Select Committee on Science and Technology Minutes of Evidence


Examination of Witnesses (Questions 460 - 479)

WEDNESDAY 31 JANUARY 2007

MR ROY ISBELL, MR ILIAS CHANTZOS, MR MARK SUNNER AND MR PAUL WOOD

  Q460  Lord Mitchell: If you had access to that information, it would be really useful to get that.

  Mr Isbell: We can certainly investigate whether we can get you some detail on that. The only other statistic that I brought with me is that we currently have 120 million desktop, gateway and enterprise AV systems deployed out there, so again based on market share we might be able to extrapolate some information for you.

  Q461  Lord Mitchell: A question to MessageLabs, if I may. In your submission you talk about targeting trojans, which you regard as one of the most significant threats in recent years, and we really wanted to know to what extent do these affect individuals or are they largely an issue for corporate security?

  Mr Sunner: I think it is first and foremost an issue for corporate security, but this is something which is at a very, very early stage. Would you mind if I took a step backwards to illustrate what we are really talking about here? This is at the other end of the scale. As opposed to something which is very high volume, these are the one-off. In January 2006 we were intercepting two instances of this behaviour per week, so that is two within one and a half billion emails, a very, very faint blip on the radar. This month, January 2007, that ratio is now one per day. So this is the Trojan which has been built with the express intention of getting inside a single company or a single individual's machine and to then allow remote access into that system. Because it is a one-off, the chances of that ever getting onto the radar of the broader security community become just about zero. The purpose behind this is to gain remote control of the machine for the purposes of taking off data or in the corporate world industrial espionage. But if that individual, perhaps, is an author or someone who has some intellectual property of some worth, he is a potential target. What is worrying is that towards the end of 2006 toolkits appeared to make these kinds of trojans. So suddenly the barrier to entry has been lowered. All you have to have now is the intention and you can buy this capability from certain nefarious Russian websites, as opposed to potentially needing a really high degree of technical capability. As we have seen with viruses back in the early 1990s with traditional viruses but without being malicious, the minute toolkits appeared, lowering the barrier to entry, a slew of viruses followed. 
We are at that early embryonic stage now with targeted attacks, so we would anticipate that whilst the ratio is one per day within two billion emails at the moment, I think very conservatively by towards the end of this year, by December, that ratio will be closer to between five and ten.

  Mr Wood: The other concern from the targeted attack perspective also is that if your machine becomes subjected to the control of one of these criminals where they install a botnet code onto your computer which then gives them remote access, they then have access to your files on your computer. We have seen instances of spyware then appearing on those machines which then report back other information to the criminals where they really take off kind of extras on the side in terms of payment for hosting the botnet code. So if they want to send out spam emails, for example, then if they find any other information which may be of benefit to the criminals then they will use that to their advantage, and in so doing they can deploy spyware onto those machines and use that information which they gather to understand your browsing habits, which banks or which online sites you will then visit. As my colleague mentioned about the trojans which are now starting to appear, they are now becoming customised to particular banking sites where most of the phishing activity we see at the moment targets banks and organisations which do not deploy what is called the "two factor authentication" where you have a key fob, for example, which will authenticate as well as your username and password, because once you lose your username and password then anybody can then gain access to your bank account, potentially. If you have a key fob, which you physically have, then that gives you some degree of protection, but what we are now seeing from the trojan perspective is that the trojan will potentially take over your browser session after you have completed the authentication. So rather than stealing your personal username and password, it will wait for you to authenticate, and if you never go to that particular site that trojan may be just dormant on your machine, and that is certainly where we are seeing some increased activity now.

  Mr Isbell: In principle, we agree with MessageLabs's findings. On targeted trojans, with the social engineering the targeted nature of them makes it less likely that they will be reported and appear on the radar.

  Q462  Earl of Erroll: Presumably they are using standard toolkits which they are downloading from websites, wherever? Those will have a signature to them and you will be able to recognise the code and it will make it much easier to clean them up?

  Mr Sunner: First of all, the toolkits are not standard. The emergence of toolkits is quite new and kind of worryingly if you buy one of these off-the-shelf trojans you actually get the bad guy equivalent of a service contract, so that if detection for your newly-made trojan starts to appear they will send you a new version. Unfortunately, it is all too easy to keep this kind of code alive, not by changing the code but by changing the encoding format it is stored in, which will basically in effect give it a new lease of life from traditional detection methods.

