*NEWS*TECH IND.DO MORE TO STOP HACKERS ?/2004-09-12
2013-06-23 at 3:40:51 am #2092
Could the Tech Industry Do More to Stop Hackers?
Last fall, the Blaster Internet worm slammed into Cable Bahamas like a digital hurricane, clogging Web connections for the tiny Internet service provider's 22,000 subscribers.
"We got hammered," says Andre Foster, technology vice president for the Nassau-based company.
After recovering from Blaster, Foster began to rethink his main line of defense against Web attacks. Instead of relying on home PC users to lock down individual machines, he acquired costly hardware and software designed to screen out suspicious data coming into and out of Cable Bahamas' local system.
The result: Cable Bahamas' subscribers have gone largely untouched by the flurry of Web attacks this year. "Somebody has got to step up and at least attempt to protect the end user, and that's what we're trying to do," Foster says.
Comparatively few other tech suppliers are going as far as Cable Bahamas to help secure the Internet.
As cybercriminals toil with near-impunity, tech companies in the best position to make the Web safer – Microsoft, Internet service providers and anti-virus software makers – are failing to respond effectively to a snowballing threat, say security experts and industry executives.
Tech suppliers say they're doing all they can to make it easier for home users to secure their own PCs: guiding consumers to a raft of products and services they can use to lock out cyberintruders. But critics say that's akin to making car drivers responsible for installing their own seat belts.
"As long as we rely on the end user as the primary mechanism to secure their own computer, we will continue to have large quantities of unsecured devices," says Mitchell Ashley, chief technology officer at StillSecure.
In the past eight months, USA TODAY interviewed more than 100 tech industry executives, consultants, analysts, regulators and security experts who say tech suppliers could be doing much more to buttress Internet security. In pointing fingers, critics say that Microsoft could do more to supply basic protection for every Windows PC, that Internet service providers could significantly tighten key Web gateways, and that anti-virus companies could move more quickly to develop and distribute smarter software.
Instead, leading tech suppliers – bedeviled by competitive rivalries and hesitant to bear more product-support expenses – have proved incapable of joining forces to put up a unified defense, which is what it will take to clean up the Web, critics say.
"They're not working together, and because they're not working together, they're putting all of us at risk," says Alan Paller, research director of SANS Institute, a Washington-based Internet-security think tank and training center.
Much is at stake. Worldwide losses from cyberattacks will swell to an estimated $16.7 billion by the close of the year, up from $3.3 billion in 1997, according to tech consultant Computer Economics. As cyberattacks become more invasive, businesses across the USA are becoming wary of using e-mail as a tool. Some are pulling back plans to open more of their networks to customers, partners and mobile workers.
Meanwhile, consumers remain largely ignorant about the extent of the threat. Cyberintruders have begun to wrest control of millions of PCs in homes, small businesses, college campuses and government agencies. Compromised PCs are being transformed into obedient zombies slotted into underground networks to broadcast spam, carry out identity theft scams, even conduct cyberblackmail.
What's needed, security experts agree, is for tech suppliers to collaborate on implementing systemwide measures that protect consumers by default.
"Somehow, we need to find a way to let the good guys band together, and we'll all be a lot stronger," says Marc Willebeek-LeMair, chief technology officer at security firm TippingPoint Technologies.
Ed Amoroso, AT&T's chief information security officer, predicts: "There will be some set of catastrophes, then the lawyers will fight it out, and the question will come down to, 'Who's responsible if software flaws exploited over a network cause damage to society?' "
Russ Cooper, senior scientist at e-mail security company TruSecure, envisions a similar scenario: "It will take more calamitous events, perhaps an Internetwide attack that creates a huge public outcry, before regulators step in to protect consumers."
Mark Childs was a happy America Online customer for three years until the day he couldn't log on to his account. AOL had pinpointed his PC as a spam-spreading zombie. Without warning, AOL scrambled Childs' password, blocking his access to the Web.
Anticipating a call from Childs, AOL had customer support staffers waiting to guide him through steps to reclaim his account and clean up his PC. "I had no clue until they told me my PC was spamming," says Childs, 46, a land surveyor in Buffalo.
