Firewall Nation
In August, IBM released a study reporting that "virus-laden e-mails and criminal driven security attacks" leapt by 50 percent in the first half of 2005, with government and the financial-services, manufacturing, and health-care industries in the crosshairs. In July, the Pew Internet and American Life Project reported that 43 percent of U.S. Internet users -- 59 million adults -- reported having spyware or adware on their computers, thanks merely to visiting websites. (In many cases, they learned this from the sudden proliferation of error messages or freeze-ups.) Fully 91 percent had adopted some defensive behavior -- avoiding certain kinds of websites, say, or not downloading software. "Go to a neighborhood bar, and people are talking about firewalls. That was just not true three years ago," says Susannah Fox, associate director of the Pew project.
Then there is spam. One leading online security company, Symantec, says that between July 1 and December 31, 2004, spam surged 77 percent at companies that Symantec monitored. The raw numbers are staggering: weekly spam totals on average rose from 800 million to more than 1.2 billion messages, and 60 percent of all e-mail was spam, according to Symantec.
But perhaps most menacing of all are "botnets" -- collections of computers hijacked by hackers to do remote-control tasks like sending spam or attacking websites. This kind of wholesale hijacking -- made more potent by wide adoption of always-on broadband connections -- has spawned hard-core crime: digital extortion. Hackers are threatening destructive attacks against companies that don't meet their financial demands. According to a study by a Carnegie Mellon University researcher, 17 of 100 companies surveyed had been threatened with such attacks.
Simply put, the Internet has no inherent security architecture -- nothing to stop viruses or spam or anything else. Protections like firewalls and antispam software are add-ons, security patches in a digital arms race.
The President's Information Technology Advisory Committee, a group stocked with a who's who of infotech CEOs and academic researchers, says the situation is bad and getting worse. "Today, the threat clearly is growing," the council wrote in a report issued in early 2005. "Most indicators and studies of the frequency, impact, scope, and cost of cyber security incidents -- among both organizations and individuals -- point to continuously increasing levels and varieties of attacks."
And we haven't even seen a real act of cyberterror, the "digital Pearl Harbor" memorably predicted by former White House counterterrorism czar Richard Clarke in 2000 (see "A Tangle of Wires"). Consider the nation's electrical grid: it relies on continuous network-based communications between power plants and grid managers to maintain a balance between production and demand. A well-placed attack could trigger a costly blackout that would cripple part of the country. The conclusion of the advisory council's report could not have been starker: "The IT infrastructure is highly vulnerable to premeditated attacks with potentially catastrophic effects."
The system functions as well as it does only because of "the forbearance of the virus authors themselves," says Jonathan Zittrain, who cofounded the Berkman Center for Internet and Society at Harvard Law School and holds the Chair in Internet Governance and Regulation at the University of Oxford. "With one or two additional lines of code...the viruses could wipe their hosts' hard drives clean or quietly insinuate false data into spreadsheets or documents. Take any of the top ten viruses and add a bit of poison to them, and most of the world wakes up on a Tuesday morning unable to surf the Net -- or finding much less there if it can."
In Part 2: Why patching up the Internet with layers of security software isn't working -- and what a safer new architecture might look like.
Comments
Guest (Eileen McCluskey) on 12/19/2005 at 10:09 AM
1
Guest (artMonster) on 12/19/2005 at 11:43 AM
1
Guest (Bellinghamster) on 12/19/2005 at 4:52 PM
1
Guest (Matej) on 12/19/2005 at 9:11 PM
1
When this article was mentioned on "The World" (WGBH) they mentioned that NSF is planning to release $300M for "development of new protocols which would make Internet safe" (and another $300M later for implementation). Why in the world do we need more protocols when we are not using the current ones? My Linux here has support for IPv6, S/MIME, etc. etc. but no-one in the world uses them, because the problem with unsafe Internet is not in the technology, but in the organization and social problems (like how to make everybody identifiable over Internet, when US public doesn't want to be identified in the first place)?
Matej
Guest (Mike) on 12/20/2005 at 1:30 AM
1
If they want to spend $200M, send it my way and I'll demonstrate a cool solution to make it easier to deploy new web-based services, to any device, saving major corporations Billions in the process. Cheers!
