In January 2014, the security company Proofpoint discovered a botnet attack incorporating over 100,000 devices, including routers, multimedia centres, TV sets and even an internet-connected fridge. The attack sent out over 750,000 spam messages.
Heartbleed – a flaw in OpenSSL, the widely used internet cryptography library – was discovered in April and left hundreds of thousands of websites in the financial and banking sector open to botnet attacks.
What can be done to stop these attacks? An ISP has the incentive to take enough action against the most dangerous botnets in order to avoid being blacklisted by others, but doing more would not provide additional benefits. The customers seldom appreciate the urgency of protection, or understand that the real danger from a botnet is not in shattering attacks but in low-key infection.
As the number of connected devices grows, mobile technology will increasingly be exploited by cybercriminals, a danger exacerbated by careless use. Shadow IT is the term for applications, systems and infrastructure used without the approval of network owners. Half of all computer users around the world admit they have pirated software, which is often used as a cover for transmitting botnet infection.
Trust is an issue. Far too many security holes are intentionally left unpatched when detected. Analysing malware to exploit its vulnerabilities has become big business, and so has knowledge about critical bugs in networks. The US National Security Agency (NSA) and Britain’s GCHQ have several times found security flaws, but stockpiled them for their own use. These agencies have sabotaged open-source and closed-source products, leading to accusations that these official bodies have been piggybacking hacked botnets for their own purposes in connection with the Heartbleed flaw.
More formalised collaborations on security issues have fared better. Openness encourages ISPs to promote their participation in such programmes in order to earn headlines and goodwill by taking down botnets. Last December, Microsoft’s Digital Crimes Unit, in collaboration with Europol’s cybercrime department EC3 and the US FBI, took on ZeroAccess, a large botnet attacking the Microsoft Windows operating system. Before the joint strike, ZeroAccess was estimated to control 19 million infected computers; the raid liberated about 500,000 of them. At its peak, ZeroAccess made 100,000 infections a week with a potential daily profit of $100,000.
Policy could provide the right incentives for preventative measures against botnets. Classical countermeasures, like booting from a clean disk or reinstalling the operating system, are used when computers have already been infected. Educating users about how to protect themselves from malware is important, but difficult to achieve on a significant scale.
Remote clean-up with automated malware-removal tools would be a good way to combat botnets, but it poses legal and ethical questions. It would bypass the user’s rights, and downplay the responsibility of keeping one’s own system upgraded and secure. Since anti-virus software is often provided as ‘install-and-forget’, many users seem to appreciate this approach to keep the botnets out of their computers. The risks can be reduced through privacy-sensitive system design, appropriate supervision and transparency. If the users trust the security companies, that is.
Ingress filtering would make sure that data packets entering a network actually come from the source addresses they claim to come from. It would require global standards and collaboration, as well as investment in hardware, security training and router reconfiguration. Insurance companies have an incentive to get involved in this new market to provide certification of ingress filtering and thus reduce premiums for their customers.
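To make the idea concrete, here is an added illustration (not part of the article) of the check an ISP edge router applies under ingress filtering: each customer-facing interface may only originate packets from the address blocks assigned to it, and everything else is dropped as spoofed. The interface names, prefix assignments and sample packets are constructed for the example.

```python
# Added example (not from the article): minimal source-address validation on an
# edge router's customer-facing interfaces, the core of ingress filtering.
import ipaddress

# Hypothetical per-interface prefix assignments (constructed sample data).
ALLOWED_PREFIXES = {
    "cust-a": [ipaddress.ip_network("203.0.113.0/24")],
    "cust-b": [ipaddress.ip_network("198.51.100.0/25"),
               ipaddress.ip_network("2001:db8:b::/48")],
}

# Address ranges that must never appear as a source on a customer link.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "fe80::/10")]


def ingress_verdict(iface, src_text):
    """Return ('accept', reason) or ('drop', reason) for one arriving packet."""
    try:
        src = ipaddress.ip_address(src_text)
    except ValueError:
        return ("drop", "unparseable source address")
    if any(src in net for net in BOGONS):
        return ("drop", "bogon source")
    allowed = ALLOWED_PREFIXES.get(iface)
    if allowed is None:
        return ("drop", "unknown interface")
    if any(src in net for net in allowed):
        return ("accept", "source within assigned prefix")
    return ("drop", "source outside assigned prefix (likely spoofed)")


def filter_packets(packets):
    """Apply the filter to (iface, src, dst) tuples; return accepted and dropped."""
    accepted, dropped = [], []
    for iface, src, dst in packets:
        verdict, reason = ingress_verdict(iface, src)
        (accepted if verdict == "accept" else dropped).append((iface, src, dst, reason))
    return accepted, dropped


# Constructed traffic: one legitimate packet per customer, then three spoofs.
SAMPLE = [
    ("cust-a", "203.0.113.7", "192.0.2.1"),
    ("cust-b", "2001:db8:b::1", "2001:db8::1"),
    ("cust-a", "198.51.100.9", "192.0.2.1"),  # cust-b's range arriving from cust-a
    ("cust-b", "10.0.0.5", "192.0.2.1"),      # private (bogon) source
    ("cust-a", "8.8.8.8", "192.0.2.1"),       # arbitrary external source
]

if __name__ == "__main__":
    for iface, src, dst, reason in filter_packets(SAMPLE)[1]:
        print(f"DROP {iface} {src} -> {dst}: {reason}")
```

Running the script logs the three spoofed packets with the reason each was dropped, while the two legitimate ones pass.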
Cybersecurity is one of the most important areas for the US and the EU to attempt to harmonise regulations. The inclusion of digital services in the negotiation of the Transatlantic Trade and Investment Partnership (TTIP) free-trade agreement would give the opportunity to rebuild trust, improve cybersecurity and stop the botnets, which is especially important given the increasing use of cloud computing.
The internet was built as an open service, for honest users in a trusted environment. The explosive growth of users is challenging this assumption, as the internet is entering a mature phase. Policymakers face the need to restore this trust. The way to improve cybersecurity and counter the spread of the botnets is to facilitate trust between policymakers, ISPs and internet users through participation and mutual transparency.
Waldemar Ingdahl is a science and technology journalist based in Stockholm.