Sunday, March 29, 2009

Response to 60 Minutes Story "The Internet Is Infected"

I just watched the 60 Minutes story The Internet Is Infected. I have mixed feelings about this story, but I think you can still encourage others to watch and/or read it. Overall I think the effect will be positive, because it often takes a story from a major and fairly respected news source to grab the attention of those who do not operationally defend networks.

I'd like to outline the negative and positive aspects of the story, in my humble point of view.

The negative aspects are as follows:

  1. I detest the term "infected." Computers in 2009 are not "infected." They are compromised by malware operated by a human with an objective. The malware is a tool; it is not the end goal. In the late 1990s I enjoyed defending networks because the activity I monitored was caused by a human, live on the Internet, whose very keystrokes I could watch. At the beginning of this decade I despaired as human action was drowned in a sea of malware that basically propagated but did little otherwise. Since the middle of the decade we have had the worst of both worlds; when I see malware I know there is a human acting through it for malicious purposes. I detest "infection" because the term implies we can apply some antiseptic to the wound to "clean it." In reality the malware's operator will fight back, resist "cleaning," and maintain persistence.

  2. Cue the "teenage hacker." I thought we were collectively making progress away from the pasty-faced teenager in the parental basement. It seems the popular consciousness has now moved to the pasty-faced teenager in Russia, courtesy of 14-year-old "Tempest" in the 60 Minutes video. Never mind the organized crime, foreign intelligence, and economic espionage angles. Two other groups are definitely going to be upset by this: Chinese hackers and insider threats. Actually, not hearing a word about the latter makes me feel happy inside.

  3. "I thought I had a good enough firewall." GROAN. Hearing people talk about their firewalls and anti-virus was disheartening. I almost thought Vint Cerf was going to spill the beans on the easiest way to avoid Conficker when he said the following:

    "I've been on the Net ever since the Net started, and I haven't had any of the bad problems that you've described," Cerf replied...

    Because I don't use Windows! Say it Vint! Oh well.

The positive aspects are as follows:

  1. Hello security awareness. Stories like this wake people up to the problems we face every day. Sure, Conficker is just the latest piece of malware, and definitely not "one of the most dangerous threats ever," as said on TV. At the very least this story should enable a conversation between management and security operations.

  2. Client-side exploitation via socially-engineered and social network attacks was demonstrated. Good for Symantec to show that Morley Safer owns Leslie Stahl via Facebook. Better yet, 60 Minutes even used the term "owned"!

  3. Real consequences were demonstrated. I am very glad that Symantec showed just what an intruder can do to an owned computer. Keystroke logging, screen scraping, sensitive information retrieval, the works. They didn't even mention opening and closing the CD tray or activating the Webcam. That would have been cool, though.

Expect a few questions about this tomorrow at work!

Richard Bejtlich is teaching new classes in Europe and Las Vegas in 2009. Online Europe registration ends by 1 Apr, and seats are filling. Early Las Vegas registration ends 1 May.


Daniel said...

To my knowledge, the vulnerability that Conficker exploits had a patch out for months before Conficker was released. I would have liked a mention of that. Would have made the CBS network guy answer some actually tough questions.

Right on with the Windows comment. Is there actually a legit purpose for things like remotely attaching threads to explorer.exe that couldn't be accomplished better in a different way?

Morgan Storey said...

I found it mildly amusing that the "hackers'" PC in the Facebook attack looked to be running Ubuntu, well, Gnome with the Human theme at least.

Sid said...

@Daniel: while MS08-067 remains its major replication vector, Conficker uses other attack vectors, in particular when it comes to spreading into an enterprise network...

inuk-x said...

I just watched the segment and would like to add the following.

Personally I detest the term "hacker"; it is so cliche and unimaginative.

It is completely plausible that CBS edited out Mr. Cerf's comments on not using Windows.

Anonymous said...

For those who can't understand Finnish, this is basically pointing out that the picture of "Tempest and homies" they use is a picture of Finnish school kids that's been around Finnish sites for 6 years now.

And further inspection reveals that the boy on the left has the Finnish coat of arms on his jacket.

Russ Cooper said...

FWIW, I've been on the Net since Windows was capable (no arguments please) and I've only ever had one piece of crimeware get on my machine. That piece came in a Word document from a lawyer working on behalf of an anti-virus company.

...and I've used Windows exclusively all along...and never anti-virus software. The same is true of my very un-tech-savvy Mother, btw.

It's disheartening to see you think people can't resist crimeware...even if they run Windows.

Richard Bejtlich said...

Anonymous, that's one of the best comments I have EVER SEEN here. HA!

Anonymous said...

I laughed so hard when I saw the picture of the Finnish teenager. That picture has been around for an eternity and now it comes up in something like this. Hilarious.

But if I was that little guy, I would probably sue CBS or the makers of the program or whoever.

Joel Esler said...

Vint uses a Mac. For those of you wondering.

Anonymous said...

Enjoy the light reading:

NCSC Research Paper, A New Model for Network Valuation, By Rod Beckstrom