Web attacks: Are ISPs doing enough?

Security experts and Net users are becoming increasingly vocal about their concerns that high-speed Internet service providers (ISPs) aren't doing enough to ensure the data security of home users. "It's been two months (since I notified my provider of three potential attacks)," wrote a California-based Web production manager to our US sister publication, ZDNet News Talkback. "And I still haven't heard from (them). I'm not overly concerned about prosecuting hackers, but I do care about my own privacy and the security of my system."

In the wake of the recent Denial of Service attacks against eight major Web sites, including ZDNet, personal security has become less of an add-on and more of a must-have feature for Internet surfers. (See Has your PC been hijacked?.)

Unfortunately, while high-speed ISPs are intent on making their networks secure, they frequently overlook the security of their customers, said Jeremy Rauch, manager of vulnerability content and co-founder of security information site Security-Focus.com.

"Broadband ISPs don't seem to be doing a lot on the problem right now," he said. "They don't seem to be going out of their way to educate customers about the problem."

For example, Rauch said that two months ago, Usenet news groups were ready to give the @Home Internet service the "death penalty" -- blocking any user from the @Home domain, from posting to newsgroups. The reason? Spammers were sending email out to the Internet using @Home customers' computers to camouflage the source. If the ISP had helped its users correctly configure their computers, then this problem never would have happened, said Rauch. Yet, providers insist that they are taking customer's security seriously.

@Home has learned from its checkered past, said Jacqueline Russo, spokeswoman for Excite@Home, and now has become more vigilant, adding a security page to its services sponsored by security software maker McAfee. "We are constantly keeping our eyes and ears open," she said.

Another problem for providers is the fact that personal firewall programs have become quite popular with users. Many of these programs warn users of every little ping and port request, which can result in paranoid users always thinking their PCs are under attack. "These programs have taken off in the past six to eight weeks as more people are going out and looking for security," said Curtis Benton, network operations manager for Internet-over-DSL provider, Flashcom Communications. "Yet, people get too concerned over security sometimes, and they become convinced that anything attempting to contact their computer is coming from a malicious personality." The result is a flood of email to providers that is as debilitating as the Denial of Service attacks that hit the Web on 7 to 9 February.

"We have an abuse coordinator that has a stack of complaints. He has to determine whether they are a serious threat or not," explained an on-system administrator for Road Runner, Time Warner's high-speed Internet service, who wished to remain anonymous. "It would be hard to respond to every single complaint, especially when people are sending us their BlackICE logs and the like every day, and we have thousands of users."

In the week following the attacks on major Web sites, personal firewall maker Network ICE has seen requests for its product, called BlackICE, skyrocket by 30 to 50 percent. Rival Zone Labs, maker of a free firewall called ZoneAlarm, has seen 400,000 downloads of its program in the past week.

Greg Gilliom, chief executive of Network ICE, admits that personal firewalls can generate a lot of alarms. "The problem (for providers) is that they don't have time to deal with every knock on a customer's door by script kiddies," he said. The next version of BlackICE won't explicitly tell users when it has blocked an attempt to access their PC, although it will log the incident.

Gilliom also stressed that broadband providers are getting better about integrating their customers' security with their own. "We are in discussion with several ISPs that are thinking about rolling out a security service," he said. "They can charge the end user $3 to $5 (£1.86 to £3.10). Later, as everyone starts doing security, it will just become part of the service."

This will allow ISPs to tailor security to the needs of the user, said Shawn Dainas, spokesman for Pacific Bell Internet Services. "Consumers have to decide if they need more security themselves," he said. "Just like in the real world, different people have different security needs -- some may want to have a state-of-the-art security system, others may just need a dog."

In the meantime, users should not wait for broadband providers to come to them, stressed David Davidson, a software engineer in a post to ZDNet News Talkback. "(Don't) take your security for granted," he wrote. "Learn and protect yourself."

For full coverage, see the Denial of Service roundup.