Filed in: Gonzalez

A couple of weeks ago I presented at the annual FS-ISAC (Financial Sector - Information Sharing and Analysis Center) conference held in Saint Petersburg, Florida. I know. It is a tough gig. Somebody has to do the hard jobs around here.
The FS-ISAC is one of several ISACs "mandated" by the US Government to facilitate information sharing between companies within the same business sector. Other prominent ISACs are the IT-ISAC and the Multi-State ISAC.

During the talk, I got to the part where I was discussing the Albert Gonzalez case. If you have been sleeping under a rock for the past year, Gonzalez is the guy that masterminded the TJX breaches. The US Government just recently sentenced him to 20 years for his efforts. It turns out though that he was also involved in some of the most nefarious cyber activity of the past decade in one shape or another.
For example, he was the snitch used by the USSS (United States Secret Service) in Operation Firewall back in 2004, where the feds snatched some 28+ underground carders. He was also a member of the infamous Darkmarket forum, the forum that FBI Agent Mularski infiltrated for two years, resulting in the arrest of some 56 underground carders. It is iDefense speculation that Gonzalez used Darkmarket to exchange credit card numbers with one of his main TJX accomplices: Maksym Yastremskiy. The USSS used Yastremskiy as the linchpin in the case to tie everything back to Gonzalez.

At this point in the presentation, I was telling the part of the story where the feds were paying Gonzalez an annual salary to be a "consultant" for them. You see, they did not know that he was secretly going behind their backs to do the TJX job while he earned $70K a year for being an informant. That was not a typo. They paid Gonzalez $70K a year.
But that is not the good part. This is the good part.
At this point in the presentation, one of the FS-ISAC leaders stopped me cold and said that he wanted to make an announcement. In the interest of full disclosure, he wanted the audience to know that, in fact, Albert Gonzalez presented at this very same conference not five years ago as part of his federal consultancy gig. The USSS brought him in to give the FS-ISAC membership a view from the hacker's mind. This was about the same time that Gonzalez was launching his TJX scheme.

How cool is that?
As you might imagine, this little nugget of information brought the house down. I was almost wiping tears from my eyes because I was laughing so much. I could not have planned it better if I were making it all up.
Filed in: Kirllos Facebook
A couple of weeks ago, iDefense got a lot of press for reporting an anomaly found while conducting research on the criminal buying and selling of PII (Personally Identifiable Information). A hacker named "Kirllos" claimed that he had 1.5 million Facebook accounts to sell. That was interesting enough. Most underground sellers of PII don't sell in bulk like that. It attracts too much attention, which this did. As the press would say, it had legs. It seems like every press outlet in the world picked up the story, which was not a story really; it was more of an observation.
The second anomaly was with Kirllos himself. iDefense analysts had high
confidence that he was at least a native Russian speaker based on his
language skills used in the forums and it was likely that he lived in
Eastern Europe. The reason this is an anomaly is that we have not seen
many Russian speakers selling Facebook accounts. They tend to stick to
their own regional sites like the VKontakte social networking site that
is popular in Russia, Belarus and Ukraine. This is not to say that
Russians do not sell Facebook accounts, it is just that it does not
occur too often and definitely not in that volume.
So there you are; two pieces of data that don't really mean that much but kind of makes you say hmmmm, that is interesting. To be clear, we never said that these were valid accounts. We made no effort to prove it. The thing that was interesting to us was the volume advertised and the location of origin. At first glance, Kirllos seemed like a valid seller at the time. Before the press got a hold of him, he was a seller in good standing on the forum where we noticed him.
Enter Facebook.
The Facebook security team reached out to me after reading the press
accounts. As one might suspect, they were all over this Kirllos fellow.
They had been following him for some time and knew exactly what his
capabilities were. I use the word "were," the past tense, on purpose.
This entire episode crippled Kirllos' fledgling career using the Kirllos
alias. Once the iDefense "observation" hit the press, many other
underground buyers, including the Facebook security team, attempted to
contact him to buy the accounts. Kirllos ignored them. Either he did not
have the accounts to sell or he was afraid that law enforcement was
onto him. Most likely, it was both. Regardless, many underground forums
banned Kirllos from the space.
Facebook's assessment of Kirllos is that he is a low-level player and
that he had nowhere near the 1.5 million accounts he advertised. Most
likely, he had a few hundred accounts most of which he likely created
himself. Through some interesting and impressive forensic work, the
Facebook security team identified the real Facebook accounts owned by
Kirllos, reset the passwords, and notified the account owners. Awesome!
The bad news is that iDefense's reporting on a simple "observation"
created quite a media frenzy for Facebook. Unfortunately, even though
iDefense never claimed to have verified the accounts as real, most
stories suggested that they were.
The good news for iDefense is that we now have a new security research
collaboration partnership with Facebook. I look forward to exchanging
information with Facebook's security team in the future. As Rick says in
my favorite movie, "Louis, I think this is the beginning of a beautiful
friendship."
Filed in: Responsible Disclosure

