RE: Nato warns of strike against cyber attackers

2010-06-08 Thread Peter Boone
So let's say a cyber-attack originates from Chinese script kiddie.

Albania, Belgium, Bulgaria, Canada, Croatia, Czech Republic, Denmark,
Estonia, France, Germany, Greece, Hungary, Iceland, Italy, Latvia,
Lithuania, Luxembourg, Netherlands, Norway, Poland, Portugal, Romania,
Slovakia, Slovenia, Spain, Turkey, the United Kingdom, and the United States
will all respond by invading China? Is NATO trying to start a war here?

There's no mention in the article about any kind of electronic response to
the attack.

-Original Message-
From: J. Oquendo [mailto:s...@infiltrated.net] 
Sent: Tuesday, June 08, 2010 3:08 PM
To: na...@merit.edu
Subject: Nato warns of strike against cyber attackers

From the NetSec mailing list...

 At http://www.timesonline.co.uk/tol/news/world/article7144856.ece

 June 6, 2010
 Nato warns of strike against cyber attackers
 Michael Smith and Peter Warren

 NATO is considering the use of military force against enemies who launch
 cyber attacks on its member states.

 The move follows a series of Russian-linked hacking against Nato members
 and warnings from intelligence services of the growing threat from China.

 A team of Nato experts led by Madeleine Albright, the former US secretary
 of state, has warned that the next attack on a Nato country "may well come
 down a fibre-optic cable".

 A report by Albright's group said that a cyber attack on the critical
 infrastructure of a Nato country could equate to an armed attack,
 justifying retaliation.

 Article 5 is the cornerstone of the 1949 Nato charter, laying down that
 "an armed attack" against one or more Nato countries "shall be considered
 an attack against them all".

 It was the clause in the charter that was invoked following the September
 11 attacks to justify the removal of the Taliban regime in Afghanistan.

 Nato is now considering how severe the attack would have to be to justify
 retaliation, what military force could be used and what targets would be
 attacked.

 The organisation's lawyers say that because the effect of a cyber attack
 can be similar to an armed assault, there is no need to redraft existing
 treaties.

 Eneken Tikk, a lawyer at Nato's cyber defence centre in Estonia, said it
 would be enough to invoke the mutual defence clause "if, for example, a
 cyber attack on a country's power networks or critical infrastructure
 resulted in casualties and destruction comparable to a military attack".

 Nato heads of government are expected to discuss the potential use of
 military force in response to cyber attacks at a summit in Lisbon in
 November that will debate the alliance's future. General Keith Alexander,
 head of the newly created US cyber command, said last week there was a
 need for "clear rules of engagement that say what we can stop".

 The concerns follow warnings from intelligence services across Europe that
 computer-launched attacks from Russia and China are a mounting threat.
 Russian hackers have been blamed for an attack against Estonia in April
 and May of 2007 which crippled government, media and banking communications
 and internet sites.

 They also attacked Georgian computer systems during the August 2008
 invasion of the country, bringing down air defence networks and
 telecommunications systems belonging to the president, the government and
 banks.

 Alexander disclosed last week that a 2008 attack on the Pentagon's
 systems, believed to have been mounted by the Chinese, successfully broke
 through into classified areas.

 Britain's Joint Intelligence Committee cautioned last year that
 Chinese-made parts in the BT phone network could be used to bring down
 systems running the country's power and food supplies.

 Some experts have warned that it is often hard to establish government
 involvement. Many Russian attacks, for example, have been blamed on the
 Russian mafia. The Kremlin has consistently refused to sign an
 international treaty banning internet crime.

   

Obviously NATO is not concerned with proving the culprit of an attack an
albeit close to impossibility. Considering that many attackers
compromise so many machines, what's to stop someone from instigating. I
can see it coming now:

hping -S 62.128.58.180 -a 62.220.119.62 -p ++21 -w 6000
hping -S 62.220.119.62 -a 62.128.58.180 -p ++21 -w 6000

So NANOGer's, what will be the game plan when something like this
happens, will you be joining NATO and pulling fiber. I wonder when all
types of warm-fuzzy filtering will be drafted into networking: Thou
shall re-read RFC4953 lest you want Predator strikes on your NAP
locations...

-- 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT

It takes 20 years to build a reputation and five minutes to
ruin it. If you think about that, you'll do things
differently. - Warren Buffett

227C 5D35 7DCB 0893 95AA  4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E





Re: Nato warns of strike against cyber attackers

2010-06-08 Thread Brielle Bruns

On 6/8/10 3:08 PM, Peter Boone wrote:

So let's say a cyber-attack originates from Chinese script kiddie.

Albania, Belgium, Bulgaria, Canada, Croatia, Czech Republic, Denmark,
Estonia, France, Germany, Greece, Hungary, Iceland, Italy, Latvia,
Lithuania, Luxembourg, Netherlands, Norway, Poland, Portugal, Romania,
Slovakia, Slovenia, Spain, Turkey, the United Kingdom, and the United States
will all respond by invading China? Is NATO trying to start a war here?

There's no mention in the article about any kind of electronic response to
the attack.




Of course, their reasoning seems to be that there's no possible way an 
attack could be from Russia, but using an open proxy, relay, etc in 
China.  It's not like an IP is guaranteed to be directly controlled by 
someone in that country.


So, we end up invading China, and while all of our troops are there, 
Russia comes in and takes over the US or the EU without much effort.


Note I'm just using Russia and China in examples here, no specific 
reason that it could only be them.


If I didn't know any better, I'd say they let Bush write their policies.
--
Brielle Bruns
The Summit Open Source Development Group
http://www.sosdg.org/ http://www.ahbl.org



Re: Nato warns of strike against cyber attackers

2010-06-08 Thread joel jaeggli

On 2010-06-08 13:03, J. Oquendo wrote:

Jorge Amodio wrote:

All humor aside, I'm curious to know what can anyone truly do at the end
of the day if say a botnet was used to instigate a situation. Surely
someone would have to say something to the tune of better now than
never to implement BCP filtering on a large scale. Knobs, Levers, Dials
and Switches: Now and Then (please sir, may I have some more ?) is 7
years old yet I wonder in practice, how many networks have 38/84
filtering. I'm wondering why it hasn't been implemented off the shelf in
some of the newer equipment. This is not to say huge backbones should
have it, but think about it, if smaller networks implemented it from the
rip, the overhead wouldn't hurt that many of the bigger guys. On the
contrary, my theory is it would save them headaches in the long run...
Guess that's a pragmatic approach. Better that than an immediate
pessimistic one.


