Nick Kingsbury's Blog

I was CEO of Chronicle Solutions from 2006 to early 2007. The flagship product is netReplay, a Network Content Appliance that captures, indexes and replays all user communications in real-time. This blog reflects my interest in that area.

Friday, September 22, 2006

The Bad Guys, where are they and what are they doing ?

We are nice. We mix with other nice people. We are too nice.

We need to spend more time thinking about what we would do if we were really really bad. I hasten to add that this in not my idle thoughts on an alternate career (honest!), merely that if we are to thwart the bad guy we must do some alternate thinking.

I have had three particularly worrying, but interesting discussions in the last couple of weeks. No names and all that, but here they are.

1) A potential customer for netReplay employs a few thousand staff and currently has one (quickly former) member of staff in prison awaiting trial on terrorism charges. He (allegedly) was running a web site that was raising funds for a terrorist organisation. Now I wonder how much time he spent using his employers systems, networks, storage, bandwidth plotting to destroy his neighbor's families. The bad guy was in the next cubicle. Scary in the extreme.

2) A partner of Chronicle's has a customer whose internet traffic network they monitor. The customer is a metropolitan city council. The strange thing is that messages are regularly and systematically going to IP addresses in Eastern Europe. There is no legitimate reason why this should happen. They plan to use netReplay to log and replay the traffic and find out at least what's inside the messages. So think bad thoughts. Details of home owners and their taxation could be useful. Councils collect tax, and also give it back. Maybe there are a pile of false addresses claiming rebates. We shall see, once we have netReplay installed. The bad guy is miles away and he or she is stealing your taxes or getting information about you to steal from you. Hopefully we can help capture the forensic data to pin them down.

3) They are out to get you; yes you (singular). Some of my friends who deal with the more shady security services have told me of a new trend. We tend to think of internet crime as rather blind; a blanket blast to find a weak spot, and so long as you are not too dumb and have the latest patches you are OK, right ? Wrong. The bad guys are targeting individuals. Who is the chief designer for that electronics company; could be good to get his data. Who is dealing with the big M&A deals in an investment bank ? Early knowledge of a bid could is very very valuable. Who is on the bid team for the xyz deal ? If you are the competitor and have few scruples then well worth targeting the key individual. This has been reasonably well publicised, its even in wikipedia; check out Titan Rain ; talking to those affected the personalised nature of the attacks is really alarming.

So if you are bad, how do you find those key individuals ? Go through their trash ? No, dummy, use search engines, blogs and social networking sites. Much easier, and don’t get last nights dinner on your hands, and if you are smart (which they are), you can write software to do it for you.

The really scary thing here is that they will be absolutely determined to make sure you don't even know its happened. You won't even know the bad guy exists, let along where he is or what he is doing.

Hey, just then my laptop seemed rather too busy doing something in the background. I wonder….

Nick Kingsbury


Anonymous Anonymous said...

Part of the problem is that targeted trojans work very well, and are not detected by antivirus/ antispyware software. Remember the Israeli targeted-trojan incident earlier this year? (

Getting better visibility on the type of network traffic entering and leaving the network can help, of course.

The other "fix" requires a sea-change in thinking around malicious code. Instead of the "allow all except that which is provably evil" (taken by antivirus today), we need to move to a "only allow programs which we know are ok" approach.

3:02 PM  
Anonymous Nate Carmody said...

It's so hard to define what is good, with so much going on and changing daily.
What would be more usefule and practical is an approach that would in essence whitelist all 'known good' traffic, and then allow you to further inspect that which is not known to be good. This targets your searching and doesn't interrupt your business process unduly, but allows you to still see all the details you need.
Check out for ways to achieve this

12:27 AM  

Post a Comment

<< Home