Internet attack defense: License and registration please...

Summary: Governments all over the world are challenged with cyberspace security. Could regulations and government oversight and management be the solution?


This past Tuesday (Jan. 26) I posted the story about China's view of the attack and break-in that occurred at Google. The attack was widespread, similar to Ghostnet. I had indicated this was the beginning of a new arms race, which has been underway for several years. The events in China, which affected Google, Adobe and others, have created the final catalyst needed to build the next defensive hardware and applications required for computers and smart devices connected to the internet.

The tools used to attack any target, whether an individual or an organization, an activist or a military institution, are sophisticated, difficult to detect and clearly built with several goals in mind. Some attacks will be focused; others will attempt to collect as much data as possible for real-time or long-term digestion to prepare the subscribers to its agenda. With this in mind, programmers and designers will have a unique set of challenges to overcome, in an intense creative process in which several intelligence techniques need to be understood, or the ability to use them as a defense is weakened. This is in a league beyond a science fiction writer's novel or a blogger's commentary; it is going to affect every internet user with real consequences. Adobe's reputation is vulnerable and will recover - this time. What the future holds for the company will demand new thinking and approaches to how it designs its products.

Internet attacks are a nuisance. Everyone simply wants ease of use when connecting to the Internet at work or at home in their daily lives; it's practically an essential service for many. Internet security costs money to prepare. It consumes valuable resources in the corporate and individual user world and offers no return on investment, except to protect intellectual property and employees. The cost to protect the devices we use to connect to the internet is rising. When combined with the complexity required to prevent attacks, users are now faced with multiple problems: trust, ease of use and, very likely, future mandatory compliance in understanding and using protection services or appliances for their computers and mobile phones. The next wave of sophistication applied in any attack on a connected computer system will be the most complex since the invention of the microprocessor. Some argue that it cannot be done, that there is no single defensive application, service or computer network architecture that can prevent future internet attacks.

Governments all over the world are challenged with cyberspace security. Could regulations and government oversight and management be the solution? Regulations rarely work well in their first round of attempts, and it would be impossible to regulate anyway: it is an international network with no borders. Even if a country decided to regulate the internet only within its own borders, it would be impossible to enforce with so many people visiting the country with their own computers and smart devices. Even if an agency like the FCC or DHS recorded the MAC address of every device 'allowed' on the internet, or an identifier code like the one Intel tried with the Processor Serial Number (PSN) program in the late 1990s, the management costs, let alone the civil rights controversy, would kill such a program, and it still wouldn't prevent attacks from occurring; it may only find the source of the attack - after the fact. Yet the reality is, governments may have to reconsider such a requirement. It may not fly today, but don't be surprised if it becomes reality in the near future. Every device connected to the Internet will have a permanent license plate and without it, the network won't allow you to log in.

The private sector has to step up to the plate and come up with defensive solutions to prevent further risks, not only to individuals but to the network itself. Several companies that make logical sense to be front and center of these requirements are Cisco Systems, McAfee, Symantec, Checkpoint and many others. But firewalls and anti-virus software will only work with a user's understanding of what these products will and will not do. Consumer and employee expectations for ease of use will have to ratchet up a notch or two if we are to see a reduction in sophisticated attacks on users of the internet. Education of users is going to be a vital link. While some may think Internet security for Dummies is a great place to start, it will need a severe upgrade. Forget about 2.0, try jumping to Version 10.0 and doing it right now. The future security model will require users to understand a trust model when heading out into cyberspace, and clearly we have a long way to go before that is understood.

Software companies other than Microsoft are now feeling the pain that Internet Explorer and every version of Windows have experienced and, as they are finding out, it's not a pleasant experience; just ask Adobe. Operating systems such as Linux and Apple's will also be used (and have been in the past) in the next wave of exploitation. Another new problem before us is hardware with embedded software that can contain exploitation tools and lie dormant until needed. Nobody has public proof of it occurring, nor is any intelligence agency going to comment on such capabilities or their implementation (I did ask several press officers at the NSA for comment on this story). When a device can have a 4 GB micro-SD chip in it the size of a dime, it's time to begin to be concerned. That's just the easy and oversimplified scenario. In a discussion with several hackers, they not only implied it can be done, but that it's easy to do. There is what is often referred to as Linux on a stick, and Apple's OS X can also be booted from a stick. Google's Chrome Browser can be operated from an SD chip. Which Chrome extensions do you trust? Combined with the new Open Source Android software, it's a dream come true for some, a nightmare for others. Red Hat believes it has one of the most secure Linux distros out there, and it probably is, considering the competition, yet it too constantly requires patches for its products.

