Reporting terrorism, affect your credit? (we’re doomed)

[This was originally published on attrition.org.]

Right as I am about to wind down for the night, ISN rolls in, filling the inbox of most people before they wake. One of the last articles caught my attention and I read the first few paragraphs.

Sandia to boot behemoth botnet

This article (full GCN article) was disturbing to say the least. A couple of academic researchers, cut off from the real world, out of touch with reality and how the ‘world’ works, decide they need to control a botnet. Not a 10k node botnet, not a 100k node botnet.. but a 1 million node botnet. In case you haven’t read lately, the threat of a botnet is serious. Some men are charged in botnet related crimes, and the threat of a million-PC botnet is a threat to consumers. (Still don’t believe? Google ‘botnet threat’).

From the article:

Starting in October, a huge botnet will be run not by nefarious underground figures but by the Energy Department’s Sandia National Laboratories.

“If you want to take a look at what is really threatening the Internet, we have to talk about the scale of the network we are working with,” Rudish said. “One million gets us pretty close to understanding these botnets.”

If someone takes over or controls 1,000,000 machines, they are a threat or at least a concern to the U.S. As said in the article, “Anything that scales to a million, it is impossible to watch any single thing,” Minnich said. The FBI has aggressively pursued and prosecuted people in control of a 1 million node botnet. When the people in control admit “it is impossible to watch any single thing”, and cannot fully control it, they should be worried. You should be more worried.

I replied to the ISN post challenging the researchers, questioning if they don’t understand the power after controlling 10,000 or 100,000 nodes, how will they really learn anything by controlling 1,000,000 nodes? This kind of power with any type of net connectivity is dangerous. What if a bad guy gets ahold of THEIR botnet? They already admittedly don’t understand the power of a 1 million node botnet. Anyone that cannot learn from 10k or 100k machines, cannot learn from 1 million machines. If they can learn, they can also be tempted by the criminal nature of what they’re doing. The line between 100k and 1 million is amazingly blurry.

The Sandia researchers go on to talk about ‘study in the wild’ and imply that studying in the lab doesn’t suffice. If you can’t replicate this environment in the lab, then you fail as junior 101 collegiate researchers. If you argue, then see above, you are criminals waiting to happen and we’ll see you on ISN in a year or two. In the rare case we don’t, we’ll see your limp research paper buried in academia, as ‘academics’ that couldn’t figure out “real life 101”.

Clear and present danger…

While ranting about this to ISN, it occurred to me that this ‘test’ screams of ‘threat to national security’. Anyone who runs a million node botnet that couldn’t learn from 100k nodes should not be running it. Worse, the last twelve months of threats to the U.S. centered around ‘distributed denial of service’ attacks and botnets are exactly what we’re seeing here. As a responsible U.S. citizen, how do I report this crime-waiting-to-happen?

A quick search took me to https://tips.fbi.gov/ where they ask me:

Please use this website to report suspected terrorism or criminal activity. Your information will be reviewed promptly by an FBI special agent or a professional staff member. Due to the high volume of information that we receive, we are unable to reply to every submission; however, we appreciate the information that you have provided.

Your First Name
Your Middle Name
Your Last Name
Your Phone
Your Email
Your Street 1
Your Street 2
Your Suite/Apt/Mail Stop
Your City
Your State
Your Country
Your Zip Code / Route

Please enter your information:

In order to complete your tip submission, please enter the 5 digits listed below.

[Clear] [Submit]

Really? To ‘tip’ the government off on a threat to national security, you want that information with an open text box where I describe the crime, using no mandatory fields on ‘who’, ‘where’ or ‘when’? But hey, at least you have a CAPTCHA in place to stop spam.

Not wanting to go through that.. as a responsible citizen, reading about “a huge botnet” being controlled by Ron Minnich and Don Rudish, I have to be very concerned.

Per my searches, I need to contact my local FBI office at (303) 629-7171 and warn them.

“If you want to take a look at what is really threatening the Internet, we have to talk about the scale of the network we are working with,” Rudish said. “One million gets us pretty close to understanding these botnets.”

“Anything that scales to a million, it is impossible to watch any single thing,” Minnich said. “So you need to have this be a highly automated self-maintaining system.”

