By Peter Cochrane, 30 October 2003 11:15
COMMENT With malware on the rise and security threats more common than ever, Peter Cochrane wonders how bad it's going to get before somebody takes action...
Over the past month I've watched the escalation of network attacks on my home computers that roughly track the global trend that has seen more than 170,000 individual network attacks on the US alone in the first six months of 2003.
In my case the average time between attacks has rapidly fallen from days, to hours, to minutes and now to around one every four seconds, and I think I have topped out. I may be wrong, but this seems to be the response time of my combined ISP server, connection, home network, and machines.
All attacks manifest themselves as warning flags on my screen from my firewalls and virus catchers. These inform me that threats have been repelled and I am still secure, or not.
A primary result has been a visible slow down in network performance, and I estimate that the SoBig virus and Blaster worm consumed more than 50 per cent of the global network capacity at their peak. Ultimately I had to switch off my monitoring flags and to only show violations, but at the end of each day I had logged thousands of individual attacks.
Upon analysis I found that the majority originated from customers connected to my ISP, and it is clear that thousands of local computers had been infected. ISP communities were thus acting as unwitting distribution centres.
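The kind of analysis described above, as an added example that is not part of the column: the script parses constructed personal-firewall log lines, counts blocked connections per source address and destination port, and reports what share of the blocks came from a hypothetical ISP customer address range (the range, the log format and the sample lines are all assumptions made for the example). Run on a day's real firewall log, this is the quickest way to confirm whether the noise is coming from neighbouring customers of the same provider rather than from the wider internet.

```python
"""Summarise firewall-block log lines by source network (added example).

Given firewall log lines, count blocked connections per source address and
destination port, and report how many fall inside a hypothetical ISP customer
range. The ISP range, log format and sample lines are constructed for this
example and are not from the column.
"""
import ipaddress
import re
from collections import Counter

# Hypothetical customer address ranges of "my ISP" (assumption, documentation
# prefixes from RFC 5737, not real provider space).
ISP_CUSTOMER_NETS = [ipaddress.ip_network("192.0.2.0/24"),
                     ipaddress.ip_network("198.51.100.0/24")]

# Constructed sample log lines in a common personal-firewall style.
SAMPLE_LOG = """\
2003-10-29 22:10:01 BLOCK TCP 192.0.2.17:3291 -> 10.0.0.5:135
2003-10-29 22:10:05 BLOCK TCP 192.0.2.17:3299 -> 10.0.0.5:135
2003-10-29 22:10:09 BLOCK TCP 198.51.100.44:1025 -> 10.0.0.5:4444
2003-10-29 22:10:12 BLOCK ICMP 203.0.113.9 -> 10.0.0.5
2003-10-29 22:10:13 BLOCK TCP 192.0.2.80:4012 -> 10.0.0.5:135
2003-10-29 22:10:17 ALLOW TCP 203.0.113.10:443 -> 10.0.0.5:51532
2003-10-29 22:10:21 BLOCK TCP 203.0.113.9:2001 -> 10.0.0.5:135
"""

# Assumed line layout: "<date> <time> <ACTION> <PROTO> <src>[:port] -> <dst>[:port]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>BLOCK|ALLOW) (?P<proto>\S+) "
    r"(?P<src>[0-9.]+)(?::\d+)? -> (?P<dst>[0-9.]+)(?::(?P<dport>\d+))?$")


def parse_blocks(text):
    """Yield (src_ip, proto, dport) for each BLOCK line; unparseable lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["action"] != "BLOCK":
            continue
        dport = int(m["dport"]) if m["dport"] else None
        yield ipaddress.ip_address(m["src"]), m["proto"], dport


def in_isp_range(ip):
    """True if the address lies in one of the (hypothetical) ISP customer ranges."""
    return any(ip in net for net in ISP_CUSTOMER_NETS)


def summarise(text):
    """Return total blocks, blocks from the ISP ranges, their share, and the
    most frequent sources and destination ports."""
    per_src = Counter()
    per_port = Counter()
    total = 0
    local = 0
    for src, proto, dport in parse_blocks(text):
        total += 1
        per_src[str(src)] += 1
        per_port[(proto, dport)] += 1
        if in_isp_range(src):
            local += 1
    share = local / total if total else 0.0
    return {"total": total, "from_isp": local, "isp_share": share,
            "top_sources": per_src.most_common(3),
            "top_ports": per_port.most_common(3)}


if __name__ == "__main__":
    for key, value in summarise(SAMPLE_LOG).items():
        print(key, value)
```

On the constructed sample, four of the six blocked connections come from the assumed ISP ranges, and the most-hit destination port is TCP 135; grouping by port alongside source is what separates one worm's scanning pattern from general background noise.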
Several variants of Slammer/Blaster, SoBig/Nachi/Welchia are still appearing on my screen in the guise of messages from people I know, or indeed don't know, with headers such as "help", "your order is confirmed", "sexy girls", "that movie", "returned email" and more. Fortunately, I find it relatively easy to identify virus-carrying emails, and not being a user of the dominant operating system and office products, I'm a lot less prone to infection anyway.
To date I have resisted the temptation to install a dedicated hardwired firewall into my home network, preferring instead to leave it wide open to visitors who want to access via Wi-Fi. I ensure protection by installing firewalls on individual machines, and while I am in some respects open to attack, I am willing (for now) to take this risk for the overwhelming benefits of flexibility in the working environment.
I have, however, experienced first-hand the devastating impact of this new style of combined virus-and-worm attack on my son's PC. He does use the dominant operating system and office products, and despite the fact that this machine has a firewall and virus protection, somehow the worm got in and the machine was rendered useless. It took more than a full day of concerted effort to rebuild it, fully protect it and get it back onto the network. What a waste!
If you multiply up this level of effort we are talking billions of dollars in repair costs and even more in lost business revenues. Experts estimate that the Blaster and SoBig events alone cost global businesses more than $2bn. And be sure, this is only one incident - there are going to be thousands more of a gradually increasing seriousness. To date virus and worm attacks have been relatively benign. I think we are fast heading to an era when they are going to become really vicious and there is a very real risk of bringing down business and seriously disrupting society.
If the last attack could stop trains running, foul up traffic control systems, stop banks trading and cripple small businesses, watch out. The question is: what are we going to do?
After more than five years of concerted and growing virus/worm attacks it is paradoxical that our general ability, as a lawful society, to resist these attacks has not significantly improved. The perpetrators are not fun loving geeks thumbing their noses at us, they are cyber-terrorists and as individuals and groups they present a rapidly growing threat to business and society.
If they were planting high explosives, cutting power lines, wrecking property and killing people we would engage our police and security services to track them down, arrest them and lock them up. With only a very small per cent of the estimated $500bn that will be lost this year alone due to these people we could set up security teams across the planet to do exactly the same on the internet. It is easy to track down these people on the net, and if we can't physically get at them because they are behind an unfriendly country's border, then we should set about electronically attacking them, and if need be blockading that country to exclude it from the internet community until they clean up their act.
No matter what you do as a network administrator or as a self-contained small business it is extremely difficult to ensure that all machines and all possible routes of attack are 100 per cent up to date all of the time. Sooner or later something will slip through and you will find yourself becoming part of the distribution network for an unwanted infection.
Given the size, speed and interconnectivity of the net, viral and worm infections now spread far faster and wider than any other human infection generated from a single sneeze. The difference is that we possess a natural immune system, which seeks to automatically learn about, assimilate and reject all forms of infection. It is obviously a roaring success as a systems concept, otherwise most of us wouldn't be here.
It seems to me that we need to design and engineer electronic antibodies for all our computers and other technologies, and we need them to look out for, identify and learn about any invaders of the viral/worm variety. Instead of just sitting there and being attacked, our machines could then respond by broadcasting successful antidotes across the net which would rapidly outstrip and kill the infection before it gained a hold and caused major disruption. If a virus/worm such as SoBig can emanate from a single source and spread across the network in a matter of 10 hours, then so could antidotes.
It would be to the advantage of all commercial operations of any size to invest in antidote technologies so that the broadcasting of solutions to repel/destroy boarders would occur at a far greater rate and effectiveness than those maligned individuals can perpetuate these attacks.
We are all watching the most revolutionary communications channel invented being taken down a step at a time by small groups of twisted individuals. At a modest estimate a combination of virus, worm and spam traffic is reducing the net to 20 per cent of its former self. If this was our oil, water, or food supply we would have to react real fast. Soon it will be. Take down our communications and all the rest will quickly follow.
So why haven't we done anything? My theory: because we haven't seen sufficient damage, inconvenience, pain, loss of business, or loss of human life to date. But I suspect we soon will. It is only a matter of time before a pharmacy, MD's surgery, hospital, or transport system has an induced event. I think we are rapidly approaching the point of no return where we really do have to decide to repel boarders in a far more serious and professional way. I really don't think we should wait for the lights to go out, the taps to run dry, and the shelves to empty.
This column was typed while flying Washington DC to Chicago on AA4204 and despatched from my Schaumburg hotel, which was having a free broadband Wi-Fi day.
Comments
There are 13 comments.
1. anonymous
"So why haven't we done anything? My theory: because we haven’t seen sufficient damage, inconvenience, pain, loss of business, or loss of human life to date."
Perhaps that's why WE haven't done anything. But the primary reason the company responsible for releasing products that allow this to happen has everything to do with money: they haven't seen any reason to correct their problem because they don't see any profit in it.
I use another OS. In nearly 7 years' use I've HEARD of about as many worms. I've yet to see one or to have heard personally of anyone getting one. I can't say that much about any of the last 10 worms and viruses that have affected the majority platform. I can name several for most and at least one for each.
Before I see the same old stuff about "not being the majority of users" and "wait until the numbers reach a high enough level and the exploits will grow" let me caution that nobody can point to so much as a similarity in percentages. My stock response to such dubious claims is just as substantive as the claims themselves: bla, bla bla.
The fact is, the other OS was never created to be secure (the words of one of their own bigwigs), while there are plenty of others that put security first, always have and always will.
I changed about 7 years ago because I saw the direction the majority platform was moving, and I saw very little chance they'd do anything about it before it became a real nightmare. So far I haven't been disappointed.
I wouldn't care a bit under normal circumstances. I usually offer my advice and let people reap what they sow. In this case, however, my networking is clogged with malware trying to attack my machines, too. So I'm being directly affected by something I don't use and consider to be an abomination. It makes no difference they can't harm my machines when they still slow me to a crawl.
2. anonymous
It all comes down to money.
Sooner or later, some 12 year old hacker will develop a super-virus that will take out most of the computers in the world, in the space of a few hours.
It will only be at this point that the network administrators start thinking about security and viruses.
They seem to have the idea that computer security and virus protection is important, but a serious infection will never happen to them, so why spend the extra money buying and installing the hardware/software.
3. anonymous
The ISPs could fix it:
As usual I find that I agree with most of what Peter has said, but I think that his solution is the wrong one. To me it is the ISPs that are at the heart of the problem - surely it is possible for them to stop the propagation of worms and viruses. All attacks have to pass through their systems and could be terminated before they got anywhere near the punter's computers... I can only assume that they have been 'got at' by the vendors of virus checkers and firewalls who clearly have an interest in the proliferation of hacks.
I have often thought that it must be very tempting to a virus checker company to boost sales by the strategic release of really nasty viruses to frighten people into stumping up the relatively small amount of money that their products cost... but then again, I'm just an old cynic!!
4. anonymous
A good theory, but in practice it has already been shown to be flawed. Any process that propagates itself through the internet and causes systems to slow down will be considered viral. Nachi was supposed to be an antibody for Blaster but it was badly designed and buggy. It caused just as many problems as it attempted to solve.
5. Richard South
Until Government sees it as its problem in the same way as physical criminal events are and commits tax revenue to blocking virus threats entering the national parts of the internet then there is no incentive for any individual, private or public corporation to commit its money to stopping a threat that does not just affect them. Altruism does not help profits.
6. anonymous
The comparison with "traditional" terrorists using explosives to attack society's assets is instructive. No single individual or organisation suffers if an electricity pylon is blown up, yet the police would take immediate action. Traditional law enforcement agencies also get involved in cases where a vulnerable person is being exploited, e.g. the distribution of child pornography, but rarely in cases of virus etc attack. This is despite the impact on major facilities - international airports were closed down this summer for hours on end by the Sobig virus.
Police also ignore internet-related fraud in my own experience, even where there is evidence of concerted theft of identity emanating from a major UK internet-based retailer. This is probably a consequence of their priorities and capabilities.
Surely the lesson is that reliance on traditional law enforcement will yield nothing unless sufficient political pressure is brought to bear.
The solution of deploying existing networks to counter-attack virus authors is appealing, if the technology to do so is made widely available. Cynical views of the motives of anti-virus vendors might be countered if one of these companies chose to create a competitive advantage by developing such technology.
The idea of isolating countries harbouring techno-terrorists is also appealing. I was able to trace the fraud I encountered to Indonesia, or at least to a crooked IP address retailer in that country. The local Internet authority succeeded in closing that activity down, though with no sanctions as such against the company concerned. What hope to implement sanctions at a national level? The legal delays alone would cause the process to be ineffectual. But proper control of IP address registration, with legal penalties for infringement, would help create greater control.
A further remedy would be to stop unsuspecting companies from offering proxying to fraudsters and cyber-terrorists, by enforcing sanctions that would give such companies an incentive to put their house in order.
In other words, the well-tried methods of law enforcement and appropriate legal sanctions could do far more to improve matters, if only the political will were to exist.
7. David Hawkins
Best Uncommon Sense yet!
What are the IT industry representative bodies doing?
On top of the damage caused by successful attacks, just think of the cost of firewall/traffic shaping/analysis kit etc. and staffing costs we all have to have.
The penalties and law enforcement effort should be proportional - at least!
8. John Sniadowski
I agree with Peter that we need to do something before the lights go out and we all starve. However, I have a fundamental issue with the concept of anti-bodies. It is absolutely right that we would not be here if it wasn't for our autonomous biological defence system, but we can't accredit our survival to just our anti-bodies. As we have seen in history, there are many occasions where our defences have been overwhelmed and huge numbers of people have succumbed to one disease or another, and the only thing that has saved us thus far is diversity. But even now there are diseases which can hijack our defences and turn them against our bodies regardless of our genetic diversity.
Whatever network defences we build must take note of nature and build in heterogeneity and diversity of techniques, otherwise Peter's vision of computers defending themselves and passing on the anti-body code could become the ultimate armageddon of the internet if the virus writers succeed in hijacking the defence systems to their advantage.
The fundamental problem of the net right now is that we have too little diversity; one could be forgiven for believing that one particular vendor of a PC operating system based their design on a lemming!
9. Andrew Robb
Unfortunately the body's immune system is prone to errors - some fatal. Would we have to accept that an antibody to the operating system could spread and be far deadlier than a human-coded virus? Would applications require that the system be isolated and the immune system suppressed in order to allow it to be assimilated before it can run?
10. anonymous
Hmm... Peter Cochrane is missing one vital point: recent experience with the Welchia worm - which seems to have been designed specifically to remove Blaster - shows that the cure is at least as bad as the disease - if not worse!
11. Mike Parsons
I know this article is about viruses but much of what has been said applies to SPAM email. I am never normally a subscriber to conspiracy theories but am starting to ask the question: are the ISPs really trying to stop it all or are they getting paid for this traffic? Viruses no, but SPAM maybe?
12. Chris Jones
So what is antivirus software then, if not the antibodies Cochrane is banging on about? It seems to me he is acting like a consultant - using our own PDAs to tell us the time. Or he is writing a prequel to a Tom Clancy type novel - the Net Police? Or, to continue the medical theme, a TV series - 'NetER' starring a very charismatic handsome doctor chappie totally wired with PDAs, WiFi, MP3 etc. etc. (bit like Cochrane himself methinks?). Anyway, it's all been done (imagined) by Tad Williams or the Matrix.
However, there is one real suspicion in all this, and that is... if there are no viruses there is no antivirus business. So, it is only a short step to wondering who, if I put my conspiracy hat on, is really behind some of these attacks. Mmmm...
13. Shaun Wilde
It will never happen.
What if the virus infects a machine and did not crash the machine but the 'cure' virus did, and thus lost valuable data? Who is responsible? The 'cure' obviously, and since they would be easier to find than the original perpetrators, it is because this may happen that it will not happen (especially with our extremely litigious society).
The architecture we have now could be improved with more user education, regular updates of virus signatures and use of home firewalls (hardware and software). But while we still have the daily tabloids educating the population, with their often inept advice, this is not going to happen.
Free firewalls and virus checkers exist and therefore there is no reason for anybody's machine to be without protection.