If You Use a Computer, Do Not Skip This Article
by Andrew Kerr
The CEISMC Gazette
Mike Hunter contributed to a report on emerging cyber threats (download the PDF here) that caught my eye some weeks back. I decided to chat with him about the report's findings in order to determine what level of paranoia is most reasonable for me to adopt.
Q - What do you do?
A - I'm a research scientist for the Georgia Tech Information Security Center [GTISC--pronounced "Gee-tisk"--ed.]. I've been here one year, since February '07. I came from the University of California at Berkeley.
Q - In the Emerging Cyber Threats Report for 2008 to which you contributed, there is mention of how today's hackers are primarily motivated by financial gain as opposed to personal glory. I recall that in the 1980s hacking was often associated with personal glory--for example, bragging rights over breaking into a Pentagon computer. How did this change from pursuit of glory to pursuit of cash come about?
A - This might seem a little xenophobic, but now that we have the internet there's a lot of countries with widely varying income opportunities that are all sort of in "the same room," when before that wasn't true. If I'm a Russian hacker guy and my prospects for being able to make money as a software developer in Russia result in salary X, whereas if I were to turn to the dark side and go into SPAM and have a resulting income potential of Y, that's pretty compelling.
I think different countries have different roles to play. I can say with certainty that a lot of port scans and "grunt work" come from Brazil. I read these stories that it's the Russians that are the ones that are behind the SPAM, and the Russian mafia. I wouldn't be a bit surprised if some of that is hype. But there are some countries that don't have any social norms over internet behavior. The hosts that you find that are trying to hack you in a sort of a loud and obnoxious way often come from countries where loud and obnoxious internet behavior is tolerated.
You could have the most organized culture in the world in terms of personal interaction, but in that same culture the network might be a free-for-all. There's no expectation of proper behavior on your computer. A lot of that has to do with...everybody's going to have the internet, great, so you wire internet up to everybody's house. It's kind of like Columbus discovering the New World, in that you all of a sudden mix with people who have no exposure to it and they're going to catch every smallpox, disease known to man.
Q - When my credit card info gets stolen, what typically does that money fund? Personal online shopping sprees? Terrorist operations?
A - I am pretty skeptical about the weapons, drug cartels, terrorists, stuff like that. Maybe I see things from motivations that make sense to me, but I think that's kind of just hype.
I've read that there are sort of organs of the cyber underworld whose whole job is to get money out of a credit card number. So they immediately buy whatever 27 things can be sold at near the price that you bought them for, and then somebody winds up getting actual money.
One interesting thing that people do with stolen credit cards is they'll use it to sign up for an internet account. This happened to me. My credit card was stolen and all of a sudden I had signed up for AOL. "That's strange, I don't recall signing up for AOL." Maybe this person was a spammer and wanted to use my information to set up a little base for sending out SPAM, and maybe it only lasted three days before AOL caught up with it.
But that's really the name of the game, where all of the bad stuff is happening: the "n" days between the time that you start acting badly and the time that you get shut down. All the sort of the hacking systems these days are set up knowing that any individual point is only going to be valid for a fixed number of days, and therefore it just sort of needs to creep and crawl, find new people, new systems to exploit and keep on moving.
Q - The life of the cyber-criminal is a restless one. So how does my stolen credit card information get from the phishing site to, say, the streets of Moscow?
A - 95% of security people have only ever seen it from the public-facing side. I know that there's this mysterious middle part. I see that it gets into a server and that rogue server could be anywhere in the world. From there typically there's a puppet master who oversees, in today's terminology, a "bot net." The bot master collects credit card numbers, or maybe right when you type it in it sends a message to either an aggregation point or the bot master himself.
A bot master may not be interested in using your credit card information. Rather the bot master would prefer to sell your information wholesale and say, "John Smith lives on Maple Drive in Springfield, Missouri, and this is his credit card number." The guy presumably convinces a buyer that this information will work. And it's like "I'm a buyer, I'll buy this information from you for $20."
And then the guy who got the information walks away from it.
Credit card companies are looking like crazy to see if somebody is doing an unusual purchase. "This person's logging in from Malaysia to purchase something to be sent to New Zealand." They'll flag it. Computer criminals have figured this out. To test whether a number/name combination is valid they'll make a charitable donation with the information. So previously the credit card companies weren't scrutinizing that. Why would a hacker want to make a charitable donation against somebody's credit? So I'll give $20 to Habitat for Humanity, prove to myself that this credit information is valid. Then I can sell it on the black market.
Q - It seems that credit card companies would make the determination of suspicious activity based entirely on geography regardless of the type of purchase made.
A - It's not always completely trivial to know where a purchase is being made. You could mask that. The credit information may have been uploaded to a Malaysian site which alerted [a bot master] in France. And the French guy says, "that's interesting. The credit card relates to somebody in Missouri, so I'm going to look at this. I have control of the computer in Missouri, so I'm just going to log into that computer and test the credit information from there."