With this kind of ability and its continued growth, it may influence how Internet services are designed and secured for users. This is where the philosophical issue of intellectual property versus open source collides head on. In an open source environment, the code can be inspected, audited, reviewed and endorsed by the widest possible audience, with critique, ideas and options on how to solve a problem. But that is also its weakest link, with potential for abuse, because the program is so open that it is easy to embed features that an end user has no idea are there. Let's face some hard facts: Microsoft and others are not doing any better a job of solving security loopholes by doing it their way either. Steve Ballmer wants an open and free internet. Nobody disagrees with that idea. The question is, how much longer will it last?

Verisign's approach to how a user should safely use the Internet is based upon well thought out processes and policies, yet its implementation is rarely understood by the average web surfer. The simple reason why it isn't deployed everywhere is the expense and maintenance of this kind of approach. Other tools will be used, such as encryption at the HTTPS, SSL and other application layers. Even with these capabilities, it will not stop the information security issues we all face.

China's probe and attack has side benefits for the nation besides the information desired and used by its intelligence community (MSS); thus, the attack likely served multiple purposes. China is faced with a future problem that it simply cannot afford: copyright and download monitoring. The Green Dam is but one tool it uses to keep out information from the internet world, while at the same time it needs to find ways to track and find information that actually is illegal - copyright and intellectual material already inside the country. If you can break into Google or piggyback on Adobe, what else can they do? The grand experiment may have accomplished more than just tracking a few human rights activists.

In the end, there are no magical cyber shields to solve the problem. One thing is for sure: a lot of money is going to be spent trying, and sooner or later everyone may have to pay, with an Internet cop instant messaging you - "license and registration please."

Other resources:

Dana Blankenhorn's story - What China wants in Internet battle is wholly proprietary

Talkback

26 comments
  • Problem with registration and licensing

    on the Internet will be the same as in the real world: Real world criminals use stolen guns and cars. Same thing will happen on the Internet with the exception that real world theft victims know their car or gun was stolen and (usually) report it before it is used in commission of a crime. Internet theft victims seldom know they have been robbed until after a crime has been committed. With our current somewhat overzealous justice systems, how many information theft victims will end up being charged and convicted, as their only defence will be their word that they didn't do it?
    anothercanuck
    • Good question

      I agree that any registration system is fraught with problems, particularly global registration issues. I also forgot to add the network diagram, which I have now fixed. Take a look.

      Other problems with it are:
      1) Public computers
      2) Selling or giving away devices
      3) False information

      But the system would be able to "lock out" systems that are found to be used in attacks and thus, it does solve the problem.


      thanks for writing.

      Doug
      doug.hanchard@...
    • Washington DC = Highest Crime rate

      And they have gun control... Obama is FAILED socialist riding out 3 more years of WASTED Tax dollars.......
      Use_More_OIL_NOW
  • Some good.....some bad here I guess

    The bad would be (as someone else already mentioned) the very real possibility of having one's computer turned into a bot with a virus/trojan. At that point, your next move is to wait for the storm troopers to kick in your front door for selling kiddie porn or plotting terrorist attacks, while some hacker in a faraway land walks away undetected. Good luck proving your innocence.

    The potential good is that problems like spam-bot machines could be cut off from the internet. I emphasize "could". ISPs and backbone providers would have the ability to detect and cut off PCs sending spam. They could do that today if they wanted to, but they won't. I doubt they would do it even with a registration system in place.
    shawkins
    • Wanna think that thru all the way?

