Legions of consumers are not taking reasonable steps to combat botnets, leading some experts to suggest that ISPs should monitor broadband connections and block botnet-generated traffic.
A botnet is a network of servers or PCs that have been surreptitiously infected with malicious software for the purpose of generating Internet traffic without the owners' knowledge or consent for some criminal purpose. Antivirus software offered by vendors such as McAfee, Microsoft or Symantec eliminates malicious software, but many consumers don't utilize these products even when they are available for free.
From George Gilder's column in today's Wall Street Journal,
Meanwhile, Secretary of State Hillary Clinton and the president's friends at Google are hectoring China on Internet policy. Although commanding twice as many Internet users as we do, China originates fewer viruses and scams than does the U.S. and with Taiwan produces comparable amounts of Internet gear. As an authoritarian regime, it obviously will not be amenable to an open and anonymous net regime. Protecting information on the Internet is a responsibility of U.S. corporations and their security tools, not the State Department.
The full column is here
Congress could increase funding for organizations which enable foreign citizens to breach Internet firewalls operated by closed society regimes, according to Senator Arlen Specter (D-PA).
The money would aid groups like the Global Internet Freedom Coalition, maker of the FreeGate software described by Nicholas D. Kristof:
... small enough to carry on a flash drive. It takes a surfer to an overseas server that changes I.P. addresses every second or so, too quickly for a government to block it, and then from there to a banned site ....
E-mails sent with it can be encrypted. And after a session is complete, a press of a button eliminates any sign that it was used on that computer
The coalition is running out of server space, and a Washington Post
that a $50 million appropriation would enable it to provide access to 100 million distinct users every day -- as opposed to something under 1 million users now.
President Obama received a Cyberspace Policy Review from cybersecurity experts this week and pledged to create an Office of Cybersecurity Coordinator in the White House.
A federal cybersecurity coordinator may help government agencies better coordinate their responsibilities and authorities and eliminate duplicative or inconsistent efforts.
But most of the networks and computers which power the world's most dynamic economy and support the strongest military are owned and operated by the private sector, as the cybersecurity experts and the President acknowledged. The private sector has been hard at work improving the reliability of software and building security features into the network.
The importance of the network in combating cyber attacks has largely been overlooked. Network operators eliminate most spam, which, according to Symantec, comprises 90 percent of email.
Unusual traffic patterns give network operators early warning of worm strikes and distributed denial-of-service attacks. Network operators can divert malicious traffic to scrubbers so it never reaches its intended destination. Networks are the first and possibly the most effective line of defense.
The federal government will not dictate security standards for private companies nor monitor private sector networks or Internet traffic, according to the President. But with new high-level officials there will be a continuing temptation for government to micromanage the dynamic technology, telecommunications and cable sectors.
The President may bemoan the extent of taxpayer investment in cyberspace,
just as we failed in the past to invest in our physical infrastructure -- our roads, our bridges and rails -- we've failed to invest in the security of our digital infrastructure,
but unlike roads, bridges and rails, there are still opportunities for profit in software, hardware and broadband.
The biggest threat to continued private investment in cyberspace may be the President's oft-repeated support for net neutrality regulation, which would divert investment away from the core of the network. Cybersecurity requires investment throughout the network. The network is an ecosystem in which everyone has an important role to play.
The President's interest in cybersecurity is a good thing. But the federal government can do more to harm cybersecurity than to promote it.
Senate Commerce Chairman John D. Rockefeller, IV (D-WV) this week conducted a hearing entitled "Cybersecurity -- Assessing Our Vulnerabilities and Developing An Effective Defense" during which he signalled that cybersecurity will be a major focus of the committee.
Mentioning his experience as a member and former chairman of the Senate Intelligence Committee, Rockefeller commented
I know the threats we face. Our enemies are real, they are sophisticated, they are determined and they will not rest.
I do not believe it is only the job of the Intelligence Committee or our national security and defense agencies to protect us from the threats we face. This committee can and must play a very proactive role in keeping Americans safe. * * * * Because the topic of cybersecurity is so vast, a single hearing cannot possibly hope to address or identify the many facets of this issue. But this hearing is the first of many under this Committee and will serve as the beginning of a very valuable foundation.
Witnesses included Dr. James Lewis, Director and Senior Fellow of the Technology and Public Policy Program at the Center for Strategic and International Studies, who said that the task is enormous.
The internet as it is currently configured and governed cannot be fully secured. Changing this to gain the further advantages offered by information technology will require a restructuring of governance, practices and standards. Right now, however, the advantage lies with the attacker.
Lewis chided the Bush administration's Comprehensive National Cybersecurity Initiative because it was "over-classified" and focused on securing federal computer networks. According to Lewis,
Economic strength, technological leadership and the ability to innovate will be as important as military force in creating national power, particularly in competition with the rising nations who wish to reduce U.S. influence without resorting to open military conflict. The primary damage to U.S. national security and economic strength from poor cybersecurity comes from the theft of intellectual property and the loss of advanced commercial and military technology to foreign competitors. A failure to secure America's information infrastructure weakens the United States and makes our competitors stronger.
Lewis believes that the solution consists of two interrelated sets of actions.
The first is to strengthen our national ability to innovate. Innovation is the process of coming up with new ideas, goods, and services. It has become a central element in economic competition. A more innovative nation will be stronger and more secure as it will have a stronger economy and better technology. A purely defensive strategy will not succeed. The second set of actions is to secure the networks upon which we rely for commerce, innovation and security.
Ed Amoroso, who is AT&T's Chief Security Officer, testified that network service providers can play an underappreciated role in protecting those lifelines.
