Malware evolution
Money now the driving force behind internet threats: experts
March 27, 2007
By Saleem Khan, CBC News
When the internet found its way into people's homes and offices en masse in the mid-1990s, it was widely regarded as beneficial, giving people access to information — and each other — in a way that was previously impossible.
The interconnectedness across thousands of kilometres that the global network offered gave its users access to a wider world, allowing them to find whatever they were looking for, and if it didn't exist, to create it.
That rule also held for people with less altruistic intentions, giving rise to computer viruses and other forms of malicious software. The threat they pose has become so pervasive and advanced that online security companies are forced to play an ongoing game of cat-and-mouse, according to experts who spoke with CBC News Online.
Computer security companies need to change if they are to keep up with would-be criminals, according to Ron Nguyen, director of consulting services for the security firm Foundstone Inc. (McAfee/Foundstone)
Profit motive prevails
"The amount of new and dangerous types of software is daunting and will continue to be that way for a while," said Ron Nguyen, director of consulting services for Foundstone Inc. of Mission Viejo, Calif.
Although Nguyen said severe, widespread outbreaks of computer viruses are increasingly rare, he noted that attackers' intent and the methods they use are evolving, as is their motivation.
"In the past, they may have been motivated by idealistic reasons," said Nguyen, who previously hacked into U.S. military computers to test their security in his role as an information warfare officer with the U.S. air force.
JARGON
- BOTNETS are networks of computers that have been hijacked by malicious groups or individuals to do their bidding. Their owners are usually unwitting victims who have no idea their machines have been infected and turned into so-called zombies. The zombie computers are typically used to distribute spam or phishing e-mails, or viruses and Trojans that let them hijack other computers. Botnet operators often rent time or bandwidth on their networks to spam e-mail marketers and phishing scam artists.
- MALWARE is a catch-all term for malicious software such as computer viruses, spyware and so on that compromise the security or function of people's computers.
- PHISHING is a technique in which criminals try to trick people into disclosing sensitive information such as online banking names and passwords and is often conducted through e-mails.
- PHARMING is an attack in which malicious individuals try to redirect traffic from one website to a false one.
- TROJANS are programs that appear to perform one function in order to hide a malicious one. Like the mythological Trojan horse such programs are named after, the deception tricks people into granting them access to a computer.
- ZOMBIES are computers that have been hijacked by attackers to perform commands and functions issued to them, often without the owners' knowledge. They are typically infected by Trojans that enable attackers to use them in a botnet. An infected computer is sometimes referred to as a bot - short for robot.
The old guard of hackers would discover a vulnerability in a piece of software, tell its creator about the flaw, and wait for a patch to be issued before they would publish details of the problem and "gain notoriety" among their peers, Nguyen said.
"Now they're motivated by money and can use the cash to discover new vulnerabilities, develop new techniques and tools."
Lower-risk flaws targeted
The scam artists are employing every tool in their arsenal, from spam e-mails that tout stocks in the hope of triggering a market move from which they can profit, to more direct attacks. For example, phishing messages and sites trick people into disclosing sensitive information such as banking login names and passwords, and viruses and Trojans can turn victims' computers into part of the attackers' so-called zombie bot networks to distribute spam, a lucrative business.
Today, when it's discovered that a serious security flaw is being exploited by an attacker, fixes or patches are issued more rapidly than they may have been in the past. In fact, few — if any — mid-sized or larger organizations lack their own online security, which means would-be criminals are seeking out lower-hanging fruit, Nguyen said.
"We have been noticing that because enterprise infrastructures tend to get better and better at patch management, they [attackers] are focusing on the consumer space and small business."
Why? Because those are the segments of internet users that are less likely to keep their security software updated or be aware of the latest emerging threats.
But despite faster fixes to the high-risk flaws — which are generally automatically sent by software developers to the computers of consumers and small businesses when they go online — less serious flaws, which aren't patched as quickly, leave people and their systems exposed to attack, according to security researcher Dean Turner of Symantec Corp.
"From an attack perspective, the line between high- and medium-severity vulnerabilities has blurred," Turner said. "Medium vulnerabilities remain unpatched for a longer term."
That gap between the time a vulnerability becomes known and is subsequently repaired leaves a window of opportunity for attackers, making the smaller flaws a much more attractive target than the quickly closed high-risk security holes, Turner said.
It's all a numbers game, the experts agreed.
Attacks becoming 9-to-5 job
"It comes down to a cost-benefit analysis," Nguyen said, noting that although they may not be able to get as large a return from an attack on an individual user as they might from trying to exploit a large corporation, there are so many people who can easily be victimized that they begin to add up.
"There's certainly a professional aspect," said Turner. "It's hard to track real dollar amounts for this sort of thing. I've seen estimates of anywhere from hundreds of millions to billions of dollars. The truth is probably somewhere in between."
The trend is not surprising, Nguyen said, noting that as more people from all walks of life gain access to the internet, the likelihood is high that at least some of them will engage in illicit activities.
"The people running these campaigns, what were they doing before this? Maybe going into banks and robbing them."
But once they discovered the ease with which they could run scams over the internet and recognized that the scale and scope of their activities could increase without any significant cost, moving to online attacks was a logical choice, Nguyen said.
The trade has become so lucrative that it has become a regular job in some circles, Turner said. He pointed to the example of the Bancos family of Trojans, which created fake login pages to steal usernames and passwords to give access to certain Brazilian banking sites.
"We felt it was a 9-to-5 job and when we looked at the release times and dates, that's what we found."
New strategy needed
The attackers are aided when they successfully hit trusted institutions such as banks, which tend not to report such problems unless required to by law, said Nguyen, relating his experience with clients.
"Ninety-nine per cent of the time, the customer is going to go down the route of not getting law enforcement involved" because the potential damage to their reputation would be too great, so they see it as a cost of doing business, according to Nguyen.
He said various malware groups may be co-operating with each other and becoming more effective — something that the security industry should emulate or risk losing customers who have lost faith in their ability to defend themselves.
"If the whole industry looks bad or is not able to keep up, it will hurt everybody," