<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Roger Halbheer on Security &#187; Crime</title>
	<atom:link href="http://www.halbheer.info/security/tag/crime/feed" rel="self" type="application/rss+xml" />
	<link>http://www.halbheer.info/security</link>
	<description>I am the Worldwide Chief Security Advisor for Microsoft and would like to discuss Information Security</description>
	<lastBuildDate>Mon, 06 Sep 2010 14:34:43 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>What it takes to shut down a botnet</title>
		<link>http://www.halbheer.info/security/2010/09/02/what-it-takes-to-shut-down-a-botnet</link>
		<comments>http://www.halbheer.info/security/2010/09/02/what-it-takes-to-shut-down-a-botnet#comments</comments>
		<pubDate>Thu, 02 Sep 2010 12:57:51 +0000</pubDate>
		<dc:creator>Roger</dc:creator>
				<category><![CDATA[Crime]]></category>
		<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[Botnet]]></category>

		<guid isPermaLink="false">http://www.halbheer.info/security/2010/09/02/what-it-takes-to-shut-down-a-botnet</guid>
		<description><![CDATA[It hits the press from time to time that somebody was successful in taking down a botnet. We had some success as well with the Waledac Botnet Takedown. There is actually a good article on What it takes to shut down &#8230; <a href="http://www.halbheer.info/security/2010/09/02/what-it-takes-to-shut-down-a-botnet">Continue reading <span class="meta-nav">&#8594;</span></a>


]]></description>
			<content:encoded><![CDATA[
<p>It hits the press from time to time that somebody was successful in taking down a botnet. We had some success as well with the <a href="http://clubhouse.microsoft.com/Public/Post/d4666a88-8d90-4d6c-9311-07e9452eebdb" target="_blank">Waledac Botnet Takedown</a>.</p>
<p>There is actually a good article on <a href="http://www.infoworld.com/t/anti-spam/what-it-takes-shut-down-botnet-903" target="_blank">What it takes to shut down a botnet</a>. When I was doing some bing-search on the botnet takedowns, I found good work from Microsoft research as well: Your botnet is my botnet: <a href="http://academic.research.microsoft.com/Paper/4852217.aspx" target="_blank">analysis of a botnet takeover</a>.</p>
<p>It is not only about taking down the botnet, it is about going after the criminals and making sure it does not recover.</p>
<p>Roger</p>



]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.info/security/2010/09/02/what-it-takes-to-shut-down-a-botnet/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Risk of Blogging</title>
		<link>http://www.halbheer.info/security/2010/08/24/the-risk-of-blogging</link>
		<comments>http://www.halbheer.info/security/2010/08/24/the-risk-of-blogging#comments</comments>
		<pubDate>Tue, 24 Aug 2010 10:01:43 +0000</pubDate>
		<dc:creator>Roger</dc:creator>
				<category><![CDATA[Industry]]></category>
		<category><![CDATA[Social Media]]></category>
		<category><![CDATA[Trends]]></category>
		<category><![CDATA[Blog]]></category>
		<category><![CDATA[Crime]]></category>

		<guid isPermaLink="false">http://www.halbheer.info/security/2010/08/24/the-risk-of-blogging</guid>
		<description><![CDATA[Steve Ballmer was once asked by a journalist whether and why he allows blogging by Microsoft employees, without any approval process. His answer was that he lets Microsoft employees talk to customers without approval process as well (at least that’s &#8230; <a href="http://www.halbheer.info/security/2010/08/24/the-risk-of-blogging">Continue reading <span class="meta-nav">&#8594;</span></a>


]]></description>
			<content:encoded><![CDATA[
<p>Steve Ballmer was once asked by a journalist whether and why he allows blogging by Microsoft employees, without any approval process. His answer was that he lets Microsoft employees talk to customers without approval process as well (at least that’s the story which was told <img style="border-bottom-style: none; border-right-style: none; border-top-style: none; border-left-style: none" class="wlEmoticon wlEmoticon-smile" alt="Smile" src="http://www.halbheer.info/security/wp-content/uploads/2010/08/wlEmoticonsmile2.png">).</p>
<p>You know that I am a big fan of enabling employees to leverage social networks to increase productivity. However, there are risks one has to be aware of and policies which should be followed as this example shows: <a href="http://www.latimes.com/news/nationworld/nation/la-na-blogger-suits-20100823,0,5604043.story?track=rss" target="_blank">Blogger beware: Postings can lead to lawsuits</a></p>
<p>So, beware what you write <img style="border-bottom-style: none; border-right-style: none; border-top-style: none; border-left-style: none" class="wlEmoticon wlEmoticon-winkingsmile" alt="Winking smile" src="http://www.halbheer.info/security/wp-content/uploads/2010/08/wlEmoticonwinkingsmile.png"></p>
<p>Roger</p>



