Security Thread

Started by Triple Zero, August 02, 2009, 01:13:29 PM


Triple Zero

Malware coder / Botnet herder does AMA on Reddit, loads of interesting things:

http://www.reddit.com/r/IAmA/comments/sq7cy/iama_a_malware_coder_and_botnet_operator_ama/

(Be sure to expand all the collapsed comment thread bits because some have such a dislike of anonymous cybercriminals they downvoted many of the OP's comments into collapsement)
Ex-Soviet Bloc Sexual Attack Swede of Tomorrow™
e-prime disclaimer: let it seem fairly unclear I understand the apparent subjectivity of the above statements. maybe.

INFORMATION SO POWERFUL, YOU ACTUALLY NEED LESS.

Triple Zero

From the discussion on HN about the above Reddit AMA, kind of off-topic in regard to security, but a very interesting observation in general:

http://news.ycombinator.com/item?id=3962120
Quote from: etherael
It was quite interesting to me how he rationalised his behaviour; Yes, it's a bad thing to do, but at the same time the world is full of bad actors, unscrupulous politicians and out of control corrupt financial institutions, so really I'm just acting in accordance with the established order.

I think people don't consider how the blatant and endemic corruption in society affects the moral codes of ordinary people very often, but this is a good case in point.
Ex-Soviet Bloc Sexual Attack Swede of Tomorrow™
e-prime disclaimer: let it seem fairly unclear I understand the apparent subjectivity of the above statements. maybe.

INFORMATION SO POWERFUL, YOU ACTUALLY NEED LESS.

Golden Applesauce

Quote from: Triple Zero on May 14, 2012, 11:02:46 AM
From the discussion on HN about the above Reddit AMA, kind of off-topic in regard to security, but a very interesting observation in general:

http://news.ycombinator.com/item?id=3962120
Quote from: etherael
It was quite interesting to me how he rationalised his behaviour; Yes, it's a bad thing to do, but at the same time the world is full of bad actors, unscrupulous politicians and out of control corrupt financial institutions, so really I'm just acting in accordance with the established order.

I think people don't consider how the blatant and endemic corruption in society affects the moral codes of ordinary people very often, but this is a good case in point.

I saw that!

I also like how he blames his victims for being insufficiently paranoid / tech savvy. Of course they're not as paranoid as you are - they aren't cybercriminals.

Also - either 12,000 bots is fucking tiny or being a botmaster doesn't pay shit.  Sure, it's a part-time college job, but he's only making a fraction of what a first-year CS graduate can make in the States.
Q: How regularly do you hire 8th graders?
A: We have hired a number of FORMER 8th graders.

Triple Zero

yes 12k bots is quite tiny, most "pro" botnets I heard of are in the 100k range, the real big ones can easily be 5-10x that.

I don't think it's bad money, though. It's obviously not his full-time job as he's still studying engineering. In the meantime he's tinkering with netsec and reverse engineering, which he would probably be doing anyway. The bitcoin mining seems to net him about $1000 each month, he doesn't say how much he gets from selling cc info in addition to that.

And with that quote I meant something different. I'm completely uninterested in how or why this guy's rationalisations are wrong, unethical, immoral and/or misguided. That much is obvious and the whole moral crusade thing is just for making the people pointing it out feel good about themselves but detrimental to learning and the discussion. However it's the last sentence of that quote that caught my attention:

I think people don't consider how the blatant and endemic corruption in society affects the moral codes of ordinary people very often, but this is a good case in point.

See, I don't care about his arguments that people should learn to protect themselves better etc; though I agree that they should, that's no reason to rob them. The interesting thing is he also points at politicians, bankers and such who are operating much larger scale corruption, stealing billions from the economy, fucking over people far worse (through policies and crises) than he does.

It's an interesting idea, how many people rationalize their smaller-scale crimes because even our "leaders" are doing it, and they're doing it much worse?

"They're screwing us over, so that means I can take what I want, too"

Something about responsibility and setting an example.
Ex-Soviet Bloc Sexual Attack Swede of Tomorrow™
e-prime disclaimer: let it seem fairly unclear I understand the apparent subjectivity of the above statements. maybe.

INFORMATION SO POWERFUL, YOU ACTUALLY NEED LESS.

Cain

Might want to watch out for this

http://www.theregister.co.uk/2013/02/01/ransomware_trojan/

Quote
Depraved miscreants are spreading vile ransomware that displays images of child abuse on infected PCs and demands payment to remove them.

Typically, this sort of malware pretends to be an official piece of police software and pops up a text message accusing victims of breaking the law - usually for downloading copyrighted material or dodgy pornography - and locks down the computer until the user coughs up some cash.

But this new Trojan stoops to an all-time low by displaying actual pictures of child sex abuse and accuses the victim of previously viewing it. The ransomware sports logos of the German Federal Office for Information Security (BSI) and the German Society for the Prosecution of Copyright Infringement (GVU) to lend an air of authenticity to proceedings.

Mesozoic Mister Nigel

Quote from: Cain on February 04, 2013, 10:48:56 AM
Might want to watch out for this

http://www.theregister.co.uk/2013/02/01/ransomware_trojan/

Quote
Depraved miscreants are spreading vile ransomware that displays images of child abuse on infected PCs and demands payment to remove them.

Typically, this sort of malware pretends to be an official piece of police software and pops up a text message accusing victims of breaking the law - usually for downloading copyrighted material or dodgy pornography - and locks down the computer until the user coughs up some cash.

But this new Trojan stoops to an all-time low by displaying actual pictures of child sex abuse and accuses the victim of previously viewing it. The ransomware sports logos of the German Federal Office for Information Security (BSI) and the German Society for the Prosecution of Copyright Infringement (GVU) to lend an air of authenticity to proceedings.

FUCKING HELL

That's horrifying!
"I'm guessing it was January 2007, a meeting in Bethesda, we got a bag of bees and just started smashing them on the desk," Charles Wick said. "It was very complicated."


The Good Reverend Roger

Quote from: M. Nigel Salt on February 05, 2013, 03:04:37 AM
Quote from: Cain on February 04, 2013, 10:48:56 AM
Might want to watch out for this

http://www.theregister.co.uk/2013/02/01/ransomware_trojan/

Quote
Depraved miscreants are spreading vile ransomware that displays images of child abuse on infected PCs and demands payment to remove them.

Typically, this sort of malware pretends to be an official piece of police software and pops up a text message accusing victims of breaking the law - usually for downloading copyrighted material or dodgy pornography - and locks down the computer until the user coughs up some cash.

But this new Trojan stoops to an all-time low by displaying actual pictures of child sex abuse and accuses the victim of previously viewing it. The ransomware sports logos of the German Federal Office for Information Security (BSI) and the German Society for the Prosecution of Copyright Infringement (GVU) to lend an air of authenticity to proceedings.

FUCKING HELL

That's horrifying!

Jesus Christ.
" It's just that Depeche Mode were a bunch of optimistic loveburgers."
- TGRR, shaming himself forever, 7/8/2017

"Billy, when I say that ethics is our number one priority and safety is also our number one priority, you should take that to mean exactly what I said. Also quality. That's our number one priority as well. Don't look at me that way, you're in the corporate world now and this is how it works."
- TGRR, raising the bar at work.

Nephew Twiddleton

Strange and Terrible Organ Laminator of Yesterday's Heavy Scene
Sentence or sentence fragment pending

I Am the Hairy Cowboy of Gold

TIM AM I, PRIMARY OF THE EXTRA-ATMOSPHERIC SIMIANS

Golden Applesauce

"Hackers" call in a SWAT team on big shot security researcher / blogger / professional Russian cybercrime pisser-offer Brian Krebs. Brian Krebs is unimpressed.

http://krebsonsecurity.com/2013/03/the-world-has-no-room-for-cowards/#more-19437
Q: How regularly do you hire 8th graders?
A: We have hired a number of FORMER 8th graders.

Mesozoic Mister Nigel

Very interesting, and well-handled on his part.
"I'm guessing it was January 2007, a meeting in Bethesda, we got a bag of bees and just started smashing them on the desk," Charles Wick said. "It was very complicated."


Bu🤠ns

Quote from: Triple Zero on May 15, 2012, 02:20:21 PM
yes 12k bots is quite tiny, most "pro" botnets I heard of are in the 100k range, the real big ones can easily be 5-10x that.

I don't think it's bad money, though. It's obviously not his full-time job as he's still studying engineering. In the meantime he's tinkering with netsec and reverse engineering, which he would probably be doing anyway. The bitcoin mining seems to net him about $1000 each month, he doesn't say how much he gets from selling cc info in addition to that.

And with that quote I meant something different. I'm completely uninterested in how or why this guy's rationalisations are wrong, unethical, immoral and/or misguided. That much is obvious and the whole moral crusade thing is just for making the people pointing it out feel good about themselves but detrimental to learning and the discussion. However it's the last sentence of that quote that caught my attention:

I think people don't consider how the blatant and endemic corruption in society affects the moral codes of ordinary people very often, but this is a good case in point.

See, I don't care about his arguments that people should learn to protect themselves better etc; though I agree that they should, that's no reason to rob them. The interesting thing is he also points at politicians, bankers and such who are operating much larger scale corruption, stealing billions from the economy, fucking over people far worse (through policies and crises) than he does.

It's an interesting idea, how many people rationalize their smaller-scale crimes because even our "leaders" are doing it, and they're doing it much worse?

"They're screwing us over, so that means I can take what I want, too"

Something about responsibility and setting an example.


I'm almost finished the thread but what grabbed me is the idea that Antivirus companies will purposely leave holes open and that they're nothing more than snake oil salesmen. 

What do you think about that?  At least from a Windows point of view.

Golden Applesauce

Quote from: Bu☆ns on March 16, 2013, 07:58:00 AM
I'm almost finished the thread but what grabbed me is the idea that Antivirus companies will purposely leave holes open and that they're nothing more than snake oil salesmen. 

What do you think about that?  At least from a Windows point of view.

They don't need to leave holes open. Antivirus software fundamentally does not work - they attempt to guess if a program is a virus or not by looking at its code. Which is theoretically unsolvable (see: Halting Problem, the computer equivalent of Gödel's incompleteness theorem) as well as unsolvable in practice - all you have to do is either deploy a self-decrypting or self-extracting program and AV software can't read inside of it, or trick a safe program into running malicious code (the "poisonous PDF" trick.)

Windows or not is irrelevant. Actually, PC hacks these days tend to rely more on vulnerabilities in specific programs (Adobe Reader, Java's browser plugin, Flash) than operating systems. They might still be deploying Windows code, but only because that's the most bang for your effort, not because modern Windows is especially vulnerable. It's terrifically easy to accidentally configure Windows to be insecure (or forget to turn on the important security settings)

Security companies can work, but good security is Hard, and therefore Expensive. Cost efficient if you're a bank or DoD contractor, not so much as an individual user or small business. Here's a story about what a real security firm looks like. They messed up, but the attackers had to work really hard to pull it off. Maybe not Stuxnet grade, but almost certainly state-backed.
http://krebsonsecurity.com/2013/02/security-firm-bit9-hacked-used-to-spread-malware/
http://krebsonsecurity.com/2013/02/bit9-breach-began-in-july-2012/
Q: How regularly do you hire 8th graders?
A: We have hired a number of FORMER 8th graders.
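
The static-scanning limit described in the post above, as an added example that is not part of the thread: a byte-signature check finds a known marker in plain bytes but not inside a zlib container, so the layered scanner unpacks before matching and reports high-entropy data it cannot open as `opaque` rather than clean. The signature, sample buffers, function names and the 7.0 bits/byte threshold are all constructed for illustration.

```python
import hashlib
import math
import zlib
from collections import Counter

# Constructed, harmless marker standing in for a known-bad byte signature.
SIGNATURE = b"CONSTRUCTED-TEST-SIGNATURE-0001"
MAX_UNPACKED = 1 << 20  # cap output so a decompression bomb cannot exhaust memory

def naive_scan(data: bytes) -> bool:
    """Signature matching on the bytes exactly as stored."""
    return SIGNATURE in data

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; values near 8.0 indicate compressed or encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def try_unpack(data: bytes):
    """Peel one zlib layer; return None when the data is not a zlib stream."""
    try:
        return zlib.decompressobj().decompress(data, MAX_UNPACKED)
    except zlib.error:
        return None

def scan(data: bytes, max_depth: int = 3, entropy_limit: float = 7.0) -> str:
    """Return 'match', 'opaque' (could not be inspected) or 'no-match'."""
    for depth in range(max_depth + 1):
        if naive_scan(data):
            return "match"
        inner = try_unpack(data) if depth < max_depth else None
        if inner is None:
            break
        data = inner
    # Nothing matched and nothing is left to unpack. High entropy means the
    # scanner never saw the real content, which is not the same as "clean".
    if len(data) >= 256 and shannon_entropy(data) > entropy_limit:
        return "opaque"
    return "no-match"

# Constructed sample inputs.
CLEAN = b"ordinary program bytes " * 40
PLAIN = CLEAN + SIGNATURE
PACKED = zlib.compress(PLAIN)  # same content inside one container layer
# Deterministic high-entropy bytes standing in for content encrypted with a
# key the scanner does not have.
OPAQUE = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(128))

if __name__ == "__main__":
    for name, sample in [("clean", CLEAN), ("plain", PLAIN),
                         ("packed", PACKED), ("opaque", OPAQUE)]:
        print(f"{name:7} naive={naive_scan(sample)!s:5} layered={scan(sample)}")
```

An `opaque` verdict is a signal to route the file to quarantine, sandboxing or an allowlist decision, which is the approach the linked Bit9 stories concern.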

Cain

Not to mention, thanks to the flood of cyberwarfare scares in the past few years, the security consultant firm is absolutely filled to the brim with scam artists and people who do not know what they are talking about.

Most companies would also rather take the losses and bury the mistake and hire some shiny looking outfit to run "stress tests" and "deploy active countermeasures" than be told that they need to change their passwords weekly, and not have their password as "password". They'll take their (not so) cheap, technological cure-all (which doesn't actually work) over a focus on the human equation of security, being told no security is perfect and engaging in a number of opportunity-cost raising activities which may not reassure investors and could impact on their bottom line.

Bu🤠ns

Quote from: Golden Applesauce on March 16, 2013, 06:20:44 PM
Quote from: Bu☆ns on March 16, 2013, 07:58:00 AM
I'm almost finished the thread but what grabbed me is the idea that Antivirus companies will purposely leave holes open and that they're nothing more than snake oil salesmen. 

What do you think about that?  At least from a Windows point of view.

They don't need to leave holes open. Antivirus software fundamentally does not work - they attempt to guess if a program is a virus or not by looking at its code. Which is theoretically unsolvable (see: Halting Problem, the computer equivalent of Gödel's incompleteness theorem) as well as unsolvable in practice - all you have to do is either deploy a self-decrypting or self-extracting program and AV software can't read inside of it, or trick a safe program into running malicious code (the "poisonous PDF" trick.)

Windows or not is irrelevant. Actually, PC hacks these days tend to rely more on vulnerabilities in specific programs (Adobe Reader, Java's browser plugin, Flash) than operating systems. They might still be deploying Windows code, but only because that's the most bang for your effort, not because modern Windows is especially vulnerable. It's terrifically easy to accidentally configure Windows to be insecure (or forget to turn on the important security settings)

Security companies can work, but good security is Hard, and therefore Expensive. Cost efficient if you're a bank or DoD contractor, not so much as an individual user or small business. Here's a story about what a real security firm looks like. They messed up, but the attackers had to work really hard to pull it off. Maybe not Stuxnet grade, but almost certainly state-backed.
http://krebsonsecurity.com/2013/02/security-firm-bit9-hacked-used-to-spread-malware/
http://krebsonsecurity.com/2013/02/bit9-breach-began-in-july-2012/

So then the best security practices are to: enable basic OS security settings, update everything constantly, scan for rootkits, not use pirate software and use script blockers?   I've considered using a VM to do the more risky stuff....is that a useful tactic?


Quote from: Cain on March 16, 2013, 06:29:51 PM
Not to mention, thanks to the flood of cyberwarfare scares in the past few years, the security consultant firm is absolutely filled to the brim with scam artists and people who do not know what they are talking about.

Most companies would also rather take the losses and bury the mistake and hire some shiny looking outfit to run "stress tests" and "deploy active countermeasures" than be told that they need to change their passwords weekly, and not have their password as "password". They'll take their (not so) cheap, technological cure-all (which doesn't actually work) over a focus on the human equation of security, being told no security is perfect and engaging in a number of opportunity-cost raising activities which may not reassure investors and could impact on their bottom line.

This is crazy... it's the first I've heard of this. Here I'm thinking that I'm lucky because I don't get malware (that I know of :P ) because I update my AV every time I can.

Cain

Quote from: Golden Applesauce on March 16, 2013, 04:21:36 AM
"Hackers" call in a SWAT team on big shot security researcher / blogger / professional Russian cybercrime pisser-offer Brian Krebs. Brian Krebs is unimpressed.

http://krebsonsecurity.com/2013/03/the-world-has-no-room-for-cowards/#more-19437

Unfortunately for these hackers, they are being datamined by whitehat hackers currently.  Krebs is pretty popular amongst the more sensible and knowledgeable infosec circles, and they are most upset at him being treated in such a manner.