Fatal System Error 104
brothke writes "As computing and technology has evolved, so too have the security threats correspondingly evolved. The classic Yankee Doodle virus of 1989 did minimal damage, all while playing a patriotic, albeit monotone song. In 2010, aggressive malware now executes in stealth mode, running in the background with an oblivious end-user, and antivirus software that can’t detect it." Read on for the rest of Ben's review.
Cybercrimes have evolved using increasingly sophisticated techniques, and the resulting financial losses are staggering. Many criminal cyber gangs are well organized and resourceful and their ability to recover after new defenses have been deployed make it a challenge for those on the right side of the law.
| Fatal System Error: The Hunt for the New Crime Lords Who are Bringing Down the Internet | |
| author | Joseph Menn |
| pages | 304 |
| publisher | PublicAffairs |
| rating | 8/10 |
| reviewer | Ben Rothke |
| ISBN | 978-1586487485 |
| summary | Non-fiction cyber-thriller with super analytical advice |
Fatal System Error: The Hunt for the New Crime Lords Who are Bringing Down the Internet is an excellent book billed as a non-fiction cyber-thriller, and describes the cyber gangs who operate on the Internet. Author Joseph Menn, a cyber security reporter for the Financial Times, takes the reader into the inner operations of today's cyber-criminal, who use the Internet as their personal mint.
While Willie Sutton never really said that the reason he robbed banks is because that's where the money is; the truth is that today's cyber criminal does know where the money is, and its address is the Internet. They use the net as a means to steal and extort money from businesses and individuals.
The book's protagonist is Barrett Lyon, a highly skilled technical engineer and entrepreneur, who founded companies such as Prolexic, BitGravity and 3Crowd. It was at Prolexic where Lyon developed the software used to fend off the DoS attacks that were bringing some of his client's networks to a standstill.
Lyon, along with the other major character in the book, Andy Crocker, a British policeman, were the 1-2 punch that resulted in the prosecution of a Russian cyber criminal. The fact that the prosecution took place via the Russian judicial system was a surprise to everyone. What was unusual about the prosecution is that criminals in Russia and Eastern Europe often operate with the assistance of corrupt political and police forces. Even though the evidence against the defendant was significant, the ability to secure a guilty verdict was far from a sure thing.
Much of the book deals with Lyon and his working relationship with BetCRIS, a company offering online gambling services, including sports betting, online casino games, online bingo and mobile gambling.
BetCRIS is an off-shore company, operating in the safe havens of the Republic of Costa Rica. In 2003, at the height of the DoS attacks, the BetCRIS website was down for nearly a month. With tens of millions of dollars of gambling revenue at stake, BetCRIS management were desperate for a solution, and they reached out to Lyon.
While Lyon created a first-generation solution to stop the early DoS attacks, the book details how the attackers were able to get around those countermeasures, and how it turned into a cat and mouse game of futility, where Lyon would create a fix, only to be beguiled by a new attack.
In the book, Menn writes about many of the major players in the Internet criminal world. He spends a good amount of time writing about the infamous Russian Business Network (RBN). He notes that little true business was carried out via the RBN; rather it was a front for Internet-based criminal activities in Russia.
Menn does get into some technical details, but not so much so to confuse a non-technical reader. He covers topics such as botnets, DoS and DDoS attacks, cyberwarfare, cyber espionage, and the difficulty in prosecuting the perpetrators.
Menn notes that there are many reasons why Russia and in Eastern Europe are ground zero for cybercriminals. The educational institutions there provide a good source of technical training; combined that with the fact that legitimate job opportunities are often quite limited. Add to the fact that political and law enforcement officials often ignore the cyber attacks again the rich capitalists of the US, the difficulty and challenges with jurisdiction, and you have a perfect storm for the creation of a sophisticated cyber criminal element. Finally, there is a long and established culture of corruption in Russia and in Eastern Europe that adds to the problem.
There are two directions that Fatal System Error takes. The main part of the book is Menn's narrative, which takes up 11 of the book's 12 chapters. These 11 chapters take the reader on an enthralling ride into the inner workings of the cyber-criminal world. Fatal System Error is an enjoyable read on par books such as The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage and Takedown: The Pursuit and Capture of Kevin Mitnick.