The bots don't need to spoof source addresses... and therefore the 
filtering associated with preventing that while a solid belt and 
suspenders exercise is by no means a panacea.






Re: Nato warns of strike against cyber attackers

2010-06-08 Thread Steven Bellovin

On Jun 8, 2010, at 5:15:13 PM, Brielle Bruns wrote:

 On 6/8/10 3:08 PM, Peter Boone wrote:
 So let's say a cyber-attack originates from Chinese script kiddie.
 
 Albania, Belgium, Bulgaria, Canada, Croatia, Czech Republic, Denmark,
 Estonia, France, Germany, Greece, Hungary, Iceland, Italy, Latvia,
 Lithuania, Luxembourg, Netherlands, Norway, Poland, Portugal, Romania,
 Slovakia, Slovenia, Spain, Turkey, the United Kingdom, and the United States
 will all respond by invading China? Is NATO trying to start a war here?
 
 There's no mention in the article about any kind of electronic response to
 the attack.
 
 
 
 Of course, their reasoning seems to be that there's no possible way an attack 
 could be from Russia, but using an open proxy, relay, etc in China.  It's not 
 like an IP is guaranteed to be directly controlled by someone in that country.
 
 So, we end up invading China, and while all of our troops are there, Russia 
 comes in and takes over the US or the EU without much effort.
 
 Note I'm just using Russia and China in examples here, no specific reason 
 that it could only be them.
 
 If I didn't know any better, I'd say they let Bush write their policies.

Packets of mass destruction?

The issue of attribution -- and the extreme difficulty of doing it in the 
online world -- is *very* well understood in Washington, even at the 
policy-maker level.  I'm currently a member of a National Academies study 
committee on cyberdeterrence 
(http://sites.nationalacademies.org/CSTB/CurrentProjects/CSTB_054995); we've 
discussed that point ad nauseam.  Consider this text from p. 9 of our letter 
report:

for many kinds of cyberattack the United States would almost certainly 
not be able to ascertain the source of such an attack, even if it were a 
national act, let alone hold a specific nation responsible. For example, the 
United States is constantly under cyberattack today, and it is widely believed 
(though without conclusive proof) that most of these cyberattacks are not the 
result of national decisions by an adversary state, though press reports have 
claimed that some are. In general, prompt technical attribution of an attack or 
exploitation—that is, identification of the responsible party (individual? 
subnational group? nation-state?) based only on technical indicators associated 
with the event in question—is quite problematic, and any party accused of 
launching a given cyberintrusion could deny it with considerable plausibility. 
Forensic investigation might yield the identity of the responsible party, but 
the time scale for such investigation is often on the order of weeks or months. 
(Although it is often quite straightforward to trace an intrusion to the 
proximate node, in general, this will not be the origination point of the 
intrusion. Tracing an intrusion to its actual origination point past 
intermediate nodes is what is most difficult.)

But read the next paragraph, which discusses other ways to figure out who did 
it.

We can hope that no one in Washington (or Beijing or Moscow or the capital of 
Elbonia) is stupid enough to rely on IP addresses of the actual attacking 
machines as a definitive indicator.  Given how widely understood that is, it's 
not even on my list of things to worry about.  The question that report is 
tackling is this:  *if* there is a serious online attack on critical 
infrastructure -- say, turning off some generators with extreme prejudice 
(http://edition.cnn.com/2007/US/09/26/power.at.risk/index.html), and *if* you 
know who did it, is a kinetic response on the table?  This has nothing to do 
with the botnet du jour, nor with Sen. Lieberman marching in to your NOC with a 
subpoena for your enable passwords.  And while people in Washington (or 
Beijing or Moscow or the capital of Elbonia) can be quite stupid, they're 
(usually) not quite as stupid as all that.  And yes, serious mistakes can be 
made.  One more quote from the report (p. 8):

History shows that when human beings with little hard information are 
placed into unfamiliar situations in a general environment of tension, they 
often substitute supposition for knowledge. In the words of a former senior 
administration official responsible for protecting U.S. critical 
infrastructure, 'I have seen too many situations where government officials 
claimed a high degree of confidence as to the source, intent, and scope of a 
[cyber]attack, and it turned out they were wrong on every aspect of it. That 
is, they were often wrong, but never in doubt.'



--Steve Bellovin, http://www.cs.columbia.edu/~smb








Re: Nato warns of strike against cyber attackers

2010-06-08 Thread Paul Ferguson

On Tue, Jun 8, 2010 at 1:30 PM, Brielle Bruns br...@2mbit.com wrote:

 On 6/8/10 2:12 PM, Dave Rand wrote:

 It's really way, way past time for us to actually deal with compromised
 computers on our networks.  Abuse desks need to have the power to filter
 customers immediately on notification of activity.  We need to have
 tools to
 help us identify compromised customers.  We need to have policies that
 actually work to help notify the customers when they are compromised.

 None of this needs to be done for free.  There needs to be a security
 fee charged _all_ customers, which would fund the abuse desk.

 With more than 100,000,000 compromised computers out there, it's really
 time for us to step up to the plate, and make this happen.


 Problem is, there's no financial penalties for providers who ignore abuse
 coming from their network.


Actually, the real problem is that if providers *don't* start doing
something to remediate abuse originating within their customer base -- and
begin policing themselves -- I don't think they will like someone else
(e.g. the gummint) forcing them to do something (which actually may be
worse).

The opportunity for providers to address this problem by policing
themselves is being overshadowed by the real possibility that the
government may step in and force them to do so, unfortunately.

$.02,

- - ferg




-- 
Fergie, a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawgster(at)gmail.com
 ferg's tech blog: http://fergdawg.blogspot.com/



Re: Nato warns of strike against cyber attackers

2010-06-08 Thread Gadi Evron

On 6/8/10 10:07 PM, J. Oquendo wrote:

So NANOGer's, what will be the game plan when something like this
happens, will you be joining NATO and pulling fiber. I wonder when all
types of warm-fuzzy filtering will be drafted into networking: Thou
shall re-read RFC4953 lest you want Predator strikes on your NAP
locations...


We must distinguish between the m.o. of an actual response, and 
deterrence. If we speak of deterrence, I wrote about it not long ago.


Deterrence online is one of the biggest idiocies of the past couple of 
years. There are some interesting research possibilities in the subject 
matter, but not as it is portrayed today -- a cure-all strategy.


