[Infowarrior] - Future of Cyber Security: Hackers Have Grown Up
Richard Forno
rforno at infowarrior.org
Wed Jul 29 02:38:41 UTC 2009
(c/o St)
Future of Cyber Security: Hackers Have Grown Up
By Kevin Poulsen | 07.28.09
http://www.wired.com/dualperspectives/article/news/2009/07/dp_security_wired0728
Late last year, the software engineers developing a new Windows-based
networking client confronted an all-too-common problem in today's
hostile internet environment: How would they make their software
resistant to the legions of enemies waiting to attack it? Particularly
worrisome was a key feature of their code, a mechanism to accept
updates online. If it were subverted, an attacker could slip his own
program into an installed base of millions of machines.
The coders decided to fortify their software with MIT's brand-new,
high-security cryptographic hashing algorithm called MD-6. It was an
ambitious choice: MD-6 had been released just two months before, and
hadn't yet faced the rigors of real-life deployment. Sure enough, the
move seemed to backfire when a security hole was found in MD-6's
reference implementation not long after the launch. But the coders
rallied, and pushed out a corrected version in a new release of their
software just weeks later.
It would be a model for secure software development, except for one
detail: The "Windows-based networking client" in the example above is
the B-variant of the spam-spewing Conficker worm; the corrected
version is Conficker C, and the hard-working security-minded coders
and software engineers? A criminal gang of anonymous malware writers,
likely based in Ukraine. The very first real-world use of MD-6, an
important new security algorithm, was by the bad guys.
This is the future of hacking: professional, smart, and above all,
well-funded. In the old days, hackers were mostly kids and college-age
acolytes sowing their wild oats before joining the establishment.
Today, the best hackers have the skill and discipline of the best
legitimate programmers and security gurus. They're using mind-bending
obfuscation techniques to deliver malicious code from hacked websites
undetected. They're writing malware for mobile phones and PDAs. The
underground has even embraced the next-generation internet protocol
IPv6, according to research by IBM -- setting up IPv6 chat rooms, file
stores and websites, even as legitimate adoption lags. Ten years ago,
an oft-repeated aphorism held that hackers were unskilled vandals:
Just because they can break a window doesn't mean they can build
one. Today's bad guys could handcraft the stained glass in the
Sainte-Chapelle.
Money is the catalyst for this change: Computer criminals are raking
in millions through various scams and attacks. The best hackers are
growing up in Russia and former Soviet satellite states, where there
are fewer legitimate opportunities for smart coders. "If you're a
sophisticated team of software developers, but you happen to be in
Eastern Europe, what's your way of raising a lot of money?" says
Phillip Porras, the cyber threat expert at SRI International who
dissected Conficker. "Maybe we're dealing with business models that
work for countries where it's more difficult for them to sell
mainstream software."
One result is hacking-as-a-service. Want your custom code installed in
a botnet of hacked machines? It'll cost you $23 for 1,000 computers,
$130 if you want them exclusively, says Uri Rivner, head of new
technologies at security company RSA. Or you can pay for a custom
Trojan horse that will sneak past anti-virus software, or a toolkit
that will let you craft your own. "They actually have a testing lab
where they test their malicious code against the latest anti-virus
companies," says Rivner, whose group closely monitors the underground.
While most computer criminals are "thugs," the programmers and
software entrepreneurs supplying them are scary-smart, he says.
Particularly disturbing to security experts is the speed with which
the bad guys are jumping on newly disclosed vulnerabilities. "Even one
year ago, a lot of these web exploit toolkits were using
vulnerabilities that had been discovered one or two years prior," says
Holly Stewart, Threat Response Manager at IBM's X-Force. "They were
really, really old.... That has really changed, especially this year.
We're seeing more and more current exploits go into these toolkits.
And we're seeing exploits come out that are even just a couple days
after the vulnerability announcement."
Even worse, hackers are finding or purchasing their own
vulnerabilities, called "zero day" exploits, for which no security
patch exists. With real money to be had, there's evidence that
legitimate security workers are being tempted themselves. In April,
federal prosecutors filed a misdemeanor conspiracy charge against
security consultant Jeremy Jethro for allegedly selling a "zero day"
Internet Explorer exploit to accused TJ Maxx hacker Albert Gonzalez.
The price tag: $60,000. It could take a lot of consulting gigs to make
that kind of money performing penetration tests.
The change is being felt at every level of the cyber security world.
When SRI's Porras dug into the Conficker worm -- which still controls
an estimated 5 million machines, mostly in China and Brazil -- the
update mechanism initially baffled him and his team. "I know a lot of
people stared at that segment of code and couldn't figure out what it
was," he says. It wasn't until crypto experts analyzed it that they
realized it was MD-6, which at the time was available only from the
websites of MIT and the U.S. National Institute of Standards and
Technology. Other portions of Conficker were equally impressive: the
way it doggedly hunts for anti-virus software on a victim's machine,
and disables it; or the peer-to-peer mechanism. "There were points
where it was pretty clear that certain major threads inside Conficker
C seemed to be written by different people," he says. "It left us
feeling that we had a more organized team that brought different
skills to bear.... They aren't people who have day jobs."
Looking back, the first 20 years in the war between hackers and
security defenders were pretty laid back for both sides. The hackers
were tricky, sometimes even ingenious, but rarely organized. A wealthy
anti-virus industry rose on the simple counter-measure of checking
computer files for signatures of known attacks. Hackers and security
researchers mixed amiably at DefCon every year, seamlessly switching
sides without anyone really caring. From now on, it's serious. In the
future, there won't be many amateurs.