Uncovering the Dark Side of the world wide web
http://cryptome.org/dark-spy.htm

Financial Times, October 20, 2000

By Marcus Gibson

In an achievement that is almost the equivalent of the Human Genome project for the internet, a new Scottish software company has not only succeeded in plotting a map of the world wide web but has also uncovered its Dark Side.

The achievement had its beginnings three years ago at a brainstorming session between a group of software programmers in Scotland. "How do we write a program that detects anything bad that's going on on the internet?" asked Stephen Whitelaw, former Glasgow University lecturer and chief executive of Buchanan International, a security software company based outside Glasgow.

A team member replied: "Well, you'll first need to map all that's good and bad - an awesome challenge - and keep adding to it on a daily basis. Only then will you be able to trace, log and map what's bad in it."

The next morning Whitelaw declared: "OK, let's do it. No matter what it costs." And so The Map - of the dark side of the web - was born.

Eighteen months later, the team produced a unique profile of the world wide web in all its inglorious forms. About 40 broad categories of undesirable activity, including pornography, fraud, anarchism, "freaking", virus creation, promoting violence, cyber terrorism and hacking, have now been registered in forensic detail.

The programmers found that more than 20,000 new hosts for pornography sites were being created daily. The average site contained just 43 images, and 98 per cent held almost no original material. However, some sites had more than 100,000 images. The porn-viewing public - which forms just 2.5 per cent of the database - cannot keep up: the number of sites is growing exponentially but the number of visitors to them only linearly, says Whitelaw. Child pornography, much of it now originating in eastern Europe, is a big growth industry, he adds.
For the past decade, Buchanan has provided security software and criminal-tracking services to the police, security services, banks, the RUC and utilities such as airports and oil rig operators. Recently, it was involved in tracing the international tentacles of the vast Wonderland paedophile ring, which led directly to hundreds of arrests. One password used by the ring took 35 days for Buchanan to crack.

Eastern Europe also produces some of the best and most fanatical hackers who thrive in semi-anarchic societies. On his laptop, Whitelaw shows me how to find manuals on bomb-making and sophisticated lock-picking techniques, complete with DIY diagrams. Next, he demonstrates how easy it is to access lists of thousands of unissued credit card numbers, and harness special software that generates the addresses of credit card-holders, or smart ways of robbing automatic teller machines. Banks already make up a big source of Buchanan's income.

He shows me more. Criminals - who have a peculiar habit of inputting all their deeds into PCs and handheld computers - often use software to erase such incriminating information. Modern techniques, however, such as the molecular analysis of a hard disc, can reveal much of what was "deleted".

Finally, Whitelaw demonstrates steganography - the art of concealing text within more text. "Steganography is considered the third biggest threat to US security after biological and chemical attack," he says. His laptop shows a letter containing seemingly harmless text. But, once decoded, a very different meaning emerges: it is an order to carry out an assassination.

Security experts are seriously worried about the threat of attacks on airport flight management computers, power systems, and hospital equipment, let alone stock markets such as Nasdaq.
To make commercial use of the map, Whitelaw late last year established Actis Technology, a small company based alongside Buchanan, and on Thursday at the Loch Lomond Golf Club, Actis launched a muscular software program designed to provide total monitoring and control over a company's electronic interface with the outside world, encompassing IT networks, the internet and e-mail.

Unsuspecting companies are largely unaware that a great deal of the world's criminal communications are carried out using their own PCs, notes Whitelaw.

Actis has already secured an advance order for the program from aerospace company Boeing. With 300,000 PCs linked to the internet, and 100,000 non-US citizen employees, Boeing is understandably nervous about confidentiality.

The new program will allow the control and monitoring of input. The software contains a vast list of trusted hosts, hosts that should be treated with caution and "not trusted". Managers can fix response options for each questionable activity or link being tracked; downloading files from dubious sites using a company PC triggers an alert.

In September, Orange Telecom sacked several dozen UK staff for storing and swapping pornography on their PCs after an extensive investigation. Whitelaw's software can be programmed to deal with such abuses. "We can set up the system to turn a blind eye to files containing fewer than 50 photos, or prompt an alarm with a supervisor." More than 60 "options for action" can be programmed, depending on the severity of the event.

Where serious crime emerges - such as transmission of paedophile photos, or so-called "snuff", or murder, videos - the corporate server can be programmed to take a copy of the file for use as evidence in future prosecutions and then switch off power to that particular PC. Later, using the Buchanan database, an offending file can be traced to its source.
Colin Rose, Actis' chief operating officer, said: "We can drop the file into the map, and within hours it will tell us where it was posted first, all the sites it was sent to and from what sites information has been downloaded. You've then got a complete picture of a ring. It's so easy, so quick. You'll soon know if it's a loner, or a conspiracy involved.

"But some of the material we see is awful. You need counselling after you've watched it."

The technical difficulties in creating the map were considerable. Handling the data alone became a gigantic headache. Consuming about 80 gigabytes of data an hour, Buchanan and Actis have created the second largest database of any organisation in Europe - governments included - according to Oracle.

The team now has complete access to the world's newsgroups, where many viruses are initially posted and distributed, and to every image and every attachment. UK Home Office officials also visited Buchanan and granted special access to Janet, Britain's national communications backbone.

These intellectual feats breed eccentrics. One Actis employee, Roy MacNaughton, a 21-year-old drop-out from Glasgow University and a gifted astrophysicist who was also a concert grade pianist at the age of 12, guards the database. A second, a ruthless tracker of criminals known only as Stew, is unkempt, sleeps in the office overnight and pads about barefoot.

"We found Stew in the PC section of a bookshop in Glasgow - the best place to find his sort," says Whitelaw. "The last thing I want is disciplined minds."

The results are impressive. When the Melissa virus disabled computers around the world, for example, Actis showed how it could be tracked to its earliest fingerprint, a programmer in New England, in less than 24 hours - two days quicker than it took the US authorities. Actis was also consulted when the I Love You virus spread globally. "No one else has the global map, or the back data," claims Whitelaw.
The company's fame at tracking files soon spread. Buchanan began to receive hundreds of requests a day from global law enforcement organisations wanting to track down dubious files.

But not all inquiries are welcome. The government of Singapore asked if it could control web content; the Chinese authorities made a similar request. Whitelaw refused. Helping to track criminals was one thing; helping regimes find human rights activists quite another. Eight months ago Buchanan stopped accepting requests, except from a core clientele.

The company is also one of only two able to recover passwords almost without fail, often a key element in bringing criminals to court - and of use to companies hit by malicious former staff who change passwords on leaving.

Actis is now directing its efforts to keeping the map up to date, and assessing the threat of the new. This year Actis received 4m in funding from the Royal Bank of Scotland and Caledonian Heritable, valuing the company at $25m, the highest "day one" valuation of any Scottish start-up company to date.

Investors now realise the value of such a map is enormous. Estimates range up to $300m - because without reference to such a database, no filtering or other security software can fully cover the web. Whatever happens to Actis, the completion of the map is probably the first big step in the quest to control internet anarchy.