats and malicious code but it wouldn’t be right to talk about the bad guys without getting a little bit into social engineering. The bad guys love social media, brilliant tool for them to do social engineering. And it is not due to vulnerabilities in the platform, it’s just that social media is a really good way to reach lots of people and interest groups.

Starbucks scam page on Facebook

Here we have an astonishing example, a Facebook page that was created saying: “Join for free 25 dollar giftcard to Starbucks”. So fantastic, 25 dollars for morning coffee, you can get your caffeine high and get to work. Now, in the real world we’ve all developed this sense of whether we trust people or not. For example, as a security person, if a sales guy walks into your office with slicked back hair and a nice suit and one of those skinny purple ties with little spots on it, and says: “I’ll be honest with you” – we all know that means: “I am about to lie to your face”, kind of got used to it.

However, in the digital world we don’t have the same equivalent. The very first sentence on this page says: “This is not a scam”. What does that mean? It’s a scam. Of course it’s a scam. And any economist is immediately gonna be going: “25 dollars of free coffee which you can share with all of your friends: okay, the world has free coffee for about four days. Probably cannot afford to do that”.

Steps to get unknowingly infected instead of getting Starbucks giftcard

But let’s take a closer look at what they actually ask you to do. First, click ‘Join’, then click ‘Share’, and the idea is you’re gonna share this with all of your friends so that they can get their 25 dollars of brown water too. Next – “Erase everything in the address bar”. That’s where the facebook.com is typed. Okay. Next – “Copy and paste this code into address bar and hit ‘Enter’, note this won’t work on Internet Explorer, only Mozilla Firefox and Safari”.

These bad guys were too lazy to write a virus. They put the code on the page, they asked people to run it, and people did! What? It’s that simple – social engineering. Thousands and thousands of people joined this page and followed these instructions before the page was torn down, all in an attempt to get their 25 dollars of morning caffeine.

To add insult to injury, at the end of it you get to go to this wonderful official page which has got a padlock on it that says: “Zero fraud tolerance”. Good to know this criminal gang wouldn’t be sharing my details with other criminal gangs. And the page says: “We are now just minutes away from being complete”, which is fascinating because I started off this journey hoping for 25 dollars of free coffee. Who knew social media was so powerful that all of my life had been leading up to this very moment? Brilliant social engineering, incredibly effective.

So the challenge we have is that the bad guys are not only using more effective technology, they are not only producing a much, much larger volume of malicious code, they are not only taking advantage of our stereotypes, of the fact that we need to protect a Microsoft PC and not other platforms – but they are diversifying away from these expectations users have on how they are going to get infected. They are moving beyond email and simple web. They are using social media. They launch incredible campaigns, and users aren’t updating their knowledge to know they need to not click those nasty links.

And there are some astonishing examples of these diverse scam techniques, like letters resembling the ‘traditional’ Nigerian scam. But they print those and put official logos on them, and post them to people. Now, most users, if you send them a link saying: “I am going to sell you a Rolex for five dollars” these days will probably delete it. There’s always one, but the success rate is much lower. How confident are you that your users will apply the same sense to social media on the mobile platform, or if they received a targeted letter?

So we need to be thinking about broadening the tenets of our acceptable use policy. Incidentally, if you are wondering what we did with the letter – we shredded it and posted it back to them for fun.

So, what have we got to do? The bad guys have fundamentally changed the game. The volume of malicious code, the quality, the quantity is making traditional protection unsustainable. It’s not working. Signature AV, traditional AV is dead, nails in the coffin, incinerated – game over. We all have to modernize our approach to protection. We all need to be looking at tenets like content, reputation and behavior.

We all have to modernize our approach to protection, looking at tenets like content, reputation and behavior.

We need to be thinking about remediation and hardening. We need to be making sure that we are patching things like Firefox, these other applications, raising the profile of our systems, not just the Windows PC.

To the security industry, the most critical message is this: most security technology for many years has been based on the concept of content, matching files, matching packets. It is too easy for the bad guys with these tools to generate massive quantities of malware that makes content-based detection fail.

All these things like advanced persistent threats, samples that will never be seen on a large scale – make content security fundamentally challenged. We need security technologies to be building in the concept of reputation and behavior. It doesn’t matter what PDF caused Adobe PDF to go off and start trying to create Admin accounts. What matters is it’s doing something bad. So we need these tenets to be built-in across the industry.

