Fighting the worms of mass destruction
Date: November 28, 2003Source: Computer Crime Research Center
WHEN Microsoft released its latest monthly batch of software patches on November 11th, it included one designed to repair a previously unknown flaw in Windows 2000. Such an event often acts as a tip-off to the writers of computer worms and viruses, who know that new patches are never applied very widely or very quickly. It is possible that this new flaw could herald a series of computer failures at least as damaging as those seen earlier in the year.
Bill Gates, the chairman of Microsoft, once made a habit of using his keynote speech at Comdex, the computer industry's top annual trade show, to launch his company's “next big thing”. Not all of these innovations succeeded, though at the time of their unveiling they all contained something to excite the industry. But times have changed. Mr Gates began his speech at the Las Vegas show this month by unveiling a dull bit of software that manages the distribution of security patches on a network. He followed this with an almost equally dreary firewall and a new spam-filtering initiative. These, rather than glitzy product announcements, are the industry's new priorities. Closing loopholes exploited by viruses, worms and hackers, said Mr Gates, is “the largest thing we are doing”.
Eradicating spam is a top priority for the American government too. The Can Spam Act made comfortable progress through Congress this week, the first piece of federal legislation to attempt to reduce the amount of unsolicited electronic garbage passing over the internet. Opinion is divided as to how effective the new law will be. But if it works at all, it will also help to improve internet security. Spam is often the transmitter of computer viruses.
The biggest fear is that viruses and worms will be used by terrorists to hold societies to ransom. Last year, American spies found a shack in Pakistan where it appeared that al-Qaeda had been training hackers to break into the computer systems of dams, power grids and nuclear plants. Computer failures may have played a role in the vast power black-outs in north-eastern America and parts of Canada that occurred at the same time.
However, according to Bruce Schneier, a leading expert on network security, only one instance so far deserves to be called cyber-terrorism. In 2000, a hacker named Vitek Boden broke into the computers of an Australian sewage plant and leaked raw effluent into rivers and parks, killing fish but no people. However, Mr Boden was no ordinary terrorist. Not only had he helped to design and install the system that he attacked, but even with his inside knowledge he had considerable difficulty breaking in.
Terrorists may try more sinister acts. Nonetheless, the internet is a surprisingly difficult medium for them. Malicious code has the potential to cause huge annoyance and disruption. But for people intent on carnage and terror, rather than disruption, blowing oneself up or similar low-tech methods remain far more attractive.
A better word for the threat of internet crime is therefore “cyber-hooliganism”, says Mr Schneier. Less than 1% of recent computer attacks originated in countries that America considers breeding grounds for terrorists; the vast majority came from inside America itself. Hackers are more likely to be geeky teens on an ego trip, or greedy crooks hoping to steal money online, than Islamic fundamentalists.
The promise of the internet knows few bounds: economists think it can boost productivity, efficiency and prosperity much further; entrepreneurs are still excited by its facilitation of online commerce; and more and more consumers prefer it to shops. To realise its full potential, however, the net has to become more trustworthy.
Yet it is rapidly becoming less so. The Blaster worm and SoBig virus that attacked this summer caused estimated losses of $35 billion. Attacks are getting more frequent, as well as more insidious, relying less often on viruses (which require human action, such as double-clicking on an e-mail attachment) and more often on worms (which propagate by themselves through any unprotected connections on the network). This means that the threat can only grow as “always-on” broadband connections to the internet replace dial-up access, and as ever more devices in addition to PCs are connected.
Attacks are also happening faster. A few years ago, it typically took virus writers a year to exploit a software vulnerability announced by a vendor. This gap between disclosure of a flaw and attack has been shrinking. For the Slammer worm in January it was six months, and for Blaster in August a mere three weeks. It is almost three weeks now since Microsoft brought out its patch for Windows 2000.
Attacks are also more intense and brief. Slammer infected 90% of vulnerable computers within ten minutes. Future attacks, says Gerhard Eschelbeck, the technology boss of Qualys, a network-security monitoring firm, will do their damage within a couple of minutes. Qualys says that it takes organisations an average of one month to patch their known vulnerabilities.
Viruses and worms, moreover, are only one form of internet crime. Brightmail, the world's market leader in filtering e-mails for fraud and spam, recently found that 10% of all e-mails were scams of one sort or another. Nigerian letters are probably notorious enough by now to be more comical than dangerous. But a lot of fraud is cunning. This includes brand spoofs–e-mails that pretend to come from famous and trusted consumer companies–fake web pages, phoney press releases, and “phishing”, which tricks recipients into giving out sensitive information, such as credit-card numbers.
The resulting anxiety naturally suits vendors of protection technologies, whose sales have been rising sharply. Sometimes the vendors seem to be peddling fear, and it is working. Most companies and governments nowadays use firewalls (devices to keep malicious code out of their internal networks), intrusion-detection systems (which analyse what gets past the firewalls) and similar technologies. Consumers also increasingly have anti-virus software on their computers, though many of them fail to keep it up-to-date.
These gizmos work up to a point. Jerry Ungermann, the president of Check Point, the world's largest vendor of firewalls, boasts that none of his customers was affected by Blaster because Check Point was so quick to put the appropriate defences into its products. Rival vendors of anti-virus software often compete fiercely in their marketing, but share information as soon as a new virus appears. VeriSign, a company that manages the domain-name systems for .com and .net, is evolving into a sort of CIA of the net, spotting suspicious traffic early and warning those at risk.
Protective “good” code, however, is not by itself enough to fight off incoming “evil” code. As with crime in the physical world, the efforts to fend off break-ins need the support and sanctions of the law. Lawrence Lessig, a professor at Stanford University and an expert on cyberlaw, says that when it comes to cyberspace, policymakers have so far shown themselves to be consistently “stupid and bribable”. How else, he asks, to explain the curious hierarchy of their current priorities. Online copyrights come at the top because of the powerful lobbying of music companies, which are better described as firms faced with a rapidly eroding business model than as victims of crime. Near the bottom comes the online privacy of millions of consumers.
Though more government action will undoubtedly be needed, caution is also in order when considering new laws against cybercrime, lest they make matters worse. This is especially important because most of the experts who advise the lawmakers are not disinterested parties. Qualys's Mr Eschelbeck, for instance, thinks Congress should pass a law requiring companies to subscribe to automated audits of their systems, which happens to be the service provided by Qualys.
The issue of commercial interests interfering with sound responses becomes especially acute when the debate turns to Microsoft, the world's largest software company. Ask, for instance, Dan Geer, an expert on software security and a top executive of @Stake, a security consulting firm. In September, he led a group that wrote a report blaming Microsoft's virtual “monoculture” in operating systems for the internet's frailty. No sooner was the report published than he found himself out of a job. @Stake, which counts Microsoft among its customers, “fired me by press release, retroactively and in public,” he says.
The gist of Mr Geer's argument is that Microsoft has over the years created “unacceptable levels of complexity” in its computer code. It has done so because its main objective has been to lock users into its software by tying the Windows operating system together with applications such as Word, Explorer and Outlook. Complexity is “the enemy of security”, says Mr Geer's report, since “the defender has to counter all possible attacks; the attacker only has to find one unblocked means of attack.” Moreover, complexity feeds on itself since “fixing a known flaw is likely to introduce a new, unknown flaw.”
On this analysis, many of today's problems stem from Microsoft's success in creating a virtual monopoly. Some 94% of PCs...
Next
Add comment
Email to a Friend
| Discussion is closed - view comments archieve |
| 2005-08-25 19:43:22 - Your blog is realy very interesting.... mishel |
| Total 1 comments |
