I said hello, everybody! Woo! Okay. Basically, we're supposed to have Maj here to moderate. I suppose he didn't wake up from partying. That's cool. It's DEF CON. It is cool. It is indeed. If Dan says so, it's correct. Now, what we're doing here, I'll go over this presentation real quick because we don't have two hours, we have only one, and that's probably going to go down to 40 minutes because everybody is behind schedule, what a surprise. And as we are at DEF CON, we are not going to be serious. We hoped to be drunk, but there is no drinking here, and the bar was very far away, so you'll have to excuse us, and especially Dan. You're lucky we came here at all. And what we are basically going to do, we have no idea what we are going to do, but the basic idea behind what we are doing, that we have no idea or whatever, is to be able to give you guys a glimpse, which you will choose, into not vulnerabilities, not malware, not anything else, but what's going on that's really a threat. I don't care personally. I don't care about black-hat hackers, gray-hat hackers, white-hat hackers. These guys will probably feel differently, each depending on his own view. We care about the Russian mob. Again, I have nothing against Russians, and I'm not afraid, so don't say that. And last year I said a lot of disclaimers about the Russian mob before I actually said their threat, and this guy thought I was just afraid of Russians, so whatever. So, not being funny, the purpose is there is a lot going on on the Internet. Some of it involves the mob, the mafia. Some of it involves a lot of guys wanting to make money. Some of it involves spammers. Some of it involves DDoS. And beyond vulnerabilities, beyond all that we see day-to-day, or whatever else might actually be useful, there are operations, and that's what we want to discuss from two angles. One, what the bad guys are doing, and two, what's being done to try and counter that. I'm done. 
Let's go real quick over the presentation, and since Maj isn't here... Hello, Maj! Yo! No, since Maj isn't here, Dan Kaminsky, I'm an idiot, will co-moderate this panel. Quick introductions. I'm Gadi Evron. Nice to meet you guys. This is Dan Kaminsky. I love this guy. You guys suck. Now, please do excuse us. There are some very serious people on this panel, and they are shocked right now. I did warn them it's DEF CON, and I did warn them we are not going to be serious, although we are trying to be professional. So, I'll take the hits, whatever. And you guys just do whatever you want. This is Andrew Fried with the Treasury Department. That's how you say it? Yeah, yeah, you don't have to... Also known as the IRS. Yeah, he's from the IRS! You now know what the IRS looks like. But to be serious, he is one of the guys doing a lot... One of the few guys that are doing a lot in law enforcement today. And not to get black hats, but to get the guys that steal your grandma's money, or make her pay for Mozilla Firefox. This guy over there is Dan Hubbard. He's one of the greatest guys today to talk about web vulnerabilities and who is actually using them to take your grandma's money, or yours. The guy next to him is another one of the best law enforcement officers today, going after all these bad guys. He's called Tom Grasso, he's with the FBI. He's the G-Man. And next to him is Paul Vixie. I don't know how many of you may know him. Yeah! He's not law enforcement. Come on, he's not the G-Man. You can applaud. He, in a couple of words, wrote cron, wrote BIND. He's probably one of the... If not the number one, he's probably one of the three most respected network operations guys today in North America. And, well, they can talk about themselves later. I said they have five words, they can have a real geek moment for a second. Buffy, five words. Out for a walk, bitch. I don't know how many of you watch Buffy, but whatever. Yeah, Buffy told Spike he has five words. So, okay, never mind. 
We have a lot of other guys here in the front rows who are part of groups that help mitigate these issues daily. They may just jump on stage at any point and try and answer some questions. Is Nicolas here? Nico? Okay. And there is Ryan here, I see him. I don't see other people, but I'm blind. So, they may answer questions on their own and stuff that they understand better. And now I'll give the mic over to these guys with five words to introduce themselves. Dan, you don't need it. Seriously, you don't need it. You can take the mic. My name is Andrew Fried. Okay, give it... Whatever. Dan runs Websense Labs. You have one more. Bitch, okay. I feel like I'm on a dating game. I feel like I'm on a dating game. This is not the TCP/IP drinking game. That's tonight. You don't get points. Okay. I am not your mama. Stop acting like it. Get started. I'll go real quick over this presentation and we can get into business. Internet Wars is the name we chose. I don't know why, it seemed cool. We don't know what we're going to talk about yet. Purpose of this panel, next. What does it mean to have this panel at DEF CON? Well, we figured... We discussed these things behind closed doors, secret ancient clubs, '50s... I don't mean to insult any white people or Christians in here. Okay, this is kind of something people say, or I say. '50s all-rich, all-white, all-Christian clubs, you know, of the Internet. We do the secret security. We don't let anybody know anything. Full disclosure is bad, all that shit. Well, we decided there is a reason that the security community is so huge, and that basically you guys are the people who face the threats every day or create them. I don't know. And these things, especially those that are already public in a way, need to be disclosed and discussed publicly so things can get done, so your mother doesn't get... doesn't pay for the whole Firefox. Whatever. You're really scared of this whole paying for Firefox thing, man. It's not my joke, I stole it. I'm allowed. 
I have to pay for Firefox? You feds, too. Okay. The moderator, Maj. I want to hear from you. Come on, Maj. Woo! Well, whatever. Yeah, the TCP/IP drinking game is tonight and he's great, so be there. Free beer. Members... Unless he participates in the DEF CON drinking game, in which case he'll be unconscious. Threats. Forget that word. It's a buzzword. Internet security operations. Usually, shut up. Usually that means local networks, for example an ISP or whoever runs operations and cares for their business and their network staying alive. For antivirus, it means following what new threats, viruses, whatever are out there and getting things done. We speak about the Internet itself. Stakeholders of the Internet. Who are the stakeholders of the Internet? Can anybody shout a name? There are a lot of stakeholders of the Internet. For example, eBay, Google, but they're all, as big as they may be, pretty much centered on their own business. In my opinion, that's my opinion alone, the stakeholders of the Internet are Microsoft and the Russian mob. I said that last year. The reason for that, well, you'll see later. The economics game. What we're talking about is economics. And why are we talking about economics? Because this is not about kiddies. A hacker sitting at home will look for challenges, cool stuff, whatever he wants to do. These guys, if they keep developing worms, if they keep funding operations overseas, physical operations, these phishing attacks, whatever they are, are actually real-life fraud operations using the Internet. Cybercrime is not about somebody breaking into somebody else's box. It's about using their techniques and their skills to perform real crime. Just a couple, one number. It is estimated that by the end of this year, 2006, about $2 billion will be lost from phishing alone. That means phishing alone. Not countermeasures, not preventative measures, not reimbursing users, whatever is around that, and that's only phishing again. 
So, yes, there is a lot of return on investment for the bad guys, and the good guys are not really sharing information beyond certain circles, and then some, I guess, well, not really. What people are doing, the right thing, fighting on the right side of the fence, we'll discover that in a moment. Just in a couple of words, not really everything, but technologies that play a significant part in this fight. The bad guys, they have dynamic DNS providers where they can just say, go register some host, change the IP addresses, or register a new host as much as they want. So if they have, for example, a botnet command and control server or a phishing site, they can just keep switching sites, IP addresses or whatever else as quickly as they want, and these services are free, so why not? Fast flux: imagine changing your IP address every 10 minutes. That's kind of cute. Now imagine not doing it for your A record, but actually changing your name server. That's kind of nice. Trojan horses, a couple of words. Everybody knows about phishing, right? Getting fake websites, emails, whatever, your bank account has been stolen, go whatever. Please enter your password or whatever. Well, today the game is a little bit different. I'll give you an example. This has been in the news a little bit, not really in a big way. People are not talking about it too much, but it has been published recently. For example, several organized crime groups these days have released different types of Trojans. 
We can call them worms, if you like, that go around, infect people, and whenever these people, using different hooks, using rootkit techniques, whenever these people would go to an HTTPS site, their credentials would be stolen and reported back to their controller, which means these guys have huge databases of your credentials, if you're infected, wherever you go. So that would mean a few hundred thousand sites if you're just one of these guys, and say we get 10 sites per person per day, just throwing a number. It gets to gigabytes of information every day of stolen accounts for thousands, on thousands, on thousands of users. Again, last time I checked there were several hundred thousand URLs such as these, with one guy checking into this stuff. So if you're entering an HTTPS site and your information has been stolen, it's saved somewhere, but that's a lot of data, so somebody has to do something with that. So these organized crime groups, for example, would have the triage team which would look at them, see if there is anything interesting, do statistics to see if any sites repeat themselves. A lot of users go to a certain bank, or a certain bank suddenly developed an online activity that may be interesting to them. They would then pass it on to the operational team which would steal the money, for example, if there are accounts that are really worth their time, if there is enough money in there. And basically they do a good job. Then they would have banks or other organizations, not just banks, e-commerce sites, that would be directly targeted. So if you enter some sort of URL and that URL is in their watchlist, basically, they would download specific regular expressions to steal this data, and it would move in real time, so with man-in-the-middle technology in the box itself, the transaction can be altered and the money can be sent immediately to a money mule as you do transactions online. There's a lot of technology involved. 
