Can't have it both ways, I call Shenanigans!

March 17, 2009


I’m calling Shenanigans!

senanigans

Ok, I’m am starting to get a little pissed.  As you know I have been questioning why researchers are not more proactive about taking out botnets and hacking malware and its infrastructure.  Common refrains are NONONONO ooooo that would be illegal blah blah blah.

Now see the following.. just from today.  There are many more such examples if you troll around.

Here is an article from the highly overhyped Brian Krebs who I think does a good job reporting but really does’nt go far enough in his questions or the depth of levels needed to really discuss the important issues in his articles.  Even investigative reporters of the crappy kind go deeper than his content which is sad, because if he chose to do so would dramatically up the level of discussion and populate the idea pool with more useful ideas.  He has the audience now he just needs to up his game to be more effective as a thought leader instead of just a reporter.  Reporters are boring from a research standpoint and do little to add to the cumulative public knowledge base to really solve problems.

Massive Profits Fueling Rogue Antivirus Market

http://blog.washingtonpost.com/securityfix/

“Prior to site’s demise, security researchers managed to snag a copy of the database for the TrafficConverter affiliate program.”

Now explain to me how they were able to do that without breaking any use laws.  I want to be clear here.  I am not supporting breaking of laws, I am noting that said laws are used as an excuse to really SOLVE the malware infrastructure problem and support the Security products industries bottom lines.

Based on stuff like this, an alternative is needed for protection… Awesome Title BTW

Storm Worm Botnet Lobotomizing Anti-Virus Programs

Any and all of these attempts would run afoul of some narrow minded anal retentive lawyer and somehow break a computer law somewhere.  However the key thing here is authority and intent.

If its illegal to walk on the grass, yet you see a lady getting mugged on the other side of the really nice garden, do you run across the grass and help her or walk ALL the way around and hope that the scumbag does’nt off her and make off with her valuables.

If there is a technical way to disable, subvert, dismantle, neuter, compromise, impact, DOS, surveille a botnet, malware author, cybercrime crew, criminal organization then it should be investigated and done if possible provided it does not make the system inoperable and unusable.  The problem here is that you need extremely sophisticated techniques to do so.  You cant have a bunch of jackass cybervigilantes running amok and causing more havoc then good.

Actions should be given to competant organizations / researchers based on a validated and widespread threat.  Sort of like what a CyberInterpol would do, but we know that will never happen.  Essentially what we need is a vetting process whereby through a collaborative cooperative of security responders/researcher get a free pass to conduct offensive surgical strikes on malware infrastructure and Run ops against these crews.

Here is an attempt to attack Storm that was dead on arrival because there was no will and balls behind the effort.

Result would be degradations of malware infrastructure, sowing distrust and discord among organizations, infiltration through stings, paying rival organizations to rat out their competitors, higher bounties, snatch and grab operations, poison pilled exfiltration data from high level targets, arrest and PREEEESSSUREEEE on the low level schmucks to roll on their buddies, leadership chain attacks, exploitation of malware binaries to render them inert, integrity attacks on command and control channels to render them disrupted or get them to disable or delete themselves, updating the malware do doing something beneficial like disable functions or change its communication mechanism so it is no longer reachable by its command and control at all.  The field is WIDE OPEN for research to discuss and innovate but do you see it being done??  NO.  I repeat NO>

And thats why I am calling SHANANIGANS on the whole lot of them.  When people ever bring the subject up they give you the standard BS responses, however in the background they do things as shown in the previous articles that would clearly be construed as illegal.

I am calling for a Cyber Free Fire Zone.

081110170523

For example.  Make a law that says that all machines that are compromised and attacked, entitle the user or its designated parties via a special use license to make any modifications or actions against said invading party.  This basically protects the user from legal recourse and could fall under reasonable cyber self defense guidelines.  If you come into my house to steal my Playstation 3 or rape my wife I am going to beat the shit out of you.  Or worse in the second case, however if you come in to my computer and steal my vital data or work and compromise my identity or cause me extreme financial hardship I have no recourse and cant to anything?!?!

Now people that just doesnt make sense.  From the goverment side we need a Cyber Monroe doctrine which I believe is a great idea.  As well if you look at the statistics, many many of the malware operations are run from inside the United States to I dont believe for a second, that our laws long arms cant reach into Pukipsee.

A person who I know well, Lenny Seltser who teaches courses for SANS on malware analysis (SANS 610)  posted recently a “counter argument” that while has important points I respectfully disagree with.  I think you need to weigh the consequences between an active response and the impact of not acting.  That is the ethical equation.  If you can do more good then harm, you should serious consider the action.

Here some more on the BBC incident.  Unfortunately I do not see many advocating any counter malware actions, not to my suprise because that is the status quo.

So what do we do?  Prosecute security researchers for their intelligence actions that they try and keep on the downlow, while at the same time espousing support for the rule of law?  I dont advocate that.  I advocate the declaration of a Cyber Free Fire Zone, Establishment of a Cyber Monroe Doctrine, Creation of a counterhack implied user license for legal protection, and enhanced and publised experimentation and surgical counterstrike actions being conducted as I have stipulated above.

BBC Program Purchases Botnet, Touches Off Ethical Debate

BBC Responds to Botnet Controversy

Here is an interesting first step from Britian at least attempting to solve the problem, however present much opportunity for abuse and is only allowed by law enforcement which defeats the purpose and overall goal.  Regardless, Britian with all its security incidents is really in no way shape or form qualified to lead in security research or cyber actions due to its nightmareish list of compromises and general cyber ignorance from its military, goverment and intel sections.

Here is another example

Spam Botnet Taken Over By Good Guys: Now What?