I got a call last week from a newspaper reporter. He was wondering
about the status of the iDefense Vulnerability Contributor Program
(VCP)
and other commercial programs of the same ilk that buy vulnerabilities
from independent researchers. He was wondering if there has been any
attitude change in recent years as the security community has matured.
This is a great question. Let me try to answer it.
Paying for bugs used to be very controversial. When iDefense
pioneered the idea many years ago, the security community was aghast
that somebody might actually pay researchers to find weaknesses in
enterprise-level software.
I am reminded of that great movie, Casablanca, when Claude Rains announces to the crowd in Humphrey Bogart's café that he is closing it down for the night.
Bogart: How can you close me up? On what grounds?
Rains: I'm shocked, shocked to find that gambling is going on in here!
[a cashier hands Rains a pile of money]
Cashier: Your winnings, sir.
Rains: [sotto voce] Oh, thank you very much.
Rains: [aloud] Everybody out at once!
That's my favorite scene in the entire movie, but I digress.
Today, the practice of buying vulnerabilities is more accepted.
There are many organizations that participate in this activity today.
Responsible Disclosure -- the act of buying and identifying bugs,
informing the responsible vendor, but keeping the information private
until the vendor fixes the issue -- is not perfect by any means. The
process is frustratingly slow in some cases; however, it is the process
that has stabilized over time and all parties benefit. Researchers
pursue their interests and organizations compensate them for their
efforts. Vendors discover new bugs in their products. Responsible
Disclosure participants provide value to their customers in the form of
early warning until the bug is fixed. Finally, the security community
as a whole benefits because bugs are identified and fixed; maybe not as
fast as we would all like, but fixed all the same. Most in the security
community realize this. There are outliers for sure; those who have
proclaimed that the system is too slow and, out of frustration, hurl
zero-day vulnerabilities into the public without warning. This just
introduces chaos into the system and causes everybody to twist
themselves into knots reacting to whatever the impact might be. I like
to think about Responsible Disclosure in similar ways that I think
about a democracy in action. It is painful and slow and inefficient,
but it is far superior to other more destabilizing options.
But then the reporter hit me with an even harder question. He
asked, "How effective is this method, given that the underground market
has developed to the extent that cyber criminals can offer much better
prices for vulnerabilities?"
Let me just say that I reject this notion. The vulnerability market is
a market like any other. The price of a vulnerability reflects whatever
the market will bear. People buy vulnerabilities for different reasons.
At VeriSign / iDefense, we buy them to give our customers early
warning. Other white hat researchers buy them to enhance their security
products. Black hat or grey hat purchasers have their motivations too.
You may not like their motivations and you might not condone them -- I
certainly do not -- but they exist all the same and are a fact of life.
Ultimately, all purchasers make a decision on the worth of a
vulnerability based on the value that the vulnerability may bring to
support their motivations. Is it likely that some buyers may want to
pay a significant amount of money over what other buyers would pay?
Sure. Does that mean that these other buyers have no role? Absolutely
not.

There are many kinds of security researchers: white hat, grey hat and
black hat. They decide which kind of purchasers they want to deal with
and what kind of researchers they want to be. White hat researchers
find bugs in enterprise-level software, help the Internet community
become a little safer and get paid for their efforts. Grey hat and
black hat researchers, in some cases, give their research up to
nefarious organizations whose purpose they may not fully understand.
They might get paid handsomely for their efforts but they are
definitely not making the Internet safer. Unfortunately, vendors do not
fix those kinds of vulnerabilities until the damage is done. The bad
guys who leverage that research may use it to commit cyber crimes, to
conduct cyber espionage or to execute some other nefarious purpose. The
security community does not get to fix that vulnerability until
somebody discovers it and there is no guarantee that we will discover
it either.
As an aside, don't think that a grey hat selling that kind of
research is free from criminal charges either. I have heard some
researchers say that they are just building tools. They are not
culpable since they do not actually pull the trigger to do anything
illegal. At least in the US, this is just not true. Consider the
Gonzalez-TJX case if you don't believe me. Authorities sentenced
Stephen Watt -- the guy that wrote the sniffer software called "Blah
Blah" that the Gonzalez team used to sniff credit card numbers from
high-profile retail stores -- to two and a half years in prison for his
efforts even though he was not part of the Gonzalez team that actually
conducted the operation. Two and a half years! That is not
insignificant.
But I digress.
I fundamentally disagree with the notion that since the black hats and
the grey hats can possibly make more money selling vulnerabilities,
then the white hats have no role to play. Clearly that is not true. The
iDefense VCP program is alive and well. It produced more than 50
vulnerabilities last year; at least 30 of which were high-impact
Microsoft vulnerabilities. Other white hat operations had similar
successes.
I believe it is clear that white hat vulnerability research is
here to stay. Now if I can just find that cashier and get my winnings.
Filed in: Cyber Arms Control
Before the holidays, I stumbled into a blog over at defensetech.org regarding the subject of Cyber Arms Control.
The word "stumbled" is one of those euphemisms I use when I am surfing
the net instead of doing real work.
From Bruce Schneier's blog,
the Russians and the Americans have started discussions about how a
treaty might be arranged that might "strengthen Internet security and
limit military use of cyberspace". From what I have read, the Americans
are not that interested in a formalized treaty, but in a break from the
previous administration, the Obama administration is at least willing
to listen.
It is not quite time to gloat yet because there are many years of
negotiations ahead of us before this gets any closer to reality. But,
this falls right into line with something I suggested in an SC Magazine
essay back in August. This is the idea that nations could agree to take on
individual security issues together. The particular issue I suggested
in the SC Magazine essay was the Botnet issue. I suggested that nations
might authorize an international team of Botnet Terminators to pursue
and destroy Botnets wherever they may lead. If we could just get the
Chinese, the Russians and the Americans to sign up for that program,
other nations would surely follow. The result would be a game changer.
Pernicious Cyber Security Cartels from around the world would have to
refit and reconfigure their entire operations in order to avoid the
Terminators.
As I said, it is not time to gloat yet. There are many reasons why
nations will not want to participate in my Botnet Terminator program or
other similar Cyber Arms Control Treaties. I am encouraged though that
at least some leaders are talking about it. That puts us a lot closer
to the possibility than we were back in August and way closer than I
ever thought possible when I wrote the original essay.
I guess I need to stumble around more often. If I could just convince my boss then I would really have a reason to gloat.