Strategic experts are very comfortable with Cold War strategy following 
around 70 years of practicing it, so when asked to deal with the 
Internet, they ran to deterrence.


In order to have deterrence, you require first an ability to respond to 
an attack. On the Internet, you may never find out who is attacking you, 
and data may be intentionally misleading when you think you do have some 
bread crumbs.


It is just virtually impossible to tell who is behind an attack from 
technical data alone.


Thus, deterrence against whom?

You may say that by setting an occasional example, it doesn't matter who 
you attack. That is mostly false as well.


If we do know who is attacking us, then consider the players can now be 
(and indeed are) unaffiliated individuals or groups who may not care 
about the infrastructure of the country they are in nor have any 
infrastructure to speak of (which can in turn be targeted). Any attack 
will likely be against a third-party that has been hacked, i.e. compromised.


And if you're dealing with large-scale attacks, such as DDoS, responding 
in kind (with DDoS, botnets, etc.) will also hurt the Internet itself 
with collateral damage.


There are some particular instances where deterrence does work online, 
and it may also be used as a general addition to real-world deterrence 
(we have cyberweapons -- beware!), but these are just points that would 
muddy the water in the wider argument before us.


I think supporting such folly is generally folly itself. For further 
reading, I'd point you to this comprehensive and quite excellent 
document: Cyber Deterrence and Cyber War, by Martin C. Libicki:

http://www.rand.org/pubs/monographs/2009/RAND_MG877.pdf

Gadi.

--
Gadi Evron,
http://gadievron.com/



Re: Nato warns of strike against cyber attackers

2010-06-08 Thread Gadi Evron

On 6/9/10 12:50 AM, Marshall Eubanks wrote:

What any of this has to do with configuring routers escapes me.


I think Jay is worried about steps operators may have to take during 
such an eventuality of an attack, not to mention the collateral damage 
to the Internet infrastructure if DDoS is what they have in mind.


Gadi.

--
Gadi Evron,
http://gadievron.com/



RE: Nato warns of strike against cyber attackers

2010-06-08 Thread Jim Templin
Have no fear geolocation is here, you are not in peril.  It will be a
surgical strike.  If Google and others are willing to assist, they will know
exactly where to send the JDAM.

Chrome now collects data from your wireless card if you let it. When you are
asked where you are, Chrome then also records any IP and MACs it hears over
your card (or so I am told).  The same is being done on cell phone OS.
Being on a GRE tunnel will make no difference.

http://www.google.com/support/chrome/bin/answer.py?answer=142065&hl=en

http://google-code-updates.blogspot.com/2008/10/introducing-gears-geolocation-api-for.html

http://news.cnet.com/8301-30684_3-20006342-265.html

Here is one commercial application of this process.

http://www.skyhookwireless.com



Cowering under my desk,
Jim




 -Original Message-
 From: Gadi Evron [mailto:g...@linuxbox.org]
 Sent: Tuesday, June 08, 2010 3:46 PM
 To: nanog@nanog.org
 Subject: Re: Nato warns of strike against cyber attackers
 
 On 6/9/10 12:50 AM, Marshall Eubanks wrote:
  What any of this has to do with configuring routers escapes me.
 
 I think Jay is worried about steps operators may have to take during
 such an eventuality of an attack, not to mention the collateral damage
 to the Internet infrastructure if DDoS is what they have in mind.
 
   Gadi.
 
 --
 Gadi Evron,
 http://gadievron.com/




Re: Nato warns of strike against cyber attackers

2010-06-08 Thread jim deleskie
Military reply doesn't have to mean bombs and guns.   There is nothing
keeping it from meaning offensive cyber counter attacks.  This would mean
manage the battlefields :)

On Tue, Jun 8, 2010 at 7:46 PM, Gadi Evron g...@linuxbox.org wrote:
 On 6/9/10 12:50 AM, Marshall Eubanks wrote:

 What any of this has to do with configuring routers escapes me.



Re: Nato warns of strike against cyber attackers

2010-06-08 Thread Jorge Amodio
 So let's say a cyber-attack originates from Chinese script kiddie.

 Albania, Belgium, Bulgaria, Canada, Croatia, Czech Republic, Denmark,
 Estonia, France, Germany, Greece, Hungary, Iceland, Italy, Latvia,
 Lithuania, Luxembourg, Netherlands, Norway, Poland, Portugal, Romania,
 Slovakia, Slovenia, Spain, Turkey, the United Kingdom, and the United States
 will all respond by invading China? Is NATO trying to start a war here?

Bigger tin hats required then ...



Re: Nato warns of strike against cyber attackers

2010-06-08 Thread Dave Rand
[In the message entitled Re: Nato warns of strike against cyber attackers on 
Jun  8, 14:30, Brielle Bruns writes:]
 
 Legit customers get caught in the cross-fire, and they suffer - but at 
 the same time, those legit customers are the only ones that will be able 
 to force a change on said provider.
 
 They contact us, and act all innocent, and tell people we're being 
 unreasonable, neglecting to tell people at the same time that the 
 'unreasonable' DNSbl maintainer only wants for them to do a simple task 
 that thousands of other providers and administrators have done before.
 


I'm somewhat familiar with the concept :-)

But yes, this indeed is currently the only effective way to cause change
at the ISP level.  Ferg is very correct in that Change Is Coming at
the government level.  That is the wrong place for it to happen, but it
will also be very effective.

I'm hopeful that more networks will take it upon themselves to make it happen
before it is forced on them.


-- 



Re: Nato warns of strike against cyber attackers

2010-06-08 Thread Dorn Hetzel
Perhaps a government operated black-hole list, run by same friendly folks
that run the no-fly list, with a law that says no US ISP can send packets to
or accept packets from any IP on the list.
Now that would be some real fun to watch! :)

On Tue, Jun 8, 2010 at 8:27 PM, Dave Rand d...@bungi.com wrote:

 [In the message entitled Re: Nato warns of strike against cyber attackers
 on Jun  8, 14:30, Brielle Bruns writes:]
 
  Legit customers get caught in the cross-fire, and they suffer - but at
  the same time, those legit customers are the only ones that will be able
  to force a change on said provider.
 
  They contact us, and act all innocent, and tell people we're being
  unreasonable, neglecting to tell people at the same time that the
  'unreasonable' DNSbl maintainer only wants for them to do a simple task
  that thousands of other providers and administrators have done before.
 


