What do you think happens when you connect your computer to the Internet? In less than an hour, it may not be yours anymore. While you’re Googling your name and checking e-mail, a hacker, perhaps in Eastern Europe-let’s call him Ivan-quietly takes over your machine. There are a dozen ways Ivan could do it, but he probably found you with a program he didn’t get at Best Buy called a port scanner, which roams the Internet like a clumsy cat burglar, trying every doorknob until it locates one left unlocked. Then he makes a connection to your computer-sort of like starting a chat session, only invisible to you-and uses it to deliver a “backdoor,” a small piece of code that lets him take control of your PC whenever he wants. You won’t know it, but you’ve just become part of a “botnet,” a small army of computers that Ivan will rent to international organized-crime rings, which will use it to spew spam, steal identities, or hold corporate Web sites hostage (not to mention slow down your PC).
Sound like a scare story? It happens to more than 300,000 computers each day-PCs connected to the Internet without security precautions such as a firewall, anti-virus software or an up-to-date operating system. According to the FBI, $67.2 billion was lost last year to online crime. Sure, there are ways to fight back [see “Five Things You Can Do Today to Protect Yourself”], shutting down “zombies” (PCs surreptitiously controlled by hackers) and prosecuting the handful of Ivans the police have managed to catch. But it’s like playing a huge game of whack-a-mole. Knock the criminals over the head in one spot, and they pop up someplace else. “No matter what solution you come up with, it takes the bad guys about five minutes to get around it,” says Lance Spitzner, president of the nonprofit volunteer Honeynet Project, which sets out vulnerable computers as bait so researchers can study attackers’ behavior. “The creativity of cyber-criminals is amazing.”
Fact is, the system is easy to game because it was never designed to be secure. The Internet was created 40 years ago so university geeks could share research, not so you could buy baubles on eBay. As companies developed ingenious ways to build security into things like online credit-card transactions, hackers came up with equally ingenious ways to get around it, launching a security arms race that Ivan and his comrades are so far winning.
If we want to fight back, we need a new approach, something that fundamentally changes the way computers interact with the Internet and how the Internet functions. Companies and organizations all over the world are working on these kinds of long-term solutions, but one of the most radical ideas is being developed at Carnegie Mellon University’s CyLab, the world’s largest Internet-security research hub. Launched in 2003, CyLab has 70 faculty researchers and 140 graduate students at its Pittsburgh campus, with satellite facilities in Korea and Japan. Its approach is to make the Internet function like a biological entity that wards off attacks the way a healthy body fights off a cold-in other words, to build a network with an immune system.
“Unless we move toward that goal, we’ll just spend all our time solving new problems,” says Pradeep Khosla, dean of Carnegie Mellon’s college of engineering and co-director of CyLab. You can’t build something that’s perfectly secure, so you make something that can survive the attacks you can anticipate, making it harder and more expensive for criminals to do their thing. Even Fort Knox could be taken, but it would require a small army to do it, which would cut heavily into the bad guys’ profits. CyLab has dozens of projects at various stages of development; many are years from implementation and would cost billions of dollars to put in place. But the following remedies-creating resistance to attacks and finding their sources-are necessary medicine for an Internet that’s getting sicker by the minute.
Remedy 1: Create Diversity on Your Desktop
Make software and operating systems that evolve when attacked, so the same trick doesn’t work on so many computers
In June 2004, Internet-security researchers discovered a vulnerability in Internet Explorer 6 that could let attackers take over your computer when you visited an infected Web site. The attack exploited a flaw in how IE 6 managed security, fooling the browser into thinking that malicious code was running in a so-called “trusted zone” on your local machine instead of on the Internet. Once a machine was infected, the attackers could do anything they pleased-erase files, install a key-logger to steal bank-account information, or turn the computer into a zombie. The problem was so bad that the U.S. Computer Emergency Readiness Team, a division of the Department of Homeland Security, advised Web surfers to stop using IE until Microsoft issued a patch, which it did in August of that year. The worst part? Because every single copy of IE 6 contained the same flaw, the attackers had tens of millions of potential targets.
“The reason the human race is so robust is that there’s diversity in the gene pool,” Khosla says. “The problem with [software] is that every version has the same damned bugs.” Researchers at CyLab are studying how plants and animals evolve in response to disease, hoping to emulate those processes by building software that adapts when attacked. If some copies of Explorer “evolved” to resist the attack, hackers would soon give up and go looking for easier targets. Taking the idea one step further, CyLab imagines creating programs or entire operating systems that would randomly change the way they functioned as they operated or that would execute instructions in a different order every time. For example, each copy of IE might use a slightly different method of determining security zones.