      It wouldn't be THAT hard to prove you're innocent. If your computer is infected with Virus X, then gee, it would tend to leave a rather noticeable trace. Even if it was a bug no one had seen before - unless you've got the source code for the bloody thing and you've been compiling (also traceable), a bit of computer forensics and you're good to go.
      Wolfie2K3
      • Not necessarily... some viruses are SO GOOD

        At what they do, that they are basically unnoticeable unless you are VERY GOOD at watching for 'unknown or strange processes' on your Windows PC.... some have even been found to be using Gutmann erasing procedures to 'cover their tracks'... so no, it would NOT be easy to prove your innocence, unless you are willing to allow the police to go through your entire hard drive/drives on a fishing expedition.... which when the feds came to MY DOOR and asked to do that because they had reports that I was trading child porn, I told them to TAKE A HIKE!

        After telling them a few other 'truths', they realized I wasn't hiding jack from them and went away.... that was about 6 1/2 years ago now.
        Lerianis10
        • Even Worse!

          Even fishing through your hard drive may not find anything if the virus has "secure erased" free space, the paging file, and any traces of itself.
          Also, what if the virus trashes your computer after the attack so you have to reformat and reinstall - prosecutors could argue that you were covering your tracks, and you couldn't prove otherwise. A virus might even sit in memory and force an automatic secure erase and reformat of your entire hard disk, which would look very suspicious and even if you had an independent witness present when it happened it would be virtually impossible to prove you didn't do it yourself - you could have written the code to do the erase and reformat yourself.
          P.S. Lerianis10 - I'm curious what the other 'truths' were that convinced the feds you weren't hiding anything.
          ausvirgo
        • unless you are willing to...

          I'd pester the hell out of them and if they didn't have a warrant, I'd make them sign something to be sure I got the machine back in the same condition it was in when they took it.

          Since I've nothing to hide I'd rather let them take my machine to begin with, have the reputation of being agreeable, and get it over quickly. Too many people are too paranoid OR actually do have something to hide.
          twaynesdomain-22354355019875063839220739305988
          • Better Still - a replacement (loan) drive

            Why can't law enforcement authorities copy a suspect hard drive onto an equivalent or better substitute drive or PC before taking it away to be examined.

            If this is not feasible (eg a large disk could take 10 hours or more to copy), it wouldn't be too hard to provide a replacement machine with a good complement of software and copy over critical files such as "My Documents". With modern internet technology they could even allow the PC owner to access their hard disk remotely on a read-only basis while it is being checked. A wireless connection could be provided in most places for those without broadband.

            Such solutions would allow the authorities to do their job with minimal adverse effect on the PC owner, who is after all innocent until proven guilty.

            Cost would be minimal, as the loan machine could be re-used for other investigations.
            ausvirgo
  • My Internet attack defense: Firefox & Ubuntu

    Here are some interesting facts:

    "Firefox 3.6 has been downloaded 24,274,408 times since January 21, 2010" -
    http://www.mozilla.com/en-US/firefox/stats/
    IndianArt
    • Firefox is #1 & Linux distros are SECURE

      Big Socialist Gov is going to fix it like the waiting line to get a license??????????
      Another FAILED concept from Obama & Thugs.
      Use_More_OIL_NOW
  • STOP blaming the customer! Regulate the INDUSTRY!

    STOP...governments worldwide have the responsibility to protect national security and their citizens. Any democratic government has long seen that INDUSTRY REGULATION through legislation IS THE WAY to approach that protection of the citizen.

    This has been accepted practice for decades with the car industry, pharmaceuticals/ food and drugs, air transport, healthcare provision, fire prevention, safety and on and on .. BUT NOT the computer/IT industry. Firstly you have to FORCE the ICT industry to produce and offer systems that ARE FIT FOR USE on the Internet and then, just like seat belts in cars, you set out the rules for using those security (safety) systems.

    (Remember "C2 by '92" - no-one cared and it was not enforced. A trusted operating system with associated hardware IS THE BASE to build on and that comes from the IT industry - not the end-user. Just look at the failure of SELinux to reach commercial acceptance at any real level along with the earlier "turning off" of the hardware security features, segments/rings/typing, of the Intel 286/386/486/Pentium that were a critical part of the security architecture of those processors! Yes - it's in the IAPX-286 design documents!)

    Imagine a car industry where brakes and seat belts were "add-ons" to be purchased, installed and managed by the owner/driver. The same with computer systems - if a consumer buys a PC for Internet usage then - by law - that PC should be "fit for purpose" - no add-ons, no "if's". Viruses/trojans/botnets are a failure of product integrity at the OS level...NOT the responsibility of the end-user.