I wouldn't be surprised if credit card companies catch 80% or 90 or 95% of attempts to use a credit card. But all it takes is for 1% of it to actually work for it to be a worthwhile industry for a computer criminal person.
Q - The report opines that "client-side attacks" are all the rage in hacking right now. Can you talk a bit about what client-side attacks are all about?
A - We've had a number of years of a real recognized threat of network-based attacks and hacking servers. But think about breaching the Great Wall of China. So they built this wall; how did those hordes get through? It was by bribing the gatekeepers. There's a strong analogy between that type of behavior and, "I'm going to try to make something that is linked off of MySpace that asks you to download this neat new plug-in." And the bribe is the promise of something neat happening to your computer. You say, "Yes, I want to download this thing." And then all of a sudden you've gotten past most of the fancy defenses that your computer or your professional IT administrators at work have put up for you. You bypass all that and you click "install."
What we're getting now with Web 2.0 hacking is that you as a web user aren't aware necessarily that the site that you're viewing isn't static. The site that you're viewing heavily relies on programs implemented by the author of the web page that are helping your computer render it the way it's supposed to be. It's more complicated for the computer to run a program on your behalf written by the web page author, so that gives more opportunity for a malicious author to find a weakness in your web browser or in your computer itself and try to infiltrate you.
Q - I notice that on sites like download.com that they often pledge that certain software offered there is virus free. How can they make that guarantee?
A - I don't know the specifics of how those sites determine that. It's something that I've been concerned about for a long time. Even very security-minded people find it necessary to install new software on your computer. People like to be able to upgrade their functionality.
Microsoft has tried hard to get companies to use signed executables. It's sort of cryptographic provenance of a new program, by which this company can demonstrate to you, the user, that it was the one that wrote this new program. But if I'm a novice computer user and Symantec says that they wrote this program, great. But what if it's "Symantoc"? So the answer from the Microsoft perspective is that if you want to digitally sign your programs then you need to register with us and cough up maybe a couple thousand bucks--I don't know how much it is to sort of get into their digital registration system. But in doing that you instantly alienate not only small or foreign software developers, you sort of alienate people like...geeks sort of have a, "Ah, I'm not going to pay money" [philosophy].
Q - I would imagine there's a philosophy that the online community would rapidly identify rogue software and alert others on the web anyway.
A - I use that sort of logic myself. If I Google the name of this program and a lot of people talk about using it and nobody seems to be saying that it ate their hard drive or put their social security number on YouTube then I'm more inclined to run it. But the devil's advocate inside me thinks, oh man, if I ever were really interested in doing something bad, I would write some neat program that everybody downloaded, but then cleverly disguise some kind of a time bomb in it. Like, after April 1st it turns into an evil program and starts searching for your social security number. So, that logic breaks down in that sort of example.
Guaranteeing or stating with a little bit of certainty that this software doesn't do something is very difficult to do. It's really hard to prove the negative.
Q - Just to go into one specific example into some detail, since I imagine a lot of our readers use Microsoft Excel. The report states that even Excel could be used as a hacking tool. How would an Excel-based hack work?
A - Microsoft in their Office products have made a concerted effort to allow intermingling between functionalities. You can embed an Excel spreadsheet in a Word document and vice-versa and they continue to function. People get value out of that.
So, maybe mid-90s or late-90s, Microsoft decided, "We would love to have people be able to embed visual basic programs in Office documents." An example of legitimate functionality would be something that figures out all the people in a spreadsheet whose last name is "Smith" and addresses a form letter to them and prints it out. People want this functionality to be able to do that. But the silent concession that's made when you implement something like that is that we're going to allow developers to tell the application, Microsoft Word or Microsoft Excel or whatever, what to do in very explicit terms.
It's a lot simpler to say the value of cell A6 is A5 plus A4, but if you increase the utility to the user by allowing more complex operations you're also exposing any flaws in Excel in a very intimate way to potentially adversarial forces. If I know that Excel goes nuts if I try to multiply two large numbers such that the result is bigger than it can handle, or if I know that Excel can only consider lists of length 999 and I go and construct a list that has a length 1000, then I can, from my remote evil location, figure that when I do this internal operation in Excel something bad happens, and once I have that knowledge I can create an Excel spreadsheet that supposedly does something that people would be interested in and send it to them. And then I'm in control of their computer.
People need to recognize that security and convenience are often at odds with each other. Microsoft decides that they want to give people more interesting things to do in Excel and people love it. But they're also being attacked by it at the same time.
Q - So what you're saying is that when Excel was focused on self-contained actions, like those occurring inside their spreadsheets, it was relatively secure. But for Excel to "talk" to MS Word, for example, requires using the computer's operating system as an intermediary, and therein lies the opening up of vulnerability.
