Internet Endangered: Enter at Your Own Risk

Apr 11, 2007

No official announcement is forthcoming, but the Internet is broken and it can’t be repaired. Oh, it’s still there. You can still use it. Then again, if you went hiking and came across an old, broken-down mine shaft, you could still use that, too.

Sometimes reporters come to this kind of broad, presumptuous conclusion when a collection of otherwise unrelated reporting starts to form its own narrative. That is precisely what happened here. The idea that the Internet now suffers an incurable malignancy started its mitosis during my reporting of The Chilling Effect, CSO magazine’s January feature on Internet vulnerability disclosure. The picture that emerged from the interviews I conducted was one of an impossible-to-secure Internet overrun by vulnerabilities and legal quagmires. One source said, “There is no hope.”

At the CSO Perspectives Conference a couple of months later, a security executive in the financial industry was ruefully reliving some phishing scams, conveying how hard they are to contain and how hopeless they are to prosecute. With a casual wave of his drink and a wry grin he said, “Well, it’s not going to get better. The Internet wasn’t built for this, was it? It was built for a bunch of academics to share information, not online banking.” (He also shared the deliciously ironic story of the bank executive who tried to set up a personal account for online banking and quit in frustration because the multilayer security was too difficult to navigate.) At the same conference, a security consultant mentioned one client that was paying exorbitant sums of money to build a tightly controlled, discrete network for a sensitive project. Despite the obscene cost, the client felt it had no choice, because any other network, connected to the Internet, couldn’t be protected.

The same week, a forensics expert was asked what the good guys can do to counter the growing technical and legal threat of anti-forensics. “There’s not a hell of a lot they can do,” he said. Meanwhile, on an online forum, a botnet expert published an exegesis on the state of security for critical DNS infrastructure. “There are operational issues of the highest importance that are not being addressed,” he wrote. “The current situation can not go on.”

All the while, stories accumulated, thick and steady like a wet spring snow. Zero-day exploits discovered, and two weeks later, 2,000 websites still host the exploit code and still penetrate unpatched systems; network infrastructure weaknesses publicly demo’d and network compromises exposed; identity thefts uncovered; spam tactics exploded; major public events exploited; criminal enterprises revealed.

And this is just what’s publicly known. Sources tell reporters you-didn’t-hear-it-from-me stories all the time, like the one an investigator told me about the credit card processing service that exposed 130 merchants’ card transactions.

The sheer volume of serious security events doesn’t blow your mind, it numbs it. And then comes something like Gozi.

Gozi is a bot that steals sensitive data off PCs. It can install itself without user intervention; all you do is visit a website (more coverage coming soon). It’s a significant bot, but not because it’s some technical marvel; it ranks in the middle on the malware sophistication index. What makes Gozi significant is that despite the fact that it has mostly disappeared from public consciousness after one fickle online news cycle, it still severely threatens the public. Despite the fact that banks have barely acknowledged it, their customers are the primary targets. Despite the fact that online banking uses SSL, Gozi gets around it. Multi-factor authentication? Some variants are working out ways to defeat it. Despite the fact that researchers and law enforcement know precisely how Gozi works, it still works. It has not been contained. As this is being written, personal data culled with Gozi variants is being peddled on the black market, and despite an ongoing investigation, no one is stopping it. Few are even talking about it. They are numb to it.

Don Jackson, the researcher who discovered Gozi, is not numb, he’s alarmed. He wants to talk about Gozi and its implications. He works for a company that provides security services. He says, “I have a very pessimistic outlook on the question of what are we going to do. I think it’s inevitable. Mass identity theft, or anything you do online…there will be a run on that information. Gozi uses reasonably simple exploits. If someone knows what they’re after and can target their attack” (which is precisely what someone is trying to do with another worm Jackson’s researching) “there’s really no defense against it at all.”

There it was. No defense at all. A strand that entwined itself with all of the other strands of reporting that had been piling up over the past six months. No hope. Not a hell of a lot they can do. No choice. The current situation can not go on. It’s not going to get better. They wove and they wound until the thread thickened into this solid idea: The Internet is broken.

And it can’t be fixed. How long before the toxic environment collapses like the veins of an old mine shaft? How long will consumers tolerate the unstable, ungovernable place it’s becoming? At what point do the risks that they’ve borne to date in order to explore the mine become too dangerous to dare? Where are the big thinkers, the big idea for a public works project that will rebuild the mine shaft into something useful, or seal it up for good and start over? Who are the visionaries that can devise a stable, secure public network?

The canary has stopped singing. What do you see coming next?