Life keeps getting more difficult for information security researchers - and it's not all down to the bad guys.
The old Chinese proverb "may you live in interesting times" seems to apply increasingly to IT security researchers. In the past few weeks, two seemingly unconnected events have caught my attention: the rise of the Storm worm and the release of a report on personal internet security by the House of Lords' science and technology committee.
By now, I'm sure most security professionals are aware of Storm. The name was first given to a particular mass mailing of a Trojan a few months ago. The purpose of the Trojan was to create a botnet. This botnet has been growing, sending out more emails as well as providing a number of other functions. One of these is to provide a large number of download sites (you can recognise a Storm mailing by the use of just an IP address in the URL) from which the malware used to turn the target PC into a member of the botnet can be obtained.
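The bare-IP-in-the-URL tell described above can be turned into a simple mail-filter check. The Python below is an added example, not code from the original column or from ECSC; the message bodies are constructed samples using RFC 5737 and RFC 3849 documentation addresses.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Matches an http(s) URL up to the first whitespace, angle bracket, quote or ')'.
URL_RE = re.compile(r"""https?://[^\s<>"')]+""", re.IGNORECASE)


def host_is_bare_ip(url: str) -> bool:
    """True when the URL's host is a literal IPv4/IPv6 address, not a domain name."""
    try:
        host = urlsplit(url).hostname  # drops scheme, userinfo, port and path
    except ValueError:                 # malformed bracketed IPv6 literal etc.
        return False
    if not host:
        return False
    try:
        ipaddress.ip_address(host)     # rejects domain names and bogus quads like 999.1.1.1
    except ValueError:
        return False
    return True


def flag_ip_host_urls(body: str) -> list[str]:
    """Return every URL in an email body whose host is a bare IP address."""
    urls = (u.rstrip(".,;:!?") for u in URL_RE.findall(body))  # trim sentence punctuation
    return [u for u in urls if host_is_bare_ip(u)]


def scan_messages(messages: dict[str, str]) -> dict[str, list[str]]:
    """Map each message id to its flagged URLs; an empty list means nothing was flagged."""
    return {mid: flag_ip_host_urls(body) for mid, body in messages.items()}


# Constructed sample messages (documentation address ranges only).
SAMPLE_MESSAGES = {
    "lure-plain": "Watch the clip here: http://192.0.2.10/video.exe before it is removed!",
    "newsletter": "Season preview: https://www.example.com/football/preview.html",
    "lure-port":  "Download now: http://198.51.100.7:8080/applet.exe.",
    "lure-ipv6":  "See http://[2001:db8::1]/file.exe",
}

if __name__ == "__main__":
    for mid, hits in scan_messages(SAMPLE_MESSAGES).items():
        print(f"{mid}: {'FLAGGED ' + ', '.join(hits) if hits else 'clean'}")
```

Such a rule is a triage signal, not proof of malice: legitimate mail occasionally links to an address directly, so route flagged messages to review rather than dropping them outright.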
We've seen the volume of spam, phishing and virus emails double through August - typically, around 90 per cent of all emails are now spam. The Storm botnet has been largely responsible for this dramatic increase.
The variety of emails has increased as well, promising everything from a new YouTube video to free downloads of football-related information at the start of the new season. In addition to emails designed to boost the botnet, phishing emails and sites associated with Storm are also on the increase.
Of course, "may you live in interesting times" is also a curse. One of the extra capabilities of the Storm botnet is a self-defence mode. If a pattern of access looks suspicious, for example lots of requests to different parts of the botnet from the same IP, then Storm will launch a devastating counterattack against that IP.
I recently investigated one of these attacks: the number of IPs involved - tens of thousands - and the amount of traffic raised was on an extreme scale - gigabit links were easily saturated. To put it into perspective, this attack was larger than the well-publicised alleged "cyber war" against Estonia back in April. Faced with this kind of response, security researchers, perhaps trying to identify malware on the download sites, or just measuring the function of the botnet, need to be very, very careful. If you attract the attention of Storm, your ISP may not want you on its network.
Another very interesting, or even sinister, aspect of Storm, is that it underscores the changing nature of the threat from the bad guys. The people behind it are well organised and powerful, displaying all the attributes of a sophisticated part of organised crime.
However, the threats to security researchers aren't just from the bad guys. The House of Lords report on personal internet security draws a number of interesting conclusions, which could have a far-reaching impact if they go on to form part of any future legislation.
A key recommendation is to drop the presumption that end users are responsible for security and instead make ISPs responsible for the traffic flowing over their networks. This could have a chilling effect on research, as most research consists of sending interesting packets over the network - exactly the sort that could well be stopped by an ISP's new security policy.
Perhaps of more concern is the view in the report that the millions of pounds spent on IT security is part of the problem and an unnecessary expenditure. While there may be an element of truth in this, it ignores the fact that part of that expenditure goes on research and development - investment, in other words.
Finally, the report reminds us that the recent amendments to the Computer Misuse Act 1990 threaten to criminalise security researchers - making it illegal to possess or use common tools such as vulnerability scanners. We're still waiting for guidance from the Crown Prosecution Service - so, as security researchers and testers, we still don't know where we stand. Interesting times indeed.
- Ian Castle, CISSP, is a senior consultant at ECSC and heads the internet defence division.