    The problem we are now facing is simple - commercial, commodity computer systems were not designed to be trusted and secure and no-one in government took any notice or cared as these became the base for the national information infrastructure.

    The result will be - WILL BE - a cyber-meltdown before too long... and you can blame that lack of legislative interest by governments in oversight of the IT industry...on which modern society and the "digital economy" now totally depends.

    Will the Obama administration have the strength to act along WELL ESTABLISHED industry safety legislation lines? 2010 could be the "inflection point".
    w.caelli@...
    • Cars require customer MANDATED maintenance and insurance paid by YOU

      Interesting how you use the auto industry ... BAD choice :)

      You are still responsible to PAY for maintenance and ensure it is SAFE for the road, or you PAY as a liable consumer, especially if you get into an accident with faulty brakes that were not maintained, not the mfgr.

      Botnets are not a product of Microsoft, Adobe or any other company out there, it's an individual that has decided to attack. It's the same with exploitation of vulnerabilities, it's with INTENT.

      And that's why we have laws on the books for liability for both the auto and computer industry.

      Thanks for writing
      Doug
      doug.hanchard@...
      • Internet is FREE as in expression...

        You cannot drive 100mph or run people off the road. All you want is a TAX & FEE levied on something the Big Socialist Gov wants $$$.

        This will do nothing to secure, no different than Obama allowing the chaos with air travel...
        Use_More_OIL_NOW
      • Professional liability

        The IT industry enjoys a degree of indemnification that is unique among producers of engineered products with potential for large consequential damages from failure. That situation is an anachronism. It dates from the era when software was understood to be an experimental product and the user community was small, with a high degree of expertise either on board or readily accessible. The consequences of failure spreading across large networks were unforeseen. There is a much greater degree of implied trust between users and providers today. The trick is to find the optimal degree of accountability without creating a litigious train wreck.

        The civil engineering profession is regulated under State laws that define standards of professional practice. Liability is incurred if failure to follow professional standards results in loss due to failure. Liability is not incurred if professional standards are followed and failure results from circumstances unforeseeable under established standards, including misuse of professional products. That model seems appropriate for the current IT environment. Civil engineering is a public trust profession and, now, so is IT. Had such a model been in place for IT at the dawn of the internet age, we might be in a very different security environment today. The no-borders nature of IT would, of course, require a very different enforcement mechanism than that governing civil engineering.
        Lester Young
  • "You can't stop the signal" (NT)

    nt
    vikingnyc@...
  • RE: Internet attack defense: License and registration please...

    It is too long, ICP is different from ISP, now...
    lovelyting88
  • There is an easy way to stop all of these attacks

    Block the whole of China..... I'm quite serious with that solution, since 99% of China websites are virus-infested wrecks.... just exempt from the rules the VERY FEW good Chinese websites.
    Lerianis10
    • Yeah Sure! As if you could!

      What are you going to do, stop all travel from China so agents can't get out and attack the Internet from another location?

      And if you exempted any Chinese websites then attackers could use these to launch the attacks - if they're govt sponsored it would be easy.

      The trouble with kneejerk responses like this is that the brain is not in the knee!
      ausvirgo
  • Why not address the PROBLEM?

    I subscribe to the belief that computer viruses of ANY kind are inherently "genetic" in nature -- that is, they MUST be created to target specific software platforms and services. So why impose a solution that affects everybody when there's clearly ONE LARGE POPULATION being targeted?

    Some basic facts I've seen kicked around: 85% of all computers in use today are running some version of Windows; 98% of all Windows computers have Outlook Express installed, and it cannot be fully removed because Windows will re-install (parts of) it if it's found missing; 80% of all Windows users run Outlook Express as their email client; 75% of those users have never changed any of the default settings or even updated the software.

    So if someone wants to build a virus, all they need to do is target years-old vulnerabilities in Outlook Express and they have a simple way to infect a HUGE number of machines! It's like shooting fish in a barrel.

    If you want to issue "licenses", then tie them to Windows users, because THEY are both the source and target of these jerks.

    I have no problems with any of these viruses on my Mac. So why would I need some kind of "license" to access the internet?

    Also, I've read bits about these break-ins at various sites, but what seems to be overlooked in the facts that are reported is what server software they're running.
    zdnet@...