  Q463  Lord Mitchell: Just a couple of points. The first thing is, since they are so hard to detect do you think that is going to give individuals a false sense of security?

  Mr Sunner: The first thing is the level of awareness of this. Because it is in such low numbers when compared with things like spam or phishing, I do not believe this is really on the broad radar, certainly for the consumer and even for the corporate world. I do not think people realise the potential which is out there at the moment. I think if they did, then they really ought to be focusing on putting defences in place which can stop this stuff, because frankly traditional detection methods, which are reliant on signatures, which are ultimately reactive, are blind to stopping this new kind of threat.

  Q464  Lord Mitchell: In your evidence you conclude "defensive countermeasures woven into the fabric of the Internet itself will become the key component of any . . . solution." Then you describe it as "fundamentally a technical problem [which] will always require a technical solution, first and foremost". Do you see risks in placing such dependence upon technical solutions and should not end-users, whether criminals or private individuals, be the prime focus of our attention?

  Mr Sunner: The Internet was fundamentally based on protocols to be opened and in some cases things like email were designed decades ago and never catered for the kind of abuse which is now taking place. So the kind of security we are talking about is a fundamental requirement which is missing, which must be there. Unfortunately, given the technical sophistication of some of these trojans which we are talking about, I think it is really out of the reach of what you solve with education now. How can you educate, for instance, against something which is a perfectly rendered online banking site to all intents and purposes? You cannot tackle that with human education, it has to be by spotting the malicious code behind the scenes, which you can only achieve with Internet-level filtering.

  Mr Isbell: I think we are seeing that this is the ever-changing threat landscape which is an on-going feature of the Internet and how we have to react to the threats and new threats as they appear. Whilst I agree with my colleague about technical means, technical countermeasures to technical attacks and technical threats is a requirement, I still think that a multi-layered defence is practical to give you some defence in depth.

  Q465  Lord Young of Graffham: Most of what I wanted to ask about actually has been covered, and perhaps I should say at the start that I am not bothered about marketing spam. By coincidence or otherwise, we use MessageLabs and very few actually comes in, and also Symantec on some machines, and others, but what does concern me greatly are the things you have just been saying for the last few minutes about having tailored trojan horses coming into the network. Things have got so bad that in companies which I am involved with any IP we keep on networks which have no access to the Internet for that very reason, so we get in the ridiculous situation of not being on the Net, we are on an intranet, if you like, with no connection outside. If you can see a world in which criminal forces essentially can tailor-make a trojan horse to attack a particular bank, what is that going to do to the future of banking, Internet banking, and indeed inter-commerce banking? Is it going to go off the Internet and have to go into private networks?

  Mr Sunner: I think we have to bear in mind that this stuff succeeds at the moment because there is no detection in the majority of cases in the stream of traffic, so we are talking about an open target from the bad guys' perspective. This is why we believe quite passionately that we actually urgently need this level of filtering to be interwoven into the fabric of the Internet. Now, whether that is us or whether it is with other ISPs adding this to the flow of traffic, that is how this problem will get solved. So I do not think that we are heading to a situation which is unsolvable. The source of all this is the Internet, therefore that is exactly where the solution needs to be.

  Q466  Lord Young of Graffham: We have had evidence in some of these sessions about whether security should be at the centre or at the periphery and there is a difference of opinion, but what you are telling us, I think, is that these are tailor-made viruses and tailor-made trojan horses attacking a specific target, and very few of them, and therefore the detection software has not been developed. How is it going to be developed in the future, because if I were doing this I would be looking at one specific trojan horse to attack one particular bank account, to remove one large amount of money and then stop? That is like trying to develop something in the medical world against an illness which only appears once.

  Mr Sunner: That is absolutely right. Basically, this is where with scanning at the Internet level a lot more becomes possible in terms of the computational power which you can throw at the problem. It would really be impossible, for instance, to be decoding all potential encoding formats on a PC or on a gateway. You just cannot do that, which is why those mechanisms are reliant upon getting signature updates. At the Internet side of things, all those things do become possible and that is how we are able to spot this stuff at the zero hour. As I say, whether that is us or whether it is another vendor, I think the sooner we can get that level of aggression into those protocols, which at the moment are currently wide open, the better and that is when this problem will start to abate.

