February 19, 2006

More dots than you or I can understand (Internet Threat Level is Systemic)

fm points to Gadi Evron who writes an impassioned plea for openness in security. Why? He makes a case that we don't know the half of what the bad guys are up to. His message goes something like this:

DDoS -> recursive DNS -> Fast Flux -> C2 Servers -> rendezvous in cryptographic domainname space -> bots -> Phishing

Connecting the dots is a current fad in America, and I really enjoyed those above. I just wish I knew what even half of them meant. Evron's message is that there are plenty of dots for us all to connect, so many that the tedium of an imminent solution is not a risk we face. He attempted to describe them a bit later with his commentary on the recent SSL phishing news:

Some new disturbing phishing trends from the past year:

POST information in the mail message
That means that the user fills his or her data in the HTML email message itself, which then sends the information to a legit-looking site. The problem with that is, how do you convince an ISP that a real (compromised) site is indeed a phishing site, if there is no phishy-looking page there, but rather a script hiding somewhere?

Trojan horses
This is an increasing problem. People get infected with these bots, zombies or whatever else you’d like to call them and then start sending out the phishing spam, while alternating the IP address of the phishing server, which brings us to…

Fast Flux is a term coined in the anti-spam world to describe such Trojan horses’ activity. The DNS RR leading to the phishing server keeps changing, with a new IP address (or 10) every 10 minutes to a day. Trying to keep up and eliminate these sites before they move again is frustrating and problematic, making the bottleneck the DNS RR which needs to be nuked.

We may be able to follow that, but the bigger question is how to cope with it. Even if you can follow the description, dealing with all three of the above is going to stretch any skilled practitioner. And that's Evron's point:

What am I trying to say here?

All these activities are related, and therefore better coordination needs to be done much like we do on the DA and MWP groups, cross-industry and open-minded. R&D to back up operations is critical, as what’s good for today may be harmful tomorrow (killing C&C’s as an example).

The industry needs to get off its high tree and see the light. There are good people who never heard about BGP but eat Trojans (sounds bad) for breakfast, and others need to see that just because some don’t know how to read binary code doesn’t mean they are not amazingly skilled and clued with how the network runs.

This is not my research alone. I can only take credit for seeing the macro image and helping to connect the dots, as well as facilitate cooperation across our industry. Still, though much of this needs to remain quiet and done in secret-handshake clubs, a lot of this needs to get public and get public attention.

Over-compartmentalizing and over-secrecy hurt us too, not just the US military. If we deal in secret only with what needs to be dealt with in secret, people may actually keep that secret better, and more resources can be applied to deal with it.
Some things are handled better when they are public, as obviously the bad guys already know about them and share them quite regularly. “Like candy” when it comes to malware samples, as an example.

The Internet threat level is now systemic, and has been since the rise of industrialised phishing, IMO. I've written many times before about the secrecy of the browser sector in dealing with phishing, and how the professional cryptographic community washed its hands of the problem. Microsoft's legendary castles of policy need no reminder, and it's not as if Apple, Sun, Symantec, Verisign or any other security company would ever do any better in measures of openness.

Now someone over the other side of the phishing war is saying that he sees yet other tribes hiding in their fiefdoms, and I don't even know which tribes he's referring to. Gadi Evron concludes:

-opinion-Our fault, us, the people who run these communities and global efforts, for being over-secretive on issues that should be public and thus also neglecting the issues that should really remain under some sort of secrecy, plus preventing you from defending yourself.

Us, for being snobbish dolts and us, for thinking we invented the wheel, not to mention that we know everything or some of us who try to keep their spots of power and/or status by keeping new blood out (AV industry especially, the net-ops community is not alone in the sin of hubris).

It’s time to wake up. The Internet is not about to die tomorrow and there is a lot of good effort from a lot of good people going around. Amazing even, but it is time to wake up and move, as we are losing the battle and the eventual war.

Cyber-crime is real crime, only using the net. Cyber-terrorism will be here one day. If we can’t handle what we have on our plate today or worse, think we are OK, how will we handle it when it is here?

Posted by iang at February 19, 2006 08:03 AM
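Evron's Fast Flux description above (a short-lived DNS RR whose answer set keeps moving between many IPs) is the kind of thing a defender can measure rather than chase. The following is an added example, not code from this post or from Evron: it replays constructed A-record lookups for two hostnames (the names, IPs and thresholds are all assumptions) and flags the host whose answers combine a short TTL with many IPs spread across several networks.

```python
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample: repeated A-record lookups of two hostnames, as
# (minutes since start, hostname, TTL in seconds, tuple of answer IPs).
OBSERVATIONS = [
    (0,  "login-verify.example", 300,   ("203.0.113.10", "198.51.100.7")),
    (10, "login-verify.example", 300,   ("192.0.2.44", "198.51.100.7")),
    (20, "login-verify.example", 300,   ("192.0.2.44", "203.0.113.99")),
    (30, "login-verify.example", 300,   ("198.51.100.120", "192.0.2.201")),
    (0,  "www.example",          86400, ("203.0.113.5",)),
    (10, "www.example",          86400, ("203.0.113.5",)),
    (20, "www.example",          86400, ("203.0.113.5",)),
    (30, "www.example",          86400, ("203.0.113.5",)),
]

def summarise(observations):
    """Per hostname: minimum TTL seen, distinct IPs, distinct /16 prefixes,
    and how many consecutive lookups returned a different answer set."""
    by_host = defaultdict(list)
    for minute, host, ttl, answers in observations:
        by_host[host].append((minute, ttl, frozenset(answers)))
    stats = {}
    for host, rows in by_host.items():
        rows.sort(key=lambda r: r[0])
        ips = set().union(*(r[2] for r in rows))
        # /16 prefixes are a crude stand-in for "different networks";
        # a real detector would map IPs to ASNs instead.
        nets = {ip_address(ip).packed[:2] for ip in ips}
        flips = sum(1 for a, b in zip(rows, rows[1:]) if a[2] != b[2])
        stats[host] = {
            "min_ttl": min(r[1] for r in rows),
            "distinct_ips": len(ips),
            "distinct_nets": len(nets),
            "flips": flips,
        }
    return stats

def flux_candidates(stats, max_ttl=1800, min_ips=4, min_nets=2):
    """Hosts combining a short TTL with many IPs over several networks.
    The thresholds are assumed defaults, not figures from the post."""
    return sorted(h for h, s in stats.items()
                  if s["min_ttl"] <= max_ttl
                  and s["distinct_ips"] >= min_ips
                  and s["distinct_nets"] >= min_nets)
```

Fed with a resolver's query log instead of the constructed list, the same summary is what an ISP or registrar can hand over when asked why a DNS RR, rather than any single host, is the thing to take down.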

The lack of responsible behavior on the part of the public community is to blame, pure and simple. Everybody wants a big brother, someone who will pick up the tab, carry the weight and allow the burden to be moved forward. A Wall Street story serves a purpose here: "Where are all the customers' yachts?" I ask, where are all the programmers', systems designers', and crypto folks' yachts? The answer is simple: there are none to be found. They have spent their valuable commodity producing cherished assets that they quickly threw before swine in the service of universities and corporations that manipulated the structures to satisfy their lust. Now we look at bad guys and say, what is going on here, why is everything so screwed up? Wake up, you fools: there are more bad guys with resources; the People's Liberation Army has a larger programming staff than Microsoft and the whole of India. Armed with source code this massive effort will cripple the whole of our world in minutes if not seconds, rendering their ability to project power into the systems and networks that have become our life line to each other. Think about the gathering storm of threats from organized crime and how easily they are achieved. Think about how easily Enron executives manipulated the accounting standards to paint earnings. Think about how far from perfection the knowable discrete information required to assess an enemy capability is. Think about a nation that has made one of the richest corporations remove Tibet from the map of the world. Now that we know nothing, we need to discover and assess the threats previously unthought of and craft solutions. But first the real hard question is who are we and who do we cooperate with? An absolute refusal to use anything Microsoft is the first step; a second step might be not to deal with corporations that promise to do no evil but choose to accept the genocide of a people by erasing a nation on its world maps; this is evil.
Google, Microsoft, Walmart, Enron, and others have your assets in their scope of acquisition and we must deny them access to our civilization and culture. We must make the hard choice to fight against tyranny, and cooperation with the People's Republic of China is unacceptable and uncivilized. I'm an American, which probably makes me a suspect in any call to arms or collective activity, but I assure you that if a community with or without Americans or myself is not formed to protect assets that are vital to the continuation of our culture we are all doomed, and if it is not significant enough in its efforts and scope the results will be the same. This is Pre World War Three right now, and if an effective opposition can be mustered now on this limited front then acts of aggression may be thwarted and not encouraged. A secret society must be created to divert the resources currently used to sustain and perpetuate the monopoly of tyrants over our lives. Secret is the key; no blog can contain and address the threat. We have been compromised to a great extent already. The craft of becoming more secret is the key, not open discourse; we are in a theatre of burning people expounding upon the wonderful heat as they melt before our eyes. Hiding the threat and exploiting it for our own needs is the answer; rather than inform the already compromised entities we should seek to compete with the elements of the dark forces and in this manner confront them and remove them. We will have become just like them, the most feared status of those that have been victimized by an enemy. That is also a mistake: we must become worse than them and make our threat a fear-inspiring message. We must become the Uber Crackers tormenting their every moment; attack, attack, attack is the only order when confronted with a threat; defense is a lost cause and an open society that is free to discover a myth that never emerged.

Posted by: jimbo at February 19, 2006 09:24 AM

>What is recursive DNS?

where your DNS server queries where a domain is by querying the whole chain of servers:

i.e. client -> recursive server -> root server -> .gtld/cctld server -> registry server -> authoritative server

The registry server may not be part of the chain and there may be additional servers in the path as the chain of delegation is searched.

The "infamous" Wikipedia description is a bit longer and accurate:

There is an interesting paper that graphically shows how it works, but I am unsure as to how they justify some of their conclusions. The data is also a bit old now - particularly in regard to vulnerabilities in the DNS server software and installations, however the datapoints are very interesting and worth a read.

1) Emin Gun Sirer, Cornell U. on DNS vulnerabilities

Meanwhile on the subject of ISP attacks this is an interesting overview:

2) Danny McPherson with an updated Infrastructure Security Survey Overview

This is from NANOG in October 2005 - some interesting statistics, and a RealMedia stream is available.

Posted by: fm at February 19, 2006 11:05 AM
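The chain fm lays out (client -> recursive server -> root -> TLD -> authoritative) is a walk down a tree of referrals. The following is an added example, not fm's or Wikipedia's text: it models three constructed servers, each holding either an answer or a referral for the zones it is responsible for, and records each hop the way a recursive resolver would, including the NXDOMAIN and referral-loop cases. Server names, zone names and addresses are all assumptions.

```python
# Constructed delegation data: each "server" holds, per zone name, either
# a referral ("REFER", next_server) or a terminal record ("A", address).
# Names are fully qualified with a trailing dot, as in real DNS.
ZONES = {
    "root": {".": ("REFER", "tld")},
    "tld":  {"example.": ("REFER", "auth"),
             "loop.": ("REFER", "tld")},        # mis-delegation pointing at itself
    "auth": {"www.example.": ("A", "203.0.113.5")},
}

def in_zone(name, zone):
    """True if name is zone itself or lies beneath it ("." covers everything)."""
    return zone == "." or name == zone or name.endswith("." + zone)

def lookup(server, name):
    """A server's best response: the exact record if it holds one, otherwise
    a referral for the longest matching zone it delegates, else NXDOMAIN."""
    records = ZONES[server]
    if name in records and records[name][0] != "REFER":
        return records[name]
    best = None
    for zone, rec in records.items():
        if rec[0] == "REFER" and in_zone(name, zone):
            if best is None or len(zone) > len(best[0]):
                best = (zone, rec)
    return best[1] if best else ("NXDOMAIN", None)

def resolve(name, max_hops=8):
    """Iterate from the root, following referrals until an answer or
    NXDOMAIN; a bounded hop count stops a referral loop from running forever.
    Returns (kind, value, path) where path lists (server, kind, value)."""
    server, path = "root", []
    for _ in range(max_hops):
        kind, value = lookup(server, name)
        path.append((server, kind, value))
        if kind == "REFER":
            server = value
            continue
        return kind, value, path
    return "LOOP", None, path

if __name__ == "__main__":
    for host in ("www.example.", "nope.example.", "x.loop."):
        kind, value, path = resolve(host)
        print(host, kind, value, [s for s, _, _ in path])
```

The bounded hop count is the defender's part of the example: a resolver that follows referrals unconditionally can be kept busy by a delegation that points back at itself.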