Guest (Owen N. Martinez) on 12/20/2005 at 5:47 AM
1
Guest (Rider) on 01/11/2006 at 12:00 AM
1
Guest (Si) on 12/20/2005 at 4:31 AM
1
Guest (Fergus Doyle) on 12/20/2005 at 5:39 AM
1
Guest (E Feustel) on 12/20/2005 at 6:30 AM
1
Guest (mrxsmb) on 12/28/2005 at 4:30 AM
1
The issues highlighted with MS [the debilitating Operating System, not the debilitating Physical Affliction] and its usability over functionality approach are all valid, but other OSs and applications have their own issues.
Of course business could actually pony up the money to build their own networks and not use the internet, but then how would that save them money? I believe some already do, as do Governments and sensibly so.
One bank in Australia has actually got with the program and realised they should issue their on-line banking customers with a swipe and pin security system the same as on an ATM, at each and every house. How much of the "problems" discussed would be solved by this simple change in attitude?
Guest (coet) on 02/04/2006 at 12:00 AM
1
Guest (George) on 05/05/2006 at 12:00 AM
1
I would say the question behind the security issue is what is required in terms of software and what is required in terms of network protocols to really achieve security.
Guest (CEC) on 01/07/2006 at 10:43 AM
1
The only thing to be gained by making the infrastructure more complex is a slower internet and more vulnerabilities in routers and other infrastructure devices.
The end point should be designed for the level of security it requires. I have no problem with network prevention of obvious malicious traffic (i.e. worms), but I don't want the government owning this surveillance. I certainly don't want the internet to change only for the benefit of commercial interests and governments wishing to stamp out political dissent - that is belittling to the purpose of the internet.
Guest (liufly) on 04/22/2006 at 12:00 AM
1
Guest (p) on 12/20/2005 at 8:31 AM
1
I admit larger TCP ISNs would be good, and SMTP should have a way to reject mail per-user after the mail server has read all of it.
Apart from that what you need is security in execution environments (where some of those EEs are OSs and some are browsers etc.).
This is one of several similar approaches - it's no longer adequate to let a program do anything it chooses. The programs can't be trusted while handling suspect data. This is a different threat model from most computer security work historically.
http://www.google.co.uk/url?sa=U&start=5&q=http://www.cs.columbia.edu/~smb/papers/subos.pdf&e=42
Extensions to existing OS s/w are effective at providing this kind of security.
http://whitepapers.zdnet.co.uk/0,39025945,60150583p-39000584q,00.htm
Guest (Dr Hacker) on 12/20/2005 at 10:35 AM
1
Guest (Sundararajan Srinivasan) on 12/28/2005 at 5:47 AM
1
Internet and all the related protocols could have been designed more secure. But it would not have got the same popularity, as it is now. That is why we are now paying security experts to build layers of security.
Guest (rmarino) on 12/30/2005 at 9:53 PM
1
Guest (The P-man) on 01/08/2006 at 8:36 PM
1
Guest (sorpigal) on 03/09/2006 at 12:00 AM
1
IM2k uses a 'pull' method of distribution which is inherently more reliable and safer. Go read up on it and make the switch.
Guest (Nart) on 01/11/2006 at 12:00 AM
1
Guest (J Tyrrell) on 02/13/2006 at 12:00 AM
1
Guest (webfrog) on 01/11/2006 at 12:00 AM
1
It was never built with security in mind because it was initially a private network between a select set of sites. It was designed to facilitate the easy movement of information between dissimilar systems, oh and by the way the government was already involved in the initial version which later expanded into the internet. It was called ARPANET and was devised by the U.S. DOD in the 60's.
Guest (David Schurman in Berlin) on 01/13/2006 at 12:00 AM
1
And the arrogance that "perhaps some other labs than in US might take part"... WAKE UP... you don't grasp the damage done to the US reputation by GWB and Co.
Guest (Rahul) on 01/15/2006 at 12:00 AM
1
The article comes none too soon.
However, what about the users who cannot get off it? Suffer till help is on the way? What is the estimated damage?
Guest (Laszlo) on 01/20/2006 at 12:00 AM
1
Guest (Schmick) on 02/09/2006 at 12:00 AM
1
Guest (Abraham Y. Chen) on 02/26/2006 at 12:00 AM
1
What goes into one side (Edge) comes out on the other side (Edge), no more, no less & no distortion, except perhaps some time delays due to natural physics.
Expecting Internet to take care of the security issues induced by poor caliber of late computer Operating Systems is going the wrong way from this basic rule.
A recent IETF (Internet Engineering Task Force) proposed activity, PWE3 (Pseudo Wire Emulation Edge to Edge) based on TDMoIP (Time Division Multiplex over IP) technology might be a good sanity check point.