<<< Date Index >>>     <<< Thread Index >>>

[IP] more on cybersecurity neglected





Begin forwarded message:

From: Rich Kulawiec <rsk@xxxxxxx>
Date: October 18, 2004 10:53:52 AM EDT
To: Suzanne Johnson <sjohnson@xxxxxxxxx>
Cc: David Farber <dave@xxxxxxxxxx>
Subject: Re: [IP] cybersecurity neglected

As the third anniversary of Sept. 11 passes, the
next threat could be a Net threat:Solid evidence shows that al Qaeda
agents and other terrorists are trying to attain the online skills
needed to wage cyberwar.

They don't have to: so many people have made it so easy for them that
even a half-hearted effort could be wildly successful.

As just one example, consider what's need to conduct a good -- a really
good -- DDoS attack:

        - lots of bandwidth
        - lots of CPU
        - lots of network diversity (so that simple countermeasures
                like blocking a handful of networks are ineffective)
        - autonomous attack agents (so that once they're unleashed,
                they can operate on their own, i.e. independent of
                any centralized control and thus independent of any
                single point-of-failure)
        - multiple attack engines (so that simple countermeasures
                like a blocking one kind of attack are ineffective)
        - staggered/rotating deployment (so that as attack agents
                are blocked or shut down, others take their place)
        - attack agents whose "owners" don't know they're attack agents
                (not really necessary, but certainly useful)

Now consider that in light of developments such as:

Investigative Report: How Hackers Infect PCs To Spread Spam and Steal Money http://www.usatoday.com/money/industries/technology/2004-09-08- zombieuser_x.htm
and:
        New Worm Installs Network Traffic Sniffer
http://news.netcraft.com/archives/2004/09/13/ new_worm_installs_network_traffic_sniffer.html
and:
        Is Organized Crime Controlling Your PC?
        Symantec report says Internet attacks for financial gain on the rise.
        http://www.pcworld.com/news/article/0,aid,117946,00.asp
and:
        "A couple of weeks ago studies released suggested numbers of new
        systems being zombied / taken over range at a minimum estimate
        of 30,000 and a high estimate of 70,000 every day. We are starting
        to see troubling signs of PCs we maintain that are locked down and
        updated as tight as possible managing to get infected, we suspect
        either by web browser or by email, since the holes there and the
        vulnerabilities are now coming faster than we can respond to."
        (Ronald Edge, on NANAE)
and:
"I've seen CBL identify 300,000 _new_ compromised machines in a single day."
        (Chris Lewis, on NANAE)

along with all the other articles about spyware, adware, viruses, worms,
spam, zombies (completely hijacked Windows systems) and so on.

So far, the primary uses we've seen from all these compromised/hijacked
systems have been:

        - sending spam
        - hosting spamvertized web content
        - probing for more systems to compromise/hijack
        - probing for security holes
        - probing for open proxies to send spam
        - harvesting email addresses for subsequent spamming
        - occasional DDoS attacks

Nobody knows how many there are, but "tens of millions" is a minimal
estimate and I wouldn't even blink if it turned out the number is well
above 100 million. Nobody knows who's controlling them, although I think it's safe to speculate that it's not any single individual or group. We do know that access to them is being sold (i.e. so many systems for so many $$ for so many hours/days) as a commodity. We also know (via OS fingerprinting and other detection techniques) that they account for something around 80% of
all SMTP spam at the moment


Putting this all together, it would be very easy for anyone with
some money to spend to simply *buy* access to enough systems to launch
a very effective DDoS attack. (And I doubt that those selling such access
would refuse to sell to anyone with cash in hand.)  Imagine trying to
locate and stop a DDoS attack coming from, say, 20 million systems located
all over the world.

Nothing especially clever is needed for this: the tools are already
there, and the resources already available.  I think it's just a matter
of time until it happens -- and I wonder if some of the DDoS attacks
we've seen recently have been experiments: after all, I don't think
anyone has ever built a distributed computing cluster this large and
diverse, so some tinkering may be necessary to figure out how to make
it "work".

And the chilling part is that it's only going to get worse: I find myself
wondering if there is an upper bound on the number of systems that will
be compromised/hijacked other than the number of systems that *can* be
compromised/hijacked.

The fix? There is no fix, at least not one that most people will accept.

---Rsk

-------------------------------------
You are subscribed as roessler@xxxxxxxxxxxxxxxxxx
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/