I called my local FBI office, told them I wanted to report a ‘botnet’ capable of DDoS attacks. The nice agent told me that I should report all tips through ic3.gov, which I typed into my browser:

http://www.ic3.gov/default.aspx

Welcome to IC3

The Internet Crime Complaint Center (IC3) is a partnership between the Federal Bureau of Investigation (FBI), the National White Collar Crime Center (NW3C), and the Bureau of Justice Assistance (BJA).

[..]

Filing a Complaint with IC3

IC3 accepts online Internet crime complaints from either the person who believes they were defrauded or from a third party to the complainant. We can best process your complaint if we receive accurate and complete information from you. Therefore, we request that you provide the following information when filing a complaint:

* Your name
* Your mailing address
* Your telephone number
* The name, address, telephone number, and Web address, if available, of the individual or organization you believe defrauded you.
* Specific details on how, why, and when you believe you were defrauded.
* Any other relevant information you believe is necessary to support your complaint.

File a Complaint >>

Hrm. So I click on ‘File a Complaint’:

http://www.ic3.gov/complaint/default.aspx

If you think your life is in danger, please contact your local and/or state police immediately!

File a Complaint

Prior to filing a complaint with the Internet Crime Complaint Center (IC3), please read the following information regarding terms and conditions. Should you have additional questions prior to filing your complaint, view FAQ for more information on inquiries such as:

* What details will I be asked to include in my complaint?
* What happens after I file a complaint?
* How are complaints resolved?
* Should I retain evidence related to my complaint?

The information I’ve provided on this form is correct to the best of my knowledge. I understand that providing false information could make me subject to fine, imprisonment, or both. (Title 18, U.S. Code, Section 1001)

The IC3 is co-sponsored by the Federal Bureau of Investigation (FBI) and the National White Collar Crime Center (NW3C). Complaints filed via this website are processed and may be referred to federal, state, local or international law enforcement or regulatory agencies for possible investigation. I understand any investigation opened on any complaint I file on this website is initiated at the discretion of the law enforcement and/or regulatory agency receiving the complaint information.

Filing a complaint with IC3 in no way serves as notification to my credit card company that I am disputing unauthorized charges placed on my card or that my credit card number may have been compromised. I should contact my credit card company directly to notify them of my specific concerns. Advisory:

You are about to file a complaint with the Internet Crime Complaint Center. The confidentiality of the information you provide may be affected by differing state law. As such, we cannot guarantee that your complaint will remain confidential. The complaint information you submit to this site is encrypted via secure socket layer (SSL) encryption. Please see the Privacy Policy for further information.

We thank you for your cooperation.

[I accept]

Uh, really? “Terms and conditions”? I actually have to agree to all of this about “notification to my credit card company” and any complaint is “initiated at the discretion of the law enforcement and/or regulatory agency receiving the complaint information“? In short, there is a “click-wrap” license invoked on reporting a threat to national security that may relate to my credit, and that law enforcement MAY initiate an investigation. If I call 911, they initiate an investigation even if it’s a hangup. Yet telling the FBI about a threat to national security MAY initiate an investigation?

I told the kind agent “I really don’t want to agree to those terms.” She told me I could come down to the local office at:

1961 Stout Street
Denver, CO 80294

Or I could fax in a complaint to: 303-629-7171

Which is the same number I called, but ‘would recognize faxes’.

Not even two minutes later, it sticks in my head. Wait.. I call back to confirm, talk to the same nice agent who confirms I must make a complaint during business hours.

Again, really?! You have a click-wrap license for reporting potential TERRORISM to the FBI, or you make them fax something to the same glorified receptionist who told you that you must show up in person during business hours to report a threat to national security should you not trust the IC3 web site. You wonder why people are numb to any threats around them?

Before you write this off, remember; the FBI goes after criminals based on intent, not necessarily action.

Jesus H. Christ on a pogo-stick, we’re doomed.

– security curmudgeon

p.s. select * from database where job like “FBI agent” and fbi_office like “denver” and orientation like “bi” and gun_status like “CCW” and relationship_status like “single” and first_name not like “dieter”;

p.p.s cute sounding FBI agent answering the phone at 3:45a MST. i can offer you guinea pigs, kinky sex and more money than the FBI will offer you. call me, i know you have my number!

VDB Relationships (Hugs and Bugs!)

[This was originally published on the OSVDB blog.]