The difficulty lies in replicating enough of the code so that every application does the same thing, without replicating its vulnerabilities, says CyLab’s technical director, Mike Reiter, who thinks we might begin to see programs like this in three to five years. “Why do we have epidemics?” Khosla says. “Not because there are germs out there. It’s because we can’t control their propagation. You can’t stop the dissemination of viruses and worms, but you can reduce their speed of propagation.”
Remedy 2: Boost Data
Protect corporate databases so they can’t be stolen from, and the networks around them so they can’t be brought down for ransom
Eran Reshef thought he’d figured out a clever way to combat spam. The CEO of Israeli company Blue Security created a method of flooding junk e-mailers and their clients with opt-out requests-essentially, spamming the spammers. Within a few months, Reshef claimed, six of the world’s biggest junk e-mailers had agreed to stop spamming his customers.
Then, this past May, a Russian spammer known as PharmaMaster fought back. Using a botnet, he launched what’s called a distributed denial of service, or DDOS, attack. If too many computers try to access a Web site at the same time, it overwhelms the servers that host the site and shuts it down. DDOS attacks do this relentlessly, keeping a company’s site offline until it agrees to pay a ransom.
And PharmaMaster didn’t stop there. He took down Blue Security’s blog service, its Internet service provider, and the security firm it hired to repel the original attack. Then he sent Blue Security’s customers e-mails infected with a virus. After two weeks of relentless attacks, Blue Security just gave up. At press time, Bluesecurity.com was still offline. (Reshef declined to be interviewed for this article.) Nobody knows how many of these attacks occur every year, because few companies admit to being attacked for fear of revealing their weaknesses. Today DDOS attacks are largely fought by redirecting the enormous amount of traffic to servers that can handle it. Often companies hire firms that specialize in such defense.
Someday, these attacks could be solved by self-healing networks that can continue to function while under attack-the electronic equivalent of a head cold. But such systems are still years away from being built in the lab, let alone deployed on the Internet. CyLab isn’t even working on them yet. But if they can’t yet protect a network from being attacked, they can at least protect the large databases of information-say, a bank’s customer records-behind those networks. A version of these so-called survivable data-storage systems is in place at CyLab today.
One way to think about CyLab’s system is to imagine a database as a sheet of paper. If you tear the paper into 1,000 differently shaped pieces and store them in 1,000 different places, you make it harder to steal. But if an attacker finds and destroys just one piece, you can’t reconstruct the paper. If you make four copies of the paper, though, cut each copy into 1,000 different pieces, and store all the pieces on 1,000 different computers, you’ve made the target so big and elusive that an attacker can’t possibly take down enough of it to cause you problems. And because there are copies of every bit of data, the system itself can replace any compromised pieces. “An attacker would have to take down 80 percent of your computers to bring the system down,” Khosla says. “Even if you’re under a massive attack, it won’t totally die.”
Remedy 3: Find the Source of Infections
Fix the backbone of the Internet so criminals can’t hide their tracks
Diagnosing anthrax or another infectious disease is easy; the hard part is finding where it came from. Today’s Internet has a similar problem: Malware is easy to spot, but its origin is often a mystery. Information travels around the Internet in data packets, each one with an Internet Protocol (IP) address, a 12-digit number that indicates from which machine it originated. Unfortunately, it’s easy to “spoof,” or fake, the IP address to hide the data’s actual source. (There are even legal tools you can use to hide your computer’s IP address so that you can surf the Web anonymously.)
CyLab’s Fast Internet Traceback (FIT) technology can follow each packet as it moves across the Internet, “like leaving a trail of breadcrumbs,” says Adrian Perrig, assistant professor of electrical and computer engineering at Carnegie Mellon. With FIT, each packet would get a small marker added to it as it passed through a router, a machine that directs and relays Internet traffic. These markers would allow computer-forensics experts to identify the routers through which a packet had passed, ultimatel tracing it back to the computer that originally sent the data-whether it belonged to Ivan, a botnet or a teenager just causing trouble-and choke it off.
But for FIT to work, Perrig estimates, at least a third of the Internet’s roughly 100,000 routers must be upgraded, a process that would take many years and cost billions of dollars. Even then, tracing packets would get you only so far, says Bruce Schneier, founder of California-based consultancy Counterpane Internet Security. “It’s easy to prove that your computer did something, but it’s hard to get from your computer to you,” he explains. That is, the chain of evidence breaks once you try to prove that it was Ivan’s fingers on the keyboard. You need some way to absolutely verify his identity, such as authentication and biometrics. But this, in turn, raises serious privacy concerns. Do you really want Uncle Sam or your boss to be able to pinpoint where you go on the Internet? What if you’re a political dissident in Iran or China?
