Cyber security and the online arms race: the battle has just begun


Cyber security has been in the news a lot lately. Corporate giants have had their data stolen, intelligence agencies have had their websites taken down and hacker groups have become household names.

Closer to home, an Australian web hosting company distribute.IT confirmed yesterday that a June 11 hack of its servers had rendered the data of almost 5,000 clients “unrecoverable”.

The recent spike in online criminal activity has led some industry players to call for a significant overhaul of Australia’s cyber security laws and, indeed, the Federal Government has taken steps down that path.

All of this raises a particularly pertinent question: is the threat of online attack inevitable, or is there a way to make the internet an inherently safer place to work, play and shop?

Security giants

A recent public lecture delivered by Eugene Kaspersky – CEO and co-founder of one of the world’s largest anti-virus companies, Kaspersky Lab – shed some light on this very subject.

Kaspersky’s interest in anti-virus systems was triggered when his computer was infected by a virus way back in 1989.

This computer virus stimulated his curiosity, and he started to compile a database of each new computer virus he encountered. This database of virus “signatures” became the basis for his first anti-virus software tool.

In those early days of the internet, the author of the virus that infected Kaspersky’s computer was probably also motivated by curiosity – in this case, curiosity to see whether it was possible to write a program that could spread between computers, even without the owners of those computers knowing.

While curiosity was a major driving force behind both the unknown author of the virus and Eugene Kaspersky’s response, it’s clear that cyber security is no longer the domain of curious amateurs.

Serious business

Cyber crime is now a thriving industry driven by those within more traditional criminal circles and, according to Kaspersky, the second most lucrative criminal activity behind the illegal drug trade.

So just how do hackers make money?

Well, consider the case of “distributed denial-of-service” (DDoS) attacks. In an attack of this kind, an online business or service is disabled by a flood of malicious requests via the internet. DDoS attacks can be used to:

  • Swamp an online betting agency with bogus transactions that overwhelm its servers, thus denying access to legitimate customers.
  • Blackmail online businesses by threatening to close down the business unless protection money is paid.
  • Disable online government services, as was the case in February of this year when Australian government websites were attacked.

For DDoS attacks to be effective, attackers need to generate a high volume of malicious requests, which means having a large number of computers at their disposal.

Attackers can use computer viruses and other pieces of malicious software (or “malware”) to gain control of legitimate users’ computers.

A tangled web we weave

These infected computers (collectively known as a “botnet”) can then be used to launch large numbers of malicious requests in a DDoS attack at the attacker’s command. According to Kaspersky, recent botnet DDoS attacks have involved as many as ten million infected computers.

(By way of contrast, “only” a one-million-machine botnet was needed to take down most of Estonia’s online infrastructure in 2007.)

In response to these growing attacks, the network managers of online networks and services continually need to deploy higher-capacity servers and network links, together with filtering systems such as anti-virus software and network “firewalls”.

While this approach to defence aims to protect the target of an attack, it does little to stop the attack at its source, namely, the infected computers. Indeed, all that has emerged is an online arms race in which attackers and defenders are always trying to up the ante.

So, is there a silver bullet to network security that will defuse this arms race?

Catching cyber-criminals

One possible approach suggested by Eugene Kaspersky (among others) is to trace where requests to access online services are coming from.

In practical terms this might mean the introduction of some form of online identification – an internet passport, if you like. If a user was found to be engaging in questionable online behaviour – such as requesting the same page from a web server repeatedly in a short period of time – the user would need to produce their online identification in order to proceed.

Such methods would make it easier to trace perpetrators of cyber crime and, ideally, discourage such behaviour in the first place.
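The behaviour check described above (the same page requested repeatedly in a short period, followed by a request for identification) can be sketched as a sliding-window detector over an access log. This is an added example, not code from the article or from Kaspersky Lab; the log format, the thresholds and the function name `clients_to_challenge` are assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime

def _line(client, second, path):
    # Constructed log format (an assumption): "<ISO time> <client> <method> <path>"
    return f"2024-01-01T10:{second // 60:02d}:{second % 60:02d}+00:00 {client} GET {path}"

# Constructed sample log; client addresses come from documentation-only ranges.
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", s, "/odds") for s in range(8)]            # one page, 8 hits in 8 s
    + [_line("198.51.100.20", s * 12, "/odds") for s in range(6)]   # same page, 12 s apart
    + [_line("198.51.100.35", s, f"/page{s}") for s in range(8)]    # fast, but different pages
    + ["garbage line that does not parse"]
)

def clients_to_challenge(log_text, max_hits=5, window_seconds=10):
    """Return {client: (path, time)} for clients that requested one page more
    than max_hits times within window_seconds; these would be asked to
    identify themselves before continuing."""
    recent = defaultdict(deque)   # (client, path) -> timestamps inside the window
    flagged = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue              # skip malformed lines rather than guess
        stamp, client, _method, path = parts
        try:
            ts = datetime.fromisoformat(stamp)
        except ValueError:
            continue
        # Assumes each client's own lines appear in time order.
        hits = recent[(client, path)]
        hits.append(ts)
        while (ts - hits[0]).total_seconds() > window_seconds:
            hits.popleft()        # drop requests that fell out of the window
        if len(hits) > max_hits and client not in flagged:
            flagged[client] = (path, ts)   # record the first trigger only
    return flagged

if __name__ == "__main__":
    for client, (path, when) in clients_to_challenge(SAMPLE_LOG).items():
        print(f"challenge {client}: repeated requests for {path} at {when.isoformat()}")
```

With the default thresholds only the client hammering a single page is flagged; the slow repeat visitor and the client browsing many different pages are left alone.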

While better verification of the identity and reliability of users on the internet could help in the ongoing fight against cyber crime, it’s certainly not a silver bullet. This type of verification can itself become the target of a DDoS attack.

Indeed, no single strategy has yet been proven effective in protecting the internet from the persistence of attackers, nor is a single solution likely to emerge.

While the problem of cyber crime may never be completely eradicated, we can only hope that our efforts will someday raise defences to the point where it is uneconomic for attackers to continue with these types of attacks.