Following a six-month, bipartisan study, Sens. Sheldon Whitehouse (D-RI), Barbara Mikulski (D-MD) and Olympia Snowe (R-ME) have concluded that by following simple precautions like using and updating anti-virus software, average internet users can help secure America’s information networks.
“Simply put, computer users must practice active cyber self-defense,” the senators wrote in an editorial on cnn.com. “This means that if users would allow automatic, and generally free, software updates and maintained up-to-date anti-virus software, most cyber threats could be defeated.”
Almost 20 percent of cyber attacks originate from within the United States, three times more than any other country in the world. This doesn’t necessarily mean the cyber criminals behind these attacks are U.S.-based (the problem of attribution in cyberspace is a major headache for security professionals), but it does mean criminals hijack more computers in the United States than anywhere else.
These hijacked computers, or “bots,” are grouped together into “botnets” by professional hackers, often overseas, and used to carry out large-scale attacks. Attacks that use botnets include “distributed denial-of-service” (DDoS) attacks to bring down Internet service by simultaneously requesting massive amounts of data from targeted networks, and “phishing” attacks to steal personal data or create new “bots” by embedding malicious code known as “Trojans” or “worms” into spam email messages sent to millions of unsuspecting recipients.
In other words, the computer you’re using to read this post might be distributing malware to thousands of other computers, and you would have no way of knowing.
Fortunately, it’s pretty easy to keep your computer out of botnets. In fact, most of the bugs used to exploit computers in this way have already been fixed through free software updates and most malware can be spotted by off-the-shelf anti-virus software. Problem is, even though most software updates are free and off-the-shelf consumer, anti-virus software costs about $50 per year (compared with more than $1,000 for a new laptop), many Internet users don’t take the basic precautions that can prevent most of these attacks.
The senators write, “according to a recent report by Symantec, one-third of all Internet attacks between April and June 2010 sought to exploit a vulnerability in Microsoft Internet Explorer for which a patch has been available since 2004. The attack remains popular with hackers because six years later, many computers are still not patched.”
In other words, surfing the web with an un-updated browser and no anti-virus protection is like “hit[ting] the road in a car with bad brakes, no seat belts and worn tires:” an accident waiting to happen. In the same way a single careless driver can cause a 20-car pileup on the Beltway and claim innocent lives, a single unsecured computer can start a botnet that could take down a piece of critical infrastructure and cause millions of dollars in damage.
Moore’s law tells us that processing power doubles every 18 months, and that has held true since the 1970s, and Nielsen estimates there were 250 million Internet users in America on Dec. 31, 2009. In other words, there are at least 250 million potential bots in America, and each one has more computing power than cutting-edge microprocessors had 10 years ago. While there is no way to determine how many American computers are currently unwitting partners in botnets, the Mariposa botnet that was broken up this year had 12.7 million personal computers at its disposal.
Brute force defense against cyber crime isn’t feasible when criminals have such massive numbers at their beck and call. But if every American just kept their anti-virus software, operating system and web browser up-to-date, millions of computers could be taken out of these illicit networks. At the very least, if we apply the solutions we already have to cyber vulnerabilities, we can force hackers to spend their time working on new exploits instead of counting the billions of dollars they make annually dealing in stolen intellectual property and personal information.
In fact, when they’re not using them, hackers rent out their botnets for an average of $67 per day. It’s only a matter of time before terrorist organizations figure out they can do massive damage with little fear of reprisal by hiring hijacked American computers to damage American computer networks.
While targeted attacks on corporations and defense networks are long-term affairs that involve skilled hackers writing custom malware and playing cat-and-mouse with network administrators, the bulk of the cyber threat consists of tried-and-true viruses exploiting vulnerabilities in personal computers for which there is already a patch.
Keeping your software updated won’t just make your computer run smoother and faster; it’s the most important step every citizen should take in the fight against cyber threats.
Follow me on Facebook