Examination of Witnesses (Questions 460
WEDNESDAY 31 JANUARY 2007
Q460 Lord Mitchell:
If you had access to that information, it would be really useful
to get that.
Mr Isbell: We can certainly investigate whether
we can get you some detail on that. The only other statistic that
I brought with me is that we currently have 120 million desktop,
gateway and enterprise AV systems deployed out there, so again
based on market share we might be able to extrapolate some information
Q461 Lord Mitchell:
A question to MessageLabs, if I may. In your submission you talk
about targeting trojans, which you regard as one of the most significant
threats in recent years, and we really wanted to know to what
extent do these affect individuals or are they largely an issue
for corporate security?
Mr Sunner: I think it is first and foremost
an issue for corporate security, but this is something which is
at a very, very early stage. Would you mind if I took a step backwards
to illustrate what we are really talking about here? This is at
the other end of the scale. As opposed to something which is very
high volume, these are the one-off. In January 2006 we were intercepting
two instances of this behaviour per week, so that is two within
one and a half billion emails, a very, very faint blip on the
radar. This month, January 2007, that ratio is now one per day.
So this is the Trojan which has been built with the express intention
of getting inside a single company or a single individual's machine
and to then allow remote access into that system. Because it is
a one-off, the chances of that ever getting onto the radar of
the broader security community become just about zero. The purpose
behind this is to gain remote control of the machine for the purposes
of taking off data or in the corporate world industrial espionage.
But if that individual, perhaps, is an author or someone who has
some intellectual property of some worth, he is a potential target.
What is worrying is that towards the end of 2006 toolkits appeared
to make these kinds of trojans. So suddenly the barrier to entry
has been lowered. All you have to have now is the intention and
you can buy this capability from certain nefarious Russian websites,
as opposed to potentially needing a really high degree of technical
capability. As we have seen with viruses back in the early 1990s
with traditional viruses but without being malicious, the minute
toolkits appeared, lowering the barrier to entry, a slew of viruses
followed. We are at that early embryonic stage now with targeted
attacks, so we would anticipate that whilst the ratio is one per
day within two billion emails at the moment, I think very conservatively
by towards the end of this year, by December, that ratio will
be closer to between five and ten.
Mr Wood: The other concern from the targeted
attack perspective also is that if your machine becomes subjected
to the control of one of these criminals where they install a
botnet code onto your computer which then gives them remote access,
they then have access to your files on your computer. We have
seen instances of spyware then appearing on those machines which
then report back other information to the criminals where they
really take off kind of extras on the side in terms of payment
for hosting the botnet code. So if they want to send out spam
emails, for example, then if they find any other information which
may be of benefit to the criminals then they will use that to
their advantage, and in so doing they can deploy spyware onto
those machines and use that information which they gather to understand
your browsing habits, which banks or which online sites you will
then visit. As my colleague mentioned about the trojans which
are now starting to appear, they are now becoming customised to
particular banking sites where most of the phishing activity we
see at the moment targets banks and organisations which do not
deploy what is called the "two factor authentication"
where you have a key fob, for example, which will authenticate
as well as your username and password, because once you lose your
username and password then anybody can then gain access to your
bank account, potentially. If you have a key fob, which you physically
have, then that gives you some degree of protection, but what
we are now seeing from the trojan perspective is that the trojan
will potentially take over your browser session after you have
completed the authentication. So rather than stealing your personal
username password, it will wait for you to authenticate, and if
you never go to that particular site that trojan may be just dormant
on your machine, and that is certainly where we are seeing some
increased activity now.
Mr Isbell: In principle, we agree with MessageLabs's
findings. On targeted trojans, with the social engineering the
targeted nature of them makes it less likely that they will be
reported and appear on the radar.
Q462 Earl of Erroll:
Presumably they are using standard toolkits which they are downloading
from websites, wherever? Those will have a signature to them and
you will be able to recognise the code and it will make it much
easier to clean them up?
Mr Sunner: First of all, the toolkits are not
standard. The emergence of toolkits is quite new and kind of worryingly
if you buy one of these off-the-shelf trojans you actually get
the bad guy equivalent of a service contract, so that if detection
for your newly-made trojan starts to appear they will send you
a new version. Unfortunately, it is all too easy to keep this
kind of code alive, not by changing the code but by changing the
encoding format it is stored in, which will basically in effect
give it a new lease of life from traditional detection methods.
