Please forgive me for following up my own previous message, but I've <chuckle> taken a little grief offlist for being, hmmm, "unduly alarmist". So I thought I'd tell you all a little story that might make it clear why I write things about security as, ummmm, strongly as I do. (Besides the fact that I've been doing 'net security work for 30 years and can out-curmudgeon *anyone*. ;-) )

Let me begin with a question that I know those of you who enjoy spy thrillers and such will be able to answer: who is the best spy? The answer, of course, is "one who does not know they are a spy".

So suppose there was A Bad Guy out there who wanted to send spam, engage in some phishing, run some DoS (denial-of-service) attacks, and other nasty things. Should The Bad Guy pay for some server space at somebody's hosting site and have at it? Well, maybe: but that costs money. And it's traceable. And it's limited. And the end result will probably be that he won't get very far before someone pulls his plug.

Now suppose he had a clever idea: why not hijack someone *else's* system and use that, without their knowledge? Better yet: why not hijack *multiple* systems? This is much cheaper; it's harder to shut down (in its entirety); it's more convenient; and it's harder to defend against because there are multiple systems involved.

Then he might have an even more clever idea: having worked all this out -- hijacking the systems, putting them to work doing various kinds of nastiness, etc. -- he could rent them out to others who had nasty things to do, but didn't have the resources.

Of course none of this would be any good for the users who had their systems hijacked; we all know the principle "If someone else can run arbitrary code on your computer, it's not YOUR computer any more". Not only would every scrap of data stored on their systems be exposed, not only would every password they type be grabbed by keystroke loggers, but they would be blamed for the damage done by their systems.
But the clever person we're talking about here would hardly balk at any of that. He'd just work out all the myriad technical details, and hijack 10 or 20 or even 100 systems. He'd release viruses and use trojan downloaders on web sites to create more, and he'd figure out how to manage them all, and life would be pretty good for him because the chances that he'd be caught -- if even reasonably careful -- would be very, very tiny. And if he happened to live in certain locales scattered around the world, then he could forestall that by making sure that the local authorities were well-paid out of his profits -- well enough to make sure that they stayed bought. Maybe, in some cases, he might find it convenient to link up with organized crime, in order to leverage its organizational savvy, its connections, its abilities to broker transactions, launder money and enforce discipline. <cough>

Of course those of you who are chuckling to yourselves already know that this is not a little work of fiction: it's history. One species of the malware used to hijack these systems is dissected in detail here:

Sobig.a and the Spam You Received Today
http://www.secureworks.com/research/threats/sobig

Sobig.e - Evolution of the Worm
http://www.secureworks.com/research/threats/sobig-e/

Sobig.f Examined
http://www.secureworks.com/research/threats/sobig-f

It's not the only one, but it serves as a general example.

You also know that we're not talking about 10 or 20 or 100 systems here. More like, oh, 100-200 MILLION. (Yes, really. Vint Cerf, widely regarded as one of the fathers of the Internet and now at Google, has given 250M as his estimate. Valdis Kletnieks at VaTech says 140M. I use 200M as my current best guess, 150M when I'm being conservative.)
And every now and then one of the clever people behind these screws up and gets caught, and then we have this:

Mariposa Botnet beheaded
http://hosted.ap.org/dynamic/stories/U/US_TEC_BOTNET_BUSTED?SITE=AP&SECTION=HOME&TEMPLATE=DEFAULT&CTIME=2010-03-02-14-26-32

Supposedly -- 12.7 million systems. <shrug> Maybe, maybe not. Does it really matter if it's half or twice that? It's still a LOT. And keep in mind: these were the guys who were dumb enough to get caught. We're aware of much larger operations -- better-run ones, too. (Oh, and don't get too excited about this takedown. All that it means is that 12.7 million already-compromised systems are sitting out there waiting for the next person clever enough to take control of them. My guess is that this has already happened.)

If you know where to look online, you can find places where the owners of these invisible networks are selling their services: so many dollars/euros for so many systems for so many days, and so on. They're quite happy to provide consulting and programming services if you need those -- just pay up. They can show you how to set up your whole operation so that it's completely hosted on one (or more) of these botnets, which is really handy if you're doing something very nasty like peddling kiddie porn, or selling credit card datasets for $1.75 each (more if credit limit above $10K), or collecting unfortunate photographs of people who probably should not be naked at the same time in the same place (for possible future use in extortion). And they're always looking for more systems. Including yours.

So if you think that your firewall and your anti-virus and your anti-spyware will protect you: that's very nice. A pretty good chunk of the 200M people whose systems now belong to someone else thought that too.

The fix? The best fix is "don't run Windows", although that's not a panacea. Still, it's an excellent first step. I don't permit Windows systems on my network. Period, full stop.
Next best is "never use IE" and "never use Outlook": you can't do worse, so pick anything else, like Firefox and Thunderbird.