]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.info/security/2010/08/24/the-risk-of-blogging/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Are We Losing the Fight Against Cybercrime?</title>
		<link>http://www.halbheer.info/security/2010/08/17/are-we-losing-the-fight-against-cybercrime</link>
		<comments>http://www.halbheer.info/security/2010/08/17/are-we-losing-the-fight-against-cybercrime#comments</comments>
		<pubDate>Tue, 17 Aug 2010 12:04:30 +0000</pubDate>
		<dc:creator>Roger</dc:creator>
				<category><![CDATA[Crime]]></category>
		<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[Industry]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Products]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Strategy]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[Trends]]></category>
		<category><![CDATA[Collaboration]]></category>

		<guid isPermaLink="false">http://www.halbheer.info/security/2010/08/17/are-we-losing-the-fight-against-cybercrime</guid>
		<description><![CDATA[It is an interesting and difficult question. What can we do to really be able to stay on top? Or shall we give up? Well, clearly, I do not think so. I read this article today, which really made me &#8230; <a href="http://www.halbheer.info/security/2010/08/17/are-we-losing-the-fight-against-cybercrime">Continue reading <span class="meta-nav">&#8594;</span></a>


]]></description>
			<content:encoded><![CDATA[
<p>It is an interesting and difficult question. What can we do to really be able to stay on top? Or shall we give up? Well, clearly, I do not think so.</p>
<p>I read this article today, which really made me think: <a href="http://www.pcworld.com/article/203287/black_hats_are_winning_symantec_says.html" target="_blank">Black Hats are Winning, Symantec Says</a> – wow! A fairly clear statement. We lost (at least according to Symantec). And the solution is – you guess – new technology:</p>
<blockquote><p>&#8220;Technology that does not rely on capturing and analysing a threat in order to protect against it, like Symantec&#8217;s Reputation-Based Security, is indeed becoming imperative. Other methods that are also playing a key role in combating today&#8217;s most pervasive threats are heuristic, behavioural and intrusion prevention technologies.&#8221;</p></blockquote>
<p>So, I agree that new ways are needed but really in enhancing today’s technology? Sure, we have to make sure we keep up with what is going on, but is it a technology problem, which can be solved by the next generation of any security product?</p>
<p>Remember that, a few years ago, we launched Trustworthy Computing in order to change the way we, Microsoft, internally think but we always said that this is an industry initiative. After a while, we realized that this was not enough and we came up with a model we call <a href="http://www.microsoft.com/endtoendtrust" target="_blank">End to End Trust</a>. The reason we did that was fairly simple: We did the SD3+C (Security by Design, Secure by Default, Secure in Deployment and Communication), we introduced the Security Development Lifecycle, and we worked on specific threat mitigation (actually, this is what Symantec seems to refer to). But unless the underlying architecture does fundamentally change, we (the industry) will not be able to change the rules and always run behind the criminals.</p>
<p>So, the ecosystem needs the trusted stack and a sound identity system which allows for strong identities and for minimal disclosure at the same time – without risking the freedom of speech.</p>
<p>All this is not new, the technologies are available. The problem is that this is not a Microsoft challenge – it is an industry problem and the ecosystem has to buy in. We are doing a lot of groundwork there but as long as we are looking for medication to cure the symptoms and are not ready to look for the big bold changes, we will definitely lose. However, clearly we need to work on the medication in the meantime as well.</p>
<p>And then, let’s think about what this means for the Cloud… but this is something for another post…</p>
<p>Roger</p>



]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.info/security/2010/08/17/are-we-losing-the-fight-against-cybercrime/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Attacks on the Windows Help and Support Center Vulnerability (CVE-2010-1885)</title>
		<link>http://www.halbheer.info/security/2010/07/02/attacks-on-the-windows-help-and-support-center-vulnerability-cve-2010-1885</link>
		<comments>http://www.halbheer.info/security/2010/07/02/attacks-on-the-windows-help-and-support-center-vulnerability-cve-2010-1885#comments</comments>
		<pubDate>Fri, 02 Jul 2010 11:25:20 +0000</pubDate>
		<dc:creator>Roger</dc:creator>
				<category><![CDATA[Crime]]></category>
		<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[Incidents]]></category>
		<category><![CDATA[Microsoft]]></category>

		<guid isPermaLink="false">http://www.halbheer.info/security/2010/07/02/attacks-on-the-windows-help-and-support-center-vulnerability-cve-2010-1885</guid>
		<description><![CDATA[I blogged about the vulnerability which was publicly disclosed by a researcher working for Google earlier this month. In the meantime the attacks started to increase. I think that it would be important for you to look at what is &#8230; <a href="http://www.halbheer.info/security/2010/07/02/attacks-on-the-windows-help-and-support-center-vulnerability-cve-2010-1885">Continue reading <span class="meta-nav">&#8594;</span></a>


]]></description>
			<content:encoded><![CDATA[
<p>I blogged about the vulnerability which was publicly disclosed by a researcher working for Google <a href="http://www.halbheer.info/security/2010/06/11/vulnerability-disclosure-to-compete" target="_blank">earlier this month</a>. In the meantime the attacks started to increase. I think that it would be important for you to look at what is going on. There is a good blog post by our malware protection center: <a href="http://blogs.technet.com/b/mmpc/archive/2010/06/30/attacks-on-the-windows-help-and-support-center-vulnerability-cve-2010-1885.aspx" target="_blank">Attacks on the Windows Help and Support Center Vulnerability (CVE-2010-1885)</a></p>
<p>Roger</p>