Childs' experience provides a glimpse into the massive resources Internet service providers are pouring into a patchwork of security initiatives that often confuses and frustrates customers.
ISPs supply the Internet connection in homes and businesses. They make money selling bandwidth, the channels over which data zip around the Internet. They are acutely sensitive to cybercriminals stealing bandwidth to engage in malicious activity.
ISPs have invested hundreds of millions of dollars on anti-spam systems and partnerships to distribute discounted anti-virus software to home PC users. EarthLink, which markets itself as a security-centric ISP, guides subscribers to tools designed to squelch pop-up ads, spyware and phishing scams. But like all other ISPs, it does not mandate that subscribers clean up PCs before accessing the Web.
"We do everything we can to educate and encourage consumers about security, but we do not require it," says Linda Beck, EarthLink's executive vice president of operations.
Instead, AOL, EarthLink and others have launched manpower-intensive programs to watch for and shut down tainted PCs as intruders put them to work. Typically, the home PC user whose machine has been hijacked is left out of the loop until the ISP moves to curtail Internet access or e-mail services.
AOL, with 23 million U.S. subscribers, suspends thousands of accounts each day. The company has teams of specialists standing by to quell large virus attacks, which can quickly infect hundreds of thousands of PCs. Such large-scale attacks occur once or twice a month, says Brian Zwit, executive director of integrity assurance at AOL.
"There's a whole educational process we go through about cleaning up your hard drive, and running anti-virus and anti-spyware," says Zwit.
Deb Naybor, 47, a city planner in Buffalo, had to reclaim her AOL account after an intruder commandeered her PC to spread hundreds of pitches for financial services and prescription drugs. "It's all part of the price you pay to be online," Naybor says.
In a Bind Over Costs
ISPs face a dilemma. They typically get $50 or less a month from each subscriber. As zombies and malicious attacks proliferate, sucking up bandwidth and disrupting PC performance, consumers don't call the phone company or Microsoft, they call the ISP. It costs $8 just to have a service rep pick up the phone, about $50 to roll out a service truck on a house call.
ISPs remain conflicted, says Elias Israel, general manager for hosted solutions at MessageGate. "They all agree they wish other ISPs would police their networks better," he says, "and they all seem to agree that they themselves can't afford to do much more than they're already doing."
Charter Communications, which supplies high-speed Internet connections to 1.8 million homes, is a case in point. At its Atlanta headquarters, it recently installed anti-spam hardware and software that take up four times as much floor space as the e-mail servers they protect.
Charter has instigated a painstaking yearlong process of banning all its residential customers from using so-called POP3 e-mail services, such as Outlook Express and Eudora, that allow users to retrieve e-mail stored on a remote server. Such services use a certain Internet channel – Port 25 – which has become the most widely used channel for spreading spam.
Charter and other ISPs have begun taking steps to partially or completely block Port 25. Charter is also attempting to set up a referral service to hand off subscribers who need help cleaning up and inoculating their PCs to a certified local repair business.
The balancing act that ISPs and other tech suppliers are attempting is a delicate one, says John Dreiling, Charter's vice president of advanced services: "How do I put enough resources in front of this problem without creating a cost model so high that I price myself out of business?"
The Convenience Factor
When Mike Nash pondered what Microsoft could do to make the Internet safer, he pictured cybercriminals going after his Uncle Ken.
As corporate vice president of security, Nash directs Microsoft's initiatives to help consumers secure their Windows PCs. It bothered him that Uncle Ken remained puzzled about how to install an important patching tool. Nash realized Microsoft had to do more.
On Aug. 6, after more than a year of development, the software giant released something called Windows XP Service Pack 2, or SP2. While Nash views SP2 as a quantum leap, security experts characterize it as a step in the right direction – but one that falls short in many areas.
SP2 automatically turns on the Windows firewall: a program designed to protect the PC from unauthorized access via the Internet. It also makes it easy to activate a free online service, called Windows Auto Update, that automatically downloads the latest Microsoft security patches.
But the firewall SP2 turns on is a porous one. It can be easily tweaked, even turned off, by an intruder, says David Berlind, executive editor of ZDNet, who has tested SP2.
