Over three million computers 0wned?

http://www.vnunet.com/News/1141901

Trustcorps claims it has scientific and anecdotal research supporting its
conclusion that over three million computers are "owned" by malicious
groups.

On the other hand, Information Risk Management questioned how any one
person could "own" hundreds of computers at any one time. And systems are
often not "owned" by a single group, but exploited by multiple groups.

Like most statistics, the "truth" is probably a little harder to find, and
a little bit scarier.

The FBI estimates a car is stolen every 27 seconds somewhere in the US.
In 2000, FBI Uniform Crime Report statistics showed that 1,165,559 cars
were stolen; with an estimated value of $7.8 Billion. Police apprehend
less than 15% of all auto thieves.

Unfortunately this computer crime doesn't fit the FBI crime reporting
statistics well. Vandalism of Property? Is the cracking of computers
happening more or less often than car theft?

Hey, Sean.

] Trustcorps claims it has scientific and anecdotal research supporting its
] conclusion that over three million computers are "owned" by malicious
] groups.

Interesting.

] On the other hand, Information Risk Management questioned how any one
] person could "own" hundreds of computers at any one time. And systems are
] often not "owned" by a single group, but exploited by multiple groups.

How could one person "own" hundreds of computers at any one time?
Since several individuals own thousands, tens of thousands, and
even (low) hundreds of thousands of systems at any one time, I
suppose the reason they don't own hundreds is because that isn't
enough. :confused:

] Like most statistics, the "truth" is probably a little harder to find, and
] a little bit scarier.

Indeed.

Thanks,
Rob.

It would be interesting to know if the FBI or any other group can
characterize how many computers are 0wn3d per minute. Then, of those
computers, how many remain 0wn3d indefinitely?

Marc

Trustcorps claims it has scientific and anecdotal research supporting
its conclusion that over three million computers are "owned" by
malicious groups.

The FBI estimates a car is stolen every 27 seconds somewhere in the US.
In 2000, FBI Uniform Crime Report statistics showed that 1,165,559 cars
were stolen; with an estimated value of $7.8 Billion. Police apprehend
less than 15% of all auto thieves.

Sean Donelan wrote:

http://www.vnunet.com/News/1141901

Trustcorps claims it has scientific and anecdotal research supporting its
conclusion that over three million computers are "owned" by malicious
groups.

Well, it isn't as if that article really had many of the details that were
meaningful. I decided to go right to the source (www.trustcorps.com) and
see what they had to say. Beyond seeing that they were yet another web site
that looks great iff you are using IE, I found almost NO substance. I
visited the "Press Room," and the "News" items, and even the archives
thereof. Nothing there (at least not those claims).

Ok, so maybe they haven't put it on their web site yet. Still, I suppose
someone made those claims, and I think they deserve a little examination.

On the other hand, Information Risk Management questioned how any one
person could "own" hundreds of computers at any one time. And systems are
often not "owned" by a single group, but exploited by multiple groups.

Well, no one here is truly defining what "owned" implies. I know what a
ruckus it kicked up here on NANOG when the first truly distributed denial
of service hit eBay (or was it Yahoo???). No matter. That was nowhere near
three million computers, but it certainly didn't require a lot of control
to qualify as "control," or a lot of ownership to qualify as "owned." I'm
amused at the thought that so-called hacker groups are in any way
coordinated, or working together, other than a few here and there (and more
for monetary gain than fame and glory).

Three million? Sure, I believe, if you stretch the definition thin enough,
that three million is quite believable. Organized in any way? Nonsense.
Sheer, utter, mind-numbing nonsense. If it weren't for the tremendous
amount of software out there that makes it EASY to take over machines (and
I include every single default install of every single OS that enables
anything more than port 22), if it weren't for the stunning array of folk
who think that expediency is valuable, and ethics malleable, if it weren't
for the vast populace that just wants pabulum, and padded cells, none of
this would be possible.

Trust me. The only bad guys that are organized are the ones who are after
$$$, and they have absolutely no need to control three million computers.
One or two is plenty, and for just long enough. The idea that there is a
vast underground of pimply-faced teenagers just waiting to control the
world would be laughable, were it not for the continued commercial assaults
that insist it is so.

Unfortunately this computer crime doesn't fit the FBI crime reporting
statistics well. Vandalism of Property? Is the cracking of computers
happening more or less often than car theft?

Car theft is clear. Someone takes your car, and then you don't have it.
When someone compromises your computer(s), what do you lose? What do they
gain? It's a very unclear question.

Speaking of which, a heads-up... Jay Dyson was reporting on the incidents@securityfocus
mailing list that he's seeing an upswing in scans for ssh. There's no big spike over
on incidents.org, but there was a comparative quiet for the last few weeks and higher
activity last 2-3 days....

Heavy sigh. Unfortunately even that isn't good enough for some vendors.
Yep, believe it or not, at least one vendor managed to create a buffer
overflow in their IP stack which didn't require *ANY* ports to be open
on the victim. If it was connected to the network with an active IP
interface, that was enough. If you want complete network safety, you
want wire cutters. Then you just have to worry about the traditional
physical stuff like sneaker net, theft, etc.

The unanswered question is what should be considered reasonable? And
how much of a burden should the end-user carry?

The unanswered question is what should be considered reasonable? And
how much of a burden should the end-user carry?

Plugging into the network is like owning a house. You're at the edge of a
public network, whether it be a road or a wire. Just as you lock your
front door, there needs to be a way to lock your computer. It is up to the
OS vendor to provide some user-friendly means to access and secure one's
computer.

From a provider point of view, computer security is reactive, just like
our local police force. You call them once your own space has been
compromised to assist in catching the intruder.

Adi

marc@sachsfamily.net ("Marc") writes:

It would be interesting to know if the FBI or any other group can
characterize how many computers are 0wn3d per minute. Then, of those
computers, how many remain 0wn3d indefinitely?

what's interesting here is the changing definition of "0wn3d". there was
a time when installing malbots on someone's computer meant you "0wn3d" it
but now that there's spammer malware that searches for "open proxies" a
vast number of said proxies appear to be of "0wn3d" computers. therefore
a spammer who would not go so far as to install the malbot is absolutely
willing to make use of it once it's been installed by others. "0wn3rship"
seems to be pretty anonymous at this point. (shades of "shockwave rider".)

i guess palladium will fix all this, somehow.