]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.info/security/2010/07/02/attacks-on-the-windows-help-and-support-center-vulnerability-cve-2010-1885/feed</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Do we Need Special Laws?</title>
		<link>http://www.halbheer.info/security/2010/06/02/do-we-need-special-laws</link>
		<comments>http://www.halbheer.info/security/2010/06/02/do-we-need-special-laws#comments</comments>
		<pubDate>Wed, 02 Jun 2010 09:26:18 +0000</pubDate>
		<dc:creator>Roger</dc:creator>
				<category><![CDATA[Crime]]></category>
		<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[Legislation]]></category>
		<category><![CDATA[Terrorism]]></category>
		<category><![CDATA[Law Enforcement]]></category>
		<category><![CDATA[Policy Makers]]></category>

		<guid isPermaLink="false">http://www.halbheer.info/security/?p=1539</guid>
		<description><![CDATA[Well, yes we need Cybersecurity Legislation without doubt but sometimes the legislator goes too far in my opinion. I read this article this morning: Use Google Street View Maps &#38; Serve More Time. I quote: The state legislature in the &#8230; <a href="http://www.halbheer.info/security/2010/06/02/do-we-need-special-laws">Continue reading <span class="meta-nav">&#8594;</span></a>


]]></description>
			<content:encoded><![CDATA[
<p>Well, yes we need Cybersecurity Legislation without doubt but sometimes the legislator goes too far in my opinion. I read this article this morning: Use Google Street View Maps &amp; Serve More Time. I quote: <em>The state legislature in the U.S. state of Louisiana has passed a law adding extra time for committing a crime with an online map</em>. So, you get one year more if you use an online map preparing your crime. So, what about using pictures you can find on the Internet? What about other use of technology to prepare a crime? This simply gets too complex in my opinion.</p>
<p>Roger</p>



]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.info/security/2010/06/02/do-we-need-special-laws/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>A Detailed Analysis of an Attack &#8211; Do We Need an International Incident Sharing Database?</title>
		<link>http://www.halbheer.info/security/2010/04/21/a-detailed-analysis-of-an-attack-do-we-need-an-international-incident-sharing-database</link>
		<comments>http://www.halbheer.info/security/2010/04/21/a-detailed-analysis-of-an-attack-do-we-need-an-international-incident-sharing-database#comments</comments>
		<pubDate>Wed, 21 Apr 2010 12:46:34 +0000</pubDate>
		<dc:creator>Roger</dc:creator>
				<category><![CDATA[Associations]]></category>
		<category><![CDATA[Crime]]></category>
		<category><![CDATA[Critical Infrastructure Protection]]></category>
		<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[Government]]></category>
		<category><![CDATA[Incidents]]></category>
		<category><![CDATA[Industry]]></category>
		<category><![CDATA[Law Enforcement]]></category>
		<category><![CDATA[Legislation]]></category>
		<category><![CDATA[People]]></category>
		<category><![CDATA[Policy]]></category>
		<category><![CDATA[Process]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[Terrorism]]></category>
		<category><![CDATA[Trends]]></category>
		<category><![CDATA[Cloud]]></category>
		<category><![CDATA[Collaboration]]></category>
		<category><![CDATA[Hacking]]></category>
		<category><![CDATA[Incident Sharing]]></category>
		<category><![CDATA[International]]></category>
		<category><![CDATA[Policies]]></category>

		<guid isPermaLink="false">http://www.halbheer.info/security/2010/04/21/a-detailed-analysis-of-an-attack-do-we-need-an-international-incident-sharing-database</guid>
		<description><![CDATA[I recently came across a paper called Shadows in the Cloud, which is actually a follow-up report of Tracking GhostNet: Investigating a Cyber Espionage Network, an investigation of the attacks on the office of the Dalai Lama and some governmental &#8230; <a href="http://www.halbheer.info/security/2010/04/21/a-detailed-analysis-of-an-attack-do-we-need-an-international-incident-sharing-database">Continue reading <span class="meta-nav">&#8594;</span></a>


