|
| |
News
|
CPrivacye Piracy Fight -
Market News Magazine - July 7, 2004 |
| ' |
Business Week - SEPTEMBER 8, 2003
• Editions:
N. America |
Europe |
Asia |
Edition Preference
COVER STORY
Epidemic
Crippling computer viruses
and spam attacks threaten the information economy. Can they be stopped?
David
Farber, a professor of computer science at Carnegie Mellon University,
was sitting down to lunch with his wife at Taquería Moroleón, a Mexican
restaurant in Kennett Square, Pa., on Aug. 21, when his cell phone
started vibrating. An e-mail had landed in his cell-phone inbox. Yet as
soon as he had cleared the e-mail, the phone vibrated again. And again.
And again. He could hardly get a bite in edgewise. Farber was yet
another victim of a now-famous computer virus, called SoBig, that turned
computers worldwide into drones pumping out millions of e-mails bearing
malicious code. It was a digital snowball effect. Farber's conclusion:
"We're losing the battle against computer viruses."
Indeed, to those most affected, it seems as if this summer's onslaught
of viruses has reached epidemic proportions. Since early August, the
world's computer systems have been blitzed by hundreds of viruses --
some of them real doozies. On Aug. 11, the Blaster virus and related
bugs struck, hammering dozens of corporations, including Air Canada's
reservation and airport check-in systems. Ten days later, the SoBig
virus took over, causing delays in freight traffic at rail giant CSX
Corp. and shutting down more than 3,000 computers belonging to the city
of Fort Worth. Worldwide, 15% of large companies and 30% of small
companies were affected by SoBig, according to virus software tracker
TruSecure Corp. Market researcher Computer Economics Inc. estimates
damage will total $2 billion -- one of the costliest viruses ever. All
told, damage from viruses may amount to more than $13 billion this year.
And it could get worse. Six versions of SoBig have been launched since
January, each more effective than the last. Security experts are now
waiting nervously for the next one, expected on Sept. 11. Because the
author of the SoBig virus has turned thousands of computers into virtual
slaves standing ready to do his bidding as e-mailers, experts wonder
what he has in mind. Is he planning on linking up with spammers and
spreading their ads around ever more quickly? Or does he have something
more nefarious planned -- perhaps a mass delivery system for an even
more pernicious virus?
Even as the damage reports pour in, the Summer of SoBig provides a
jangling wake-up call to businesses, consumers, and the software
industry: Get serious about cyber security. Usually, after each huge
virus attack, people promise themselves they'll do a better job of
protecting their computers. Then they gradually forget about it. That
won't do anymore. "People buy anti-virus programs and firewalls and
think that's the solution, and they're secure. But they're not," says
Brian B. King, a Net security analyst at CERT Coordination Center in
Pittsburgh, which tracks viruses for the federal government. "There's
always a way malicious code can get in."
And that means the very vitality of the information economy could be at
risk. Combine viruses with the scourge of spam, and you have two heavy
anchors dragging on an already sluggish economic ship. Indeed, the virus
epidemic may undermine tech's productivity boost. A new focus on defense
could even discourage corporations from making investments in the latest
computers and software. "Every year, we spend more money on security, on
monitoring," says June Drewry, chief information officer at Chicago
insurance company AON Corp. "That's money you could be investing in
other ways."
At the same time, technology experts are warning of the dangers of
relying so heavily on just one outfit -- Microsoft Corp. -- to provide
the backbone of the computing and Internet world. With a 95% market
share, Microsoft's Windows desktop operating system is a fat, juicy
target for the bad guys. The company got so many complaints about SoBig
that senior executives, including Windows boss Brian Valentine, were
pressed into service manning customer support lines. Some critics even
say that Microsoft, as a virtually essential service, has an obligation
to ensure that its software is sufficiently hostile to hackers. And
while Microsoft has launched a safe-software initiative, tech experts
are calling on the company to make more fundamental changes in the way
it designs programs. "Microsoft has to write better software," says Paul
Saffo, director of think tank Institute for the Future in Menlo Park,
Calif. "It's outrageous that a company this profitable does such a lousy
job."
All of this raises a troubling question: Will people start to question
the effectiveness of the tech gear upon which they've become so
dependent? Already, e-mail systems and networks have proved unreliable.
Data aren't there at your fingertips when you need them. The e-mail
order you're expecting is missing -- while your inbox is overloaded with
hundreds of junk ads. In the future, tech systems could become less
useful, too. If companies and individuals resort to blocking e-mail from
addresses they don't know, it will short-circuit one of the nearly
magical attributes of the Web: Its ability to facilitate instant
connections between strangers.
