Archive for March, 2010

A chat with Luis Corrons, technical director at PandaLabs

March 31, 2010 2 comments

PandaLabs has just published its Quarterly Report, January-March 2010. This gave me the reason and opportunity to chat with Luis Corrons, PandaLabs’ technical director (but don’t let this stop you reading the full report – it’s well worth it).

Luis Corrons, PandaLabs

Luis Corrons, technical director, PandaLabs

We discussed a number of issues. The first was Mariposa, the largest ever known botnet with more than 12 million infected computers at its command. PandaLabs was instrumental (along with the Canadian Defence Intelligence) in the takedown of Mariposa in February, and the subsequent arrest of three gang leaders at the beginning of March.

Mariposa is not the only recent success against botnets: Microsoft has been successful in ‘crippling’ the Waledac botnet. But there is much debate about how successful Microsoft has actually been. This is because Waledac was effectively disconnected rather than destroyed; in theory, or so it is suggested, Waledac could return. So my first question to Luis was simply, will Mariposa stay down? Luis thinks it will.

“We didn’t just get the command and control servers; with Mariposa we got the guys behind it. The problem is that we can take down the botnet but the criminals are still out there and can start a new botnet – that happens most of the times – but in this case the takedown is permanent. The botnet has been dismantled and the organisers caught.”

Luis explained that botherders are generally very good at hiding their whereabouts.

“These guys would use an anonymous VPN service to communicate with the control servers. We never knew where they were. So we could take over their botnet, but we didn’t know who they were. But on this occasion their leader got nervous. We had control of Mariposa. He wanted it back. He got sloppy. He forgot to use the VPN and tried to regain Mariposa using his own home computer. That gave us his IP address – and we’d got him.”

By that one single, simple error did Mariposa fall. Luis is happy about that. But there are two other aspects of this case that are more worrying. The first is that these ‘hackers’ are not true hackers; they seem to have very little genuine technical expertise. What they had was a botkit, a piece of software that can be bought over the internet. There was a time when script kiddies were more of an annoyance, just internet noise, rather than a serious threat. But the quality of today’s scripts, which are now sophisticated ready-made hacking tools, means that just about any script kiddie wannabe hacker can do serious damage. And that really is worrying.

The second concern is worrying in a different way. Luis doesn’t think there will be a jail sentence for the Mariposa botherders.

“Probably they will be released free, without prison. In Spain it is not illegal to have a botnet, even one comprising more than 10m computers. I know the police in this case; they know the guys are guilty and can be proven guilty; but they don’t think that these guys will go to jail. In fact the police had to accuse them of cyberterrorism, which is not really accurate in this case; but that was the only way they could arrest the leader and confiscate his computers for forensic analysis.”

[Memo to Mandelson: WTF are you doing faffing around with trying to get disconnection for private citizens that you cannot possibly prove to be guilty when Spain cannot even lock up proven criminals that have been instrumental in countless identity thefts all round the world? Don’t bother answering that. Just pack your bags and bugger off.]

Next we talked about Aurora. How, I asked him, could anti-malware protect you from sophisticated spear-phishing coupled with zero-day exploits.

“My basic security advice is to have everything patched and don’t trust anyone. But in this case that wouldn’t have worked. The combination of a zero-day exploit and such a targeted attack – someone you know talking about something you’re both interested in with a link to more interesting information – that’s really, really difficult to resist. The weak link in this is always the user, and in general the user is easy to fool – and that’s why so many people get infected. Even if you know about security, and you know you have to be careful on the internet, no-one is safe when something is really targeted at you. I’m not really optimistic – there is no way to be 100% safe – you can be pretty safe, but you cannot guarantee security. OK, you’ve got your anti-virus and it’s up to date, but they will know which anti-virus you’re using and they will test their trojan against your anti-virus to see if it is detected before they attack you with it. They will have studied your movements and know your weakpoints.”

