Problems on the Internet

This section discusses problems on the Internet - that is, problems which affect people who use the Internet. Examples are a deluge of unwanted spam emails, viruses taking over people's computers and well-disguised attempts to defraud people of the contents of their bank accounts, insurance policies and life savings.

The Internet itself works extremely well. The problems discussed here are problems of human behaviour. These problems - a better term is 'attacks' - are generated by people who, for a variety of reasons, want to pursue their own agendas on the Internet at a cost to others.

Attackers

In the Internet's early days, those who abused it were seen by many as harmless explorers, or even as romantic heroes who were pushing back the boundaries of technical knowledge. If it was ever true, that scenario is now out of date. Today, viruses are designed to compromise machines so they can be used to send spam or attack web sites; networks of compromised machines are sold or rented.

People attack others over the Internet for a variety of reasons, including social status among their peers, for entertainment, for petty theft, for ideology, or to prove to themselves that they are capable [Know Your Enemy, (Honeynet Project 2004), by Max Kilger et al. Esp. chap. 16 ]. They apparently believe that this is acceptable behaviour, or at least that they will not get caught because of the difficulties of tracing people across the Internet and the problems of transnational jurisdiction. New Zealand-based research [ Disinhibition on the Internet: Implications and Intervention, by Quentin Atkinson, University of Auckland.] shows that communications across the Internet are subject to a form of disinhibition in which participants behave quite differently online compared with how they would behave in the real world. [For a tragic example see the story of Brandon Vedas ].

With the increasing use of the Internet for business, Internet attacks have also become a tool of organised crime gangs for extortion and fraud. This is now a very serious problem world wide. [For example: Bookies suffer online onslaught, BBC News 19 March 2004. ] According to the National High Tech Crime Unit in the UK [Presentation at AusCERT2004 by Detective Superintendent Mick Deats, Deputy Head of NHTCU] , these gangs have built on their traditional activities of prostitution, drug sales and extortion, to use the Internet to do similar things online. They operate from countries where organised crime is common, and see Internet crime as low risk, high reward. In July 2004, three men were arrested in Russia in connection with these attacks. [ Bookies extortion gang caught, BBC News 21 July 2004. ]

The Internet has brought great benefits to people over most of the globe. Unfortunately, it has also enabled criminal behaviour at a distance, across international boundaries. It lets the unscrupulous exploit others whom they never meet and with whom they have little in common. It amplifies the scope of traditional criminal behaviour by giving criminals wider access to victims and little chance of prosecution. Because the Internet crosses jurisdictions it is harder for each government to protect its citizens.

How Internet attacks work

This section outlines the reasons for threats on the Internet and explores the extent to which they are inherent to its design.

History of the Internet

The Internet began with a technical research project funded in the 1970s by the US government. Through the 1980s, the engineering work which underpins it was done. The quality of this work drove the initial expansion, and the network effect (as people began to realise how useful the Internet could be) drove it through the late 1990s.

Through the mid-1990s the Internet began to get press and government attention. Much of the press coverage warned of the use of the Internet to spread pornography while ignoring other more beneficial uses. Governments realized that the web gave them an opportunity to get closer to their citizens by publishing information directly and at very low cost. By the late 1990s the Internet had become part of the mainstream, with companies increasingly using the web not just for publishing but to host all or part of their business.

The Internet is a co-operative. Anyone can join by paying only their own expenses. This fact has led to people being able to experiment and develop services which run across it. Email and the web are both examples of things developed to run over the Internet by people who thought they would be a good idea.

The Internet's open architecture is both its main strength and its undoing. Its lack of built in security and service quality control has prevented it from being captured by providers and governments; however this lack also makes policing the Internet difficult.

The success of the Internet is primarily a social phenomenon. It contains some superb and unique engineering which, as a matter of policy, was made available for all to copy and mass produce without charge. The Internet's expansion has been due at least as much to the policies that surround it as to its technical brilliance.