Until now, viruses have been little more than a nuisance. Most of the 80
or so brand-new viruses created each month have little effect, rarely
doing more than slowing traffic, clogging e-mail inboxes, and hobbling a
smattering of businesses.
But viruses have become far more dangerous of late. Blame that on the
ubiquity of the Internet: It has become a veritable virus superhighway.
A virus launched one morning can infect computers all over the world by
the end of the day. The Slammer virus, which hit in January of this
year, spread ultrafast, infecting nearly 100,000 computers in the first
10 minutes alone.
Virus writers are also getting a whole lot smarter -- and nastier. Take
the Nimda virus, which struck shortly after the September 11, 2001,
terror attacks. Known as a "blended threat," it had five different ways
of replicating and of attacking computers and networks. The culture of
hacking has changed, too. While the previous generation was often
renegade teenagers who broke into networks to show off to their friends,
security experts say that fast-moving, organized international teams of
hackers are now posing a much larger threat.
What really worries security experts is that someone out there --
perhaps even terrorists -- might be able to wipe out the contents of
tens of thousands of computer hard drives or shut down the power grid.
"I expect to see some viruses come along that will be seriously
disruptive," says Hal R. Varian, dean of the School of Information
Management & Systems at the University of California at Berkeley.
Even if such a killer virus never strikes, the combination of viruses
with spam e-mail have turned everyday computing into an ordeal for
consumers. When people check their e-mail, they're greeted with a
seemingly endless string of advertisements for penis enlargement,
Viagra, cheap mortgages, or sexy girls. And that's if e-mail is working.
Unpacking a new computer used to be exciting. Now it can be fraught with
worry. Just ask Linda Beebe, an American retiree who on Aug. 13 had a
new PC delivered to her Pyrenees vacation house in Mauléon-Barousse,
France. When Beebe connected to the Internet, she immediately caught the
Blaster virus, which shut down her computer. It took three full days to
get it working again. "Now I'm so angry I can't even think straight,"
says Beebe.
Of course, no one is arguing that viruses and spam will stop people from
using their computers. "We rely on our e-mail, on getting on the
Internet," says Beebe. And, for businesses, it's absolutely vital.
There's no turning back the digital clock. But these twin scourges will
turn computing into something akin to driving a car: Sometimes you're
tooling along the open road. Other times you're stuck -- cursing -- in
city traffic. And unlucky drivers have head-on collisions.
The computing world can't count on law enforcement to put virus writers
out of commission. Tracking down these criminals is incredibly
difficult. Since they're usually not interested in financial gain,
there's no money trail for sleuths to follow. Virus writers have proved
skillful at covering their tracks. So far, only 10 have been captured
and convicted -- typically because they bragged about their exploits.
And when it comes to the most complex viruses -- the ones like Nimda
that keep mutating to stay ahead of the cleanup crews -- there are
probably a dozen people in the world expert enough to figure them out.
It's a few dozen expert hackers that law enforcers worry about most.
They're brilliant at exploiting vulnerabilities in software, and they
work furiously once they spot them. For instance, after Microsoft
identified a major flaw in its latest Windows operating system versions
and posted a patch on its Web site on July 16, it took less than a month
for virus writers to come up with Blaster and a handful of other viruses
that picked on the flaw. And since many corporations and consumers
hadn't gotten around to loading the patch yet, they got hammered. It
could have been worse. Microsoft found the problem only because it was
notified about it in June by four Polish computer scientists, members of
the Last Stage of Delirium Research Group, which identifies software
vulnerabilities.
Security experts and corporate tech purchasers say the glitches exist
because Microsoft and other software companies have placed a high
priority on getting products out quickly and loading them with features,
rather than attending to security. They're calling on the industry --
and Microsoft in particular -- to make software more secure. Ralph
Szygenda, chief information officer at General Motors Corp., got fed up
when his computers were hit by the Nimda virus in late 2001. He called
Microsoft executives. "I told them I'm going to move away from Windows,"
Szygenda recalls. "They started talking about security all of a sudden."
Last year, amid much fanfare, Microsoft launched its Trustworthy
Computing initiative, a campaign it claimed would put security at the
core of its software design. As part of the campaign, more than 8,500
Microsoft engineers stopped developing the upcoming Windows Server 2003
and conducted a security analysis of millions of lines of freshly
written code. Microsoft ultimately spent $200 million on beefing up
security in Windows Server 2003 alone. "It's a fundamental change in the
way we write software," says Mike Nash, vice-president for security
business. "If there was some way we could spend more money or throw more
people on it, believe me, we'd do it." Yet, embarrassingly, Windows
Server 2003, released in April, was one of the operating systems
exploited by Blaster. The virus carried a snide message for Microsoft
Chairman William H. Gates III: "Billy Gates why do you make this
possible? Stop making money and fix your software!"
