Post Magazine: The Computer Bandit
Tuesday, February 21, 2006; 1:00 PM
Hackers are hijacking thousands of PCs to spy on users, shake down online businesses, steal identities and send millions of pieces of spam.
Brian Krebs, whose story about one of those hackers appeared in Sunday's Washington Post Magazine, was online Tuesday, Feb. 21, at 1 p.m. ET to field questions and comments about his article.
Brian Krebs is a technology reporter for washingtonpost.com.
Brian Krebs: Hello, everyone and thank you for joining me today. I'll get right to answering some of these excellent questions.
Tampa, Fla.: Other than running updated anti-virus and other security software such as Ad-Aware and Spybot, what can we do to prevent having scum like the subject of your story take over our PCs?
As for 180Solutions, the clear solution is to bring criminal charges against them and their officers and directors. Hackers only do this because corporate criminals like 180Solutions make it financially worthwhile. Attacking the source of this problem is the only way to control it.
The law requires that consent be knowing; hiding the true meaning of the agreement gives you a strong argument for nullifying the alleged consent. Prosecutors should take the same attitude with 180solutions as they and others did with Napster. If the courts can impose hundreds of thousands of dollars of damages on grandmothers who unknowingly let their grandchildren illegally download a couple of songs, they should easily do the same with 180Solutions.
Kill 180Solutions and their ilk. Put them in a corporate grave alongside Arthur Andersen. NOW.
Brian Krebs: Thank you for your passionate question and comment. To answer your first question, aside from the precautions you already mentioned, the most important thing Windows users can do to keep their PCs safe is to be extremely cautious about clicking on links and file attachments that arrive via e-mail and instant message. These two mediums are among the most prevalent ways that worms and bots like the ones described in the Post magazine story spread.
On the consent issue, I can't argue with you one iota. Unfortunately, precisely what constitutes clear and unambiguous consent is a legal issue that is not terribly well defined in the context of modern technology. I believe that ongoing and future lawsuits will change that - it may take several years still - but eventually I think most of these companies will be driven out of business. However, one consequence of stricter enforcement may be that these types of companies all migrate to tiny island nations (like the porn dialer companies) or countries that do not have strict fraud and consumer protection laws in place.
Bethesda, Md.: I swear I'm not trying to stir up some kind of platform war with this question, but I wonder if Macs are as vulnerable to some of the programs 0x80 was able to create -- if it's just an issue with Internet Explorer in general, or particularly Internet Explorer for Windows?
Also, if a person does keep up with all the patches released by Microsoft, are they safe? I found it particularly chilling when you said that some of these little programs even allow hackers to peek through your webcam...
Brian Krebs: Every operating system contains security flaws, and is therefore vulnerable to exploitation. Macs are no exception, but they are not vulnerable to the extent that Windows machines are: the core difference is the default settings on both machines. In Windows, the default user can do anything on the system, from deleting things to installing files or manipulating them. Unless the user affirmatively creates a secondary and less privileged account - and makes a concerted effort to use that account for daily Internet use despite the fact that doing so can cause problems with third-party applications - then the security of that user's machine is compromised when he or she visits a web site that tries to use a flaw in the operating system or Internet Explorer to install software, because that piece of software is being run under an account that has full read-write privileges on the operating system. A flaw that causes that application to crash and write data to the hard drive will not be prevented. In most cases, if Windows users are using a less privileged account and they run across such an attack, the exploit will fail to work properly.
On Mac OS X systems, the default account is "administrator" (on Windows, the account by this same name is the most powerful), which is a somewhat less privileged account than "root" or "superuser," which can do anything on the system. If the user is browsing the Web with an administrator account in Mac OS X, and a Web site were to take advantage of an unpatched flaw in the browser (Safari) to try and install software, it would fail, or at the very least the user would be prompted to enter his or her root password and thus alerted that something was trying to install itself onto the system.
However, I'd urge you to check out a blog post that I put up on Security Fix today that discusses the emergence of such a threat for Mac OS X and Safari. According to that post, there is currently an unpatched flaw in the Mac OS X operating system that allows Safari to be hit with an exploit simply by visiting a malicious Web site. "While a malicious Web site using this flaw would not be able to, say, overwrite files or disable the firewall on administrator accounts, it could well delete that user's files or cause that account to send and/or receive various types of data."
To your last question, see my reply above: users still need to practice safe surfing and be extremely wary of clicking on links and attachments that arrive via e-mail and instant message.
