Re: Over three million computers 0wned?

2003-06-30 Thread Sean Donelan

On Sat, 28 Jun 2003, Etaoin Shrdlu wrote:
> Sheer, utter, mind-numbing nonsense. If it weren't for the tremendous
> amount of software out there that makes it EASY to take over machines (and
> I include every single default install of every single OS that enables
> anything more than port 22), if it weren't for the stunning array of folk

Heavy sigh.  Unfortunately even that isn't good enough for some vendors.
Yep, believe it or not, at least one vendor managed to create a buffer
overflow in their IP stack which didn't require *ANY* ports to be open
on the victim.  If it was connected to the network with an active IP
interface, that was enough.  If you want complete network safety, you
want wire cutters.  Then you just have to worry about the traditional
physical stuff like sneaker net, theft, etc.

The unanswered question is what should be considered reasonable?  And
how much of a burden should the end-user carry?




Re: Over three million computers 0wned?

2003-06-28 Thread Rob Thomas

Hey, Sean.

] Trustcorps claims it has scientific and anecdotal research supporting its
] conclusion that over three million computers are owned by malicious
] groups.

Interesting.

] On the other hand, Information Risk Management questioned how any one
] person could own hundreds of computers at any one time.  And systems are
] often not owned by a single group, but exploited by multiple groups

How could one person own hundreds of computers at any one time?
Since several individuals own thousands, tens of thousands, and
even (low) hundreds of thousands of systems at any one time, I
suppose the reason they don't own hundreds is because that isn't
enough.  :/

] Like most statistics, the truth is probably a little harder to find, and
] a little bit scarier.

Indeed.

Thanks,
Rob.
-- 
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);




RE: Over three million computers 0wned?

2003-06-28 Thread Marc

It would be interesting to know if the FBI or any other group can
characterize how many computers are 0wn3d per minute.  Then, of those
computers, how many remain 0wn3d indefinitely?

Marc


Trustcorps claims it has scientific and anecdotal research supporting
its conclusion that over three million computers are owned by
malicious groups.



The FBI estimates a car is stolen every 27 seconds somewhere in the US.
In 2000, FBI Uniform Crime Report statistics showed that 1,165,559 cars
were stolen; with an estimated value of $7.8 Billion.  Police apprehend
less than 15% of all auto thieves.






Re: Over three million computers 0wned?

2003-06-28 Thread Etaoin Shrdlu

Sean Donelan wrote:
 
> http://www.vnunet.com/News/1141901
>
> Trustcorps claims it has scientific and anecdotal research supporting its
> conclusion that over three million computers are owned by malicious
> groups.

Well, it isn't as if that article really had many of the details that were
meaningful. I decided to go right to the source (www.trustcorps.com) and
see what they had to say. Beyond seeing that they were yet another web site
that looks great iff you are using IE, I found almost NO substance. I
visited the Press Room, and the News items, and even the archives
thereof. Nothing there (at least not those claims).

Ok, so maybe they haven't put it on their web site yet. Still, I suppose
someone made those claims, and I think they deserve a little examination.

> On the other hand, Information Risk Management questioned how any one
> person could own hundreds of computers at any one time.  And systems are
> often not owned by a single group, but exploited by multiple groups

Well, no one here is truly defining what owned implies. I know what a
ruckus it kicked up here on NANOG when the first truly distributed denial
of service hit eBay (or was it Yahoo???). No matter. That was nowhere near
three million computers, but it certainly didn't require a lot of control
to qualify as control, or a lot of ownership to qualify as owned. I'm
amused at the thought that so-called hacker groups are in any way
coordinated, or working together, other than a few here and there (and more
for monetary gain than fame and glory).