]]></description>
			<content:encoded><![CDATA[
<p>I recently came across a paper called <a href="http://www.shadows-in-the-cloud.net" target="_blank">Shadows in the Cloud</a>, which is actually a follow-up report of <a href="http://www.scribd.com/doc/13731776/Tracking-GhostNet-Investigating-a-Cyber-Espionage-Network" target="_blank">Tracking GhostNet: Investigating a Cyber Espionage Network</a>, an investigation of the attacks on the office of the Dalai Lama and some governmental bodies. The report is written by two bodies who had the privilege to investigate those attacks: the Information Warfare Monitor and the Shadowserver Foundation.</p>
<p>Even though the report has been out for quite some weeks, I think it makes sense to dig into it here as there are a few fairly remarkable conclusions and statements in there. One of the key things we should think about globally is an <strong>International Incident Sharing Database</strong> (see the end of the post).</p>
<p><strong>Sharing and Collaboration</strong></p>
<p>If you are a regular reader of my blog posts, you know that I am a big supporter of international collaboration and I am clear about the need of a common set of rules to establish this collaboration. If you read through the paper, you see in different areas that they were challenged during the investigation. On page 8 they state that <em>On our side, we felt unsure about the protocol around information sharing, and were in an awkward position to be able to give information over to governments and affected parties directly without being entirely clear about whom would be responsible and whether or not our interlocutors were appropriate authorities. The notification problems around Ghostnet informed our approach to the Shadows in the Cloud investigation, including being more conscious from the outset of documenting our notification procedures.</em> Think about that for a second. You investigate a security incident e.g. in your company. During the investigation you realize that you are not the only victim but that there are others, be it companies or governments. What do you do with this information? Whom do you contact? How can you be sure that this information gets into the right hands? A fairly hard question to answer and finally, what kind of information are you allowed to pass on? Additionally, <em>Information sharing, generally speaking, is immature and underdeveloped, often hampered by proprietary concerns surrounding the commercial market for cyber security services (page 10)</em> and <em>Information sharing among victims of network intrusions and espionage is rare (page 10).</em> Well, what I see fairly often is, that incidents do not happen as they are not supposed to happen. Rarely somebody talks openly about what happened to them.</p>
<p>In order to combat such attacks, the legal collaboration is key (again <img src='http://www.halbheer.info/security/wp-includes/images/smilies/icon_smile.gif' alt=':-)' class='wp-smiley' /> ). As otherwise,<em> it points to the possibility of a perfect storm that may result from a lack of international consensus, ill-developed and implemented security practices, a paucity of notification mechanisms, and the growing confluence of cyber crime, traditional espionage, and the militarization of cyberspace (page 10).</em> This simply tells us that we will lose the fight without international legal collaboration and harmonization as well as the willingness of the public and the private sector to share information.</p>
<p><strong>Technology</strong></p>
<p>From a technical perspective, they started to use Internet-based services. For example, they used Twitter to control the botnet as well as free mail services like Gmail and free blog services like Baidu. This is to enhance the command and control infrastructure of a botnet, something I was never aware of but is actually a logical enhancement of what we know already. The next point, when it comes to technology is the software they seem to have exploited: <em>We observed the group using PDF, PPT, and DOC file formats to exploit Adobe Acrobat and Acrobat Reader, Microsoft Word 2003 and Microsoft PowerPoint 2003 </em>– old software, software which was designed to cope with completely different threats than the ones existing today! And even if they decided to stay on the previous versions: <em>The Microsoft Word 2003 and PowerPoint 2003 files were mostly older exploits, which have been circulating in the underground hacker community for some time. </em>In other words: It is about patch management again… But to be fair, they fell victim to some vulnerabilities in PDF which were not patched at the time of the attack.</p>
<p><strong>Source</strong></p>
<p>Finally, let’s think about the people behind the attacks. It is a common understanding that the attacks originated from China. The Chinese government was accused of being the source behind them, but it denied this and it has never been proven otherwise. Generally – not only in China – it can be expected that there is a close collaboration between governments and hackers, or as the report states: <em>The degrees of the reported relationship vary between “authorize” to “tacit consent” to “tolerate” (Henderson 2007b).</em></p>
<p><strong>Conclusions</strong></p>
<p>What can we learn from the report? Actually nothing new, it just reinforces my view of the world:</p>
<ul>
<li>We have to be better at <strong>sharing incident information</strong>. This has two sides: One is between victims. There has to be a way (and, honestly, I do not have a solution yet) to find the right contact within a government or an organization to help them understand that they were attacked. </li>
<li>We need smooth and fast <strong>international legal collaboration</strong>. This has to be based on a solid harmonized legislation. </li>
<li>There are two calls when it comes to your software maintenance: Make sure you are on the latest version of your software and make sure you are patched. <strong>Patch Management</strong> is one of the fundamental processes in your organization! </li>
</ul>
<p>And now to the final point, which I have been thinking about for quite a while. The airline industry suffered initially from quite a few technical incidents. The way the industry finally dealt with it was to establish a sharing of incident information (as well as near misses) and a global body taking care of airline safety (together with the willingness of the governments to collaborate and share). The same has now started in the healthcare sector in certain countries. </p>
<p>When it comes to Information Security we all deny incidents unless they become public – because we fear an impact on our reputation. We have to start thinking differently. We need a place where we are able to (anonymously?) file incidents which happened, or ways somebody was attacked, to be shared between security professionals. That’s the only way we can learn collectively and increase the pace at which products become better at defending and security professionals improve their skills in protecting critical information. The critical question is: who can own such a database? It has to be an organization which is trusted internationally and therefore cannot be state-owned. It could be an international association or an inter-governmental organization. Ideas are very welcome as I am convinced that there is a huge need for an <strong><u>International Incident Sharing Database</u></strong>.</p>
<p>Roger</p>