 I'm somewhat familiar with the concept :-)

 But yes, this indeed is currently the only effective way to cause change
 at the ISP level.  Ferg is very correct in that Change Is Coming at
 the government level.  That is the wrong place for it to happen, but it
 will also be very effective.

 I'm hopeful that more networks will take it upon themselves to make it
 happen
 before it is forced on them.


 --




Re: Nato warns of strike against cyber attackers

2010-06-08 Thread Welch, Bryan
Changes the meaning of guns a blazing


Bryan

On Jun 8, 2010, at 8:31 PM, jim deleskie deles...@gmail.com wrote:

 Military reply doesn't have to mean bombs and guns.   There is nothing
 keeping it from meaning offensive cyber counter attacks.  This would mean
 manage the battlefields :)

 On Tue, Jun 8, 2010 at 7:46 PM, Gadi Evron g...@linuxbox.org wrote:
 On 6/9/10 12:50 AM, Marshall Eubanks wrote:

 What any of this has to do with configuring routers escapes me.




Re: Nato warns of strike against cyber attackers

2010-06-08 Thread Paul Ferguson

On Tue, Jun 8, 2010 at 5:45 PM, Dorn Hetzel dhet...@gmail.com wrote:

 Perhaps a government operated black-hole list, run by same friendly folks
 that run the no-fly list, with a law that says no US ISP can send packets
 to or accept packets from any IP on the list.
 Now that would be some real fun to watch! :)


Personally, I think that's a horrible idea -- there's a real slippery slope
to subjective blocking of offensive sites (not just malicious ones) like
what they are trying to do in Australia.

But again, since U.S. providers have demonstrated that they do not have the
desire, nor the will, to police themselves, it is hardly a surprise that
Government intervention is being considered as an alternative.

I think residential-broadband ISPs need to follow the lead of [e.g. Qwest,
Comcast, etc.], which are making a legitimate attempt to identify, notify,
and mitigate abusive/botnetted customers.

Also, the U.S. leads the rest of the world in hosting providers which are
hosting Eastern European criminal malfeasance -- this is a fact.

In other words, as things stand now, U.S. providers kind of deserve
whatever the U.S. Government dishes out,  since they have shown that they do
not have a willingness to police their own backyards.

It is really sad, actually.

- - ferg



-- 
Fergie, a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawgster(at)gmail.com
 ferg's tech blog: http://fergdawg.blogspot.com/



Re: Nato warns of strike against cyber attackers

2010-06-08 Thread Valdis . Kletnieks
On Tue, 08 Jun 2010 19:23:17 CDT, Jorge Amodio said:
  So let's say a cyber-attack originates from Chinese script kiddie.
 
  Albania, Belgium, Bulgaria, Canada, Croatia, Czech Republic, Denmark,
  Estonia, France, Germany, Greece, Hungary, Iceland, Italy, Latvia,
  Lithuania, Luxembourg, Netherlands, Norway, Poland, Portugal, Romania,
  Slovakia, Slovenia, Spain, Turkey, the United Kingdom, and the United States
  will all respond by invading China? Is NATO trying to start a war here?
 
 Bigger tin hats required then ...

Buy 10,000 shares of every South Korean company you can find, short them, then
launch an attack from Seoul. Then sit back and profit.

Oh, quit looking at me like that. You know you were all thinking it. ;)






RE: Nato warns of strike against cyber attackers

2010-06-08 Thread Aaron Wendel
Actually I was thinking of my neighbor's noisy dog and what a predator
strike to his house would do. :)


-Original Message-
From: valdis.kletni...@vt.edu [mailto:valdis.kletni...@vt.edu] 
Sent: Tuesday, June 08, 2010 8:32 PM
To: Jorge Amodio
Cc: na...@merit.edu
Subject: Re: Nato warns of strike against cyber attackers

On Tue, 08 Jun 2010 19:23:17 CDT, Jorge Amodio said:
  So let's say a cyber-attack originates from Chinese script kiddie.
 
  Albania, Belgium, Bulgaria, Canada, Croatia, Czech Republic, 
  Denmark, Estonia, France, Germany, Greece, Hungary, Iceland, Italy, 
  Latvia, Lithuania, Luxembourg, Netherlands, Norway, Poland, 
  Portugal, Romania, Slovakia, Slovenia, Spain, Turkey, the United 
  Kingdom, and the United States will all respond by invading China? Is
NATO trying to start a war here?
 
 Bigger tin hats required then ...

Buy 10,000 shares of every South Korean company you can find, short them,
then launch an attack from Seoul. Then sit back and profit.

Oh, quit looking at me like that. You know you were all thinking it. ;)







Re: Nato warns of strike against cyber attackers

2010-06-08 Thread Owen DeLong
Dave,

I realize you're fond of punishing all of us to subsidize the ignorant, but I 
would rather see those with compromised machines pay the bill for letting their 
machines get compromised than have to subsidize their ignorant or worse 
behavior.

Owen


Sent from my iPad

On Jun 8, 2010, at 1:12 PM, d...@bungi.com (Dave Rand) wrote:

 [In the message entitled Re: Nato warns of strike against cyber attackers 
 on Jun  8, 16:03, J. Oquendo writes:]
 
 All humor aside, I'm curious to know what can anyone truly do at the end
 of the day if say a botnet was used to instigate a situation. Surely
 someone would have to say something to the tune of better now than
 never to implement BCP filtering on a large scale. Knobs, Levers, Dials
 and Switches: Now and Then (please sir, may I have some more ?) is 7
 years old yet I wonder in practice, how many networks have 38/84
 filtering. I'm wondering why it hasn't been implemented off the shelf in
 some of the newer equipment. This is not to say huge backbones should
 have it, but think about it, if smaller networks implemented it from the
 rip, the overhead wouldn't hurt that many of the bigger guys. On the
 contrary, my theory is it would save them headaches in the long run...
 Guess that's a pragmatic approach. Better that than an immediate
 pessimistic one.
 
 
 It's really way, way past time for us to actually deal with compromised
 computers on our networks.  Abuse desks need to have the power to filter
 customers immediately on notification of activity.  We need to have tools to
 help us identify compromised customers.  We need to have policies that
 actually work to help notify the customers when they are compromised.
 
 None of this needs to be done for free.  There needs to be a security
 fee charged _all_ customers, which would fund the abuse desk.
 