Q463 Lord Mitchell:
Just a couple of points. The first thing is, since they are so
hard to detect do you think that is going to give individuals
a false sense of security?
Mr Sunner: The first thing is the level of awareness
of this. Because it is in such low numbers when compared with
things like spam or phishing, I do not believe this is really
on the broad radar, certainly for the consumer and even for the
corporate world. I do not think people realise the potential which
is out there at the moment. I think if they did, then they really
ought to be focusing on putting defences in place which can stop
this stuff, because frankly traditional detection methods, which
are reliant on signatures, which are ultimately reactive, are
blind to stopping this new kind of threat.
Q464 Lord Mitchell:
In your evidence you conclude "defensive countermeasures
woven into the fabric of the Internet itself will become the key
component of any . . . solution." Then you describe it as
"fundamentally a technical problem [which] will always require
a technical solution, first and foremost". Do you see risks
in placing such dependence upon technical solutions and should
not end-users, whether criminals or private individuals, be the
prime focus of our attention?
Mr Sunner: The Internet was fundamentally based
on protocols to be opened and in some cases things like email
were designed decades ago and never catered for the kind of abuse
which is now taking place. So the kind of security we are talking
about is a fundamental requirement which is missing, which must
be there. Unfortunately, given the technical sophistication of
some of these trojans which we are talking about, I think it is
really out of the reach of what you solve with education now.
How can you educate, for instance, against something which is
a perfectly rendered online banking site to all intents and purposes?
You cannot tackle that with human education, it has to be by spotting
the malicious code behind the scenes, which you can only achieve
with Internet-level filtering.
Mr Isbell: I think we are seeing that this is
the ever-changing threat landscape which is an on-going feature
of the Internet and how we have to react to the threats and new
threats as they appear. Whilst I agree with my colleague about
technical means, technical countermeasures to technical attacks
and technical threats is a requirement, I still think that a multi-layered
defence is practical to give you some defence in depth.
Q465 Lord Young of Graffham:
Most of what I wanted to ask about actually has been covered,
and perhaps I should say at the start that I am not bothered about
marketing spam. By coincidence or otherwise, we use MessageLabs
and very few actually comes in, and also Symantec on some machines,
and others, but what does concern me greatly are the things you
have just been saying for the last few minutes about having tailored
trojan horses coming into the network. Things have got so bad
that in companies which I am involved with any IP we keep on networks
which have no access to the Internet for that very reason, so
we get in the ridiculous situation of not being on the Net, we
are on an intranet, if you like, with no connection outside. If
you can see a world in which criminal forces essentially can tailor-make
a trojan horse to attack a particular bank, what is that going
to do to the future of banking, Internet banking, and indeed inter-commerce
banking? Is it going to go off the Internet and have to go into
Mr Sunner: I think we have to bear in mind that
this stuff succeeds at the moment because there is no detection
in the majority of cases in the stream of traffic, so we are talking
about an open target from the bad guys' perspective. This is why
we believe quite passionately that we actually urgently need this
level of filtering to be interwoven into the fabric of the Internet.
Now, whether that is us or whether it is with other ISPs adding
this to the flow of traffic, that is how this problem will get
solved. So I do not think that we are heading to a situation which
is unsolvable. The source of all this is the Internet, therefore
that is exactly where the solution needs to be.
Q466 Lord Young of Graffham:
We have had evidence in some of these sessions about whether security
should be at the centre or at the periphery and there is a difference
of opinion, but what you are telling us, I think, is that these
are tailor-made viruses and tailor-made trojan horses attacking
a specific target, and very few of them, and therefore the detection
software has not been developed. How is it going to be developed
in the future, because if I were doing this I would be looking
at one specific trojan horse to attack one particular bank account,
to remove one large amount of money and then stop? That is like
trying to develop something in the medical world against an illness
which only appears once.
Mr Sunner: That is absolutely right. Basically,
this is where with scanning at the Internet level a lot more becomes
possible in terms of the computational power which you can throw
at the problem. It would really be impossible, for instance, to
be decoding all potential encoding formats on a PC or on a gateway.
You just cannot do that, which is why those mechanisms are reliant
upon getting signature updates. At the Internet side of things,
all those things do become possible and that is how we are able
to spot this stuff at the zero hour. As I say, whether that is
us or whether it is another vendor, I think the sooner we can
get that level of aggression into those protocols, which at the
moment are currently wide open, the better and that is when this
problem will start to abate.