Paradoxically, in such a situation, your security defences merely confirm your security weaknesses. But it was a nice link to my next subject. I wanted to know Luis’ opinion on my claim that the majority of security product testing is a waste of time. You may recall that I said: “If the product in question is in any way anti-malware, the vendor can simply claim that the product kills 99% of all known germs. The validation process will inevitably prove it to be true and the company has a marketing bonus that is actually meaningless. Why? Because the product will inevitably be tested against the Wild List.” I wanted a view from the coalface and expected protestations – but I got a surprise:

“That’s an interesting topic. Using the Wild List as a test to say this particular anti-virus is good is impossible – and most of the tests used could be considered useless anyway. Most take a bunch of virus samples, scan them with the anti-virus product and look at the results. Is that accurate? Well, yes if you’re measuring signature recognitions – but most of the AV companies rely on a whole bunch of other detection measures that aren’t tested. heuristics, behavioural blockers, action in the cloud and others. If a test is a real-life test simulating real-life conditions, it would be good if you could see when and how the threat was stopped. But there are very few people who can do this sort of testing; and it would be really expensive. There are a few AV researchers in universities and elsewhere that are working on this kind of test – but most of the tests we come across are useless because they do not reflect the real situation. But users read them.”


So what can we take away from this interview? We have the technical director of one of the world’s leading anti-malware companies declining to claim that his products would keep you secure from Aurora-like APTs, admitting that you cannot be secure on the internet, and agreeing that most of the product tests we come across are worthless. Frankly, I feel a whole lot safer with this sort of open honesty from a man at the top of the security industry than with the more common ‘we’ll make you 100% safe’ marketing hype we usually come across. PandaLabs just went up in my estimation.

Categories: All, Security Issues

Sustaining West European support in Afghanistan – the CIA’s view

March 28, 2010 1 comment

The WikiLeaked CIA Red Cell Special Memorandum on “Sustaining West European Support” for the Afghan war is disturbing. It’s not so much the function of the document. After all, it’s basically a standard PR document of the type that all large companies produce under crisis management; and we tend to accept that business needs to do this. No, this is disturbing because of the cynicism involved in national manipulation and the end product of the ‘business’: war and death.

The document starts:

The fall of the Dutch Government over its troop commitment to Afghanistan demonstrates the fragility of European support for the NATO-led ISAF mission.

and the first three paragraphs headings explain both the problem and the perceived solution:

Public Apathy Enables Leaders To Ignore Voters. . .

. . . But Casualties Could Precipitate Backlash

Tailoring Messaging Could Forestall or At Least Contain Backlash

At one level it is a fascinating discussion of European attitudes. It talks  about France and Germany, the third and fourth largest troop providers to the war. In both countries it is the women who are considered the weak or danger point. While women are anti-war, men are either apathetic or vaguely supportive. The French concern is over civilians and refugees. The German concern is more pragmatic: they are “worried about price and principle”.

But all is not lost, the force for change still has some ‘traction’:

The confidence of the French and German publics in President Obama’s ability to handle foreign affairs in general and Afghanistan in particular suggest that they would be receptive to his direct affirmation of their importance to the ISAF mission—and sensitive to direct expressions of disappointment in allies who do not help.

Does this mean that the Americans believe that Europe supports America because it believes in Obama? Oh dear, no. The CIA believes that it can manipulate European loss of favour with Obama to its advantage:

European hand wringing about the President’s lack of attendance at a EU summit and commentary that his absence showed that Europe counted for less suggests that worry about European standing with Washington might provide at least some leverage for sustaining contributions to ISAF.

But I have to admit that it is not the mind-numbing cynicism of this document that worries me most: it is the absence of any need to bolster support in the UK. What does this mean? Does the CIA believe that it has the UK Government so deeply in its pocket that the UK support is a permanent given? Does it mean that the CIA believes it can do no better a job at disinformation and public manipulation than its UK counterparts and the UK government? Think of the Blair/Campbell public manipulation, and any of the lies and falsehoods that have come out of our current government. For me, the biggest concern about this document is that it shows the Americans already consider the UK to be the 51st State.

Categories: All, General Rants

Another sloppy phishing attempt

March 27, 2010 Leave a comment

In business, the ultimate accolade is to be head-hunted. On-line, the ultimate accolade is to be spear-phished.

But this is an insult! They could at least make it believable. It’s not the grammar – anyone can make those mistakes. “We are having congestions…” OK, take some cough mixture.

“Due to the congestion in all hotmail users…” Damn, this cough is contagious!

Nor is it the lack of logic.  “Hotmail would be shutting down all unused accounts…” Not much point in writing to me if it’s unused, because I won’t read it.

