Though Estonia cannot be sure of the attackers’ identities, their plans were posted on the Internet even before the attack began. On Russian-language forums and chat groups, the investigators found detailed instructions on how to send disruptive messages, and which Estonian Web sites to use as targets. This underlines a point I made in a paper last year about the discovery of the WMF vulnerability in December 2005. The discovery and exploits of the vulnerability appear to have been made by Russians, or at least Russian speakers, about two weeks before they became known in the West. What I wrote then remains pertinent:
Most of the discussion about WMF took place in English. Some of it was translated, but translation, understandably, took a back seat to ascending the learning curve—in English—and getting the information out in the easiest form possible, which meant English. This may have hindered the ability of users and sysadmins who speak English poorly or not at all to get the information they need. Given the growing number of users who do not speak English, that is a topic worthy of research on its own. But another implication of this is that the blackhats can operate under the radar. Exploits of the WMF vulnerability were extant for about two weeks before they were made public—leaked—in an email message to an English-language list. What if the leak had not been made? Websense may have been on the verge of discovering the vulnerability that the exploits it saw were exploiting, but few others began to move until they saw that email and the Metasploit module was released. It could easily have been several days before the vulnerability was recognized. Almost assuredly, Microsoft would have held off a patch until January 10th, assuming that it knew enough to make one even then.
More broadly, how much is going on that we do not know about because the whitehat community as a whole has neither the language skills nor the predisposition to linger where blackhats talk in languages other than English? There are regions of the world where blackhats are developing exploits—writing them, testing them, using them—that may easily become global threats.
Businesses and governments in Europe and North America will be targeted by such exploits. We have some capability to create an early warning capability that can try to learn about what is happening in hidden hotbeds of blackhat activity like Brazil, China, and the former Soviet empire. WMF showed a little about what can be done, with iDefense and Kaspersky in particular producing essential information about the origins of the exploits. But it also showed that a stronger capability is needed, either from companies like iDefense and Symantec, or from government. Unfortunately, the required combination of skills—linguistic and technical—is scarce.