back to article Security world ill-equipped to solve digital whodunnits

When anthrax-laced letters killed five people and sickened 17 others shortly after the September 11 terrorist attacks in 2001, investigators were able to pin point the precise lab where the deadly spores were manufactured. And when Confederate General Stonewall Jackson was shot on the battle field some 150 years ago, forensics …


This topic is closed for new posts.
Black Helicopters

For God's sake, Dan, where is your cynicism...?

“Theres' (sic) a lot of people that the second they see a big company get compromised we immediately think its a state-sponsored effort and likewise when we see a power company get some malware we immediately think that it's a targeted attack sponsored by a nation state when in actual fact it turns out to be someone viewing a Viagra commercial they shouldn't have looked at. "

There's a very simple reason why you don't have effective systems for pinpointing web 'attacks'.

Who is going to benefit from the realisation that most 'Cyber Attacks' are really bored staff, script kiddies and spam merchants? NOT the US and UK Security Services, who build up their budgets on the assumption that the 'Axis of Evil' is behind all attacks on the freedom-loving western democracies.

The last thing they want is for the politicians to realise that the reason for their collective existence collapsed with the Berlin Wall. You want work in this field, you'd better be prepared to pretend that western computing is continually under attack from sources that ONLY a State Security Service can defend against.....


Cynicism? Or what?

The thing is, given the lead times on weapons procurement and the tightness of budgets, we maybe need well-funded, competent, intelligence services. Maybe we need cyber-police, rather than cyber Bond-age, but it's a part of the intelligence problem, whether attacking or defending.

Is it still called Special Branch? The Police in the UK have been dealing with terrorists for a long time.

Equally, we don't want to become so fixated on technical means of intelligence gathering that we forget how to handle people.


Malware identification

Identifying who wrote a particular piece of malware is pretty useless in the grand scheme of things...

A lot of such code is widely available, so a given piece of malware is likely to be a slightly modified version of something else, or a hodge podge of cut+pasted code from various sources.

Also who's to say the author of the code is the same person who actually used it? It may not even have been written specifically for them, they could have acquired it from virtually anywhere... They may have even been infected by it themselves, and chose to modify the command & control server address by hacking the binary.

Actually tracking down whoever is responsible for an attack is extremely difficult unless the attacker is grossly negligent... Chances are there will never be any direct connection between them and you, they will be relaying through multiple systems in different countries... Those servers will be compromised and configured not to log any of their actions, and will be specifically chosen from a pool of such systems the hacker has... They will typically choose systems in several countries that are unlikely to co-operate, on networks where a lot of systems are compromised to minimise the risk of logging being performed at the network level.

In order to trace these people you need to go backwards step by step, depending on the owners of the stepping stone boxes to co-operate.. If even one of those hops hasn't got some kind of logging which the attackers were unable to subvert then the trail goes cold unless the attacker comes back and can be observed live. Chances are most of these places won't co-operate, or won't have any useful logs.

Many places get hacked, lots of big name companies and government agencies... Most of these places never want to admit they got hacked, so unless the hacker did something obvious like deface a website most companies will want to sweep the issue under the carpet... Some have even been known to pay hackers to keep quiet.

Go on IRC and hang around with some of the script kiddies, you'd be amazed what kind of things kiddies on IRC get into, and virtually never get into any trouble for it.


Non-technical, huh?

“It's important to have these tools that non-technical people can use to try and dumb down that knee-jerk reaction to miss-point fingers” said Parker.

It's non-technical people (and non-technical people _pretending_ to be technical people, and non-technical people _deluding themselves_ that they are technical people) who are making knee-jerk reactions, or advising people in power to do so.

Complicated things are complicated.

That's why we have (truly) technical people.

My firewall logs showed a host port-scanning my workstation. The IP address of that host is allocated to an ISP in China. Does that mean The Yellow Peril is sponsoring a cracking attempt on my workstation?

Who knows? It could be a bored Chinese script kiddie. It could be that the host which was port-scanning me was itself hijacked by some malware ("Click Here to See Free Big-Busted Blonde Babes!"), allowing it to be remote-controlled by someone in Eastern Parmistan, in Australia, or even in the Good Ol' U.S. of A.