Nor even is it the sloppiness. “We apologize for any inconvenien”

No. The thing that gives this away as a very poor phishing attempt is the obvious outright lie. “This Email is from Hotmail Customer Care.” Every hotmail user in the world knows there’s no such thing!

Categories: All, Security Issues

Democracy in the United Kingdom

March 25, 2010 Leave a comment

The democratic basis of the United Kingdom is under threat. This is happening right now.

What is that democratic basis? It is a trias politica; the separation and independence of the three functions of government: executive, legislature and judiciary. In the UK, the executive is the Cabinet; the legislature is parliament; and the judiciary is the Courts. Enforcement is controlled locally by the police, and internationally by the Armed Forces. They exist to enforce the edicts of the legislature, and whether they get it right or wrong is determined independently by the judiciary.

The first breakdown in this democratic principle came with the castration of parliament: it has had its balls removed by the executive. Parliament no longer matters: it is bullied, steamrolled and ignored by the executive. Its wishes are irrelevant. It might as well not exist – its sole remaining purpose is to make us, the people, believe we have a say in government.

The second breakdown came with the castration of the Cabinet. It no longer matters either. It is peopled by self-seeking Yes Men (and Women) who either want the extra pay and prestige or who are actively jockeying to be the next Leader. But they no longer matter or have any real say in policy: they have absolutely no say in government.

Government is now controlled by the Leader, who has an inner clique whose primary function is to maintain his position. This usually comprises the Home Secretary, the Minister of Justice and the Chancellor. The current variation is that it really only comprises the current Secretary of State for Business, Innovation and Skills (worryingly, someone who has no elected mandate from the people whatsoever).

So democracy now comprises an executive of one person and a judiciary.

The independence of the judiciary is also under threat. Judges are ultimately appointed by the executive. Traditionally, they are kept in check by an independent trial jury of twelve citizens – and we already have situations where juries are dispensed with. But the more worrying trend is that the judiciary is being side-lined.

This is being achieved by a gradual (actually, not so gradual) movement away from a presumption of innocence to a presumption of guilt. We are increasingly guilty unless we can prove our innocence; and this in turn is increasingly done either by our presence within, or our absence from, one or more of the increasingly inclusive national databases.

This is most obvious with the National ID Register and ID Cards. Their purpose is to prove that, individually, we are not benefit cheats, illegal immigrants, paedophiles, terrorists or gun-running, money-laundering mafia overlords.

A very close second comes the National DNA database which contains DNA records of more innocent people than criminals. If we haven’t done anything wrong, why should we worry, we are told. But that’s the whole point: in a true democracy it is up to the police to prove to the judiciary that we are guilty of a crime; it is not up to us to prove we are innocent.

This process is now neutering the judiciary. Guilt will no longer be decided by argument and proof, it will be decided by the inclusion or absence of database records. No judgement will be required by judges, merely the pronouncement of statutory sentences. And these sentences come from the executive, which we have already seen to be effectively the Prime Minister.

In other words, shocking as this may sound, we in the UK are on the verge of being ruled by dictatorship. Many of us believe that this is already happening.

Categories: All, General Rants

Sacred cows fall at Pwn2Own

March 25, 2010 2 comments

One thing in this life is certain: if you set something up, someone will knock it down. That is just what has been happening at the Pwn2Own contest run by security company TippingPoint Zero Day Initiative (ZDI) in Vancouver. The impregnability of the iPhone has gone. Security researchers Vincenzo Iozzo from Zynamics GmbH and Ralf-Philipp Weinmann from the University of Luxembourg stole the SMS database from an iPhone that visited a malicious website.

The researchers have declared, under the rules of the competition, that they won’t release details until after Apple has had a chance to patch the vulnerability – but it just proves that nothing is safe, and even iPhone users need to watch where they’re going.

Apple’s Safari browser running on the latest Snow Leopard version of OS/X also fell to proven Mac hacker Charlie Miller, again to the process known as drive-by hacking. When a conference organiser pointed Safari at the poisoned web page, Miller’s exploit took control of the Macbook.

Peter Vreugdenhil took down IE8 running on Windows 7. He managed to by-pass Windows’ DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization) protections that are specifically intended to prevent such attacks.