So, what should you do as a user to keep yourself safe, to drive cyber victory – it is our Internet, the bad guys cannot have it? You need to go back to the office, you need to make sure you are patching PDF, Flash, Firefox; take advantage of the good work that Adobe and others are doing.

You need to make sure that you are adopting and using behavior and reputation based capabilities, modernizing your protection portfolio. And you need to make sure that you are thinking about more than just the PC. Think about where all that valuable data flows across your environment, and have appropriate controls at each point.

And to the industry – simplify. The reason people don’t use technologies like HIPS1 is because they get these screens that say: “Right, there is a mob here, now turn it to the left, and of course now the A vector of anthological analyses engine with kernel32.dll on Internet Explorer, when accessed by user B, and IP address is C at 13:37 on Tuesday when the North wind is going this way and my hair is particularly ginger…” What on Earth does that mean? Where is the checkbox that says ‘Stop bad stuff’? We have got to make this stuff simple and adoptable. People don’t have the resources to be chasing all this flexibility and dealing with 95000 threats a day.

We’ve got to, as an industry, drive policy centrally, take advantage of community intelligence and make this stuff work for the customer. And please stop using the term ‘SaaSification’.


1HIPS (Host-based intrusion prevention system) is an installed software package which monitors a single host for suspicious activity by analyzing events occurring within that host.

Read previous: How malware authors are winning the war: waves of malicious code

Having singled out the three major waves of malicious code evolution, Sophos’ James Lyne proceeds with his presentation, describing exploit toolkits, rogue antivirus activity patterns and the gradual, yet steadily growing trend of mobile viruses distribution.

Web user interface of Crimepack exploit kit

The bad guys are also getting much smarter about how they target our computers. They are producing pretty impressive tools, like Crimepack for instance. There are lots of competing products here. Interestingly, all with wonderfully modern web user interfaces and really quite nice product design, they are obviously very good at using the latest web development toolkits. These tools are designed to provide an attacker with access to the latest zero-day exploits. But interestingly, more often than not the most successful campaigns are targeted in applications and vulnerabilities that are quite old.

For example, if we look at the breakdown of vulnerabilities in the most popular crime kits out there at the moment, you can see the lion’s share focus is on PDF. And interestingly, if you go to any CISO1 and say “When did you have MS08-067 (the Conficker2) patch deployed?”, they’ll know. It may have taken two days, it may have taken a month, but they will have a solid picture. Ask them what version of Adobe PDF they are running, and they throw their hands into the air and have absolutely no idea whatsoever.

The bad guys know what we in IT all suck at – deploying, and that’s what they are targeting. These exploit packs make it really easy for the bad guys to go after things like PDF, Internet Explorer, Firefox, and Java – all the things that aren’t so well controlled in the IT environment. So good for Microsoft that they’ve managed to get themselves out of the frame to a large extent, that patching is paying off to security responsiveness. The bad guys are now targeting the application layer, and we all need to be thinking about how we keep apps up-to-date.

Another terrifying trend of 2010 that will undoubtedly continue in 2011 and 2012 – fake antivirus. Now, if imitation is the highest form of flattery, then antivirus companies should be very flattered indeed.

Counterfeit 'threats found' alert displayed by fake antivirus

These are everywhere, all over the Internet, injecting themselves into good web pages, using black search engine optimization to gain the attention of users. And the premise is simple: you type in “I’ve got a virus, I need cleanup”, and you get told: “Oh my God, you’ve got 216 threats on your computer, it’s the end of the world, and you really need to clean up your computer right now!” And the user sits there looking at this fake antivirus screen, and it looks just like a real AV product. In fact, often these fake AV products look more attractive than real antivirus products. So perhaps a good security policy suggestion would be: if it looks nice – uninstall it.

Anyway, they sit there and they think: “Right, the IT administrator told me about viruses and worms and trojans, and how they wirelessly connect to my fridge and put my milk off and scare my cat at 2 a.m.” They get the details wrong but they basically know that viruses are bad. So they type in their credit card details to ‘register’ the product to clean up the malicious code, compromising their personal finances, providing an attacker with backdoor access to a corporate asset and the access to data, and potentially joining it to a large-scale botnet.

The astonishing thing here is that it used to be free to get infected with malicious code, but now people actually pay for the privilege. People pay to run malicious code from the bad guys. And these are all over the web, they make Conficker look like a pussy cat.