Q467 Lord Young of Graffham:
But would you detect the first occurrence?
Mr Sunner: Absolutely.
Q468 Lord Young of Graffham:
You could be capable of that?
Mr Sunner: Yes.
There is a very small chance that you will miss one of these trojans?
Mr Sunner: Correct. I would say it is incredibly
small. From a malware perspective, ironically the more they try
to disguise themselves, from our perspective, the bigger these
things stick out. So they are generally always inside office documents
and are reliant upon the heavy use of encoding formats to disguise
the presence of these trojans. This is where, if you have a lot
of computational power, which you have from being in the fabric
of the Internet, you can get inside those encoding formats. The
key thing is decoding it. Once you can do that, you can see the
Q470 Lord Young of Graffham:
Does this cause a backlog, does it take time, and what is it going
to do to the transmission of material?
Mr Sunner: Email is a store and forward mechanism
anyway. You are generally dealing in seconds, so it would not
be something which would really be perceptible, but I think you
also have to weigh up what we are actually doing here. The actual
risk, as you have mentioned, in terms of loss of intellectual
property could be absolutely devastating.
Mr Isbell: If I may, the loss of intellectual
property is a higher value asset, so the strategy even for the
individual user, but especially with corporate, should be to do
a proper risk assessment and put in place a proper risk management
strategy for its intellectual property and its high value assets.
If you can detect them so easily, do you also know who they are?
Mr Sunner: What you can tell is the origin from
an IP perspective. Internet addresses have geography, a bit like
a phone number, but whilst you might be able to see the origin
that is a particular region, whether that was compromised by some
other region is the bit that you actually do not know. So depending
on where these things are originating from, obviously people
are motivated to employ a very high level of stealth and whilst
you can tell the geographic origin, that does not necessarily
belie the perpetrator.
Mr Chantzos: My Lord Chairman, if I may, to
address the question of detection is a question of, if you like,
technology as well as a question of legal instruments in the sense
that the process of tracing back to the perpetrator requires first
of all that you are able to capture the IP of origin, the last
IP of origin, it requires you to be able to go to the service
provider through which the IP of origin originated and ask to
find any relevant information which that service provider has
regarding the IP of origin. Maybe that information has been stored,
maybe not. If indeed stealth technique has been employed, if there
has been "hopping", if you like, between different geographic
locations through compromised computers, then you need to be tracing
back through the different geographic locations, through mutual
legal assistance agreements involving the law enforcement authorities
of every different country. Often, as this requires access to
personal data, you would require police warrants. As a result
of that, depending upon the level of co-operation between the
different law enforcement authorities, which may vary depending
on the country (within the European Union, for example, there
are established routes and channels), it may be more or less
easy to trace.
Q472 Lord Patel:
I want you to take this question seriously: how many "zombies"
are there in the United Kingdom?
Mr Isbell: I do not think I have that level
of detail with me to answer that properly.
Mr Wood: Certainly the last time we did any
research into this is going back to probably about the third quarter
of the end of last year and we estimated around about 140,000,
maybe slightly less, at that time in the UK, which is about 4.3
per cent of the computers which we were intercepting malware traffic
around the world based in the UK. It is likely that number may
be higher, although there is some evidence to suggest that over
the recent holiday period over Christmas the botnet numbers actually
decreased quite dramatically, probably around about 20 per cent
worldwide, because a lot of people either turned their computers
off for a length of time or they went out and bought new, faster
PCs because maybe they thought there was a problem with their
Q473 Lord Patel:
How would an individual like myself know whether my computer has
been taken over or not?
Mr Sunner: As you say, of course, to answer
all of these questions seriously it becomes incredibly difficult
to ultimately confirm absolutely yes or no because the level of
stealth which some of these trojans can employ can actually bluff
the whole operating system, let alone the anti-virus software,
into their presence so it becomes virtually impossible. Having
said that, if your computer, if it is a single machine and you
have not been doing anything on it for a very, very long time,
let us say five hours, yet your activity light for your cable
modem or ADSL connection is very, very busy consistently and is
for a very long time that might be a clue that something is awry,
not 100 per cent sure, but it might be an indication. If the machine
is obviously slowing down substantially, married with that, I
would certainly be suspicious.
