Sunday, Sept. 27, 2009 | The poster outside the third-floor office in the University of California, San Diego’s computer sciences building depicts Doc Savage, the big-muscled, bald-headed, fearsome-faced comic book hero. Inside the office sits a different Doc Savage.
Stefan Savage is a pale-faced, 40-year-old, T-shirt-and-shorts-wearing college professor. But in the world of cybercrime fighting — where the strength of your code, not your biceps, is what matters — this Doc Savage cuts quite the imposing figure.
Long considered a top cyber-security expert, Savage leads a team at the Collaborative Center for Internet Epidemiology and Defenses that last year infiltrated the infamous Storm botnet, which victimized millions of people through internet spam scams. And last month the center, which is a joint UCSD and UC-Berkeley effort, was awarded a five-year, $7 million grant from the U.S. Navy’s research arm to study botnets and the threats they pose to national security.
The threats, both to national security and personal security, are real, Savage says. And he has become convinced those responsible for protecting against the threats are going about it in the wrong way.
“By any reasonable measure of us against the bad guys in cyber security, the bad guys are winning,” he said. “The best we could be doing is playing catch-up, but we are falling further and further behind.”
We’re falling behind, Savage argues, because we are still going after online crime as if it were being perpetrated by 1990s-era basement hackers looking for fame rather than fortune, when today cybercrime has become big business.
Old-school hackers were neither organized nor well financed. Defenders could quickly build blacklists of the servers the malicious code came from and write anti-virus signatures for it.
But the advent of botnets has changed all that. Botnets are networks of computers that, unbeknownst to the owners of the individual machines, are being controlled by a third party. They allow criminals to set up scams via spam e-mail as well as steal credit card numbers, and in the worst cases, entire identities.
The first big outbreak of this kind was the Code Red worm of 2001. (Strictly speaking, a worm is the self-spreading program; the network of compromised machines it leaves behind is the botnet.) Code Red exploited a buffer overflow in Microsoft’s IIS web server and in the course of a day took over about 350,000 computers. It then launched an ill-fated denial-of-service flood aimed at the White House web site, but beyond that Code Red didn’t accomplish much.
It did, however, prove that compromising very large numbers of computers was easier than experts had previously thought. Since then, botnets have only become more powerful and sophisticated. Conficker, which has infected millions of computers this year, is the latest example.
And the crime committed via botnets is exploding, according to a report released this month by Websense, a San Diego-based internet security company. The number of malicious websites has grown 671 percent in the past year, and 86 percent of all unwanted e-mails in circulation contained links to spam sites and/or malicious sites, according to the report.
Perhaps the most shocking finding in the report is that 77 percent of websites with malicious code are legitimate sites that have been compromised. “In the olden days — which was just three years ago — people thought the malicious websites were in the seedy places of the internet, porn sites and gambling sites,” said Dan Hubbard, Websense’s chief technology officer.
“Don’t visit the bad neighborhoods on the internet and you were safe. Problem now is that there are a lot of good neighborhoods that have gone bad.”
Botnets also represent an intelligence and national security threat. During the Cold War era, sensitive information was kept on relatively few computers, and huge defenses could be built around them. But these days the military depends on the internet like everyone else — and there are countless computers with access to important information that can be picked off by a botnet.
Exploiting all these vulnerabilities is extremely profitable, as Savage’s team has been able to prove through its infiltration of the Storm botnet. The lucrative payout provides plenty of incentive for criminal enterprises to develop ways around defenses.
But there is still too much focus on protecting individual computers and computer networks, the so-called end hosts, and not enough on the economic pressure points of the criminal organizations that commit the cybercrime, Savage said.
“For a very long time we’ve had our head in the sand as far as the bad guy,” Savage said. “The bad guy is economically motivated and we shouldn’t ignore that.”
If you know where to go on the internet, and have the right connections, you can buy a botnet as easily as you can buy a book from Amazon.com. But in order for the bad guy to pocket money from the botnet, there has to be a financial transaction.
Whether you are Amazon or someone selling illegal goods, you need to be able to process Visa and MasterCard transactions. To do that you need a special bank account, called a merchant account, which is expensive to establish and can be monitored, Savage said.
“We need to be gathering intelligence about who the bad guy is and how he operates — what his weak points are,” he said.
Savage and other researchers at the joint UCSD/UC-Berkeley endeavor revealed the money-making power of a botnet last year when they infiltrated the Storm botnet, which was first discovered in January 2007. Storm ultimately recruited hundreds of thousands of computers through a variety of e-mail lures and used them to send spam, including advertisements for cheap Viagra and other lifestyle pharmaceuticals.
The group deliberately ran the botnet’s software on computers it controlled, and built an exact replica of a site run by the botnet that sold counterfeit pharmaceuticals. They then arranged for about 1 percent of the spam the botnet sent to link to their replica rather than the real store.
By counting how many recipients of that 1 percent reached the replica’s checkout, Savage’s group determined that the spammers had to send 12 million e-mails to get one person to buy. They also determined that even with such a low success rate, such scams are worth it to the criminals.
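The arithmetic behind that measurement is worth seeing end to end, because the interesting part is not the scaling but how little confidence a few dozen observed sales give you. The script below is an added illustration, not the UCSD/Berkeley team’s code: it takes a constructed sample (the share of the botnet’s spam that was instrumented, the e-mails that share sent, the checkouts observed at the replica store), turns it into e-mails-per-sale with a rough 95 percent interval, extrapolates the totals to the whole botnet, and works out the highest sending cost at which the campaign still pays. The sample sizes are constructed and chosen only to reproduce the page’s figures (1 percent instrumented, 12 million e-mails per sale); the price per order is an assumed parameter the article never states.

```python
"""Extrapolating spam-campaign economics from a partially infiltrated botnet.

Added illustration, not the researchers' own code. It models the measurement
the article describes: control a known fraction of a botnet's spam output,
point that fraction's links at a replica storefront, count checkouts, and
scale up. All sample numbers below are constructed.
"""
from dataclasses import dataclass
from math import sqrt


@dataclass(frozen=True)
class Sample:
    controlled_fraction: float  # share of the botnet's spam we instrumented (page: 1 percent)
    emails_observed: int        # messages our share sent, all linking to the replica store
    sales_observed: int         # visitors who completed the replica checkout


@dataclass(frozen=True)
class Estimate:
    emails_per_sale: float
    emails_per_sale_low: float          # 95% interval, Poisson approximation on the sale count
    emails_per_sale_high: float
    emails_total: float                 # extrapolated to the whole botnet
    sales_total: float
    breakeven_cost_per_million: float   # highest sending cost per million e-mails that still profits


def estimate(sample: Sample, price_per_order: float) -> Estimate:
    """Scale a partial observation up to the whole botnet.

    The e-mails-per-sale ratio does not depend on the controlled fraction
    (it cancels); only the totals do. The interval reflects that a count of
    a few dozen sales is a small number: conversions are rare, independent
    events, so treat the count as Poisson and use a normal approximation.
    """
    if not 0 < sample.controlled_fraction <= 1:
        raise ValueError("controlled_fraction must be in (0, 1]")
    if sample.sales_observed <= 0:
        raise ValueError("need at least one observed sale to estimate a rate")
    n = sample.sales_observed
    half_width = 1.96 * sqrt(n)
    low_sales = max(n - half_width, 0.5)   # guard: never divide by zero or a negative count
    high_sales = n + half_width
    emails_per_sale = sample.emails_observed / n
    scale = 1.0 / sample.controlled_fraction
    return Estimate(
        emails_per_sale=emails_per_sale,
        emails_per_sale_low=sample.emails_observed / high_sales,
        emails_per_sale_high=sample.emails_observed / low_sales,
        emails_total=sample.emails_observed * scale,
        sales_total=n * scale,
        # Revenue per e-mail is price / emails_per_sale; sending must cost less than that.
        breakeven_cost_per_million=price_per_order / emails_per_sale * 1_000_000,
    )


if __name__ == "__main__":
    # Constructed sample: 1 percent of the botnet instrumented, 336 million
    # messages observed, 28 checkouts, so 12 million e-mails per sale as on the page.
    sample = Sample(controlled_fraction=0.01, emails_observed=336_000_000, sales_observed=28)
    est = estimate(sample, price_per_order=100.0)   # assumed price; the article gives none
    print(f"e-mails per sale: {est.emails_per_sale:,.0f} "
          f"(95% interval {est.emails_per_sale_low:,.0f} to {est.emails_per_sale_high:,.0f})")
    print(f"whole botnet: {est.emails_total:,.0f} e-mails, {est.sales_total:,.0f} sales")
    print(f"campaign pays if sending costs under ${est.breakeven_cost_per_million:.2f} per million")
```

Two things the numbers show that the prose does not: with only 28 observed sales the true e-mails-per-sale figure could plausibly be anywhere from about 9 million to 19 million, and at an assumed $100 per order the spammer still profits as long as a million messages cost under about $8 to send, which is why a low conversion rate is no deterrent when the sending capacity is stolen.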
While others in the field share Savage’s opinion that the economics of cybercrime need to be better recognized, some argue that it is not all that is being neglected. An almost complete lack of regulation of the internet is also an issue. And, they say, more must be done to make the average person more aware of the risks of being online.
“The U.S. government should be more aggressive in its regulation of the internet,” said Giovanni Vigna, a professor of computer science at UC Santa Barbara.
Vigna said there could be, for example, stricter regulation of how registrars hand out domain names. But one problem facing regulators is that the criminal organizations running the botnets cross international boundaries.
So even if the United States were to significantly beef up its regulations, the criminals could get around them (and do) by operating out of countries like Russia and China, which in many respects have little or no regulation.
Ethan Arenson, the spam coordinator for the Federal Trade Commission, acknowledged that better regulation is part of the solution, but said that all the regulation in the world can’t stop a consumer from harming themselves by clicking on a bad site.
“Educating the public about all the threats on the internet is a huge challenge,” Arenson said.