Trojan horses are a big part of it. If you didn't get that, we'll talk about it tomorrow, so never mind. Hey, Gadi? Move this along, we're half past the hour. Yep. In fact, why don't we start having a conversation about this stuff? I'll be done in a second. I wanted to hear myself, thank you very much. Spyware, spam, botnets, whatever. These are all legitimate technologies being used by the bad guys. Good guys, well, whatever. So I'm actually interested in... Where do we go from here? Now we can start talking. Dan, thank you. So, you're here from the FBI. Why don't you tell us about some of the interesting things that you've seen? I mean, from the perspective of actually seeing malware on the ground. Well, I think what Gadi was saying was kind of hinting at what the big problem is right now, which is organized crime groups that are on the Internet conducting these different types of fraud and scams. And I guess the way I would sum it up is that it's everything. Everything is related. I can't say that computer intrusions are a specific problem or phishing is the big problem or spam is the big problem, because what we're seeing is that these are all related. They're all part of an underground economy and they're all kind of feeding each other and contributing to the problem. I know that's... I'm not trying to be evasive or whatever, but that's just the reality of the situation right now. You have malware that is being written by some very skilled people, and they're making money writing their malware and they're selling it to these other people that conduct phishing or they conduct spam or other types of scams. And then the spammers are hiring people to do DDoS against the anti-spam sites. The organized crime groups are doing carding. They're popping e-commerce servers. They're doing phishing to get card numbers. They're compromising ATM machines. It's all feeding. It's all fueling this underground economy that we have right now. 
Dan, you look like you have something to say. Sure. Yeah, so just to get into a little bit more detail, you know, the highest numbers that we're seeing are in two areas, in Eastern Europe, particularly in Russia. These are the guys that are creating the kits that allow the people that aren't so skilled to create these attacks. So those kits, the most popular today are Web Attacker, Root Launcher, and Nuclear Grabber. Those are really the top three kits that are on the Internet and being dispersed on the Internet today out of those regions. Those are used all over the world, particularly going after banks and e-commerce. Then the Brazilian crews are really all about deception, and just simple deception techniques. They're really more about volume and just going after beating signatures in AV. So they're really going after just the low-hanging fruit. Hey, you got a greeting card. Click on this, grab it, and they just go after, you know, literally thousands of new variants of banker Trojans every week. I mean, kits, yes, but... Okay, sorry. So what they're doing is they create online storefronts on the Internet, basically, for anywhere from $30 to $1,200. You can go online, buy a kit, basically essentially a piece of software. In many cases, it comes with a manual. It shows you how to do an attack online and steal credentials from many users. Another big group out there is something called the iFrameCash.biz folks. They're online. They actually front an affiliate program that is really, at the end of the day, designed to install adware, potentially unwanted software. And for some of their affiliates, which most likely are their friends or themselves, they're also downloading keyloggers and rootkits and stealing credentials from the users. So it's funny, I actually saw this... There was one really great piece of spyware or adware that actually had a EULA. And one of the things they said is, you know, it was picked up off a porn site. And... Hey, I have no idea how I... 
Dan, are you going to porn sites? Are you googling for porn? Did you get lucky? Oh, no, it was great, right? It said, we reserve the right to deem certain sites as unsafe and to silently redirect you to safe sites. So what they would do is they would wait for people to actually try to buy access to one porn site and would silently redirect the money elsewhere and make it appear that they had gotten the other one. You'd have these porn sites that, you know, had a steady income and it would plummet because suddenly all their money was being taken and migrated to a different site. Paul, guys, we don't have time, so we'll leave time for questions, okay? Paul, we are getting into the economics and you're one of the guys to lead that debate. I would like to hear from you. The economics of the problem. Yeah, world-famous economist Paul Vixie here. We call this an underground economy in the same way that we would call a protection racket an underground economy. But there are actually a lot of real goods and services moving along these channels and, you know, ultimately it will be people, you know, bean counters at the IRS who are kicking in these doors, because we'll be getting them on tax evasion, because in many cases that's the only thing we'll have proof of. What's, you know, I liked the characterization Gadi made. This is unusual for me, to agree with Gadi, by the way, where he said it's not really... I do know where you live. It's not really a crime to just break into somebody's box. You have to actually damage something, and that's sort of always been true. We've tried to make the victimless crime of reading people's files a problem, but it hasn't really worked out. There's no global version of that. There is a global version of: if you delete and steal their money, then you're a criminal. So it all has to tie back to the real world, which most of us don't live in. That's why I'm happy we have the feds and the other people here who do live in that world. 
There are billions of dollars moving around. I hate the label that we give. Gadi said that there will be two billion dollars lost. Well, it won't actually be lost. If it was lost then it would be buried in holes where it was. What's happening is the two billion dollars are going to be transferred against the will of the people who had it before. So I want to say stolen, not lost. And when you have that level of theft and so forth, you've got banks out there. I've been party to meetings where a bank will say, you know, when it was only 30 million dollars a month we didn't worry, but when it got to 40 million dollars we did something. You know? And I hate that, but those are the rules of their game. They've got an economics game as well. And this will ultimately come down to: people are only going to stop doing something if they can't make money at it anymore. And as long as people, as long as my grandma keeps clicking on "yeah, I'd like to buy a Firefox," then they're going to keep selling it to her. And so economics is not about money. I've said this at every presentation I've given here: economics is about human action. That's why von Mises titled his book the way he did. And you know, if humans are going to keep clicking on this stuff, then human action is going to dictate that there's going to be more and more of this crud for sale, and I don't know how to fix human nature. Question for the panel. All right, go ahead. Basically what I'm seeing a lot of from the IRS perspective, we're getting hit with a lot of phishing sites right now, and early on when we first started seeing these we actually went out and tried to follow the emails, and we executed search warrants, went into people's houses, took their computers, only to find out they were infected and just being used as an open relay to send out the phishing emails. 
Then we started trying to follow where the people were coming in and taking over systems they were using to send emails, because they stopped using phishing computers. Most of what we're seeing right now are systems being compromised through really, really simple SSH brute force attacks. When they take over a system, and when I say these people take it over, they're using this as a launching pad to get their next round of systems that they can send out 300 million emails from and start sending out more phishing sites. Probably on average I would say one out of every five systems is infected right now. Now all of you sitting out here saying screw it, they're too stupid, they deserve it: suppose somebody got one of your credit cards, and while you're out at DEF CON you got a call from your bank saying we just had a charge from Romania, we're canceling your card, and now you go to pay the hotel and your card doesn't work. You're really screwed. So there's a lot of fallout for these victims that are getting these things. We have a lot of problems with the money that's being moved, as Mr. Vixie said. Anybody here from Romania? I was hoping to make an arrest before I left here. But we're seeing a lot of traffic coming from overseas, but interestingly enough, right before I came here this week I went and made a charge for $10 of Skype credit, and within about an hour my bank called me and said we just got a charge from Luxembourg. And I think what that tells us is that a lot of the people that are doing a lot of these crimes related to, like, credit card fraud can't use those credit cards where they live. Those credit cards have to be brought back into the US, and there's a couple of hotspots that we know of where that happens, primarily the LA area. 
So what we really have is not some poor Romanian kid who's just out to try and make his allowance by sending out a phishing kit. It's somebody out in the United States getting that Romanian to do that, getting the cards back and then using them here in the States. And to give you an idea how prevalent this has become, there's a lot of sites on IRC where you can buy stolen credit cards for $3 a piece. That's how prevalent they've become. Are those fully validated credit cards? Yes. They were fully validated credit cards. Five-dollar limits on those cards. I hope if you go there you find your card on the list. We have another visitor? Okay, I'm Nico. I'm running the security group at one of the largest telcos in Europe, and Gadi just wanted me to join. I don't know why. Good stuff. So it's from France? New York. France! Oh shit, they're sitting next to me. Question. If a stolen credit card is worth only $3 on the open market, doesn't that imply stolen credit cards aren't that easy to monetize? I think it implies there are so many of them that it's a glut market. Fair enough. In fact, there are sites out there that come up that try and sell a lot of these products, and when they first bring the site up online they'll give these things away. It's like the first 100 people that sign in. There's a complete underground economy that deals in a lot of this stuff. I'm sorry, the question? How do you buy stolen credit cards? The gentleman asks how you buy stolen credit cards with your real credit card. They generally will use money transfer services like PayPal or e-gold, or some of the... which is the one in Russia, e-gold? You would know that. I wouldn't, but I would like to make another note. Many, yes, thank you. Shut up, Gadi. With some of these guys, the concept we probably all know about is called the mule. Mule, whatever, mule. These guys get emails, I'm sure you all got them. Are you looking for a job? A good job for the summer. 
