Thursday, February 23, 2006

Hacker 0x80 0wn3d by FBI (Arrested after Accidental Outing by Washington Post) [1]

What can the botmaster 0x80's impending misfortune [1] teach us about information security? Quite a bit. What the botmaster and the reporter didn't count on is a security risk known as "the aggregation problem" or "point and click aggregation". It's not surprising, as even practicing security professionals are often unaware of this problem, or vaguely aware of the concept but not the name. Online information security dictionaries generally lack the terms, and don't mention them in their discussion of "disclosure" either.

The aggregation problem happens when a series of small facts, any one of which presents a minimal security risk if disclosed on its own, combine to present a greater security risk when disclosed together. When aggregated, information from publicly available sources may accidentally disclose information that was intended to remain confidential. As it happens, an IETF glossary contains a definition of the basic term.

RFC 2828: Internet Security Glossary

aggregation (I) A circumstance in which a collection of information items is required to be classified at a higher security level than any of the individual items that comprise it.
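The definition can be turned into a pre-publication check. The following is an added example, not part of the original post: it counts how many people in a constructed population remain indistinguishable from an interview subject as details are combined, and finds the largest set of details that can be published together without shrinking that group below k. The field names and every record are invented for illustration.

```python
from itertools import combinations

FIELDS = ("age_band", "region", "housing", "pet", "smoker")

# Constructed population of eight people; every value is invented.
POPULATION = [dict(zip(FIELDS, row)) for row in [
    ("20s", "midwest", "with parents", "dog",  "yes"),  # the interview subject
    ("20s", "midwest", "rents",        "cat",  "no"),
    ("20s", "south",   "with parents", "dog",  "no"),
    ("30s", "midwest", "with parents", "dog",  "yes"),
    ("20s", "midwest", "rents",        "dog",  "yes"),
    ("20s", "west",    "with parents", "cat",  "yes"),
    ("40s", "midwest", "owns",         "dog",  "no"),
    ("20s", "south",   "rents",        "none", "yes"),
]]
SUBJECT = POPULATION[0]

def anonymity_set(records, subject, attrs):
    """Count records that match the subject on every attribute in attrs."""
    return sum(all(r[a] == subject[a] for a in attrs) for r in records)

def largest_safe_release(records, subject, attrs, k):
    """Largest attribute subset that, disclosed together, still leaves
    the subject hidden among at least k people. Empty tuple if none."""
    for size in range(len(attrs), 0, -1):
        for combo in combinations(attrs, size):
            if anonymity_set(records, subject, combo) >= k:
                return combo
    return ()

if __name__ == "__main__":
    # Each detail alone looks harmless: it matches several people.
    for field in FIELDS:
        print(f"{field:9} alone -> {anonymity_set(POPULATION, SUBJECT, [field])} people")
    # Disclosed together, the same details single out one person.
    print("all five together ->", anonymity_set(POPULATION, SUBJECT, FIELDS))
    print("safe to publish (k=3):", largest_safe_release(POPULATION, SUBJECT, FIELDS, 3))
```
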
The concept was first defined in the area of classification of national security documents, an area that provides fascinating and relevant illustrative examples. (A friend has told me that there was a story about the guy that invented the concept on NPR or Air America recently. If any of you dear readers have a link to that story, please let me know in the comments.)

For several decades following the end of World War II, it was believed that the knowledge required to build an atomic bomb should be protected. (This concept might seem dated now, but it was almost certainly a valuable approach for the first few decades.) More than once during the past half century, curious students have apparently found their research classified when they demonstrated that the basic plan for building and assembling an atomic bomb could be derived by non-experts from publicly available information. One such story, The Nth Country Project, is detailed at the Guardian. This was an official project wherein the U.S. Army learned that a couple of competent physicists with no knowledge of atomic bombs could indeed figure out how to build one. This was decades before the internet, and it took two guys 30 months. The bar now is considerably lower. I have a recollection that a student created a plan for making a bomb within the last several years, using information gathered from the internet. We can't put the Djinni back into the bottle.

Our hacker's [0x80's] problem with aggregation concerns disclosure of confidential information -- his identity -- that both he and the reporter desired to keep secret. Unfortunately, a series of small disclosures accumulated into an aggregation problem: specifically, a modern, Slashdot- and Google-fueled point-and-click aggregation problem, with direct implications for his daily freedom. 0x80's troubles began when he decided to allow himself to be interviewed by a reporter from The Washington Post.
Brian Krebs constructed an excellent story, "Invasion of the Computer Snatchers", profiling what appears to be a typical young ne'er-do-well -- albeit one making from $6,000.00 to $10,000.00 each month by unleashing worms which spread throughout the internet, cracking into your computer to install adware and spyware. A shady network of advertising schemes (see: The Hidden Money Trail [PC World]) funnels the money to botmasters like 0x80 when people click through the pop-up ads which appear on their computers. (Yes, some people really do buy vitamins, Viagra and whatnot off the internet from pop-up ads delivered to their PCs by botnets. Go figure.)

Within hours a story appeared on Slashdot, a discussion forum affectionately known as "News for Nerds". The editors linked to the Washington Post story and opened a discussion titled "Interview with a Botmaster". Within minutes, discussion participants noticed that apparently minor tidbits of information could be aggregated to paint a strikingly clear portrait of the hacker. In the discussion, these facts were assembled:
  • male youth
  • 21 years old
  • lives in small town in the midwest
  • slightly long hair that covers his eyebrows
  • lives with parents
  • parents' house is a brick rambler
  • has a small dog with matted fur
  • speaks with an accent that is a mixture of southern drawl and midwestern nasality
  • smoker
  • tall, thin build
  • dropped out of high school
Then it was noticed that retouched pictures showing the obfuscated hacker included meta tags -- information in plain text attached to many photos. This information revealed the name of the photographer, the type of camera used to take it, the time and date it was taken, as well as the fact that the picture was taken in Roland, Oklahoma. The pictures themselves seemed to reveal that the hacker has blond hair -- at least the hair on his arms appears blond in one photo. The handle "0x80" might also be a reference to another smoking habit, as it represents "the high bit" (see also "dread high-bit disease"), which is probably an intentional double-entendre. (e.g. Perhaps he smokes marijuana as well as tobacco.)

Data aggregation led one discussion participant to post a link to a Google map. It's pretty likely that the home of 0x80's parents is within a mile of that spot. (Google appears to have since removed the detailed imagery for this location. Their map now says, "We are sorry, but we don't have imagery at this zoom level for this region. Try zooming out for a broader look.")

So the FBI knows where to look for at least one elusive botmaster. They'll find him soon enough. They probably already know where he is and who he is, and are gathering information on his desperate attempts to cover his tracks.

More information on the aggregation problem can be found here: Warring on the Web internet presents web of security issues Inferential Disclosure

NOTE [1] Clearly the hacker referred to in the article as 0x80 hasn't been arrested yet. This article discusses in detail the internet security issue known as "the aggregation problem" or the "point and click aggregation problem", which will likely contribute to his arrest in the near future (even if he doesn't live in Oklahoma).
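The photo metadata leak described above is the kind of disclosure a publishing pipeline can catch mechanically. The following is an added example, not part of the original post and not any newspaper's actual tooling: it walks the segment structure of a JPEG file, reports the segments that commonly carry Exif, XMP, IPTC or comment metadata, and returns a copy without them. The sample bytes are constructed to be structurally valid but are not a decodable image.

```python
import struct

# JPEG segment markers that commonly carry identifying metadata.
METADATA_MARKERS = {
    0xE1: "APP1 (Exif/XMP)",
    0xED: "APP13 (IPTC/Photoshop)",
    0xFE: "COM (comment)",
}

def scrub_jpeg(data: bytes):
    """Return (clean_bytes, findings); findings lists (segment name, length)."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    out, findings, pos = bytearray(data[:2]), [], 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"malformed segment header at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xDA:  # SOS: compressed image data follows, copy the rest as is
            out += data[pos:]
            return bytes(out), findings
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        end = pos + 2 + length  # the length field counts its own two bytes
        if length < 2 or end > len(data):
            raise ValueError(f"bad segment length at offset {pos}")
        if marker in METADATA_MARKERS:
            findings.append((METADATA_MARKERS[marker], length))
        else:
            out += data[pos:end]
        pos = end
    raise ValueError("truncated JPEG: no SOS marker found")

def segment(marker: int, payload: bytes) -> bytes:
    """Build one JPEG segment (used only to construct the sample below)."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed sample: JFIF header, an Exif block, an IPTC block, then scan data.
SAMPLE = (b"\xff\xd8"
          + segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
          + segment(0xE1, b"Exif\x00\x00<constructed: camera model, timestamp>")
          + segment(0xED, b"Photoshop 3.0\x00<constructed: byline, city>")
          + segment(0xDA, b"\x00") + b"<scan data>" + b"\xff\xd9")

if __name__ == "__main__":
    clean, found = scrub_jpeg(SAMPLE)
    for name, length in found:
        print(f"removed {name}, {length} bytes")
    print(f"{len(SAMPLE)} bytes in, {len(clean)} bytes out")
```

Run as a gate before images leave the newsroom, a non-empty findings list is the signal that a file still carries metadata; retouching the visible pixels does nothing to these segments.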



Anonymous said...

Arrested? Do you know something we don't know? You should check your facts before posting inflammatory and plainly wrong headlines.

Gary W. Longsine said...

The headline is clearly a comical prediction of a very likely near future event. This appears to be clear to those who read the article, not just the headline, but perhaps I should make a footnote for those who are in a hurry. Sorry for the inconvenience.