On Conficker: The Return of the High-Profile Mass Infection Worm


They’re back!

It has been a while since we had a good old-fashioned, highly publicized, hysteria-inducing, globally distributed, mass-infecting worm. The AV vendors (here) and (here) must be ecstatic that 2009 is really turning out to be the year of the largest security incidents since the beginning of forever, as I predicted it would be back in January (here). Of course you could make that prediction every year for the next 20-30 years and pretty much experience an 80%+ success rate; it’s like predicting that as social media becomes ubiquitous we will experience more social media related security threats, or that as the economic condition worsens it will drive even more financially motivated cybercrime, buoying an already burgeoning digital black market, or that there will be more high-profile data breaches – all no-brainers.

Cloud computing: Swarm Intelligence and Security in a Distributed World

Reading through my blog feeds I came across something Hoff wrote in response to Reuven Cohen’s “Elastic Vapor: Life In the Cloud” blog; in particular I wanted to respond to the following comment (here):

This basically means that we should distribute the sampling, detection and prevention functions across the entire networked ecosystem, not just to dedicated security appliances; each of the end nodes should communicate using a standard signaling and telemetry protocol so that common threat, vulnerability and effective disposition can be communicated up and downstream to one another and one or more management facilities.

I also wrote about this concept in a series of posts on swarm intelligence…

Evolving Information Security Part 1: The Herd Collective vs. Swarm Intelligence (here)

The only viable option for collective intelligence in the future is through the use of intelligent agents, which can perform some base level of analysis against internal and environmental variables and communicate that information to the collective without the need for centralized processing and distribution. Essentially the intelligent agents would support cognition, cooperation, and coordination among themselves built on a foundation of dynamic policy instantiation. Without the use of distributed computing, parallel processing and intelligent agents there is little hope for moving beyond the brittle and highly ineffective defenses currently deployed.

Evolving Information Security Part 2: Developing Collective Intelligence (here)

Once the agent is fully aware of the state of the devices it resides on, physical or virtual, it will need to expand its knowledge of the environment it resides in and its relative positioning to others. Knowledge of self, combined with knowledge of the environment, expands the context in which agents could effect change. In communication with other agents, the response to threats or other problems would be more efficiently identified, regardless of location.

As knowledge of self moves to communication with others there is the foundation for inter-device cooperation. Communication and cooperation between seemingly disparate devices, or device clusters, creates collective intelligence. This simple model creates an extremely powerful precedent for dealing with a wide range of information technology and security problems.

Driving the intelligent agents would be a lightweight and adaptable policy language that would be easily interpreted by the agent’s policy engine. New policies would be created and shared between the agents, and the system would move from simply responding to changes and begin to adapt on its own. The collective and the infrastructure will learn. This would enable a base level of cognition where seemingly benign events or state changes, coupled with similarly insignificant data, could be used to lessen the impact of disruptions or incidents, sometimes before they even occur.

The concept of distributed intelligence and self-healing infrastructure will have a major impact on a highly mobile world of distributed computing devices; it will also form the foundation for how we deal with the loss of visibility and control of the “in the cloud” virtual storage and data centers that service them.

US Military Seeks to Cyber Bomb Digital Combatants

The US Military is looking to cyber bomb digital enemy combatants (here) back to using an abacus, a stone tablet and some empty cans with string for calculations and communication.

The world has abandoned a fortress mentality in the real world, and we need to move beyond it in cyberspace. America needs a network that can project power by building an af.mil robot network (botnet) that can direct such massive amounts of traffic to target computers that they can no longer communicate and become no more useful to our adversaries than hunks of metal and plastic. America needs the ability to carpet bomb in cyberspace to create the deterrent we lack.

The DoD’s mission statement is essentially to enable and support the warfighter – they exist for no other purpose. The mission of the warfighter is to deliver sovereign options for the defense of the United States of America and its global interests. It is quite natural for this enablement and support to extend beyond physical domains in a world with an increasing reliance on digital, satellite, and radio communications.

This recent RFP for a “Dominant Cyber Offensive Engagement and Supporting Technology” from the US Air Force (here) details the requirements for a highly sophisticated, stealthy botnet with rootkit functionality. I have no doubt that the US military will implement and develop such a system. The question is: can the US military effectively fight a cyberwar against a highly distributed, disorganized, and undefined adversary?

One of the major challenges of the US Military in implementing effective offensive computing technologies is the same challenge we face in fighting terrorism today in the physical world. It is extremely difficult to attack a highly distributed enemy with loose or no central command and control structures. An army of independent combatants, connected only through a common ideology, taxes a military that has been optimized to defeat traditionally organized and centrally managed armies.

The challenge extends to cyber warfare as well, in an even more exaggerated way. Cyber attacks against our national infrastructure are difficult to prove as state-sponsored; additionally, the attackers can use spoofed IP addresses or route through compromised machines located in the US. Chinese-backed hackers, for example, can work independent of the military and political establishments and in doing so present a radically different set of problems to the US Military, which tends to suffer in effectiveness when the enemy is not clearly defined.

Additionally, this method of decentralized warfare allows our enemies a many-to-one relationship in attacking the US. The US, on the other hand, is challenged by a one-to-many relationship with our attackers. Put another way, it is quite simple to develop weapons that can kill an elephant moving slowly through a savanna, but much more difficult to eliminate mosquitoes throughout the jungles of Southeast Asia while limiting collateral damage to the butterfly population. This forces the US into a continual defensive or reactive posture that keeps us struggling to keep up with our current enemies’ tactics.

You should also read this post from Dancho Danchev (here):

The bottom line – why put efforts into building something that would generate a lot of negative publicity and might never materialize, when you can basically outsource the process and have the capability provided on demand? Just like the bad guys who do not have access to botnets do by using botnets as a service?