A - I think that's fair. By making the decisions that they did, [Microsoft] increased the prevalence of the interchange of raw materials between programs. So it's like allowing somebody to inject something interesting straight into your bloodstream instead of making you eat it. It's not that you can't poison somebody when you eat it, but at least you have the chance to throw up. Whereas now it's straight into the bloodstream.
Q - The report also talked of embedding code inside Flash files. YouTube uses Flash files for its video content. What are the dangers there?
A - YouTube has their stuff together--they're a smart company. So I'm going to cross my fingers and trust that they have figured out how to filter out any malintent in somebody uploading a video. But let's say you went to some other site, like YouToob, spelled "T-O-O-B" or something like that, and they were hosting Flash files and putting them in front of you. They may have written the Flash files to do evil things.
Once the Flash file is running in your browser it has a certain range to roam. It can attempt to access information in your browser. You're looking at this malicious site in one window and on the other window you're on your eBay. So you haven't let the wolf into your house, but the wolf is in your front yard.
Hackers never sleep. They're spending all their time figuring out, if they can get this close to the information in the other window, how can I trick the browser into giving it to me?
There are people in my department who just won't use Flash because they're afraid. And that's a good security decision, but then they end up having to borrow other people's computers to do their work sometimes.
Really the right strategy for users is to sort of put their trust in--and I hate to use the analogy, but it's sort of like religion. The best way to deal with religion is to pick one and to do it. The best device is to identify who is responsible for helping me set up this computer in a secure way. What is our company's, or our school's, or our class's strategy for computer security? And then just do your best to follow that.
Q - The report talked about "targeted messaging attacks," wherein potential victims are more specifically and personally targeted. It would seem that these would be very effective when they worked, but that overall they'd be pretty inefficient. How does targeted messaging prove profitable to cyber-criminals?
A - I had a small credit union in California where I used to live. All of a sudden there were messages going out: "You need to change your account information for Cal State 9." Cal State 9 has way fewer members than Bank of America.
So the level of specificity isn't really that big of a deal. They just figure out there's a small bank in Concord, California; this is the name and this what their website kinda looks like, "I'm gonna copy it just a little bit, and then I'll send it to this list of everybody I can." I think maybe they actually sent it only to people at UC Berkeley where I used to work. So this guy did a little research, figured out that this is the credit union for the UC system, and sent to the specific group of people this specific thing. So there's fewer people to respond, but the yield is much higher.
Q - How are peer-to-peer (P2P) systems being exploited by hackers?
A - I haven't studied that specifically. It's interesting that a lot of work in the academic and the computer peer-to-peer downloading world has gone into figuring out how to have a reliable system that can accomplish file transfers and other commands without any central point of control. All these smart scientist dudes and programmers have figured out how to do this. And the bot people, not to insult them or whatever, but they're in the position where they can just take the work of others and apply it to their domain. All of the heavy-lifting had been done.
So instead of transferring a Britney Spears video around I'm going to transfer a list of commands or a list of targets. It defeats some of the current generation of detection systems because one of the big things the detection systems look for is who's the master. So if you can cut the head off then you will solve the problem. But if there is no head to cut off, then you've changed the problem into something less sexy, more gruntwork. You're back to the original problem: I have 10,000 infected computers and I have to deal with them. Nobody wants to do that.
The motivations for doing it are similar to the motivations for amassing a regular botnet. You want a bunch of serfs to do your work for you. The only difference is if you could figure out a way to tell all the serfs to lead themselves rather than always asking a certain master for instruction. You've got the sort of the grunt work, and then you throw the science at it, the science that can disseminate messages across this changing network in a manner that's reliable. That's pretty incredible by itself.
Q - One scam that was described in the report involved the use of mobile phones: sending a text message with a clickable link in it. Click the link and you get hit with a $20 addition to your phone bill. This reminded me of those phone scams a decade or two ago, where if you dialed a certain number you phoned Bermuda or something and then got hit by a huge bill.
A - A lot of the scams that happen online are just terrestrial scams reborn in an online incarnation. Pyramid-scheme emails, extortion--like back in the "good ol' days" people would say "I'm going to burn your house down or your business down unless you give me 10,000 bucks." Now it's, "I'm going to hack your website into pieces unless you give me 10,000 bucks."
Q - Google sometimes warns a user that a site may potentially be malicious; seems phone companies could figure out a similar thing with regards to these scam links.
A - There are many people trying to apply protection for mobile devices. I think that human nature dictates that some of the seedy elements are often the first into new technologies, and then the sheriff moseys west a couple weeks, months, or years afterwards. That will come, but apparently the hackers are the first ones to have the bright idea in that area before the security professionals have time to respond in such a way that people are interested to use the technology.
Q - That is really worrying, actually. Is the overall strategy for fighting cyber-crime largely a defensive one?