Are you able to carry these sized boxes about twice every week? Yes, this is good. You'll get 75k a year. Of course, you'll get arrested next week, but we won't tell you that. Because these guys sit in Romania, they can't get the money directly. So what they do, they use these mules and then say use Western Union, completely anonymized, and you only need a password. They'll use Western Union, send the package out, and the money is gone. Poof. So there are a lot of ways. For example, some people have been using eBay. For example, I would go to somebody who is a very well-known, respected researcher or client of eBay and I would buy something for $500. Then I would send, by mistake, 5k. And as that guy has a lot of stars of ratings and everybody loves him and he's a really good business using eBay, he can't risk his business, and I'll send him, hey dude, I'm really sorry, please send me my money back. I have to get it today. I made a mistake in the transfer, and you can keep $50 for yourself. I mean, thank you. And the guy will send back the money to the address you will specify. And there are many ways of doing this, but I believe what Paul said is the most critical. 
For real people and real groups, there have been threats made to people involved in stopping these people from doing what they're doing, in the security industry and in other places. And as long as killing botnet command and control servers, for example, is no longer scalable, you can't really get things done when the bad guys can just keep a server like that, or have incredible robustness with their current servers. Even if it's just IRC, there are a lot of DNS games and a lot of other tricks they use, with really good systems, to stay live. Paul, we will be talking about it later from the ISP's perspective, or the network operations perspective. The point is you can't... Given that confidence games, that theft, have been around forever, what makes you so phenomenally arrogant as to think you can do something to fix... Well, I know why, I know what makes you so arrogant. What makes you believe that we can actually... what makes anyone believe we can do something to fix this variant of it? Okay, the problem called drugs, correct? What makes us so arrogant as to believe we can call drugs a problem, or on the other end, what makes us so arrogant to think we can fix the problem called drugs? So I'll tell you this. First of all, no. I'll tell you this: yes, you're correct, we cannot fix the problem. It's a reactive game. They're always one step ahead of us and we react. That is why I said it is an economic problem. But that said, if I can stop being arrogant for one second, with your permission, I'll tell you this much. I don't have a solution. I don't know who does. But if we don't do something today, when it's two billion dollars, and we keep ignoring it and keep killing small fires instead of dealing with the root problems as best as we can, it will start affecting you as well. It already does, but in nature. This is for you then, so I'll tell you what makes me so arrogant on this topic anyway. Every new technology that comes along makes some things better and some things worse, and we as a society, as consumers of that 
technology, as producers of that technology, have a choice to make about which things are going to get made better and which things are going to get made worse. We didn't have to lose privacy. We didn't have to, as a result of going to a digital economy. We happened to have done so, but we didn't need to. There were other ways, and there may still be other ways, and it's still up to us whether we have to have all of these new risks come with all of these new tools. So the question that I've had has been a matter of jurisdictional issues. The way we've dealt with human nature and the way we've dealt with crime historically is to segment the world up into a small number of jurisdictions that have a certain amount of power over a certain region of land. The Internet has no geography. It has a global jurisdiction, in terms of crime can come from anywhere. Are we seeing advances on the international crime control front? Definitely, I think. But the point that you make really is an important one, that the Internet has no boundaries. I work for the FBI. I have no jurisdiction anywhere in the world that's not in the United States. So if I have a subject that's over in Italy or over in Romania, I have no jurisdiction over there. Now I can go to the authorities over there and try to make a case to them and say, hey, here's somebody that's causing a problem, we would like you to do something about it. But there's nothing I can do to force them to do something about it. So international cooperation from a law enforcement perspective, and we have made great strides in that area. There are countries that five or ten years ago, if somebody came to me with a case where we traced it back to this country, my response would have been, I'm sorry, there's nothing we can do about it, these people just don't cooperate with us, we get no response from them. That's changing. We're starting to see cooperation. A lot of these countries that are sources, the main sources of the problem, they don't have the law enforcement 
resources in place to deal with it, so their law enforcement agencies are not familiar with cybercrime. They don't have the training, the equipment, to conduct cybercrime investigations. You mentioned Romania. I can tell you stories from FBI agents that have been over to visit Romania and have done things like bought printer paper and things like that for the Romanian police, and stuff like that for their printers, and bought them floppy disks just so they have floppy disks, because they're so underfunded. That's the situation they're in. I think one thing is this disparity between the law enforcement resources that we have here in the US, of which there are quite a few, versus the law enforcement resources that are in other spots of the world, and we can't affect those things in the other parts of the world. One question though. In the recent couple of years, in the United States especially, but in Europe as well and other places around the world, they really started making a difference, in small strides, but making a difference in themselves by taking these issues seriously, raising cybercrime to a higher priority. But still, on the policy level, these issues are not that important, and obviously rape and murder should be more important. But what's being done today in the United States, not around the world, for example, to make things better? Right, so in the United States, for instance, I can't speak for the IRS, but for the FBI, cybercrime is the FBI's number three priority, so it's actually our number one criminal priority. What I mean by that is that our other two priorities above cybercrime are terrorism and counterintelligence, which are really not criminal issues. So our first criminal priority is cybercrime, and we have more FBI agents working cybercrime than ever, and we're trying to build alliances with other law enforcement agencies. One of our best partners right now is the US Postal Inspection Service. They're doing an outstanding job fighting cybercrime and making inroads, particularly into the carding stuff and 
things like that, and also trying to develop resources with folks out there outside of law enforcement. I think that's one of the... the people that are here on this panel right now, people in the audience, I think these are the best assets that we have at this point to help us with the problem. I also see that Interpol has been facilitating a lot of things internationally, and I think you even have a working group nowadays at Interpol that actually deals with cybercrime. Just to follow up on that, we really are putting much more emphasis on the international connections, and we have relationships with Interpol, with the folks over at Interpol and Scotland Yard over in the UK, all over the world. That's really where we see it being critical to being effective at this problem: forming these alliances with these other law enforcement agencies. I know, just quickly, some of the disclosure laws, like in California for example, which there's probably a good chance are going to be federal, where companies, actually publicly traded companies, have to disclose, public entities like universities have to disclose when they've had security problems and information has leaked out. That's throwing a lot of money at the problem. It's actually an ancillary benefit, but some of these laws actually are benefiting that. Is disclosure actually happening? Like on a large scale, when there are issues? ChoicePoint? Well yes, ChoicePoint, but for your everyday compromise of 50,000 credit cards, are people actually telling anyone, or are they just keeping it secret? 
If we are to put organizations like Flux aside for one minute, and whether they disclose it or not, or this or not, there is a huge problem with the losses that are occurring with actual Trojan horses breaking into sites, all these issues. I can name millions of identities, online identities, being stolen every day, and nobody really takes notice of this yet, because this is not one organization that gets it. The problem today with information security management is that you need to secure the end user, which may not be under your control or even related to you, instead of your own sites. Fair enough. So I think we have a few questions in the audience. Why don't you go ahead. Use the microphone! Yeah, we've got a microphone right there. Why don't you... AV people, is it on? Excellent. Let's try that again, then. What my real question is: as this 2 billion number continues to increase and eventually becomes 5, 10 or 20, do you think that we'll ever see a great firewall of America, where we are trying to keep out these countries like Romania and Russia and Brazil, where most of the attacks are coming from, and, you know, botting people's computers and then attacking or relaying? Do you think we'll ever start legislating that, where we're trying to keep the other countries out? Every time we've seen national-scale firewalls, large-scale proxy avoidance and large-scale proxying become an everyday thing faster than you'd think possible. Well, there will always be ways around it, but my real question is, do you think that it's going to get to the point that they want to try and legislate it? Andrew from the IRS will answer. Just one thing: 2 billion is from phishing alone. It's more than 2 for just credit cards alone, credit card theft alone, and so on. Just one more note. I think we're going to take technical steps to eliminate what makes a lot of this possible, and while legislation might be helpful in some situations, a lot of this stuff happens outside the country, where our laws don't apply. Paul. In answer to your specific question, 
would we see legislation around that? I would say no, because the risk of a false positive, where a potential buyer or a seller that could be helping the American economy would be kept out by such a firewall, is way too high. So they will take the phishing and the spam and everything else with it, as long as there are potential legitimate buyers and sellers of American goods and services. Congress knows where the feathers in its nest came from.

