Wednesday, December 29, 2010

BOOK REVIEW: Fatal System Error

Fatal System Error -- Joseph Menn -- 251 pages (paperback)

Whether you follow world markets, macroeconomics or geopolitics, the combination of mysterious “flash crashes”, global banking meltdowns and political turmoil in emerging economies seems to confirm the adage that "everything is one thing." Globalization has linked markets, economies and societies in ways not imagined even five or ten years ago. Current events could be construed as a crash course in what happens when technology advances an order of magnitude faster than any laws to manage it. Though principally focused on the particulars of computer network denial of service attacks and identity theft as new tools for organized crime, the book Fatal System Error by Joseph Menn provides frightening insight into how tools created for cybercrime have already morphed into tools for cyberwar.


The Roots of Cybercrime

Menn’s book begins by focusing on a firm called Prolexic, which was established in 2003 by Barrett Lyon to provide web businesses with network support and defenses against distributed denial of service (DDoS) attacks. By 2003, Lyon already had several years of experience in analyzing, reverse engineering and stopping DDoS attacks perpetrated against firms dependent upon a functioning web site for profits. Web servers providing content for a web site obviously have a finite amount of CPU horsepower on each server to process requests, and all of them share a finite amount of IP bandwidth to the Internet to carry that content back to the eyeballs of the people attempting to use the site. At the time Lyon started his business, hackers attacked web sites primarily by sending the site a huge number of requests from a single remote site, exhausting either the CPU horsepower or the IP bandwidth (or both) and preventing the site from answering the requests of real customers. Lyon’s primary customers and initial lead investors operated online betting / gambling sites in off-shore locations.

Lyon’s business took off quickly and his skill set widened considerably to keep up with the enemy. The enemy quickly realized that originating a denial of service attack from a single location was of limited value. Even if the source site couldn’t be attacked or shut down, as long as the bogus traffic arrived from a single IP or a narrow range of IPs, victims and their local service providers could simply block traffic from that range of IPs – problem solved, no need to pay a ransom to stop the attack. The enemy rapidly adopted computer viruses that could infect thousands or millions of computers and originate small amounts of traffic from those endpoints; the traffic looked innocuous at each source but still added up to a flood at the victim end, implementing the denial of service. Stopping these distributed attacks required understanding the communication required BETWEEN the "drones" and a master that timed the start of the attack.
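The distinction drawn in the two paragraphs above, a flood from one source that per-IP blocking stops versus a drone flood that it cannot, as an added example that is not code from the book or from Prolexic; the log lines, IP ranges and thresholds are constructed for illustration.

```python
import re
from collections import Counter

# Common-log-format line: client IP, ident, user, [timestamp] "request" status bytes.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \d+')


def make_log(sources, requests_each):
    """Constructed sample traffic: every IP in `sources` fetches the same page
    `requests_each` times inside one minute (not real logs, built for the demo)."""
    return [
        f'{ip} - - [10/Jan/2010:12:00:{sec % 60:02d} +0000] "GET /odds HTTP/1.1" 200 512'
        for ip in sources
        for sec in range(requests_each)
    ]


def per_source_counts(lines):
    """Count requests per client IP, skipping lines the regex cannot parse."""
    counts = Counter()
    for line in lines:
        match = LINE_RE.match(line)
        if match:
            counts[match.group(1)] += 1
    return counts


def classify_flood(lines, total_threshold=1000, per_ip_threshold=100):
    """Decide how one minute of traffic should be handled.

    Returns (verdict, heavy_hitters):
      'normal'         total volume is below the flood threshold
      'single-source'  a few IPs carry the flood, so blocking them ends it
      'distributed'    the flood is real but no IP stands out, so per-IP
                       blocking cannot help (the drone / botnet case)
    """
    counts = per_source_counts(lines)
    total = sum(counts.values())
    if total < total_threshold:
        return 'normal', []
    heavy = sorted(ip for ip, n in counts.items() if n >= per_ip_threshold)
    remaining = total - sum(counts[ip] for ip in heavy)
    # If dropping the heavy hitters leaves ordinary volume, per-IP blocking works.
    if remaining < total_threshold:
        return 'single-source', heavy
    return 'distributed', heavy
```

In the distributed case the verdict is the signal that a defender has to look for the drones' shared command-and-control traffic rather than keep adding IPs to a block list.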

Much of the book tracks this cat and mouse evolution of offensive and defensive tactics. In tracing that history and Lyon’s involvement, Menn provides a disturbing picture of how small-time teenage hacker crimes rapidly became dominated by organized crime. In hindsight, the linkage is painfully obvious.

1) the earliest businesses solely dependent on web customers were off-shore gambling sites
2) hackers know gambling sites need visitors, but also know the sites can’t complain to authorities
3) once DoS attacks succeed, hackers know victims may seek retribution as well
4) the hacker’s “business” is also illegal, so the best source of protection is existing organized crime bosses

If the evolution stopped there, the book would be an interesting (to techies anyway...) combination of modern technology and cloak and dagger tale.


From Cybercrime to Cyberwar

The real value of Fatal System Error is the line it draws from cybercrime to cyberwar. As Menn traces the efforts of British and American law enforcement to work with foreign governments to prosecute and convict major cybercriminals, he extends the evolution of cybercrime one step further: from the point at which it came under the control of organized crime to the point at which it came under the control of governments. Everything you need to know to make the connection can be summarized in a single word.

Russia.

Even with distributed denial of service attacks, at some point most attacks still require a single point of control, either for serving the infected content that creates the drones needed for a later attack or for providing the “command and control” to those drones as they prepare to attack a victim. Between 2003 and 2008, more and more of those “single points” mapped to equipment operating inside data centers operated by RBN – the “Russian Business Network” – ostensibly an Internet Service Provider (ISP) much like Equinix, Savvis, Global Crossing or a few other firms you have heard of that provide large-scale server hosting and large IP access circuits for high bandwidth users.

The problem with RBN is that despite having facilities worth tens, maybe hundreds of millions of dollars – implying MAJOR financial backing – the company hosts no sites anyone in the world would have heard of, and most of the content it hosts involves pornography, child pornography and known malware downloads. In Menn’s analysis and that of many others, RBN was founded by a ring of hackers operating from St. Petersburg, Russia and came under the control of a man referred to as Flyman, who possibly operates the largest child pornography ring on the planet. “Flyman” also has ties to both organized crime and political figures that make him untouchable throughout Russia.

All one need do is consider what has been heard about corruption in Russia since the demise of the Soviet Union and the rise of the oligarchs, and the clarity of Menn’s summary of the criminal / political danger rings like a bell:


----------------------------
Without some cover from above, no organization could have been so deeply involved in everything from DDoS attacks to spyware – and so public that it advertised "bulletproof hosting" and other services and gave out staffers’ names – while escaping prosecution. The RBN gave off an astonishing combination of mystery and openness that made it all the more menacing: it hid in plain sight. The group dated back as far as 1998, according to Zenz and another of the most influential experts on the gang, a security professional using the pseudonym Jart Armin. Armin believes that the RBN started out as a conventional, if proficient, circle of hackers. Then it had a merger with one of the most powerful traditional organized crime groups in Russia, the Tambov gang of St. Petersburg.

If this reading is accurate, the combination became a model for other cybercrime groups throughout the country. Although most hackers started on their own, as they got bigger they developed a need for protection by old-school mobsters, who were better connected politically. Even if they didn’t see such a need, the mobsters might point it out to them in a very persuasive manner. It’s not so much that the hackers feared getting arrested; it’s more that they feared that any police who identified them would demand a bribe. The typical way to avoid paying an exorbitant bribe in Russia is to have one’s own mob ally, or "roof," negotiate for you, according to Joe Serio, an American who worked in the Soviet government’s anti-organized crime bureau.
----------------------------


At this point in the book, Menn begins outlining the direct ties between a series of relatively well-publicized Internet events and security breaches and the RBN.

----------------------------
2003 – The initial version of the “SoBig” virus introduced a new distributed model of providing infected drones with data for spam attacks. It then rapidly morphed into new versions, roughly monthly, leading security experts to realize the attackers had planned shutdowns into the life of the code so that newer, more effective versions wouldn’t have to compete for bandwidth with older iterations of their own viruses. SoBig was traced to a Russian firm called Send-Safe that sold spamming tools.

July 2005 – nearly 45 million credit card numbers are stolen from the American firm TJX after wireless networks in stores are compromised by hackers. The leak costs TJX nearly $100 million and the theft is traced to hackers in Ukraine, Belarus and Estonia. Those hackers were then linked to an American hacker, Albert Gonzalez, previously arrested by the FBI for involvement in a smaller-scale credit-card theft ring. Gonzalez was actually acting as an FBI informant while masterminding the even larger credit-card thefts at TJX and later Heartland Systems and CitiBank ATMs. One of his indicted co-conspirators worked at Morgan Stanley. (#1)

April 2007 – attacks on web sites of the government of Estonia

July / August 2008 – attacks on Internet infrastructure in Georgia, starting with sites associated with the town of Gori, which was the first town to be bombed by Russian forces.

August 2009 – attempts to block views of a single user’s Facebook site on the anniversary of the Georgian War took down Facebook worldwide – the user was a noted critic of Russian actions in Georgia
----------------------------


So the Russian government is hiding behind the cover of hackers to go after political opponents in a bunch of former Russian states we couldn’t care less about, right?

Wrong. Menn makes the following points in discussing the morphing of cybercrime into cyberwar:

The head of the cybercrime division in our Justice Department believes East European gangs possess about half of the world’s credit card numbers – they just haven’t used them yet.

The author who published a treatise describing the creation and use of the SoBig virus has remained anonymous to this day out of fear for his life. That author believes the virus wasn’t released in order to provide drones for generating traditional mindless spam, but to serve the needs of an even more powerful group pulling the strings BEHIND the Russian Business Network. Others have taken that hint to suggest that release of the virus was actually instigated by the Russian Federal Security Service (FSB), which is pretty much the modern day KGB.

Trojan horse software originating from infected USB drives that attacked the US defense department in 2008 was traced to Russian sources. (#2)

One of the British citizens arrested in 2007 for various terror offenses and the purchase of roughly $3.5 million worth of airline tickets, cellphones, night-vision goggles and other “implements of destruction” was a regular participant on CarderPlanet, a Russian site dedicated to sharing credit card scamming and phishing tools. In short, computer crimes are becoming a popular and productive source of funding for terrorist groups.

Menn then summarizes the tug-of-war between Google and the Chinese government as Google attempted to offer search and email services in China. Most Americans know Google had to comply with oppressive restrictions on search results (most famously, “tank man” results are very different in China -- #3). A few may be aware of a dust-up in early 2010 over hacking attacks on Gmail accounts originating from Chinese network addresses. What most don’t know is that the attacks focused on the accounts of Chinese dissidents and that the hacking methods built upon other Google intellectual property stolen by Chinese hackers. In essence, Menn’s summary of the Google experience in China highlights the next mode of operation in cyberwar. In Russia, they’re still maintaining the illusion that hackers are operating independently of the government. The Chinese government wastes no effort on such pretense.


Looking Ahead

The author’s conclusion to the book focuses primarily on the technical and regulatory gaps that must be plugged to mitigate some of the risks posed by criminal organizations leveraging insecure networks and millions of compromised computers. The logistics of educating lawmakers across the world and adopting the software and network changes that reflect needed fixes are obviously difficult and justify a great deal of attention. However, Menn doesn’t address the macroeconomic and social dangers associated with the status quo. After reading Fatal System Error, anyone remotely familiar with the mechanics of the current financial industry and the networks of most large corporations will come to one inescapable conclusion. The combination of Russian mafia interests backing Russian hackers and Chinese leaders supporting intellectual property heists of any cutting edge hardware or software virtually guarantees a “black swan” scale event in the near future. The only real question would appear to be whether the swan will have a Russian or Chinese accent.

=========================

#1) http://en.wikipedia.org/wiki/Albert_Gonzalez

#2) http://news.cnet.com/8301-1009_3-10104496-83.html

#3) http://www.pbs.org/wgbh/pages/frontline/tankman/internet/sidebyside.html