Was Koobface exposé the right move?

Here’s a recent ZDNet guest editorial I wrote about the recent disclosures around Koobface. Ryan Naraine summarizes my text pretty well:

Stefan Tanase argues that the public outing of the Koobface hacker gang makes it even more difficult for law enforcement to act.

Just as a stand-up comedian carefully places his punch line at the end of the joke, I also usually leave my conclusions for the end of a post. Except for this time. This time, I would like to start with the conclusion: For an ongoing investigation not to be jeopardized, it is extremely important that all information related to those being investigated does not become public.

When (cyber)criminals suspect they’re being investigated, they become more careful. But when they are sure that someone is after them, they become unpredictable in their actions. Simply hiding, making a run, covering their tracks, buying their freedom, fighting back or any combination of these are just some of the options. I’m sure you know this if you watch the Discovery Channel. You also know this if you’re actively tracking the latest disclosures around the Koobface botnet.

What happened with Koobface after the identities of its authors and the inner workings of their underground business became public? The obvious happened, of course. They began wiping out all public information about themselves from the Internet: Facebook profiles, Twitter feeds, Foursquare check-ins, Flickr pictures, you name it. They are covering their tracks in the cyber-world as we speak, and only God knows what else they are doing in the real world to protect the most valuable thing they have right now: their freedom.


A disclosure of information that can jeopardize an ongoing investigation is not something which I support, nor something with which I agree.

I’ve heard OSINT (Open-source intelligence) as an argument for this public disclosure. It’s not. OSINT is about using freely available information to produce actionable intelligence, not about making actionable intelligence freely available on the Internet. Was it done to push authorities by creating pressure or to aid them, in any way? I’m not sure the pressure supposed to push law enforcement into actually doing something in this case will be enough to compensate for the fact that the gang behind Koobface are now destroying evidence and going further underground. The public exposure has obviously hurt efforts.

Investigations can take years – many years. Anyone who has actually been involved in such an investigation knows how frustrating it can be. But it doesn’t mean that we should at one point make everything public and hope for the best. Bad guys go to jail after being on trial, not after being on trial by the media.


Therefore I am making a public plea to all security researchers that were, are or will be involved in cybercrime investigations: Don’t publish data that can ruin years of investigative work. Only share information regarding attribution with law enforcement and trusted contacts. Make sure you understand that certain legal procedures need to be followed and they might take time. Be patient and don’t become frustrated. In the end, everything will be ok. If it’s not ok, then it’s not the end.

I would love to be able to end this text on an optimistic note. However, in real life things are not black and white all the time. There are countless other e-crime related activities in which it’s not clear whether law enforcement, either alone or with private partners, is working on a case. That often makes it difficult to ‘stand by’ while it seems that nothing is being done. It’s a fine line. What is needed is a better way to determine whether something is being worked across various levels of law enforcement, and what level of participation is occurring with private partners.

* My thanks to Kurt Baumgartner, Jan Droemer, Andre’ M. DiMino, Costin Raiu, Roel Schouwenberg, Dmitry Tarakanov and countless others for contributing to this article.

PS: Here’s a Threatpost poll where you can cast your vote: Was exposing the Koobface gang a good idea?

Russian “Koobface” cyber-hackers gave themselves away

"Koobface" sounds like the cyberbully cousin of Scooby Doo. You might have been a victim of the Koobface gang. This Russian cybergang is responsible for viruses that spread through Facebook and other social network sites. Technically, none of the members are under investigation by law enforcement; it’s hard to prosecute people that you can’t find. Recently, the group has been “checking in” on Foursquare, completing their location with coordinates and pictures. With more and more information being leaked about the group, perhaps citizens, companies and governments will band together to help shut this group down — but even if they finally do, don’t click on anything you don’t trust.




The best-known trojan for Facebook was created in Russia. The names of its owners have been revealed

The German channel SWR has published the surnames of the creators and owners of the best-known trojan for social networks, Koobface. All of them live in Saint Petersburg and are at … Read more…

Facebook: the Koobface virus is back! | News | Softonic

See on Scoop.it - L’actualité high tech

Warning: the Koobface virus is back on the web. Discovered in November 2008 by the vendor McAfee, it is a computer worm that plagues Facebook.

According to McAfee, the number of infections by this virtual scourge reached a record level in the first quarter of 2013.

The Koobface worm spreads by sending emails to the friends of people whose computer has been infected.

Once installed, the Koobface virus hides in a subfolder of the Windows folder under the name “freddy35.exe”.

See on actualites.softonic.fr

Black Code: how spies, cops and crims are making cyberspace unfit for human habitation

I reviewed Ronald Diebert’s new book Black Code in this weekend’s edition of the Globe and Mail. Diebert runs the Citizen Lab at the University of Toronto and has been instrumental in several high-profile reports that outed government spying (like Chinese hackers who compromised the Dalai Lama’s computer and turned it into a covert CCTV) and massive criminal hacks (like the Koobface extortion racket). His book is an amazing account of how cops, spies and crooks all treat the Internet as the same kind of thing: a tool for getting information out of people without their knowledge or consent, and how they end up in a kind of emergent conspiracy to erode the net’s security to further their own ends. It’s an absolutely brilliant and important book:
