Schneier on Security
A blog covering security and security technology.
« AES Timing Attack |
| Insider Threats »
May 17, 2005
Fearmongering About Bot Networks
Bot networks are a serious security problem, but this is ridiculous. From the Independent:
The PC in your home could be part of a complex international terrorist network. Without you realising it, your computer could be helping to launder millions of pounds, attacking companies' websites or cracking confidential government codes.
This is not the stuff of science fiction or a conspiracy theory from a paranoid mind, but a warning from one of the world's most-respected experts on computer crime. Dr Peter Tippett is chief technology officer at Cybertrust, a US computer security company, and a senior adviser on the issue to President George Bush. His warning is stark: criminals and terrorists are hijacking home PCs over the internet, creating "bot" computers to carry out illegal activities.
Yes, bot networks are bad. They're used to send spam (both commercial and phishing), launch denial-of-service attacks (sometimes involving extortion), and stage attacks on other systems. Most bot networks are controlled by kids, but more and more criminals are getting into the act.
But your computer a part of an international terrorist network? Get real.
Once a criminal has gathered together what is known as a "herd" of bots, the combined computing power can be dangerous. "If you want to break the nuclear launch code then set a million computers to work on it. There is now a danger of nation state attacks," says Dr Tippett. "The vast majority of terrorist organisations will use bots."
I keep reading that last sentence, and wonder if "bots" is just a typo for "bombs." And the line about bot networks being used to crack nuclear launch codes is nothing more than fearmongering.
Clearly I need to write an essay on bot networks.
Posted on May 17, 2005 at 3:33 PM
• 39 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Who is this Dr Peter Tippett? I'm guessing his setting his company up for a big fat cost plus government contract!
The threat is clearly being overplayed by Cyphertrust, although I'm not surprised. The last I'd heard of Peter Tippett was of his hacker tracking network.
The threat of attacks by bots is certainly real, and the effects can be devastating - I've written about them in my blog, here, here and here for those that might be interested in handling the threat from a small business perspective.
That article is utter nonsense. Clearly the author has no idea how the nuclear launch codes work and is purely scaremongering.
For a bot network attack to threaten nuclear security by using a brute-force attack against the codes, the nuclear trigger would have to be fully automated.
In actual fact the launch process is about as far from automated and as low-tech as it could possibly be. It involves numbers printed on cards stored in safes stored both at sea and on land which have to match up.
The EAM or launch message is encrypted and manually sent out from various different sources and contains details of the 'target package' (i.e. the lucky recipients)
Further, Trident commanders are under orders to surface and radio for confirmation should they receive a valid launch EAM.
I was always wondering - why does nuclear rockets launching switches and control connected to the Internet =)
Vaguely reminiscent of War Games. Up for a game of Global Thermonuclear War, anybody?
It is astonishing and down-right frightening that someone like Dr. Tippett can manouver into a position where he has the ear of the President of the United States. It is even more worrying that a screening process over various crack-pots did not filter him out before he got there.
Something is rotten in the United States of America...
Sounds like nonsense to me. For anyone fearing "a million computers" breaking your government's nuclear launch codes (even if they had anything to do with encryption) here's a copy/paste from one of Bruce's articles: "A sure way of breaking an algorithm is to try every possible key. Modern algorithms have a key so long that this is impossible; even if you built a computer out of all the silicon atoms on the planet and ran it for millions of years, you couldn't do it."
An essay on bot networks is really needed.
Seems like the author of the text has little formal background on cryptography and was influenced by media-driven concepts.
I find it interesting how static some people think cryptography and its applications are. They seldom consider that even if those networks get enough processing power and momentum to become a threat to current cryptographic systems, technology will evolve.
The notion that terrorists could use a botnet to launch nuclear missles is ridiculous, of course. We should not overlook its potential use as a propaganda tool though. I have oft wondered, for instance, how militant groups in Iraq manage to post materials onto the web without being tracked down. And it wouldn't surprise me at all if in the future terrorists take to using spam to directly intimidate the American public. It's incredibly cheap way to "drop leaflets" over your enemies. I think Sober.Q is a prelude to what's to come.
With the launch code remark, Tippett has just flushed whatever credibility he had down the toilet.
