Saturday, August 30, 2008

Friday, August 29, 2008

Washington Post: Atrivo/Intercage, why are we peering with the American RBN?

This Washington Post story came out today:
http://voices.washingtonpost.com/securityfix/2008/08/report_slams_us_host_as_major.html

In it, Brian Krebs discusses the SF Bay Area based Atrivo/Intercage, which has long been named as a bad actor, accused of shuffling abuse reports to different IP addresses and hosting criminals en masse, and often compared to RBN in maliciousness. "The American RBN", if you like.

1. I realize this is a problematic issue, but when it is clear a network is so evil (as the story suggests they are), why are we still peering with them? Who currently provides them with transit? Are they aware of this news story?

If Lycos' make spam not war and Blue Security's Blue Frog were run out of hosting continually, this has been done before to some extent. This network is not in Russia or China, but in Silicon Valley.

2. On a different note, why is anyone still accepting their route announcements? I know some among us re-route RBN traffic to protect users. Do you see this as a valid solution for your networks?

What ASNs belong to Atrivo, anyway?

Does anyone have more details as to the apparent evilness of Atrivo/Intercage, and who can verify these reports? As researched as they are, and my personal experience aside, I'd like some more data before coming to conclusions.

Hostexploit released a document [PDF] on this very network, just now, which is helpful:
http://hostexploit.com/index.php?option=com_content&view=article&id=12&Itemid=15

Gadi Evron,
ge@linuxbox.org.

Follow me on twitter! http://twitter.com/gadievron

Thursday, August 28, 2008

Public sharing and a new strategy in fighting cyber crime

A couple of years ago I started a mailing list where folks not necessarily involved with the vetted, trusted, closed and snobbish circles of cyber crime fighting (some founded by me) could share information and be informed of threats.

In this post I explore some of the history behind information sharing online, and explain the concept behind the botnets mailing list. Feel free to skip ahead if you find the history boring. Also, do note the history in this post is mixed with my own opinions. As I am one of the only people who were there in the beginning, though, and lived through all of it, I feel free to do so (in my own blog post).

As I conclude, we may not be able to always share our resources, but it is time to change the tide of the cyber crime war, and strategize. One of the strategies we need to use, or at least try, is public information sharing of "lesser evils" already in the public domain.

History
It was my strong conviction that the bad guys (criminals!) already had access to all this data--now we know they do, and further, could test their own creations against anti virus detection (on their own to see they are not detected or using a tool such as VirusTotal). They could use honey pots and any number of other sources of public information. Then, they could also always measure success ratios--they do.

On the other hand, the Good Guys™ did not share. What sharing did happen was very limited and limiting. Aside from that, because it was so scarce, it was (and to a level still is) kept secret to a select group of friends. Others would not be allowed in very easily, nor should they, for obvious trust issues.

System administrators and security researchers had to get their information from their own logs or public reports of limited value from vendors. This secrecy also had the consequence of the public not being aware a cyber crime problem even exists and later on, always being roughly three to six years behind the curve on accepting what is actually happening.

By extension, when after the Estonian "war" many countries and organizations became, literally, scared, they started creating tech policy based on misconceptions and information glimpsed from the news media and vendor reports.

The black hat effect
The anti virus industry has a history of being strict on sharing. That is as it should be and quite proper. In the early 1990s there used to be roughly one virus released every month. Then someone released a study on one, and within a month 50 new variants came out. Disclosure was a bad idea. However, times, they are a-changing.

When malware can be found by anyone running a honey pot, surfing the web, opening their inbox or Googling for it, the strong restrictions on sharing made little sense as far as "aiding the bad guys" (read: criminals). The strong argument remaining to be strict on sharing was "we are not black hats, we are careful with these things!"

This is fine, and acceptable. It is also burying our heads in the sand. While sympathetic, change was required as the big worms were out (circa 2003-4) and security professionals all over the world had no information. Worse, when most security vendors and therefore the media were concentrating on the big worms, exponentially bigger botnets were out there, undisturbed.

A new industry formed which would later be called "Anti Trojan", as they would detect these bots (Trojan horses) and remove them, while many anti viruses considered them:
1. Not their job to detect.
2. Not viruses.
3. "Garbage files".

Beginning 1997, I made many approaches and tried to get the AV industry involved, telling them they were only detecting 20 to 30 per cent of all malware, to no avail. In 2004-5 they started playing catch-up. This happened again two to three years late with spyware (new industry, two years late to the game, etc.) and two to three years late with rootkits.