Crooks tend to pounce on weak defenses. An Atlanta man who neglected to restart his anti-virus and firewall programs – after turning them off to download software – not long afterward discovered his PC was being used to broadcast waves of spam, says tech consultant Kimberly West of SpyderWeb Technologies, who helped the man clean up his machine.
SP2 does nothing to stop most types of spyware that get installed when a PC user unwittingly surfs to a Web site riddled with such contagions. Spyware can add unwanted links to a favorites list, change the default home page, steer users to porn sites and dial down privacy settings to let more spyware in.
In July, spyware turned Ed Kemmerling's Web browser home page into a search engine for porn and online dating sites. It took the 57-year-old manufacturing consultant from Brighton, Mich., several hours to reformat his hard drive. "You can't even use the damn computer anymore," he says. "It seems someone is always spying on you."
Microsoft recommends using free anti-spyware programs – Lavasoft's Ad-Aware or Spybot Search & Destroy – created and maintained by volunteers.
Security experts unanimously recommend using SP2, because it brings XP computers fully up to date with all of Microsoft's security patches. But Berlind and others caution that its limitations could mislead consumers into "a false sense of security."
Nash contends that Microsoft is doing all it can "to harden our product and make it as secure as we can."
The Anti-Virus Question
By keeping vigilant watch for fresh malicious code, anti-virus software makers play a pivotal role in defending the Internet. But anti-virus companies are making so much money from old-style detection systems, designed to screen for known viruses, that a transition to more intuitive technologies has been sluggish, critics say.
In the past decade, Symantec, McAfee, Internet Security Systems, and Trend Micro grew from nothing to a combined market capitalization topping $24 billion by supplying anti-virus software to a hungry market. Their business model: Be the first to spot a new virus and the quickest to update a client's clean-up tools and filters to immunize against the latest threat.
But intruders have gotten lightning quick at counterattacks. They can tweak viruses just enough to slip past the latest filters. Virus writers used to take weeks to come up with a variation, which anti-virus companies assigned a letter of the alphabet. The Bagel e-mail virus, which first appeared in January, has been updated so many times that it's running through the alphabet a second time. The latest version: Bagel.AP.
In the past few months, new systems from TippingPoint, MessageGate and Cisco Systems designed to spot any code exhibiting a suspicious pattern have burst on the anti-virus software scene.
Because the newer, intuitive filters prevent the spread of anything that behaves like malicious code – rather than reacting to known virus signatures – wide use of them could be a big step forward in cleaning up the Internet, proponents say.
But the mainstreaming of intuitive filters will take years, experts say. Anti-virus suppliers will have to invest millions perfecting the newer technology so it doesn't accidentally block legitimate data. It will take time to get them to de-emphasize their highly profitable old-style filters.
Most consumers get introduced to anti-virus software by computer makers who supply it on a free trial basis on new PCs. But many consumers, such as Richard Riecker, a 29-year-old San Francisco corporate attorney, don't realize they need to pay for an ongoing subscription once the trial period expires, usually after 30 to 90 days. Riecker let his subscription lapse and fell prey to a virus, losing valuable data. "I thought I was covered," says Riecker. He now subscribes to an anti-virus program that automatically sends updates to his PC.
Microsoft estimates two-thirds of consumers don't have a current anti-virus subscription. Without one, they stop receiving updates, and their PCs become vulnerable to the latest virus attacks.
With no one stepping forward to define and enforce some basic rules of the road, and with cybercrime flourishing, it's hard to find anyone in the tech industry to dispute the notion that Internet security will deteriorate, at least in the near term.
"It's a pretty bleak picture," says MessageLabs security analyst Natasha Staley. "There's a general lack of confidence and an overriding belief that things will get worse before they get better."
Most industry executives, when pressed, concede that market forces likely will have to emerge to compel Microsoft, Internet service providers and anti-virus companies – all of whom are already pushing hard – to embrace an even larger burden for securing the Web.
"Our customers own their computers, and what they do with them is somewhat out of our scope of business," says Mary Youngblood, EarthLink's customer security strategist. "Our responsibility is to make sure they have the best Internet experience possible, and we already have strong policies, dedicated folks, and strong products in place to address the problem."
* Post was edited: 2004-09-12 10:38:00