Monday, December 08, 2008

Internet security is broken, and no one knows how to fix it

By John Markoff
Sunday, December 7, 2008

SAN FRANCISCO: Internet security is broken, and nobody seems to know quite how to fix it. Despite the efforts of the computer security industry and a half-decade struggle by Microsoft to improve the security of its Windows operating system software, malicious software is spreading faster than ever.

The so-called malware surreptitiously takes over a PC and then uses that computer to spread the software to other machines exponentially. Computer scientists and security researchers acknowledge that they cannot get ahead of the onslaught.

As more business, commerce and social life has moved onto the Web, gangs of elusive criminals thrive on an underground economy of credit-card thefts, bank fraud and other scams that rob computer users of an estimated $100 billion a year, according to a conservative estimate by the Organization for Security and Cooperation in Europe. A single Russian company that sells fake antivirus software, which actually takes over a computer, pays its distributors as much as $5 million a year.

With vast resources from stolen credit card and other financial information, the cyberattackers are handily winning a technology arms race. "Right now the bad guys are improving more quickly than the good guys," said Pat Lincoln, director of SRI International's Computer Science Laboratory.

A well-financed computer underground has built a major advantage by working in countries that have global Internet connections but ineffectual law enforcement agencies that have little appetite for prosecuting offenders who are bringing in significant amounts of foreign currency.

That was driven home late last month when RSA Fraud Action Research Lab, a security consulting group, reported that it had discovered a cache of a half-million credit-card numbers and bank-account log-ins, all of which had been clandestinely harvested by a large network of zombie computers remotely controlled by an underground online gang.

In October an independent group of researchers at the Georgia Tech Information Security Center in Atlanta reported that the percentage of online computers infected by such robot networks, or botnets, was likely to increase to 15 percent by the end of this year from 10 percent in 2007. That suggests a staggering number of infected computers. About 10 million robot computers are being used to distribute spam and malware over the Internet each day, according to research compiled by Panda Labs.

Security researchers acknowledge that their efforts are largely an exercise in the game of whack-a-mole, to a large extent because botnets that distribute spam, trojans and viruses are still relatively invisible to commercial antivirus software. A research report by Stuart Staniford, chief scientist of FireEye, a Silicon Valley computer security firm, indicated that in recent tests of 36 commercial antivirus products, less than half of the most recent malicious software was identified.

There have been some recent successes, but they are short-lived. On Nov. 11, the volume of spam, which transports the malware, dropped by half around the globe after McColo, an American company with Russian ties, was disconnected from the Internet. But spam levels rose again as a new connection was established through Hong Kong.

The malware has consistently evolved and now programs can be targeted to hunt for a specific type of information - including any kind of personal information stored on a personal computer - or for certain documents.

For example, some malware uses the operating system to hunt for recent documents created by a user, on the assumption that they will be more valuable. It is designed to routinely watch for and then steal log-in and password information, specifically targeting consumer financial information.

The sophistication of the programs has begun in the past two years to give them almost lifelike capabilities. For example, malware programs now infect computers and then routinely use their own antivirus capabilities to not only disable antivirus software but remove competing malware programs.

Recently, Microsoft anti-malware researchers disassembled an infecting program and were stunned to discover that it was programmed to turn on the Windows Update feature after it took over the user's computer. The infection was ensuring that it was protected from other criminal attackers.

And there is more of it. Microsoft has monitored a 43 percent jump in malware removed from Windows computers just in the past half year.

The severity of the situation was driven home not long ago for Ed Amoroso, security chief at AT&T. "I was at home with my mother's computer recently and I showed her it was attacking China," he said. "'Can you just make it run a little faster?' she asked, and I told her, 'Ma, we have to re-image your hard disk.'"

There have also been reports of successful cyberthefts from both the Obama and McCain election campaigns and from a nonclassified network in the White House.

The U.S. government has begun to recognize the extent of the problem. In January, President George W. Bush signed National Security Presidential Directive 54 establishing a clandestine national cybersecurity initiative. The plan, which may cost as much as $30 billion over seven years, is directed at securing the U.S. government's own computers as well as the systems that run the United States' critical infrastructure, like oil and gas networks and electric power and water systems.

That will do little, however, to help protect businesses and consumers who use the hundreds of millions of Internet-connected personal computers and cellphones, the new target of the criminals.

Beyond the billions of dollars lost in stolen money and data is another, deeper impact. Many Internet executives fear that basic trust in what has become the foundation of 21st-century commerce is rapidly eroding.

"There's an increasing trend to depend on the Internet for a wide range of applications, many of them having to deal with financial institutions," said Vinton Cerf, one of the designers of the network and Google's chief Internet evangelist. "The more we depend on these types of systems, the more vulnerable we become."

It is a vastly different world than 20 years ago when the first worm was inadvertently unleashed by a 24-year-old Cornell University graduate student. It wreaked havoc through the Internet, then located almost exclusively in the United States and composed of just 60,000 computers.

Written by Robert Tappan Morris, now a respected computer scientist at the Massachusetts Institute of Technology, the worm contained a small design error that led the program to replicate explosively and ultimately jam many of the computers on the Internet.

"Modern worms are stealthier and they are professionally written," said Bruce Schneier, chief security technology officer for British Telecom. "The criminals have gone up-market and they're organized and international, because there is real money to be made."

The cybercriminals appear to be at least as technically advanced as the most sophisticated software companies. And they are faster and more flexible. As software companies have tightened the security of the basic operating systems like Windows and Macintosh, attackers moved on to Web browsers and Internet-connected programs like Adobe Flash and Apple QuickTime.

This has led to an era of so-called drive-by infections, where users are induced to click on Web links that are contained in e-mail messages. Cyber-criminals have raised the ability to fool unsuspecting computer users into clicking on intriguing messages to a high art.

Researchers note that the global cycle of distributing security patches inevitably plays to the advantage of the attackers, who can continually hunt for and exploit new back doors and weaknesses in systems.

This year, computer security companies have begun shifting from traditional antivirus program designs, which are regularly updated on subscribers' personal computers, to Web-based services that can be updated even faster.

"This is always an arms race. As long as it gets into your machine faster than the update to detect, the bad guys win," Schneier said.

Security researchers at SRI International are now collecting more than 10,000 unique samples of malware daily from around the globe.

"To me, it feels like job security," said Phillip Porras, an SRI program director and the computer security expert who led the design of the company's Bothunter program, which is available free at

Despite new technologies that are holding some attackers at bay, several computer security experts said they were worried that the economic downturn will make computer security the first casualty of corporate spending cuts. Security gets hit because it is hard to measure its effectiveness, said Eugene Spafford, a computer scientist at Purdue University.

He, too, is not optimistic that his trade is making progress anyway.

"In many respects we are probably worse off than we were 20 years ago," he said. "Because all of the money has been devoted to patching the current problem rather than investing in the redesign of our infrastructure."