 With more than 100,000,000 compromised computers out there, it's really
 time for us to step up to the plate, and make this happen.
 
 
 -- 



Re: Nato warns of strike against cyber attackers

2010-06-08 Thread Larry Sheldon
Lots of finger pointing.
Lots of discussion about who should pay, and so forth.

How about we just take responsibility for our own part.  Don't let malicious
traffic in or out?

If it can't move, it will die.
-- 
Somebody should have said:
A democracy is two wolves and a lamb voting on what to have for dinner.

Freedom under a constitutional republic is a well armed lamb contesting
the vote.

Requiescas in pace o email
Ex turpi causa non oritur actio
Eppure si rinfresca

ICBM Targeting Information:  http://tinyurl.com/4sqczs
http://tinyurl.com/7tp8ml





Re: Nato warns of strike against cyber attackers

2010-06-08 Thread Dave Rand
[In the message entitled Re: Nato warns of strike against cyber attackers on 
Jun  8, 13:33, Owen DeLong writes:]
 
 I realize you're fond of punishing all of us to subsidize the ignorant,
 but I would rather see those with compromised machines pay the bill for
 letting their machines get compromised than have to subsidize their
 ignorant or worse behavior.
 

I'm fond of getting the issues addressed by getting the ISPs to be involved
with the problem.   If that means users get charged clean up fees instead
of a security fee, that's fine.

ISPs remain in the unique position of being able to identify the customer,
the machine, and to verify the traffic.  It can be done.

-- 



Re: Nato warns of strike against cyber attackers

2010-06-08 Thread Jorge Amodio
Sent from my iToilet

why you will penalize with fees the end customer that may not know
that her system has been compromised because what she pays to Joe
Antivirus/Security/Firewall/Crapware is not effective against Billy
the nerd insecure code programmer ?

No doubt ISPs can do something, but without additional regulation and
safeguards that they won't be sued for sniffing or filtering traffic
nothing will ever happen. Do we want more/any regulation ? who will
oversee it ?

On the other hand think as the Internet being a vast ocean where the
bad guys keep dumping garbage, you can't control or filter the
currents that are constantly changing and you neither can inspect
every water molecule, then what do you do to find and penalize the
ones that drop or permit their systems to drop garbage on the ocean ?

My .02
Jorge

 I'm fond of getting the issues addressed by getting the ISPs to be involved
 with the problem.   If that means users get charged clean up fees instead
 of a security fee, that's fine.

 ISPs remain in the unique position of being able to identify the customer,
 the machine, and to verify the traffic.  It can be done.



Re: Nato warns of strike against cyber attackers

2010-06-08 Thread Valdis . Kletnieks
On Tue, 08 Jun 2010 22:01:35 CDT, Jorge Amodio said:

 On the other hand think as the Internet being a vast ocean where the
 bad guys keep dumping garbage, you can't control or filter the
 currents that are constantly changing and you neither can inspect
 every water molecule, then what do you do to find and penalize the
 ones that drop or permit their systems to drop garbage on the ocean ?

Bad analogy. There's some plumes of oil in the Gulf of Mexico that are
getting mapped out very well by only a few ships.  You don't have to
examine every molecule to find parts-per-million oil, or to figure out
whose oil rig the oil came from.

And you don't need to look at every packet to find abusive traffic
either - in most cases, simply letting the rest of the net do the work
for you and just reading your abuse@ mailbox and actually dealing with
the reports is 95% of what's needed.




Re: Nato warns of strike against cyber attackers

2010-06-08 Thread JC Dill

Jorge Amodio wrote:

None of this needs to be done for free.  There needs to be a security
fee charged _all_ customers, which would fund the abuse desk.



  

With more than 100,000,000 compromised computers out there, it's really
time for us to step up to the plate, and make this happen.



Or you should send the bill to the company that created the software
that facilitated to get so many computers compromised, some folks in
Redmond have a large chunk of money on the bank.


I'm still truly amazed that no one has sic'd a lawyer on Microsoft for 
creating an attractive nuisance - an operating system that is too 
easily hacked and used to attack innocent victims, and where others have 
to pay to clean up after Microsoft's mess.


For instance, if you build a pool in your backyard, and you don't 
properly fence it, and kids illegally trespass on your property to get 
in to your pool, and they get hurt, you will be sued and will be held 
liable.  You built this dangerous thing, and you didn't properly secure 
(fence it), and it's your responsibility even when someone *illegally* 
gains access and hurts themselves (or others).  There are numerous other 
examples of attractive nuisances where individuals and companies are 
held liable for injuries caused by people who illegally gained access to 
improperly secured property and items.  Why hasn't *someone* brought 
this up with Microsoft and Windows?


http://en.wikipedia.org/wiki/Attractive_nuisance_doctrine

jc




Re: Nato warns of strike against cyber attackers

2010-06-08 Thread Paul Ferguson

On Tue, Jun 8, 2010 at 8:59 PM, JC Dill jcdill.li...@gmail.com wrote:


 I'm still truly amazed that no one has sic'd a lawyer on Microsoft for
 creating an attractive nuisance - an operating system that is too
 easily hacked and used to attack innocent victims, and where others have
 to pay to clean up after Microsoft's mess.


Do you honestly believe that if 80% of the world's consumer computers were
*not* MS operating systems, that the majority of computers would still not
be targeted?

Please, be for real -- the criminals go after the entrenched majority. If
it were any other OS, the story would be the same.

- ferg




-- 
Fergie, a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawgster(at)gmail.com
 ferg's tech blog: http://fergdawg.blogspot.com/



Re: Nato warns of strike against cyber attackers

2010-06-08 Thread JC Dill

Dave Rand wrote:

I'm fond of getting the issues addressed by getting the ISPs to be involved
with the problem.   If that means users get charged clean up fees instead
of a security fee, that's fine.


I urge all my competitors to do that.

The problem isn't that this is a bad idea, the problem is that it's a 
bad idea to be the first to do it.  You want to be the last to do it.  
You want all other companies to do it first - to charge their customers 
more (while you don't charge more and take away some of their business) 
to pay for this cost.


It only works if everyone has to charge their customers, and the change 
(from no surcharge to mandatory charge) will have to happen universally 
and at the same time - which will never happen.  Welcome to the anarchy.


jc



Re: Nato warns of strike against cyber attackers

2010-06-08 Thread Paul Ferguson

On Tue, Jun 8, 2010 at 9:06 PM, JC Dill jcdill.li...@gmail.com wrote:

 Dave Rand wrote:

 I'm fond of getting the issues addressed by getting the ISPs to be
 involved
 with the problem.   If that means users get charged clean up fees
 instead
 of a security fee, that's fine.