Washington, D.C.: Are you aware that the Post failed to scrub the metadata from the images used in this article, leaving information about your town? This was picked up by users of the Web site Slashdot over the weekend. Using other clues in the article, they were even able to guess the intersection where you live. Have you been contacted by law enforcement personnel? Do you intend to take action against the Post?
Brian Krebs: As you know we take our obligations with sources very seriously and I don't want to comment about any speculation about sources.
Editor's Note: This question was edited to remove a specific reference to the town name.
Creep: Comment only. This guy and people like him are like the virus/worm designers. They create havoc for those PC users who either want to enjoy the Internet or whose livelihood is from the Internet. These people are no better than your school bully or burglar. I am sure they sleep well at night and don't realize what misery they create.
Brian Krebs: Thanks for your perspective.
Charlottesville, Va.: Brian,
Great story. Have you considered doing a follow up story on what your readers can do to help protect themselves?
Brian Krebs: Hi Charlottesville: We have done that in a sidebar that ran with the Post magazine piece, entitled "Don't Let Your Computer Be Hijacked." Aside from that, tips on how to protect yourself from the latest threats are sort of the theme of the Security Fix column that I write.
Silver Spring, Md.: Brian -
Right now I use two firewalls on my home network (PC plus laptop): the hardware version in my router, plus the free version from Windows XP, SP 2. Do I really need a third software firewall, like from Zone Alarm? What benefit would I get out of it?
Thanks for your help.
Brian Krebs: This is a question that comes up in nearly every Security Fix Live chat. The firewall that comes built in to Windows works fine for keeping things out of your PC. But it does nothing to stop things that may somehow get installed on your machine without your knowledge from using your connection to phone home or retransmit certain data out of your machine. And the hardware firewall will not stop that type of transmission either.
That is why a third-party firewall would be ideal, because it allows you to control the flow of data in both directions. Now, a third-party firewall will still ask you cryptic questions from time to time, prompting you to make decisions about whether to allow, for example, hkcmd.exe to access the Internet. A lot of software firewall programs don't make it easy for you to figure out what that program is and who makes it - though that is changing - so it's far from a perfect solution, but a two-way firewall is better than the built-in Windows firewall any day.
Vienna, Va.: Hi, I have a home network that reassigns IP addresses to computers connected to the router. Does the masking/reassignment of IP addresses protect a PC from being found by a hacker? Or is it just a misconception?
Brian Krebs: What you have is a router that does what's known as Network Address Translation (NAT for short), in that it can let multiple machines on the internal network share the same external address by assigning them private addresses that are not routable from the public Internet (e.g. 10.x.x.x or 192.168.x.x). To the external Internet, the router appears to be a single machine with a single IP address, which masks the fact that there may be multiple machines on the internal network sharing that address. For a more detailed explanation of this dynamic, see Steve Gibson's write-up at this link.
The best part about NAT routers and firewalls is that the router acts as a switch, in that it only allows traffic to flow to one of the machines on the internal network if it sees that the traffic was initiated by the internal machine in question. As a result, any unwanted incoming traffic - port scans, worm attacks, etc. - is simply dropped by the firewall or ignored. So, yes, to answer your question, your router should go a long way toward making sure a hacker or worm won't be able to find your PC online.
South Riding, Va.: Which is worse?
- Knowing that there are hackers controlling botnets, or
- Knowing that companies like JP Morgan Chase, Cingular, T-Mobile, Monster.com and Expedia.com will pay for their ads to appear on the computers on the botnet?
It would seem to me that part of the solution is to convince the big companies to stop paying 180solutions to distribute their ads.
Brian Krebs: You are right. As long as major companies keep feeding advertising dollars to distributors who outsource the online display of those ads to third and fourth and fifth parties (and reward everyone in that chain), this problem will continue. The advertisers can safely hide behind the excuse of ignorance because deconstructing these kinds of elaborate arrangements is very complex and confusing, even for people in the anti-spyware business who are trying to expose this type of dynamic.
Ultimately, it will take more reporters and more major publications putting pressure on the advertisers - some of which hail from Fortune 100 and 500 companies - to, as FTC Commissioner Jon Leibowitz said, "shame" them into policing how their image is spread to the world online.
Arlington, Va.: I thought your article was great. It gives a good look into the real life of an illegal hacker and helps to dispel some of the myths about who these types of folks are and their habits and whereabouts.