Any tools that "non-technical" people can use, as Parker is calling for, will by necessity be limited, make (possibly-incorrect) assumptions, and lead to further "miss-pointing".

No tool can ever be idiot- or ignorance-proof.


Newbie: "Space Shuttle AI, blast off and take me to the moon's surface as quickly as possible!"

AI: "I have multiple options for you to consider--"

Newbie: "Don't give me options, just do it, do it now, and get me there as fast as you can! That's an order!"

AI: "Acknowledged, sir."

[Later ...]

Newbie: "Ship, it looks like the moon is getting... VERY big, and the ship's engines are still off. Aren't we going to start slowing down soon? In fact, I want you to start slowing us down now."

AI: "Unable to comply, sir."

Newbie: "Why the hell not?!"

AI: "Zero fuel remaining."

Newbie: "Why the hell are we out of fuel already?!"

AI: "It was all burned accelerating the ship, in compliance with your previous order, 'get me there as fast as you can'."

Newbie: ".... Stupid computer."

AI: "Stupid human."


Big Brother

@Dodgy, etc

“Theres' (sic) a lot of people"

I figure that "a lot" is singular. It is a lot like how there is a gaggle of geese outside, pooping a lot of green shits on the brown grass. The example is in the "gaggle", not either of the "lots". Though, if the objection is to using a conjugation at the beginning of a sentence, there could be some debate. Tits rare that I practise that collective of grammatical functions.

Oh, security sleuthing... yeah, no, it's a pack of crap. At the end of the day, it is most helpful to have access to all systems (or at least the passers-betwixt-of-packets) involved. As for identifying code, fingerprinting API's, and that yummy fun, talk to law firms that buy patents for a living. To make it work, then, we need Apple Microsoft running Worldwide Homeland Security.

Will there be further release from The Department of Stating the Obvious (the sources, not the - surely - helpful El Reg'er).


Tits rare to you too.

What a lot of ordure.

Gold badge

code analysis is useless

In cases like this for several reasons...

1) you need something to compare it to. Look at this case, there's *identical* code just floating around on forums.. Anonymously. Any code analysis will just say "look it's identical!" and not help a bit identifying anyone

2) code reuse

3) short code segments, there's only so many ways to get certain thing done, unrelated writers WILL come up with the same code.

result? "oh this must be the writer, the computer sez so!11!11!!" as a few posters said, this is not something that can be made non-technical.

also in google's case, they didn't prove it was the chinese, but they had more evidence than you stated i think. It was just the media distorting it into "google sez chinese gov't hacked them". Again, non technical ppl trying to evaluate technical data.

Silver badge

Fluency and accuracy in any language is or was absent

from a great deal of program code that I've looked at. Programmers are, or have been, often quite illiterate. Spelling I'm thinking of particularly. Having said that, many creative writers and journalists also spell like ducks if you get to see their uncorrected text, so maybe we should after all banish the hobgoblin from our little minds that shrieks when our PVR misspells words such as "television" and "recording".


Time to ISPs to tackle use of hacked sites

Before trying to tackle the forensic issues, perhaps the industry ought to turn its attention to the offensive use of IP addresses. Today the Offensive IP Database at this site [] lists 34,603 pages of IP addresses that have been used to launch RFI attacks on other websites. There are IP addresses on their list which have been hosting such attacks for years. Why are the hosting companies not more proactive in taking down this hostile sites???



Programming code is not like handwriting. It's neither individual nor requires the writer to be present to give visible results.

My Hello World program code is going to look very much like anyone else's. And very much like my Goodbye Cruel World program. But a fair bit different from my payroll application.

And what if they can tell who wrote this piece of malware? if won't say where the attack came from. Nor who it was aimed at, considering most good malware today is designed to spread where it can. It doesn't hit people who were targetted, it hits people who self-selected themselves by having the necessary exploits open.

Instead of "Help! Important Government Function is under attack" it would be better to look at "Help! Important Government security is like a sieve".

This topic is closed for new posts.


Biting the hand that feeds IT © 1998–2017