The engineering of the Internet has handled its dramatic expansion remarkably well. An area it has perhaps not dealt with as well is the introduction of a wider spectrum of users with different agendas. The mainly technical people who used the Internet during its original building phase evolved a consensus on what behaviour was appropriate. Known as 'netiquette', this was a set of guidelines designed to help people not to waste others' time or the resources of the Internet. As the Internet expanded out of computer science laboratories the mix of people using it changed. Some new users started to exploit the commercial possibilities of the Internet, others used what they saw as their right to say or do whatever they saw to be in their own interests. [See, for instance: en.wikipedia.org/wiki/Canter_&_Siegel]

Attacks on the Internet, and on people via the Internet, usually exploit either technical weaknesses in software or human fallibility. Some attacks exploit both. These are discussed in more detail below.

Security weaknesses in software

Security weaknesses are continually being found in widely used software. These are sometimes published, often but not always, after the software author concerned has had time to fix the problem and issue a patch. Once a patch is available, all affected machines need to be patched. This may be challenging for technically naïve users even they if understand the need. In some cases, patches are issued so frequently that proving them and installing them on production systems can occupy a great deal of expensive technician time, as well as causing unacceptable levels of downtime.

Weaknesses do not spring into existence when their discovery is published. They are inherent in software from its release. Unscrupulous individuals finding weaknesses can exploit them without the software author even understanding what is going on.

Why are there so many weaknesses in software? There are many reasons. One is that modern software, particularly operating systems (where most exploitable weaknesses are found) are very large and complex, [Microsoft Windows XP is estimated to contain 40 million lines of source code. Linux distributions contain a comparable number. For a discussion of this and its relationship to security see en.wikipedia.org/wiki/Source_lines_of_code] and contain many parts which can interact in myriad ways. Another concern is that new software features are more attractive to customers than is security, which causes software authors to provide software where security is traded off against perceived usefulness. Finally, commercial imperatives drive software companies to release revised versions of products to a schedule, knowing that they can issue patches later.

The result of these problems is that a lot of the machines connected to the Internet, perhaps most of them, have software with known and unknown security weaknesses. These weak systems expose not only their owners but others on the Internet because, once compromised, they can be used to break into other machines. This effect is exploited by viruses and worms, which typically use a particular weakness to penetrate a machine which they then cause to scan for similar machines so they can pass on the infection.

A 2002 paper raised concerns about so-called 'flash worms' that could potentially spread across the entire Internet in minutes using clever scanning techniques. This was followed by the Slammer Worm which spread across the Internet in ten minutes and caused considerable disruption, including shutting down ATMs, airlines reservation and credit card processing systems. It did this without a destructive payload, simply by the enormous amounts of traffic it generated while scanning for new systems to infect [ Moore et al,The Spread of the Sapphire/Slammer Worm ] .

Internet users and customers of businesses using the Internet were harmed by Slammer whether or not they had machines which the worm compromised. This is an example of the network effect (which is more usually seen as a way of magnifying the benefits of the Internet).

Human factors

Another way to defeat computer security is to get a person to do it for you. Most email worms travel this way. The trick usually employed is to get users to run an attached file, which in most email programs just means clicking on the attachment. The ILoveYou virus tried various techniques to get people to run it, including inviting them to click an email attachment to see "who loves them".

Typically the virus or worm will email copies of itself to everyone in the users' address book. These people now receive the email which appears to be from someone they know, the owner of the compromised system. As with software weaknesses, once the user has been persuaded to subvert system security the potential harm to the system is virtually unlimited.

Attacks such as this rely on making the email sufficiently interesting or persuasive to get the user to run the attachment. Other attacks over the Internet (or via other media, but this is outside the scope of this discussion) can also exploit human factors. Most Internet fraud, for instance, works by persuading people to do something which is ultimately against their interest. Simpler techniques such as telephoning and pretending to be 'from IT' and requesting passwords also have a high success rate. The generic term for these techniques is social engineering, reflecting the notion that people are being manipulated like machines.