
Monday, October 06, 2008

Information warfare and defending organizations from computer espionage

This blog post is about computer-based espionage, and how we can defend our organizations against it. But I'd like to start from a mood piece of sorts.

There has been too much noise about information warfare lately. If we put DDoS (Distributed Denial of Service) and defacement attacks (such as in Estonia [PDF]) out of mind, the following two stories (coincidentally left to rot as Firefox tabs in my browser for the past two months) give a better understanding of what it is really about, without resorting to more scary stories about what China is, or isn't, doing.

We'll also touch on other interesting cases, such as the Israeli Trojan horse case, when we talk about defensive measures against computer-based espionage and targeted attacks.

The first is a report (without much detail or proof) on North Korea being involved in operations against South Korea using Trojan horses for espionage:
http://www.networkworld.com/community/node/32202

The second is a lesson from history called The Farewell Dossier.

From Wikipedia:
The Farewell Dossier was a collection of documents containing intelligence gathered and handed over to NATO by the KGB defector Colonel Vladimir Vetrov (code-named "Farewell") in 1981-1982, during the Cold War.

...

This information led to a mass expulsion of Soviet technology spies. The CIA also mounted a counter-intelligence operation that transferred modified hardware and software designs over to the Soviets, resulting in the spectacular trans-Siberian incident of 1982. The details of the operation were declassified in 1996.
The resulting explosion was so big, it was supposedly mistaken for a nuclear explosion by American decision makers until the CIA said: "oh, that's one of our operations."

A quote from this article puts it in a computer security perspective:
In June 1982, in a remote patch of Russian wilderness, a huge explosion ripped apart a trans-Siberian pipeline.

It wasn't a bomb that destroyed the natural gas pipeline and sent shock waves through the economy of what was then the Soviet Union. Instead, it was a software virus created by the CIA, according to a book by Thomas Reed, a former U.S. Air Force secretary and National Security Council member.

What does this mean?

While incapacitating and destruction-based attacks are certainly of significance, and important to defend against as they impact us directly, regardless of who the attacked party is or where in the world they are (DDoS attacks harm the Internet and its users), smarter, quieter attacks are all around us. How do we defend against them?

I expect most information warfare acts to be targeted, quiet, and covert. Espionage, or spying if you like, is not relevant to us unless we are the target. The diplomats and the intelligence communities of different countries can figure it out for us. It is an old occupation, and well covered by international law. Computers are simply another tool, or capability, to be used by these same people. There is nothing new here as far as how the game is played.

And yet, what if you are a target?

Recognizing there is a threat

You may have to defend against computer-based espionage for your own employer. Recent case studies, as well as research, have shown industrial espionage is indeed a big deal, and here are two examples.

One famous case from a few years ago, which I had the unfortunate opportunity to study, led incident response for in the Government, and briefed Fortune 100 companies on, is the Israeli Trojan horse case.

Leading IT companies (most of which were local Israeli branches of Fortune 100 companies) were spied on using a Trojan horse built by an incompetent programmer, leaving traces of itself everywhere on the affected systems. This went on for a long period of time, undetected by any of these companies.

The issue was only detected by chance, when the creator of the Trojan horse used it for his own private purposes, and it was discovered during the investigation into this harassment case. The stolen information was fed directly to their competitors, which was most of the rest of the Israeli IT industry. The services themselves were rendered by civilian intelligence and investigation firms.

In another Israeli case, the attackers broke into a local branch of the Post Office (also a small bank in Israel) and placed a wireless gateway connected to a switch inside. Through it they stole a few tens of thousands of Shekels in the few days they were in operation (the Israeli Post Office is a sort of a small bank). This case was also broken by complete chance; originally, as nothing was stolen, it was to be ignored by the bank and local authorities.

In other cases, intelligence agencies for various countries, such as France as a prominent example, have been spying on their own to make sure their own local companies have an edge competing with companies from other countries.

Here is an interesting quote from "The Industrious Spies, Industrial Espionage in the Digital Age".
This transition fosters international tensions even among allies. "Countries don't have friends - they have interests!" - screamed a DOE poster in the mid-nineties. France has vigorously protested US spying on French economic and technological developments - until it was revealed to be doing the same. French relentless and unscrupulous pursuit of purloined intellectual property in the USA is described in Peter Schweizer's "Friendly Spies: How America's Allies Are Using Economic Espionage to Steal Our Secrets."