]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.info/security/2010/04/21/a-detailed-analysis-of-an-attack-do-we-need-an-international-incident-sharing-database/feed</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Piracy and Legal Consequences</title>
		<link>http://www.halbheer.info/security/2010/04/06/piracy-and-legal-consequences</link>
		<comments>http://www.halbheer.info/security/2010/04/06/piracy-and-legal-consequences#comments</comments>
		<pubDate>Tue, 06 Apr 2010 20:13:31 +0000</pubDate>
		<dc:creator>Roger</dc:creator>
				<category><![CDATA[Legislation]]></category>
		<category><![CDATA[Piracy]]></category>
		<category><![CDATA[Crime]]></category>
		<category><![CDATA[Law Enforcement]]></category>

		<guid isPermaLink="false">http://www.halbheer.info/security/2010/04/06/piracy-and-legal-consequences</guid>
		<description><![CDATA[I would like to start with an important statement: This is the first blog post I made with a disclaimer to start with. The content of this post is not an official Microsoft position and might not reflect the Microsoft &#8230; <a href="http://www.halbheer.info/security/2010/04/06/piracy-and-legal-consequences">Continue reading <span class="meta-nav">&#8594;</span></a>


]]></description>
			<content:encoded><![CDATA[
<p>I would like to start with an important statement: <strong>This is the first blog post I made with a disclaimer to start with. The content of this post is not an official Microsoft position and might not reflect the Microsoft opinion!</strong></p>
<p>Let’s have a chat about piracy. When I look at my neighborhood, I often (very often) have discussions about how legal it is to copy software and use cracked software and copied DVDs and copied music. In Switzerland, we have a piracy rate on software of approx. 25% – this is where I live and this is one of the richest countries on the globe. If you take this figure: How would you feel if every fourth hour you are working is not paid? I would go ballistic! This would be unacceptable to me.</p>
<p>Still, a lot of people think that it is not really a problem if they use resources – illegal resources – which are freely available on the Internet. A lot of people think that it is just a peccadillo to copy, be it books, music or software. I recently posted on Twitter “What is your view? I think it is a good idea: Illegal downloaders face web ban <a href="http://ow.ly/xGaK">http://ow.ly/xGaK</a>” and got a lot of harsh reactions. I hope that a lot of those people will – in the future – work at least one hour every four for the community as they seem to expect this to happen for the software industry.</p>
<p>Now, let me take another position: I think it is great that we introduced a limited offer (do not ask me why it is limited) of a Windows 7 Family Edition to be installed within your household at max. three times – this covers a huge need of families, who might otherwise often have copied or cracked it instead. Whenever I can avoid it, I do not download technically protected music – and let me tell you why (please, if you quote me, quote me in context): Why should I pay for music to be used on only my MP3 player? I am listening to music from my PC during work, my business notebook during travel, my Zune during flights, my car during travel and last but not least my Mediacenter. If the music is copyright protected, this does not work. I am allowed to copy it but not to break any copyright protection. So, this model sucks. I understand that an artist wants money for the music and I am definitely willing to pay for it (see my point above – I do not work for free either) but I want to consume it whenever I want, wherever I want. If I use music that is not technically protected, I can leverage it across all my systems. Otherwise I cannot – and this sucks. Is this a reason to hack it – no. Is it a reason not to buy it – definitely.</p>
<p>I see the need of the entertainment industry to protect its assets. On the other hand I see the requirements of the consumers, which are often ignored. What scares me much more is the way we raise children. Growing up in a household where copying of illegal content is just a normal thing, with what values do these kids grow up? Basically with a mindset that stealing is illegal if we deal with physical goods but not really illegal for non-physical goods? So, stealing is just a little bit illegal. Or is it just illegal if it fits us personally?</p>
<p>Therefore, the British approach above to ban illegal downloaders might be drastic but is it that far-fetched? Is it really going too far? What do we do with trespassers in the physical world and why is this different on the Internet?</p>
<p><strong>A final remark: If you quote me, please quote me in context. Additionally I want to state again, that this is my personal opinion!</strong></p>
<p>Roger</p>



]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.info/security/2010/04/06/piracy-and-legal-consequences/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Council of Europe &#8211; Octopus Conference (Cooperation against Cybercrime) &#8211; Key Messages</title>
		<link>http://www.halbheer.info/security/2010/03/26/council-of-europe-octopus-conference-cooperation-against-cybercrime-key-messages</link>
		<comments>http://www.halbheer.info/security/2010/03/26/council-of-europe-octopus-conference-cooperation-against-cybercrime-key-messages#comments</comments>
		<pubDate>Fri, 26 Mar 2010 20:51:13 +0000</pubDate>
		<dc:creator>Roger</dc:creator>
				<category><![CDATA[Crime]]></category>
		<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[Government]]></category>
		<category><![CDATA[Law Enforcement]]></category>
		<category><![CDATA[Legislation]]></category>
		<category><![CDATA[Terrorism]]></category>
		<category><![CDATA[Cloud]]></category>
		<category><![CDATA[Critical Infrastructure]]></category>

		<guid isPermaLink="false">http://www.halbheer.info/security/2010/03/26/council-of-europe-octopus-conference-cooperation-against-cybercrime-key-messages</guid>
		<description><![CDATA[I blogged on Day 1 and Day 2 but as I expected, I was unable to blog yesterday on the conference. However, let me just briefly give you my impression of the final day: The core part of this last &#8230; <a href="http://www.halbheer.info/security/2010/03/26/council-of-europe-octopus-conference-cooperation-against-cybercrime-key-messages">Continue reading <span class="meta-nav">&#8594;</span></a>


