[LINK] Rise of online mercenaries

Thu Jun 4 18:50:04 AEST 2009

<brd>
The internet doesn't look much like it was predicted to become when the
first graphics based browsers were developed in the last millennium.

Predictions are very difficult, especially when they involve the future.
</brd>

Rise of online mercenaries
Karen Dearne
June 02, 2009
The Australian
http://www.australianit.news.com.au/story/0,24897,25570856-24169,00.html

WITH about 130 countries engaging in cyber warfare activities, it is
possible that governments are behind some of the dangerous new blended
attacks, local IT security professionals have been warned.

Steven Bellovin, professor of computing science at Columbia University,
predicted the rise of online mercenaries prepared to carry out the
"nasty things" governments did not want to be associated with.

"Hackers are already doing nasty things for pay, and for covert
operations deniability is useful," he told the AusCERT 2009 conference
last month.

"I fear we may go back 200 years to letters of marque and reprisal,
where governments commission somebody to attack another government's
assets with perfect immunity under law."

A letter of marque is an official warrant authorising an agent to
capture and destroy specified assets belonging to a foreign party that
has committed an offence against the issuing nation.

Professor Bellovin said the US constitution explicitly permitted the
granting of such letters, "and the US has never disavowed the concept,
unlike a number of other countries".

Aside from those scenarios, many governments were known to be engaged in
cyber-spying or hostilities against regional rivals. "A couple of
laptops are a lot cheaper than a couple of F16s (fighter aircraft)," he
said.

"If a US official said the Government was prepared to use nuclear
weapons in response to cyber warfare, the other party doesn't need to
engage in computer game playing. They just need to do nasty things to
the US defence force's strategic communications network."

Professor Bellovin said certain new blended exploits -- involving
technical interventions and social engineering -- were beyond an average
hacker, but not a nation-state. "Suppose someone creates an
innocuous-seeming flaw in a chip (used in particular devices), and
plants code to trigger that flaw in certain applications," he said.

"You could put a data file on a web page or in spam, the CPU (central
processing unit) will execute that and a backdoor in the chip is triggered.

"I see absolutely no reason why this would not happen." In one instance
that came to public notice, a US government agency paid $US80,000 to an
individual who had devised a Linux flaw.

Hackers were already looking beyond the desktop and server stack, with
the focus now on such things as a worm that targeted wireless routers
and took them over. "The hacker can spy on all the traffic and even turn
the router into a botnet. Suddenly you have a virus on every computer in
your house."

Businesses and government agencies needed to be more cautious about
"inside" attacks through their supply chains, particularly in relation
to "software coding that is outsourced to dubious places".

A recent report from Russia described how ATMs had been programmed to
skim users' card details. When the attacker inserted a master-card, the
machine printed out the account names and PINs of all users since the
last download.

Meanwhile, industrial spies after corporate secrets were achieving
"high-end results for high-end customers".

"These are really broad-spectrum attacks involving networks," Professor
Bellovin said. "One attacker got access to a network through U3 flash
disks (essentially a USB stick and CD-Rom combined). The attacker left
some flash disks lying around the parking lot, and people couldn't wait
to install them to see what was on them."

Karen Dearne attended AusCERT 2009 as a guest of AusCERT

-- 

Regards
brd

Bernard Robertson-Dunn
Canberra Australia
brd at iimetro.com.au