A - People will say that it's not, but in my experience it absolutely is. From '95 to 2005 it was absolutely true that if you were trying to push a product out, the way to make the most profit did not include strong security at the expense of anything else. People want strong security, but do [software developers] want to actually delay their product's release for a month to test it? Do they want to hire good security people? Do they want to potentially bother the user with security questions that the user potentially doesn't want to answer? Do they want to potentially disrupt the connectivity of the thing as far as the internet goes by being careful about the type of connections that it accepts? The answer is often "no."
Q - I didn't exactly understand the section of the report on RFID. Can you explain that to me?
A - RFID stands for "radio frequency identification."
There are little chips that you can get embedded in your credit card or on your keychain or even in passports nowadays that transmit small amounts of information based on coming into the proximity of an RFID reader.
Q - Ah. This sounds a lot like "biometrics."
A - It becomes biometrics when you are carrying your keys all the time everywhere you go. If it was a 50 pound orange flag then you wouldn't think of it as biometrics, because it's cumbersome and you're aware of carrying it around. But it starts to bleed into privacy when you don't even realize that you're carrying things like that, and you're sort of exposing your data, whatever that data may be.
Q - I remember the flap about the embedding of those chips into passports. Why does anybody think this is a good idea?
A - The U.S. passport office sees, "Man, things would be a lot more efficient if we could get an automated way to get people's passport information when they go through borders." That's definitely true, but there's also a cost. Is it a real problem that somebody in a foreign country might set up a reader that looks for passports as people go by, and when it sees an American decides that they need to get kidnapped? I don't know.
Q - Overall, is the web a safe place?
A - I see people going on to the internet, and it's like my daughter going off to college. It's like she's in the wild world all by herself, and is she ready? Or is she too naive? Does she need to lift weights, or carry a Taser? What does she need to do to get ready, to ready herself for the world?
I think my mom's at risk, I think my sister's at risk, I think that only a select group of people really understand what the consequences of their actions are and the rest of them are sort of at the mercy of their anti-virus program and other things beyond their control. So my advice to people is to understand what the consequences are for you, get a strategy, and stick to it. You don't have to be a security expert to understand what the risks are and what the consequences to you would be if one of those risks came true.
A co-worker had a bunch of her medical information scanned onto her laptop, and that was hacked. By putting that information on your laptop you have, without answering what percent chance there is that it's going to get hacked, put it at risk. So if you really don't want people to find out you're a hemophiliac, and if you put that on your computer, if that's really valuable to you then you've made a mistake. You think to yourself, "I want to connect this computer to the internet. What is a loss to me if this computer is melted down and infected?" I think people don't think along those lines.
Q - Is anti-virus software enough these days to protect you?
A - I'm torn as to whether to recommend the anti-virus software. I think on the one hand that this is a thing that people need to have. On the other hand, at UC Berkeley I saw whole campuses decimated by an e-mail worm four months after they installed the fancy-pants protection system (this worm was so new that it hadn't been identified yet). We waited for hours for our saviors to come and deliver us from this worm! What a joke!
Q - I suppose anti-virus software could lull users into a false sense of security.
A - I think it can, but then that may be true for me, security expert guy, but in order for it to lull a layman into a false sense of security the layman would have to have had some sense of security in the first place.
I take issue with some of the things that [anti-virus software vendors] try to push on you. "Your computer has firewall but it doesn't have privacy guard! Do you want to have privacy guard? Do you want to buy privacy guard for 60 bucks?" I see my relatives struggle with this. They're being asked to buy this extra protection which 75% of the time is garbage as far as I'm concerned.
I don't mean to trash-talk the security vendors, because I think they're in the same boat as us in some ways. They're trying to do an impossible job of educating people who aren't interested in security.
Every day I wake up praying that somebody will decide that computers ought to be less configurable and more focused on security. Just this magical world where it's not about the next new program, it's not about XY and Z, it's about sticking with what you've got. But realistically that's not what people want. I'm still searching myself for my own personal belief system.
Q - Any advice to school computer system administrators out there?
A - Unfortunately, school environments tend to have a poverty of professional computer system administration, which equates to bad security. There is a direct relationship between the amount of energy put toward administering computer systems and their resulting security. And I think that computers should be deployed in proportion to how much system administration you have the ability to do. It's just like cars. If I had a fleet of 50 bakery trucks but no mechanic, what do you expect to happen? It is a foregone conclusion that they are going to break down. So if you have no system administration you ought to have no computers. If you have a guy who comes in for an hour a week you ought to have n computers, and then if that person comes in for 10 hours a week you should have 10n computers.
Choosing to ignore that type of thing is choosing insecurity.
...which should keep Georgia Tech's School of Psychology busy for a long while!
© 2008 Georgia Institute of Technology :: Atlanta, Georgia 30332