]]></description>
			<content:encoded><![CDATA[
<p>I blogged on <a href="http://www.halbheer.info/security/2010/03/23/council-of-europe-octopus-conference-cooperation-against-cybercrime-day-1" target="_blank">Day 1</a> and <a href="http://www.halbheer.info/security/2010/03/24/council-of-europe-octopus-conference-cooperation-against-cybercrime-day-2" target="_blank">Day 2</a> but as I expected, I was unable to blog yesterday on the conference. However, let me just briefly give you my impression of the final day:</p>
<p>The core part of this last day was a whole block on Cloud Computing. There were different presentations on the subject and then a panel discussion, which I had the opportunity to be part of. There are a few key conclusions for the cloud from my point of view:</p>
<ul>
<li>Looking at the presentations (mainly done by “Cloud Specialists”), there is a huge gap between the lawyers and the IT security people. The presenters – in my opinion – were unable to explain the cloud to a lawyer. The presentations (and some of the statements) were very good if you have an IT background. But those with a legal background who are not too IT literate (as most of the judges and prosecutors are), I guess, still do not know more about the cloud than before – a missed opportunity. </li>
<li>We therefore have to find a common language. We have to be able and willing to channel our excitement and explain it to non-IT people. I once had a manager who told me that I have to be able to explain something to a 6-year-old child. We have to bring the cloud to that level. A lot of people I talked to do not understand the difference between Windows, Internet Explorer and Facebook or Twitter. To them, that’s one and the same. And to be clear – they are not dumb. I have the same problem when they try to explain to me the details of the Cybercrime Convention and the application within European and local law. </li>
<li>The industry performs poorly (I am kind of stuck in the communication channel). We either oversimplify (oh, security is solved in the cloud as the pros take care of it – the typical message of one of the biggest cloud providers) or we add too much complexity – this has to change. </li>
<li>The panel was in agreement that international – even global – rules are needed for the cloud and the corresponding rules and regulations. One of the panelists compared it with Maritime or Air Traffic legislation. This is regulated on a global basis. Something similar is needed. </li>
</ul>
<p>Finally, the conference always concludes with key messages and summaries from the workshops. The strongest one – I had the feeling – was the one for ICANN (see highlighted below). That’s the excerpt from the final document:</p>
<p><em>In this connection, participants in the conference underline that:</em></p>
<ul>
<li><em>For security and the protection of rights to reinforce each other, measures against cybercrime must follow principles of human rights and the rule of law.</em> </li>
<li><em>Security and the protection of rights is the responsibility of both public authorities and private sector organisations.</em> </li>
<li><em>Broadest possible implementation of existing tools and instruments will have the most effective impact on cybercrime in the most efficient manner.</em> </li>
</ul>
<p><em>Following detailed discussions, participants recommend:</em></p>
<ul>
<li><em>Making decision makers aware of the risks of cybercrime and encouraging them to exercise their responsibility. Indicators of political commitment include steps towards the adoption of legislation and institution building, effective international cooperation and allocation of the necessary resources.</em> </li>
<li><em>Implementation of the Budapest Convention on Cybercrime worldwide to sustain legislative reforms already underway in a large number of countries. Countries should consider becoming parties to make use of the international cooperation provisions of this treaty. Consensus on this treaty as a common framework of reference helps mobilise resources and create partnerships among public and private sector organisations. In this connection, the ratification of the Budapest Convention by Azerbaijan, Montenegro and Portugal prior and during the conference, and the expression of interest to accede by Argentina and other countries serve as examples to other countries.</em> </li>
<li><em>Establishing the Budapest Convention as the global standard goes hand in hand with strengthening the Cybercrime Convention Committee (T-CY) as a forum for information sharing network, policy-making and standard-setting. It is encouraged to address issues not (exhaustively) regulated by the provisions of the Cybercrime Convention such as electronic evidence, jurisdiction and liability of ISP’s.</em> </li>
<li><em>Coherent and systematic training of law enforcement, prosecutors and judges based on good practices, concepts and materials already available.</em> </li>
<li><em>The establishment and strengthening of high-tech crime and cybercrime units, and incidents response and reporting teams and systems.</em> </li>
<li><em>The development of cooperation procedures between law enforcement agencies, CERTs/CSIRTs as well as internet service providers and the IT industry. </em></li>
<li><em><strong>Due diligence by ICANN, registrars and registries and accurate WHOIS information. Endorsement of the “Law Enforcement Recommended Amendments to ICANN’s Registrar Accreditation Agreement (RAA) and Due Diligence Recommendations” in line with data protection standards. ICANN is encouraged to implement these recommendations without delay.</strong></em> </li>
<li><em>The many networks and initiatives against cybercrime that exist already create a dynamic and innovative environment involving a wide range of actors. Stronger networking among networks is encouraged to allow for synergies and reduce duplication. The mapping of networks exercise initiated by the Council of Europe should be continued. </em></li>
<li><em>A contact list for enhanced cooperation between industry and law enforcement should be established. A proposal for a secure portal for interest parties is in preparation.</em> </li>
<li><em>Initiatives aimed at preventing, protecting and prosecuting the sexual exploitation and abuse of children are most valuable but require stronger support and consistency. The “Lanzarote” Convention of the Council of Europe (CETS 201) offers guidance in this respect and provides benchmarks to determine progress.</em> </li>
<li><em>Making use of the guidelines for law enforcement – ISP cooperation adopted at the Octopus Conference in 2008. </em></li>
<li><em>Completion and broad dissemination of the results by the Council of Europe of the typology study on criminal money flows on the Internet that is currently underway.</em> </li>
<li><em>In order to meet the law enforcement and privacy challenges related to cloud computing existing instruments on international cooperation – such as the Data Protection Convention (CETS 108) and the Budapest Convention – need to be applied more widely and efficiently. Additional international standards on law enforcement access to data stored in the “clouds” may need to be considered. Globally trusted privacy and data protection standards and policies addressing those issues need to be put in place and the Council of Europe is encouraged to continue addressing these issues in its standard-setting activities as well as by the Global Project on Cybercrime.</em> </li>
</ul>
<p>The website of the event is here: <a href="http://www.coe.int/t/dghl/cooperation/economiccrime/cybercrime/cy-activity-Interface-2010/Interface2010_en.asp" target="_blank">Octopus Interface 2010</a> and these are the <a href="http://www.coe.int/t/dghl/cooperation/economiccrime/cybercrime/cy-activity-Interface-2010/2079_IF10_messages_1p%20key%20prov%20_26%20mar%2010_.pdf" target="_blank">Key Messages</a>. </p>
<p>It was – once more – a very good conference. That the collaboration has become closer could also be seen in the fact that there was not a single session from which the private sector was excluded. Talking about the private sector: it is a real shame that quite a few key players from the industry are still not very active in supporting such activities. Just joining the conference does not solve the problems.</p>
<p>Roger</p>