Defending against computer-based espionage

For the purpose of defense, while I'd certainly hope for more resources (read: a larger budget) and change my focus on where I apply them--there is no inherent difference between how you defend your organization from computer-based espionage and how you protect it against any Joe hacker.

In espionage, the attacker has more resources, both technical and operational. That is the one technical difference; the others are motive and legal standing.

Some of what I would do differently

I'd concentrate a bit more of my resources on network behavior analysis (for which, unfortunately, not many tools exist, so good network security analysts are the main alternative), as well as on social engineering training and procedures.

Further, I'd prioritize cooperation with the physical security part of the organization, and HR (for personnel screening).

I'd also consider putting up a good deterrent as a cyber security policy, both to add to the attackers' risk and to increase their cost.

First, by doing my job--making myself too difficult a target in any way available to me, and letting people know about it. Stating the obvious by saying "do your job" is not too helpful, but is solid advice. It is a strong 180 degree turn from strategies of the 1990s such as "let's not make ourselves a juicy challenge for these kids!"

Second, I'd invest anything I can spare on monitoring my network for anomalies and security incidents, starting with mapping what my network actually looks like. This might add to the risk factor for opponents that can't afford to be caught, and scare them. Covertness is the name of the game, or they would have come through the front door.

Entering an "industrial espionage defense" clause into your budget, or creating a "five year plan" to better protect your organization from organized industrial espionage, may just get you a larger budget to cope with your organization's security needs.

Do you have something you'd do differently from (or in addition to) regular security practices when facing espionage from "organized" hackers? Any experience, or thoughts, you can share?

Gadi Evron,
ge@linuxbox.org.

Follow me on twitter! http://twitter.com/gadievron

Sunday, October 05, 2008

Time for self reflection

In case you don't read any of what I have to say below, read this: I have dual citizenship. Along with my homeland citizenship, I am of the Internet, and see it as my personal duty to try and make the Internet safe.

Atrivo (also known as Intercage), a network known to have hosted criminal activity for many years, is no more.

Not being sarcastic for once, this is time for some self reflection.

I wish I was one of those who sleep soundly tonight, being clear in my conviction that Atrivo should be out of business, and being positive my decision to help that happen was sound--while I would do it again, I am sad.

I won't sleep soundly tonight, as that company, criminal and abusive as it clearly and contemptuously was, still sustained quite a few families in several layers of employment, from sysadmins sitting in the US of A all the way to minor low-level fraudsters employed by their clients' clients.

I will, however, be able to look myself in the mirror for my part in the effort to get rid of them--and even gloat some. My conscience is as clear to me as my sadness is crystal. We may not have changed the tide of battle in the long term, and whenever one criminal falls, another jumps up to the opportunities of the land of the free--the Internet. But for once, just for a while, we halted the machine. We stopped the wheels of evil, even if only for a fortnight.

While doing so, we also touched some lives in a destructive fashion. The criminals'.

No villain ever sees himself as the bad guy, as the saying goes. A friend recently showed me Russian language comments written on Brian Krebs' recent Washington Post story. In them, the posters ask: "why do you take our bread away?"

In a lecture during ISOI 5, some folks just didn't understand the meaning. Their bread. Their bread. We in the Western world, behind the cultural divide, speak a different language. Their culture isn't poorer than ours, it is unequivocally different.

We cannot truly comprehend what it means for some folks in Russia to no longer be able to feed their children this month. Nor can we understand that by sending email, we made those children starve. Cheap theatrics on my part, you say? You got that right. It doesn't make it any less true.

Cyber crime is a war waged against the Western world. At first, no one even noticed and it was a niche... an art. While the artists still exist, they are a minority, the hackers. For the criminals however, motive is as irrelevant as nationality. Whatever actions are taken, be it a political defacement, fraud or spam, the unavoidable secondary impact remains the same: damage to the Western economy and security in an exponential growth which will become ever clearer in the coming years.

Yes, my friends. I would do the same again. I feel sorry for Atrivo, but they were harboring the equivalent for the Internet of active missile launchers firing on Israel from the Gaza strip. They are human beings who hit a curve in the road to their success. Cyber criminals, however, establish such growth as parasites and whatever I may feel for needing to resort to the end game weaponry, these people need to be smacked down like cockroaches.