But it’s not just Windows. We see it happening on other platforms too now as well. I am a Mac user, I have been for a long time. I had the understanding that while running a Mac I should run antivirus because I would feel bad if I accidentally infected a PC user. There wasn’t really this feeling of risk of actually compromising your own computer. The metaphor for this is Typhoid Mary, a woman that worked in a hospital in the U.S. and was a carrier of Typhus and could infect other people, but wouldn’t actually become ill herself.

GUI of iMunizator - the infamous Mac scareware

Those days for the Mac user have gone. And whilst there may be very little malicious code for the Macintosh platform versus the PC, it’s still serious stuff. Here we can see the iMunizator3 – brilliant product name, wonderful user interface. Steve Jobs would have been proud of this, it is very nice-looking, and all of the buttons work. It’s incredibly convincing, comes localized in about 20 different languages.

Some of these products actually have support, you can call them up and get technical assistance on how better to use their fake antivirus, it’s insane! But if you are a Mac user, if you are a CEO regularly giving presentations, if you are in a creative team, if you are in IT sitting there with lots of access to privileged information – be aware that the bad guys are targeting you too now, and you need to be protecting yourself appropriately. Times have changed.

The other big trend that we are at the beginning of the wave – we will certainly see more of it in the next couple of years – is mobile. I just have to say this – really, mobile. For the last seven or eight years, certain vendors, certain parts of security industry have been running around, waving their hands in the air saying: “This is the year that all of the malware will go from the Windows PC, and it will stop targeting them, and it will affect Symbian”. And, you know, every year nothing happens.

Rick Astley rickrolled by the 'ikee' worm infecting iPhone


So we’ve all got used to this notion that mobiles are kind of secure. We do our Internet banking, we install applications. And whilst the security team and the CISO are worrying about these devices, most users don’t have the same inbuilt sense of acceptable use and threat they had on the desktop environment. They are much more happy to click on things.

Over this year, we started to see malicious code. I am showing here the consequences of the first known malicious code for jailbroken iPhones: you knew you were infected when this picture of Rick Astley came up in the background with the line “Ikee is never gonna give you up” – apologies for that inadvertent rickroll. It is rumored that Rick Astley was rickrolled by his own phone, but no one has been able to confirm that for me yet.

This malware may be low distribution, but it is the beginning of a huge trend. The reason the bad guys haven’t been targeting these platforms is not because they are eminently secure, actually they are a bit like Windows 95; the reason is that until recently there wasn’t interesting data on these platforms to steal. But as we all use these devices more and more as a replacement for our laptop, as they become more and more a part of our lives and our identity – they are going to be more targeted.

So we need to see people focusing on protecting these devices. It’s not about the same protection model as the conventional PC. It’s not about antivirus in the same sense. But we do need to be thinking about compliance, patching and security to keep these devices safe.

To be continued…
 

1CISO (Chief Information Security Officer) is the senior-level executive within an organization responsible for establishing and maintaining the enterprise vision, strategy and program to ensure information assets are adequately protected.

2Conficker, also known as Downup, Downadup and Kido, is a computer worm targeting the Microsoft Windows operating system that was first detected in November 2008. It uses flaws in Windows software and dictionary attacks on administrator passwords to propagate while forming a botnet.

3iMunizator is a rogue antivirus application targeting Mac OS. It performs a bogus system scan and claims to detect imaginary privacy issues on the targeted machine, subsequently asking the user to pay for resolving the ‘problems’.

Director of Technology Strategy at Sophos James Lyne expresses his vision of the way malware production has evolved over time, shifting from mostly prankish activities to the complex sophisticated cybercrime infrastructure that we’re seeing today.

Hello there, my name is James Lyne from Sophos, and today I am gonna be talking about how malware authors are winning the war. My job at Sophos is to focus on long-term technology trends: the next five years of things that are happening in IT, like mobilization, virtualization, de-perimeterization1, PSaaS2(-’ization’) – you can basically apply it to anything. But I am also a bit of a geek. I love playing with malware and looking at the bad guys’ creations in the labs, and figuring out exactly what they are up to.

I’ve been at Sophos for more than seven years, and over that time I’ve seen a huge change in the nature of malicious code that we are having to deal with for our customers. We are now in what I like to call the third wave of malware.

Prankish virus would insist on throwing coconuts at security expert to get the PC unblocked


The first wave, about twenty years ago, was predominantly about pranks, about spotty teenagers sitting in basements, producing malicious code that was designed to get attention. There used to be the big green worm that would go across the screen eating all of your documents before defecating in the bottom left-hand corner.

