The Anti-Phishing Working Group (APWG) has just released its Phishing Activity Trends Report (pdf) for the first half of 2009, and as expected it shows a marked increase in the number of malware samples. In particular the APWG notes a massive increase in the variety and quantity of rogue anti-malware programs (software installed unwittingly, or under false pretences, which offers to remove non-existent malware infections). Luis Corrons, PandaLabs Technical Director, states in the report that the second quarter of 2009 showed "the emergence of four times as many samples as in all of 2008." The report also shows a doubling of the varieties of banking malware, increases in the number of compromised websites and all-round bad news. Is the internet broken?
There are five main causes of the increase in malware: piracy, the quality of the programmers producing malware, poor internet access control, anonymity and learning curves. Some of these are systemic and would require major reform to resolve, some are simpler fixes and some depend solely on changing people's attitudes.
Piracy
Piracy creates two sets of problems. Installing pirated programs carries obvious risks, as there is no guarantee that the program installed is the same as the one that left the software house. Pirated operating systems (almost exclusively Windows XP) are more of a problem. They have all the same risks of additional malicious programs having been added, but frequently cannot be updated, so they remain vulnerable to old problems for which a fix has long been available.
In Microsoft's defence, it does mitigate problems, but does not always do so in a timely manner. The Windows Firewall, switched on by default from Windows XP Service Pack 2 in 2004, cut down the network worm problem of the early 2000s (Blaster and Sasser being the best-known examples); the Malicious Software Removal Tool, introduced in 2005 and pushed out monthly through Windows Update, helped to clean up established infections; and the recently released free Microsoft Security Essentials may make a significant dent in the current generation of malware. In the same way that vaccination protects the unvaccinated once too few susceptible hosts remain for a disease to spread, there is a threshold at which enough systems are secure that malware struggles to propagate. Security Essentials is a step towards this.
Piracy is going to be around for as long as software is charged for, and the exploitation of those who use pirated software will remain as long as piracy exists. If Microsoft either perfects its copy protection scheme or moves to an open source model for Windows, then the piracy of operating systems will become a thing of the past, which would be significant progress.
Quality Programmers Producing Malware
There is something almost admirable about the quality of the malware being produced currently. Its technical achievement has always been high, but this is now combined with a design scheme that will fool most users and delivery methods which attempt multiple exploits simultaneously. There is natural selection at work here: as a breakthrough is made in closing a vulnerability, malware producers will either reopen it in a new way or focus on compromising computers in a new fashion.
As long as there is money to be made, criminals will keep employing or coercing talented programmers into producing malware. The only answer to this is to focus on security during software development, maintain awareness of who is developing high quality malware and keep employing more talented people to work on stopping it.
Poor Access Controls
The fastest way to dent current malware distribution would be to refuse internet connections to any computer still running Windows 2000 Server, IIS 5 or earlier, or Apache 1.x. If it were possible to require either hosting companies or ISPs to immediately disconnect compromised computers until the problem was resolved, this would be a great step forward. The only problem with the plan is that it is impossible to achieve under the current iteration of the internet, and even if it were attempted the programmers writing malware would work round it.
This could only be changed with a complete change of either the technology the internet is built on or the international legal system for dealing with internet based crime.
User Anonymity
The anonymity of the internet is one of its most cherished features for some advocates, and the opportunity either to speak freely without fear of reprisal or to gather information without being noticed is a liberating, uplifting opportunity. The ability of groups to gather together and provide support to each other is a lifeline for many without local peer groups. The corresponding problem is that it is currently extremely costly to truly verify identities: the person making a large withdrawal from a bank could be anyone with the right access codes, which could have come from anywhere.
Two-factor authentication (such as RSA SecurID tokens) would solve this problem, but the cost of implementing it for every website where passwords are currently used would be prohibitive. What is more likely is that the OpenID model of a single account across multiple websites will be taken up, with a second factor added to make it secure enough to use for financial transactions.
Learning Curves
The final problem with the internet is that the amount of knowledge required to use it safely is vast, growing daily and completely alien to some people. This can only be combated by better design of software and websites, better training of users and a more imaginative approach to security.
Considering the challenges above, it is a strong possibility that over time the internet will adapt to become two different and co-existing things - an 'approved' internet with guarantees of identity and correspondingly higher setup costs, and a more traditional internet. The 'approved' internet would be a shopping district, where confidence in the security of sites could be high. The second, traditional internet would consist of an uneasy combination of users who wanted to use the internet for illegal purposes and users who would require anonymous free speech (much as Twitter was used during the Iranian election protests).
Monday, 5 October 2009