Truth About Computer Security Hysteria
Super cyber sleuths in Badman backdoor brouhaha
Rob Rosenberger, Vmyths co-founder
Friday, 16 June 2000
WE NEARLY LOST the Internet for good last week, if you believe Fox News and the Associated Press. (What, not again?) Check out this orgasmic report:
The spread of a dangerous computer program masquerading as a harmless video clip may have been slowed in its sinister tracks Friday by a team of super cyber sleuths. Working through the night in the dark, musty offices of their 'attack lab,' investigators with the Herndon, Va., Internet security firm Network Security Technologies discovered a team of hackers had embedded a Trojan horse, a seemingly innocent application that executes destructive code, in computers across the globe.
Every firm has the right to re-edit a press release to make it look better. I merely caught NETSEC doing it.
"Super cyber sleuths"? A Dow Jones newswire disclosed an employee "inadvertently downloaded and launched the infected file onto a laptop computer, [which was] a serious breach of security etiquette." NETSEC even bragged how they "detected the Trojan on one of its PCs as the Trojan unsuccessfully attempted to contact the hackers across the company's networks." Yeah, and I'll bet a can of soda the employee downloaded it from a raunchy Usenet newsgroup. NETSEC guzzled from the fountain of newspaper ink thanks to an obvious PR event. It contained many of the elements reporters look for — such as an urgent meeting with FBI agents deep inside the Hoover building (a short drive from NETSEC's offices). The security industry refused to play along, though. A Command Software spokeswoman asserted "this is not a new find, it's not a new discovery. In fact, Backdoor.SubSeven has been in the wild for quite some time and should be detected by antivirus software. Even if it had not been updated recently, it should still be detected." ICSA went so far as to label it "hype" both on their website and in an email newsletter. If you screw up like NETSEC did, "then your pc is certainly compromised," cautioned ICSA. "But there is no reason to think that it will be successful with the next step, because all ICSA.net certified anti virus software has been able to detect SubSeven for some time... There are no new exploits. There are no new tricks. Trojans disguised as movies are common. There are five or six hundred posted to newsgroups each month." That fact makes NETSEC's internal security failure all the more ironic. Marc Maiffret (eEye) flipped the bird at NETSEC in a public message.
"I would be interested if someone could email me, personally, and let me know how NETSEC 'alerted the Internet community' because the only thing I've seen on mailing lists is people making fun of the [hysteria] that NETSEC media whored to everyone." Even the well-documented fearmongers at FBI NIPC chose not to scream about the Trojan. Man, if you can't get Michael "cyberHoover" Vatis to appear on-camera with you...
THE TIDE OF reporting quickly turned. Damaging headlines soon appeared on MSNBC and The Register. Even Hacker News Network chimed in:
Last Friday's announcement by NETSEC (Network Security Technologies) of a new DDoS tool installed on thousands of computers worldwide created a lot of media attention but was really nothing new. The so called 'Serbian Badman Trojan' is nothing more than a repackaged version of Sub7, a remote administration tool similar to NetBus, that has been around for years. Sub7 is incapable of launching a DDoS attack in its current revision. NETSEC's discovery amounts to nothing more than a publicity stunt by an opportunistic security firm in quest of free advertising in the form of media attention.
"Super cyber sleuths"? NETSEC admits they got whacked by a well-known security threat. How will their customers react to such news?
NETSEC president Jerry Harold fired off a rebuttal to Hacker News Network. "The naysayers here are the antivirus cartel who speculate without even bothering to gather fact (sorry to step on the toes of your little fraternity, guys.) This was proactive detection and prevention of an active attack before it caused major damage. What did companies like Network Associates and Symantec do to detect and prevent the last DDoS attacks BEFORE they caused millions in damage? The answer is: nothing." Another employee, Scott Shreve, decided to "set the record straight" in an open rebuttal:
While the media has performed to their regular standard of sowing the seeds of FUD, we have been guilty of nothing more than attempting to alert people to the fact that many hosts have been put in a position to unknowingly wreak mayhem. If we wanted press, NetSec would release the list of infected clients — THAT would make good press. Nobody said there was a cutting edge new tool out there. We just found definitive evidence that several thousand machines fell victim to a slightly modified version of an old tool. The binary has been torn apart and distributed to several sources in the vain attempt to perform a service to the community and avoid much of the mudslinging that is currently going on. If anybody bothered to watch the CBS morning show they would have seen us state on National TV that the trojan was a modified version of SubSeven and the focus of the threat was not the "scariness" of the tool — it was the size of the infected populace and the serious nature of SOME of the infected clients.
(Ignore Shreve's comment about identifying infected clients to reporters. It would violate one of marketing's Ten Commandments: "Thou Shalt Not Smite Customers By Name.") Perhaps NETSEC labeled it a known Trojan on national TV — but they buried the knowledge in their original press release. A re-edited version of the 8 June document makes the point more clearly. (The original version remained on NETSEC's website until at least 11 June at 6:50pm CT. Hacker News Network bashed them the next day.) Notice the subtle differences, underlined here for clarity:
Childish hackers will accuse NETSEC of "evidence tampering." Au contraire: we're talking about ethics, not evidence. Every business has the right to modify press releases. The very nature of the web encourages change, and a press release by definition tries to cast its presenter in a good light.
As I mentioned earlier, NETSEC detected their security failure only when a laptop tried to contact its new masters. The press release ironically quotes CEO Ken Ammon: "security products [must] be managed by trained security professionals who understand how to use the products to detect, analyze, and eliminate these security incidents." Hmmm, sounds like a job for Serbian & Badman... Managed-security firms look stupid when they get whacked by a security threat. It stings even worse if they get whacked by a well-known threat. NETSEC's customers should demand to know why the firm searched for compromised PCs only after Backdoor.SubSeven infected one of their own systems.
A RUMOR IN the security world says NETSEC infuriated the FBI — by failing to turn over IRC chat logs and other "definitive evidence." (Their press release claims they "caught a group of hackers in the act of compromising thousands of computers.") I asked an FBI spokesman a simple yes/no question: did they receive any evidence? He couldn't give me a definitive answer. I suspect the altered press release will disturb FBI officials. It looks waaay too much like a PR event gone awry. Mulder & Scully create enough cyber-embarrassments by themselves; they don't need to take on NETSEC's as well. Oh, I almost forgot! You're reading the second edition of this opinion piece. I repositioned one paragraph about an hour after the original posting. (Guess which one.) If only we could rewrite history this easily...