]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.info/security/2010/03/26/council-of-europe-octopus-conference-cooperation-against-cybercrime-key-messages/feed</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Council of Europe &#8211; Octopus Conference (Cooperation against Cybercrime) Day 2</title>
		<link>http://www.halbheer.info/security/2010/03/24/council-of-europe-octopus-conference-cooperation-against-cybercrime-day-2</link>
		<comments>http://www.halbheer.info/security/2010/03/24/council-of-europe-octopus-conference-cooperation-against-cybercrime-day-2#comments</comments>
		<pubDate>Wed, 24 Mar 2010 16:10:25 +0000</pubDate>
		<dc:creator>Roger</dc:creator>
				<category><![CDATA[Government]]></category>
		<category><![CDATA[Law Enforcement]]></category>
		<category><![CDATA[Legislation]]></category>
		<category><![CDATA[People]]></category>
		<category><![CDATA[Policy]]></category>
		<category><![CDATA[Process]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Cloud]]></category>
		<category><![CDATA[Crime]]></category>
		<category><![CDATA[Critical Infrastructure]]></category>
		<category><![CDATA[Cybercrime]]></category>

		<guid isPermaLink="false">http://www.halbheer.info/security/2010/03/24/council-of-europe-octopus-conference-cooperation-against-cybercrime-day-2</guid>
		<description><![CDATA[And the second day starts. I just met with Jeremy Kirk from IDG and it is great to see that the press is actually interested in such a conference as well. The day today started with a long session on &#8230; <a href="http://www.halbheer.info/security/2010/03/24/council-of-europe-octopus-conference-cooperation-against-cybercrime-day-2">Continue reading <span class="meta-nav">&#8594;</span></a>