That was the time when one of our PR people, Graham Cluley, a well-known gentleman, annoyed virus writers so much that they put his face in the middle of the screen, and you had to throw coconuts at him to be able to use your computer again. The first wave of malicious code was basically lots of fun.

Nigerian scam email sample


About eight or nine years ago, we moved into the second wave of malicious code. Things started to get serious. The spammers and the malware authors started to become financially motivated. We saw the rise of the ‘Brazilian banker’3: “Hi, I’d love to give you a billion dollars, just because I like your face”; or the Nigerian that happens to have inherited or otherwise acquired some money and would conveniently love to share it with you; or perhaps the Chinese shop that would love to sell you a Rolex for five dollars. Financial motivation became very much the key to malicious code, and we saw a significant change in the product that these guys were producing and how they were infecting people at large. And that’s largely what we have been living with up until 2010 or so.

The third wave of malicious code is far more serious. The third wave of malicious code is about organized criminals producing malware. And I believe that this change has not yet been appropriately recognized by the industry. People aren’t taking action to protect themselves against this escalated threat.

So, what’s changed in the third wave of malicious code? Firstly, a massive increase in the volume, the quantity of malicious code. At Sophos Labs, we now see 95,000 unique individual pieces of malicious code every single day. It’s an astronomical quantity of malware. Only a few years ago, we were dealing with on average 5000 pieces of malware.

At Sophos Labs, we see 95,000 unique individual pieces of malicious code every single day.

And indeed, if you look back over the history of all time you can see that the dinosaurs didn’t particularly have a problem with malicious code. So, what is it that we are doing wrong? It is a serious issue.

What’s happened is the bad guys have brought professionalism to their trade. They’ve developed a black market economy. They are adopting the latest and greatest technology. And they are garnering more resources than most vendors, most public sector organizations and governments can put towards this issue. That’s principally because they are not bound by law, they are able to steal these resources. It is easy for them to go out to the Internet, click their fingers and get 80,000 computers.

Security Tool rogue antivirus employing polymorphism to switch versions at high speed


They are using tools like polymorphism which enable them to create new pieces of malicious code at high speed. Security Tool – a fake antivirus product – was infamous last year for creating new versions of itself every minute and distributing them all over the web.

So the bad guys with their illicit economy have changed the game. As any economist will tell you, when you get a market, when you get people providing services, franchising, products – you get research, innovation, development and competition. And that is what is behind the significant escalation in the quantity and the quality of malicious code out there today.

It’s actually quite astonishing when you go and look at what these guys are now producing. Just to poke fun at SaaS, the ‘SaaSificationization’ of crime, crimeware as a service – all these ridiculous buzzwords, but underneath it there is a real trend.

There are lots of AV check sites on the Internet, all set up by the bad guys to provide services for people producing suspicious files. The idea is simple: you write a virus, a piece of malicious code that you are going to launch against a specific organization, and then you upload it to this cloud-based service. And the bad guys run your virus against twenty to thirty antivirus products, and they produce a nice little PDF report with pretty graphics and charts showing how your malicious code was detected. And they even give you tips on how better to avoid being detected in the future. It’s a cloud-based quality assurance service for malware authors. What the hell is wrong with the world? It’s insane.

These guys now are diversifying out into providing exploit toolkits4. Some of them even provide for relatively high price profiling of specific organizations that you want to target, so that your success rate when you go trying to knock on that door is very high. These services are an absolutely terrifying trend, and at one point they are starting to defeat the technologies that we’ve all relied upon for the past twenty years to keep ourselves safe.

Example of a Canadian Pharmacy site


Now, I’ve talked about this provision of services, this trade, but it is also interesting to see how the bad guys are starting to modernize and diversify their business models. And one of my favorite examples of that is the Canadian Pharmacy. The Canadian Pharmacy has been around since 2003 – a long-standing threat. And the premise is simple: you go online and you are searching to buy Viagra or Cialis or some performance enhancing drug.

This is astonishing. You go online, you type in trying to buy your Viagra and you get redirected to a Canadian Pharmacy site through black search engine optimization, or perhaps, you know, if you are clicking on the link in a spam message. And for some reason, everyone trusts the Canadian, it’s a good place to buy drugs. You are typing your credit card details, click ‘Buy’, and the bad guys run off with those details, go and spend lots of money from your credit card. Your bank locks the card down, replaces it, and hopefully you’ve learned your lesson. That’s been the model for a very long time.

