US laws needed to boost computer security

01.02.2007
Even though we have a new Congress, I doubt that much will change with regard to computer security. While a law related to identity theft will probably be passed in one form or another, I expect that it will be trivial and not deal with preventing the theft of individuals' personal information. Corporate lobbyists have proved themselves to be too adept at manipulating members of Congress so they don't pass laws requiring companies to be proactive, especially with regard to security measures.

Identity theft is a symptom of poor computer security. There are two underlying methods of identity theft: hacks of vendor computers, and client-side attacks. Vendor hacks are the result of poor security on the part of the vendor and often lead to the theft of thousands, or millions, of credit card numbers, at once. The laws passed in this regard basically state requirements that vendors have to follow once data is stolen. However, they do not lay out computer security requirements. The hope is that if vendors have to act if their security fails, they will try to better protect themselves. All you have to do is browse Computerworld.com to see how well that's working.

Congress, however, has taken no action to address client-side attacks targeting the end user. These include phishing, keystroke logging and virus attacks. The underlying enabler of these attacks is the bot networks that grow unchecked. Botnets are networks of PCs that have been compromised by a remote attacker through known vulnerabilities on the PCs. The attacker then has the compromised PCs do his bidding without the knowledge of the PCs' owners.

Bots send out billions of spam e-mails and their evil cousins, phishing messages. Just as important, bots are used for distributed denial of service attacks. DDOS attacks use thousands of computers to simultaneously send data packets to a victim's computer to overwhelm the computer and the supporting network infrastructure. The attackers then use the DDOS attacks to extort money from owners of various Web sites. For example, it's common for online gambling sites to be threatened prior to a major sporting event, where the attacker will say, "Unless you pay me $50,000, I will take you down for a day before the event." A successful attack could cost a good-sized gambling site more than $1 million.

Likewise, DDOS attacks have targeted critical elements of the Internet, such as the root DNS servers. Those attacks have crippled segments of the Internet for periods of time. It should be expected that similar attacks will occur in the future and will attempt to do even more damage. Frankly, I believe that if there is a significant Internet attack, it will involve bot networks.
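The defining trait of the bot-driven DDOS attacks described above is fan-in: thousands of distinct sources converging on one victim within the same instant. The following is an added example, not part of the original column, showing how a network operator can surface that pattern in flow records. The record layout, the thresholds and the sample traffic (using reserved TEST-NET address ranges) are all constructed for illustration.

```python
"""Volumetric DDoS indicator over constructed flow records.

Added example, not from the original column. A destination is flagged when,
within a one-second window, both the packet count and the number of distinct
source addresses exceed thresholds: many compromised hosts sending to one
victim at once. Record format and thresholds are assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float       # epoch seconds (constructed)
    src: str        # source address
    dst: str        # destination address
    packets: int    # packets carried by this flow record


def detect_volumetric(flows, window=1.0, min_packets=500, min_sources=20):
    """Return (window_start, dst, packets, distinct_sources) for every window
    in which one destination receives at least min_packets from at least
    min_sources distinct sources. The many-to-one fan-in is the indicator;
    no source is matched against a known-bad list."""
    buckets = defaultdict(lambda: [0, set()])
    for f in flows:
        key = (int(f.ts // window), f.dst)
        buckets[key][0] += f.packets
        buckets[key][1].add(f.src)
    alerts = []
    for (win, dst), (pkts, srcs) in sorted(buckets.items()):
        if pkts >= min_packets and len(srcs) >= min_sources:
            alerts.append((win * window, dst, pkts, len(srcs)))
    return alerts


def sample_flows():
    """Constructed traffic: a quiet web server (203.0.113.10) served by five
    clients over ten seconds, plus a one-second flood against a second host
    (203.0.113.20) from 60 distinct TEST-NET sources."""
    flows = []
    for t in range(10):
        for c in range(5):
            flows.append(Flow(1000.0 + t + c * 0.1, f"192.0.2.{c + 1}",
                              "203.0.113.10", 3))
    for b in range(60):  # 60 bots, 20 packets each, all inside second 1005
        flows.append(Flow(1005.0 + b * 0.01, f"198.51.100.{b + 1}",
                          "203.0.113.20", 20))
    return flows


if __name__ == "__main__":
    for start, dst, pkts, srcs in detect_volumetric(sample_flows()):
        print(f"t={start:.0f} dst={dst} packets={pkts} sources={srcs}")
```

The benign server never trips the detector because its five clients stay well below both thresholds, while the flood is reported as a single alert for second 1005. In production the thresholds would be derived from a per-destination baseline rather than fixed constants, and because source addresses in UDP-based floods are trivially spoofed, the distinct-source count is evidence of a flood's shape, not an identification of the participating machines.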

So, for Congress to do anything that helps protect consumers and the critical Internet infrastructure as a whole, it must pass laws that require proactive processes to protect computers, not that tell people how to deal with the resulting mess.