Showing posts with label existential risks. Show all posts

Saturday, September 06, 2008

Cyber crime: an economic problem

During ISOI 4 (hosted by Yahoo! in Sunnyvale, California) whenever someone made mention of RBN (the notoriously malicious and illegal bulletproof hosting operation, the Russian Business Network) folks would immediately point out that an operation just as bad was just "next door" (40 miles down the road?), working undisturbed for years. They spoke of Atrivo (also known as Intercage). The American RBN, if you like.

In fact, while many spam operations use botnets and operate all around the world, a lot of the big players own their own network space and operate hosting farms, which are constant and "legitimate", right in the US--for years now.

While we may not be able to make contact and mitigate incidents in some countries, these operations inside the United States of America run undisturbed. They register thousands of domain names every day and fuel a whole economy, starting with spam, continuing with phishing, malware and DDoS attacks, and ending in child pornography and more spam.

Background
For years now the Internet has been getting increasingly "dirty". It isn't just about the thousands and millions of concurrent security incidents (automated, malicious-code-based and other) happening every minute of every day.

It isn't even about the next stage, the botnets and massive fraud attacks. It's about the problem not changing. The Bad Guys (TM) or miscreants as some of us tend to call them (I prefer criminals) are a business. They have R&D, operations, outsourcing and so on. They collect statistics to make sure their revenue stream is maintained, and act to rectify the situation if it isn't.

They (ab)use the Internet for their business, but have shown, in old Russian war style, that if you go against them they are not afraid of destroying this revenue stream called the Internet. Scorched Earth is an acceptable strategy. The criminals have established a working deterrence on the Internet: unlike us, they are willing and capable of using their power and letting the Internet go (root server attacks, the Blue Security incident, etc.).

To change this equation the first realization we had was that this is an economic problem.

Changing the Economic equation
To impact their business you have to change how they treat it. This comes down to a basic cost vs. benefit calculation:
  • Cost (earning less or spending more)
  • Benefit (earning more or losing less)
Meaning, if it costs them one cent to send out 10 million spam messages, they are already spending more than they should. If they only earn a million USD a day, they are behind schedule for their quarterly revenue goals. Asymmetrical much? :)

Anecdote: some UK banks lose over a million POUNDS each every DAY during phishing and banking malware attack waves.

We used to be able to impact their cost by "killing" their botnets, or making sure phishing sites stayed "on the air" for less time.

They have contingencies, design and operations to ensure they are never "down". They register domains for use just for a few minutes, and then discard them. Their botnets immediately jump to a new location if one "goes down", if it wasn't just a temporary location to begin with.

Graceful degradation is terminology not reserved just for the House of Representatives.

This isn't always necessary, though. When "bullet proof" hosting is found, they don't need to jump around. For example, some phishing sites hosted on Atrivo's IP space have been up and running since early 2007.

By taking down malicious sites, or as we like to call it, whack-a-mole (it just pops up somewhere else), we played the game, and they got better at what they did--they evolved.

The answer was: law enforcement. If the RISK factor became high enough, we could change the economics of the problem space.

Unfortunately, while it has good intentions and good people, law enforcement is:
  • Considerably under-staffed
  • Hardly able to communicate inside the US
  • Barely able to communicate with agencies in other countries
  • When able to communicate, it often takes up to a year (unless they go off the books and talk to the folks directly rather than through Interpol)
  • When successful, often takes years (more than two) to build a case
  • Then, success is rare in comparison to the number of incidents
So what are we to do?

Law enforcement vs. maintaining our networks
At some point every network operator comes to this fork in the road. "Do I maintain my network and kick this SOB off my network, or wait for law enforcement?"

The answer should be self-evident by now, best intentions included.

This ties back in to the current situation with Atrivo / Intercage, which we will discuss later.

Gadi Evron.