And from a technical perspective, from the service provider side, you're going to see that whatever this legislation is going to be, it's going to be difficult, not to say probably impossible, to deploy in any large-scale network. So doing something for a couple of end users is one thing; making it scale to many users is a nightmare. And that's why we also see that most of the solutions, maybe except the great firewall of China, and even that one, there's tons of ways to get around it, never survive in a network, because it just doesn't scale up, and, as Paul said, false positives and whatever.

Another question. Lou?

At my job I often get people that attack my network to get to my customers, and what I find is a lot of legitimate, almost, businesses are using affiliate programs to shield themselves from any sort of liability: "oh, it wasn't us, it was a bad affiliate, we're getting rid of them," and then three days later they're at the same stuff again. And what I'm wondering is, one, is there legislation which allows you to go after the end of the company that may or may not be legitimate, and also these legitimate companies, banks, selling your email information and whatnot, how much do you feel this affects legislation? Like, you know, the legislation we have for spam right now was watered down horribly, because the financial institutions that want to sell your information to spammers make sure that it's very weak. And how does that affect law enforcement, because we have mainstream businesses that are constantly watering down these laws because they're making
money from it too?

We have real problems with a reluctance to take what you just described and describe it as organized crime. It is. The affiliate programs are a shell game and a mechanism of redirection that makes it difficult to apply legal remedies, and no one is willing to really go ahead and change the law to say, you know what, what's going on in the adware industry has destroyed millions of machines and is organized crime and needs to be dealt with criminally. There was a pretty good case last week where a Warner Brothers website, a group of Warner Brothers websites like scoobydoo.com, actually were serving up child pornography, so pornography to kids basically, through an adware network. So I mean, it's definitely a serious problem.

Yeah, just the one comment I would make on the first part of your question: the FTC has been doing a lot of work lately in going after these affiliate programs in terms of spam. They've been going after the affiliate programs, suing them, getting very large judgments against them, because, yeah, the affiliate program is really at the heart of the problem. They sign up these affiliates, they tell them in their user agreement, they say, well, if you spam we're going to cut you off, or whatever, we're not going to pay you. In reality, people are using spam to advertise these websites. So I have to say the FTC is making some good inroads with that right now.

The FTC is a civil... deals with civil judgments, and the bottom line is that, you know, I was just talking to people from the FTC about this, they've done a lot with the jurisdiction they have, they've done a lot with the powers they've been granted. It's not enough. The law is not encoding the fact that millions of machines have been destroyed by these bastards.

You know, guys, we were in a real hurry to get this thing wrapped up. If you guys are interested, we are now good to go for the full hour, so we are going to slow down a little bit and not be so... I'm not going to be so stressed out. Sorry, Dan, go on. All right, another question.
I know a lot of the problem is, if there isn't any type of consistency... I can't hear you, sorry. Pardon? I know that part of the problem nationally is there aren't consistent laws; what might be a crime here in the US may not be a crime somewhere else. So what type of efforts are there on the diplomatic level to try to create uniform laws, treaties, etc., to put some standards behind, you know, if you do this, you know it's a crime anywhere in the world?

Again, to Dan, I would say that it's all part of what we are trying to do as far as our outreach to other countries: get some laws on the books that affect this stuff. No, but you are right, in some places it's not even a criminal act to commit a computer intrusion. But you know, usually with legal diplomatic agreements that we have, mutual legal assistance treaties with these other countries, we can have some type of investigative steps taken there based on the fact that it's a crime here in the US. But the problem comes to be that for stuff like this they are probably not going to extradite somebody over something like this. If it's murder they will extradite them. So yeah, you still need to convince everybody to go ahead and prosecute the person, and that's part of the challenge. Yes, it is.

There is a line over there to speak. Yep. You are clarified now, the appointment to the doctor, just a prescription, right? Yeah. Guys, can we get some technical questions too? We have some technical guys here.

Hello. Earlier Gadi said that there are millions of identities stolen every day, and if I happen to come by some, whether they are with credit cards or just the identity, like a US citizen, is there a place to send these identities if one comes by them? So that some actually... you mean clear text, right? I've actually tried to call them and explain to them that I've found this and they might be interested in knowing that it's out there, and they get pissed and they say, "I'm the police and the FBI," and I'm like, well, that's great, but is there a place, if there's a million
out there every day, is there a facility that has the capability to take them in and do something with it?

You can report stuff like that to the Internet Crime Complaint Center. The website is www.ic3, that's India Charlie the number three, dot gov, and they have an online form where you can report stuff like that. Or you can mail it to Tom, or you can mail it to me if you'd like, yes, but probably the best thing to do is to go to IC3 and report it there.

And can you take thousands per day, or tens of thousands per day? I'm thinking right now if they have the ability for you to attach a file to it, as opposed to, like, putting in a thousand... I mean, you could certainly put in something and say, I've got a thousand of these, ten thousand, here they are. What are they going to do with a hundred thousand of them in a day?

I can tell you, I've actually tried to get a hold of some of the credit card companies when we've taken over some of the phishing sites and found data there, and they didn't return my phone call. So now they're being audited. By the way, just a joke.

One last comment, and what to do about the international... Nobody heard, he said it was a joke, nobody quote him on it please. Bad reporters, bad DEF CON reporters. And what about the international stuff, from Great Britain or the UK, Australia, Germany?

Usually what we see as a service provider, you know, the best way forward when you find such websites is at least report them to national high-tech crime units. There's actually an organization called APACS for Europe that works with the banks... England, not Europe. They actually work with other countries also, deal with Australia and a couple other... Ireland, sorry, Northern Ireland.

I've actually had pretty good luck working with the credit card companies directly, with their security officers, and basically as long as you're giving them just their credit cards, they will take it and then monitor those accounts. So if anybody wants to pass them my way, I'll pass them that way. Sure.

Is it the sense of this panel
that this is not a technical problem? That the technical faults we're seeing here are so low-level and so easy that really our limitations are legal jurisdiction?

We... I've actually seen a lot of... I mean, like, IframeCash were the guys that were actually exploiting WMF before it was known. So I mean, these guys are using zero-days; it's not just a click-here-and-get-infected scenario. I mean, obviously that happens and there's a lot of low-hanging fruit, but I mean, they're using some pretty sophisticated tools, that, you know, it's through, you know, Google poisoning of search results and other things; you can get infected without, you know, being deceived in some way. You know, I've seen a lot of these... go ahead.

I've seen a lot of these phishing sites, and to me they've almost become a non-invasive DNA test for intelligence. You know, we have people that will call us and say that they're responding to a refund, and they live in some country that doesn't even pay taxes to the IRS. So it's always difficult to protect somebody from being stupid, and as long as we have that low element of stupidity, these things aren't going to go away.

I mean, remember that companies around the world send marketing emails from other domains that they don't own; they don't use SSL quite often. I mean, this is a big problem; this isn't just a dumb user sitting in front of a computer. We're training the behavior of the users, so if you're training them incorrectly, that's what you get.

I would like for Paul, we're surprised right now, to try and answer all that, because, guys, everything, every type of technology can be played with, but I believe Paul himself is kind of close to one of those, not specifically SSL certificates that say, hey, this site is secure, or you can pay a little bit more and say "really secure," but Paul's been dealing with DNS for a long time, and that's also a huge part of what you're talking about. So I'd like to get some of Paul's comments.

DNS is not secure. Pretty much anybody who wants you to believe that
a certain name maps to a certain address can make you believe that, no matter what the name or the address might be. There are solutions that have been sort of log-jammed inside of the IETF for close to 12 years, and we're sort of undergoing the periodic two-year cycle where we think we're done, but then we're not really done, and we're going to start over soon. Now, if we could get people to pay attention to the fact that this email came from Czechoslovakia but claims to have come from Visa International, and it's actually a DSL-connected machine in Prague somewhere, then the fact that the DNS names are not authentic would begin to matter, because people would begin to forge them. But right now it is so easy to get people to click on just about anything that you don't have to actually exercise any of the weaknesses of DNS. But that will be the next frontier, if we can just close the holes they're using now.

Another question. Earlier somebody asked about legislation and firewalls, like the great firewall of America. The panel's answer was that probably wouldn't happen. What is the panel's sense on legislation regarding monitoring of internet traffic as a defensive measure, say, and then follow on with more legislation along the lines of CALEA?

Well, you know, China does in fact have a national firewall system, yet probably 60% of the phishing sites originate from China. So the firewalls aren't going to solve the problem. It's not going to happen.

Or is that a matter of political will? They simply do not have the political will to stop this behavior.

Well, most security types, I think, would say that a firewall is not a magic bullet. I certainly don't believe that it is. I think it goes hand in hand with monitoring and other things, which is why I have a question about monitoring.

