Organised crime fails to stop skiddies
Disorganised web to blame
Comment About a year ago, I attended a top-level roundtable meeting of malware experts, where we discussed organised crime on the internet, and came to the conclusion that, in one sense, it might be a good thing for users.
That sense was trivial, of course, compared with the problems of extortion and "protection" rackets. But it looked real: it did seem as if there would be a small "up side" in that the big-time gangsters would find it irritating to be upstaged by script-kiddies, and might start taking them down.
At the time, that seemed good sense. In fact, it turns out to have been hideously naive, because it made two unjustified assumptions. First, it presumed that the gangsters were competent, and second, it assumed they would be able to protect their turf.
Two examples of internet hacking show that this isn't the case.
First, my own local ISP was subjected to a full-blown distributed denial-of-service attack (DDOS). And second, in the last week, a small time blogger has been catapulted into the limelight he has been seeking ever since he started his website, and has been systematically attacked by zombie farms. We'll keep his name out of it so the script-kiddies can't harrass him any more.
The style of the attacks shows that it's not organised crime trying to get money out of them, but is a spite campaign, designed to harass and bully.
Both these incidents - and I could quote dozens more without doing any serious research - are exactly the sort of script-kiddie exploit which my roundtable experts agreed was on the way out.
"It's a bit like trying to run a protection racket on three local news agents who are already paying protection money to the Mafia," said one of the experts a year ago. "All you'll get is a visit from the Cosa Nostra enforcer, telling you that they don't appreciate the competition."
In fact, it isn't like that. It's more like getting a bunch of innocent old ladies to block the entrance to a small newsagent by telling them the proprietor is giving away £5 notes. And the result is a nuisance - sometimes on a grand scale - but no money changes hands. And if no money changes hands, there's no audit trail.
Right now, tracing the origins of a zombie army is a task beyond technology. If the general of the zombie army is careless enough to leave a signature that betrays his location, he can be found, perhaps; but the real way to track a DDOS exploit operator is the cash.
What normally happens is that a large financial institution - a bank, a gambling site, or a large online shopping system enabler - is contacted by criminals who ask for money.
"They are in a real hole," said one security expert at the roundtable. "They know the risk is serious. Typically, they have a big payday coming up - for example, a bookmaker site the day before a big race like the Grand National in the UK, or the Kewney Stakes in Australia, or the Kentucky Derby in America. They know they can spend the next two days with their internet connections overwhelmed by multiple attacks from innocent PC owners, who have no idea they're doing it."
But if they pay up, the hard lesson of the last year is that the criminals immediately pass the word around that "so and so is an easy touch!" and a dozen other syndicates send similar demands and threats.
Nonetheless, sometimes they pay up and a deal can be done unofficially which says "hands off" to rival syndicates. And if money does change hands, it becomes possible to track the beneficiary - not easy, but possible.
With a spite attack, the only motivation is the misery of the target. In the case of the small ISP mentioned above, a script-kiddy hacker who regarded their own status as having been called into question by a claim that "we can block you" by the internet company, decided to prove them wrong. The result was that several thousand zombie PCs marched into action, and flattened the ISP site for a day. The perpetrator is known - there's no mystery there - but proving it? "Almost pointless to try," admits the victim.
In the case of the blogger, his only crime was to be hideously insensitive to the difference between political correctness and homosexuality. He exposed himself to public notice through his suggestions of what could be entertainment for a software convention, and when criticised, tactlessly suggesting that anybody who didn't like the idea was obviously gay.
The incident made a vaguely amusing diary story. But someone - or a group of someones - took personal offence, and set about a campaign of online harassment - subscribing the victim to porn sites and mailing lists and bombarding his ISP with a mini DOS attack. Again, it is almost pointless to try pinning this on any one perpetrator.
Even if you could track all of them, it's doubtful that anybody would; the damage is already done, and won't continue.
The notoriety of the victim is typical of a "15 minutes of fame" blip - within a week you'd expect the world's attention to have shifted to a mother of triplets who was claiming Sir Paul McCartney was the father, or a footballer who sent rude texts to a film star, or a dog which tried to hang itself.
Or maybe even an innocent tech journo who found himself displaced from BBC News TV by a job-seeker who wanted an entirely different type of interview...but that's probably too unlikely.
The problem is difficult to solve with current technology, it seems. Just occasionally, some teenage hacker goes to court accused of hacking crimes and is careless enough to leave an unmistakable audit trail, or even admits to it in public.
At that point, retribution is possible. Either the organised crime syndicate whose patch has been disrupted can arrive by night and threaten the kid, or else the process of law can proceed - but that doesn't concern the next thousand hacker geniuses, all of whom know perfectly well that they won't make the same mistake.
Both are irrelevant in the search for more secure internet computing. And if you try to tell me that Windows Vista will be the breakthrough which we're all looking for, I will probably laugh... ®
Sponsored: Customer Identity and Access Management