Unfortunately, glitchy software is not so easy to fix. Security experts
say the company and the rest of the software industry need to undertake
a much more fundamental shift in the way they write programs if they
hope to make progress against virus writers. Aviel Rubin, a professor of
computer science at Johns Hopkins University, says a lot of the features
in Windows are designed to make PCs easy to use and to integrate one
program with another -- yet it's those very technologies that virus
writers exploit. "First, make programs secure. Everything else comes
after that," urges Rubin. "If you don't do this, computers will quickly
become unusable."
Some Microsoft critics believe that the only way for the software giant
fundamentally to mend its ways is for it to become liable for the damage
its customers suffer as a result of viruses. They propose that the
software industry adopt minimal standards for software quality and
security. "We need liabilities in software, just like any other consumer
product," says Bruce Schneier, the chief technology officer for
Counterpane Internet Security Inc., a security software company. "When
that happens, this will be fixed. Now, there's no business incentive to
fix the problem."
Others suggest that corporations and consumers switch from Windows to
avoid viruses. While Apple's Macintosh computer and the Linux operating
system aren't inherently more secure, they're not targets for virus
writers the way Windows is. Linux has gained traction as a corporate
server computer and industry analysts say Linux could become a more
attractive alternative on desktop computers if the Windows virus scourge
isn't brought under control. The Indian Institute of Technology in
Bombay, for instance, is now switching its workstations from Windows to
Linux, partly because of security concerns.
For now, much of the burden for combating viruses lies with computer
users themselves. Most large corporations already have basic anti-virus
software. But security experts maintain that they need to come up with
better procedures for frequently updating their computers with the
latest security patches to programs and inoculations against new
viruses. Verizon Communications (VZ
) Inc. has gotten serious about security in the past couple of years and
already has a system for automatically updating its 200,000 computers as
soon as patches are available. As a result, it escaped unscathed from
this summer's attacks. "As far as business impact, it was a nonevent for
us," says Chief Information Officer Shaygan Kheradpir.
Many corporations are sizing up a new generation of security software
that approaches threats holistically -- with all the defenses plugged
into one another. An integrated collection of virus-scanning, firewall,
and intrusion-detection software is designed to defeat viruses, no
matter how they try to enter the company. A new kind of scanning
software checks out not just the labels on packets of information that
are zooming along the networks but also makes sure the data inside are
really what the labels say they are. And a security dashboard keeps tabs
on everything that's happening on a company's network -- looking for
evidence that something many be awry. Their purchases are expected to
boost total sales of security software by 10%, to $3.8 billion, this
year, while the overall software industry remains flat, according to
researcher Gartner Inc.
Small businesses and home users need to be just as vigilant. Basic
anti-virus software now ships on most PCs, and network routers used for
Internet access are equipped with firewall software that scans for
viruses. But analysts say they fear consumers and small businesses
aren't taking advantage of the software they have. It's no wonder.
Unlike corporations, these computer users don't have their own info-tech
departments. Fortunately, several companies offer services with annual
fees of $25 to $35 that automatically alert people when a new virus
antidote is ready to be downloaded into their computer.
The key is slavishly downloading new software the moment it's available.
Jonathan Hamilton learned that lesson the hard way. The finance
newsletter writer in Norcross, Ga., paid no attention to the Windows
Update feature in his home office computer. When Blaster struck, his
16-year-old son, Daniel, dutifully downloaded a patch that blocked the
virus. Dad did not. The result: His computer was knocked out of
commission for five days, and he barely got his newsletter out on time.
"Live and learn," Hamilton says.
But even constant vigilance may not be enough. As with a war on terror,
it's not necessarily what you anticipate that can hurt you most. Tomasz
Ostwald of the Last Stage of Delirium Research Group, which spotted the
big glitch in Windows, says he's most worried about hackers coming up
with new forms of viruses. The worst threat, he said, would be worms
that wend their way into companies without being detected, hide, and
wait -- then perform some act of destruction or thievery. "The most
successful attack may be the undetected one," says Ostwald.
That's a chilling thought. In the cyberworld, with brainiac hackers
tapping away on their keyboards late into the night, any technical feat
is possible. And no threat is safely ignored.
By Steve Hamm in New York, with Jay Greene in
Redmond, Wash., Cliff Edwards and Jim Kerstetter in San Mateo, Calif.,
and bureau reports
|
|
| |
|
Printer-Friendly
Version