At that point in time active sharing was established between vendors (not just AV), academia and others. Companies such as Checkpoint, Cisco or "God forbid" Microsoft had "no business" dealing with samples according to the AV industry, as they went elsewhere, with people such as myself driving this sharing and, yes, taking the heat.

The strict sharing policies had an extra motive (on the part of the AV industry), which made little sense except for business sense. They had every marketing intention of maintaining an iron grip on malware samples, so that only they could sell products and control the information flow. It was brilliant for a few years, but they also marginalized themselves and were forced to become more generic security vendors to catch up, due to an inability to change in time.

They now had massive competition and were out of touch. This reminds me of the copyright wars in the music industry.

This grip was broken as such information became readily available (which was, as mentioned, ignored by the AV community). I can take a very big part of the credit for breaking this iron grip, by facilitating sharing communities where vendors, researchers, law enforcement and others not directly of the AV world could exchange samples as well as analysis. Being a part of the AV world, this made me persona non grata to some, but thankfully not for more than a year or so.

Still, vetting and silence were a pre-requisite in the newly formed communities. Trust was key. Some of the new mailing lists and communities formed by me were DA and MWP. Later copy-cats include malaware and II (not as vetted, but now more relevant as far as malware sharing goes).

Others still would have to create their own communities, such as the ISP world, fighting this problem on the network side. They would later on not accept the researchers, much like the researchers would not accept them--for the very same reasons, and only to change their minds once these folks started working on their own (on mailing lists such as DA and MWP).

No one wants to be considered a black hat, but times change and necessities facilitate evolution.

Sharing C&C information
It was a long journey, but we kept running into the same problems. We'd be fighting malware infecting a hundred thousand to three million users a day, with hundreds such incidents every single day. Yet, the public did not know about it, and the security vendors would be behind--concentrating naturally on their own niche.

We changed the world, enabled better sharing and created new trust models. And still, we would not truly cooperate. Cooperation and resource sharing aside (after all, many in the industry have financial agendas, as they should), we could not get the bigger picture straightened out. We needed to share intelligence on millions of stolen identities every day, but still couldn't get this malware sharing out of the way.

Command and control (C&C or C2) for botnets, for example, was information barred and restricted by the security and network operations communities now newly formed. After all, sharing would cause us to help the criminals. No? More than that, we'd no longer have control.

Much like with the AV industry before them, the anti terrorism folks in government and any other reactive fighters, the ISPs and operations professionals--me included--were indeed doing great work. We'd be fighting malware and botnets, but the problems just got worse, even if we were more organized.

A couple of years later, getting these C&Cs off-line was no longer useful, as they had graceful degradation and backup, immediately "jumping" somewhere else, undisturbed.

New researchers and organizations were refused acceptance once again, and started working on the problem on their own, sharing their information and eventually out-growing the original communities now set in their ways. Such is the way of the world. This showed me how sometimes diversity, rather than cooperation, can be great. Repeating mistakes and seeing how they no longer are mistakes due to a changed landscape was something I now appreciated.

My advocacy was to treat C&Cs as intelligence sources rather than targets, but the intelligence discussion is for another time in another post.

Soon, C&C information was publicly available, and yet--to the public and policy makers, the cyber crime problem did not exist.

Enter the botnets@ mailing list
It was time for a change. Facing much resistance I created a public mailing list where the public, the sysadmins and the security researchers could share information, learn and fight cyber-crime.

The response was staggering. Dozens of contributors emailed in with detailed information, and yet--we felt uncomfortable about it. We treated folks like they were doing something wrong sharing in public, and sent mixed messages.

New groups were formed, and older groups got new recruits (such as Shadowserver, which the mailing list helped). It was still a win situation, but the mailing list had to go.

Today, about two years later, the botnets mailing list has been revived and in the past day the response has once again been staggering.

Folks share their information, get informed of new threats in a language they understand (tech) and talk to each other. Moreover, they understand the risks, and the ugly face of Internet security is out there for all to see. This time we need to be ready to accept this change.

Public fighting
Sharing information with the public has always been something I was personally attacked for, and yet, how else are you supposed to win a war if the people you fight for don't even know it is happening, or needed?

Last year, Estonia was attacked on the Internet by Russians [PDF]. It cannot be proven whether it was a public uprising, Internet-style, or state-sponsored action. Still, it re-affirmed some of my beliefs about affecting change and community forming.