What we’ve seen over the last year that’s interesting is these sites have actually started sending out the product. So you can go online, type in your credit card details and they actually do send you, say, a performance enhancing drug. And it works. And don’t ask, it was one of the most interesting tests we had to perform at Sophos Labs compared to conventional file analyses, but anyway… What they are sending you is a cheap Chinese knockoff, not the officially branded product. And they are sending it to you, you believe it is working, you believe that it is the premium product, and they are stealing money from you on an ongoing basis, a subscription theft model rather than a one-hit wonder, because they’ve realized that overall that’s far, far more profitable. So that’s a structured decision to use a different business model for profit. Quite a terrifying trend.

To be continued…
 

1 – De-perimeterisation is a concept/strategy for protecting an organization’s systems and data on multiple levels, using a mixture of encryption, inherently secure protocols, inherently secure computer systems and data-level authentication, rather than relying on the organization’s network boundary/perimeter with the Internet.

2 – PSaaS (Physical Security as a Service) is a security model based on the use of SaaS (Software as a Service) cloud-oriented software delivery principle for providing high degree of enterprise protection.

3 – Brazilian Banker is a financial Trojan that targets consumers of Brazilian-based banks and other banks in Latin America, stealing their banking credentials.

4 – An exploit toolkit (exploit kit) is a piece of software that bundles malicious code for exploiting vulnerabilities in applications, so that an attacker can compromise a target without writing the exploit themselves.

Follow-up on Eugene Kaspersky’s talk called “The threats of the Age of cyber-warfare”, where the speaker looks into instances of critical infrastructure damage, catastrophes and military challenges caused by cybercrime. Mr. Kaspersky also provides some ideas on minimizing the risks, placing special emphasis on international cooperation for fighting cyber criminals.

Unfortunately that’s not the end of my story. What can be worse? This is not a question, it’s an answer. We have some examples of the catastrophes, very big disasters because of the malfunctions of IT systems. I think all of you remember the blackout in 2003. On the same day, at the same time, there was an epidemic of the Blaster Worm1 which infected millions of computers around the globe. And we have reports that the worm damaged Unix systems which were in charge of electricity distribution through the electric grid. The worm was one of the reasons, maybe the main reason for the blackout on the East Coast of the United States and Canada in 2003. I don’t have any hard data about that, but I am pretty sure it could not have happened without the worm, it was the main reason.

Plane crash in Spain due to computer infection


Another story, I think that you might not have heard about that because it happened in August, vacation time, but it wasn’t out of the focus of our attention. In August 2008, a Spanish plane crashed just after takeoff from Barajas airport in Madrid. More than 150 people died in this catastrophe. Last year, they reported the result of the investigation, they said the plane had crashed because of technical problems. But these technical problems were not discovered by ground-based engineers, because the computers were infected. So the malware blocked computers and the technical problems were not reported to the engineers. So the virus, the infection, the malware wasn’t the cause of that catastrophe, but it could not have happened without the infection.

More, Stuxnet2 – I think I don’t need to explain that. I think all or most people who are responsible for IT security, and the national security working with transportation, industrial systems, factories, governments are really scared, because unfortunately all these systems depend on IT.

So these are facts which already happened. And the question is, this year, next year, do we expect to see similar incidents: yes or no? That’s very obvious, of course yes. It will happen because there is no 100% security. And unfortunately, these systems were designed years back, possibly by people who weren’t trained well.

News report on Boeing 787 being vulnerable to hacker attack


Just a few more stories. This is quite an old story but for sure it will happen again. Now it’s fixed, don’t worry – now this problem is fixed. But in 2008, they reported that cockpit systems, the pilot systems were connected to the passenger network. When I got this news, I was sitting with my mouth open, reading that and thinking: “How could they design that?” And then the lawyer from my company came to my room with some report and I said: “Listen, this is a new plane from Boeing, they have a pilot’s network connected to the passenger network”. And my lawyer said it’s not possible. But unfortunately, it is possible, it was actually, now it’s fixed. But for sure, people are people, engineers are engineers, and engineers unfortunately are humans too. They make mistakes.

U.S. drones unprotected due to non-encrypted traffic


Here is another story, it’s a little bit more serious maybe: the military drones which didn’t have encrypted traffic, so it was possible to intercept the drone, and for example send it back, or to change the target. Well, it’s from the news, that’s why I am not surprised, because humans are humans. They design these systems in such a way.

