Hello,

We noticed you're browsing in private or incognito mode.

To continue reading this article, please exit incognito mode or log in.

Not an Insider? Subscribe now for unlimited access to online articles.

Intelligent Machines

How to Get Everyone To Secure Computers

Botnets are a huge problem—one that can’t be solved without persuading recalcitrant owners of millions of infected private computers to take action.

If you want to get your malicious software loaded on 1,000 U.S. computers, it will cost you about $100, or a dime each, on the black market. Getting your malware on 1,000 machines in Asian countries will cost you only $5.

These infected computers—collectively known as botnets—can be used to send spam, steal passwords or other private information, and hack into corporate computer systems. Researchers estimate that five million computers around the world were infected just in the first quarter of 2012.

With infections perennially hard to stop, especially on computers with outdated software or lacking in antivirus protection, one key front in the war against botnets involves enlisting millions of average people—hapless owners of infected computers—to take action by cleaning their machines and keeping them up to date. Even if the government or industry wanted to bypass these users, it couldn’t, because in the United States, and many other places, private machines can’t be touched without a court order.

“There is a fundamental conundrum in the fact that we can identify literally millions of compromised machines that we are not in a position to do much about with regard to cleanup,” says Stefan Savage, a computer security researcher at the University of California, San Diego.

Last week, the White House and major computer and Internet companies that make up the Industry Botnet Group—a partnership formed last year—pledged to step up industry action against botnets. The new effort includes increased coöordination between industry and government, progress toward information sharing between Internet service providers and financial institutions, and a Keep a Clean Machine campaign to step up consumer education. All of this is voluntary.

There is wide acknowledgment, however, that a crucial problem is figuring out how to persuade technologically naïve and apathetic users to protect themselves. Efforts to study what sorts of warnings actually trigger productive action by computer owners is one part of that approach. And ISPs will play a key role, since they are the natural point of contact with computer users.

“Botnets today are where spam was in 2004, when we thought spam would sink the Internet, or at least e-mail,” says Michael O’Reirdan, a Comcast executive who is cochairman of an industry group that, among other anti-abuse efforts, tries to improve how ISPs notify people and help them fix their machines.

ISPs eventually took a leading role in fighting spam by hiring technical staff and creating filters to catch junk messages. But their efforts to combat botnets by notifying computer owners of infections are still primitive—“like DOS 1.0,” as O’Reirdan put it, referring to Microsoft’s original 1980s operating system.

Attempts to understand how consumers might be persuaded to take a more active role in securing their machines have followed law-enforcement agencies’ recent hijackings of major botnets. Last November, the FBI hijacked DNS Changer, a botnet that redirected people to infected websites, and arrested those involved. The FBI no longer allows the redirections, but it can still see the flows of requests coming in to DNS Changer, and therefore how many active infections are still out there—350,000 at last count.

This kind of information will help ISPs determine what kinds of alerts and messages prompt people to take action, says O’Reirdan. The ISPs can see changes at specific times and from specific geographic areas in traffic flowing to DNS Changer. “This will be the first time we’ve had a population where we’ve done some of this correlation and research,” he says. No findings are yet available.

Paradoxically, compounding the problem is that “people have been trained not to click on e-mails or pop-ups they don’t understand because it might be a phishing attack—but how else do you contact your customer? We have to start somewhere,” O’Reirdan says.

It’s also proving difficult for software companies to have an impact. Last year, Microsoft played a leading role in shutting down the command-and-control servers of another botnet, called Rustock, in a civil action. But only 58 percent of machines infected in the United States are thought to have been cleansed of the actual virus.

“All of these operations mean little if you don’t get to the victims,” says Richard Boscovich, senior attorney for Microsoft’s Digital Crimes Unit. “That’s one of the cornerstones—notifying the victims and stopping the continued victimization.”

A surprising number of people have switched off automatic updates for their operating systems and have no antivirus software installed, Boscovich adds. (Software companies cannot change things on people’s computers unless the user gives permission in advance.) Users of Microsoft operating systems can visit this site to learn how to use Windows Update; other security information is available here.

To take Rustock down, Microsoft got court orders to seize botnet-related Web addresses and servers. While efforts like this one are helpful, they do little to change the business model of botnets. And while the tools in the fight against malware have gotten a lot better, Savage says, they have not gotten good enough to change the game.

“The fact of the matter is that compromising large numbers of machines is still easy,” Savage says.

Become an MIT Technology Review Insider for in-depth analysis and unparalleled perspective.

Subscribe today

Uh oh–you've read all of your free articles for this month.

Insider Premium
$179.95/yr US PRICE

More from Intelligent Machines

Artificial intelligence and robots are transforming how we work and live.

Want more award-winning journalism? Subscribe and become an Insider.
  • Insider Plus {! insider.prices.plus !}* Best Value

    {! insider.display.menuOptionsLabel !}

    Everything included in Insider Basic, plus the digital magazine, extensive archive, ad-free web experience, and discounts to partner offerings and MIT Technology Review events.

    See details+

    What's Included

    Unlimited 24/7 access to MIT Technology Review’s website

    The Download: our daily newsletter of what's important in technology and innovation

    Bimonthly print magazine (6 issues per year)

    Bimonthly digital/PDF edition

    Access to the magazine PDF archive—thousands of articles going back to 1899 at your fingertips

    Special interest publications

    Discount to MIT Technology Review events

    Special discounts to select partner offerings

    Ad-free web experience

  • Insider Basic {! insider.prices.basic !}*

    {! insider.display.menuOptionsLabel !}

    Six issues of our award winning print magazine, unlimited online access plus The Download with the top tech stories delivered daily to your inbox.

    See details+

    What's Included

    Unlimited 24/7 access to MIT Technology Review’s website

    The Download: our daily newsletter of what's important in technology and innovation

    Bimonthly print magazine (6 issues per year)

  • Insider Online Only {! insider.prices.online !}*

    {! insider.display.menuOptionsLabel !}

    Unlimited online access including articles and video, plus The Download with the top tech stories delivered daily to your inbox.

    See details+

    What's Included

    Unlimited 24/7 access to MIT Technology Review’s website

    The Download: our daily newsletter of what's important in technology and innovation

/
You've read all of your free articles this month. This is your last free article this month. You've read of free articles this month. or  for unlimited online access.