To fight a war, you have to be involved and engaged. On the Internet that is very difficult, but the Russians found a way. It is a fact that while we made much progress in our efforts fighting cyber crime, we had nearly no effect whatsoever on the criminals and the attackers. None. They maintain their business and we play at writing analysis and whack-a-mole.

Using the botnets mailing list, I am borrowing a page from the apparent Russian cyber war doctrine, getting people involved, engaged. Personally aware and a part of what's going on.

It can't hurt us, and perhaps now, four years over-due and two years after the previous attempt, we may be ready to give it a go and test the concept.

Perhaps now regular malware can become something regular professionals deal with, low AV detection of samples can become public knowledge, and vetted communities can think strategically and respond to more problematic matters such as intelligence handling of millions of stolen identities, or criminal organizations operating--not only in Russia and China, but from the San Francisco bay area.

We may not be able to always share our resources, but it is time to change the tide of the cyber crime war, and strategize. One of the strategies we need to use, or at least try, is public information sharing of "lesser evils" already in the public domain.

Gadi Evron.

Follow me on twitter! http://twitter.com/gadievron

Thursday, August 21, 2008

House Armed Services Committee discussion on EMP

A friend of mine recently brought to my attention the 2008 report of the Commission to Assess the Threat to the United States From Electromagnetic Pulse (EMP) Attack. That report is dated April 2008, but the US House Armed Services Committee held hearings on that report July 10th, 2008.

The 2008 report (208 pages/7MB+) is available from
http://www.empcommission.org/reports.php
A video copy of the House Hearings in Windows Media format is available from
http://armedservices.house.gov/hearing_information.shtml

I listened to it once, and then a second time to get the quotes I wanted. Especially interesting to those of us who study affecting change and existential risks.

Event mentioned:
August 13 2003--Power transmission line got hot, sagged down, touched a tree and shorted the ground. Next hour 2000 megawatts of generating capacity were looking for a route to get to the northern US. Whole North-East was blacked out.

Nice buzzword/terminology:
Graceful degradation

Facts and "realistic" assessments mixed in, shared:
1. Estimation of approximately 90% death toll is possible "within parameters"
2. Estimation of a year and a half to order replacement equipment to key systems, from abroad
3. Tested, estimation of 10% of cars to stop working, most (not all) to restart regularly
4. Launch over Caspian sea and tests of Shahab 3 to detonate in orbit show EMP intentions, no others come to mind
5. Explicit Iranian doctrine including EMP
6. It doesn't take advanced or large-yield nuclear weapons
7. China and Russia have been developing such EMP devices, as opposed to their Cold War strategies
8. With a Scud B you could cover one of the coasts
9. Estimated we'd have three days supply of food

Mentioning of (not explored further):
"Intelligence interdiction and deterrence"
"Deter, dissuade, and if necessary intercept"

My favorite quotes:
"This report presents the results of the commission's assessment of an EMP attack to our critical national infrastructures sometimes referred to as civilian infrastructures, but since they are as important to our military capabilities and our national security as they are to our civilian economy and citizenship we chose to call it critical national infrastructures." -- Dr. William R. Graham, Chair, Commission to Assess the Threat to the United States from Electromagnetic Pulse (EMP) Attack before the House Armed Services Committee hearing on EMP, July 10, 2008.
The subject of critical infrastructure is dear to my heart, and I've challenged its definition in the past year, following the "Estonian war" incident.
"EMP is one of a small number of threats that can hold our society at risk of catastrophic consequences. A well coordinated and wide-spread cyber attack is another potential example." -- Dr. William R. Graham, Chair, Commission to Assess the Threat to the United States from Electromagnetic Pulse (EMP) Attack before the House Armed Services Committee hearing on EMP, July 10, 2008.
Dr. Graham putting cyber attacks right beside the nuclear (EMP) strategic threat.
"Our vulnerability is increasing daily as our use and dependence on electronics and automated systems continues to grow." -- Dr. William R. Graham, Chair, Commission to Assess the Threat to the United States from Electromagnetic Pulse (EMP) Attack before the House Armed Services Committee hearing on EMP, July 10, 2008.
Although mentioned in relevance to EMP, it reflects well the vulnerability advanced countries face in a connected world, as I discuss in my Georgetown Journal of International Affairs article about the "Estonian war" [PDF].
"The impact of EMP is asymmetric in relation to potential adversaries who are not as dependent on modern electronics as we are." -- Dr. William R. Graham, Chair, Commission to Assess the Threat to the United States from Electromagnetic Pulse (EMP) Attack before the House Armed Services Committee hearing on EMP, July 10, 2008.
They can get us, we can't necessarily get them. Georgia is equivalent to "them" here, in being less reliant on the Internet and thus suffering mostly a PR and PR communication blow in the recent cyber attacks incident in Georgia.
"The current vulnerability of our critical infrastructures can both invite and reward attack if not corrected." -- Dr. William R. Graham, Chair, Commission to Assess the Threat to the United States from Electromagnetic Pulse (EMP) Attack before the House Armed Services Committee hearing on EMP, July 10, 2008.
Being vulnerable and not working on a correction not only fails to deter an attack, but invites it. Assuming the other side isn't aware of this vulnerability is, in this case, false, and yet statements have been made that discussing it is a mistake.

