Wednesday, February 19, 2014

Book Review: Fatal System Error: The Hunt for the New Crime Lords Who Are Bringing Down the Internet by Joseph Menn (2010)

Executive Summary

If you are interested in the evolution of cyber crime, Fatal System Error is a good first reference. The author, Joseph Menn, captures the early years, when the cyber criminal community was just beginning to productize its cyber business and professionalize it so that it ran more like a legitimate company. He tells the story through two early cyber security practitioners: a very young Barrett Lyon, a cyber security services businessman who built one of the first denial of service protection companies, Prolexic Technologies, and Andy Crocker, at the time an agent for the UK's National Hi-Tech Crime Unit. Lyon got sucked into protecting organized crime operations that dabbled in offshore gambling and pornography, and Crocker used old-fashioned police work to arrest some of the early cyber criminals at a time when the FBI seemed completely impotent at the prospect. Menn also manages to sprinkle in a discussion of some of the most significant cyber security milestones between 1995 and 2009, such as the emergence of the Russian Business Network and the identification of the Chinese Network Crack Program Hacker group. Fatal System Error is a vital historical reference for the cyber security community regarding the evolution of cyber crime. It is worthy of being a part of the cyber security canon, and you should have read it by now.


Introduction

Most of this book is about the early history of cyber crime. Menn[1] tells the story through two early cyber security practitioners: a very young Barrett Lyon, an early cyber security services businessman who built one of the first denial of service protection companies, Prolexic Technologies, and Andy Crocker, at the time an agent for the UK's National Hi-Tech Crime Unit. Menn also manages to sprinkle in a discussion of some of the significant cyber security milestones from around 1995 to about 2009.

He talks about the rise of cyber espionage and one of the first public discoveries of a state-sponsored amateur hacker group, the Chinese Network Crack Program Hacker (NCPH) group.[2] Any first-tier country on the world's political stage has the ability to conduct cyber espionage, but the Chinese method is different. Where other countries try to maintain as low a profile as they can, the Chinese effort does not seem to worry much about getting caught. Besides its own internal cyber espionage capabilities, China has no problem outsourcing some of its low-level collection efforts to in-country amateur hacker groups. The NCPH group was one of the first such groups to get noticed by the cyber security community.

Menn also describes one of the first and most notorious known organized cyber crime syndicates, the Russian Business Network (RBN),[3] which was virtually untouchable by law enforcement during this period. As Menn tells it, the owner of the syndicate was the son of a highly placed political official, so even if a Russian police officer felt the urge to arrest this cyber criminal, there were powerful forces within the Kremlin that made it a good idea not to.

Menn also covers the familiar ground of Estonia,[4][5][6] Georgia,[6] and Kyrgyzstan,[7] where attackers first proved that cyber warfare was possible, and he documents some of the first uses of distributed denial of service (DDoS) attacks as an extortion tool. He explains the rise of bulletproof-hosting providers (essentially criminal Internet service providers) and the impotence of US law enforcement when tracking Russian cyber criminals during this period. In fact, Menn almost relishes describing the complete lack of respect for the FBI within the cyber security community during this time.

The Story

These details are side stories. The bulk of the book is about the rise of cyber crime. Lyon's story is about how he was sucked into protecting some less-than-savory companies that dabbled in offshore gambling and porn. Organized crime rings ran most of these operations, and the criminals involved were not above trying to sabotage their competitors' efforts. Offshore gambling became popular at about the same time that hackers discovered they could take a website or an entire data center offline with a DDoS attack, simply by bombarding it with junk traffic from thousands of compromised computers around the Internet, a botnet. These new cyber criminals used those kinds of tools against their competitors in an effort to drive them out of business. Lyon's company owned the technology that could mitigate these kinds of attacks, so the organized crime operators came calling for his help. Lyon's story is about how he naively got involved with these cyber criminals and subsequently tried to get himself out of the situation. It was not easy.

Crocker's story is a bit different. He was an old-school British police officer frustrated with the inability of law enforcement to break down jurisdictional lines across international borders and arrest known cyber criminals. He and his National Hi-Tech Crime Unit decided to do something about it. Instead of waiting for Russian law enforcement to be compelled by political leaders to cooperate, Crocker went into the Eastern Bloc countries to build relationships with local law enforcement officials who were just as eager to bring these new cyber criminals to justice as he was. He had one tried-and-true method for accomplishing this task: drink lots of vodka together. Over time, he built trust and friendships with his Russian counterparts and had amazing success arresting cyber criminals in the Eastern Bloc.

