Bunkobons

Worm: The First Digital World War

by Mark Bowden

Recommended by

"Worm is about the Conficker worm, which was one of the earlier very, very effective pieces of malware used to build an enormous bot. Mark Bowden goes in and looks at who the people are trying to stop it. And perhaps partly because of the other stories he’s written, it’s very much an action adventure/good guys and bad guys/race to the end of the world setup. Again, it’s an example of framing a narrative around one very particular piece of malware that affects many people and homing in on its impact and how it affects individual people in their day-to-day lives. One of the things I really took away from Worm is there were a lot of very smart people putting a lot of time and energy into dealing with it and it just kept evading them. It’s one of the first books that gave me a feel for, ‘Oh, this is what it means when they say attacking is easier than defending.’ The defensive efforts were well-coordinated and reasonably well resourced, but Conficker was very hard to get a handle on. Also, I write about attacks from the angle of, ‘What is it the attacker wants to get? Is it money? Is it espionage?’ Conficker is an example of how hard it is to try and combat a piece of malware when you don’t know what the person behind it wants. We still don’t really have any sense of who was behind it, or what was being built. That makes it a big challenge to defend against—it really restricts us to very technical means. It’s also scary. Part of the suspense build-up of the book is, ‘Who’s doing this? Why? To what end?’ There doesn’t even necessarily have to be a particular motivation. One of the things that people who build large botnets do sometimes is rent out their botnets and say, ‘Would you like to launch an attack? You can rent my botnet by the hour.’ So, there are many possible explanations for what’s going on. The story shows how hard it is to attack cybercrime in the abstract. It’s mostly died down and been replaced by other types of bots. 
Today it’s not in the top 10-20 things you need to be worried about. But part of what is interesting about that story, and is true of a lot of the threats today, is that they’re coming through our own individual devices. When I talk about cyber security with my parents—who are not interested in the field at all—one of the things they often say is, ‘I’ve nothing worth stealing.’ Every time we talk my mother says to me, ‘Who cares if they can read my email?’ One of the points that it’s hard to make but worth trying to get across is that a lot of this is not about your personal security. Just because you feel there’s nothing on your laptop worth protecting doesn’t mean that your laptop can’t be harnessed to do really dangerous and evil things to other people. Worm makes that point really gracefully and says, ‘Look. Whether or not you care that your machines are compromised, if you’re not willing to take on the responsibility of doing some basic security hygiene they can be used in some really scary ways.’ Bots are just groups of compromised machines that are all controlled by the same remote server. So if I want to do almost anything—send phishing emails to millions of people, steal money, mine cryptocurrency, conduct espionage through hotpoints—it helps to have control of a lot of computers that I don’t own. That’s because my computers can probably be traced back to me or to where I live. Bots are just a way of controlling computers you don’t own and having a lot of processing power that you can use. We see it in espionage. If I’m stealing secrets from the UK government, if I’m working for the Chinese military, I probably don’t want to do it from a computer in Chinese military headquarters, because that’s probably going to alert the intrusion system. 
On the other hand, if I’ve compromised a bunch of computers at Oxford University, Oxford University has interactions with the UK government all the time. So you route your stolen data through Oxford University and it doesn’t raise any red flags. And then from Oxford you take it back to China or wherever else. We see universities playing this role a lot, because they often have more open networks, they often clamp down less on security than corporate or government networks. It’s a big thing at all universities, people’s computers getting compromised and being used as hotpoints for attackers. Krebs and Zetter are both very technical journalists. They’ve worked in the space a long time. Mark Bowden is interesting because he’s somebody who writes about all sorts of things, but then decided to write this book about computer security. Because of that, I think he has a very good ear for what people might want to have explained to them that people who are steeped in technical backgrounds might not think to define. Yes, absolutely. When we think about what we’re most scared of today and in the future just the fact that there are so many more devices online means that there’s more potential for bigger and bigger bots. The other piece of that is cleaning these devices. Once you create a bot, if I want to shut it down, ideally I have to wipe all those devices—which requires sending a lot of notifications and updates that everybody ignores. But hard as it is to get you to update your phone or your laptop, it’s so much harder to get you to update your wireless router or your security camera or anything that doesn’t have a screen or keyboard and the user interface that we’re accustomed to. That’s been a big, big challenge around the internet of things devices. You’re not going to bother changing the default password on your light bulbs because what do you care and who’s ever going to want to infect your light bulbs? 
And then they could all be harnessed really quickly because they all have the same password."
The Best Cyber Security Books · fivebooks.com