[AT&T's] advanced network technology currently transports more than 17 Petabytes a day of IP data traffic, and we expect that to double every 18 months for the foreseeable future. Our network technologies give us the capability to analyze traffic flows to detect malicious cyber-activities, and, in many cases, get very early indicators of attacks before they have the opportunity to become major events. For example, we have implemented the capability within our network to automatically detect and mitigate most Distributed Denial of Service Attacks within our network infrastructure before they affect service to our customers.
Previously it has been reported that network service providers have a window which enables them to see all kinds of potential cyber threats:
About 1 million of the home computers AT&T sees each day are thought to be infected with bots, reaching out to hundreds of other IP addresses far more quickly than any Internet surfer with DSL or a cable modem ever would. Before a worm strikes, technicians see strange spikes of traffic going to normally obscure ports, as malware developers test and tweak their code. A sudden, sharp increase in the amount of Web traffic worldwide could mean breaking news--or a distributed denial-of-service (DDoS) attack being lobbed at a single company halfway around the world.
But Amoroso's window into a rapidly junkifying Internet is largely just that: a window. For the most part, he says, all he can do is sit and watch through the glass, as unwanted or malicious traffic makes its way from point A to point B.
"The standard service-level agreement is that we just push the traffic in and out," he says. "We don't touch it. We can do some upstream and downstream filtering if we see something that will affect our infrastructure, but you getting a spam, or you having some weird protocol aiming at you--I would love to filter that, but it's not that simple."
Amoroso, again, means it isn't simple from a legal perspective, not from a technological point of view.
Amoroso suggested at the Senate Commerce hearing that
our government should rethink its own relationship with its network service providers. As attacks become more mobile and network-based, the service provider has the best vantage point to mitigate the threat. Too often, in our work at AT&T, we see government and business systems designed with the service provider at arms-length. This practice must be discouraged. In fact, agencies that run their own cyber-security operation should be ready to justify such decision. They cannot stop network threats such as botnets on their own.
The same goes with private networks. According
"So many groups with cybersecurity teams are trying to solve the same problem," he says. "Any one of us, as an engineer, would tell you that's about as inefficient as it gets."
All attacks pass through the carrier infrastructure, he says, and that's where the focus should be.
Researchers at Princeton have figured out how to crack encrypted files stored on a computer's hard drive, according to the New York Times.
"Cool the chips in liquid nitrogen (-196 °C) and they hold their state for hours at least, without any power," Edward W. Felten, a Princeton computer scientist, wrote in a Web posting. "Just put the chips back into a machine and you can read out their contents."
This technique -- which enabled the researchers to retrieve encryption keys from DRAM chips -- can't be carried out remotely via the Internet or a WiFi connection, only if your computer is stolen or seized.
One way to look at this is to lament that one can't be sure anything one stores on their computer is safe. But that's pessimistic -- a bit like lamenting it's too bad someone can't build a ship which can't sink or a vehicle which can't be stolen. Just as it is true that any secret code can be broken, it's equally true there's no limit on the complexity or redundancy one can add to secret codes to make them harder to compromise. Microsoft and Apple suggest how to protect one's personal files in case their computer is stolen or seized:
Austin Wilson, director of Windows product management security at Microsoft, said the company recommended that BitLocker be used in some cases with additional hardware security. That might include either a special U.S.B. hardware key, or a secure identification card that generates an additional key string.
The Princeton researchers acknowledged that in these advanced modes, BitLocker encrypted data could not be accessed using the vulnerability they discovered.
An Apple spokeswoman said that the security of the FileVault system could also be enhanced by using a secure card to add to the strength of the key.
The Senate Commerce Committee approved a modified version of S. 687, a bill sponsored by Senator Conrad Burns (R-MT) and Senator Barbara Boxer (D-CA) which would target a variety of malicious practices that include: computer hijacking, spam zombies, endless loop pop-up advertisements and fraudulent software installation. A similar measure (H.R. 29) introduced by Rep. Mary Bono (R-CA) and Rep. Ed Towns (D-NY) has passed the House. The House has also approved H.R. 744, by Rep. Bob Goodlatte (R-VA) and Rep. Zoe Lofgren (D-CA), which addresses criminal penalties and prosecutorial tools related to spyware.
Spyware legislation is beneficial because it will promote consumer awareness and assist law enforcement. But technological solutions to the problem may ultimately prove more important. The industry is working on a number of solutions and requires flexibility to respond to evolving challenges. Lawmakers in both the Senate and House appear to be fully conscious of the danger of unintended consequences from legislating in this area. If the legislation's aims and means are too expansive or are not described with optimal clarity, for example, not only could it kill promising technological solutions but it could also ensnare legitimate applications and services that will make the use of computers more simple and secure for ordinary Americans.
It is already against the law in the U.S. to interfere with someone else's computer or commit traditional crimes with the aid of a computer; however, many countries have gaps in their criminal laws governing computer-related crimes and have become havens for cyber-criminals. Another problem is that electronic evidence of crime is difficult for law enforcers to locate and secure when it crosses borders. A treaty is awaiting final Senate approval that would fully criminalize computer-related offenses in other countries and require each country to have the power to quickly preserve and disclose stored computer data, compel the production of electronic evidence by ISPs, to search and seize computers and data, and to collect traffic data and content in real time. These evidence-gathering and surveillance powers are already provided for under U.S. law.
The Convention on Cybercrime has been criticized on the ground that it could allow a foreign country to collect evidence or eavesdrop in the U.S. -- on who knows what? -- via "mutual assistance." But the evidence-gathering and surveillance powers are subject to conditions and safeguards under domestic law that protect civil liberties, such as the First Amendment.
The Senate should ratify the treaty, which will promote an international minimum baseline in computer-related criminal offenses and law enforcement tools.