Anniversaries present an opportunity to reflect. Sometimes we celebrate anniversaries (birthdays, graduations, some marriages), and sometimes we grieve (deaths, disasters, and some marriages). There are also anniversaries when we compare what might have been against what has actually happened (all the above, and more).
By 2005, malware existed that spread by Web pages, email, and other network services. "Blended" threats were common, including components spread by inadvertent user activation. Malware developers quickly overcame new defenses as they were devised, deploying alteration of OS functions, code to disable security mechanisms and antivirus programs, and self-modification to foil pattern-based detection. Some malware applied vendor software patches to prevent other malware from displacing it: ironically, that malware performed better at maintaining systems than their owners!
Malware now includes "social engineering" components to entice the careless, unprotected, and unwary. Phishing, botnets, cross-site scripting and SQL injection have become commonly known terms. There have been many notorious uses of malware, including political action in Estonia, supporting military actions against the country of Georgia, and spying on human rights activists and the Dali Lama.
Early malware was developed for bragging rights or out of curiosity; today's malware is often written by criminalsincluding organized crimeto commit fraud, distribute spam email, obtain identity and account data, and steal proprietary commercial information. Malware-generation tools have proliferated, including some posted online for anyone to use. Globally, annual losses from malware may total in the tens of billions of dollars (or more)and how do we put a price on the loss of national defense information, or the safety of activists opposed to oppressive regimes?
Tens of thousands of new instances of malware appear daily,e although it is impossible to get a precise count because of their often-polymorphic nature: a "new" version is created each time a download occurs. Of those, only a fraction is detected because of built-in stealth techniques and poor security practices by the victims. Current malware may remain without detection indefinitely (the APT or Advanced Persistent Threat; see http://www.wired.com/threatlevel/2010/02/apt-hacks/), and some botnets whose origins cannot be traced may include millions of compromised hosts (for example, Conficker).
Early malware was developed for bragging rights or out of curiosity; today's malware is often written by criminals.
The science fiction story of 40 years ago is now a scourge causing huge global losses and evolving as a new tool of organized aggression. The public is beginning to realize what specialists have known for years: these problems are getting worse. How did this happen? And what can we do about it?
In no particular order, some of the most notable factors contributing to the proliferation of malware have included:
We can reduce the malware problem by actions on four major fronts.
Economics. The economics of security need to be changed. This includes increasing our understanding of the long-term risks and cost-effectiveness of security-related choices to enable better choices by system owners and operators; reducing the barriers to competition that might lead to safer products such as by embracing vendor-neutral, open standards to improve portability; and reexamining those parts of regulatory and intellectual property regimes that interfere with research and (re)use of sound security features. Judicious use of rewards and penalties for product quality might help. Changes to liability protections for vendors, ISPs, and end users could also encourage more proactive actions by all involved.
Milieu. The public needs basic education about good security and privacy practices to make better-informed choices. Where private owners cannot afford necessary upgrades or services to "disinfect" and reconfigure their systems, public "computing health" organizations should be created: contaminated clients are a threat to the community as a whole. Although not without their own problems, some uses of virtualization and software as a service (SaaS) present opportunities for migration of end users away from poorly maintained systems.
There must be a change in the attitude that end users are solely responsible for their systems' security. Customers are not to blame that systems are shipped without appropriate safeguards, nor should they be forced to buy and maintain a large (and growing) set of additional protections to use their systems safely. Additionally, everyone should learn that patching a system is not security, and penetration testing is no substitute for proper design and development.
Technology. As a field, we should reexamine construction of smaller, more protected systems and applications. Known, effective techniques such as putting code in read-only devices, code whitelisting, integrity monitoring, and better separation of privileges could all play a role if used integrally rather than as add-ons. Tools, programming languages, and platforms in use should also be reexamined from the perspective of how to build functional, safe systems cost-effectively rather as instruments perpetuating legacy decisions. Test methods, including some that were previously considered to be too complex to be practical, should be reconsidered given our continually advancing capabilities.g
Law. Most malware is a law enforcement issue, not a military one; it is cybercrime, not cyberwar. Police need tools, trained personnel, authority, and a clear mandate to pursue the authors and operators of malware. This will require a concerted international effortbut the trends are clear that people in every country are at risk if effective actions are not taken. Perhaps, with some creativity, approaches other than traditional criminal statues might be employed, akin to using tax law violations to convict Al Capone. Authors and operators of malware presented with a significant risk of substantial penalties might instead choose to pursue more legitimate professions.
It has taken decades for computing to evolve into the current worldwide infrastructure. Malware and automated attacks have also been evolving, and the result is an increasing, usually unnoticed drag on our innovation and economy. We are now at a point where it is becoming an existential issue for some companies and even governments.
Current and past methods employed against malware have perhaps slowed the growth of the problem but certainly have not stopped it.
Current and past methods employed against malware have perhaps slowed the growth of the problem but certainly have not stopped it. If we simply continue to do more of the same we will continue to be victimized, and the problem will get worse. The longer we wait, hoping that piecemeal and uncoordinated responses will be enough, the more difficult (and expensive) it will be to address the problems when we finally attempt to do so.
Change requires resources, will, and time. We do not need to do everything everywhere at oncebut we do need to start. Unfortunately, some of those who are in the best positions to make changes are also under the most pressure to defer change precisely because it requires resources and disruption of the status quo. It is up to all of us to facilitate the changes that are neededbefore too many more anniversaries pass us by.
c. Early history of computer viruses can be found in many references, including "Virus" by E.H. Spafford in Internet Besieged: Countering Cyberspace Scofflaws; D. Denning and P. Denning, Eds., Addison-Wesley, 1997.
g. This is a special case of what I described in "Rethinking computing insanity, practice and research" available at http://snipurl.com/rethinking.
The Digital Library is published by the Association for Computing Machinery. Copyright © 2010 ACM, Inc.
No entries found