Ten years ago they were a pride to their parents, today they are a scourge. What will they be in ten years?

If all reasonable and even some unreasonable approaches fail, that does not mean I don't have to feel sorry for them, and me. But it also doesn't mean we don't need to fight back.

Not even a hundred years ago, disastrously, war was business and an acceptable, horrifying part of life. A few years later, in 1918, war was unthinkable. In the century since, we who live in or are influenced by Western culture have made war no longer an option we can publicly stomach, while facing those who would play us like children because of it.

War is horrifying and evil; it is also a last resort in a world not as ascendant as we would like to think. The Internet has its own "liberals" and I am proud to be one of them. However, I am also practical and see that wishing for a world we once had is not. A world where I could host files on my neighbor's servers openly, where children could happily use pocket calculators and go to libraries for their school work rather than Google and read Wikipedia. You did so; do your children?

This new world has its price, and that price is a complete loss of public privacy, and a culture of ineffective security.

We are reliant on our Auntie Jane's computer knowledge for our own security, and while not many would follow us to our bathrooms to infringe on our personal privacy, online we have no privacy, however much it helps us to lie to ourselves that something we do publicly (read, on the Internet) is private.

I accepted that, but that is because I have been in the trenches for years. Others live better not knowing. But it doesn't mean I won't work diligently to make it remain... functional.

Indeed, taking a step back from my niche in security, and seeing how bad things truly are--people can still surf for porn, and argue over who the best Star Trek captain is. Cyber crime, in all its immense activity of billions of incidents an hour, is background noise. But the background noise continually increases. When will it overflow?

All I really want is to maintain the functionality we have, regardless of the abuse. And yet... Going back to Atrivo, they made enough money by now. And regardless once more, their criminal clients are already back online elsewhere--in some places possibly hosted by what seems like Atrivo, only under a different name.

We did not win, but boy does it feel good to have a victory once in a while for morale's sake. We halted the machine, even if only just for a short time. That, my friends, also has strategic implications as far as our ability to influence networks into running clean on the Internet is concerned, although only time will determine if I am right on that.

Enough whining though. Who is next on the target list? :)

More seriously, why do I care so much? I have dual citizenship. Along with my homeland citizenship, I am of the Internet, and see it as my personal duty to try and make the Internet safe.

Gadi Evron,
Of the Internet.
ge@linuxbox.org

Follow me on twitter! http://twitter.com/gadievron

Friday, September 26, 2008

Estonian Cyber Security Strategy document -- now available online

The Estonian cyber security strategy document is now available online. I must say once again the concept of a national cyber security stance is quite interesting.

Those who wish to download the document:
http://www.mod.gov.ee/?op=body&id=518

My contact there specified she'd be happy to answer any questions. To avoid spam of her inbox, email me for her address.

Gadi Evron,
ge@linuxbox.org.

Follow me on twitter! http://twitter.com/gadievron

Thursday, September 25, 2008

Internet Vigilantism

The good people at Renesys wrote a blog about what they call "Internet Vigilantism".

While I feel I cannot yet fully comment on the whole Atrivo / Intercage depeering movement, there is an underlying strategy to consider. I will comment at a later date.

The blog above asks:

While I'm not a big fan of cyber-crime or the providers who knowingly host these activities, I can't help but wonder where law enforcement is in this story. We still have laws, right? There is a lot of questionable activity and content on the Internet that is thriving and has no shortage of suitors. Even the most cursory look at what passes for "content" should convince anyone that it's pretty hard to get thrown off the Internet — it just doesn't happen. But since it just did, I have no trouble believing that Atrivo had it coming. It's tough to piss off the entire world, especially when you have the money to pay them off. I only wonder why the cops didn't get there first [...]

My response is, 'okay', but please don't call it Vigilantism.

There is a difference between Vigilantism as it is perceived today and Vigilantism as it is in the dictionary. It means neighborhood watch.

When the police are not around, that is something you need. "It's for the children".

Gadi Evron,
ge@linuxbox.org.

Follow me on twitter! http://twitter.com/gadievron

Tuesday, September 23, 2008

Estonian Cyber Security Strategy document, translated and public

The Estonians have a public version of their cyber security strategy translated into English (currently available offline only). The concept of a national strategy for cyber security is one which I am particularly fond of (also see previous post, An Account of the Estonian Internet War).

