Interesting People mailing list archives

NYT article on the (ever-more-sophisticated) bot wars


From: David Farber <dave () farber net>
Date: Mon, 8 Dec 2008 01:44:12 -0500



Begin forwarded message:

From: Kurt Albershardt <kurt () nv net>
Date: December 8, 2008 1:18:18 AM EST
To: dave () farber net
Subject: NYT article on the (ever-more-sophisticated) bot wars

<http://www.nytimes.com/2008/12/06/technology/internet/06security.html>

December 6, 2008
Thieves Winning Online War, Maybe Even in Your Computer
By JOHN MARKOFF

SAN FRANCISCO — Internet security is broken, and nobody seems to know quite how to fix it.

Despite the efforts of the computer security industry and a half-decade struggle by Microsoft to protect its Windows operating system, malicious software is spreading faster than ever. The so-called malware surreptitiously takes over a PC and then uses that computer to spread more malware to other machines exponentially. Computer scientists and security researchers acknowledge they cannot get ahead of the onslaught.

As more business and social life has moved onto the Web, criminals thriving on an underground economy of credit card thefts, bank fraud and other scams rob computer users of an estimated $100 billion a year, according to a conservative estimate by the Organization for Security and Cooperation in Europe. A Russian company that sells fake antivirus software that actually takes over a computer pays its illicit distributors as much as $5 million a year.

With vast resources from stolen credit card and other financial information, the cyberattackers are handily winning a technology arms race.

"Right now the bad guys are improving more quickly than the good guys," said Patrick Lincoln, director of the computer science laboratory at SRI International, a science and technology research group.

A well-financed computer underground has built an advantage by working in countries that have global Internet connections but authorities with little appetite for prosecuting offenders who are bringing in significant amounts of foreign currency. That was driven home in late October when RSA FraudAction Research Lab, a security consulting group based in Bedford, Mass., discovered a cache of half a million credit card numbers and bank account log-ins that had been stolen by a network of so-called zombie computers remotely controlled by an online gang.

In October, researchers at the Georgia Tech Information Security Center reported that the percentage of online computers worldwide infected by botnets — networks of programs connected via the Internet that send spam or disrupt Internet-based services — is likely to increase to 15 percent by the end of this year, from 10 percent in 2007. That suggests a staggering number of infected computers, as many as 10 million, being used to distribute spam and malware over the Internet each day, according to research compiled by PandaLabs.

Security researchers concede that their efforts are largely an exercise in a game of whack-a-mole because botnets that distribute malware like worms, the programs that can move from computer to computer, are still relatively invisible to commercial antivirus software. A research report last month by Stuart Staniford, chief scientist of FireEye, a Silicon Valley computer security firm, indicated that in tests of 36 commercial antivirus products, fewer than half of the newest malicious software programs were identified.

...

Beyond the billions of dollars lost in theft of money and data is another, deeper impact. Many Internet executives fear that basic trust in what has become the foundation of 21st century commerce is rapidly eroding. "There's an increasing trend to depend on the Internet for a wide range of applications, many of them having to deal with financial institutions," said Vinton G. Cerf, one of the original designers of the Internet, who is now Google's "chief Internet evangelist."

"The more we depend on these types of systems, the more vulnerable we become," he said.

The United States government has begun to recognize the extent of the problem. In January, President Bush signed National Security Presidential Directive 54, establishing a national cybersecurity initiative. The plan, which may cost more than $30 billion over seven years, is directed at securing the federal government's own computers as well as the systems that run the nation's critical infrastructure, like oil and gas networks and electric power and water systems.

That will do little, however, to help protect businesses and consumers who use the hundreds of millions of Internet-connected personal computers and cellphones, the criminals' newest target.

Despite new technologies that are holding some attackers at bay, several computer security experts said they were worried that the economic downturn will make computer security the first casualty of corporate spending cuts. Security gets hit because it is hard to measure its effectiveness, said Eugene Spafford, a computer scientist at Purdue University.

He is pessimistic. "In many respects, we are probably worse off than we were 20 years ago," he said, "because all of the money has been devoted to patching the current problem rather than investing in the redesign of our infrastructure."

...

Security researchers at SRI International are now collecting over 10,000 unique samples of malware daily from around the globe. "To me it feels like job security," said Phillip Porras, an SRI program director and the computer security expert who led the design of the company's Bothunter program, available free at www.bothunter.net.

"This is always an arms race, as long as it gets into your machine faster than the update to detect it, the bad guys win," said Mr. Schneier.

...










