PayPal, FBI and Others Wage War on Botnet Armies. Can They Succeed?
Because botnets now carry out threats such as spam and DDOS attacks, they have become the biggest threat to the Internet and to activities like email, online gaming, and e-commerce. Not only can botnets disable the mechanisms used to protect against DDOS and phishing attacks, they can threaten the online activities of banks, online betting companies, ISPs, and entire countries.
A botnet army thought to have originated in Russia brought down the computer infrastructure of Estonia in May 2007. In March 2008, the UK gambling site Gala Coral was taken down for 30 minutes by one of the most sophisticated DDOS attacks to be completed by a botnet army. This botnet army consisted of 30,000 PCs and Macs.
Botnets are successful because they can be easily launched onto a large number of Internet-attached computers via a variety of malware programs. Once the computers download the malware program, they are connected to a Command and Control (CC) center via Internet Relay Chat (IRC). A specific IRC server known as the Bot Herder issues commands to the botnet computers (pawns). Sample commands would be to launch a DDOS attack, run phishing and identity theft scams, send spam, or commit click fraud. Each pawn executes these commands at a different speed, depending on its processing capability, its Internet connection, and its geographic location, which is another strength of botnet attacks: it is harder for defense programs to detect the activity because there isn’t a discernible pattern.
The Storm Worm Botnet was identified in January 2007 and is estimated to have included at least 200,000 pawns in a large-scale DDOS attack. Storm targeted security vendors and analysts known to be investigating botnets. These types of attacks have discouraged some security companies from researching botnets directly. Additionally, Storm used peer-to-peer communications to issue commands from a subset of pawns, rather than from a single Bot Herder. These pawns issued commands on a rotating basis, which made for an elusive target. Storm also encrypted its instructions.
Botnets have also launched straightforward identity or banking frauds, aimed particularly at PayPal. Some of these scams are easily discovered, but many people have fallen victim to botnet scams. Furthermore, botnets allow fraudsters to “buy time” on an existing botnet, rather than launching their own attacks individually.
By tapping into the broadband bandwidth of a million or more computers, botnets can access bandwidth of a petabit per second (1 million Mbps). This enormous bandwidth can overwhelm any penetrated network or website during a DDOS, but it can also deliver spam and phishing emails to large numbers of people very quickly.
During phase two of its “Bot Roast” in November 2007, the FBI uncovered a million compromised computers and secured two convictions. While significant, this may have merely exposed the scale of the problem. The anti-botnet vendor FireEye estimated that there are 150 million bot-infected computers worldwide. Another anti-bot vendor, Damballa, identified 7.3 million pawns carrying out commands each day in January 2008, which is over twenty times the 333,000 each day in August 2006. Included in the activity was a large amount of spam, which in March 2008 accounted for 91% of all email, up from 64% in June 2007.
Along with government agencies, the security industry is responding to the botnet threat. Symantec announced a new botnet detection capability through its Managed Security Services (MSS) in October 2007. MSS can detect botnet activity and identify which malware was used to recruit the botnet pawn.
PayPal has developed a learning-based system that continually revises its profiles of customer, merchant, and bank behavior. This allows PayPal to identify fraud at various stages and take further action such as limiting or blocking certain customer or merchant accounts or seeking further identity verification. The biggest challenge is to attack botnets without impeding legitimate activities.
Mr. Hunter seems to think that it’s almost impossible to completely stop botnet attacks. While the FBI, security industry, and individual sites like PayPal are all working toward a common goal of hindering botnet attacks, Mr. Hunter spends most of the article explaining why this is almost impossible. This seems awfully pessimistic, but it may be a realistic conclusion that Mr. Hunter has come to as a result of his extensive research.
I think this article is important because it explains in detail one of the biggest threats to all Internet-users. Prior to reading the article, I had obviously heard of spam, phishing, and DDOS attacks, but I wasn’t aware that most of these attacks are actually initiated by botnets, much less that botnets could shut down the entire computer infrastructure of an entire country. Drawing new attention to the threat that botnets pose can cause more Internet users to be more cautious and also demand that further strides be made in the fight against botnet attacks. If knowledge is power, then this article can provide an immense amount of power to those previously uneducated about the issue.
I would definitely recommend this article to other people. I think that it’s important for Internet-users to be educated about the potential dangers of their online activities. Understanding how botnet attacks are launched and taking steps to protect their own computer from becoming a pawn can help protect not only their identity and data, but also the identities and data of (potentially) millions of other Internet-users. In addition to becoming more knowledgeable about this topic, I think that Internet-users need to take steps such as setting strong passwords, downloading and using antivirus/anti-malware programs, and ensuring that their Internet connection is secure.
Hunter, Philip. “PayPal, FBI and Others Wage War on Botnet Armies. Can They Succeed?” Computer Fraud & Security 2008.5 (May 2008). 8 Dec. 2011 <http://www.sciencedirect.com/science/article/pii/S1361372308700824>.
A Comparison of Website User Authentication Mechanisms
As more and more websites store and allow access to sensitive personal information, Internet-users are going to have to be more cautious in the way they authenticate themselves online in order to combat unauthorized access and identity theft. Online banking, commercial sites that store payment card details, and social networking sites all require adequate safeguards. However, most online accounts are only protected by a username (or email address) and password.
A study by the UK’s Cyber Security Knowledge Transfer Network found that, “Most security mechanisms are currently chosen to protect the technology, with little or no consideration of the impact on individuals. This compounds the effect of increasing system complexity. Many existing mechanisms create a high workload for individual users.” Specifically, the researchers cited the sheer number of passwords and PINs users are expected to manage and remember as an example of the problem.
Quite apart from not being user-friendly, passwords are considered to be vulnerable, so it would be good to move away from them. However, trying to simplify security for the user often relies on information that someone familiar with the target user could be in a position to know, which reduces security. Conversely, methods that attempt to reduce vulnerability result in decreased usability by requiring users to remember more information or follow more time-consuming processes.
In the case of online banking, users are willing to complete additional security steps, because they want to protect their actual assets. However, extensive security measures like requiring a user to enter his/her date of birth and specific digits from a security number (HSBC website) or certain digits from a PIN and a random date using an onscreen key pad (ING website) wouldn’t scale well. Other security measures, like requiring a card reader in order to access an account, reduce usability as well. While the website can be accessed from any Internet-ready device, the user would have to carry his/her card reader around at all times in order to access the site away from his/her primary computer.
An alternate security method is the question and answer approach. The user answers a set of questions when he/she originally registers for the site; at each subsequent login, the system randomly selects a small subset of those questions that the user must answer in order to proceed. An advantage of the question and answer approach is that it uses easily memorable, but still secret, information. A disadvantage is that it requires a lengthy exchange in order to gain entry; this is why some websites currently use this as a secondary level of authentication, rather than a primary level.
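The question and answer flow described above, as an added example that is not code from the article: answers are normalized and stored as salted hashes, a random subset is chosen per login, and a per-user site phrase is released only after the answers check out, so the user can verify the site before typing a password (the mutual authentication idea discussed later in this review). The class name, the decoy question pool and the sample accounts are assumptions made for the example.

```python
import hashlib, hmac, os, random, unicodedata

# Constructed site-wide decoy questions shown for unknown usernames, so the
# challenge step does not reveal whether an account exists (assumption).
DECOY_QUESTIONS = ["first pet", "birth city", "favourite teacher"]

def normalize(answer: str) -> str:
    """Fold case and drop spaces/punctuation so 'New York' and 'new-york' match."""
    folded = unicodedata.normalize("NFKC", answer).casefold()
    return "".join(ch for ch in folded if ch.isalnum())

def _kdf(text: str, salt: bytes) -> bytes:
    # Slow hash so stored answers cannot be cheaply brute-forced if the store leaks
    return hashlib.pbkdf2_hmac("sha256", text.encode(), salt, 100_000)

class QAAuth:
    """In-memory store: per-user salt, password hash, hashed answers, site phrase."""
    def __init__(self):
        self.users = {}

    def register(self, user, password, qa_pairs, site_phrase):
        salt = os.urandom(16)
        self.users[user] = {
            "salt": salt,
            "pw": _kdf(password, salt),  # the password itself is NOT normalized
            "qa": {q: _kdf(normalize(a), salt) for q, a in qa_pairs.items()},
            "phrase": site_phrase,       # shown to the user before the password step
        }

    def challenge(self, user, k=2):
        """Step 1: random subset of k registered questions (CSPRNG, no repeats)."""
        rec = self.users.get(user)
        pool = list(rec["qa"]) if rec else DECOY_QUESTIONS
        return random.SystemRandom().sample(pool, min(k, len(pool)))

    def verify_answers(self, user, answers):
        """Step 2: every answered question must match; on success return the
        site phrase so the user can confirm the site before entering a password."""
        rec = self.users.get(user)
        if not rec or not answers:
            return None
        ok = True
        for q, a in answers.items():
            stored = rec["qa"].get(q, b"")  # unknown question -> guaranteed mismatch
            ok &= hmac.compare_digest(stored, _kdf(normalize(a), rec["salt"]))
        return rec["phrase"] if ok else None

    def verify_password(self, user, password):
        """Step 3: final password check with a constant-time comparison."""
        rec = self.users.get(user)
        return bool(rec) and hmac.compare_digest(rec["pw"], _kdf(password, rec["salt"]))
```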
Sites can also use visual and graphical methods of authentication, such as these three approaches:
- The user remembers a sequence of images
- The user remembers something about an image
- The user has to draw an image
In theory, it’s easier for users to remember images than strings of characters. However, at this time, there isn’t much empirical data to support this in real users.
While all these methods are relatively straightforward, they all require different techniques and ongoing use would have different implications for the end-user:
- Mental effort (user’s ability to memorize and recall, varying levels of precision)
- Convenience (login speed, effort/engagement required)
- Applicability (able to work on desktop, mobile, and handheld devices)
- Flexibility (ability to change authentication credentials)
- Mutual authentication (the user can verify that the site is authentic at the same time the site verifies that the user is authentic)
Table 2. Comparing the Authentication Alternatives
There is no perfect option, since all methods have pros and cons. Users will probably prefer to continue using passwords because they are easy, and websites will probably prefer to continue using passwords because they can be used from any type of device. This may change over time, once users realize the consequences of their accounts being compromised.
Mr. Furnell seems to have resigned himself to the fact that the current system of usernames and passwords will continue to be the method that websites use, until the users themselves decide that their data is important enough to warrant stronger security measures. It’s clear from the extensive research that Mr. Furnell thinks that the question and answer or visual and graphical methods would be better for the user’s protection, but he concedes that the heavy burden on the user and web developer makes these methods virtually unusable at this time.
This article is important because it reveals the potential location of a major security breach for many Internet-users. Not only do people need to protect their online banking information for obvious reasons, but it’s becoming increasingly important for users to protect their identities on social networking sites. As more and more employers and potential friends and romantic interests use the Web to research individuals, it’s vital that users make sure that the information about them is accurate. Without sufficient security measures, a user’s personal data could be compromised.
Again, I would definitely recommend this article to other people. Since websites won’t implement stronger security measures until their users demand them, the users need to be aware of the potential for loss and the options for additional protection available to them. I think that if people used one or two sites with slightly stronger security measures, they could quickly adapt and accept these methods at more and more sites. For example, in order to access my US Bank Visa account online, I visit http://www.usbank.com/ and enter my Personal ID. The site then asks me a security question from a bank of questions I answered when I registered for the site. Finally, the site shows me a picture that I selected with a keyword and requests that I enter my password. If I don’t answer the security question correctly, I can’t proceed. And if the picture and keyword don’t match those that I selected, then I know that I’m on the wrong site and I shouldn’t enter my password. This method doesn’t take much longer than a traditional login, but it has multiple layers of security for both me and the bank.
Furnell, Steven. “A Comparison of Website User Authentication Mechanisms.” Computer Fraud & Security 2007.9 (Sept. 2007). 8 Dec. 2011 <http://www.sciencedirect.com/science/article/pii/S136137230770115X>.