To catch a cyber thief

Author: Sholto Macpherson

Increasingly sophisticated fraud and theft conducted over the internet by criminal organisations have pushed the skill levels of hackers and their pursuers to greater and greater heights.

Some computer security companies have upgraded their own programming and tracking capabilities by taking a leaf, and sometimes staff, straight out of the military’s handbook.

Verisign, one of the companies responsible for the maintenance and operation of key Internet infrastructure, has formed iDefense, “an open-source, cyber-security intel shop” run by director Rick Howard, who until 2004 served as chief of the US Army’s Computer Emergency Response Team (ACERT).

Howard is one of the few people in government or business who can legitimately claim experience on the offensive as well as defensive side of IT security. Howard directed ACERT’s network warfare operations against Iraqi communications and computer networks during the US invasion in 2003, the details of which remain highly classified.

Howard has modelled iDefense after his military intelligence alma mater and split it into two departments, technical and analytical. The technical side includes two teams operating 24 by seven, one tracking software vulnerabilities as they are reported, and the other tracking viruses, worms and other malicious software.

But Verisign’s crack troops in the software-hacking arms race are six reverse engineers who form the labs team at the company headquarters in Virginia.

Howard says that although none of the software specialists are formally trained (“some went to college but realised they knew more than the instructor”) they are world class experts at finding loopholes in popular software. They meet every day for one purpose: “All they do is hack code.”

These six engineers are “typical geeks”, jokes Howard. “Fashion is not the most important thing to them, neither is hygiene. We literally keep these guys locked up in a dark room and we throw pizza and Jolt Cola under the table. We don’t let women talk to them because women scare them.”

The technical teams are complemented by a division of political science and journalist analysts who speak a host of languages, including Arabic, Farsi, Chinese, Korean, Vietnamese, German and Russian.

“These guys are not technical per se; they are really smart, but not reverse engineer smart,” says Howard. “They hang out in terrorist forums and underground forums and listen to what those guys talk about in their native language and write about it.”

The analysts are also sent in-country to talk with law enforcement agencies and investigate local hacker communities. Verisign’s detailed report on the Russian Business Network was written by two iDefense analysts who interviewed former cyber-police in Russia.

Although iDefense looks and functions like a military intelligence operation, Howard is at pains to stress that its agenda is strictly civilian.

“It is completely in the open. We are not covert, it is not a secret military mission or anything like that. We are more like journalists,” says Howard.

The technical side can also call in backup. The software engineers manage a pool of 400 independent researchers who are paid bounties for each new vulnerability they discover. Every claim is verified by iDefense engineers and then passed on immediately to the relevant vendor and to all Verisign’s customers, along with instructions for minimising the threat until a patch is released.

Verisign doesn’t make the flaw public until the vendor has developed a patch, a process which, after quality control, can take several months. Microsoft averages 125 days to complete a patch.

iDefense also runs quarterly challenges on specific programs with cash prizes as incentives: $10,000, $8,000 and $6,000 for first, second and third places, respectively.

Despite the sizeable money on offer, the challenge doesn’t always dig up many secrets.

Microsoft’s latest version of its Windows operating system, Vista, was the target in the first quarter of this year. iDefense’s engineers told their researchers, “Try to hack Vista and see what you can give us.” “We got nothing,” says Howard.

Howard has two theories for the result. The first, which Microsoft would be very happy to hear, is that Vista is a lot harder to hack than everyone thought it was.

The second theory is that no-one has hacked Vista because nobody has bought it yet – not even the bad guys.

“There really is no incentive to go after Vista yet, no-one has it deployed,” says Howard.

There is a third theory. A rumour surfaced earlier this year that the black market was paying $50,000 for a vulnerability, five times iDefense’s best offer. Was Verisign just outpriced?

Other IT security companies pay for vulnerabilities, including Tipping Point, a vendor which sells an intrusion prevention system for computer networks. Howard says no vendor is paying anywhere near $50,000 for Vista vulnerabilities, and none have reported finding any.

As for the black market, Howard says a criminal organisation could contract hackers to find a vulnerability, but he doesn’t know where the $50,000 figure comes from.

“One theory inside our shop is that it is the researchers trying to bump the price up,” laughs Howard.