When writing the post-mortem analysis for the Estonian CERT, I wanted to avoid a certain issue as it places a target on the backs of the local banks. The Estonian mentality of "if you write about it, we can fix it" truly surprised me.

It is a culture which has secrets and a place for security agencies, but puts full disclosure as part of its ideology.
"It's unlikely my home will burn but I would not sleep well if I did not have an insurance policy. I don't hire somebody to stand there watching for a fire to yell fire! fire! but I do have an insurance policy. That's what I'd like my nation to have for EMP protection." -- Rep. Roscoe Bartlett, House Armed Services Committee hearing on EMP, July 10, 2008.
You can't always protect against everything, but you can plan for most of it.
[Answering on whether EMP is the most asymmetric attack possible] "One as I mentioned was a cyber attack, possibly a very wide-spread and contagious biological attack, but this is one of a very small set and very asymmetric." -- Dr. William R. Graham, Chair, Commission to Assess the Threat to the United States from Electromagnetic Pulse (EMP) Attack before the House Armed Services Committee hearing on EMP, July 10, 2008.
Dr. Graham putting cyber attacks right beside the nuclear (EMP), and the biological, strategic threats.
When asked: "Why is there so little interest on the part of our leadership to do something about it? Is it just too hard, they just don't want to face it?" -- asked by Rep. Roscoe Bartlett, Dr. William R. Graham answered:

"It might be better to ask a sociologist than an engineer and physicist that question, but it falls into the category of a problem which hasn't happened yet. Certainly our ability to predict very unusual and significant events whether it's Pearl Harbor, the start of the Korean war, 9/11 and whatever, we have, to paraphrase Winston Churchill "much to be humble about" in our ability to predict these events before they happen. Of course once they happen then there tends to be massive response, but somehow it's just not within our character and our society to look for these events before they occur." -- Dr. William R. Graham, Chair, Commission to Assess the Threat to the United States from Electromagnetic Pulse (EMP) Attack before the House Armed Services Committee hearing on EMP, July 10, 2008.
This brings to mind one of my favorite quotes:
"My biggest obstacle is people's unrealistic belief that if a given disaster hasn't happened yet, it won't ever happen."
--Scott Borg, director and chief economist, U.S. Cyber Consequences Unit

Humans are reactive beings, and we kill fires. In fact, most human endeavor is so busy with current and "interrupting" events that it fails to think about or follow through on long-term strategy.

Before a disaster occurs, you're crying wolf. After it does you're one hair on the back of one sheep asking for calm in a huge panicky herd.

Convincing people a threat is real isn't easy either. Those who do believe you may want live examples (show me a PowerPoint presentation of a live exploit!), or may have an interest in how this may impact them, their budget, and their work-load.
"This may be the all-time asymmetric threat but it is also the all-time esoteric threat" -- Rep. John Spratt, House Armed Services Committee hearing on EMP, July 10, 2008.
Yeah, it's huge in being scary and potential impact, but how likely is it compared to everything else? Can we afford to ignore it even so?
"Affordability is like beauty, it tends to be in the eye of the beholder" -- Dr. William R. Graham, Chair, Commission to Assess the Threat to the United States from Electromagnetic Pulse (EMP) Attack before the House Armed Services Committee hearing on EMP, July 10, 2008.
Beautiful analogy.
"If you are preparing for something like this in advance, say years ahead, you're now a patriot, you're stimulating the economy, but if you do it hours before it happens, now you're a hoarder [and] you're doing exactly the same thing and timing is critical." -- Rep. Roscoe Bartlett, House Armed Services Committee hearing on EMP, July 10, 2008.
Brilliant summary of existential risks, as viewed by the public and by decision makers.

Gadi Evron,
ge@linuxbox.org.

Follow me on twitter! http://twitter.com/gadievron