October 12, 2005 8:30 AM PDT
Security exec to cops: Talk to us
Peter Tippett, chief technology officer at Cybertrust, said that information provided by the security company led to the successful arrests of the writers of the Melissa and Kournikova viruses, yet he says the police still rarely ask him for intelligence.
Cybertrust maintains four databases, tracking 11,000 hackers and virus writers, Tippett said. The system, known as "The Brain," records where these cybercriminals pop up online, notes their known pseudonyms and details which of the 600 or so hacking groups they belong to.
The company also employs a team of 78 people to maintain and update the system. They are constantly "watching the underground and seeing what the bad guys are doing," Tippett said.
"We have worked with the FBI and Scotland Yard, and in the past, that has proven successful. We provided the police with the name and location of the Kournikova writer and also Melissa," he said. However, he added that there is still a great deal of room for improvement with law enforcement bodies who "rarely" request such data.
Tippett said that data doesn't typically implicate the people behind one of the most worrying trends in security--the creation of networks of compromised computers, or "botnets." While the armies of hackers and virus writers tracked by the Brain are the foot soldiers, the generals--believed to be members of the Russian mafia--do not surface in the channels monitored by Cybertrust, Tippett noted.
"The mafia aren't dumb enough to have their people yakking on public networks, though a lot of the people they are employing may do so," he said.
But catching those writing the code for these criminal gangs is definitely a step in the right direction, and the 11,000 individuals tracked by the Brain include those responsible for around 3,000 Web site defacements each day, according to Tippett, as well as more serious crimes, such as virus writing.
The police would normally have to subpoena information such as that held by Cybertrust, but one problem with that approach is that they often lack the technical knowledge to know which information to ask for in order to catch virus writers and hackers.
"The police know they do not need a subpoena with us," Tippett said. "They know they can call us any time, and sometimes, I'll even call them and tell them what questions they need to come and ask us."
But helping to catch virus writers does not pay the bills for security companies, and some may argue that it is not their job to fill in the blanks for the police.
"Five years out of five, we have not found a way of making money out of this," Tippett said. "The reason we do it is so we know what's coming next."
Tippett said security companies can learn a great deal from "the chatter" in the underground.
He said: "When Microsoft launched DCOM (distributed component object model) six years ago, the chatter went right up. All the hackers were saying to each other, 'Have you guys got anything for this?'"
Because of that, Cybertrust knew DCOM was going to be hacked, so the company spoke to all of its customers back then, Tippett said.
"Then in July 2003, Microsoft posted a patch for DCOM, and these guys in our database just lit up," he said. "The first two vulnerabilities came on the same day--one published by Microsoft and one published by the bad guys--and it became obvious this was something to worry about."
"A week later came SoBig, two weeks later came Blaster," Tippett said.
The writers of those worms are still at large, although one teenager was convicted earlier this year for writing a variant of MS Blast.
Will Sturgeon of Silicon.com reported from London.