I don't think there's a way to find out what's being monitored without a lawsuit, so go talk to the EFF people about that; they'd be doing that today. Although there's an interesting question, actually: what should be monitored? I mean, you know,
that's kind of the elephant in the room. What is actually appropriate to monitor on the global internet, and under what circumstances? Well, what kind of crime... Are you sure we want to go there? Why not. Okay, then. Technical... No, no, no, I'll start with Paul, he is the political guy here.

I would say, you know, what do we feel comfortable having monitored outside of cyberspace? Do we want all of our political conversations monitored in case we're talking about crime? No. And so I would extend that directly in: the only monitoring that ought to happen is the monitoring that one endpoint or the other chooses.

All right, I guess that's me. I work for a company that takes this very seriously. We tracked exploitation, basically, that was being hosted in an IP space range hosted in St. Petersburg, Russia. When we try to work to get it taken down, we bump up against this, and we bump up against this in Brazil as well: corruption, which enables these actors to basically, you know, act with impunity. So, you know, you can deal with all the Interpol stuff as aggressively as you want, but there are still areas where corruption rules; the money is basically funding, you know, its own survival. So, you know, how do you start to tackle that as well? Because legislation here isn't necessarily going to take care of these issues over there.

We can't always fix all these problems, but I can remember when the very early, first thing the IRS... it was in Mexico, and we could not get the Mexican authorities to do anything. What we ended up doing is, we had a really simple traceroute between my system and the phishing site, and looked at the last ISP before it went outside the country, and I asked them to put a block against it, which they did. Not to say that all ISPs are that responsive, but we can't control what's outside the US. We can try and prevent people from getting to it, but once again, we don't control sites outside the IRS at this point.

I would like to know, though, and I'll let Nico say something, because he feels very
strongly about it. Actually, I would like to direct this to Tom. Tom, we always like to talk about abroad, but most of these problems originate from one place and one place alone, and, you know, okay, not Russia, and you know what that place is. And there are a lot of ISPs, and I would like to direct that to Paul right after him, that are not so responsive here in the United States, and we know who they are, it's public knowledge. What are we doing about it?

So, if the ISPs here in the US... it's a lot better situation then... Sorry, I'm sorry for Kain, guys, I love the ISPs in the US, most of them are very responsible and very responsive, just some of them are not, and for a very long time.

Part of the problem is that there's no law that mandates that an ISP has to keep any sort of records of anything. So if we go to an ISP and say, here's a subpoena, please identify this customer of yours, they can say, you know, we don't keep records, we only keep them for three days and you missed the cutoff. There's really nothing that we can do from a law enforcement perspective on it. We can't say, oh, that's irresponsible, you're a bad corporate citizen, shame on you. I mean, that's really the extent of what we can do. Now, there's always talk of legislation now mandating ISPs to retain some sort of records and then have those records available to law enforcement, if law enforcement comes to them with the appropriate legal process. But if the ISP chooses not to maintain these records, it's just a situation that we're in, and I think this is again where the public-private, I'm sorry, the private sector people come in and play a role, as far as identifying those rogue ISPs and doing things to hamper their business model.

What about the rogue ISPs that have things running right now, and have been running them right now, not three days ago, for the past years?

Yeah, again, if it's here in the U.S.
and they maintain records, then it's something that's definitely doable.

It's the situation... this is the IP address that's been bugging me for two years now. I'm sorry, what's that? Hello, ISP, you're one of the few not-nice ISPs in the United States; these are one, two, three, four IP addresses being used right now for a botnet command and control server, sending out phishing emails and stealing money. They're being used right now and have been used for the past two years. What's going on? Is it illegal?

And here, I guess, it comes down to this: is it illegal to provide hosting services to a known criminal site, and if so, what sort of liability do these guys have for putting this stuff on the net?

Yeah, so I'm not a lawyer, okay, but I think the issue comes down to, you know, plausible deniability. I think that's really what the issue is, and I have run into this many times, where we go to an ISP, there's some type of mischief coming out of the ISP, we go to them with legal process, and they say, oh boy, you know, I didn't even know this was a problem, you know, if you just would have told me, or somebody would have called up and said, we would have pulled the plug on these guys. I mean, it's plausible deniability; it's very hard. Now, the reality of the situation... no, you're right, you're absolutely right, the reality of the situation is there are places out there that are basically havens for these criminals. There are some ISPs that are out there, and these guys go there and they know they can park themselves there. But again, it's a matter of, my job as a law enforcement officer to follow up on that would be somehow proving that the ISP knows that the person was a criminal coming in there and going to do something criminal. If I can't prove that they know that, then I have no right to even talk about it with them. All right, that's just the way... that's just the situation.

There is a law. So we're talking about money again. Let's talk about the voice market, where you're using a cell phone or your wireline telephone.
If you read your phone bill, you'll see references to all kinds of FCC tariffs, PUC tariffs. That's where the rates are being set, or at least controlled, monitored in various ways by the government. There are surcharges, there are all kinds of things going on there. It has been true for about the last 25 years that the dominant cost of providing telephone service is in maintaining accurate billing records and not in carrying the traffic, and that's dominated by the cost of all of the telecommunications equipment. The big switches, everything that's got voice lines going into it, would be way smaller, way cheaper, would innovate much more quickly if they didn't have to maintain call detail records and keep them for a certain number of days and so on. None of that stuff exists on the internet. And so you can imagine, let's say that 90% of the cost of sales for a voice telephone network is around billing and record keeping. You're dealing with internet service providers whose entire margin might be less than 10%, and you might be asking them to use a third of that to maintain the kind of records that the FBI would very much like them to have, and they can't do it until and unless all of their competitors are required to do it too, because otherwise they'll be the one that costs 3% more than all the competitors. So I do believe, in that sense, that we're trending inevitably toward legislation that is like what we do with the voice network; we do start to control the other way, the other kind of telecommunications that makes the world go around.

The only thing is, when you look at it in Europe, this is the EU Data Retention Act, and that one is basically: you have to keep CDRs for voice and internet traffic, and they want to push it even further. At the moment it's just, like, username, IP address, timestamp; what they're asking for is NetFlow from all your border routers into another country. So at least your EMC is going to be happy if that one gets passed.

There are a few laws in the US, specifically
the DMCA law, that if a website is hosting copyrighted material, the ISP can become liable for that information. So if you contact the ISP and the ISP does not shut down that site, they can be sued by the owner of the copyrighted information. We've used that quite a few times to bring down phishing sites, and that's one of the things that works. In cases of phishing sites, you can say that they're infringing on Citibank's copyright or whatever; that works in that case. But that's one of the few laws I know that actually boxes the ISP into some type of action. There's another law: if it's child pornography, they're required to report it and do something about it. But phishing sites, bot networks, stuff like that, we don't have that type of legislation. If the phishing site is hosting copyrighted material, which most of the time they always are, they've got the graphics or something that was produced by the company and covered by the copyright on the page where they took the original information from, we've had very good response with ISPs shutting down that information, because they don't want to be liable for that DMCA issue.

The only thing you have to remember in that case, you're only really talking about a company providing hosting. You have to remember that most of the telco licenses require that you never ever look into traffic, except for debugging, maintaining network purposes.

Well, if it's reported to them, then they become liable for removing that information; they have to shut down that website or that server. It's a US law, it's very specific to the US. It's a US law, so it only works if the server is in the US. In theory, 100% success rate. 100%? We've had 99% success rate. Really?

Actually, Rob Slade said something very interesting... I don't remember the last one. We get a lot of success too in cooperation from law enforcement and ISPs globally, but there are certain things that will really get things done, and that's the four horsemen of the internet. I remember only the first three.
Rob Slade is a great guy. Child pornography, copyright laws, copyright issues, terrorism, and MP3 music. I don't remember really the four horsemen of the internet to get things done. It is actually kind of amusing, then: we have stronger controls over MP3 music than we do over your wallet.

Another question for the panel. We've heard a lot of different things about, I guess, the bad guys using things from very simple websites to zero-days. I'm sort of interested in the panel as a whole talking about the technical sophistication, how it's progressed recently and where you think it's going. Are the bad guys getting ahead of us? Are we catching up to them?

We're getting our butts kicked. There's no doubt about it. The technical solutions that are out there are not even close to what these guys are doing: the research, the cooperation amongst other parties. They obviously have businesses too, and they don't collaborate probably as much, due to business reasons, as they could, but there's a lot stronger bond of sharing of tools and information in their society than there is in ours. It's actually pretty impressive when you see the kind of software, the front-end web interfaces. If you have a botnet of 100,000 hosts, how do you control that? You can't control that with just little shell scripts. So you really are getting some mature tools for managing these large-scale networks. I don't think there's anything like this on the defensive side.