We all know terrorist is a loaded word. Although I can't read the article (not a subscriber) the idea of using bot networks to cause a publicized DOS of some critical financial systems does not seem so far fetched to me and well within the ideologies of existing organized groups that some would consider "terrorists".
From a *real* article on nuclear weapons security:
"Only the launch keys, not the codes, are physical prerequisites for generating valid launch commands, the purpose of the codes being exclusively that of authenticating an execution directive." -- http://www.cdi.org/blair/...
Obviously the human is still completely in the loop, thus the logic of the human brain is. While a forged order to launch a missile at a foe during an emergency might still work, I doubt one would work during normal times.
So one of Bush's advisors says such things?
I guess they're good for one another...
Yeah - string him up!
It could not possibly be that some news agency misquoted the fellow or took him out of context.
Better to start a riot than check the facts... right Newsweek?
I have to admit I have been wondering about that Newsweek thing, too. The Koran-in-the-toilet story has been reported in the news for years. Near as I can tell, the source never retracted the story -- which has been corroborated again and again -- only whether or not it was in a particular report.
On the other side, you'd think that rapes and murders would incite more protest than religious desecration.
And in the middle, it's clear that the riots and protests were planned for a while, and that this was just a convenient excuse.
I have to admit that I can't figure out what the story is here.
Of damn course it's fearmongering. What has the United States government been doing since 9/11? Nothing but fearmongering. For such FUD to vomit from the mouth of someone connected to the president is of no surprise at all to me.
The article is rash and obviously designed to do nothing more than profiteer from fear and the US President's paranoia and penchant for talking about terrorism.
For those who have an open mind yopu can see this, but the employment of the nuclear launch code thread has just evaporated any credibility this article and it's author has.
Someone put the record as straight as is possible.
> Clearly I need to write an essay on bot networks.
Aren't you getting a bit cocky here, Bruce? Not that I wouldn't like to read it.
It's only crackpot if it's not intune with your thought processes.
You should ask how did a crackpot become a presidential advisor, and follow the chain of logic ;)
I thought it was another story from the Onion. I like the bit where he encourages everybody to use a wireless router.
The problem with "Bot nets" or "intelegent user agents/networks" as they where once called is that they are dual purpose (like the worms an AT&T bod proposed for applying security patches to OSs).
Back in the early 1990's a proffesor at the Open University in the UK was activly seaking researchers into what he called "Inteligent user agents" his idea was to use the spare computing capacity on machines to find usefull information on the Internet or do other relevance type activities then "push" back information that matched the search criteria to the originator.
The problem that was posed to him was "what if 10% of Internet connected people launched bots to find information?". The answer is of course a DoS attack even if there are good control mechanisums in place.
I just love the opening and closing comments about Peter Tippett in his BioPic on the Cybertrust web site,
"Peter Tippett has led the computer security industry for more than 15 years"
"Dr. Tippett is a trained scientist with both a Ph.D. and MD from Case Western Reserve University"
Oh and he has worked for Symantec that well known purvayor of Security bloatware ;)
"'Clearly I need to write an essay on bot networks.' Aren't you getting a bit cocky here, Bruce? Not that I wouldn't like to read it."
Didn't mean it to come out that way. It's an interesting topic; that's all. It nicely illustrates the shift in computer attackers from hackers to criminals
Perhaps Dr Tippett has been watching too much Dr Who, with the web interface to launching missiles...
Blaming everything on "terrorists" is like the age-old phrase "think of the children!" It is yet another word that has been misused so many times it is worthless as a means of communication, and instead is a slogan meant to provoke a pavlovian response. Just like, oh, how about "democracy" as a knee-jerk word that can be used to commit/cover-up any crime. Those words are being used to prevent people from thinking. Ahh, good old-fashioned newspeak. For doubleplus good bellyfeel
Nuclear launch codes might be a bit of a leap here, but I don't think you can discount the power of distributed computing.
Using a wireless router is less riskier than leaving your unpatched windows PC connected straight to your DSL or cable modem.
Nearly all the wireless routers out there have the firewall enabled by default as well as standard default deny from the external side.
Is it me or has there been a rise in journalists who are less than savvy writing these kinds of stories? It all seems to come from them trying to make these almost ‘drop the dead donkey’ stories more readable for the completely uninformed and more sensational for the editor. All this is a bad combination.
