Information sharing could be the tool that sends a powerful blow against cybercriminals, says a security researcher who is reviving a mailing list to prod information sharing on botnet research.
Gadi Evron, a former manager of the Israeli government CERT, is reviving the botnets mailing list. Evron said the list was fairly successful two years ago but quickly lost steam, because some researchers did not feel confident sharing their information in a public setting. Since Evron revived it this week, researchers have been actively sharing raw data with other list members.
"We have better tools, we're better organized, we know what we're doing, but still we have not really made a dent," Evron said. "There have been some arrests, we've taken down some operations, but what it comes down to is … the criminals are still making money."
Evron said the communities that are currently active are closed and, by their nature, more secretive. Less information gets out and less is shared, because people who should be trusted cannot find the right groups, or finding an information-sharing group is simply too difficult.
"We're already seeing malware everywhere," Evron said. "The only thing the criminals have to do is log online and Google and they can find pretty much anything they want."
Evron helped investigate the massive Estonian cyberattacks that crippled the nation in 2007. The researcher said criminals in charge of botnets will likely strike again, bringing down critical IT systems.
The Estonian attacks showed how communities are formed around information sharing, Evron said. The ultimate goal of the mailing list is to get more IT administrators and security researchers involved in combating cybercrime, get them to care about the problem and get them organized, Evron said.
"Maybe the mailing list won't work out; maybe we'll decide that it's just too dangerous, but it's time to give it a shot," Evron said.
Evron acknowledges that many people in the security community have financial objectives, and information sharing will always be somewhat limited.
"A large portion of this community is financially based and we need to accept that," Evron said. "It's still important to share, because there are many people doubling their resources, researching the same thing over and over again."
Evron would not comment on the way the Domain Name System (DNS) flaw was handled by security researcher Dan Kaminsky. Kaminsky, director of penetration testing at IOActive Inc., shared the details of the flaw with the affected vendors but kept most of the security community out of the loop. The result was a massive coordinated patch release on July 8. Keeping the details private gave IT administrators 13 days to deploy the patches, Kaminsky said.
"While I have personally coordinated quite a bit of international global incident response, I was not involved with the DNS vulnerability," Evron said. "I don't know much about it."
Evron said those who object to information sharing have reasonable objections.
"We're all technical people with strong egos and personalities," Evron said. "Information sharing is complicated."