Black Raven Dragoons

http://bits.blogs.nytimes.com/2011/06/2 ... s-offline/

It's interesting to me that instead of investigating the problem further, the FBI disrupts numerous services by seizing loads of equipment, including equipment that was unlikely to be involved in any attacks. If this is the best we can do, it's shameful.

It's like cutting off your head to get rid of a head-ache. My oldest kid is a network security "geek" and says this sort of stuff is constantly changing and cyber attacks are more common than they've ever been. But taking the "hardware" from hackers is only half the battle. I'm sure the hacking software is quite useful too.

Gnomegrenade wrote:My oldest kid is a network security "geek" and says this sort of stuff is constantly changing and cyber attacks are more common than they've ever been. But taking the "hardware" from hackers is only half the battle. I'm sure the hacking software is quite useful too.

That's largely quite true. In this case, I think the article was probably correct--the FBI probably thought 1 equipment cabinet = 1 server without realizing that most colocation/VPS/hosting services will often place several servers into a single cabinet depending on how they charge for space and the distribution of machines. Servers can be designed to have a rather small footprint once mounted as you can see here. It's astounding to me that the very people who should know what they're doing to avoid collateral damage simply don't know and don't care.

You're absolutely right in that attacks are increasing in regularity. The real kicker is that the majority of the ones I see on most web-accessible services are automated and are typically just one prong of a botnet, either searching for Unix/Linux hosts to use as botnet controllers or to install malware so that whenever someone visits the site with an outdated browser (or, more commonly, Flash), their machine gets infected and used as a zombie host. Except for high profile targets, it's exceedingly rare to see attacks that aren't automated probes, particularly for smaller networks

I had the reluctant pleasure of diagnosing a particular exploit on a number of vBulletin installs that appeared to be long-running. These sites in question had previously been attacked, likely with password hashes snagged, and about one year later, new (?) attackers were using administrative accounts to install malware. This demonstrated that they had not only managed to crack the passwords previously snagged, but they also were in some way affiliated with the previous attackers or--at the very least--shared information with them (likely, considering most malware installers are probably in some manner affiliated with organized crime). Unsurprisingly, the accounts in question were either old administrative accounts or ones for which the admin passwords were presumed to have been changed; so really, security is just as much about policy as it is about securing physical things. Of course, that doesn't do much good when the reason for your downtime is federal officials getting a little overzealous and snagging things that were not involved with any sort of illegal activity. Though it does hurt public relations when you have to tell customers that your site is down because the FBI snagged your boxes. Perhaps this says something about renting space in multiple, geographically diverse data centers, if you can afford it.

As far as hacking software goes, I am aware of a few different levels: There's the basic "point and click" stuff along the lines of LOIC (Low Orbit Ion Cannon), which is basically a Distributed Denial of Service (DDoS) tool that enables anyone who wants to assist in some inane cause to partake in service disruption (often called "hacktivism," as was the case against PayPal following Assange's arrest) and is not specifically a "hacking" device more than it is an attack vector; there are legitimate automated tools that are typically used for security penetration testing ("pen testing" kits can be found and gotten pretty easily, including as convenient, bootable ISO or USB images); and then there are malware authoring kits that allow people of varying degrees of skill to roll their own malicious software. There's various permutations of each, sometimes mixed, and there are some that have legitimate use cases.

What worries me is that this is leading us straight down the road of further regulation on the Internet and on legitimate software tools that can help system administrators locate and diagnose problems before a potential adversary can. While there are legitimate arguments for banning certain forms of software (like the pen-testing suites), it's something that I liken to banning certain types of speech--and really, there's something to the software-as-speech argument. As more and more services move onto and require Internet access to operate, there will be increasing pressure on our politicians to tighten regulations. In some ways, it almost lends credence to the tinfoil hat-wearers who have been making claims that LulzSec is backed or funded by pro-Internet regulation groups who are hoping to see the Internet of today changed drastically to limit free speech and free information sharing. I don't see specifically how, but it's certainly food for thought. In a somewhat morbid twist, it falls in line with the same model used by the entertainment industry to push regulations onto hardware and software vendors in effort to protect their global hegemony. But, I suspect this is just a case of malicious urges. After all, most malware authors proper are doing it for the money--and working systems are more useful than broken systems, because they can exchange spam, information, or be used in extortion.

Of course, as long as compilers and information remains free (or very nearly free--books are still cheap), regulation is unlikely to have any effect on anyone else but companies offering Internet-aware services.

Thalaria wrote:What worries me is that this is leading us straight down the road of further regulation on the Internet and on legitimate software tools that can help system administrators locate and diagnose problems before a potential adversary can.

Maybe this is what the federal government wants??

That's a good point. It behooves our politicians to keep the masses stupid and uninformed. The Internet is very counter to that.

Perhaps the tinfoil-hat theories aren't quite so outlandish!