Source: [id: 41018; name: CSO; isActive: true; siteId: 3] -- CSO -- $content.altguid

Home » Data Protection » Malware/Cybercrime

Internet Endangered: Enter at Your Own Risk

In the coal mine of the Internet, the canaries have stopped singing.

By Scott Berinato

April 11, 2007 — CSO — No official announcement is forthcoming, but the Internet is broken and it can't be repaired. Oh, it's still there. You can still use it. Then again, if you went hiking and came across an old, broken-down mine shaft, you could still use that, too.

Sometimes reporters come to this kind of broad, presumptuous conclusion when a collection of otherwise unrelated reporting starts to form its own narrative. That is precisely what happened here. The idea that the Internet now suffers an incurably malignancy started its mitosis during my reporting of The Chilling Effect, CSO magazines January feature on Internet vulnerability disclosure. The picture that emerged from the interviews I conducted was one of an impossible-to-secure Internet overrun by vulnerabilities and legal quagmires. One source said, "There is no hope."

At the CSO Perspectives Conference a couple of months later, a security executive in the financial industry was ruefully reliving some phishing scams, conveying how hard they are to contain and how hopeless they are to prosecute. With a casual wave of his drink and a wry grin he said, "Well, it's not going to get better. The Internet wasn't built for this, was it? It was built for a bunch of academics to share information, not online banking." (He also shared the deliciously ironic story of the bank executive who tried to set up a personal account for online banking and quit in frustration because the multilayer security was too difficult to navigate.) At the same conference, a security consultant mentioned one client that was paying exorbitant sums of money to build a tightly controlled, discrete network for a sensitive project. Despite the obscene cost, the client felt it had no choice, because any other network, connected to the Internet, couldn't be protected.

The same week, a forensics expert was asked what the good guys can do to counter the growing technical and legal threat of anti-forensics. "There's not a hell of a lot they can do," he said. Meanwhile, on an online forum, a botnet expert published an exegesis on the state of security for critical DNS infrastructure. "There are operational issues of the highest importance that are not being addressed," he wrote. "The current situation can not go on."

All the while, stories accumulated, thick and steady like a wet spring snow. Zero-day exploits discovered, and two weeks later, 2,000 websites still host the exploit code and still penetrate unpatched systems; network infrastructure weaknesses publicly demod and network compromises exposed; identity thefts uncovered; spam tactics exploded; major public events exploited; criminal enterprises revealed.