The nations are vulnerable. Unfortunately, even the national systems are sometimes designed in such a way that they could be very easy victims of a hacker attack. Do you remember the movie about cyber terrorism – “Die Hard 4”? I recommend you to watch it again. Well, that’s a Hollywood story, and half of this movie is bullshit. Only half, when Bruce Willis crashed the helicopter with the police car – that’s not true, of course it’s not possible. But the rest, I am afraid, might well be true. Just read the news, read the news very carefully. And you can find information which explains that what we do, what is done, is done in such a way that unfortunately I don’t sleep well sometimes after such news.

As a result, we have a number of companies which were hacked last year. Well, most of the companies that underwent the attacks are American of course. But there are many victims in Europe, in Asia, in Russia, maybe in China as well, but the Chinese don’t report that at all. Unfortunately this list is much, much longer. The companies simply don’t report that. Another question is – do they need to report that or not? Some people say “Of course yes”, because their customers have to know what’s going on. There is another opinion – don’t ruin police investigation; it could be very dangerous for the police investigation.

And now a little bit more about governments, about national military forces involved in that. News from China: they said that they had so-called Blue Team Forces, cyber military forces. News from the United States – the same. India – they plan to have that as well. What about North Korea? Do they have computers in North Korea? Yes, they have. And they also report that they also have cyber military division. Germany – same plans.

Keith B. Alexander's speech to Congress


And all that looks like a very, very bad Hollywood story. The Head of the United States Cyber Command3 Keith B. Alexander (on the photo) told Congress that cyber weapons could be as dangerous as traditional military weapons, and the result could be as bad as with traditional weapons. And he was not kidding, that’s reality, unfortunately. That’s the reality of this world.

And can we stop that? What to do to minimize the risks at least? Of course I have some ideas. First of all, the most serious issue is attacks on industrial systems, transportation, electric power grid etc. And I think that there must be much more serious government control on the industrial systems: the regulation, the standards, and penalties for engineers and companies which don’t follow regulation.

There should as well be more secure design for industrial systems, including maybe new future secure operating systems, because unfortunately most of the existing systems are not secure at all. There must be new design, new ideas, new innovations in IT, in operating system development. And these systems which are much more secure and protected must be used in critical industrial systems.

It’s not possible to fix the problems only within the national borders. Unfortunately, what I see is national leaders talking about national security only. But we live in the Internet. Internet doesn’t have borders. Unfortunately, it’s not possible to fix the problem only on a national level.

The only right way is international cooperation. Even if your country doesn’t have good enough relationships with some other countries, you must talk about and establish global IT security, Internet security, because if you have someone on the street who does not follow the regulation and there is no police to stop that, you are not protected.

And the cyber police is the next issue. To fight the international cyber crime, to fight the international cyber terrorism, we must have international cyber police forces, I call it Internet-Interpol – the organization which is not under the national regulation but only under international regulation as a part of United Nations maybe, as a division in a traditional Interpol, I don’t know. But this is the only way to fight the bad guys in the Internet.

Internet IDs are also important to stop hooligans and help the police fight cyber criminals. I have been talking about these Internet IDs for many years, maybe 10 years. It was 10 years ago that I said for the first time that it would be a good idea if we had Internet IDs. And people were smiling at me. 5 years ago, they started to listen. 2 months ago, I was in China, and in Beijing airport Wi-Fi is free, but to get access, to get a login and password you need to have a passport, to use a special machine that scans your passport, and then you have the login and password.

In Germany, they have already issued some kind of Internet identification card. And the President of the United States, about half a year ago, spoke about plans to have Internet IDs for every American to build a secure Internet.

But once again, it’s not possible to fix that problem only on a national level, there must be international cooperation.

It’s not possible to overcome cybercrime only on a national level, there must be international cooperation.

For now, we don’t have government regulation on industrial IT systems, secure OS for critical infrastructures, international treaties, Internet-Interpol, Internet IDs. We don’t have any of these. We need them but we don’t have them. The only thing we have is technologies. We have many things to do. And I think it’s not only the task for private companies or the task for the IT security industry, there must be international cooperation on the government level. Without that, I don’t see a good future and blue sky for the next years. Unfortunately, we will see much more very serious incidents, more cybercrime, more cyber terrorist attacks, and maybe cyber wars between some countries.