The following is the Summary section from the document which might be of interest (Estonian Cyber Security Strategy — Cyber Security Strategy Committee, Ministry of Defence, ESTONIA, Tallinn 2008):

* * *

The asymmetrical threat posed by cyber attacks and the inherent vulnerabilities of cyberspace constitute a serious security risk confronting all nations. For this reason, the cyber threats need to be addressed at the global level. Given the gravity of the threat and of the interests at stake, it is imperative that the comprehensive use of information technology solutions be supported by a high level of security measures and be embedded also in a broad and sophisticated cyber security culture.

It is an essential precondition for the securing of cyberspace that every operator of a computer, computer network or information system realises the personal responsibility of using the data and instruments of communication at his or her disposal in a purposeful and appropriate manner.

Estonia's cyber security strategy seeks primarily to reduce the inherent vulnerabilities of cyberspace in the nation as a whole. This will be accomplished through the implementation of national action plans and through active international co-operation, and so will support the enhancement of cyber security in other countries as well.

In advance of our strategic objectives on cyber security, the following policy fronts have been identified:

  • application of a graduated system of security measures in Estonia;
  • development of Estonia's expertise in and high awareness of information security to the highest standard of excellence;
  • development of an appropriate regulatory and legal framework to support the secure and seamless operability of information systems;
  • promoting international co-operation aimed at strengthening global cyber security.

Policies for enhancing cyber security

1. The development and large-scale implementation of a system of security measures

The dependence of the daily functioning of society on IT solutions makes the development of adequate security measures an urgent need. Every information system owner must acknowledge the risks related to the disturbance of the service he or she provides. Up-to-date and economically expedient security measures must therefore be developed and implemented. The key objectives in developing and implementing a system of security measures are as follows:

  • to bolster requirements for the security of critical infrastructures in order to increase its resistance, and that of related services, against threats in cyberspace; to tighten the security goals of the information systems and services provided by the critical infrastructure;
  • to strengthen the physical and logical infrastructure of the Internet. The security of the Internet is vital to ensuring cyber security, since most of cyberspace is Internet-based. The main priorities in this respect are: strengthening the infrastructure of the Internet, including domain name servers (DNS); improving the automated restriction of Internet service users according to the nature of their traffic, and increasing the widespread use of means of authentication;
  • to enhance the security of the control systems of Estonia's critical infrastructure;
  • to improve on an incessant basis the capacity to meet the emergence of newer and technologically more advanced assault methods;
  • to enhance inter-agency co-operation and co-ordination in ensuring cyber security and to continue public and private sector co-operation in protecting the critical information infrastructure.

2. Increasing competence in cyber security

In order to achieve the necessary competence in the field of cyber security, the following objectives have been established for training and research:

  • to provide high quality and accessible information security-related training in order to achieve competence in both the public and private sectors; to this end, to establish common requirements for IT staff competence in information security and to set up a system for in-service training and evaluation;
  • to intensify research and development in cyber security so as to ensure national defence in that field; to enhance international research co-operation; and to ensure competence in providing high-level training;
  • to ensure readiness in managing cyber security crises in both the public and private sectors;
  • to develop expertise in cyber security based on innovative research and development.

3. Improvement of the legal framework for supporting cyber security

The development of domestic and international legislation in the field of cyber security is aimed at:

  • aligning Estonia's legal framework with the objectives and requirements of the Cyber Security Strategy;
  • developing legislation on protection of the critical information infrastructure;
  • participating in international law-making in the field of cyber security and taking steps internationally to introduce and promote legislative solutions developed in Estonia.

4. Bolstering international co-operation

In terms of developing international co-operation in ensuring cyber security, the Strategy aims at:

  • achieving worldwide moral condemnation of cyber attacks given their negative effects on people's lives and the functioning of society, while recognising that meeting the cyber threats should not serve as a pretext for undermining human rights and democratic freedoms;
  • promoting countries' adopting of international conventions regulating cyber crime and cyber attacks, and making the content of such conventions known to the international public;
  • participating in the development and implementation of international cyber security policies and the shaping of the global cyber culture;
  • developing co-operative networks in the field of cyber security and improving the functioning of such networks.