 I urge all my competitors to do that.

 The problem isn't that this is a bad idea, the problem is that it's a bad
 idea to be the first to do it.  You want to be the last to do it.  You
 want all other companies to do it first - to charge their customers more
 (while you don't charge more and take away some of their business) to pay
 for this cost.

 It only works if everyone has to charge their customers, and the change
 (from no surcharge to mandatory charge) will have to happen universally
 and at the same time - which will never happen.  Welcome to the anarchy.


Again, you can all continue to dance around and ignore the problem & chance
the probability that the U.S. Government will step in and force you to do
it.

Pick your poison.

- ferg





-- 
Fergie, a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawgster(at)gmail.com
 ferg's tech blog: http://fergdawg.blogspot.com/



Re: Nato warns of strike against cyber attackers

2010-06-08 Thread Steven Bellovin
 Problem is there's no financial liability for producing massively exploitable 
 software.
 No financial penalty for operating a compromised system.
 No penalty for ignoring abuse complaints.
 Etc.
 
 Imagine how fast things would change in Redmond if Micr0$0ft had to pay the 
 cleanup costs for each and every infected system and any damage said infected 
 system did prior to the owner/operator becoming aware of the infection.
 

It isn't Microsoft.  It once was, but Vista and Windows 7 are really solid, 
probably much better than Linux or Mac OS.  (Note that I run NetBSD and Mac OS; 
I don't run Windows not because it's insecure but because it's an unpleasant 
work environment for me.)

Microsoft is targeted because they have the market.  If Steve Jobs keeps 
succeeding with his reality distortion field, we'll see a lot more attacks on 
Macs in a very few years.  It's also Flash and Acrobat Reader.  It's also users 
who click to install every plug-in recommended by every dodgy web site they 
visit.  It's also users who don't install patches, including those for XP 
(which really was that buggy).  There's plenty of blame to go around here

A liability scheme, with penalties on users and vendors, is certainly worth 
considering.  Such a scheme would also have side-effects -- think of the effect 
on open source software.  It would also be a lovely source of income for 
lawyers, and would inhibit new software development.  The tradeoff may be worth 
while -- or it may not, because I have yet to see evidence that *anyone* can 
produce really secure software without driving up costs at least five-fold.


--Steve Bellovin, http://www.cs.columbia.edu/~smb








Re: Nato warns of strike against cyber attackers

2010-06-08 Thread Larry Sheldon
On 6/8/2010 23:22, Paul Ferguson wrote:

 Again, you can all continue to dance around and ignore the problem & chance
 the probability that the U.S. Government will step in and force you to do
 it.
 
 Pick your poison.

Or the world government will (note misspelled NATO in the Subject:).

-- 
Somebody should have said:
A democracy is two wolves and a lamb voting on what to have for dinner.

Freedom under a constitutional republic is a well armed lamb contesting
the vote.

Requiescas in pace o email
Ex turpi causa non oritur actio
Eppure si rinfresca

ICBM Targeting Information:  http://tinyurl.com/4sqczs
http://tinyurl.com/7tp8ml





Re: Nato warns of strike against cyber attackers

2010-06-08 Thread Patrick W. Gilmore
On Jun 9, 2010, at 12:26 AM, Steven Bellovin wrote:

 Problem is there's no financial liability for producing massively 
 exploitable software.
 No financial penalty for operating a compromised system.
 No penalty for ignoring abuse complaints.
 Etc.
 
 Imagine how fast things would change in Redmond if Micr0$0ft had to pay the 
 cleanup costs for each and every infected system and any damage said 
 infected system did prior to the owner/operator becoming aware of the 
 infection.
 
 
 It isn't Microsoft.  It once was, but Vista and Windows 7 are really solid, 
 probably much better than Linux or Mac OS.  (Note that I run NetBSD and Mac 
 OS; I don't run Windows not because it's insecure but because it's an 
 unpleasant work environment for me.)
 
 Microsoft is targeted because they have the market.  If Steve Jobs keeps 
 succeeding with his reality distortion field, we'll see a lot more attacks on 
 Macs in a very few years.  It's also Flash and Acrobat Reader.  It's also 
 users who click to install every plug-in recommended by every dodgy web site 
 they visit.  It's also users who don't install patches, including those for 
 XP (which really was that buggy).  There's plenty of blame to go around 
 here
 
 A liability scheme, with penalties on users and vendors, is certainly worth 
 considering.  Such a scheme would also have side-effects -- think of the 
 effect on open source software.  It would also be a lovely source of income 
 for lawyers, and would inhibit new software development.  The tradeoff may be 
 worth while -- or it may not, because I have yet to see evidence that 
 *anyone* can produce really secure software without driving up costs at least 
 five-fold.

I agree the miscreants go for the bigger bang for the buck.  That said, earlier 
versions of Windows really were soft targets.  I don't know enough about Win7 
to comment, but I respect Steve and will accept his opinion.  Let's hope MS 
keeps up the good work - I do not want to bash Windows (no matter how fun it is 
:), I want to stop being attacked.

But it is not -just- market share.  There are a lot more Windows Mobile 
compromises, viruses, etc., than iOS, Symbian, and RIM.  I think combined.  Yet 
Windows Mobile has the lowest market share of the four.  So unless that is 
spill over because Windows Mobile & Windows Desktop have the same 
vulnerabilities, it shows that market share is only one piece of the puzzle.

All that said, the biggest problem is users.  Social Engineering is a far 
bigger threat than anything in software.  And I don't know how we stop that.  
Anyone have an idea?

-- 
TTFN,
patrick




Re: Nato warns of strike against cyber attackers

2010-06-08 Thread Dave Rand
[In the message entitled Re: Nato warns of strike against cyber attackers on 
Jun  9,  0:26, Steven Bellovin writes:]
 
 A liability scheme, with penalties on users and vendors, is certainly
 worth considering.  Such a scheme would also have side-effects -- think
 of the effect on open source software.  It would also be a lovely source
 of income for lawyers, and would inhibit new software development.  The
 tradeoff may be worth while -- or it may not, because I have yet to see
 evidence that *anyone* can produce really secure software without
 driving up costs at least five-fold.
 