Follow me on twitter! http://twitter.com/gadievron

Thursday, August 21, 2008

House Armed Services Committee discussion on EMP

A friend of mine recently brought to my attention the 2008 report of the Commission to Assess the Threat to the United States From Electromagnetic Pulses (EMP) Attack. That report is dated April 2008, but the US House Armed Services Committee held hearings on that report July 10th, 2008.

The 2008 report (208 pages/7MB+) is available from
http://www.empcommission.org/reports.php
A video copy of the House Hearings in Windows Media format is available from
http://armedservices.house.gov/hearing_information.shtml

I listened to it once, and then a second time to get the quotes I wanted. It is especially interesting to those of us who study effecting change and existential risks.

Event mentioned:
August 13 2003--A power transmission line got hot, sagged down, touched a tree and shorted to ground. Within the next hour 2000 megawatts of generating capacity were looking for a route to get to the northern US. The whole North-East was blacked out.

Nice buzzword/terminology:
Graceful degradation

Facts and "realistic" assessments mixed in, shared:
1. Estimation of an approximately 90% death toll is possible "within parameters"
2. Estimation of a year and a half to order replacement equipment for key systems, from abroad
3. Tested, estimation of 10% of cars to stop working, most (not all) to restart regularly
4. Launch over the Caspian sea and tests of the Shahab 3 to detonate in orbit show EMP intentions; no other explanations come to mind
5. Explicit Iranian doctrine including EMP
6. It doesn't take advanced or large-yield nuclear weapons
7. China and Russia have been developing such EMP devices, as opposed to their Cold War strategies
8. With a Scud B you could cover one of the coasts
9. Estimated we'd have three days' supply of food

Mentioning of (not explored further):
"Intelligence interdiction and deterrence"
"Deter, dissuade, and if necessary intercept"

My favorite quotes:
"This report presents the results of the commission's assessment of an EMP attack to our critical national infrastructures sometimes referred to as civilian infrastructures, but since they are as important to our military capabilities and our national security as they are to our civilian economy and citizenship we chose to call it critical national infrastructures." -- Dr. William R. Graham, Chair, Commission to Assess the Threat to the United States from Electromagnetic Pulse (EMP) Attack before the House Armed Services Committee hearing on EMP, July 10, 2008.
The subject of critical infrastructure is dear to my heart, and I've challenged its definition in the past year, following the "Estonian war" incident.
"EMP is one of a small number of threats that can hold our society at risk of catastrophic consequences. A well coordinated and wide-spread cyber attack is another potential example." -- Dr. William R. Graham, Chair, Commission to Assess the Threat to the United States from Electromagnetic Pulse (EMP) Attack before the House Armed Services Committee hearing on EMP, July 10, 2008.
Dr. Graham putting cyber attacks right beside the nuclear (EMP) strategic threat.
"Our vulnerability is increasing daily as our use and dependence on electronics and automated systems continues to grow." -- Dr. William R. Graham, Chair, Commission to Assess the Threat to the United States from Electromagnetic Pulse (EMP) Attack before the House Armed Services Committee hearing on EMP, July 10, 2008.
Although mentioned in relevance to EMP, it reflects well the vulnerability advanced countries face in a connected world, as I discuss in my Georgetown Journal of International Affairs article about the "Estonian war" [PDF].
"The impact of EMP is asymmetric in relation to potential adversaries who are not as dependent on modern electronics as we are." -- Dr. William R. Graham, Chair, Commission to Assess the Threat to the United States from Electromagnetic Pulse (EMP) Attack before the House Armed Services Committee hearing on EMP, July 10, 2008.
They can get us, we can't necessarily get them. Georgia is equivalent to "them" here, in being less reliant on the Internet and thus suffering mostly a PR and communications blow in the recent cyber attacks incident in Georgia.
"The current vulnerability of our critical infrastructures can both invite and reward attack if not corrected." -- Dr. William R. Graham, Chair, Commission to Assess the Threat to the United States from Electromagnetic Pulse (EMP) Attack before the House Armed Services Committee hearing on EMP, July 10, 2008.
Being vulnerable and not working on a correction not only fails to deter an attack, it invites one. Assuming the other side isn't aware of this vulnerability is false, and yet statements have been made that discussing it is a mistake.