  Q467  Lord Young of Graffham: But would you detect the first occurrence?

  Mr Sunner: Absolutely.

  Q468  Lord Young of Graffham: You could be capable of that?

  Mr Sunner: Yes.

  Q469  Chairman: There is a very small chance that you will miss one of these trojans?

  Mr Sunner: Correct. I would say it is incredibly small. From a malware perspective, ironically the more they try to disguise themselves, from our perspective, the bigger these things stick out. So they are generally always inside office documents and are reliant upon the heavy use of encoding formats to disguise the presence of these trojans. This is where, if you have a lot of computational power, which you have from being in the fabric of the Internet, you can get inside those encoding formats. The key thing is decoding it. Once you can do that, you can see the malware.

  Q470  Lord Young of Graffham: Does this cause a backlog, does it take time, and what is it going to do to the transmission of material?

  Mr Sunner: Email is a store and forward mechanism anyway. You are generally dealing in seconds, so it would not be something which would really be perceptible, but I think you also have to weigh up what we are actually doing here. The actual risk, as you have mentioned, in terms of loss of intellectual property could be absolutely devastating.

  Mr Isbell: If I may, the loss of intellectual property is a higher value asset, so the strategy even for the individual user, but especially with corporate, should be to do a proper risk assessment and put in place a proper risk management strategy for its intellectual property and its high value assets.

  Q471  Chairman: If you can detect them so easily, do you also know who they are?

  Mr Sunner: What you can tell is the origin from an IP perspective. Internet addresses have geography, a bit like a phone number, but whilst you might be able to see the origin that is a particular region, whether that was compromised by some other region is the bit that you actually do not know. So depending on where these things are originating from—obviously people are motivated to employ a very high level of stealth and whilst you can tell the geographic origin, that does not necessarily belie the perpetrator.

  Mr Chantzos: My Lord Chairman, if I may, to address the question of detection is a question of, if you like, technology as well as a question of legal instruments in the sense that the process of tracing back to the perpetrator requires first of all that you are able to capture the IP of origin, the last IP of origin, it requires you to be able to go to the service provider through which the IP of origin originated and ask to find any relevant information which that service provider has regarding the IP of origin. Maybe that information has been stored, maybe not. If indeed stealth technique has been employed, if there has been "hopping", if you like, between different geographic locations through compromised computers, then you need to be tracing back through the different geographic locations, through mutual legal assistance agreements involving the law enforcement authorities of every different country. Often, as this requires access to personal data, you would require police warrants. As a result of that, depending upon the level of co-operation between the different law enforcement authorities, which may vary depending on the country—within the European Union, for example, there are established routes and channels—it may be more or less easy to trace.

  Q472  Lord Patel: I want you to take this question seriously: how many "zombies" are there in the United Kingdom?

  Mr Isbell: I do not think I have that level of detail with me to answer that properly.

  Mr Wood: Certainly the last time we did any research into this is going back to probably about the third quarter of the end of last year and we estimated around about 140,000, maybe slightly less, at that time in the UK, which is about 4.3 per cent of the computers which we were intercepting malware traffic around the world based in the UK. It is likely that number may be higher, although there is some evidence to suggest that over the recent holiday period over Christmas the botnet numbers actually decreased quite dramatically, probably around about 20 per cent worldwide, because a lot of people either turned their computers off for a length of time or they went out and bought new, faster PCs because maybe they thought there was a problem with their computers.

  Q473  Lord Patel: How would an individual like myself know whether my computer has been taken over or not?

  Mr Sunner: As you say, of course, to answer all of these questions seriously it becomes incredibly difficult to ultimately confirm absolutely yes or no because the level of stealth which some of these trojans can employ can actually bluff the whole operating system, let alone the anti-virus software, into their presence so it becomes virtually impossible. Having said that, if your computer, if it is a single machine and you have not been doing anything on it for a very, very long time, let us say five hours, yet your activity light for your cable modem or ADSL connection is very, very busy consistently and is for a very long time that might be a clue that something is awry, not 100 per cent sure, but it might be an indication. If the machine is obviously slowing down substantially, married with that, I would certainly be suspicious.