Did you talk to this kid's parents at all? You mentioned a conversation the kid had about his activities with his dad. Maybe a follow-up article on ways parents can prevent this from happening to their kids?
Brian Krebs: Thank you for the compliment. I spent 12 months reporting and writing the story and developing the sources.
I did not speak to his parents; they were not around when I visited him. However, I do believe that parents have a huge role to play in making sure their kids do not get pulled into the darker nether regions of the Web. Parents need to wise up and become aware of the very real and active threats that will come looking for their kids online, to say nothing of the trouble their kids can get into if the kids themselves go looking for it. In my opinion, allowing a child to have a computer in the solace and privacy of their bedroom is a recipe for disaster. Unfortunately, too many parents adopt the notion that they'd rather not know what their kids are up to online, because it might mean confronting them about uncomfortable issues such as pornography and...well, quite frankly technology and security, which sadly many parents are ill-educated about.
Bethesda, Md.: The thing to do is find out which companies pay to have their ads placed like this, and then never use their services. I use a no-ads host file, so I never even see any ads. Who looks at them? The more annoying and in your face they are, the less likely people are to respond to them.
And on a good note, this guy will be caught very soon. Just look at what the folks on Slashdot have done so far.
Brian Krebs: That sounds good and effective in theory, but the companies that ultimately display these ads to the "user" who has the adware on their machine still get paid a small amount for each ad they display, so whether or not the user clicks on one of those links, the adware company will still get paid.
Bethesda, Md.: When visiting my in-laws, they had 180solutions on their toolbar. Should I get them to remove it?
Brian Krebs: I don't know. You should ask them whether they a) know that the software is installed, b) remember agreeing to install the software, and c) receive any benefit from having the software installed on their computer. I'm confident the answer you receive will be no on all counts, and in that case I'd say you'd be remiss if you didn't remove the software. You might consider doing a virus and adware/spyware scan on their machine as well. Good luck.
Potomac, Md.: Are intrusion prevention systems (IPS) such as Cisco, Symantec, McAfee and Tipping Point IPS products really up to the task of catching malicious "zero day" network traffic or more likely just another reactive traffic filter?
I already have a "deep inspection" firewall, Barracuda Networks Spam Firewall 300, McAfee enterprise anti-virus and "endpoint security" for VPN users (via Juniper Networks SSL VPN client with bundled-in Symantec/WholeSecurity client-side host checking). Honestly I can't tell if I would sleep any better at night with an IPS system watching my outside, DMZ and internal network connections for anomalies or identifiable malicious traffic unknown to any of the above. Thanks.
Brian Krebs: Sounds like you're behind a digital Fort Knox there, Potomac. I'd guess you don't have a lot to worry about, except maybe the social engineering aspect that most attacks on Windows systems adopt today. In fact, a really targeted attack from someone who knew a little bit of information about you and knew how to get your attention might be a big threat to consider. Some of these attacks are so well designed - they address you by name and include a few pieces of legitimate information about you - that you let your guard down and assume the sender already has a trusted relationship with you.
To your other question, I'm sorry but I haven't reviewed or used those products, so I can't really tell you much about their relative strengths and weaknesses.
Bethesda, Md.: Mr. Krebs, after reading this article, I am left with only one question. How can you not turn this guy in? Please don't tell me "giving your word" to this piece of scum is more important than protecting his victims.
Brian Krebs: You wouldn't believe how many e-mails I've received trashing me for giving this person any attention at all. I've received just as many e-mails from people who know the reality of the situation I describe in the story all too well, and these people are extremely grateful for a story that explains this complicated but extremely important epidemic - and it is an epidemic - in a way that the average user can understand.
I set out to write this story in a way that exposed not just the technical issues at play here but the human element involved as well, from the people who profit from it to the folks who suffer because of it to the growing number of professionals who dedicate huge resources and expertise (often at no personal recompense) to tracking these guys down. From the balance of the feedback I've received thus far, I am confident I accomplished that goal with this story.
Silver Spring, Md.: Yours was an excellent article. Thanks. It's somewhat sad to contemplate, though, that some are already turning away from the miraculous Web because of the dangers exposed in your article. Why can't commercial interests and grifters leave alone things that work really well?
Brian Krebs: Thanks very much for the compliment, Silver Spring, and for the softball question. Seriously, though, the answer is as old as the hills: because there's an obscene amount of money to be made, with little to no risk of getting caught by the perpetrator. That's a dangerous mix that almost always encourages the criminal element to take advantage of the situation.