Gee Boss, now whut?? (Scratches his head)  The answer is focused collaborative research on cyber course of actions.  DUH!  Thats what the military does all the time.  Establish course of actions against an enemy’s order of battle.  The acts.  No action here….
Here is another example from the Prevx group

Stolen-data trove offers look inside a botnet

Now how could researchers obtain this and not break the law?  Why was this box not infiltrated and monitored to prosecute, track and punish the people that connect and download said purloined information.

Caches of stolen data like these are hidden throughout the Internet, usually locked away inside password-protected websites or heavily fortified servers. Prevx’s researchers were able to infiltrate this site because it was protected with poor encryption.”

Cut the bullshit about not being able to do something as a security researcher and whining about laws.  Researchers are already doing it.  however they are at risk of prosecution so this debate is about empowering them by giving them cover or implied authority.  A digital RobinHood / Zorro if you will.

I think the fact of the matter is, researchers dont want anyone else to do it, so use the cover of the law to keep public debate to a minimum.  As well, alot of their SENSOR networks and compromised honeypots used for intelligence yet are members of said botnets are operational and doing everything a full member of a botnet would be doing such as DDOS and spam.  Maybe even SqL injection attacks ala ASPROX.

It would be nice if guys who had the balls like Offensivecomputing had the same initiative and championed these counter cyber attack research options through public debate.  Currently right now I would imagine it is only debated in Military and Intel communities but those organizations are so hamstrung with policies and bullshit that I doubt anything rarely gets accomplished, or its not in their domain, or they just dont care.

FBI included.  They have only limited resources ya know and threshold for what warrants attention.  “So what you got hacked and lost 10grand to a russian guy who drained your brokerage account. Go call the local PD. Dial 911, Operator, whats the emergency.  Caller- some guy just hacked my computer and stole 10 grand from my brokerage account.  Operator, thats not an emergency. Police officer status not my problem, call the FTC.”  _get_THE_PICTURE?

The website that Prevx found, which was operating on a server in Ukraine, was still online for nearly a month after security researchers alerted the Internet service provider and law-enforcement authorities. The site was sucking up data from 5,000 newly infected computers each day.” – wow no action, i am not suprised…

They should have realized abuse complaints in that part of the world go straight to the bit bucket…. duh.. Next time act.  compromise the data in the trove with beacons and find the real culprits,  put crypto attack code in the documents so that whoever opens them gets their files cryptolocked with a Secret key and a message to contact a POC to get your files unlocked.   Other avenues of action are or could be equally disruptive and intersting.  Send the badguys information and keystrokes back to the victim.

Here is another great example of retarded action.

Kraken the botnet: The ethics of counter-hacking

Two awesome researchers did excellent innovative work.  Then what happened.  NOTHING.  Great job management.  Next time set up a Skunkworks unattibutable group with resources that are untraceable and Fucking Do it.  Then destroy all traces of said action.  In the current environment this is the only recourse for real action.  Someone needs to stick their dick in the pool first.  Whose it going to be.  O yea right.  Your not supposed to find out.  Sorry you wont get the credit but youll be the one smiling in the room when its discussed…..

Pretty soon we need to start dealing with these issues effectively and dealing with the likes of these.

lens1552240_evilleprechaun

Or we can start expecting our data and vital operations to look like this…

beirut2

Advertisements

6 Responses to “Can't have it both ways, I call Shenanigans!”

  1. I think the legalization argument is likely to fail. The intricacies of legislating something like that is well beyond many law makers who understand the Internet as a “series of tubes”. Additionally, you run into a series of problems with international computers, proxies, unwitting victim computers, etc.

    On a practical level, I think you’re covered. As you note, there is very little in the way of cyber crime police. The FBI isn’t out there detecting attacks from one computer to the next. If an incident is reported, and if it’s investigated, generally there’s a complaint from someone. Now ask yourself, is the cyber criminal likely to file that complaint? Keep in mind the examination of the evidence would necessarily include evidence of the botnet/malware. Criminals already understand this as demonstrated by the malware that removes other malware and patches systems.

    Your Zorro and Robin Hood comparisons are apt. Zorro wore a mask and Robin Hood was hunted by the Sheriff. Researchers are in the gray area all the time and sometimes step across ethical lines. They don’t need to advertise it. The problem is that rather than holding researchers to a police-like standard look at their results. In the BBC case, the sent a few emails, alerted users to the presence of a bot on their computer, and removed it where possible. I believe they did the right thing.

  2. Tom said

    You’re not clear on what rights people should be given to defend themselves. Suppose someone injects a bot on my computer and I think it’s from a specific IP address, can I try to attack that IP? What if I’m wrong?

    The devil is in the details.

  3. Thomas said

    Hi

    I was wondering if any of the technical info came to light as of yet. I am still curious about the excat type of Botnet that was used or what the classification/detection name of the Botnet was by the major A/V vendors.

    I think the major questions that everyone seemed to miss is, was this detectable by an A/V product, or was it purchased because it avoided A/V detection.

    Tom

  4. […] in great depth in some of my earlier posts such as our Spotlight Shine Bright series, and my I call Shenanigans, and BBC Wussy Robin Hood […]

  5. Arguillo said

    I fully agree, the devil is in the details. Similarly, what if the specific IP address is only a jump box for the real attacker.

    Ethically, I'm comfortable hacking into a botnet. Obviously that's going to tread on some people but any non-invasive limited use directed toward disabling the botnet is for the greater good in my opinion.

    Yes, that might break some laws but if you keep that minimal and achieve a strong positive I have a little (possibly misplaced) faith that things would work out in the legal system. Likewise, even if you had a law that tried to clear up the mud, I think sorting things out would still be almost as messy in practice.;…

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: