Jayant Gandhi

Defense in a Virtual World
Protecting Ourselves in the Age of Cyber Threats

Cyber-attacks pose a very real threat to everyone who uses the Internet: not only individuals, but corporations and governments as well. Accountability is not as easily determined as it is in the physical world, because it is nearly impossible to trace an attack back to its source. The Internet’s ability to transcend borders turns this security issue into an international one. So how can the international community effectively deal with the threat of cyber-attacks? International cooperation to strengthen current security software is the best option in the short run. The Internet was not designed with security in mind; security was an afterthought, and this is apparent in the tools used to protect it. Firewalls and anti-virus software are incomplete because they rely on libraries of known malware that quickly go out of date. The only remedy is to take a more active role. The private sector began to hire hackers to attack its own software and then used the data collected from those attacks to fix the vulnerabilities they had exploited. This method eventually spread from individual companies to industry-wide events. The only complete solution is to rebuild the Internet with security in mind, a task being undertaken by the National Science Foundation. The best short-term solution, however, is to increase international cooperation in the way private corporations already cooperate: continually testing the Internet for security vulnerabilities and repairing them before hackers exploit them.

Security in the Virtual World

Since the introduction of the Internet, cyber-attacks have been a constant threat to its users. Unlike attacks in the physical world, these virtual attacks are nearly impossible to trace back to their sources, so normal methods of deterrence are not effective. An attacker has little or nothing to lose by initiating an attack. In the virtual world, there is always an incentive to be the first to attack.

This poses a dilemma for states. States cannot threaten retaliation because of the difficulty in tracking where an attack came from; therefore any form of deterrence akin to the strategy of Mutual Assured Destruction would not work. Similarly, a state cannot always be on the offensive, because this would most likely cause the state more trouble than good and increase the likelihood that it could be detected. Building an effective defense is the only way to protect oneself.

This problem becomes magnified by the international nature of the Internet. By transcending borders, the security threats posed by cyber-attacks have developed into an international issue. The cyber-attacks on Estonia in 2007 and the Stuxnet worm in Iran demonstrate that these attacks in the virtual world can have very real effects (whether that is by consuming the resources of an entire government for a time, or sabotaging equipment used in nuclear facilities). So how can the international community effectively deal with the threat of cyber-attacks?

The Internet was not designed with safety in mind and its own evolution has led to several features that can be exploited by hackers. They benefit from nearly perfect anonymity and can turn the very thing that makes the Internet so beneficial (increased interconnectivity) against their target. This has led us to a very precarious position in internet security.

All the security systems we have in place now have been retrofitted. This leads to a plethora of internal flaws that can only be fixed by constant updating. Firewalls and anti-malware software (the two leading security measures) rely on extensive libraries of known attacks and known malware and are not good at dealing with evolving attacks. The problem is that most hackers are constantly modifying their malware in order to circumvent the security software. Security experts are perpetually left one step behind as they rush to identify and protect against the latest virus.

In all this commotion, private companies have been left to fend for themselves. Whereas a physical attack causing massive damage would (hopefully) be stopped by the protection of the state in which the company resides, there exists no such protection in the virtual realm. A few companies responded to this absence by banding together and holding annual security conferences whose goal is to hack these companies’ software in an attempt to locate all the holes in its security. This has gone a long way toward improving Internet security, because this level of cooperation has given security experts the edge they needed to catch up with hackers.

There have also been talks of a complete overhaul of the Internet itself. The National Science Foundation (NSF) has proposed building a new internet from scratch with their Future Internet Design (FIND) program. Eliminating the security problems inherent to the Internet would be a great victory for cyber-safety, but there are still concerns. Will this new internet work as efficiently as the current one does? Will it open the door for new bigger problems? These are questions that need to be addressed before this idea can be effectively implemented.

In the short term, however, the best hope for internet security lies in the cooperation of the international community. If the international community can mimic what private corporations have already begun doing, it would go a long way to ameliorating the state of internet security. By increasing the amount of information and resources shared by security experts they stand a better chance at identifying and disarming threats before they get out of hand.

Malware 101

So how do hackers threaten the security of the Internet? They use malware. Short for malicious software, malware is the principal tool for anyone wishing to execute an effective cyber-attack. This ‘bad’ software finds its way onto a victim’s computer and then executes its programmed directive. The results can be as benign as unwanted advertisements opening in one’s web browser, or as severe as a complete system failure that forces the user to wipe their hard drive.

These pieces of code are readily available online for a price, and recent advances in tooling are making them more and more user friendly, so the world of malware is no longer restricted to veteran programmers. Malware also comes in many varieties, enabling hackers to pick and choose the specific characteristics they need.[i]

Of these types, the most common are viruses, worms, and Trojan horses. Each of these has its own strengths and weaknesses and has the potential to inflict considerable damage. All three are designed to make their way onto a victim’s computer undetected and then complete their mission.

Viruses are perhaps the best known of the different types of malware, because they are usually the most obvious. Viruses are not standalone programs. They require a complete piece of software to ‘piggy-back’ on and (usually inadvertent) user interaction to gain access to the computer. A user can pick up a virus from a deceptive e-mail, sent from an already infected machine, that tricks the recipient into opening an attachment, or from a website that is hosting it. In a 2008 analysis of 4.5 million URLs, Google found that 700,000 of them were possible hosts for malware. Another study added that only about 20% of these websites were intentional hosts.[ii]

Once infected, the original software now becomes a tool for the virus; every time it is activated the virus runs as well. When the virus runs it not only causes whatever damage it was intended to do, but also attaches itself to other programs in order to replicate, making it that much harder to find and stop. It will then seek to spread to other computers. Normally this is achieved by hijacking a user’s email account or any other program that uses network access.

The other most common form of malware is the worm. The Stuxnet worm is a famous recent example and illustrates the nature of worms well. Unlike viruses, worms are independent pieces of software. They do not attach themselves to programs within the victim’s computer; rather, they locate specific security holes in networked systems and copy themselves from computer to computer without any host program or user action. For this reason worms are described as self-propagating, not merely self-replicating.

Worms can spread incredibly fast once they have gained access to a network. In 2001, a worm called Code Red infected over 250,000 systems in just 9 hours.[iii] Once dispersed, a worm then unleashes its payload. In the 2010 Stuxnet attack, this meant modifying the code that controlled the frequency converters driving Iranian centrifuges so that they rotated at varying frequencies. Because of their fast rate of diffusion and efficiency at executing their directive, worms are often used to create large botnets[1] that are then used in Distributed Denial of Service (DDoS) attacks. However, this fast expansion also reveals one of a worm’s weaknesses. In the process of replication it consumes a large share of the computer’s processing power and the network’s bandwidth, and its burst of connection attempts to many hosts at once briefly exposes it to a vigilant network administrator.[iv]
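The exposure described above is something a network administrator can look for directly. The following is an added example (not part of the original essay) that applies the two tell-tale signs of a scanning worm, unusually high fan-out and a high share of unanswered connection attempts, to connection records. The record format, the thresholds and the addresses are assumptions, and the sample traffic is constructed, not captured. It deliberately includes a monitoring host with high fan-out but no failures, which a fan-out-only rule would wrongly flag.

```python
"""Spotting worm-style scanning in connection records.

Added example, not part of the original essay. Each record is a constructed
tuple (timestamp_seconds, source_ip, dest_ip, dest_port, outcome), where
outcome is "ok" for a completed connection and "syn" for an attempt that got
no reply. Thresholds and addresses are assumptions for illustration.
"""
from collections import defaultdict

WINDOW_SECONDS = 60      # sliding window over each source's attempts
MAX_DISTINCT_HOSTS = 20  # fan-out a normal client rarely reaches in a window
MAX_FAILURE_RATIO = 0.8  # worms probe many dark addresses, so most attempts fail


def scanners(records, window=WINDOW_SECONDS, max_hosts=MAX_DISTINCT_HOSTS,
             max_fail=MAX_FAILURE_RATIO):
    """Return {source_ip: (distinct_targets, failure_ratio)} for every source
    that, within one window, touched at least max_hosts distinct hosts with
    at least max_fail of those attempts unanswered."""
    by_src = defaultdict(list)
    for ts, src, dst, port, outcome in sorted(records):
        by_src[src].append((ts, dst, port, outcome))

    flagged = {}
    for src, events in by_src.items():
        start = 0
        for end in range(len(events)):
            # Advance the window start until it spans at most `window` seconds.
            while events[end][0] - events[start][0] > window:
                start += 1
            win = events[start:end + 1]
            targets = {dst for _, dst, _, _ in win}
            if len(targets) < max_hosts:
                continue  # high fan-out is the first requirement
            failures = sum(1 for *_, outcome in win if outcome == "syn")
            ratio = failures / len(win)
            if ratio >= max_fail:
                flagged[src] = (len(targets), round(ratio, 2))
                break  # one alert per source is enough
    return flagged


def sample_records():
    """Constructed traffic: a workstation, a monitoring host, and an infected host."""
    recs = []
    # Workstation: talks to five web servers, every connection completes.
    for i in range(30):
        recs.append((i * 2, "10.0.0.5", f"10.0.2.{i % 5 + 1}", 443, "ok"))
    # Monitoring host: polls forty devices over SNMP; high fan-out but all answer.
    for i in range(40):
        recs.append((i, "10.0.0.9", f"10.0.3.{i + 1}", 161, "ok"))
    # Infected host: sweeps a /24 on TCP 445, two attempts per second; only
    # one address in ten is alive, so nine in ten attempts go unanswered.
    for i in range(60):
        outcome = "ok" if i % 10 == 0 else "syn"
        recs.append((i * 0.5, "10.0.0.7", f"10.0.1.{i + 1}", 445, outcome))
    return recs


if __name__ == "__main__":
    for src, (hosts, ratio) in scanners(sample_records()).items():
        print(f"possible worm: {src} hit {hosts} hosts, {ratio:.0%} unanswered")
```

Only the infected host is reported: the workstation never reaches the fan-out threshold, and the monitoring host reaches it but with every attempt answered. Requiring both signals together is what keeps the rule quiet on legitimate high-fan-out services.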

While viruses and worms sneak onto a computer by exploiting security holes in software and networks, Trojan horses take the more direct approach. This type of malware poses as a useful piece of software. An unsuspecting user downloads or installs the Trojan horse thinking it is the program they wanted. Once run, however, it carries out its hidden malicious function (for example, wiping the victim’s hard drive).

The major drawback of Trojan horses (from the hacker’s perspective) is that they rely completely on user interaction and have no way to replicate themselves. This limits their applications tremendously and demands greater creativity to entice users into installing them. Conversely, because a Trojan horse does nothing suspicious until it is run, it is harder to detect and often goes unnoticed until it has already caused significant damage across a number of systems, at which point its presence becomes visible.

No matter how a computer becomes infected by malware the intended goals usually fall into three categories. (1) They can damage the computer by erasing information or inserting faulty code. This can lead to a fatal error, forcing the victim to erase their hard drive. (2) They can gather information from the computer and send it to another location. This is normally done in preparation for a larger attack to check for the weakest spots in the computer’s security. (3) They can give commands directly to the computer, which could lead to physical and/or economic damage or turn the computer into a zombie[2]. All three have the potential to inflict great harm not only to individual users, as was formerly the case, but also to large companies and even government networks.

How the Internet Has Helped Hackers

The Internet has been an incredible boon to hackers. When the internet was being designed, very little thought was given to security; the idea of malware as a major problem seemed farfetched. At the time, most viruses were used in harmless pranks between computer scientists and worms were a legitimate tool for performing system maintenance.[v] Any actual malware that existed was more of a nuisance than a threat. However, as the Internet spread and the number of users increased, the opportunity to profit by turning these formerly benign forms of software into tools of aggression became a big enough incentive for hackers to invest in developing and evolving more malware.

The first and most important flaw of the Internet is its support for anonymity. This has allowed hackers to operate with virtually no repercussions. IP addresses[3] were not meant to be used to locate specific people, they were only meant to facilitate communication between two computers by giving them a way to identify each other in networks with multiple computers. Since the introduction of malware into widespread use, security firms have been working with Internet Service Providers (ISPs) to trace attacks back to an individual by way of IP address.

At first this seemed like a promising method for bringing cyber-criminals to justice; however, hackers were one step ahead and learned how to hide or spoof their IP addresses. Many websites operate CGI (Common Gateway Interface) proxies, which let a user reach a website through the proxy’s server rather than directly, so the target sees the proxy’s address instead of the one assigned by the user’s ISP. Hackers can also use programs that hide their IP address by routing traffic through an encrypted network of relays between the user and the target computer.[vi] Darknets[4] are another way to avoid IP address tracing. A hacker operating within a darknet presents an address that the ISP’s records do not associate with them, defeating regular IP address tracing.

Peer-to-Peer (P2P) networks have also proven useful to hackers. These networks were originally developed to facilitate file-sharing between peers. There is no need to connect to a central server, as each member both sends and receives data. Unlike a client-server system, a P2P network will not fail if one member does. It increases in capacity as more devices join and is much cheaper to run, as it does not require the dedicated server and administrator of a client-server network. The problem with this feature of the Internet arises when extra overlay networks are added. A P2P network is itself an overlay on top of the regular IP network, but when further overlays are created and traffic is routed through them in such a way as to obscure the identities of the members, a darknet is created.

Another flaw in the design of the Internet is the lack of authentication. Vinton Cerf, co-inventor of the TCP/IP protocol[5], said in an interview with FORA.TV that one of the things he would change about the Internet would be the inclusion of authentication at various levels to help a user tell who they are communicating with.[vii] Currently the protective measures in common use (the most prevalent being firewalls) were developed separately from the Internet’s core protocols and therefore have their limitations.

This lack of authentication leaves security completely in the hands of software developers, who often overlook minute details that could be exploited by a clever hacker. Viruses are expressly designed to attach themselves to software through these weaknesses. In this vacuum of security, developers have had to create retrofitted systems for protecting computers from malware attacks. These methods are forced to work from outside the structure of the Internet, and this puts them at a disadvantage to the malware that exploits that very structure.

Current Internet Security

One of the salient features of the Internet security industry is that it is constantly changing; it has to be in order to keep up with ever-evolving malware. The major aspect that has not changed, however, is the two main methods for dealing with and defending against malware: firewalls and anti-virus software. The reason for this constancy is partly that these methods have been effective, but their effectiveness is only relative to the alternatives and not an absolute measurement.

Neither firewalls nor anti-virus software is a perfect solution. Most Internet users have some form of anti-virus software installed on their computers now, and it is nearly impossible to find an Internet connection that does not have at least the most primitive firewall set up. The fact that malware attacks still occur frequently shows that this is an incomplete solution.

Firewalls are the strongest form of protection available. A firewall can be set up in an office environment, where a large internal network is connected to the Internet through it, or in a home environment, where computers usually have more direct Internet access. Firewalls work by controlling the flow of traffic to and from the Internet, in one of three ways. A firewall uses either (1) packet[6] filtering, which compares each packet’s header fields (addresses, ports, protocol) against a set of rules; (2) a proxy service, which terminates the connection itself and fetches the requested data on the client’s behalf, inspecting it before passing it on; or (3) stateful inspection, which tracks each connection and admits an inbound packet only if it belongs to a connection that an inside host has already opened, rather than judging every packet in isolation.[viii]
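The difference between methods (1) and (3) is easiest to see on a packet that an attacker has dressed up to look like a reply. The following is an added example (not code from the original essay) contrasting a header-only packet filter with a stateful filter that remembers which connections inside hosts opened. The inside network 10.0.0.0/8, the ports and the packet dictionaries are assumptions; 93.184.216.34 and 198.51.100.7 are documentation/test addresses.

```python
"""Stateless packet filtering versus stateful inspection.

Added example, not from the original essay. Packets are dicts of header
fields; addresses, ports and the inside network 10.0.0.0/8 are assumptions.
"""
from ipaddress import ip_address, ip_network

INSIDE = ip_network("10.0.0.0/8")


def is_inside(ip):
    return ip_address(ip) in INSIDE


def stateless_allow(pkt):
    """Packet filter: judge each packet by its own headers.

    Inside hosts may initiate anything. To let replies to outbound HTTPS
    requests back in, the filter has to admit any inbound TCP packet whose
    source port is 443, and an outsider can set that source port at will."""
    if is_inside(pkt["src"]):
        return True
    return pkt["proto"] == "tcp" and pkt["sport"] == 443


class StatefulFilter:
    """Stateful inspection: remember connections an inside host opened and
    admit inbound packets only if they belong to one of them."""

    def __init__(self):
        # (inside_ip, inside_port, outside_ip, outside_port) of open connections
        self.connections = set()

    def allow(self, pkt):
        if is_inside(pkt["src"]):
            self.connections.add((pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]))
            return True
        # Inbound: accept only the mirror image of a tracked outbound flow.
        return (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"]) in self.connections


def demo():
    """Run three packets through both filters; returns the two verdict lists."""
    outbound = {"proto": "tcp", "src": "10.0.0.5", "sport": 51000,
                "dst": "93.184.216.34", "dport": 443}
    reply = {"proto": "tcp", "src": "93.184.216.34", "sport": 443,
             "dst": "10.0.0.5", "dport": 51000}
    # An outsider dresses a probe of the RDP port up as a web reply.
    probe = {"proto": "tcp", "src": "198.51.100.7", "sport": 443,
             "dst": "10.0.0.5", "dport": 3389}
    packets = (outbound, reply, probe)
    stateful = StatefulFilter()
    return {
        "stateless": [stateless_allow(p) for p in packets],
        "stateful": [stateful.allow(p) for p in packets],
    }


if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(name, verdicts)
```

The stateless filter passes all three packets, including the probe, because nothing in the probe's headers distinguishes it from a genuine reply. The stateful filter passes the real reply, since it matches a connection the inside host opened, and drops the probe. A real stateful firewall also expires table entries and tracks TCP flags; this model keeps only the connection table, which is the part that makes the difference here.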

In theory, a firewall can be 100% effective and block all malware and unwanted content, but this would also bring internet use to a halt by blocking all content. The only way to use a firewall then is to balance between allowing and stopping traffic. This can be done to varying degrees of security, but even the most well balanced firewalls often fall short. A November 2011 study conducted by Larry Suto (a security industry expert) found that a properly set up firewall can block about 79% of attacks.[ix]

Anti-virus software is not designed to prevent malware from entering a computer, but rather provides a method of dealing with it once the computer is infected. It does this by monitoring the files on the computer for signs of malware. This type of software relies heavily on virus dictionaries (databases of signatures such as file hashes or characteristic byte sequences) against which files are compared to identify known viruses. When a virus is detected, the software can delete, quarantine, or attempt to repair the file.[x]
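This reliance on dictionaries is why the earlier observation that hackers only have to modify their malware to slip past security software holds. The following is an added example (not from the original essay) that scans a constructed "known bad" file with three kinds of signature of increasing tolerance, then shows how much of the detection survives two cheap modifications. The sample file and the signature names are constructed for illustration; no real malware is involved.

```python
"""Signature scanning and how small changes defeat it.

Added example, not from the original essay. The "known bad" file and the
three signatures are constructed for illustration; no real malware is used.
"""
import hashlib

# Constructed sample: a fake executable header, a destructive command string,
# and some filler.
KNOWN_BAD = (b"MZ\x90\x00" + b"\x00" * 12
             + b"cmd /c del /q /s C:\\*" + b"\x00" * 8)

# Wildcard pattern in the style of YARA's "??": any byte may stand for the drive letter.
WILD_PATTERN = list(b"cmd /c del /q /s ") + [None] + list(b":\\*")

SIGNATURES = {
    # Whole-file hash: the narrowest signature; any change to the file defeats it.
    "Wiper.A/sha256": {"type": "sha256", "value": hashlib.sha256(KNOWN_BAD).hexdigest()},
    # Exact byte string: survives edits elsewhere in the file, not edits to the string.
    "Wiper.A/bytes": {"type": "bytes", "value": b"cmd /c del /q /s C:\\*"},
    # Wildcard string: tolerates the expected variation, still a fixed shape.
    "Wiper.A/wild": {"type": "wild", "value": WILD_PATTERN},
}


def match_wild(data, pattern):
    """True if `pattern` (ints, or None for any byte) occurs anywhere in `data`."""
    n = len(pattern)
    return any(all(p is None or data[i + j] == p for j, p in enumerate(pattern))
               for i in range(len(data) - n + 1))


def scan(data, signatures=SIGNATURES):
    """Return the names of all signatures that match `data`."""
    digest = hashlib.sha256(data).hexdigest()
    hits = []
    for name, sig in signatures.items():
        if sig["type"] == "sha256" and digest == sig["value"]:
            hits.append(name)
        elif sig["type"] == "bytes" and sig["value"] in data:
            hits.append(name)
        elif sig["type"] == "wild" and match_wild(data, sig["value"]):
            hits.append(name)
    return hits


def variants():
    """The original sample plus two cheap modifications an attacker might make."""
    return {
        "original": KNOWN_BAD,
        # One appended byte: the hash changes, the strings do not.
        "repacked": KNOWN_BAD + b"\x00",
        # Retargeted to drive D: the exact string no longer appears.
        "retargeted": KNOWN_BAD.replace(b"C:\\*", b"D:\\*"),
    }


def detections():
    """Map each variant name to the number of signatures that still catch it."""
    return {name: len(scan(data)) for name, data in variants().items()}


if __name__ == "__main__":
    for name, data in variants().items():
        print(f"{name:11s} -> {scan(data) or 'NOT DETECTED'}")
```

The original is caught by all three signatures, the repacked copy by two, and the retargeted copy only by the wildcard pattern. Each step the attacker takes costs almost nothing, while each step the defender takes to keep up is a new dictionary entry that has to be written, tested and distributed to every user, which is the lag the essay describes.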