Security Watch: Don't get burned by viruses and hackers
State-sponsored cybercrime
By Robert Vamosi 
Senior editor, CNET Reviews
November 30, 2007

This week, McAfee released its third annual report on cybercrime. What makes this report stand out from other vendor reports is that it's not just what McAfee thinks; McAfee asked leading computer security experts from NATO, the FBI, SOCA, The London School of Economics, and the International Institute for Counter-Terrorism for their insight, which makes this an interesting read. In advance of the release, I spoke with Dave Marcus, security research and communications manager for McAfee Avert Labs, about some of the key findings with the report, such as state-sponsored malware, the prospects of a digital Pearl Harbor, the buying and selling of vulnerability research, and support contracts for malware.

State-sponsored malware
In June of 2007, the Pentagon's computer network was hacked, ostensibly by someone in China. According to Dr Richard Clayton of the Cambridge University Computer Laboratory, "The software used to carry out these intrusions (on the U.S. Pentagon) was clearly designed and tested by organizations with much greater resources than the usual individual hackers." Marcus agreed, saying that McAfee has seen companies that are owned outright by governments and that actually produce exploits. "We've seen more malware come out of certain countries, so it is very hard to say it's necessarily state sponsored; it's simply malware that's created by people who live in that country. But there's certainly also malware that shows direct evidence of government sponsorship, and I think you'll end up seeing a lot more of that just because there's so much darn money to be made in it."

Another finding in the report states that "High-tech crime is no longer just a threat to industry and individuals. National security is also under attack." I asked Dave if he thought, with state-sponsored malware on the rise, we might see what Richard Clarke, former cyber czar for the White House, has called a "digital Pearl Harbor." Marcus disagreed. "I really don't think things are really going to be like that," Marcus said, referring to a single, crippling event that might affect thousands of people. "I think what you'll see is a lot of state-sponsored malware. I don't necessarily think you'll see huge impact events like that. I mean, most of the research we do, most of the stuff we monitor or look at, doesn't take us down that direction."

Selling vulnerabilities
Another finding in the report calls into question the practice of some security companies offering financial rewards to security researchers who come forward with newly found vulnerabilities. The idea is that the purchasing company can negotiate with the affected vendor more effectively than a lone researcher can; at the same time, customers of the vulnerability-purchasing company will have some form of remediation available should the vulnerability be exploited in what is called a zero-day attack. The United States, according to McAfee in its report, is attempting to block the sale of 3Com, which owns Tipping Point, to a large Chinese company, in part because it feels the vulnerabilities purchased by Tipping Point might fall into the hands of the Chinese government.

"We've come out very publicly against vulnerability bounty programs in the past, and we will continue to do so in the future," said Marcus. He went on to say, "I don't think the researcher should not get some kind of credit, or...payment in some way, shape, or form. I think based upon their research and their time, they deserve something, but the buying and selling of it simply means you get more vulnerabilities, and you get more malware."

And when vendors don't respond?
McAfee's advice to security researchers is to always work with the vendor. "Work with the vendor to disclose, so that way users are not put at risk," said Marcus. "When a researcher either discloses prior or doesn't give the vendor time to get a patch out through their own research and QA, at the end of the day, users are put at risk. And that's our issue, and it'll always be our issue."

I disagreed, mentioning the experience of Chris Soghoian and others who want to act responsibly but find the experience of working with a particular vendor impossible. "I certainly understand that," Marcus said, "and what I think they mistake is the vendor taking the time the vendor needs to take for their QA process or their change control process, and thinking they're getting ignored. Because it is not the case. It's simply that the vendor has a software cycle, or a change cycle, or a QA cycle that they have to maintain. When the researcher submits a bug, first it has to be verified--it has to be verified that the bug is actually a bug, and those things take time. And I think the researcher gets frustrated, either because they're not getting enough communication, or it's just not taking what they feel is the right amount of time."

Support contracts for malware
As evidence that malware writers, whether solo, gang, or state-sponsored, are increasingly sophisticated, McAfee cites that malware writers are now selling support contracts that guarantee their malware will exploit the latest vulnerabilities or remain hidden from the latest security signature files. Marcus said he's seen sites that "sell support contracts for a lot of the malware they would create, so even if they were just selling you, just providing you with a Trojan software, they would offer you an upgrade contract or a support contract, or free upgrades for X period of time. Or they would guarantee to get you past these certain security vendors for a certain period of time."

Where once malware writers wanted to remain anonymous, they're now in public, advertising their wares. You would think that selling a support contract in addition would expose the malware writer to litigation; it does not. "In many cases, we know a lot of times who creates certain classes of malware, or who creates certain types of password stealers, or who creates certain types of Trojans or downloaders and stuff like that. But doing something with that information or making (it) actionable is very difficult to do, which is why, in all honesty, we (at McAfee) focus so hard on the eradication of the malware."

You can hear more of my interview with Dave Marcus in this week's Security Bites podcast.
