TOM BEARDEN: There are some nasty critters out there in cyberspace: Creepy, crawly things called viruses and worms. Computer bugs with names like SoBig, Blaster and Slammer have already wreaked havoc, and it's only expected to get worse.
CORRESPONDENT: (Aug. 12, 2003) In Europe, Asia, and some parts of the U.S. today, computers mysteriously restarted, kicking...
TOM BEARDEN: Damage includes interruption to business operations, lost productivity and revenue, costs associated with restoring or replacing networks and systems, and damage to, or loss, of stored data. Vulnerability specialist Shawn Hernan says it's an expensive problem as well.
SHAWN HERNAN: Certainly, the threat to the United States economic health is serious. A disruption to our communications networks can cost billions upon billions of dollars and do real damage to the economy and to individuals' livelihoods and to individual companies.
TOM BEARDEN: So far this year, these bugs cost businesses and consumers more than $140 billion in damages globally, almost three times as much as in 2002. It happens quickly, too. This summer's MSblast worm was so advanced it infected almost 90 percent of the Internet within ten minutes.
Beyond the damage that's already been done, computer security experts fear viruses could disrupt electric utilities, air traffic control systems, telephone networks, banking systems -- anything that relies on interconnected computers.That's the escalating security challenge facing the people at CERT, the Computer Emergency Response Team at Carnegie Mellon University in Pittsburgh.
CERT was formed in 1988 as a center of Internet security expertise, a federally funded research and development center. Just this year, CERT formed a partnership with the Department of Homeland Security to combat cyber-attacks across the Internet. CERT is just one of hundreds of businesses, universities, and scientists worldwide trying to find ways to stop the global problem of viruses and worms. Larry Rogers is a senior member of CERT's technical staff.
LARRY ROGERS, Computer Emergency Response Team: A virus is just like a biological virus: It requires someone to transmit it. If you have a cold and you come in contact with somebody else, your contact with them can transmit the virus. A computer virus is usually e-mail borne and requires you to read an e-mail, open an attachment. And by opening that attachment, in most cases that attachment is a program written by someone to do something malicious.
In many cases, it opens up your address book and sends itself to all of the people that you know. This takes advantage of social engineering. I got mail from somebody I already knew, and so I'm going to trust them more than I would otherwise; I'm going to open that attachment.
TOM BEARDEN: Rogers says computer worms are even more dangerous.
LARRY ROGERS: Worms, in contrast, are just like worms in the ground. They drill through the earth and are self-propagating. They move from one place to another all by themselves.
TOM BEARDEN: And worms can propagate, or copy themselves, without the computer user doing anything. Indeed, most are unaware that they've been infected. Worms can then move from computer to computer via networks, the biggest network of all being the Internet. Any unprotected computer unwittingly spreads the worm to any other computer on the network. While there are many variations of viruses and worms, computer security experts like CERT's Shawn Hernan say the reason they're successful is sloppy programming.
SHAWN HERNAN, Computer Emergency Response Team: Most of it comes from simple programming mistakes, the kinds of things that you learn to avoid in your first programming course and then never remember to avoid again. Most vulnerabilities don't arise from complex interactions of big hard-to-understand programs. They're not subtle defects that no one could have predicted. The vast majority of them are things that are foreseeable and well understood.
TOM BEARDEN: Hernan says software manufacturers are not focusing on the basics anymore. Instead, they put their energy into glitzy new features. Unless that changes, computer users will continue to be as vulnerable to the same kinds of attacks that they have been for decades. Pradeep Khosla heads research at Carnegie Mellon's Cyber Lab, which partners with CERT on research issues. He says one of the primary goals of research is to make sure computer systems are always available to users.
PRADEEP KHOSLA, Cyber Lab: We are not going to stop attacks. We don't believe we can stop attacks. But what we can do is stop systems from dying when they are attacked. And we want to understand and develop technologies to find vulnerabilities in existing code, and to create methods of producing new software with fewer vulnerabilities.
TOM BEARDEN: Dawn Song is looking at ways of stopping computer worms. She says worms can spread so quickly that they act much like tsunamis, huge tidal waves that can come ashore in seconds, with catastrophic effects. She says that right now a smart programmer can write worms that infect the entire Internet within 30 seconds. To fight these attacks, Song is developing the Internet tsunami warning system. She monitors Internet traffic patterns for significant change, change which might indicate a worm is starting to propagate. She says early detection of an attack is key to solving the problem.
DAWN SONG, Carnegie Mellon University: That will give us time to put in countermeasures to counteract these attacks. For example, now we could develop patches and distribute the patches to the vulnerable hosts to help them defend against these worm attacks.
TOM BEARDEN: Patches are small programs that insert new computer code into existing software to block vulnerabilities that hackers exploit. Associate computer engineering professor Greg Ganger is researching a layered defense, an approach that he likens to a medieval castle.
GREG GANGER, Carnegie Mellon University: They worked really, really well for a couple of reasons. One was you had to get past tiers of defenses in order to get to the inside where presumably the king and the treasurer was. The difficult part is looking for the places where you're going to find tiers and the places where you're going to find towers, right? Well, if you looked inside of your PC, right, open up a PC, you'll find a bunch of things that can be your tiers and your towers. And what they are is all the different little computers that are inside of the thing that you think of as a computer.
TOM BEARDEN: Ganger points out there are many microprocessors inside every computer, from the disk drive controller to the network interface card, and that each one has its own operating system software.
GREG GANGER: Each one of them can do its own security functionality, so each one of them can do things like watch for misbehavior on the other components of the system. And so we get our tiers of defenses from things like network cards before you get to the main processor. We get our towers from things like disk drives and disk controllers that can check parts of what the system is doing, even though they can't check everything that the system is doing.
So we can do things like have the system run intrusion detection on itself. We can do things like when the system is observed to be misbehaving, we can throttle its access to the network, right? And it works inside of a box, and it also works with the other components in your environment.
TOM BEARDEN: Until research yields more effective large-scale solutions to computer security, Rogers says it's up to individual computer users to protect their own systems.
LARRY ROGERS: You need to be aware of what's going on. An intelligent consumer is a good consumer in understanding what information is at risk, how it's at risk, and what's really going on.
TOM BEARDEN: Security experts first recommend installing antivirus protection software. Individuals and network administrators also need to regularly download the latest software updates from their operating system manufacturers. Users should delete attachments to e-mail, unless they have been alerted by the sender of an incoming downloadable file. Finally, firewalls, which are software and hardware barriers to intruders who try to seize control of computers, should be installed.
LARRY ROGERS: Unfortunately, the technology that we're being sold today requires an awful lot of care and feeding. To do it properly requires spending time; learning how to do it.
TOM BEARDEN: Time, effort and money. But when weighed against the losses caused by a total system failure, computer owners may find the investment to be modest indeed.