When writing the post-mortem analysis for the Estonian CERT, I wanted to avoid a certain issue as it places a target on the backs of the local banks. The Estonian mentality of "if you write about it, we can fix it" truly surprised me.

It is a culture which has secrets and a place for security agencies, but puts full disclosure as part of its ideology.
"It's unlikely my home will burn but I would not sleep well if I did not have an insurance policy. I don't hire somebody to stand there watching for a fire to yell fire! fire! but I do have an insurance policy. That's what I'd like my nation to have for EMP protection." -- Rep. Roscoe Bartlett, House Armed Services Committee hearing on EMP, July 10, 2008.
You can't always protect against everything, but you can plan for most of it.
[Answering on whether EMP is the most asymmetric attack possible] "One as I mentioned was a cyber attack, possibly a very wide-spread and contagious biological attack, but this is one of a very small set and very asymmetric." -- Dr. William R. Graham, Chair, Commission to Assess the Threat to the United States from Electromagnetic Pulse (EMP) Attack before the House Armed Services Committee hearing on EMP, July 10, 2008.
Dr. Graham putting cyber attacks right beside the nuclear (EMP), and the biological, strategic threats.
When asked: "Why is there so little interest on the part of our leadership to do something about it? Is it just too hard, they just don't want to face it?" -- Asked by Rep. Roscoe Bartlett, Dr. William R. Graham answered:

"It might be better to ask a sociologist than an engineer and physicist that question, but it falls into the category of a problem which hasn't happened yet. Certainly our ability to predict very unusual and significant events whether it's Pearl Harbor, the start of the Korean war, 9/11 and whatever, we have, to paraphrase Winston Churchill "much to be humble about" in our ability to predict these events before they happen. Of course once they happen then there tends to be massive response, but somehow it's just not within our character and our society to look for these events before they occur." -- Dr. William R. Graham, Chair, Commission to Assess the Threat to the United States from Electromagnetic Pulse (EMP) Attack before the House Armed Services Committee hearing on EMP, July 10, 2008.
This brings to mind one of my favorite quotes:
"My biggest obstacle is people's unrealistic belief that if a given disaster hasn't happened yet, it won't ever happen."
--Scott Borg, director and chief economist, U.S. Cyber Consequences Unit

Humans are reactive beings, and we kill fires. In fact, most human endeavor is so busy with current and "interrupting" events that little room is left to think about or follow through on long-term strategy.

Before a disaster occurs, you're crying wolf. After it does you're one hair on the back of one sheep asking for calm in a huge panicky herd.

Convincing people a threat is real isn't easy either. Those who do believe you may want live examples (show me a PowerPoint presentation of a live exploit!), or may have an interest in how this may impact them, their budget, and their work-load.
"This may be the all-time asymmetric threat but it is also the all-time esoteric threat" - Rep. John Spratt, House Armed Services Committee hearing on EMP, July 10, 2008.
Yeah, it's huge in being scary and potential impact, but how likely is it compared to everything else? Can we afford to ignore it even so?
"Affordability is like beauty, it tends to be in the eye of the beholder" -- Dr. William R. Graham, Chair, Commission to Assess the Threat to the United States from Electromagnetic Pulse (EMP) Attack before the House Armed Services Committee hearing on EMP, July 10, 2008.
Beautiful analogy.
"If you are preparing for something like this in advance, say years ahead, you're now a patriot, you're stimulating the economy, but if you do it hours before it happens, now you're a hoarder [and] you're doing exactly the same thing and timing is critical." -- Rep. Roscoe Bartlett, House Armed Services Committee hearing on EMP, July 10, 2008.
Brilliant summary of existential risks, as viewed by the public and by decision makers.

Gadi Evron,
ge@linuxbox.org.

Follow me on twitter! http://twitter.com/gadievron