Tag Archives: security

The media myth of the hacker uptick

The Freakonomics people asked a bunch of folk whether they thought there had been a sudden explosion of hacking in recent times. One of the respondents was Bruce Schneier, who bursts the very myth that the question attempts to bolster:

None of this is new. None of this is unprecedented. To a security professional, most of it isn’t even interesting. And while national intelligence organizations and some criminal groups are organized, hacker groups like Anonymous and LulzSec are much more informal. Despite the impression we get from movies, there is no organization. There’s no membership, there are no dues, there is no initiation. It’s just a bunch of guys. You too can join Anonymous—just hack something, and claim you’re a member. That’s probably what the members of Anonymous arrested in Turkey were: 32 people who just decided to use that name.

It’s not that things are getting worse; it’s that things were always this bad. To a lot of security professionals, the value of some of these groups is to graphically illustrate what we’ve been saying for years: organizations need to beef up their security against a wide variety of threats. But the recent news epidemic also illustrates how safe the Internet is. Because news articles are the only contact most of us have had with any of these attacks.

Unmasking one of the many faces of the modern moral panic… I note that the other four respondents all conceded that there has been an increase in hacking, and that – unlike Schneier – they all hold high positions in computer security businesses.

Meatpuppet farming: the (dark) grey-hat global freelance job market

Compsec maven Brian Krebs rakes over the findings of a University of California, San Diego research report into the online market for what I like to call meatpuppets: cheap human labour-on-the-web that gets leveraged for bypassing the security systems that are supposed to stop automated spammers.

“The availability of this on-demand, for-hire contract market to do just about anything you can think of means it’s very easy for people to innovate around new scams,” said Stefan Savage, a UCSD computer science professor and co-author of the study.

The UCSD team examined almost seven years worth of data from freelancer.com, a popular marketplace for those looking for work. They found that 65-70 percent of the 84,000+ jobs offered for bidding during that time appeared to be for legitimate work such as online content creation and Web programming. The remainder centered around four classes of what they termed “dirty” jobs, such as account registration and verification, social network linking (buying friends and followers), search engine optimization, and ad posting and bulk mailing.

“Though not widely appreciated, today there are vibrant markets for such abuse-oriented services,’” the researchers wrote. “In a matter of minutes, one can buy a thousand phone-verified Gmail accounts for $300, or a thousand Facebook ‘friends’ for $26 – all provided using extensive manual labor.”

The evolving marketplace is best illustrated by the market for services that mass-solve CAPTCHAs — those agglomerations of squiggly numbers and letters that webmail providers and forums frequently require users to input before approving new accounts. The researchers found that the market for CAPTCHA-solving was fostered on freelancer, but quickly expanded into custom markets when the model proved profitable on a large scale. Today, there are plenty of commercial services that pay pennies per day to low-wage workers in India and Eastern Europe to solve these puzzles for people wanting to create huge numbers of accounts at one time.

It’s interesting to see massive crowds of human labour getting rolled quite effectively into these vast and largely automated systems: the darkside equivalent of Amazon’s Mechanical Turk, with a smattering of Matrix metaphors on the side. But those digital peons are just trying to make a living, and when you look at the prices being charged for Twitter followers by the thousand and factor in the significant cut being taken by the service aggregators, you realise that they’re probably not making much more than sweatshop wages. Which means that until the massive differential in income between developed and developing nations gets narrower, web security procedures will always be subject to this sort of outsourced brute-forcing. Shorter version: spam ain’t going anywhere anytime soon.

The irony of having blocked five fake Twitter accounts in the time it took me to write this post is palpable. Death, taxes, noise*, spam.

[ * Anyone who’s worked in the recording or music industries will tell you that noise is the third certainty of life. As, I suspect, will anyone who has lived in a block of flats. ]

A kraken, enraged

This Ars Technica rundown of the whole HBGary Federal vs. Anonymous/Wikileaks thing is really quite astonishing for a whole number of reasons, not least the staggering hubris and chutzpah of Aaron Barr, but there’s also the comparative ease with which Anonymous nailed Barr to his own mizzen. Maybe it’s just me, but the subtext I get from the whole business is that Barr’s desire to “take down” Anonymous stems from a sort of envy and admiration of them; funnier still are the communications between Barr and his pet programmer, who makes no bones about telling Barr he’s walking out onto very thin ice indeed.

Most astonishing of all (though hardly news in this day and age) is the staggering amount of money that shadowy and largely unaccountable outfits like HBGary Federal can charge government agencies for work that neither party fully understands or – more importantly – wants the general public to know about. And as Chairman Bruce points out, there are probably a whole lot more operations just like it that we never get to hear about:

The question now is, do people stumble over the truth here and just sort of dust themselves off and traipse away sideways — or are there more shoes to drop? The furious and deeply humiliated lawyers at HBGary ought to have enough federal clout to pursue their Anonymous harassers and nail them to the barn like corn-eating crows — after all, they claimed they know who they are, and that’s why they got savagely hacked in the first place.

However — are HBGary gonna be able to carry out that revenge attack with their usual discretion — the shadowy obscurity with which they help deny climate change and break labor unions for the Chamber of Commerce? It’s like watching a shark fight a school of ink-squirting squids.

Normally, one never sees a submarine struggle like this. If it does happen to surface, it gets cordially ignored, or ritually dismissed as a sea-monster story. But boy, this one sure is leaky.

Things are getting very permeable of late, aren’t they?

Hacker’s report says cyberwar fears misdirected

Not that I expect governments and military bureaucracies to change course in response to sensible thinking from qualified experts, but the guy who penned (or rather keyed) The Hacker’s Handbook back in the day has co-authored a report that suggests the recently fashionable wing-flapping over “cyberwar” is counterproductive:

Published today, Reducing Systemic Cybersecurity Risk says that a true cyberwar would have the destructive effects of conventional war but be fought exclusively in cyberspace – and as such is a “highly unlikely” occurrence.

[…]

Controversially, the OECD advises nations against adopting the Pentagon’s idea of setting up a military division – as it has under the auspices of the US air force’s Space Command – to fight cyber-security threats. While vested interests may want to see taxpayers’ money spent on such ventures, says Sommer, the military can only defend its own networks, not the private-sector critical networks we all depend on for gas, water, electricity and banking.

Co-authored with computer scientist Ian Brown of the Oxford Internet Institute, UK, the report says online attacks are unlikely ever to have global significance on the scale of, say, a disease pandemic or a run on the banks. But they say “localised misery and loss” could be caused by a successful attack on the internet’s routing structure, which governments must ensure are defended with investment in cyber-security training.

Personally, I think the Pentagon’s bluster and chest-thumping over “cyberwar” is thrown into an interesting light by the increasingly inescapable conclusion that they played a large part in commissioning the Stuxnet worm; as Chairman Bruce puts it, “what’s worse, strategically: Stuxnet, or proliferating Iranian nuclear weapons? How about a world where you’ve got proliferating Stuxnets AND proliferating Iranian nuclear weapons?”

Pandora’s box strikes again; code is far easier and cheaper to reverse engineer than a nuke, and requires no expensive and/or dangerous physical contraband. Beware of starting a knife-fight in a downtown full of ninjas.