DarkSide Brothers Reality Check - Botnets? Is that the Worst of it? Part I

December 20th, 2007 Drazen Drazic Posted in Industry Specialists Talk

Darkside Brothers Reality Checks are article submissions to Beast or Buddha from two well respected industry researchers and consultants. Are they serious and on the ball or swaying towards conspiracy lunacy? I’ll leave it with you to work out your own opinions.

In response to the previous Beast or Buddha post on the Billion owned systems. (The SMH has had time to correct if they thought they were wrong but that’s beside the point):

We really need to move on from the idea that unless your motd is “lol fluffy bunny pwnd j00!” your computer is fine.

All your links are owned: http://cryptome.org/nsa-ip-update10.htm.

Every scrap of data that has touched the Internet has been captured under Wholesale Surveillance (owned): http://www.dailykos.com/storyonly/2006/4/8/14724/28476/. (Think MITM, passwords for all your sites (that you re-use for your work VPN, your email and all the encrypted communications and PGP passphrases too).)

Look back at every 0day in MS Windows and think about the 6-12 months that it took to get patched. Don’t forget we have the source to Linux. You may not be reading the source, but the ‘bad guys’ are. And now remember that these disclosed vulnerabilities are just the ones that the ‘good guys’ are giving away. Now remember that 0day vulns are worth something. A lot. Good vuln researchers don’t disclose their best finds. They sell them. For lots of money. People are willing to pay lots of money for them, and not because they love being generous: because they get a return on their investment.

Your phones are owned. http://blogs.securiteam.com/index.php/archives/1028. And the scary thing is when this was disclosed, no one really cared. “*shrug* yeah of course they are” was the response I got from everyone I spoke to.

And what’s not to say that some of these vulns that we keep finding are an intentional mistake? If someone finds “loginasrootwithoutpassword()” while doing a code review, it will raise an eyebrow, but a common buffer overflow will be forgiven. No one has ever punished a vendor for writing bad code. If (as an industry) we did, we wouldn’t have bad code anymore.

Considering the value of vulnerabilities, it’s quite likely that someone, somewhere has deliberately coded in a vuln to sell at a later date. Don’t forget that a lot of organisations who buy these vulnerabilities never disclose them - so there is no fear of getting caught for the coder.

Are you trying to tell me that everyone who volunteers on every open-source project has been background checked and has good intention? Same for commercial software organisations? Cryptome repeatedly proves the pressure companies are under to submit to government requirements to enable silent surveillance. We know about the phones and the ISPs - what else?

Every aspect of interaction with our beloved computers has been compromised in one way or another. It’s time for us to sit down and think about this. You can patch your system until the Earth ends, but it won’t protect you from any of this. Neither will your firewalls, your IPS or your AV.

The whole industry revolves around scrambling to fix a known problem. The commercialisation of software vulnerabilities means that now we don’t get the luxury of knowing “the problem” anymore.

4 Responses to “DarkSide Brothers Reality Check - Botnets? Is that the Worst of it? Part I”

  1. Even if you’re partially right, the implications are the same as being 100% correct because the knowing as to whether you fall into area of risk so to speak would be near impossible. Get where I am coming from?

    Interesting also how in recent times quite a few well known and respected ‘industry specialists’ have been talking it up similar.

    The press don’t run with this and even if they do pop out a story here or there, they don’t seem to understand or have the expertise to follow through with what would be described as a probing investigation. If they are doing it, I have missed it and I would assume this would be classified as a big story.

  2. Drazen Drazic Says:
  3. DarkSide Brother 0 Says:

    @SFB

    I get where you are coming from. It’s just not possible for us to prove, beyond reasonable doubt, that our systems are within our control. The risk footprint is so large.

    Just as the first stop to PCI compliance is to reduce the footprint of scope, the first step to securing your systems is to reduce the risk footprint.

    Understand your business, understand your technology and remove absolutely everything that you don’t need.

  4. Drazen Drazic Says:

    0, luv the name…..totally right…..point 2 of the following is key and the biggest factor in all of this:
    http://beastorbuddha.com/2007/11/10/the-7-reasons-why-businesses-are-insecure/

    I have yet to see one organisation that actually does risk management in IT! They all talk it but NO ONE organisation does it!

    Happy to debate anyone here on this topic. The last time I threw this out, no responses also but then again, anyone reading BorB is of the same kin anyway…..

    Bring on the next CIO Awards!