I think part of the problem is, it's not that they're way far ahead of us, it's just that it's an arms race. So the nature of this is that once the good guys come up with a solution, the bad guys are allowed to develop a countermeasure to it, or something better, and that's just what we see going on, just an arms race in this whole thing. That's what I think is part of the problem.

And the main point behind that is that in any warfare, the defensive guy is always going to be reactive, period. And when we live in, aside from being humans and reacting this way, when we live in a
capitalistic society, and everything is about business, you're not going... like Paul said about banks, and the banks really know how to do their risk assessments. If the problem right now costs them money, but they will lose more by investing to stop it, they will not do anything about it, because it's not worth their time yet. Now it is about what we discussed earlier, and there are a lot of problems out there; some of them are going to show up in a few years, some of them have been ignored for years. For example, botnets, phishing, all this stuff has been known for a very long time; routing issues, DNS, as Paul mentioned, it's been worked on for many, many years now, but the business incentive to kill the problem was not there when the problem was small. Spam, for example, was ignored originally, and when it comes down to it, these problems become unstoppable, become too large to be stopped, and all we can do is enter that arms race, with them inventing new technologies and us running after them, while we, at very different angles, all deal with certain business needs, antiviruses, ISPs, to try and maintain our own businesses. Well, these guys have one business alone, and that's exploiting people in order to make money, and they're going to keep exploiting people in order to make money, because when you have an ROI of billions of dollars every year, and phishing is just something that's in plain sight, there's a lot more going on. If one avenue, if one channel, is being closed or challenged, there is going to be retaliation.

I've got a question for the panel. I'd like to get each of your opinions on this, really short thing: will online banking survive?
I think it will survive if they adapt and put in protections that require authentication with something people have and not just something they know. Until they go to, like, smart cards with certificates, we're going to start to see a problem.

All right, yeah, I think they will. Their business model is dependent on it. I mean, when was the last time you went and sat in a line with your little book to talk to a teller? It's a beautiful business model: get rid of all your people, put a computer up and then charge people to use the computer. That's a great business model. There's a lot at stake there, and it's good to use too.

I've got a comment too. I'm sorry, you said certificate, smart card, but you still have to trust the PC, and the issue at the beginning with all the malware... so, you know, then you're going to need something like trusted platform, you know, all the things you guys are going to like. And the other option, I mean, we see coming more and more, is out-of-band authentication for transactions, you know, trusting, like, the GSM network, which you can trust much more than the internet, when somebody wants to do a wire transfer to an external party. That would be one of the options we see.

And I also think it's going to survive, as you said, because of the business model and the economics, as long as it continues to make money for them, and they've been able to accept the losses so far, so I don't see that changing. But I would say this, I mean, just think about this: if you get your credit card statement, you see there's a couple laptop computers from TigerDirect.com on there, and you didn't buy those, and you call up your bank and say, hey, bank, I didn't buy these laptop computers, your bank's going to say, okay, fine, we're going to reverse those charges, we're taking that money off your credit card, we're going to make you whole again. And you walk away from that sitting there thinking, boy, that's really nice of my bank, they care about me, they just ate all that money there on my behalf. But is anyone here an e-merchant? You
know what the reality of that situation is: who gets stuck with that bill? TigerDirect gets a chargeback at the end of the month. Okay, so I'm not trying to bash the banks or anything, but this problem is hurting them, but it's hurting other people more. Until that model changes, I don't... I think it's going to continue going.

The web channel itself... the web channel is the cheapest channel available to the banks to deal with us lame users who don't have billions in our accounts, and they will do whatever is in their power, including reimbursing everybody completely, where it is by law, or where they have to do it regardless. In the UK it's a law, and the users therefore do not really bother fixing their computers; in Germany it's not, trying a little bit harder. But as long as the web channel can remain active, it will remain active, because their goal is one: maintaining the trust of users in e-commerce. That's critical for them. And to be honest, just one F-related note, the banks are doing a lot, seriously, but in the United States, both on the attacking side with phishing sites and on the defending side of the banks and other e-commerce, actually not just banks, the technology is way behind the attacks that people see in Europe, and the defenses that banks put in Europe are a lot more advanced. The UK is in the same trouble, only the attackers are very, very advanced and the banks are at the same technology level of defense. But seriously, the US has not yet seen what the rest of the world has seen.

So actually, I have a question then. If we have a scenario where the Europeans are using much stronger protections on online banking, are their fraud rates lower? What?
Are their fraud rates lower? Has it helped? The banks have just invented new stuff, but yes, it has helped, I think.

Just quickly, on the banks: Europe has a significant advantage against the US, and it's a much smaller number of entities, where they actually can work together. I mean, there's literally tens of thousands of credit unions in the US. I mean, it's not easy to get all these people in one room. It's not legislated, I mean, it's all over the place. It's not near as easy of a problem to tackle, to their defense.

So, Dan, in answer to your question, will online banking survive: we've answered so far on the panel from two perspectives. One is, you know, can you log in, see your balances, make your payments, and the other is, some of us have answered, will we continue to be able to buy things with credit cards on the web. Right now, you know, you're using a 16-digit credit card number, around a 4-digit expiration date and around a 3- or 4-digit CVV code, as the way that you're authenticating yourself. Sometimes they'll ask you for your zip code or something like that. It's very, very weak. But of the two types of online banking fraud or loss, or I guess theft, that we're seeing, I think the credit card money transfers that are illegitimate vastly outnumber the online banking transfers that are illegitimate. Not that you don't see phishing sites where people are trying to collect your online banking information, but it's just much more common to see a dollar stolen through a credit card transaction. I know that the world could not survive without that flow; those flows in the economy are now... that's our lifeline, that's how we deal with each other. But I think that around 20 ASCII numeric digits of authentication is not going to survive. I do not agree with our colleague from the IRS that two-factor authentication is going to be the solution; that's already been shown to be too weak. So I think that the next step forward is going to be a bigger step than just moving to the two-factor thing with the secure cards,
and we are certainly going to have to have a more trustworthy computing platform, of which I hope that TCPA is not yet...

I just want to add something on top. I mean, we have been talking a lot about the banks, but you guys know that most of the new point-of-sale systems hang on the internet, actually, and they store your credit card when it gets swiped, and people can make transactions on top of them. So we are really focusing on the banks and online phishing and so on; then you have all those poor systems hanging everywhere, in every single shop, on the internet, on a wireless LAN, and so many nice things on them. That's something that's happening in the background that nobody cares about at the moment, but it's going to hit us hard at some point.

Let's try to go through our questions here. What do you guys think of some of the volunteer phishing internet response teams? Do you have any favorites?

I have a couple of personal favorites. CastleCops has been a great help in the phishing area; Spamhaus in the spam, phishing and other sorts of network mischief area. There's really a lot of groups that I rely on as a law enforcement officer, people that are really, if you saw my talk earlier, I call them the white knights of the internet. They're helping keep the wheels on the internet, and people like the groups that Gadi has put together, that I've worked with on different malware outbreaks and things like that, really people are helping keep the wheels on things. I think it's interesting that, I don't think, without these homegrown volunteer organizations on the internet, it would be the internet that we know today. I think it would be significantly different.