And because we live in the Internet, a cyber war somewhere far away from your country could affect you as well, because the Internet is the Internet, there are no borders and there are no countries in there. So we depend on IT, our world, and the systems are not designed in a secure way. We just entered the cyber war era, so only global cooperation and coordination and better budgets for IT security are the solution to the problem.

 

1Blaster Worm (also known as Lovsan, Lovesan or MSBlast) was a computer worm that spread on computers running the Microsoft operating systems: Windows XP and Windows 2000, during August 2003.

2Stuxnet is a computer worm discovered in June 2010. It initially spreads via Microsoft Windows, and targets Siemens industrial software and equipment.

3United States Cyber Command (USCYBERCOM) is an armed forces sub-unified command subordinate to United States Strategic Command, located in Fort Meade, Maryland and led by General Keith B. Alexander. USCYBERCOM centralizes command of cyberspace operations, organizes existing cyber resources and synchronizes defense of U.S. military networks.

Co-founder and CEO of “Kaspersky Lab” Eugene Kaspersky delivers a speech called “The threats of the Age of cyber-warfare”, expressing his view of the current state of global cybercrime and illustrating it with observations and evidence of how closely malware-related crime is tied to real-world events.

Today we are here to discuss the problems, explaining our view on the existing situation and the future. This is the main topic of my presentation, and I am going to start.

Well, computers are everywhere. How many computers do you have or use in your life? You don’t know. You don’t know how many computers you have in your car. You don’t know how many computers manage the train, if you take the train to get to New York. You don’t know how many computers manage the elevators in this hotel. Everything is digital, everything is online.

Everything is digital, everything is online.

Entertainment…It’s digital. Oh, well, except poker in Las Vegas. But in Las Vegas, poker is under the control of cameras which are for sure digital and report that to the digital systems.

How many times did you open paper printed encyclopedia last year? Zero. How many times did you open Wikipedia or Wikileaks? As to Wikileaks, usually I say, please don’t publish so much information at the end of Friday, because secret services – they are humans too. They have families and they want to have weekends.

Social lives – well, how many people here in the room have 5 or more accounts in social networks? Well, I understand I am talking to journalists, it’s not fair, okay, okay. But when I am in a business audience, or I deliver a speech to students in universities, if someone raises the hand, I ask security to catch that person and to write down the name, to report that to the employer or to the professor.

If you are in 5 social networks, do you have time to sleep? Usually no, especially students. The students now don’t have time to live. When I was a student, I had to split my life into 2 pieces: education and girls. Now it’s education, Internet, and girls – it’s crazy. The problem is that many people mix private and social life. And this is also a very serious security issue but it’s a little bit outside of the mainstream. But talking about social networks and private information, I think that there has to be more government control and regulation on social networks, because so many people publish a lot, so many criminals, including traditional criminals, use social networks for bad things. And revolutions are also managed through social networks.

Do you imagine a business that doesn’t have computers, which doesn’t have access to the Internet? Every business must pay taxes, that’s it. So only businesses which don’t pay taxes can be Internet free. So every legal business is connected.

The world is online:

- Entertainment

- Knowledge

- Social Life

- Private Life

- Businesses, Services

- Governments

- Industrial Systems

Governments are another issue. Governments want to be online. And a very serious problem is that the new generation wants to be 100% online. And if you don’t have Internet government or online government, if you don’t have Internet voting, then the new generation, kids – they will never go to the election office. If there is no online service, they will never go to vote. If you don’t have secure online voting, Internet passports – that will be the end of democracy. Well, this is also a very special topic, and maybe we will discuss that later.

Industrial systems – unfortunately, or fortunately, all these systems, well, they are not online, but it’s possible to bring USB, so they are partly online. And unfortunately, it’s a very, very big danger, and I have some examples of what’s already happened because of the security issues with industrial systems.

So, everything is online, and unfortunately everyone, every business, every person is under the attack. There are so many targets: individuals, governments, businesses. And there are 3 main sources of these attacks.

The first source is not so serious, that’s just script kiddies1, vandals. Still there are kids who develop malware just for fun, like in the past. But less and less kids are doing that, because they don’t have time, they play computer games. In the past, these kids were presenting themselves, they wanted to make themselves proud because they wrote a super computer virus. Not anymore. They play computer games, they grow into super heroes in computer games.

Sources of cyber threats:

- Hacktivists

- Cyber criminals

- Cyber combatants

There are hacktivists, which are also some kind of vandals. Is there any difference between the gangs which crash shops on the streets and the people which do the same in the Internet? There’s almost no difference: same motivation, they protest; but people in the Internet don’t really understand that they do almost the same things.