Firefox on Windows 7 fell to a German researcher known as Nils, using a new zero-day vulnerability. Firefox has only just released version 3.6 (with commendable speed); so we can expect 3.7 before some laggards even update to 3.6.

All in all, the only target that wasn’t attacked and defeated was Google’s Chrome; presumably because no-one yet has a working exploit. But give it time. What Pwn2Own does is demonstrate that nothing is ultimately secure. We just have to be very, very careful about what we do and where we go whatever we’re using,

Categories: All, Security News

The electricity of the future? Brown says so!

March 22, 2010 1 comment

Well, it’s true. The rumours that have been floating around were right. Gordon Brown has delivered his speech claiming that the internet is the electricity of the future, and that universal access to broadband should be a fundamental right. So what of the Digital Economy Bill? Well, we’ll come back to that. First we should at least briefly talk about the main thrust of this speech.

Because, frankly, if we could believe him, and believe in his intent, then it would be a wonderful thing. There will be a new mygov site, opening both national and local government to the people via the coming semantic web, headed by luminaries including Berners-Lee and Martha Lane Fox. Broadband will be brought to 100% of everybody (funded by a new £6 per year tax on all phone-owners). There will be a new web science institute with £30m funding.The people will be able to shape the government of the future! And it will generate mind-boggling savings in the cost of government.

It sounds wonderful, and there will be many detailed analyses of what he said, and declined to say, over the next few days. But my initial thoughts are that what he described will never happen. Oh, we might get interactive government, but it will actually be more closed than ever. Because those who control the pipes control what goes through them; and the Digital Economy Bill will give government full control over those pipes.

It will also force people to accept national ID cards – because that will be the way in which we authenticate ourselves in order to have access to this wonderful new e-government. And if we haven’t got the card, we cannot access government services (which will include paying taxes and claiming benefits and probably even access to our GP).

Speaking in a different context, John Young (a living legend for free speech) has recently commented about freedom of information, “…once laudable and honorable freedom of information processes have evolved into shrewd and lucrative disinformation distribution tools for authoritatives of all stripes — gov, mil, com, edu, org, MSM.” This is how Brown’s open government will evolve, into something that appears to be open but effectively, and efficiently, hides what we aren’t meant to see. At the same time it provides the means to make the National ID Register necessary for all of us to accept. Ultimately, it just concentrates more power into the hands of government and those who control government. If you don’t do what you’re told, we’ll cut off the pipe!

I see far more dangers than benefits in this.

Categories: All, Security Issues

2012 Armageddon Blamed on Twitter

March 18, 2010 Leave a comment

Search Google with “social network blamed” and you get the following top hits:

  • Online social networking blamed for rise of AIDS cases
  • More teen troubles blamed on social networking
  • Social Networking Sites Increasingly Blamed in Divorces
  • Mother blames social networking website
  • Social Networks Blamed For $2.25B In Lost Productivity
  • 1 in 5 Divorces Blamed on Facebook
  • Facebook fuelling divorce, research claims
  • Texting, online social networking blamed for poor English skills
  • Economist Blames Twitter for Down Economy

All of this comes from the first two pages, and I’ve omitted most of the others simply because they are different takes on the same headline.

Can this be true? Is social networking the cause of everything wrong in society. Is it what lies behind global warming? (Actually, it probably is since the energy consumed by all of Google’s, Twitter’s, FaceBook’s, Bing’s etc servers is quite staggering.)

But isn’t it time to stop the blame game, and take responsibility for ourselves upon ourselves? While there are many individual tragedies behind these headlines, we have to stop trying to blame other people for our own misfortunes. It’s a by-product of socialism gone wrong: the State will provide. If the State provides, where is the incentive for us to provide for ourselves? I’m not saying the State shouldn’t provide in cases of genuine hardship and misfortune; but the by-product is that we have become too happy to say “it isn’t my fault, so it must be someone else’s”.

It’s got to stop. Social ills are caused by social problems; not by social networking. The solution is for us to be more security aware and to teach our children to be aware, not to automatically blame something or someone else.

Having said all this, I am praying for a new headline in a few weeks time: “Brown blames it all on Twitter, as he packs his bags”.

Categories: All, Security Issues