Menn got a lot of help writing this book from various prominent cyber security researchers and journalists of the time. He singles out important commercial cyber security intelligence organizations like iDefense,[8] Team Cymru,[9] and SecureWorks.[10] He pointedly casts disdain on anti-virus vendors as ineffective, and he is specifically astonished at Kaspersky's view that the Russians were not behind the attacks against Estonia,[4][5][6] Georgia,[6] and Kyrgyzstan.[7] At the time, Kaspersky thought the Russians were being falsely persecuted by the rest of the world in terms of who was responsible for cyber crime, cyber hacktivism, and cyber warfare.

Menn praises respected independent security researchers like Kimberly Zenz (iDefense), Joe Stewart (SecureWorks), Rafal Rohozinski (SecDev), Don Jackson (SecureWorks), Jart Armin (independent researcher), Paul Ferguson (independent researcher), Avivah Litan (Gartner), and Dmitri Alperovitch (Secure Computing). He also points to cyber security journalists like Brian Krebs, John Markoff, Jon Swartz, Byron Acohido, Kevin Poulsen, Kim Zetter, John Leyden, and Robert McMillan as being the cream of the crop.

I do have a couple of quibbles with his story, though. Menn claims that RBN was the main force responsible for the DDoS attacks against Estonia and Georgia. While it may be true that computers within the RBN botnet participated in those attacks, I do not find Menn's evidence compelling that RBN leaders orchestrated them on their own. Both attacks had too much precision, some would say military precision, to be run from a civilian organization. I also do not like the way that Menn jumps back and forth in the timeline. For example, in one chapter he will talk about events in 2008, jump back to events in 2002, and then jump ahead to significant events in 2006. He makes it tough for the reader to follow the narrative arc, and I would have appreciated a straight-up timeline to keep everything straight. But these are small quibbles. I do not have any compelling evidence either about who was responsible for the Estonia and Georgia attacks, and who am I to criticize the way that Menn tells this complicated story?

Note:

Fatal System Error: The Hunt for the New Crime Lords Who Are Bringing Down the Internet is a Cybersecurity Canon Candidate. Please visit the official page sponsored by Palo Alto Networks to read all the books from the Canon project.



Conclusion

If you are interested in the evolution of cyber crime, Fatal System Error is a good first reference. Menn captures the early years, when the cyber criminal community was just beginning to productize its cyber business and professionalize it so that it ran more like a legitimate company. Fatal System Error is a wonderful historical reference that illuminates this transformation. If you read this book and another that I recently reviewed, Kingpin,[11] you will have a fairly thorough understanding of the cyber criminal world. Fatal System Error is a vital historical reference for the cyber security community. It is worthy of being a part of the cyber security canon, and you should have read it by now.

Note

I worked for iDefense (a VeriSign Inc. business unit) the first time that I wrote about Fatal System Error. Jason Greenwood, the current iDefense general manager and an old friend of mine, has graciously allowed me to reuse some of the original content from that essay for this updated blog post. iDefense is still one of the best commercial cyber security intelligence outfits out there. If you have cyber intelligence needs, you should consider calling them.

Sources

[1] “JosephMenn.com,” last visited 13 February 2014,

[2] “Infamous Hacker Heading Chinese Antivirus Firm?” by Brian Krebs, Krebs on Security, 14 November 2012, last visited 13 February 2014,

[3] “Hunt for Russia's web criminals,” by Peter Warren, The Guardian, 15 November 2007, last visited 13 February 2014,

[4] “Cyberwar Timeline,” by Mark Clayton, The Christian Science Monitor, 7 March 2011, last visited 13 February 2014, 

[5] “Massive DDoS attacks target Estonia; Russia accused,” by Nate Anderson, Ars Technica, 14 May 2007, last visited 13 February 2014, 

[6] “Establishing a Cyber Warfare Doctrine,” by Andrew Colarik and Lech Janczewski, Journal of Strategic Security, Volume 5, Issue 1, pp. 31-48, 2012, last visited 13 February 2014,

[7] “Kyrgyzstan Under DDoS Attack From Russia,” by Dell SecureWorks, last visited 13 February 2014,

[8] “Security Intelligence,” by Verisign, last visited 13 February 2014,

[9] “Team CYMRU Community Services,” by the Dragon Research Group, last visited 13 February 2014,

[10] “SecureWorks,” by Dell, last visited 13 February 2014,

[11] “Book Review: Kingpin: How One Hacker Took Over the Billion-Dollar Cybercrime Underground by Kevin Poulsen (2011),” by Rick Howard, Terebrate, 8 February 2014, last visited 13 February 2014,