5. Raising awareness on cyber security

Raising public awareness on the nature and urgency of the cyber threats might be achieved by:

  • presenting Estonia's expertise and experience in the area of cyber security at both the domestic and international level, and supporting co-operative networks;
  • raising awareness of information security among all computer users with particular focus on individual users and SMEs by informing the public about threats existing in the cyberspace and improving knowledge on the safe use of computers;
  • co-ordinating the distribution of information on cyber threats and organising the awareness campaigns in co-operation with the private sector.

Gadi Evron,
ge@linuxbox.org.

Follow me on twitter! http://twitter.com/gadievron

Saturday, September 06, 2008

Cyber crime: an economic problem

During ISOI 4 (hosted by Yahoo! in Sunnyvale, California) whenever someone made mention of RBN (the notoriously malicious and illegal bulletproof hosting operation, the Russian Business Network) folks would immediately point out that an operation just as bad was just "next door" (40 miles down the road?), working undisturbed for years. They spoke of Atrivo (also known as Intercage). The American RBN, if you like.

In fact, while many spam operations use botnets and operate all around the world, a lot of the big players own their own network space and operate hosting farms, which are constant and "legitimate", right in the US--for years now.

While we may not be able to make contact and mitigate incidents in some countries, these operations inside the United States of America run undisturbed. They register thousands of domain names every day and fuel a whole economy, starting with spam continuing with phishing, malware and DDoS attacks, and ending in child pornography and more spam.

Background
For years now, the Internet has been getting increasingly "dirty". It isn't just about the thousands and millions of concurrent security incidents (automated, malicious code-based and other) happening every minute of every day.

It isn't even about the next stage, the botnets and massive fraud attacks. It's about the problem not changing. The Bad Guys (TM) or miscreants as some of us tend to call them (I prefer criminals) are a business. They have R&D, operations, outsourcing and so on. They collect statistics to make sure their revenue stream is maintained, and act to rectify the situation if it isn't.

They (ab)use the Internet for their business, but have shown, in old Russian war style, that if you go against them, they are not afraid of destroying this revenue stream called the Internet. Scorched Earth is an acceptable strategy. The criminals have established a working deterrence on the Internet, as unlike us, they are willing and able to use their power and let the Internet go (root server attacks, Blue Security incident, etc.).

To change this equation the first realization we had was that this is an economic problem.

Changing the Economic equation
To impact their business you have to change how they treat it. This comes down to a basic cost vs. benefit calculation:
  • Cost (earning less or spending more)
  • Benefit (earning more or losing less)

Meaning, if it costs them one cent to send out 10 million spam messages, they are already spending more than they should. If they only earn a million USD a day, they are behind schedule for their quarterly revenue goals. Asymmetrical much? :)

Anecdote: some UK banks lose over a million POUNDS each every DAY during phishing and banking malware attack waves.

We used to be able to impact their cost by "killing" their botnets, or making sure phishing sites stayed "on the air" for less time.

They have contingencies, design and operations to ensure they are never "down". They register domains for use just for a few minutes, and then discard them. Their botnets immediately jump to a new location if one "goes down", if it wasn't just a temporary location to begin with.

Graceful degradation is terminology not reserved just for the house of representatives.

This is not always true. When "bullet proof" hosting is found, they don't need to jump around. For example, some phishing sites hosted on Atrivo's IP space have been up and running since early 2007.

By taking down malicious sites, or as we like to call it, whack-a-mole (it just pops up somewhere else) we played the game, and they got better at what they did--they evolved.

The answer was: law enforcement. If the RISK factor became high enough, we could change the economics of the problem space.

Unfortunately, while having good intentions and good people, law enforcement is:
  • Considerably under-staffed
  • Hardly able to communicate inside the US
  • Barely able to communicate with agencies in other countries
  • When able to communicate, it often takes up to a year (unless they go off the books and talk to the folks directly rather than through Interpol)
  • When successful, often takes years (more than two) to build a case
  • Then, success is rare in comparison to the number of incidents

So what are we to do?

Law enforcement vs. maintaining our networks
At some point every network operator comes to this fork in the road. "Do I maintain my network and kick this SOB off my network, or wait for law enforcement?"

The answer should be self-evident by now, best intentions included.

This ties back in to the current situation with Atrivo / Intercage, which we will discuss later.

