PandaLabs has just published its Quarterly Report, January-March 2010. This gave me the reason and opportunity to chat with Luis Corrons, PandaLabs’ technical director (but don’t let this stop you reading the full report – it’s well worth it).
We discussed a number of issues. The first was Mariposa, the largest ever known botnet with more than 12 million infected computers at its command. PandaLabs was instrumental (along with the Canadian Defence Intelligence) in the takedown of Mariposa in February, and the subsequent arrest of three gang leaders at the beginning of March.
Mariposa is not the only recent success against botnets: Microsoft has been successful in ‘crippling’ the Waledac botnet. But there is much debate about how successful Microsoft has actually been. This is because Waledac was effectively disconnected rather than destroyed; in theory, or so it is suggested, Waledac could return. So my first question to Luis was simply, will Mariposa stay down? Luis thinks it will.
“We didn’t just get the command and control servers; with Mariposa we got the guys behind it. The problem is that we can take down the botnet but the criminals are still out there and can start a new botnet – that happens most of the time – but in this case the takedown is permanent. The botnet has been dismantled and the organisers caught.”
Luis explained that botherders are generally very good at hiding their whereabouts.
“These guys would use an anonymous VPN service to communicate with the control servers. We never knew where they were. So we could take over their botnet, but we didn’t know who they were. But on this occasion their leader got nervous. We had control of Mariposa. He wanted it back. He got sloppy. He forgot to use the VPN and tried to regain Mariposa using his own home computer. That gave us his IP address – and we’d got him.”
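The slip Luis describes is something a takedown team can watch for mechanically: once you control the command servers, every login attempt is logged, and any attempt that does not arrive through the anonymising VPN's exit addresses is worth a second look. The script below is an added example, not PandaLabs' tooling or anything from the report; the log format, the user name, the timestamps and the VPN exit ranges are all constructed for the illustration.

```python
"""Flag command-and-control logins that bypass the operators' anonymising VPN.

Added example, not code from PandaLabs or the original post. The log lines,
the log format and the VPN exit ranges below are constructed placeholders.
"""
import ipaddress
import re

# Hypothetical exit ranges of the anonymous VPN service the operators were
# expected to use (documentation-reserved prefixes, not a real provider).
VPN_EXIT_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8:1::/48"),
]

# Assumed line shape for the control panel's access log.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_line(line):
    """Return a dict for one access-log line, or None if it is malformed."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    try:
        rec["src"] = ipaddress.ip_address(rec["src"])
    except ValueError:
        return None
    return rec


def from_vpn(addr, ranges=VPN_EXIT_RANGES):
    """True if addr falls inside any of the expected VPN exit ranges."""
    # 'in' returns False across IP versions, so v4 addresses never match v6 nets.
    return any(addr in net for net in ranges)


def find_opsec_failures(lines, ranges=VPN_EXIT_RANGES):
    """Return (user, src, ts) for every login attempt sourced outside the VPN.

    Failed attempts are reported too: a wrong password still reveals the
    address the operator connected from.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if from_vpn(rec["src"], ranges):
            continue
        hits.append((rec["user"], str(rec["src"]), rec["ts"]))
    return hits


# Constructed sample log: three logins through the VPN, one malformed line,
# and one attempt from an address that is not a VPN exit.
SAMPLE_LOG = [
    "2010-02-01T10:02:11Z src=203.0.113.17 user=admin result=ok",
    "2010-02-02T18:44:09Z src=2001:db8:1::beef user=admin result=ok",
    "garbage line that should be skipped",
    "2010-02-03T09:30:00Z src=203.0.113.201 user=admin result=fail",
    "2010-02-03T21:15:02Z src=198.51.100.77 user=admin result=ok",
]

if __name__ == "__main__":
    for user, src, ts in find_opsec_failures(SAMPLE_LOG):
        print(f"{ts} {user} connected from {src}, outside the VPN ranges")
```

Run against a real sinkhole log you would swap in the VPN provider's published exit ranges and the panel's actual log format; the point is the allow-list comparison, which turns "he forgot the VPN once" into a single flagged line rather than something found by luck.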
By that one simple error did Mariposa fall. Luis is happy about that. But there are two other aspects of this case that are more worrying. The first is that these ‘hackers’ are not true hackers; they seem to have very little genuine technical expertise. What they had was a botkit, a piece of software that can be bought over the internet. There was a time when script kiddies were more of an annoyance, just internet noise, rather than a serious threat. But the quality of today’s scripts, which are now sophisticated ready-made hacking tools, means that just about any wannabe hacker with a script kiddie’s skills can do serious damage. And that really is worrying.
The second concern is worrying in a different way. Luis doesn’t think there will be a jail sentence for the Mariposa botherders.
“Probably they will be released free, without prison. In Spain it is not illegal to have a botnet, even one comprising more than 10m computers. I know the police in this case; they know the guys are guilty and can be proven guilty; but they don’t think that these guys will go to jail. In fact the police had to accuse them of cyberterrorism, which is not really accurate in this case; but that was the only way they could arrest the leader and confiscate his computers for forensic analysis.”
[Memo to Mandelson: WTF are you doing faffing around with trying to get disconnection for private citizens that you cannot possibly prove to be guilty when Spain cannot even lock up proven criminals that have been instrumental in countless identity thefts all round the world? Don't bother answering that. Just pack your bags and bugger off.]
Next we talked about Aurora. How, I asked him, could anti-malware protect you from sophisticated spear-phishing coupled with zero-day exploits?
“My basic security advice is to have everything patched and don’t trust anyone. But in this case that wouldn’t have worked. The combination of a zero-day exploit and such a targeted attack – someone you know talking about something you’re both interested in with a link to more interesting information – that’s really, really difficult to resist. The weak link in this is always the user, and in general the user is easy to fool – and that’s why so many people get infected. Even if you know about security, and you know you have to be careful on the internet, no-one is safe when something is really targeted at you. I’m not really optimistic – there is no way to be 100% safe – you can be pretty safe, but you cannot guarantee security. OK, you’ve got your anti-virus and it’s up to date, but they will know which anti-virus you’re using and they will test their trojan against your anti-virus to see if it is detected before they attack you with it. They will have studied your movements and know your weak points.”
Paradoxically, in such a situation, your security defences merely confirm your security weaknesses. But it was a nice link to my next subject. I wanted to know Luis’ opinion on my claim that the majority of security product testing is a waste of time. You may recall that I said: “If the product in question is in any way anti-malware, the vendor can simply claim that the product kills 99% of all known germs. The validation process will inevitably prove it to be true and the company has a marketing bonus that is actually meaningless. Why? Because the product will inevitably be tested against the Wild List.” I wanted a view from the coalface and expected protestations – but I got a surprise:
“That’s an interesting topic. Using the Wild List as a test to say this particular anti-virus is good is impossible – and most of the tests used could be considered useless anyway. Most take a bunch of virus samples, scan them with the anti-virus product and look at the results. Is that accurate? Well, yes if you’re measuring signature recognitions – but most of the AV companies rely on a whole bunch of other detection measures that aren’t tested: heuristics, behavioural blockers, action in the cloud and others. If a test is a real-life test simulating real-life conditions, it would be good if you could see when and how the threat was stopped. But there are very few people who can do this sort of testing; and it would be really expensive. There are a few AV researchers in universities and elsewhere that are working on this kind of test – but most of the tests we come across are useless because they do not reflect the real situation. But users read them.”
So what can we take away from this interview? We have the technical director of one of the world’s leading anti-malware companies declining to claim that his products would keep you secure from Aurora-like APTs, admitting that you cannot be secure on the internet, and agreeing that most of the product tests we come across are worthless. Frankly, I feel a whole lot safer with this sort of open honesty from a man at the top of the security industry than with the more common ‘we’ll make you 100% safe’ marketing hype we usually come across. PandaLabs just went up in my estimation.
The WikiLeaked CIA Red Cell Special Memorandum on “Sustaining West European Support” for the Afghan war is disturbing. It’s not so much the function of the document. After all, it’s basically a standard PR document of the type that all large companies produce under crisis management; and we tend to accept that business needs to do this. No, this is disturbing because of the cynicism involved in national manipulation and the end product of the ‘business’: war and death.
The document starts:
The fall of the Dutch Government over its troop commitment to Afghanistan demonstrates the fragility of European support for the NATO-led ISAF mission.
and the first three paragraph headings explain both the problem and the perceived solution:
Public Apathy Enables Leaders To Ignore Voters. . .
. . . But Casualties Could Precipitate Backlash
Tailoring Messaging Could Forestall or At Least Contain Backlash
At one level it is a fascinating discussion of European attitudes. It talks about France and Germany, the third and fourth largest troop providers to the war. In both countries it is the women who are considered the weak or danger point. While women are anti-war, men are either apathetic or vaguely supportive. The French concern is over civilians and refugees. The German concern is more pragmatic: they are “worried about price and principle”.
But all is not lost, the force for change still has some ‘traction’:
The confidence of the French and German publics in President Obama’s ability to handle foreign affairs in general and Afghanistan in particular suggest that they would be receptive to his direct affirmation of their importance to the ISAF mission—and sensitive to direct expressions of disappointment in allies who do not help.
Does this mean that the Americans believe that Europe supports America because it believes in Obama? Oh dear, no. The CIA believes that it can manipulate European loss of favour with Obama to its advantage:
European hand wringing about the President’s lack of attendance at an EU summit and commentary that his absence showed that Europe counted for less suggests that worry about European standing with Washington might provide at least some leverage for sustaining contributions to ISAF.
But I have to admit that it is not the mind-numbing cynicism of this document that worries me most: it is the absence of any need to bolster support in the UK. What does this mean? Does the CIA believe that it has the UK Government so deeply in its pocket that the UK support is a permanent given? Does it mean that the CIA believes it can do no better a job at disinformation and public manipulation than its UK counterparts and the UK government? Think of the Blair/Campbell public manipulation, and any of the lies and falsehoods that have come out of our current government. For me, the biggest concern about this document is that it shows the Americans already consider the UK to be the 51st State.
In business, the ultimate accolade is to be head-hunted. On-line, the ultimate accolade is to be spear-phished.
But this is an insult! They could at least make it believable. It’s not the grammar – anyone can make those mistakes. “We are having congestions…” OK, take some cough mixture.
“Due to the congestion in all hotmail users…” Damn, this cough is contagious!
Nor is it the lack of logic. “Hotmail would be shutting down all unused accounts…” Not much point in writing to me if it’s unused, because I won’t read it.
Nor even is it the sloppiness. “We apologize for any inconvenien”
No. The thing that gives this away as a very poor phishing attempt is the obvious outright lie. “This Email is from Hotmail Customer Care.” Every hotmail user in the world knows there’s no such thing!