]]></description>
			<content:encoded><![CDATA[
<p>And the second day starts. I just met with Jeremy Kirk from IDG and it is great to see that the press is actually interested in such a conference as well. </p>
<p>The day today started with a long session on different initiatives against cybercrime. A lot of good information:</p>
<ul>
<li><strong>Interpol</strong> offers quite some good services to the police stations across the globe: A 24*7 center to bridge between the different police forces (sometimes just to overcome language barriers), a central database to share information on crimes, etc. Additionally they train police forces on cybercrime and investigation all across the globe for law enforcement officers. </li>
<li><strong>London Action Plan:</strong> The largest network of civil authorities, but it is open to participation by the industry. Even though it is called “London Action Plan” it is a global public-private partnership, formed in 2004, and covers data protection agencies, consumer protection agencies, the private sector, etc. They want to strengthen the network, increase the knowledge and share best practices and emerging threats. Basically it is about how the different parties can use their tools and knowledge in a cooperative way to conduct investigations. </li>
<li><strong>GPEN (Global Prosecutor E-Crime Network):</strong> It is owned by the Association of International Prosecutors. Basically this is a big sharing initiative for prosecutors on cybercrime. One of the key areas is about sharing training packs for capacity building. Additionally, they run a website with a forum where they share approaches to cases (no sensitive information) – a fairly interesting approach. Finally, they share material such as videos and presentations about how to present cases in court (like how a botnet works, what a Trojan horse does…). </li>
<li><strong>InHope:</strong> InHope is a network of hotlines against illegal content like child sexual abuse images (actually the core of their work), extreme violence, racism, etc. They want to work on standardization (or best practices) of how such reports are handled to make law enforcement more effective. They are covering 31 countries today and are looking into growing into more developing countries. </li>
<li><strong>Global Network Initiative:</strong> An initiative to support freedom of expression and privacy. The challenge they want to address is the conflict global companies face where local legislation conflicts with human rights on the Internet. So, the GNI developed a set of principles to advance human rights on the Internet. </li>
<li><strong>Anti-Phishing Working Group: </strong>It is fairly obvious what they do. A few years back, they actually organized an event in Europe (I think it was in Berlin) on how to collaborate on phishing cases. One of the projects they are running at the moment is about sharing data with law enforcement. It is basically about automated processing of e-crime data and writing “the story” for the prosecutor and judge. So, it is about harmonizing databases and file formats. A good idea, I am just wondering whether the law enforcement agencies will pick it up and really share the data as they do not share the data today – because they are often not allowed to share… Where they definitely will be successful is when it comes to data on phishing cases. </li>
<li><strong>Messaging Anti-Abuse Working Group (MAAWG):</strong> This working group actually has its roots in the time when e-mail came up significantly and when e-mail started to get abused. So, the working group mainly consists of ISPs as well as some security vendors as well as companies which rightfully use e-mail for marketing purposes. So, basically it is about collaborating to fight spam (which often is one of the roots of cybercrime attacks) and they have a lot of good guidelines like the use of port 25 etc. </li>
</ul>
<p>What I liked with this network sharing workshop is that I never heard from any of the networks “we are the ones” but much more: We want to collaborate and not duplicate efforts – a great position we need. If you want to get an overview of the different networks which exist, the Council of Europe has a good overview: <a href="http://www.coe.int/t/dghl/cooperation/economiccrime/cybercrime/Documents/networks/Networks_en.asp" target="_blank">Anti-cybercrime networks, organisations and initiatives</a></p>
<p>The afternoon was about effective measures against sexual exploitation and abuse of children on the internet. I was fairly new to this theme. So, there are a few key findings for me: </p>
<ul>
<li>Just access for children to law enforcement is a huge problem. But there are initiatives to address this – also for the children who are most exposed, like children without parents.</li>
<li>This is a very big social problem. It is not necessarily a legal challenge (which it is as well but there are guidelines for it) but – again – how can a victim really exercise their rights?</li>
<li>There is a lot of interesting (and shocking) information available on the website of ECPAT International: <a title="http://www.ecpat.net/EI/EI_publications.asp" href="http://www.ecpat.net/EI/EI_publications.asp" target="_blank">http://www.ecpat.net/EI/EI_publications.asp</a></li>
</ul>
<p>So far it was – as always – a very interesting and valuable conference. I am not sure whether I can write about tomorrow as I will be in a panel on the Cloud in the morning and then on the road.</p>
<p>Roger</p>



]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.info/security/2010/03/24/council-of-europe-octopus-conference-cooperation-against-cybercrime-day-2/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Council of Europe: We need ONE Cybercrime Convention</title>
		<link>http://www.halbheer.info/security/2010/03/24/council-of-europe-we-need-one-cybercrime-convention</link>
		<comments>http://www.halbheer.info/security/2010/03/24/council-of-europe-we-need-one-cybercrime-convention#comments</comments>
		<pubDate>Wed, 24 Mar 2010 08:30:04 +0000</pubDate>
		<dc:creator>Roger</dc:creator>
				<category><![CDATA[Government]]></category>
		<category><![CDATA[Law Enforcement]]></category>
		<category><![CDATA[Legislation]]></category>
		<category><![CDATA[Crime]]></category>

		<guid isPermaLink="false">http://www.halbheer.info/security/2010/03/24/council-of-europe-we-need-one-cybercrime-convention</guid>
		<description><![CDATA[As you saw from previous posts, I am at the Octopus Conference on Cooperation against Cybercrime at the moment. We had yesterday the Deputy Secretary General of the Council of Europe and one of her key statements was that different &#8230; <a href="http://www.halbheer.info/security/2010/03/24/council-of-europe-we-need-one-cybercrime-convention">Continue reading <span class="meta-nav">&#8594;</span></a>
]]></description>
			<content:encoded><![CDATA[
<p>As you saw from previous posts, I am at the Octopus Conference on Cooperation against Cybercrime at the moment. Yesterday we had the Deputy Secretary General of the Council of Europe, and one of her key statements was that different bodies (like the Council of Europe, UN etc.) should not compete. The Budapest Convention by the Council of Europe is now about 9 years old. So, let’s leverage this in the future as well. Jeremy Kirk, IDG, covered this yesterday as well: <a href="http://www.networkworld.com/news/2010/032310-council-of-europe-pushes-for.html" target="_blank">Council of Europe pushes for only one cybercrime treaty</a></p>
<p>This definitely makes sense, no?</p>
<p>Roger</p>



]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.info/security/2010/03/24/council-of-europe-we-need-one-cybercrime-convention/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