Where the book truly stands out is in the final chapter Fixing What's Fixable, and is worth purchasing for that chapter alone. Menn displays his incredibly deep understanding of the underlying issues around computer security and why we are vulnerable. He suggests numerous pragmatic solutions to the crisis, and how to better secure the Internet and networks.
Some of the ideas include significantly greater budgets for information security, more liability against software developers who write insecure code, greater information sharing between the cybercrime agencies in the US and their counterparts in Russia, and more. His on-target analysis of what the US Government can and should do to increase the security of the Internet infrastructure is quite impressive.
Reading the narrative part of the book, many readers will likely be scared to death to connect their computers to the Internet, and to a limited degree, rightfully so. Even with Menn's balanced and compelling account of what transpired, the threat of identity theft and ease of how financial accounts are breached may be too much for some readers many to bear.
If corporate America and the US Government would take Menn's suggestions to heart on how to create a secure Internet infrastructure, many of those security concerns he wrote about could be obviated, and the cyber criminals of Eastern Europe would have to look for different work.
Additional pragmatic ideas that Menn suggests are to legalize and regulate online gambling, more funding to teach safer computing in schools, and for a complete re-engineering of the Internet, in order to build in the necessary security functionality which should have been in there in the first place. As part of the process to re-engineer the Internet, Menn suggests designs that create accountability into the Internet fabric.
Finally, Menn notes that many end-users are not blameless. By not educating themselves on how to securely use the Internet, they are setting themselves up to becoming victims. He writes that anyone that connects a computer to the Internet needs to have significant security vigilance to ensure that they don't make themselves a victim. It is 2010 and far too many people are still oblivious to the security threats. Many still naively believe that someone from Nigeria really does want to make them richer with tens of millions of dollars worth of gold from their deceased uncle.
Menn shows how the underlying infrastructure of the Internet is significantly more vulnerable than most people realize. Finally, what exacerbates the problem is that those doing the attacks are working much quicker than those who are trying to secure it.
One of Menn's criticisms is that the US Government spends a fraction of what it should on securing its critical technology infrastructure. Fatal System Error: The Hunt for the New Crime Lords Who are Bringing Down the Internet is the wake-up call that those in Washington, and those charged with IT need to wake up to. Unfortunately, it is likely those that truly need to read this book, will press the information security snooze button yet again.
Ben Rothke is the author of Computer Security: 20 Things Every Employee Should Know.
You can purchase Fatal System Error: The Hunt for the New Crime Lords Who are Bringing Down the Internet from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
He calls for the end of OSS (Score:4, Interesting)
more liability against software developers who write insecure code
So now we have to buy expensive insurance before we write OSS code? What about the liability of students?
Re:Uh, no (Score:3, Interesting)
Pretending that unix/linux solutions are inherently safe is about the same as sticking your head in the sand. The only reason they're safer is because people aren't that interested in exploiting the relatively few people who use them.
Inherently safe? Yeah, you're probably right. Even the best, most secure OS in the world can't protect a truly motivated idiot from himself. Inherently safer , however, is what I would claim for Linux, based upon my own anecdotal experience. It's harder to hose an entire Linux box than an entire Windows box and easier to clean up after the fact (having had to clean up both OS'...YMMV). I knew a Linux admin (and I use the term very loosely) who constantly had his boxes hacked on a regular basis. As a result of his experiences, I took a really long, hard look at my choice of OS to see if it really was that much better. In the end, I realized the guy was just an idiot. He didn't take basic precautions to secure his machines, and he was regularly exploited because of it. The one other Linux box I have ever seen compromised was a public-facing FTP and web server where a user with a weak password had their account compromised and PHPShell was uploaded into their public_html directory, and was used to install a spam relayer. That was the extent of the exploit -- they never gained root privileges, they never got outside of the user's home directory. It took us two hours to detect (because it was hacked one hour before we got to work), and maybe another hour to clean up. Cleaning up Windows infections is a whole other story, and that's why most home users just buy a new PC when they get a virus. They run A/V and if the problem is still there, they throw it out and buy a new PC. That's wasteful and expensive.
Like it or not, Windows is the premier operating system in the world, for personal computers.
For now, yes. But that's changing. Like it or not, Linux is becoming more mainstream. My entire datacenter, except for three servers, is Linux (well, and one FreeBSD-based appliance). *ALL* of the desktops our field personnel use are Linux. You can now buy Linux installed from mainstream OEMs.