Look at the story about the MMR jab in the UK, where as a series of sensationalist stories convinced swathes of the population to not give their children the injection. Despite numerous groups of scientists rubbishing the claims the 'myth' of autism caused by this injection prevailed.
"Nuclear launch codes might be a bit of a leap here, but I don't think you can discount the power of distributed computing."
No argument with you there.
With regard to MMR there are considerable holes in the "scince" as reported by various "scientific experts".
Most of the reports published claiming that MMR is safe, are based only on previous reports most of which are flawed in one way or another (ie study time period to short, looking for other factors etc). The more recent studies are showing considerable evidence that MMR does cause gut problems and risidual virus in nerve endings (however the shenanigans caused by the UK Government is making the reports very very muted in their findings).
Dr Wakefield had a very small study group that had significant gut problems and as he pointed out a very significant increase in Autisum over the national average that needed to be investigated. This again is not in dispute his co-authors and medical records kept at the Royal Free Hospital in Hampstead London confirm this.
Oh one other point to consider, the seperate jabs usually only need to be given once to give effective protection. It now appears thet MMR has to be given atleast twice for a significant percentage of those receiving it, and may need a very expensive set of tests to confirm it is actually effective after the second set...
A simple fact to consider is what drug companies have to pay to the US Government as insurance against problems. If you total up the payment for the three single jabs it comes to considerably less than the payment for MMR...
Also if you are into "Conspiracy theory" you could ask why the UK Government has done everything it can to stop any cases getting into court to be heard before a (probably) impartial judge?
I will stop before somebody points this is well off topic.
Bot networks can surely be powerful, but if you're gonna brute force a key with one and have n computers at your control you're only eliminating log2(n) bits from the key compared to doing it with one computer. That is, if you got 256 computers, you're eliminating 8 bits, if you got 65536 computers you're eliminating 16 bits and so on. A million computers would only get you about 20 bits gain.
This probably doesn't need pointing out, but even if 100% of bot-nets are "0wned" by criminal organisations and not "hackers", they are not likely to use those cycles for high-end cryptoanalysis. These organisations are opportunistic masters of social engineering -- why do advanced mathematics when there are much easier ways to steal money?
The most obvious use of a zombie net is to extort money against the threat of a DDoS attack. To most people here that's old news, but it's still a real threat.
I work for Cybertrust. Peter Tippet is always a problem. He will talk this kind of shit, and the rest of us have to assure the customers that we're not a bunch of dipshit lunatics. (we're really not, with the exception of Tippet and a few commonly-quoted others)
I'll be fascinated to read your bots article. Are you saying that Tippet's suggestions are *technically* impossible. Not so.
The only things that are missing are the wherewithall to get things organised on the part of terrorists, a good slab of $$$$ and the right pair of hands on the keyboard. There is absolutely no reason why, instead of being dedicated to spam, DDOS attacks or surreptitiously loaded phishing sites, zombies could not have an analytical program installed for data crunching. Once a PC is owned, the hacker can install any darn thing he wants. Its not getting the zombies lined up that is the problem, its getting hands on data worth crunching.
There are no *technical* issues blocking terrorists from using the similar techniques to those used by professional phisers, pharmers and spammers.
I agree that the potential computing power of a distributed computing network using bots is not to be underestimated; although, I think getting nuclear lanch codes is a bit far fetched. Code can be downloaded to these compromised computers to turn them into a large distributed computing network. A few research sites are using BOINC software for distributed computing where users download and install this software on there machines. Some uses are the cure for cancer and the search for extraterrestials. There is nothing to stop someone from using these compromised zombie machines from turning them into a distributed network using specialized BOINC software for nefarious means.
With that said, most criminals are more likely to use social engineering to gain that data they want without resorting to some brute force type of attack. We already see this with the phishing scams.
As far as sensitive information on the web, our own government puts it there. It's just a matter of knowing where to look on the web, and compiling bits and pieces to gain useful knowledge. An example of sensitive information are the various offender registries as these post pictures, physical descriptions, addresses, and in some cases even social security numbers that can be abused by ID thieves. Terrorists could possibly use this information as a recruitment tool as we have sown the seeds of discontent. Just look at Florida's career criminal registry as an example of likely targets. I am not saying that people on the registries would necessarily be turned into terrorists, but there is always that possibility. However, that aspect of the various offender registries is a thread in itself.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.