Information Security News mailing list archives

Uncovering the Dark Side of the world wide web


From: William Knowles <wk () C4I ORG>
Date: Sun, 22 Oct 2000 22:34:55 -0500

http://cryptome.org/dark-spy.htm

Financial Times, October 20, 2000
By Marcus Gibson

In an achievement that is almost the equivalent of the Human Genome
project for the internet, a new Scottish software company has not only
succeeded in plotting a map of the world wide web but has also
uncovered its Dark Side.

The achievement had its beginnings three years ago at a brainstorming
session between a group of software programmers in Scotland. "How do
we write a program that detects anything bad that's going on on the
internet?" asked Stephen Whitelaw, former Glasgow University lecturer
and chief executive of Buchanan International, a security software
company based outside Glasgow.

A team member replied: "Well, you'll first need to map all that's good
and bad - an awesome challenge - and keep adding to it on a daily
basis. Only then will you be able to trace, log and map what's bad in
it."

The next morning Whitelaw declared: "OK, let's do it. No matter what
it costs."

And so The Map - of the dark side of the web - was born. Eighteen
months later, the team produced a unique profile of the world wide web
in all its inglorious forms.

About 40 broad categories of undesirable activity, including
pornography, fraud, anarchism, "freaking", virus creation, promoting
violence, cyber terrorism and hacking, have now been registered in
forensic detail.

The programmers found that more than 20,000 new hosts for pornography
sites were being created daily. The average site contained just 43
images, and 98 per cent held almost no original material. However,
some sites had more than 100,000 images.

The porn-viewing public - which forms just 2.5 per cent of the
database - cannot keep up: the number of sites is growing
exponentially but the number of visitors to them only linearly, says
Whitelaw. Child pornography, much of it now originating in eastern
Europe, is a big growth industry, he adds.

For the past decade, Buchanan has provided security software and
criminal-tracking services to the police, security services, banks,
the RUC and utilities such as airports and oil rig operators.
Recently, it was involved in tracing the international tentacles of
the vast Wonderland paedophile ring, which led directly to hundreds of
arrests. One password used by the ring took 35 days for Buchanan to
crack.

Eastern Europe also produces some of the best and most fanatical
hackers who thrive in semi-anarchic societies.

On his laptop, Whitelaw shows me how to find manuals on bomb-making
and sophisticated lock-picking techniques, complete with DIY diagrams.

Next, he demonstrates how easy it is to access lists of thousands of
unissued credit card numbers, and harness special software that
generates the addresses of credit card-holders, or smart ways of
robbing automatic teller machines. Banks already make up a big source
of Buchanan's income.

He shows me more. Criminals - who have a peculiar habit of inputting
all their deeds into PCs and handheld computers - often use software
to erase such incriminating information. Modern techniques, however,
such as the molecular analysis of a hard disc, can reveal much of what
was "deleted".

Finally, Whitelaw demonstrates steganography - the art of concealing
text within more text. "Steganography is considered the third biggest
threat to US security after biological and chemical attack," he says.

His laptop shows a letter containing seemingly harmless text. But,
once decoded, a very different meaning emerges: it is an order to
carry out an assassination.

Security experts are seriously worried about the threat of attacks on
airport flight management computers, power systems, and hospital
equipment, let alone stock markets such as Nasdaq.

To make commercial use of the map, Whitelaw late last year established
Actis Technology, a small company based alongside Buchanan, and on
Thursday at the Loch Lomond Golf Club, Actis launched a muscular
software program designed to provide total monitoring and control over
a company's electronic interface with the outside world, encompassing
IT networks, the internet and e-mail.

Unsuspecting companies are largely unaware that a great deal of the
world's criminal communications are carried out using their own PCs,
notes Whitelaw.

Actis has already secured an advance order for the program from
aerospace company Boeing. With 300,000 PCs linked to the internet, and
100,000 non-US citizen employees, Boeing is understandably nervous
about confidentiality.

The new program will allow the control and monitoring of input. The
software contains a vast list of trusted hosts, hosts that should be
treated with caution and "not trusted". Managers can fix response
options for each questionable activity or link being tracked;
downloading files from dubious sites using a company PC triggers an
alert.

In September, Orange Telecom sacked several dozen UK staff for storing
and swapping pornography on their PCs after an extensive
investigation. Whitelaw's software can be programmed to deal with such
abuses. "We can set up the system to turn a blind eye to files
containing fewer than 50 photos, or prompt an alarm with a
supervisor." More than 60 "options for action" can be programmed,
depending on the severity of the event.

Where serious crime emerges - such as transmission of paedophile
photos, or so-called "snuff", or murder, videos - the corporate server
can be programmed to take a copy of the file for use as evidence in
future prosecutions and then switch off power to that particular PC.

Later, using the Buchanan database, an offending file can be traced to
its source. Colin Rose, Actis' chief operating officer, said: "We can
drop the file into the map, and within hours it will tell us where it
was posted first, all the sites it was sent to and from what sites
information has been downloaded. You've then got a complete picture of
a ring. It's so easy, so quick. You'll soon know if it's a loner, or a
conspiracy involved.

"But some of the material we see is awful. You need counselling after
you've watched it."

The technical difficulties in creating the map were considerable.
Handling the data alone became a gigantic headache. Consuming about 80
gigabytes of data an hour, Buchanan and Actis have created the second
largest database of any organisation in Europe - governments included
- according to Oracle.

The team now has complete access to the world's newsgroups, where many
viruses are initially posted and distributed, and to every image and
every attachment. UK Home Office officials also visited Buchanan and
granted special access to Janet, Britain's national communications
backbone.

These intellectual feats breed eccentrics. One Actis employee, Roy
MacNaughton, a 21-year-old drop-out from Glasgow University and a
gifted astrophysicist who was also a concert grade pianist at the age
of 12, guards the database.

A second, a ruthless tracker of criminals known only as Stew, is
unkempt, sleeps in the office overnight and pads about barefoot. "We
found Stew in the PC section of a bookshop in Glasgow - the best place
to find his sort," says Whitelaw. "The last thing I want is
disciplined minds."

The results are impressive. When the Melissa virus disabled computers
around the world, for example, Actis showed how it could be tracked to
its earliest fingerprint, a programmer in New England, in less than 24
hours - two days quicker than it took the US authorities.

Actis was also consulted when the I Love You virus spread globally.
"No one else has the global map, or the back data," claims Whitelaw.

The company's fame at tracking files soon spread. Buchanan began to
receive hundreds of requests a day from global law enforcement
organisations wanting to track down dubious files.

But not all inquiries are welcome. The government of Singapore asked
if it could control web content; the Chinese authorities made a
similar request. Whitelaw refused. Helping to track criminals was one
thing; helping regimes find human rights activists quite another.

Eight months ago Buchanan stopped accepting requests, except from a
core clientele.

The company is also one of only two able to recover passwords almost
without fail, often a key element in bringing criminals to court - and
of use to companies hit by malicious former staff who change passwords
on leaving.

Actis is now directing its efforts to keeping the map up to date, and
assessing the threat of the new.

This year Actis received 4m in funding from the Royal Bank of Scotland
and Caledonian Heritable, valuing the company at $25m, the highest
"day one" valuation of any Scottish start-up company to date.
Investors now realise the value of such a map is enormous. Estimates
range up to $300m - because without reference to such a database, no
filtering or other security software can fully cover the web.

Whatever happens to Actis, the completion of the map is probably the
first big step in the quest to control internet anarchy.


*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

ISN is hosted by SecurityFocus.com