The Wi-Fi explosion: a virus writer's dream
Opinion With the consumer Wi-Fi explosion, launching a virus into the wild has never been easier and more anonymous than it is today. Like a sneeze in a crowded subway, it's hard to find the human source of the latest viral infection. On the Internet it's not much different. The people who write these nasty little programs and release them into the wild almost never get caught. Why? The answer is easy, but it's also a sort of technical nemesis: there's simply no way to track these people down.
The current approach to catching virus writers isn't working. Code analysis and disassembly provides clues about the author, but it's not enough. Virus writers boast of their accomplishments in private bulletin boards, yet only the most vocal and arrogant few will get caught. Even with logs, IP addresses and private access, it's still near impossible to track them down.
Law enforcement agencies in every country are clearly ill-equipped to deal with the myriad of technical hurdles required to track virus authors down, and so they turn to a few elite security consultants, some working as threat analysts at the major A/V vendors for help. They can usually narrow down the source of a virus to having been released in a geographic part of the world, but the rest is a mere packet in the bitstream.
Add Microsoft's new $250,000 bounty into the mix and at first glance, you'd think we're right on track. Not a chance! There are simply too many ways to be anonymous on the Internet, and more so today than ever before. You don't even need to spoof IP addresses these days; there are too many ways to have perfect stealth. Imagine you're a virus writer and need a launchpad for your evil work. Just start with an untraceable MAC address on a borrowed IP address, linked into a wireless router down the street which has access logging disabled, and then you tunnel through countless proxies and compromised zombies until you reach the desired launch point. Someone who does not wish to be caught (and knows what they're doing), cannot be caught. With wireless, it become a physical battle between a million victims and one guy walking down the street.
Wi-Fi has exploded. Welcome to the truly anonymous Internet. There is no easier way to slip on and off the Internet now without being noticed than on an insecure 802.11x wireless network in a coffee shop, under a tree in Central Park, at a library or even just leaked through the walls of the apartment next door. North America, and indeed the rest of the world, already has an incredible number of wireless devices that are effectively free, unsecured, and readily available to anyone - to such an extent that it's more difficult to avoid these sprawling networks than it is to connect to them now. My Mac with embedded g-band happily connects to just about any network it can find, and it appears there are literally dozens, perhaps hundreds of insecure wireless Access Points now within a short walking distance from my office.
There are a mind-boggling number of Wi-Fi devices now, and only the ubiquity of these devices is new: while four or five years ago I may have been the first on my block with Wi-Fi, now there are so many devices I have to worry about interference to make sure I'm using the right pipe.
More than that, there are a mind-boggling number of wireless access point that are not Secure by Default, out of the box - just like the machine owned by your average Microsoft Windows user. But even if they were, it wouldn't matter.
I live in a sparsely-populated area, at least for a major metropolitan city. Yet without even leaving the couch of my living room, I can "borrow" someone else's Internet connection, mask my MAC address and have complete stealth on the Internet. It would be difficult, if not impossible, to ever track me down or prove a request or download came from me.
If I wanted to be a bit smarter about things, however, I'd walk to the park and get my access from there... less likely that the police come knocking on my door. Or I'd drive down to the coffee shop, and set up a launch from there. Or better still: point my home-made antenna (made out of a soup and used according to the exacting laws of wavelengths and physics) and bounce the signal off a digital satellite dish, extending my network's range by up to 2km. In other words, I could literally get my Internet access from home by simply pointing my directional antenna towards metropolitan downtown.
I have no malicious intent, however. I'm generally not searching for these insecure networks, they just appear all on their own. When I'm not publishing articles on SecurityFocus, I go for coffee at a shop at the bottom of our building. There is free wireless Internet access available, sure - though I'm not sure if it's actually provided by the coffee shop, or if it's coming from an office next door, or below me, or above me - the service has never been advertised. The owner of the shop doesn't know what wireless access means. One day I was sitting down and drinking chai... I opened up my Mac with OS X, and there was a new network(broadcasting itself, with no security). Most Windows machines, by default, similarly connect to the strongest local signal without discretion, and voila.
I check the connection, and can instantly surf the web. SSH works fine, and thus secure (and dynamic) SSH tunnels are possible. And secure email, through port 993, is possible as well. Web access, like usual, is in the clear (except when using SSL and then it too, is secure). No security whatsoever. It's wide open. I drink my chai and imagine opening up a can of worms... or rather, imagine someone logging onto his bot network through IRC, sitting anonymously in some coffees shop, drinking espresso and launching DDoS (distributed denial-of-service) attacks.
If I fudge my MAC address and make up a fake one, it will be impossible for anyone to know it's me. I'll change the apparent MAC address again tomorrow and maybe I'll sit in a different coffee shop, too.
Free but insecure networks
What I'm trying to get at is this "promiscuity" of wireless networks has already made security on the Internet redundant - a virus writer using this technology could never be tracked down. There are hundreds of access points within a five kilometre radius of me, and the number is growing every day. Having had 802.11x access myself for a long time, I clearly know that the technology and its weaknesses are hardly new. What's new is the proliferation of access points, the vast majority of which are freely available for personal use.
Even a robustly secured wireless access point can be cracked in a matter of hours. The extreme, industrial-strength security afforded using LDAP and/or RADIUS and rotating keys ciphers is possible, but not for the faint of heart. In other words, for tens of thousands of access points across the country and around the globe, basic wireless security is already irrelevant. For someone searching for a novel launch point for their virus, your router might just be the next in line.
Salon published an interesting (and entertaining) article by Micah Joel (requires free day pass) about the opening up access points and its legal implications: no security, broadcast the SSID, and turn logging off. Encourage people, in fact, to use the free connection. With no way to know who has used your Internet connection, there's no way that you could be held liable for inappropriate (or illegal) use. You'd be just like everyone else who took it out of the box, and plugged it in. No officer, you can't possibly prove that action was taken by me. While this theory has yet to be help up in court, at least here in Canada, a precedent is waiting to be set. It's already being done almost everywhere. Don't believe me? CNN published an article recently only confirming what many of us already knew: the insecurity of wireless networks has become extreme.
Of course, it would be just as easy to launch a virus from an Internet café in many other parts of the world, like Asia and India where anonymous access is given for a mere dollar an hour. And then there are the libraries, colleges, user groups and other institutions everywhere else that, once again, provide a bastion of easy, cheap anonymity.
Let me now be clear about my motivations: while I do not have the skills to write a virus myself, there are many, many people out there who do. Writing it and sharing code is one thing; launching it into the wild is another thing altogether. Similarly, technical stealth is now very easy to achieve in a multitude of ways, so we're left to rely on the social components to catch a writer: a coder who shows some arrogance, perhaps does some public code sharing, things that will ultimately do him in. The only way he might be caught is if one of his inner-circle friends squeal on them - and then traditional law enforcement steps in, grabs all the electronic equipment, and the forensics start. You might think the informant has a good chance at getting that juicy $250,000 bounty, but once he's linked to that inner circle of people sharing code, the token bounty once again fades into the mist.
Virus writers can launch their dubious malcode from just about anywhere in the world, a form of cyber-terrorism that cannot be stopped. Anonymity is generally a good thing, but not always. The promiscuity of the Internet is here.
Kelly Martin is the content editor for SecurityFocus.
Sponsored: Network DDoS protection