The vast majority of users that I interact with (and yes, I am first to admit
that it has been only thousands, perhaps less than 10,000 over the years, so
it is a small sample) are quite happy to be informed of a compromised system.

It's not, for the most part, that they are malicious.  Just unaware.  The bad
guys are very stealthy, and the "but, I can't see anything wrong on my
screen!" is a huge obstacle to overcome.  Once they are made aware of the
problem, the vast majority work quickly to fix it.  Yes, some are clueless.
Some want someone else to fix it.  But most are simply unaware that they
have been owned, and want the infection gone.

We've tried to educate users for tens of years of the dangers of unsafe
computing.  Doesn't work.  The users have been trained to click and install
whatever they are told, because that makes it work.

But when they _are_ compromised, and _are_ informed, most users do seek out a
fix.  Some will do it themselves.  Some will hire someone to do it for them.

When abuse desks content-filter reports, and don't pass on notifications to
the customer, or wait until there are more complaints, or... this ends up
with networks that have massive levels of infection.  Yes, I know - we're all
busy, and abuse@ is kind of the last priority on most networks, but it really
is bad out there, and we need the network operators to help.  Please.

For those network operators that would like a 5 year view on their network,
please drop me an email with your ASN, and I'll be happy to send you a text
file, xls, or ods (your pick) of a view of the historical spam traffic.
No obligation, and no salesman will call.  Really.



-- 



Re: Nato warns of strike against cyber attackers

2010-06-08 Thread Paul Ferguson

On Tue, Jun 8, 2010 at 9:36 PM, Patrick W. Gilmore patr...@ianai.net
wrote:


 But it is not -just- market share.  There are a lot more Windows Mobile
 compromises, viruses, etc., than iOS, Symbian, and RIM.  I think
 combined.  Yet Windows Mobile has the lowest market share of the four.
 So unless that is spill over because Windows Mobile & Windows Desktop
 have the same vulnerabilities, it shows that market share is only one
 piece of the puzzle.

 All that said, the biggest problem is users.  Social Engineering is a far
 bigger threat than anything in software.  And I don't know how we stop
 that.  Anyone have an idea?


Actually, it *is* market-share. That's the low-hanging fruit for
criminals.

And educating users? That bus left the station long ago.

Let's not be distracted from the issue here -- ISPs, xSPs, and other
similar providers have a responsibility here that should not shirk, or pass
along.

Police your own backyards. Before someone else forces you to do so.

- ferg



-- 
Fergie, a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawgster(at)gmail.com
 ferg's tech blog: http://fergdawg.blogspot.com/



Re: Nato warns of strike against cyber attackers

2010-06-08 Thread Mark
On 09-Jun-2010, at 12:36 PM, Patrick W. Gilmore wrote:

 On Jun 9, 2010, at 12:26 AM, Steven Bellovin wrote:
 
 Problem is there's no financial liability for producing massively 
 exploitable software.
 No financial penalty for operating a compromised system.
 No penalty for ignoring abuse complaints.
 Etc.
 
 Imagine how fast things would change in Redmond if Micr0$0ft had to pay the 
 cleanup costs for each and every infected system and any damage said 
 infected system did prior to the owner/operator becoming aware of the 
 infection.
 
 
 It isn't Microsoft.  It once was, but Vista and Windows 7 are really solid, 
 probably much better than Linux or Mac OS.  (Note that I run NetBSD and Mac 
 OS; I don't run Windows not because it's insecure but because it's an 
 unpleasant work environment for me.)
 
 Microsoft is targeted because they have the market.  If Steve Jobs keeps 
 succeeding with his reality distortion field, we'll see a lot more attacks 
 on Macs in a very few years.  It's also Flash and Acrobat Reader.  It's also 
 users who click to install every plug-in recommended by every dodgy web site 
 they visit.  It's also users who don't install patches, including those for 
 XP (which really was that buggy).  There's plenty of blame to go around 
 here
 
 A liability scheme, with penalties on users and vendors, is certainly worth 
 considering.  Such a scheme would also have side-effects -- think of the 
 effect on open source software.  It would also be a lovely source of income 
 for lawyers, and would inhibit new software development.  The tradeoff may 
 be worth while -- or it may not, because I have yet to see evidence that 
 *anyone* can produce really secure software without driving up costs at 
 least five-fold.
 
 I agree the miscreants go for the bigger bang for the buck.  That said, 
 earlier versions of Windows really were soft targets.  I don't know enough 
 about Win7 to comment, but I respect Steve and will accept his opinion.  
 Let's hope MS keeps up the good work - I do not want to bash Windows (no 
 matter how fun it is :), I want to stop being attacked.
 
 But it is not -just- market share.  There are a lot more Windows Mobile 
 compromises, viruses, etc., than iOS, Symbian, and RIM.  I think combined.  
 Yet Windows Mobile has the lowest market share of the four.  So unless that 
 is spill over because Windows Mobile & Windows Desktop have the same 
 vulnerabilities, it shows that market share is only one piece of the puzzle.
 
 All that said, the biggest problem is users.  Social Engineering is a far 
 bigger threat than anything in software.  And I don't know how we stop that.  
 Anyone have an idea?
 
Remove the users. The problem goes away. Just kidding on that. Really, the only 
way ahead is educating the users of the threats and all and maybe a learning 
experience is due for most of them.
 -- 
 TTFN,
 patrick
 
 




Re: Nato warns of strike against cyber attackers

2010-06-08 Thread Hank Nussbacher

At 15:07 08/06/2010 -0400, J. Oquendo wrote:


 At http://www.timesonline.co.uk/tol/news/world/article7144856.ece

 A report by Albright's group said that a cyber attack on the critical
 infrastructure of a Nato country could equate to an armed attack, justifying
 retaliation.

 Eneken Tikk, a lawyer at Nato's cyber defence centre in Estonia, said it
 would be enough to invoke the mutual defence clause "if, for example, a
 cyber attack on a country's power networks or critical infrastructure
 resulted in casualties and destruction comparable to a military attack".


Obviously NATO is not concerned with proving the culprit of an attack an
albeit close to impossibility. Considering that many attackers
compromise so many machines, what's to stop someone from instigating. I
can see it coming now:

hping -S 62.128.58.180 -a 62.220.119.62 -p ++21 -w 6000
hping -S 62.220.119.62 -a 62.128.58.180 -p ++21 -w 6000


Let's try to separate the attacks into those that we (NANOG) have dealt with 
and those that NATO are referring to - and there is *no* overlap between 
the two.