Three million? Sure, I believe, if you stretch the definition thin enough,
that three million is quite believable. Organized in any way? Nonsense.
Sheer, utter, mind-numbing nonsense. If it weren't for the tremendous
amount of software out there that makes it EASY to take over machines (and
I include every single default install of every single OS that enables
anything more than port 22), if it weren't for the stunning array of folk
who think that expediency is valuable, and ethics malleable, if it weren't
for the vast populace that just wants pabulum, and padded cells, none of
this would be possible.

Trust me. The only bad guys that are organized are the ones who are after
$$$, and they have absolutely no need to control three million computers.
One or two is plenty, and for just long enough. The idea that there is a
vast underground of pimply-faced teenagers just waiting to control the
world would be laughable, were it not for the continued commercial assaults
that insist it is so.
 
> Unfortunately this computer crime doesn't fit the FBI crime reporting
> statistics well.  Vandalism of Property?  Is the cracking of computers
> happening more or less often than car theft?

Car theft is clear. Someone takes your car, and then you don't have it.
When someone compromises your computer(s), what do you lose? What do they
gain? It's a very unclear question.

--
I apologize; I take it all back. MS Exchange is RFC-compliant.
   See RFC 1925, point three.

http://www.faqs.org/rfcs/rfc1925.html


Re: Over three million computers 0wned?

2003-06-28 Thread Jamie Reid

Even if 3mil machines are actively and currently compromised, 
of all reachable hosts on the Internet, it would not be unreasonable
to assume that %80 or more are vulnerable to remote compromise 
in some way.  That number is speculative, but most estimates from 
consulting firms are much higher. (Based on hundreds if not
thousands of penetration tests against corporate networks with 
a %90+ success rate). 

So of all possible 0wnable machines (including those without basic 
anti-virus protection) I would personally speculate that the 3mil is 
a pretty low estimate. 

What these sort of stats mean is that ultimately, the Internet is not 
in a state in which security controls can easily be added, mostly because
of the high degree of autonomy and relatively low level of sophistication
of each host and user on the network. The other reality of this is that 
even if hackers aren't directly in control of most machines, it would
not be inaccurate to say that due to the intrinsic risks in being connected, 
users aren't really in control of their systems either.  

Security tools are the same as any other software in that they are controls
that you add to a system to optimize it and extract value from it. These studies
show that there is still lots of room for optimization (read: buy their software) 
and the implication that there is value in those optimizations.  

So yeah, buy more software. ;)



--
Jamie.Reid, CISSP, [EMAIL PROTECTED]
Senior Security Specialist, Information Protection Centre 
Corporate Security, MBS  
416 327 2324 
 Sean Donelan [EMAIL PROTECTED] 06/28/03 07:09pm 


http://www.vnunet.com/News/1141901

Trustcorps claims it has scientific and anecdotal research supporting its
conclusion that over three million computers are owned by malicious
groups.

On the other hand, Information Risk Management questioned how any one
person could own hundreds of computers at any one time.  And systems are
often not owned by a single group, but exploited by multiple groups


Like most statistics, the truth is probably a little harder to find, and
a little bit scarier.

The FBI estimates a car is stolen every 27 seconds somewhere in the US.
In 2000, FBI Uniform Crime Report statistics showed that 1,165,559 cars
were stolen; with an estimated value of $7.8 Billion.  Police apprehend
less than 15% of all auto thieves.

Unfortunately this computer crime doesn't fit the FBI crime reporting
statistics well.  Vandalism of Property?  Is the cracking of computers
happening more or less often than car theft?

Re: Over three million computers 0wned?

2003-06-28 Thread Valdis . Kletnieks
On Sat, 28 Jun 2003 19:04:25 PDT, Etaoin Shrdlu [EMAIL PROTECTED]  said:

> I include every single default install of every single OS that enables
> anything more than port 22),

Speaking of which, a heads-up... Jay Dyson was reporting on the [EMAIL PROTECTED]
mailing list that he's seeing an upswing in scans for ssh.  There's no big spike over
on incidents.org, but there was a comparative quiet for the last few weeks and higher
activity last 2-3 days

