Enemy Within

When considering our preparedness (or lack of it) for cyber warfare or fighting cyber criminals, an old African quotation comes to mind: "When there is no enemy within, the enemies outside cannot hurt you."

At first thought, the concept of an enemy within might call to mind the Federal Trade Commission halting the scareware schemes, in which e-marketeers falsely claimed their scans had detected viruses, spyware, and illegal pornography on consumers’ computers. The FTC estimated more than 1 million consumers were duped into buying needless products such as WinFixer, WinAntivirus, DriveCleaner, ErrorSafe, and XP Antivirus, at $40 per install. Yes, a cool $40 million from such a scam based on ineffective products.

The enemy within, though, is actually more insidious than that. According to an alarming annual security report from Cisco Systems Inc. (Nasdaq: CSCO), there was a 90 percent growth rate in threats originating from legitimate domains, nearly double what the company saw in 2007.

In addition, vulnerabilities in virtualization products nearly tripled to 103 in 2008 from 35 in 2007, as more organizations embraced virtualization to save money and increase productivity. The technology basically lets one computer do the job of many, by sharing the resources of a single computer across multiple environments. More importantly, those same virtual environments can be set up for Web serving and data transit.

HostExploit was able to determine the problem with McColo by penetrating its virtual environment and exposing it for the business it actually was. This evil network was run from Moscow by cyber criminals; however, it was fully maintained within a data center in Southern California. In similar fashion, recent attacks on Georgia were launched from Plano, Texas, controlled by a Russian group apparently based in London.

The enemy within we should all be most concerned with is these colocation centers. Most would be surprised to learn one particular Russian network operator has three virtual hubs in the U.S.: Ashburn, Va.; New York; and Los Angeles. This may sound worse than it is -- U.S. operators have hubs and nodes in Moscow; this is just the way of the Web Wide World, and allows us to speed the flow or maintain virtualized Web-serving across the globe.

What is disturbing is this particular Russian network operator is RETN, also formerly known as Eltel, a very dirty Russian network infamous for hosting spammers and malware. RETN/Eltel will be reactivating the McColo IPs anytime now, allowing the botnets to contact their masters and the spam to flow again, according to Spamhaus.

In this virtual network operator jigsaw puzzle, consider the potential enemy within. In this unregulated and open market, anyone with a credit card (like RETN) can rent rack space or even simply dispatch a server, right next to equipment from Global Crossing, Level 3, Hurricane Electric, and many others, foreign and domestic. And that's all that's needed to launch a botnet-controlled attack for cyber warfare or cyber criminal purposes from St. Petersburg, Beijing, or Islamabad. Except that it's happening within U.S. cyber space.

Within a very short period, these virtual thugs can send billions of spam messages, distribute malware, or, as the hackers did earlier this year, access White House emails. Add to this the ability to use anonymous proxy networks via botnet C&C (command and control), and they can make themselves look as if they're from the U.S., China, or whatever virtual destination they choose.

Before anyone jumps up to call this an infringement on Internet freedom or net neutrality: if there was ever a serious case for necessary government regulation and watchfulness, this is it. These are commercial, criminal concerns operating strategically important communication data and colocation centers; tighter controls would have no effect on individual Net surfing or Web hosting. What more oversight and control would do is create a less welcoming place to harbor the enemy within.

Internet Evolution