Funny little story. Very early on we had a phishing site in China, and through one of these little groups I kind of put out an email saying, if anybody in the group has access to the system, would you get me the phishing kit, a couple of files we were looking for, the phishing design. And about 20 minutes later I got an email with the credit card
information was captured I got all sorts of logs for SSH we got just everything I went back to the guy I said listen thanks I said you gotta fix your system now and he wrote back and said it's not my system so you gotta be careful when you ask for help he figured if it was vulnerable he'd get it as well which is what he did but I somehow lost his name and phone number because there is one critical point that needs to be made although I'm very much in favor of all of these groups da! I pretty much created some of them sorry da! yes I like them they're good they do good but they are all good wheel based because people want to help each other people want to share information when their employers sometimes do not want them to share information they do things out of free times that they don't have because they are the technical people and the management people that need to actually fix these issues for their own organizations and as long as there is not any meat space and law enforcement economic whatever else you want to call these issues to back all these efforts up and not make them in the press look like vigilante efforts which they are not they never take the law into their own hands they report, they help, they collect information I mean I support these groups they started some of them they are not going to be the solution they are not good enough so maybe they need to stop and let yes let's stop and say the internet die sorry the internet is not going to die nobody quote me on that that's stupid yes let's stop and see everything getting worse that's what we have right now and that's the best we can do but it's not good enough thanks next question I'm from a country that you consider the eastern block so a client of Adelphia ISP and I've been using software like let's say Adelphia no longer exists I believe they don't? 
they got bought Time Warner okay so I use DC++ to download some things and I received a letter from a company affiliated with Paramount which is called ATSP yes that was the name of the company and they pointed out specific files on my computer I tried this I've heard this that it happened on different operating systems not only windows and they pointed specific files on the computer that were downloaded on that day that time by that username from those hubs and so my question is what if you could say more details about how those people were able to read me so clearly and also since America the US is let's say the backbone of the internet is this going to happen in different countries in the world people are going to be receiving such letters saying that legal action is going to be taken against them if such files are found on their computer so one other country is going to be to suffer the same consequences yes thank you we had a situation about six or eight months ago where we received a letter an email from like a DCMCA whatever those initials are and basically what they stated was that an address that was owned by the IRS was seen sharing games I got the referral at three o'clock in the morning thank you I didn't want to sleep anyway so one of the first things we did when we got this referral was we looked at the IP address and it was space that was owned by the IRS however it was space that we weren't using so one of the next things I did there's some underground contacts that we have that monitor a lot of the BGP announcement routes so I went to them and said has this subnet ever been announced on the internet in like the last 90 days and of course the answer was no we went and made sure in our local area network that that address wasn't available and to make the long story short that address was never used to send out file games or anything like that what we suspect happened is somebody that was trying to discredit somebody who was looking for that was 
sending out fake data that was being picked up by DCMCA or whatever and then having them go after people that are totally unaware of what's going on so it's funny you mentioned that but that does happen we didn't talk we'll continue with the questions because I see you guys standing for a long time and I feel bad about it just one thing we didn't talk about routing nearly at all Paul can you say a few words about private reporting, routing problems and all that private announcing I'm sorry it's only a problem they don't work yeah well because the BCP38 that tells ISPs and other network owners to not let packets off their network that have a source address that didn't come from that network because that is pretty much the laughing stock of the internet backbone community and virtually no one is willing to turn on the various features of all modern routers built since 2000 that could just do that with a single thing you never really know where a packet came from you can build up a little bit of confidence if perhaps it's a TCP part of a TCP session and you were able to answer it and do a three way handshake that's only a little bit of confidence because all it takes is a local area route somewhere in the path that your default route is going to take that you may not be able to see in BGP that will siphon off those packets and there are plenty of places where you know I think maybe the whole internet needs what DEF CON has this whole wall of sheep concept could be a really good thing but in any case you don't have to go to the underground to find out what BGP announcements have been made there are plenty of above the table groups that like route views and what not who monitor the BGP announcements and so forth and you will be shocked at the number of times that address base that is owned over here is being advertised over there maybe it's a little cut out route maybe it's the whole thing maybe it's something that the real owner isn't advertising any part of it once 
you get past all that you will be shocked a second time to discover the number of times that you have had a TCP session with someone who was never in the global routing table at all so I would say that there is no cause for confidence just because you have received a packet I wouldn't believe any part of it payload or header next question that's actually where my next question was going was authentication security it seems to me that most of these criminal activities have grown because of difficulty in enforcement and the difficulty in enforcement is not being able to absolutely verify where either email or traffic has come from part of that issue how does the panel feel about new technologies to be able to more positively identify where traffic is coming from and the new sender ID framework I do think it is important to recognize that with the exception of SSL websites PKI is a complete another failure every place it's been tried and we need to you know it's 2006 we can admit it something's really broken in the way that we've been trying to deploy this stuff and it's not just like oh if we throw another couple hundred million dollars at it it'll work no there needs to be pretty fundamental shifts in how we try to deal with identity technology we've just failed too many times to ignore that obvious conclusion I think you're also underestimating what people are doing I think that 90% of what we see could be so flagrantly obvious that they're being redirected to like a site in Romania they'll still click on it they'll still enter their information so what you're talking about will address the 10% 90% is stupid people basically or people that don't know what to look at but mostly stupid one of the issues that we all seem to forget is that the internet was originally I wasn't there by the way I don't think I was born yet but the internet was originally yes I know but the internet was originally planned as a sharing network as a let's live and let's live and let's be 
friendly and let everybody use our own SMTP servers and relate through us and we live on that infrastructure today that's been discussed to dust and no the internet is not safe I'm sorry whenever I say that people get shocked no the internet and email is not safe neither is real life yes but the one thing I would like to say though the one thing I would like to say though is that today people don't really although these issues are there and they are being exploited they will be exploited even more I always get pissed at people when they say hey this bug is not currently being exploited we don't need to fix it yet right so two months later or two weeks later it gets exploited one thing I would like to say is that today with botnets you can identify somebody in some cases and you can say that's the guy who did it but it's not the guy it's somebody else who connected to him through somebody else through somebody else now everyone here knows that multiply that a few million times and you will get a picture of what's going on you don't really need this reliability I mean this reliability would be good Paul will not answer about that a little bit more but when you have botnets everywhere bots everywhere and their accessibility and cost is so low you can be anybody you want I would love the internet to be either completely anonymous but that's not the case we started this we started this discussion with phishing and you know your your grandmother getting an email and having to pay for not mine I think it was David Daggons but sure how does the panel and Dan feel about some of the the new sender ID stuff for email to weed some of the some of the major phishing stuff out in using sender ID DNS for sender ID how do y'all feel about that before we move into spam and before we move on to all that and that's been discussed by others we will answer you I'd like to give Paul the opportunity to speak you wanted to talk no no go on it is worth so email is dying like there's entire 
populations that have moved over to my space have moved over to you know only using their corporate work email that's just inside the company like the amount of spam that you can get I think 99.99% of my email is spam and that's without exaggeration so SPF even if it cuts out 95% is my email really useful and it doesn't and it was never meant for anti-spam Stan is that why you don't answer email because it's not actually no no then it's actually really funny I can't send mail to Paul his mail server says my mail server has been implicated in spam I have no idea why he has no idea why but I don't get mail I can't either don't worry it's a known problem it's a known issue around the internet Paul Vix's servers filter you out next question go ahead so if you want to steal money if you want to steal a lot of money you can do one of two things you can steal a little bit of money from a lot of people which we've been talking about here so far or you can steal a lot of money from a few which we haven't addressed so far and I wonder if the panel has an opinion any insights into what's currently going on in terms of extortion attempts and so forth being directed at corporate entities as opposed to phishing and and carding and so on directed at end users there's a couple more recent things I mean the whole extortion where thing where basically you get a payload on your machine and encrypts a bunch of files which used to be really bad but actually it's getting better and better now and then you get a message on your machine that basically says hey you want your files back give me money send it to this account otherwise you won't get them back so one of the questions that gets asked quite frequently on that is why are they only asking for $200 why are they only asking for $50 and I think it's a reluctance from them knowing and their success rate of asking for a lot more money is probably going to be less or $20,000 or $20,000 you might go to the authorities you might do 
something about it as opposed to just giving a little amount then there's the whole corporate espionage thing where big attacks are actually a lot more difficult to do you look at the Sumioto Bank thing in the UK where this guy was transferring I think it was $10 or $15 million and it just got caught up in their monitoring system so I mean it's a lot more effective to just trickle money a little bit at a time and you know that as you said banks monitor this type of things and you know and they're swift and we know that a lot of people look at swift at the moment so you know you don't want to send that much money that's going to trigger you and be on the top 10 watch list Banks are very very good at moving money around the losses we talk about is after they moved most of it back now about extortion on the internet it's really funny when you have I guess New York is the city of choice here in the US when you have problems with protection money you know that if you pay the guy you'll probably most likely not burn down your store and he will be back at the same date further if another group tries to take your money away you will probably protect you on the internet that's not the case you don't know the guys he will not protect you he is likely to attack you after you pay him anyway and if you pay him he will come back so the whole idea of extortion on the internet is kind of funny to me but it's a problem for a lot of people I think this is more of a good idea for us to shut up and let our FBI friend speak sure no we do see these extortion things going on I think the people that are most targets for it is if they're doing some business in the borderline business anyway so porn sites, online gambling sites things like that they might be reluctant to go to the authorities or believe that the authorities are not going to be responsive to their extortion problem they are the ones that are most likely to pay the extortion pay the extortion request sites that are also those 