The average user is never going to be a linux nerd...
If by "Linux nerd" you mean someone like me, who likes to build and maintain Linux machines, yeah, you're probably right. But the average Windows user is not a "Windows nerd", either. They aren't downloading and installing beta versions of the next Windows OS, they aren't tweaking their system on a daily basis, and they don't rebuild the OS when their computer stops working. The average computer user just wants software that works, regardless of operating system. They don't really know the difference -- or care -- between Windows and Linux, because they only want to surf the Internet, send e-mail and type up the occasional document or spreadsheet.
...the OS is unstable...
Pot...Kettle...Black? I've got Linux servers and routers that have uptimes of over five years (well, I did...a few recent power outages that outlasted the aging UPS's changed that). I have *never* seen a Windows box with an uptime like that. Again, YMMV, and the plural of anecdote != data, etc., etc.
...and requires too much technical expertise with too little software support. You can deny that, but we all know it's true.
Yeah, I'll deny that. Ubuntu has become at least as easy to install as any version of Windows I've ever used. Once it's up and running, it's not any more difficult to use than Windows, and speaking as a sys admin who has to maintain about 70 Linux desktops that sit 500 miles away from my office, I can tell you it's far, far easier to maintain a Linux machine from the CLI across a satellite hop than a Windows machine using rdesktop or VNC. Even for a home u
Re:argh (Score:1, Interesting)
dude, this is /.
they hate, they judge, and never read the books :)
seriously...look at all fo the comments for this and others books.
the people who comment obsess on tiny little things (for this review, the word 'cyber'),
but they never discuss the merits of the book.
i feel your pain.
Re:Uh, no (Score:3, Interesting)
I managed a very small ISP for a while on the 90s, and have my own mail and web servers to this day.
The definition of 'lowest-hanging fruit' for all the attackers out there is much broader than you implied. If you have a host accessible via the Internet, you ARE a target. You are being attacked now, this very minute. That you deflect those attacks ahead of the host at firewall, router, or application level doesn't change that. It just makes your logs bigger or smaller.
Your operating system choice makes no difference. They attack everything. You just use different tools and methods depending on what's available and what works.
I know what you mean. I run a very small-scale personal-use SFTP server (no shell access for any account) so I can access some of my files remotely. I use SSHGuard to hinder brute-force attacks and LogSentry to keep abreast of the activity. I constantly receive attacks at all hours of the day. They're quite dumb and have little or no sophistication; most are just trying to guess default passwords for system accounts and such.
I have told many people the same thing you just said. I have explained that if you run any sort of Internet-facing network service, you will get attacked and probably with high frequency. There is no such thing as "so obscure and small-scale that you're under the radar". Expect it and plan for it. The people who are surprised when this happens are the easy targets.
I disagree that my choice of OS makes no difference. I submit that my Gentoo Hardened system with very strict security policies is more difficult to compromise than a Windows installation on the same hardware offering the same SFTP service. When you build everything from source, you can implement protections against buffer overflows and other vulnerabilities that aren't available on a closed-source OS. With a *nix system, the tools I am using are not some black box. I can take them apart, examine them, and really understand how they work before integrating them into my system. The system itself is transparent. If something goes wrong, I can always find out why and can almost always do something about it. If something breaks, it broke for a good reason, it'll stay broken until I fix it, and when I fix it it'll stay fixed. My experience with Windows has been nothing like this.
I am not saying that one cannot run a very secure Windows system. I am saying it's easier to achieve the same level of security with a *nix system. More than that, it's easier to actually understand what you are guarding against and why your measures are effective. I think the importance of that last point is underappreciated. It cannot be properly appreciated in the realm of "run this anti-malware product and hope it takes care of things for you" and the mentality that goes along with it.
Flying Under the Radar (Score:3, Interesting)
malware now executes in stealth mode, running in the background with an oblivious end-user
I've long need puzzled by malware that doesn't do this. Many trojans I've cleaned from people's computers download other pieces of malware. I once gave a demonstration of "drive-by" infection where merely viewing a malicious web page on an unpatched system resulted in nearly 20 new processes being spawned in the background. Impressive, in a way, but exceedingly obvious. Even clueless users can't help but notice that something is wrong, and IT gets called in to clean it.