Like any circle in any industry, having good professional relationships can be valuable to involved parties. In the world of security, more specifically Vulnerability Databases (VDBs), the relationships we maintain benefit the community behind the scenes. Like ogres and onions, there are layers.

Someone from CVE and someone from OSVDB run an informal list called ‘Vulnerability Information Managers’ (VIM) for discussion of vulnerabilities as it relates to post-disclosure issues. New information comes up, additional research, vendor confirmations, vendor disputes and more. It’s a great resource for us to discuss the details that help each VDB fine-tune their information. (No new vulnerabilities are posted there, don’t bother.)

In addition, some of the VDBs have stronger relationships that allow for great dialogue and information sharing. A few examples of these, from OSVDB’s perspective:

– A couple of the CVE guys are great for very informal chat about vulnerabilities. Despite being the dreaded “government contractors”, they are respectable, very knowledgeable and have a great sense of humor. I just sent one a mail with the subject “PROVENANCE BITCHEZ?!” challenging him on the details of a given CVE. They are so nice, I broke my rule of not taking candy from strangers and happily accepted the bag of leftover candy from their BlackHat booth. Joking aside, the ability to coordinate and share information is incredible and a testament to their integrity and desire to help the industry.

– OSVDB uses Secunia for one of our feeds to gather information. The two guys we regularly have contact with (CE & TK) lead a bright team that does an incredible amount of work behind the scenes. In case it slipped your attention, Secunia actually validates vulnerabilities before posting them. That means they take the time to install, configure and test a wide range of software based on the word of 3l1t3hax0ry0 that slapped some script tag in software you never heard of, as well as testing enterprise-level software that costs more than OSVDB makes in five years. Behind the scenes, Secunia shares information as they can with others, and there is a good chance you will never see it. If you aren’t subscribed to their service as a business, you should be. For those who asked OSVDB for years to have a ‘vulnerability alerting’ service; you can blame Secunia for us not doing it. They do it a lot better than we could ever hope to.

– The head of R&D at Tenable contributes a lot of time and information to VIM based on his research of disclosed vulnerabilities. Installing the software, configuring, testing and sometimes noticing additional vulnerabilities. He is a frequent contributor to VIM and has worked with OSVDB on sharing information to enhance the Nessus plugins as well as the OSVDB database.

– str0ke, that mysterious guy that somehow manages to run milw0rm in his spare time. What may appear to some as a website with user-posted content is actually a horrible burden to maintain. Since the site’s inception, str0ke has not just posted the exploits sent in, but he has taken time to sanity check every single one as best he can. What you don’t see on that site are dozens (hundreds?) of exploits a month that were sent in but ended up being incorrect (or as OSVDB would label, “myth/fake”). When str0ke was overwhelmed and decided to give up the project, user demand (read: whining & complaints) led him to change his mind and keep it going. Make sure you thank him every so often for his work and know this: milw0rm cannot be replaced as easily as you think. Not to the quality that we have seen from str0ke.

Since we have no corporate overlords, I’ll go ahead and talk about the flip side briefly:

– ISS (now IBM) runs a good database. Very thorough, keen on detail, including original source and vendor information. In 2004, the head of that group (AF) left, and until that time, we had a great dialogue and open communication. Since then, even before the IBM frenzy, we’ve mostly gotten the cold shoulder when mailing. Even when pointing out problems or negative changes on their side. LJ, bring back the old days!

– NVD. Why do you waste taxpayer money with that ‘database’? We pay $22 for Booz Allen Hamilton to “analyze” each CVE entry (thanks FOIA request!), yet they find a fraction of the typos and mistakes I do? By fraction, I mean exactly none from what I hear through the grapevine (DHS cronies are cool). If you can’t notice and report simple typos in a CVE, and you botch CVSS2 scores left and right (yes, I’ve mailed in corrections that were acted on), what exactly are you doing with our money? Are you the virtual Blackwater of VDBs?

– SecurityFocus / BID. Sorry, not going to bother with verbal fluffing. My countless mails pointing out errors and issues with your database are seemingly dumped to a black hole. Your promises of certain mail archives ‘not changing’ were pure fantasy. To this date you make erroneous assumptions about affected products, and still don’t grasp “case sensitive”. I know some of your team, you have great people there. Just lift the corporate policy that turns them into virtual shut-ins, please?

Sorry to end it on a downer. I still dream of a niche of the security industry (VDBs) where we can all play well with each other.