two that I just mentioned are dependent on being online every second they're not online they're losing money and they're not like Fortune 500 companies that may have a lot of bandwidth to back them up and stuff like that so if it's someone that's susceptible to DDoS then I think they're already you know they're right pickings for extortionists and I think that the best thing that people can do, businesses can do is plan for this ahead of time you know think about what's going to happen if someone tries to extort me have a backup plan in place have that bandwidth available you know that's really the best thing you can do so one thing that seems to keep corporations out of this is it's politically a pain in the ass to pay a bribe I mean you have to get approval you have to figure out how to route the money what are you going to get a PO to get your business back up I mean just like the actual mechanics of how you would route money out is pretty painful and I think that's ironically enough one of the controls that keeps keep some of this under control yeah this is the smart cyber criminals the smart extortionists are targeting your non-corporate online entities that's what they're doing yep you got a sole proprietor who routes through a fair amount of money every day great target if you've got something where PO's involved move on yeah another side of corporations that we didn't foresee is a lot of people especially in Europe these days do their online banking from work they feel their world computer is a little bit safer they're probably right there's no IT department at home next question I have actually long again forgotten what my question was I wonder if we feel for you beer is on me I think it was somewhere along the lines on what you collectively think we can do on a technical front to secure up the vulnerabilities that are providing the opportunities for these criminals to operate on the internet and whose responsibility each of you believe that to be so one 
problem is just the scale of difficulty I mean there's an entire use model for PCs which basically you don't have a computer of your owner you don't carry around a laptop you go to a random internet cafe use a computer not under your control and you log into your online banking and move money around I mean this is an entire lifestyle that people use that is fundamentally insecure you believe it to be fundamentally insecure it is absolutely fundamentally insecure you've got a device here that you have no controls on anyone can put code on it in fact you actually had someone who was going around New York and just going to every single kink goes and putting malware on it because he was like well people do this they go to these boxes they put in their creds and I can you know imagine how hard it would be to secure your home PC if bad guys got a key to your home and just could walk in get physical access put some software on and leave and so you know that's the scale of problem that we're facing it really is more of a human problem than it is a technical problem so if there are any point us wasting our efforts securing our applications and building secure by design you secure your application so you aren't the source of the problem but I mean there's a global scale of you being the problem of there being a problem which we can't deal with you can deal with yourself being involved it's your fault personally you're responsible for all these fission there are a lot of weaknesses a lot of vulnerabilities everywhere and the attackers will always go for the weakest link or something similar to that now if you don't secure yourself they'll go after you and they do go after you so that's pretty much it what motivates a company to put out secure software that doesn't seem to be any efforts going into either rewarding or penalizing large corporations or making a lot of money and hopefully things like RFPs and buying criteria actually take security into their decision making 
process those are the types of things that have to be driven down from an economical standpoint if most features wins every time then we're back here again talking about the same problem so you're relying purely on economic models you don't think there's any call for government to step in no I think it's unrealistic at a global scale I mean we're going to mandate developers to write secure code that's just not realistic to be honest on one thing though because I'm usually not honest I'm a lot to be honest whatever one thing that is important here is something that KC from Kaida Kaida usually says every network in history usually had someone who came in and put order in the chaos if the water aqueducts from the Roman Empire or anything else somebody came in and made order usually that was the government now the internet has no government and I'm not sure if you want our governments getting involved in different aspects of the internet we already see them try on different areas and I believe this cannot be done without the governments but to be honest do you want any government around the world and there are a lot of games already being played on these things with user agreements telling you how to develop your software maybe they should I don't think it has to be a regulatory effort taking things like the AIDS virus that was fought through education you didn't regulate someone not to go and sleep with someone because they got AIDS you funded education through government and collaborative efforts I don't think the government should tell us how to do it I think somebody should maybe it's peer pressure maybe it's more PR I don't know what the solution is I'm not sure I want the government involved but it would be a lot better yes I agree but I think it's terms of education I think that's the role that the government can play we can help educate people to these problems that's kind of an axiomoron so what's on the agenda on that one can I ask you to clarify your 
question are you asking if there is or is not cause for hope because I have cause for hope I'm not sure if that's your question technically is there any way that technically people process and technology do you believe that we can get a grasp of what's going on without it being about chasing after the criminals and spending limited resources trying to address the problem from that direction okay so you know we've talked about is this a regulatory thing or is this an economics thing and those are usually in opposition to each other I believe it's an economics thing but it's not a classic economics problem now we've mentioned SSL here a couple of times today and it turns out you can have an SSL certificate for a person not just a website and so any one of us who wanted to go through the effort of creating a certificate for ourselves and getting it signed could then use that in commerce in about one site out of 10 million who actually knows how to deal with user level certificates in other words that didn't really catch on had it caught on then we would simply see the malware looking for you to type in your PIN number at the time you were attempting to use that certificate and capturing the certificate and your PIN number because they've already captured your PC now when you're dealing with economics and therefore with human action there are sort of two very different kinds of human action there are the actions that you take and the actions that affect you on the one side versus the actions that everybody else takes that affect you if we can get to the point where the people who want to be safe can be safe and the people who are willing to go take a class at the community college that's taught on Friday nights or whatever talking about my grandmother or whatever in order to learn what to click on and what not to click on we're five minute warning then we could get those people to be safe and that'd be fine I'm not safe as long as their computers are capable of 
d-dossing me and that's a bit of a problem so there's a lot of cause for hopelessness built into that just because as long as we have these monoclonal infrastructures and so forth we're all going to be sort of in the same stew pot but I do have cause for hope and that is that the internet was not built by a corporation who was looking for making a profit and it wasn't really built by governments or US military or US research money or any of that stuff those all had roles to play it was built by the open source community although it wasn't called that at the time and the web which came after the internet was also built not by a corporation who was investing and trying to get return on that investment but it was built by the open source community it was built by experimenters and I think that the fact that this is a gaping wound is going to cause a lot of real innovation that doesn't have have to prove ROI possibilities before it'll get out there to come out and give us authentication the same way it gave us the web and the same way it gave us the internet so that's my cause for hope is that we're here at all we've got two more questions for people who've been standing a little while so let's see if we can get through them we have like five minutes if that I got a couple technical questions I guess regarding botnets and they were laid around a particular security researchers efforts it's named steven racing I think it's how you say it from switch basically you develop an algorithm that would attract rhythmic patterns of IRC traffic in net flow in the future although I believe that it's been a while since I read it but I think maybe one of the problems of it was that the data set was too large which he was looking at so he had like tons of false positives anyway I guess my question was more of applying that on a reduced data set in a sense where the in a network where since bots have characteristics which are there are certainly patterns that you can find in bot 
behavior and those patterns have certainly been used to identify the boxes if we become a little too dependent on finding these patterns there are mechanisms you can use to just stochastically skew your results skew your time you can even represent all the botnet traffic to every kind of short of a person reading the IRC traffic there's no way to know just idiots going back and forth in fact the IRC can be a pretty challenging Turing test is this a human or is this a bot I don't know these people are pretty dumb sure you know it's true I guess we'll scale from 1 to bash.org I think you need to remember one thing again you know you're talking about watching traffic doing maybe deep packet inspection you're keeping track and so on man that's illegally most of the country has got to take a license now the thing is I'm sorry I'm trying to not babble here but I guess what I was saying was scanning is a pretty easy thing to identify and it's a common characteristic of a bot so once you've narrowed down your data set to a specific IP address it should be a lot easier to use that algorithm and more it's not hard to find these bots they're not exactly hiding themselves yeah that's all cool and we all use that but who will talk to the user who will pay the price or personnel or disconnect a paying client that's always a problem yes there are a lot of technology everything is being used but you need to remember that whatever we use the bad guys compensate for okay last one real quick was another one okay everybody has darknits you know there's public mailing lists you all guys work together you look at backscatter so you still see examples where there's spoofed attacks because you're getting the backscatter and your darknit yada yada yada do you see any use of maybe having like maybe a community effort of compiling the backscatter received in their darknits to identify active targets of an attack and therefore this is being actively done this is being actively done but it can 
only work to some level it's like you're suggesting an algorithm for acoustically determining the location of car crashes so we have one minute so we want to get the one last question let's go so it was brought up a couple times the fundamental problems with you know say DNS or with email and you know I'm not naive enough to think that you know a complete redesign of the internet would ever be possible but are there technical solutions for this that can help mitigate kind of human stupidity and we've brought up a couple times as well we can certainly do a better job of giving users a clear path towards being secure and we can do that through some technical information and we can do that through just guidance and education that can be done can we make it possible for a user to shoot himself in the foot probably not you can help a guy you can tell a guy how to be more careful for not getting robbed but you can't tell a girl how not to get raped okay sorry for being blunt I'm always blunt we'll ever get to a point say specifically with DNS where the problem will warrant a complete redesign of the protocol and kind of sacrificing that legacy support in favor of kind of a whole revolution versus evolution and patching on a problem Paul will finish with this because we have no time Paul is the most qualified on DNS I believe you know a little bit about that right the internet and DNS and all the other internet technologies SMTP and so forth are all laboratory grade they were not meant to be used in the real world they were meant to be used between cooperating researchers and whatnot and the answer is that it already warrants a complete redesign but we can't do that and so we're doing what we can do instead of what we should have done and what's actually preventing that there will be no more flag days on the internet where you know TCP is as bad as NCP was but we can't have another flag day DNS is as bad as the old sort of host access protocol but we can't have a flag day 
it's rolling now all we can do is try and steer it by poking it with a stick I think we're done here Thanks Dan