Gadi Evron.

Follow me on twitter! http://twitter.com/gadievron

Thursday, August 28, 2008

Public sharing and a new strategy in fighting cyber crime

A couple of years ago I started a mailing list where folks not necessarily involved with the vetted, trusted, closed and snobbish circles of cyber crime fighting (some founded by me) could share information and be informed of threats.

In this post I explore some of the history behind information sharing online, and explain the concept behind the botnets mailing list. Feel free to skip ahead if you find the history boring. Also, do note the history in this post is mixed with my own opinions. As I am one of the only people who were there in the beginning, though, and lived through all of it, I feel free to do so (in my own blog post).

As I conclude, we may not be able to always share our resources, but it is time to change the tide of the cyber crime war, and strategize. One of the strategies we need to use, or at least try, is public information sharing of "lesser evils" already in the public domain.

History
It was my strong conviction that the bad guys (criminals!) already had access to all this data--now we know they do, and further, could test their own creations against anti virus detection (on their own, to see that they are not detected, or using a tool such as VirusTotal). They could use honey pots and any number of other sources of public information. Then, they could also always measure success ratios--they do.

On the other hand, the Good Guys (TM) did not share. What sharing did happen was very limited and limiting. Aside from that, because it was so scarce, it was (and to a level still is) kept secret to a select group of friends. Others would not be allowed in very easily, nor should they, for obvious trust issues.

System administrators and security researchers had to get their information from their own logs or public reports of limited value from vendors. This secrecy also had the consequence of the public not being aware a cyber crime problem even exists and later on, always being roughly three to six years behind the curve on accepting what is actually happening.

By extension, when after the Estonian "war" many countries and organizations became, literally, scared, they started creating tech policy based on misconceptions and information glimpsed from the news media and vendor reports.

The black hat effect
The anti virus industry has a history of being strict on sharing. That is as it should be and quite proper. In the early 1990s there used to be roughly one virus released every month. Then someone released a study on one, and within a month 50 new variants came out. Disclosure was a bad idea. However, times, they are a-changing.

When malware can be found by anyone running a honey pot, surfing the web, opening their inbox or Googling for it, the strong restrictions on sharing made little sense as far as "aiding the bad guys" (read: criminals). The strong argument remaining to be strict on sharing was "we are not black hats, we are careful with these things!"

This is fine, and acceptable. It is also burying our heads in the sand. While sympathetic, change was required as the big worms were out (circa 2003-4) and security professionals all over the world had no information. Worse, when most security vendors and therefore the media were concentrating on the big worms, exponentially bigger botnets were out there, undisturbed.

A new industry formed which would later be called "Anti Trojan", as they would detect these bots (Trojan horses) and remove them, while many anti viruses considered them:
1. Not their job to detect.
2. Not viruses.
3. "Garbage files".

Beginning in 1997, I made many approaches and tried to get the AV industry involved, telling them they were only detecting 20 to 30 per cent of all malware, to no avail. In 2004-5 they started playing catch-up. This happened again, two to three years late, with spyware (new industry, two years late to the game, etc.) and two to three years late with rootkits.

At that point in time active sharing was established between vendors (not just AV), academia and others. Companies such as Checkpoint, Cisco or "God forbid" Microsoft had "no business" dealing with samples according to the AV industry, as they went elsewhere, with people such as myself driving this sharing and, yes, taking the heat.

The strict sharing policies had an extra motive (on the part of the AV industry), which made little sense except for business sense. They had every marketing intention of maintaining an iron grip on malware samples, so that only they could sell products and control the information flow. It was brilliant for a few years, but they also marginalized themselves and were forced to become more generic security vendors to catch up, due to an inability to change in time.

They now had massive competition and were out of touch. This reminds me of the copyright wars in the music industry.

This grip was broken as such information became readily available (which was, as mentioned, ignored by the AV community). I can take a very big part of the credit for breaking this iron grip, by facilitating sharing communities where vendors, researchers, law enforcement and others not directly of the AV world could exchange samples as well as analysis. Being a part of the AV world, this made me persona non grata to some, but thankfully not for more than a year or so.

Still, vetting and silence were a prerequisite in the newly formed communities. Trust was key. Some of the new mailing lists and communities formed by me were DA and MWP. Later copy-cats include malaware and II (not as vetted, but now more relevant as far as malware sharing goes).