Tokyo, Japan: To what extent are botnets and their creators a threat to users of Internet banking services? I've used online retailers but have always hesitated to do any banking online for fear that someone like the subject of your article could be lurking.
Brian Krebs: Great question, Tokyo. Botnets are the single biggest threat to regular users and corporate networks: As a security expert I quote in the story says, they are THE primary source of all that is evil on the 'Net today, from phishing to spamming to denial-of-service attacks to spyware.
The reality is that if you are a Windows user and you follow all of the basic security advice we give over and over again -- use a hardware and/or software firewall, up-to-date anti-virus software, install security patches and avoid randomly clicking on links and attachments that arrive via e-mail and instant message -- you should be fine.
But you'd be amazed at how big a problem the bot phenomenon is for businesses. One of the guys I interviewed for this story -- whose data on botnets we ran as a blog post because it was cut from the magazine for space reasons -- said in a recent presentation that he found one botnet with hundreds of infected machines inside of a major U.S. bank. Imagine getting a phishing e-mail that ACTUALLY WAS sent from a bot-infected user's computer at your bank?
Fairfax, Va.: I remember seeing sites that would claim to "test" your computer by checking ports and what not, and tell you how protected your PC was. Are these tests reliable at all? Do you have any sites, or even third party programs, that can test a PC and give a vulnerability rating of some sort?
Brian Krebs: These kinds of sites aren't comprehensive: they test whether certain well-known holes on your machine may be listening for traffic from other computers. One popular test is over at Steve Gibson's site, called ShieldsUp!. I'm sure there are others as well.
Silver Spring, Md.: From your father-in-law. I ran Calwin over the weekend because of the story about 0x80. It takes a lot of time to run but it found a virus. YOU KNOW HOW PARANOID I am about security. Everyone ought to run it but probably overnight.
Brian Krebs: Hey there, Daddy-O, and thanks for joining us. (I think he meant ClamWin, which I mentioned in the article as one of only two anti-virus tools that detected the hacker's bot program.) I've recommended ClamWin as a very effective and FREE anti-virus program for Mac and Windows users before because it appears to work very well, if a little on the slow side, as my dad-in-law notes.
Keep in mind, readers, that it's generally not a good idea to install two different anti-virus programs on your machine at the same time. They will fight for supremacy over your machine and more often than not flag portions of one another's harmless source code as a virus and prompt you to remove it (and in so doing disable the protection).
Charlottesville, Va.: Brian,
For what it's worth, your story was superb, and anyone who lacks the cognitive ability to understand the importance of journalistic integrity should be of little consequence to you.
Keep up the good work, Brian.
Brian Krebs: Compliments like these are always welcome!
Arlington, Va.: Brian, in the article you mention that several of these hackers are also capturing passwords, SSNs, credit card info from their infected networks of machines.
What you don't mention, however, is what they are doing with this info -- if anything.
I can't imagine this stuff wouldn't be for sale and that guys like 0x80 aren't selling.
Brian Krebs: Well, it just so happens that the hackers I interviewed for this story said they weren't doing anything with that information, even though the bot programs they were using to infect their victims most certainly had that capability with the push of a few buttons.
Over the past several days since the story ran, some new doors have opened up and I've been permitted to take a peek further inside the world of people who hunt botmasters down for a living. What you find is that these bot programs serve the purposes of their masters: I have seen some that spread solely for the purpose of installing keylogging programs that record and transmit to the attackers every single thing the victim types on his or her machine. On Sunday, for example, I used my contacts with several ISPs to have them alert individual subscribers that their machines were infected with keystroke loggers. One of those people was a podiatrist in the Midwest who had a keylogger recording stuff on his machine, which contained numerous sensitive patient records.
The data is very much for sale, and there is a very strong underground market for it that is thriving off of this type of activity. Sadly, much of this data is so common and easy to find or purchase that it is not worth nearly as much as you might think. For instance, if you know where to look online, you could purchase dozens of live, stolen credit card numbers for a few hundred bucks. These are cards that have limits of many thousands of dollars. More sensitive information is there for the paying customer but it tends to cost more.
Brian Krebs: Thanks to everyone for making this such a successful chat. I appreciate all of the wonderful questions and only wish that I had time to answer more of them.
Editor's Note: washingtonpost.com moderators retain editorial control over Live Online discussions and choose the most relevant questions for guests and hosts; guests and hosts can decline to answer questions. washingtonpost.com is not responsible for any content posted by third parties.