Mr Isbell: If I could come back on that. I apologise,
I did bring some information with me. From our research the UK
has seven per cent of the botnets in the world during the measured
period behind America and China. The UK accounted for only two
per cent of all known command and control servers of those botnets,
which indicates that the majority of botnetwork computers in the
UK are likely controlled by servers which are outside the UK.
We observed an average of 57,700 active botnetwork computers per
day with over four and a half million distinct botnetwork computers
which were identified as being active at any point over that six
month period. I do not know if that gives you the flavour of the
scale you were looking for.
Q474 Lord Patel:
Yes, significant. So why do these bot-attacks originate in the
UK? Why does the UK have such a high rate?
Mr Sunner: It is a global phenomenon.
Mr Isbell: It is a global phenomenon, yes, that
Q475 Lord Patel:
So the UK is no worse than any other?
Mr Sunner: The UK is in no way particularly
Q476 Lord Patel:
So what is the Government doing about it?
Mr Sunner: From a traffic perspective, the ISPs
will be closest to this and they are, of course, self-regulating
so I think the Government is a stage removed from this problem
Mr Chantzos: When we are looking at it from
a public policy standpoint obviously, as we said, information
security is an issue of people, process and technology, and regulation
is by no means the only solution but regulation is certainly an
aspect in this area. So to start with, as I am sure you may be
aware, the Computer Misuse Act has recently passed also through
this House. The Computer Misuse Act was recently updated to include
things like denial of service attacks as part of its criminal
aspects. It was also updated to include an offence similar to
what is called the misuse of device, in other words using it as
a hacking tool, and now it is at the stage of implementation.
The updating of the Computer Misuse Act is a positive step. Nevertheless,
we as a company and my understanding is that a number of other
technology companies in this area feel that it is important there
is adequate clarity about the issues which the Computer Misuse
Act is covering because the current language is to an extent open
to some diverging interpretations and it is important that it
is clear about what aspects which the Home Office and the Crown
Prosecution Service want to see criminalised. One aspect is that
right now from a regulatory standpoint there is also a debate
in Brussels about what can be done in the area of information
security at the European Union level. The Commission has put some
proposals around the review of the directive 2002/58, which is covering
the protection of individual privacy on electronic communications.
Some of these proposals open a discussion about a more active
role of the ISPs in the area of information security. Some of
these proposals also pose the question of whether there should
be a similar regime to that of the US in the area of breach notification.
I think also if one looks at the directive 95/46 and how that has
been implemented in the UK regarding the Information Commissioner,
both 2002/58 and 95/46 cover the question of the issue of data protection
and information security, so we believe that the Information Commissioner
perhaps could see more powers in this area, to be more effectively
able to investigate and follow up cases relating to these kind
of abuses, spam certainly being an aspect of it. Also, there is
the Council of Europe Convention on Cyber Crime, which the UK
has signed but has yet to ratify. The United States have recently
ratified it and a number of other countries at the Council of
Europe have ratified it. The Council of Europe Convention is by
far the most complete international instrument in terms of law
when addressing cyber crime.
The Committee suspended from 4.22 pm to 4.30
pm for a Division in the House
Q477 Lord Patel:
How big are these botnets and what are they used for?
Mr Isbell: I think they vary in size in terms
of the botnets themselves in discrete networks owned by a command
and control service, so they vary depending on how many clients
they have actually managed to infect. Obviously the object of
the exercise for every bot-master is to increase his networks
to the maximum possible because that makes him more attractive
in a financial sense when he is actually selling that capability
on. It is a progressive thing. Botnets will grow and they grow
depending on how active that particular bot-master is.
Q478 Lord Patel:
What are they used for?
Mr Isbell: We are seeing more and more increases,
moving away now from the traditional area where somebody wanted
to be famous. It is now more financially-driven, for financial
gain. It is money and it is more around the retail markets as
well as getting identity theft, and those two seem to be the main
areas of focus.
Q479 Lord Patel:
What is the biggest one that you know of?
Mr Isbell: I do not think I actually know the
biggest botnet itself. I can come back to you with that particular
piece of information.
Mr Chantzos: I am aware of cases which have
been publicised that law enforcement authorities have come up
with, botnets which had even a million IPs. To come back to your
question, the motto we use to describe this sort of activity is
that hacking is no longer for fame but for fortune!