Others still would have to create their own communities, such as the ISP world, fighting this problem on the network side. They would later on not accept the researchers, much like the researchers would not accept them--for the very same reasons, and only to change their minds once these folks started working on their own (on mailing lists such as DA and MWP).

No one wants to be considered a black hat, but times change and necessities facilitate evolution.

Sharing C&C information
It was a long journey, but we kept running into the same problems. We'd be fighting malware infecting a hundred thousand to three million users a day, with hundreds of such incidents every single day. Yet the public did not know about it, and the security vendors would be behind--concentrating, naturally, on their own niche.

We changed the world, enabled better sharing and created new trust models. And still, we would not truly cooperate. Cooperation and resource sharing aside (after all, many in the industry have financial agendas, as they should), we could not get the bigger picture straightened out. We needed to share intelligence on millions of stolen identities every day, but still couldn't get this malware sharing out of the way.

Command and control (C&C or C2) information for botnets, for example, was barred and restricted by the newly formed security and network operations communities. After all, sharing would cause us to help the criminals. No? More than that, we'd no longer have control.

Much like the AV industry before them, the anti-terrorism folks in government and any other reactive fighters, the ISPs and operations professionals--me included--were indeed doing great work. We'd be fighting malware and botnets, but the problems just got worse, even if we were more organized.

A couple of years later, getting these C&Cs off-line was no longer useful, as they had graceful degradation and backup, immediately "jumping" somewhere else, undisturbed.

New researchers and organizations were refused acceptance once again, and started working on the problem on their own, sharing their information and eventually outgrowing the original communities, now set in their ways. Such is the way of the world. This showed me how sometimes diversity, rather than cooperation, can be great. Repeating mistakes and seeing how they are no longer mistakes due to a changed landscape was something I now appreciated.

My advocacy was to treat C&Cs as intelligence sources rather than targets, but the intelligence discussion is for another time in another post.

Soon, C&C information was publicly available, and yet--to the public and policy makers, the cyber crime problem did not exist.

Enter the botnets@ mailing list
It was time for a change. Facing much resistance I created a public mailing list where the public, the sysadmins and the security researchers could share information, learn and fight cyber-crime.

The response was staggering. Dozens of contributors emailed in with detailed information, and yet--we felt uncomfortable about it. We treated folks like they were doing something wrong sharing in public, and sent mixed messages.

New groups were formed, and older groups got new recruits (such as Shadowserver, which the mailing list helped). It was still a win situation, but the mailing list had to go.

Today, about two years later, the botnets mailing list has been revived and in the past day the response has once again been staggering.

Folks share their information, get informed of new threats in a language they understand (tech) and talk to each other. Moreover, they understand the risks, and the ugly face of Internet security is out there for all to see. This time we need to be ready to accept this change.

Public fighting
Sharing information with the public has always been something I was personally attacked for, and yet, how else are you supposed to win a war if the people you fight for don't even know it is happening, or needed?

Last year, Estonia was attacked on the Internet by Russians [PDF]. It cannot be proven whether it was a public uprising, Internet-style, or state-sponsored action. Still, it re-affirmed some of my beliefs about effecting change and community forming.

To fight a war, you have to be involved and engaged. On the Internet that is very difficult, but the Russians found a way. It is a fact that while we made much progress in our efforts fighting cyber crime, we had nearly no effect whatsoever on the criminals and the attackers. None. They maintain their business and we play at writing analysis and whack-a-mole.

Using the botnets mailing list, I am borrowing a page from the apparent Russian cyber war doctrine, getting people involved, engaged. Personally aware and a part of what's going on.

It can't hurt us, and perhaps now, four years over-due and two years after the previous attempt, we may be ready to give it a go and test the concept.

Perhaps now regular malware can become something regular professionals deal with, low AV detection of samples can become public knowledge, and vetted communities can think strategically and respond to more problematic matters such as intelligence handling of millions of stolen identities, or criminal organizations operating--not only in Russia and China, but from the San Francisco bay area.

We may not be able to always share our resources, but it is time to change the tide of the cyber crime war, and strategize. One of the strategies we need to use, or at least try, is public information sharing of "lesser evils" already in the public domain.

Gadi Evron.

Follow me on twitter! http://twitter.com/gadievron