Attacks such as botnets, hpings, compromised machines, DDOS attacks, site 
defacements, prefix hijacks is what this list deals with, sometimes well 
and other times not.


The attacks NATO is referring to are ones like causing trains to crash into 
each other, attacks causing oil and gas pipelines to overload and explode, 
attacks altering blood bank data, attacks poisoning the water supply, etc. 
- all of which can be done remotely.


NATO is in no way (unless they have been out in the sun too long) condoning 
an attack for a DDOS attack.  I think NATO is discussing attacking if 5,000 
people die from some cyber attack as listed above (I have many more scenarios).


-Hank




Re: Nato warns of strike against cyber attackers

2010-06-08 Thread Owen DeLong
I'm all for that, but, point is that people who fail to meet that standard are
currently getting a free ride. IMHO, they should pay and they should have
the recourse of being (at least partially) reimbursed by their at-fault software
vendors for contributory negligence.

Owen

On Jun 8, 2010, at 7:39 PM, Larry Sheldon wrote:

 Lots of finger pointing.
 Lots of discussion about who should pay, and so forth.
 
 How about we just take responsibility for our own part.  Don't malicious
 traffic in or out.?
 
 If it can't move, it will die.
 -- 
 Somebody should have said:
 A democracy is two wolves and a lamb voting on what to have for dinner.
 
 Freedom under a constitutional republic is a well armed lamb contesting
 the vote.
 
 Requiescas in pace o email
 Ex turpi causa non oritur actio
 Eppure si rinfresca
 
 ICBM Targeting Information:  http://tinyurl.com/4sqczs
 http://tinyurl.com/7tp8ml
 
   




Re: Nato warns of strike against cyber attackers

2010-06-08 Thread Owen DeLong

On Jun 8, 2010, at 8:01 PM, Jorge Amodio wrote:

 Sent from my iToilet
 
 why you will penalize with fees the end customer that may not know
 that her system has been compromised because what she pays to Joe
 Antivirus/Security/Firewall/Crapware is not effective against Billy
 the nerd insecure code programmer ?
 
So? If said end customer is operating a network-connected system without
sufficient knowledge to properly maintain it and prevent it from doing mischief
to the rest of the network, why should the rest of us subsidize her negligence?
I don't see where making her pay is a bad thing.

 No doubt ISPs can do something, but without additional regulation and
 safeguards that they won't be sued for sniffing or filtering traffic
 nothing will ever happen. Do we want more/any regulation ? who will
 oversee it ?
 
Those safeguards are already in place. There are specific exemptions in the
law for data collection related to maintaining the service and you'd be very
hard pressed to claim that identifying and correcting malicious activity is not
part of maintaining the service.

 On the other hand think as the Internet being a vast ocean where the
 bad guys keep dumping garbage, you can't control or filter the
 currents that are constantly changing and you neither can inspect
 every water molecule, then what do you do to find and penalize the
 ones that drop or permit their systems to drop garbage on the ocean ?
 
Your initial premise is flawed, so the conclusion is equally flawed.

The internet may be a vast ocean where bad guys keep dumping garbage,
but, if software vendors stopped building highly exploitable code and ISPs
started disconnecting abusing systems rapidly, it would have a major effect
on the constantly changing currents. If abuse departments were fully funded
by cleanup fees charged to negligent users who failed to secure their systems
properly, it would both incentivize users to do proper security _AND_ provide
for more responsive abuse departments as issues are reduced and their
budget scales linearly with the amount of abuse being conducted.

Owen

 My .02
 Jorge
 
 I'm fond of getting the issues addressed by getting the ISPs to be involved
 with the problem.   If that means users get charged clean up fees instead
 of a security fee, that's fine.
 
 ISPs remain in the unique position of being able to identify the customer,
 the machine, and to verify the traffic.  It can be done.




Re: Nato warns of strike against cyber attackers

2010-06-08 Thread Owen DeLong

On Jun 8, 2010, at 9:06 PM, JC Dill wrote:

 Dave Rand wrote:
 I'm fond of getting the issues addressed by getting the ISPs to be involved
 with the problem.   If that means users get charged clean up fees instead
 of a security fee, that's fine.
 
 I urge all my competitors to do that.
 
 The problem isn't that this is a bad idea, the problem is that it's a bad 
 idea to be the first to do it.  You want to be the last to do it.  You want 
 all other companies to do it first - to charge their customers more (while 
 you don't charge more and take away some of their business) to pay for this 
 cost.
 
Heck, at this point, I'd be OK with it being a regulatory issue.  Perhaps we
need regulators to step in and put forth something like the following:

1.  An ISP who receives an abuse complaint against one of their customers
    shall not be held liable for damages to the complainant or other third
    parties IF:

    A.  Said ISP investigates and takes remedial action for valid
        complaints within 24 hours of receipt of said complaint.

    B.  Said ISP responds to said abuse complaint within 4 hours of their
        determination including the determination made and what, if any,
        remedial action was taken.

    and

    C.  If the complaint was legitimate, the remedial action taken by said
        ISP causes the reported abuse to stop.

2.  Any ISP who takes remedial action against one of their customers as
    outlined in the previous section shall charge their customer a fee
    which shall not be less than $100 and not more than the ISP's full
    costs of investigation and remedial action.


I'm not saying I necessarily like the idea of more regulation, but, if we as
an industry are unwilling to solve this because of the above competitive
concerns, then, perhaps that is what is necessary to get us to act.

Owen




Re: Nato warns of strike against cyber attackers

2010-06-08 Thread Paul Ferguson

On Tue, Jun 8, 2010 at 10:22 PM, Owen DeLong o...@delong.com wrote:


 Please, be for real -- the criminals go after the entrenched majority.
 If it were any other OS, the story would be the same.

 If this were true, the criminals would be all over Apache and yet it is
 IIS that gets compromised most often.


Actually, that is another fallacy.

The majority of SQL Injections are on Apache-based systems.

Look, this isn't a blame-game in which we need to point out one vendor,
operating system, plug-in, browser, or whatever.

The problem is that it is a wide-spread problem wherein we have millions of
compromised consumer (and non-consumer) hosts doing the bidding of Bad
Guys.

I would certainly love to hear your solution to this problem.

And stop pointing fingers.

- ferg





-- 
Fergie, a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawgster(at)gmail.com
 ferg's tech blog: http://fergdawg.blogspot.com/


