[59455] in North American Network Operators' Group


Re: Over three million computers 0wned?

daemon@ATHENA.MIT.EDU (Jamie Reid)
Sat Jun 28 22:11:50 2003

Date: Sat, 28 Jun 2003 22:11:08 -0400
From: "Jamie Reid" <Jamie.Reid@mbs.gov.on.ca>
To: sean@donelan.com, nanog@merit.edu
Errors-To: owner-nanog-outgoing@merit.edu



Even if 3mil machines are actively and currently compromised,
of all reachable hosts on the Internet, it would not be unreasonable
to assume that %80 or more are vulnerable to remote compromise
in some way.  That number is speculative, but most estimates from
consulting firms are much higher. (Based on hundreds if not
thousands of penetration tests against corporate networks with
a %90+ success rate).

So of all possible 0wnable machines (including those without basic
anti-virus protection) I would personally speculate that the 3mil is
a pretty low estimate.

What these sort of stats mean is that ultimately, the Internet is not
in a state in which security controls can easily be added, mostly because
of the high degree of autonomy and relatively low level of sophistication
of each host and user on the network. The other reality of this is that
even if hackers aren't directly in control of that most machines, it would
not be inaccurate to say that due to the intrinsic risks in being connected,
users aren't really in control of their systems either.

Security tools are the same as any other software in that they are controls
that you add to a system to optimize it and extract value from it. These studies
show that there is still lots of room for optimization (read: buy their software)
and the implication that there is value in those optimizations.

So yeah, buy more software. ;)



--
Jamie.Reid, CISSP, jamie.reid@mbs.gov.on.ca
Senior Security Specialist, Information Protection Centre
Corporate Security, MBS
416 327 2324

>>> "Sean Donelan" <sean@donelan.com> 06/28/03 07:09pm >>>


http://www.vnunet.com/News/1141901

Trustcorps claims it has scientific and anecdotal research supporting its
conclusion that over three million computers are "owned" by malicious
groups.

On the other hand, Information Risk Management questioned how any one
person could "own" hundreds of computers at any one time.  And systems are
often not "owned" by a single group, but exploited by multiple groups.


Like most statistics, the "truth" is probably a little harder to find, and
a little bit scarier.

The FBI estimates a car is stolen every 27 seconds somewhere in the US.
In 2000, FBI Uniform Crime Report statistics showed that 1,165,559 cars
were stolen; with an estimated value of $7.8 Billion.  Police apprehend
less than 15% of all auto thieves.

Unfortunately this computer crime doesn't fit the FBI crime reporting
statistics well.  Vandalism of Property?  Is the cracking of computers
happening more or less often than car theft?
