Anti-Spyware and PC Security News


18 Apr

Cyber spies and state-sponsored hackers

With all the cyber spies and state-sponsored hackers on the Internet, is there any way to defend ourselves? Critics say not completely.
by Keith Epstein

During the Middle Ages walls became less of a barrier. Soldiers would simply set up a catapult-like device known as a trebuchet. This enabled them to fling hundred-pound projectiles and disease-conveying corpses over supposedly impenetrable fortifications. Never mind how competently the 12th century’s security professionals routinely patched and updated their fortress exteriors, invaders got in.

Today, rapidly evolving cyber espionage threats, state-sponsored hackers, and other Internet miscreants are bounding over the best modern protections consumers, corporations, and governments can set up. The situation is providing a steady source of revenue—in the many billions of dollars—for the essential products and services of computer and network security firms.

Yet as illustrated by the intrusions described by a BusinessWeek investigation (BusinessWeek.com, 4/10/08), all these defenses—firewalls and antivirus updates—devouring an organization’s time, servers, and technology budget can be useless against even one moderately adept hacker engaging in open-source “net reconnaissance” such as simple Googling; crafty “social engineering” of fake e-mail attachments that trick recipients because they mimic messages from the boss or a client; and leveraging of cyber-break-in “toolkits” readily available online.

Disconnecting From the Internet
If the hacker hordes in China, Russia, or dozens of other cyberactive nations can catapult their Trojan programs and other malware over state-of-the-art safeguards—confounding some of the best cybersleuths that intelligence agencies and the private sector can muster—can any of us have confidence that our networks are secure?

Not the U.S. government. On classified orders from President Bush the government is, in part, now coping with the hacking onslaught by literally disconnecting from the Internet. The feds are closing as many Internet ports as they can, everywhere they can, possibly leaving open fewer than 100 of the current 4,000-plus conduits used by cyberspies and hackers. Imagine if the government took the same approach to securing U.S. ports, closing all but a few seaports to shipping vessels.

“We’re well past the point where plugging holes is effective,” says one of the nation’s most senior military officials, who requested anonymity so he could speak about Pentagon anxieties over cyberattacks and defensive weaknesses. “This is persistent activity at the speed of light. If I’m the adversary and I get in, the guy at the other end can have all the McAfee (MFE) products (computer security software) in the world but I’m always there. I’m in.”

Hoist With Our Own Petard
No wonder Microsoft (MSFT)—widely criticized in the past because its software has been riddled with so many vulnerabilities—is now proselytizing about rebuilding Internet trust through better security hardware. “Microsoft and the technology industry alone cannot create a trusted online experience,” acknowledges Scott Charney, Microsoft’s chief security strategist. “Time to change the game,” he says.

Some say it’s also time to publicly acknowledge the inescapable truth about a high-tech fighting force: By emphasizing technology meant to give us an edge over our enemies, we’ve given our potential enemies an edge. “We’ve shifted the field of military competition from nukes and ballistic missiles—hard to compete against—to networks and satellites where dozens of countries can compete. Our affinity for new technology has empowered all of our enemies,” says Lexington Institute Chief Operating Officer Loren Thompson, a defense analyst and consultant with close ties to the Pentagon.

The trouble is, nobody wants to put the technology away—not the government, the military, corporations, or the average user. The benefits are too many. Internet-dependent warfare, like Internet-dependent commerce and communications, will only grow in the years ahead, along with ever more challenging hazards. “Risk mitigation” is the strategy at the Pentagon’s Joint Task Force for Global Network Operations, which oversees security of the military’s seven million computers around the world—so many it requires 14,000 networks and 120,000 leased commercial circuits to tie them together. Break-ins soared 55% last year.

An Online Arms Race
Indeed, for every security fix it seems a counter-exploit emerges. About a year ago the military beefed up its Internet perimeter defenses with layers of security and automated intrusion detection, and by requiring users to log into computers with electronic cards and codes rather than passwords that can be “logged” by hackers. The result? The number of password intrusions fell by half. That’s when hackers turned from key-logging to more pernicious forms of spear-phishing. Yes, even the arms race is now online.

Even the fortifiers themselves no longer have confidence in the fort. Microsoft’s Charney, in a white paper unveiled Apr. 8 during the RSA computer security conference, is up front about his company’s struggle to make the Windows world sufficiently sheltered. “Although Microsoft Corp. and many other organizations have taken significant steps to improve the security and privacy of their products and services,” he writes, “these activities alone will not make the Internet secure enough and privacy-enhanced enough for many of its potential uses.”

Charney says the key to better security is seeking improved verification of users’ identities, the ability to monitor or review their action, and—most strikingly for a software firm—security that is “rooted in the hardware.” One of his solutions would tie the operating system to the hardware for a “trusted boot”—a way of ensuring no one has tampered with the software code. Says Charney, a former federal prosecutor of cybercrimes during the 1990s, “We need to create a more authenticated and audited Internet environment.”

Multi-Billion Dollar Overhaul
On the same day Charney presented his ideas, Homeland Security Secretary Michael Chertoff informed the same audience of the need for “a Manhattan Project to defend our cybernetworks.” While Chertoff studiously avoided disclosing details, he emphasized the bottom line: It will take something on the scale of that historic race against time to develop bold weapons to lessen the threats of cyberadversaries.

A largely classified overhaul of U.S. cybersecurity, expected to cost tens of billions of dollars, is already underway. President Bush quietly set it in motion by signing a pair of classified directives in January. Senior U.S. military officials tell BusinessWeek that still more money is needed, most likely requiring a partnership with industry. Behind the scenes there’s spreading talk in Washington of ways, both timeworn and seemingly novel, to fix Internet security.

After what has been a revolving door of cybersecurity chiefs, the Homeland Security Dept., for instance, has made an unconventional choice. Last month it hired its fifth cybersecurity chief in five years—a Silicon Valley entrepreneur, Rod Beckstrom, whose trendy book, The Spider and the Starfish, suggests how to defeat competitors or adversaries with decentralizing, non-hierarchical tactics.

Insured by Internet Protection
Another unconventional approach, a public-private research and development endeavor on the scale of Los Alamos or the Manhattan Project, could involve sensors to broaden surveillance along Internet pathways, the better to warn companies of threats within milliseconds of when they might arrive, government sources say.

At the Pentagon, of all places, generals are quietly advocating a Federal Deposit Insurance Corporation-like agency that could, for example, certify financial institutions that have agreed to be part of this real-time, government-run monitoring system. Supercomputers would analyze massive volumes of traffic to detect intruders and assure the credibility of data flows. Financial institutions would help pay for the sensor and surveillance system. An “FDIC” sticker on the window—such as “Financial Data Insurance Corporation”—would reassure investors and depositors.

Other people in Washington are urging greater development of countermeasures and offensive tactics—ways to “hack back” and, yes, strike first. A “hack-back,” itself a form of hacking, is sometimes used by law enforcement (armed with a court order) to locate the source of an attack. Other forms involve striking back to disrupt or shut down an attacking machine, or planting software to spy on the attacker.

Absolute Security Not Possible
Meanwhile, defense contractors are trying to cope with a controversial government proposal worrying them. Though still informal and undisclosed as of April, 2008, it suggests that companies such as Boeing (BA) and Lockheed (LMT) open their private networks to government monitoring and scrutiny, or risk being unable to compete for contracts.

And then, of course, there’s the certainty that such solutions won’t work perfectly. A senior U.S. military official, after describing the possible fixes and paradigm shifts he views as urgently needed, suddenly stops during an interview. “Even then,” he says, sighing. “The truth is, absolute security won’t be possible.”