  Mr Isbell: If I could come back on that. I apologise, I did bring some information with me. From our research the UK has seven per cent of the botnets in the world during the measured period behind America and China. The UK accounted for only two per cent of all known command and control servers of those botnets, which indicates that the majority of botnetwork computers in the UK are likely controlled by servers which are outside the UK. We observed an average of 57,700 active botnetwork computers per day with over four and a half million distinct botnetwork computers which were identified as being active at any point over that six month period. I do not know if that gives you the flavour of the scale you were looking for.

  Q474  Lord Patel: Yes, significant. So why do these bot-attacks originate in the UK? Why does the UK have such a high rate?

  Mr Sunner: It is a global phenomenon.

  Mr Isbell: It is a global phenomenon, yes, that is correct.

  Q475  Lord Patel: So the UK is no worse than any other?

  Mr Sunner: The UK is in no way particularly singled out.

  Q476  Lord Patel: So what is the Government doing about it?

  Mr Sunner: From a traffic perspective, the ISPs will be closest to this and they are, of course, self-regulating so I think the Government is a stage removed from this problem currently.

  Mr Chantzos: When we are looking at it from a public policy standpoint obviously, as we said, information security is an issue of people, process and technology, and regulation is by no means the only solution but regulation is certainly an aspect in this area. So to start with, as I am sure you may be aware, the Computer Misuse Act has recently passed also through this House. The Computer Misuse Act was recently updated to include things like denial of service attacks as part of its criminal aspects. It was also updated to include an offence similar to what is called the misuse of device, in other words using it as a hacking tool, and now it is at the stage of implementation. The updating of the Computer Misuse Act is a positive step. Nevertheless, we as a company and my understanding is that a number of other technology companies in this area feel that it is important there is adequate clarity about the issues which the Computer Misuse Act is covering because the current language is to an extent open to some diverging interpretations and it is important that it is clear about what aspects which the Home Office and the Crown Prosecution Service want to see criminalised. One aspect is that right now from a regulatory standpoint there is also a debate in Brussels about what can be done in the area of information security at the European Union level. The Commission has put some proposals around the review of the directive 2258, which is covering the protection of individual privacy on electronic communications. Some of these proposals open a discussion about a more active role of the ISPs in the area of information security. Some of these proposals also pose the question of whether there should be a similar regime to that of the US in the area of breach notification. 
I think also if one looks at the directive 9546 and how that has been implemented in the UK regarding the Information Commissioner, both 2258 and 9546 cover the question of the issue of data protection and information security, so we believe that the Information Commissioner perhaps could see more powers in this area, to be more effectively able to investigate and follow up cases relating to these kind of abuses, spam certainly being an aspect of it. Also, there is the Council of Europe Convention on Cyber Crime, which the UK has signed but has yet to ratify. The United States have recently ratified it and a number of other countries at the Council of Europe have ratified it. The Council of Europe Convention is by far the most complete international instrument in terms of law when addressing cyber crime.

  The Committee suspended from 4.22 pm to 4.30 pm for a Division in the House

  Q477  Lord Patel: How big are these botnets and what are they used for?

  Mr Isbell: I think they vary in size in terms of the botnets themselves in discrete networks owned by a command and control service, so they vary depending on how many clients they have actually managed to infect. Obviously the object of the exercise for every bot-master is to increase his networks to the maximum possible because that makes him more attractive in a financial sense when he is actually selling that capability on. It is a progressive thing. Botnets will grow and they grow depending on how active that particular bot-master is.

  Q478  Lord Patel: What are they used for?

  Mr Isbell: We are seeing more and more increases, moving away now from the traditional area where somebody wanted to be famous. It is now more financially-driven, for financial gain. It is money and it is more around the retail markets as well as getting identity theft, and those two seem to be the main areas of focus.

  Q479  Lord Patel: What is the biggest one that you know of?

  Mr Isbell: I do not think I actually know the biggest botnet itself. I can come back to you with that particular piece of information.

  Mr Chantzos: I am aware of cases which have been publicised that law enforcement authorities have come up with, botnets which had even a million IPs. To come back to your question, the motto we use to describe this sort of activity is that hacking is no longer for fame but for fortune!


 

© Parliamentary copyright 2007