Get a firewall -- a REAL firewall, which means a dedicated box, not some junk piece of software that runs under Windows and is more like a screen door than a bank vault. They're under $100.

Use AdBlock and NoScript with Firefox.

Think about what the hell you're doing before you click.

Turn your system off or physically disconnect it when you're not using it. (Many laptops have a "wireless off" hardware switch. Use it.)

Bookmark your bank, your credit union, etc., all the sites that you provide critical information to, and ALWAYS USE THE BOOKMARKS to go to them -- that is, NEVER click on a link in a mail message that claims to be from them. (If you're using the bookmarks, and you set them up properly to begin with, you're going to be pretty much phish-immune...unless an attacker already owns your system, in which case you're hosed anyway.)

( Incidentally, here's something that will give you pause: those 200M compromised systems out there? They're not all sitting in folks' homes. They're in corporations and universities, they're desktops and laptops and servers, and even cell phones (some of which run versions of Windows). A few years back we caught one on a US ship. So there is absolutely no reason to think that all the Windows systems at your bank or your credit card company are secure. After all, it's only *your* private data they're dealing with: why should they bother? It's much cheaper to just have a spokesliar stand up at the press conference after the next dataloss incident and say "We take the privacy of our customers seriously" while the CEO spends more on carpet for his/her office than on actually-useful IT security. )

Anyway:

Don't install any software you don't need.

Don't ever reply to spam or phishes, no matter how pissed off you are: if you do, you'll furnish highly valuable intelligence to the enemy.
Do not indulge your curiosity to "just take a look" at the spammer's site -- there are things there that bite. Hard.

Don't download everything that looks shiny, especially toolbars -- they tend to fall into two categories: (1) those that are spyware and (2) those that are so badly written that they weaken your security.

Keep your darn programs patched -- Firefox and Thunderbird will notify you, pay attention!

Clear your browser of personal data often -- again, Firefox makes this easy.

Make backups. (You ARE doing backups, aren't you? For crying out loud, an external USB drive that holds half a terabyte is available at any office store for $80. Go. Now. Get up, get in the car, get your butt over there and buy one.)

Don't furnish your password to anyone who asks for it: real system admins with real clue will simply *reset* your password to one of their choosing if they really need to do that.

Do not, do not, do not let your kids use your computer. Get them their own. Make it a Mac or Linux box unless you want to be scrubbing cruft off it every other week.

Pick strong passwords, and no, you may not use your street, dog, car, boyfriend, or anything else that you blab about on Facebook or whatever this month's transient and unimportant site is.

If you're walking around with your laptop, encrypt the drive with TrueCrypt, so that when it's stolen by airport baggage handlers and sold, at least you're only out the hardware. (Consider keeping your valuable data on a USB thumb drive that rides in your pocket -- also encrypted in case you lose it -- and only keeping your programs on your laptop.)

Don't believe any web site that says it's "hacker-safe", "TrustE certified", "super whizbang protected with extra vitamins": anybody can buy those labels and slap 'em on.

Use a low-credit-limit card (under $1K) for routine online purchases, and ONLY for routine online purchases.

Have you backed up your system yet?
One of the favorite tricks for attackers these days is to compromise a popular web site and use it to get at everyone who visits. This works well with (a) men and (b) sites featuring girl parts because (c) we're stupid that way. But it's also been used on ordinary commercial sites, newspapers, etc. Which is why I recommended AdBlock a few paragraphs back.

If you are a customer of paypal.com you are not a customer of paypa1.com. If you get a request to fiddle with a webmail account you don't have, you're being phished; don't respond to it. The nice man who says he's an attorney in Lagos is not going to be sending you millions of dollars of inheritance you didn't know about. The other nice man who says you need to download and install his antiantiantispyware is not on your side.

Be paranoid. This is not the 'net of the early 80's when none of us locked our doors and you could pop in, borrow a cup of sugar, and leave a note. This is the wild west, rife with roving gangs that are smart, ingenious, fast, and ruthless.

Think I'm kidding about any of this? Or exaggerating? Go read the Wikipedia entry on "Russian Business Network":
http://en.wikipedia.org/wiki/Russian_Business_Network

---Rsk

***************************************************************************
PaddleWise Paddling Mailing List - Any opinions or suggestions expressed here are solely those of the writer(s). You must assume the entire responsibility for reliance upon them. All postings copyright the author.
Submissions: PaddleWise_at_PaddleWise.net
Subscriptions: PaddleWise-request_at_PaddleWise.net
Website: http://www.paddlewise.net/
***************************************************************************

Received on Mon Mar 08 2010 - 08:46:14 PST