[Infowarrior] - more on...Microsoft exec pitches Internet usage tax to pay for cybersecurity programs - The Hill's Hillicon Valley
Richard Forno
rforno at infowarrior.org
Thu Mar 4 18:13:53 UTC 2010
Begin forwarded message:
> From: Rich Kulawiec <rsk at gsp.org>
> Date: March 4, 2010 11:07:39 AM EST
> To: David Farber <dave at farber.net>
> Cc: Richard Forno <rforno at infowarrior.org>
>
>
> This pitch neatly overlooks something very important, I think.
>
> We have a plethora of Internet security problems, and any reader of
> Dave Farber's IP or Richard Forno's Infowarrior list or Bruce
> Schneier's
> blog or Marcus Ranum's essays &etc. could enumerate many of them.
>
> However, the biggest problem we have, the one that dwarfs all others
> in terms of scale, scope, difficulty, etc. isn't really an Internet
> problem per se: it's a Microsoft Windows problem.
>
> The zombie/bot problem has been epidemic for the better part of a
> decade,
> and continue to monotonically increase is size. It started with
> malware
> like Sobig:
>
> Sobig.a and the Spam You Received Today
> http://www.secureworks.com/research/threats/sobig
>
> Sobig.e - Evolution of the Worm
> http://www.secureworks.com/research/threats/sobig-e/
>
> Sobig.f Examined
> http://www.secureworks.com/research/threats/sobig-f
>
> and then escalated as The Bad Guys developed ever-better code that
> (a) took over Windows systems and (b) provided the command-and-control
> necessary to organize them into botnets. They've gotten really good
> at this.
>
> "How many systems?" remains an open question, but it's clearly
> somewhere
> above 100 million. (Which is the consensus estimate that some of us
> who
> work in the anti-spam arena came up with several years ago.) Other
> estimates
> have been tossed out as well: 250M, 140M, etc. Nobody knows for
> sure because
> the answer is unknowable -- a botnet member isn't visible until it
> does
> something bot-like to something that's listening for it -- but we can
> come up with reasonable lower bounds based on years of observations.
>
> "How many botnets, and how large?" is another open question whose best
> current answers are probably "many" and "millions to tens of
> millions".
> For a recent example:
>
> Mariposa Botnet beheaded
> http://hosted.ap.org/dynamic/stories/U/US_TEC_BOTNET_BUSTED?SITE=AP&SECTION=HOME&TEMPLATE=DEFAULT&CTIME=2010-03-02-14-26-32
>
> This articles says "as many as 12.7 million poisoned PCs" but does not
> elaborate how that number was arrived at. (But suppose it's a 400%
> overestimate: that's still a sizable botnet. And suppose it's a 400%
> underestimate: yipes.)
>
> Before anyone celebrates too much at this news: the takeaway from this
> article is that the C&C structure has been taken down...which means
> that
> there are now putatively 12.7 million pre-compromised systems out
> there
> waiting for the first person(s) who can conscript them into *their*
> botnet.
> (Any bets on how long that'll take? I've got a dollar that says "it's
> already history".)
>
> "What are they running?" is one of the few questions that we have a
> decent answer to, and the answer is "Windows". We can use passive
> OS fingerprinting and other techniques to identify the likely OS on
> each zombie/bot that we see, and while we do from time to time see
> some that classify as "unknown" or "indeterminate" or "something
> other than Windows", they're quite rare. The numbers I've got from
> several years of doing this boil down to "a handful per million might
> not be Windows or might be Windows-behind-something-else".
>
> So here's the executive summary: there are something in excess of 100M
> systems out there which no longer belong, in any real sense, to the
> people who think they own them. They are the playthings of the people
> running botnets, who have full access to every scrap of data on them,
> every set of credentials stored or used on them, and can do *anything*
> they want with them. All but a negligible number of them are running
> Windows. All the band-aids -- patching, AV, etc. -- aren't working.
> They're ubiquitous: desktops, laptops, cellphones, and servers across
> commercial, ISP, academic, and government environments.
>
> And there are more every day.
>
> All of this has a tremendous ripple effect on everything else we're
> working on: anti-spam, anti-phishing, DoS attacks, identity theft,
> anti-forgery, data loss, MitM attacks, DNS forgery, etc.
>
> And while we occasionally see Microsoft doing something minor
> about it, e.g.:
>
> Court order helps Microsoft tear down Waledac botnet
> http://www.networkworld.com/news/2010/022510-court-order-helps-microsoft-tear.html
>
> these actions are clearly calculated to generate positive PR for
> Microsoft, not to seriously address the problem. (Note that all this
> did, like the bust above, was attempt to cut out the C&C network.
> It does
> nothing to remediate the "hundreds of thousands of infected
> machines".)
>
> This isn't just a security problem, it's THE security problem.
> And Microsoft owns it -- lock, stock and barrel.
>
> Now here's an interesting exercise: go try to find a statement made by
> anyone at Microsoft in which they acknowledge this: that is, in which
> they provide a realistic assessment of the scale of the problem, take
> corporate responsibility for it, and explain what they're going to do
> to clean up their mess.
>
> Scott Charney didn't do that, as far as I can tell. He didn't talk
> about the 100M bots out there or how they're almost all running his
> company's operating system or how much this is costing us in anti-
> spam,
> anti-bruteforce, anti-DDoS, anti-whatever measures *even if we don't
> run
> Windows in our operations*. He didn't even come anywhere close to
> this.
> He just lumped all systems together, as if this was a systemic
> problem,
> not one almost entirely confined to Windows.
>
> And neither, as far as I can tell, has anyone else at Microsoft. They
> don't even want to be in the same room with this issue because even
> for a company with their enormous financial and personnel resources,
> it's a staggering task (with an equally-staggering cost) to
> contemplate.
>
> And as long as everyone buys into the Microsoft PR, that we have
> "a generic Internet security problem" and not "a Microsoft Windows
> security problem", they won't have to.
>
> ---Rsk
>
More information about the Infowarrior
mailing list