CyLab has policy experts who deal with these types of issues, which may prove harder to solve than the technical ones, given the international nature of the Internet. Achieving a survivable, self-healing Internet will be difficult-but not impossible. “If you want to eradicate disease from this earth, the problem is insurmountable,” Khosla says. “But if you want to eradicate smallpox, polio, measles or malaria, each problem is very difficult, but on their own, none are insurmountable.”
Three More Security Solutions
_Promising weapons in the fight against identity thieves and computer-killing viruses _
A way to use biometric security in your cellphone to verify your identity
Who: Carnegie Mellon CyLab
Problems addressed: Identify theft, fraud, unauthorized access
How it works: Before you can log on to, say, your online bank account, the computer sends a message to your phone to verify that you should have access to that account. You type a PIN into the phone and use the phone’s camera to take a facial-recognition scan. The phone delivers the information to a server, which gives the go- ahead to your bank’s Web site to let you log in. An early version of this system opens doors at CyLab today. The technology, named for telekinetic “X-Men” character Jean Grey, could ultimately replace passwords, security badges
and the keys in your pocket, says Mike Reiter, CyLab’s technical director.
When: A few years
More info: www.cylab.cmu.edu
Software that can recognize and stop never-before-seen viruses
Who: Microsoft Research
Problem addressed: Rapidly spreading viruses
How it works: Vigilante is a small program that sits in a computer’s memory and constantly scans for suspicious behavior. Once the program recognizes an attack, it generates a security alert to other machines on the network. They then create a
filter so they can identify any mutations of the attack and stop them from executing-
no human intervention needed. “If you want to contain fast-spreading attacks, humans simply can’t be involved,” says lead researcher Manuel Costa. “It takes them too much time to look at things.”
More info: research.microsoft.com/vigilante
A system that confirms users without revealing personal data
Who: Internet2 consortium
Problems solved: Identity theft and protecting online privacy
How it works: Shibboleth passes on only the barest minimum of personal information needed to sign on to a site or to complete a transaction without your having to disclose your identity. Penn State University students use it to log on to a free legal music download site. Shibboleth ascertains that they’re enrolled students without matching their names to the music they’ve downloaded. By giving out less information, you reduce your risk of identity theft, says Ken Klingenstein, director of Internet2’s Middleware Initiative.
More info: shibboleth.internet2.edu
**Who Are These Criminals?
Meet the Internet’s new bad guys. Where once “script kiddies”-young amateur hackers-wrote viruses just to cause havoc and show off their skills, they’re now building “zombie farms”-armies of PCs controlled from afar-and renting them out to the highest bidder on underground forums you’d never find with a Google search. Increasingly, they’re being hired by organized crime syndicates to steal identities and hold corporate Web sites hostage.
“Ten years ago we talked about the Internet as the Wild West,” says Peter Swire, a law professor at Ohio State University and a former top privacy official in the Clinton administration. “Now it’s more like gangland Chicago in the 1920s. The threats come from organized crime, not lone cowboys.”
These cyber-crooks may be dispersed across the globe, each with his own specialty. “This is not your traditional La Cosa Nostra type of organized crime,” says Dan Larkin, unit chief for the FBI’s Cyber Initiative and Resource Fusion Unit in Pittsburgh. “In many cases, they don’t know each other personally, just by trade and screen name.”
These gangs in turn may be linked to criminal groups in Eastern Europe, West Africa and South America, Larkin adds. And although international cooperation is steadily improving, he says, pursuing and prosecuting cyber-criminals thousands of miles away remains an enormous
If a criminal lives in Eastern Europe and the local authorities have more important crimes to deal with, there’s not much that can be done, admits Jody Westby, CEO of Global Cyber Risk, a Washington, D.C.” based security consultancy. And what might be illegal in the U.S. isn’t necessarily outlawed overseas. “Cyberspace has no borders, but law-enforcement agencies and diplomats do,” she says.
Worse, international crime outfits are beginning to pool their efforts, making them even more of a threat, Westby says. “The Nigerians, who are expert at taking over accounts, are cooperating with the Chinese, who are expert at counterfeiting. We’re facing a more sophisticated criminal operating environment, yet we’ve not gotten more sophisticated in our ability to catch them. They have an advantage, there’s no question.”
Dan Tynan is author of Computer Privacy Annoyances (O’Reilly Media; 2005).