The second source is cyber criminals. I needn’t explain what cybercrime is and who cyber criminals are. Just read police reports and the stories, investigations, arrests, sometimes pictures.

And the third source is organizations, governments or individuals which attack the Internet in very different ways with cyber weapon, with distributed DoS attacks, which develop spying software to steal critical information. Unfortunately, we are getting more and more reports about that.

Global cyber criminals


So, a little bit about online crime. First of all, it’s global. It’s not just Chinese cyber criminals, it’s not only Russian cyber criminals – it’s global. Of course there are more cyber criminals in Asia, in Russia, in Latin America than in Europe or in the United States. But if you look at these faces, these pictures of criminals, you can see quite different faces: Americans, Russians, Palestinian… It’s everywhere. Computers are everywhere, Internet is everywhere, except Antarctica, I was there and checked, there was almost no Internet. So maybe Antarctica is the only region free of cybercrime, but the rest isn’t – it’s everywhere.

Screenshot of a web page selling botnets

Unfortunately, it’s very effective, it’s possible to stop a country with the help of malware. It’s organized. This is a very, very old screenshot (see image) but I like it, because it’s a part of the business, it’s a gang which develops botnets2 and trades these botnets. So actually this is a price list: how many bots you want to use, how many days you want to use these botnets. There’s an ICQ number for technical support; there is also something about discounts if you buy the service 2 or 3 or more times; Terms of Service.

That’s a business. There is B2C (business to customers), B2B (business to business), well, I call this C2C – criminals to criminals. That’s organized world, huge well organized world with a lot of money in there, and it’s very profitable.

Car accident in Moscow, 19-year-old cyber criminal deceased in his BMW


This picture here shows the consequences of illegal street race in Moscow. Believe me, Moscow doesn’t look like this everyday. So there were a couple of Russian cyber criminals in that car. It’s a new BMW 7. One of them died in this incident, he was 19 years old. A 19-year-old boy driving a new BMW. They have lots of money.

Unfortunately, these guys have much more money than software engineers, than IT security software engineers. This is the answer to the question. Will cyber criminals be looking for a job in your company? Never, because they have much more money, unfortunately.

And it is easy to do because it’s just software, the Internet. They don’t need to invest too much, and they don’t have physical contact with victims. That makes the life of cyber criminals very simple. And it’s low risk. If they have enough brains, they can do it in such a way that it is very, very difficult to find them, to trace them.

They attack from different countries using proxy servers, and in some cases they don’t attack victims in their own country. They don’t want local police to have calls from local victims. Some of these guys are extremely clever. We still don’t know the names of the criminals who were responsible for some very big attacks like Conficker3, or Kido, attacks in the past, with 10 million infected proxy servers. I still don’t know the names. They were very professional people.

So it’s global, it’s very effective, organized, profitable, easy to do, no risk… of course there will be more and more cyber criminals. And also, keep in mind that there are more and more Internet users from very poor countries. And we live in the same territory, in the same city, on the same streets.

Annual global financial impact of malware-based cybercrime amounts to about $100 billion.

So, I don’t know how much money we lose because of that, because cyber criminals don’t report their financial figures. I am sure Gartner4 doesn’t have reports from cybercrime gangs. However, we tried to count, to approximate the financial impact, and we got the number – 100 billion dollars. And this is only from the cybercrime based on malware. Spam, credit cards, trading counterfeit stuff – it’s not counted. Only the cybercrime business which is based on malware costs the global economy at least 100 billion dollars a year. So, if it’s 500 billion for all cybercrime, I am not surprised. And compared with that disaster in Japan, they said it was about a 300-billion-dollar impact – every year we have at least one tsunami impact on the global economy.

To be continued…
 

1Script kiddie is a derogatory term used to describe those who use scripts or programs developed by others to attack computer systems and networks and deface websites.

2Botnet is a collection of compromised computers, each of which is known as a ‘bot’, connected to the Internet and used for cybercrime purposes.

3Conficker, also known as Downup, Downadup and Kido, is a computer worm targeting the Microsoft Windows operating system that was first detected in November 2008. It uses flaws in Windows software and dictionary attacks on administrator passwords to propagate while forming a botnet.

4Gartner, Inc. (NYSE: IT) is an information technology research and advisory firm headquartered in Stamford, Connecticut, United States.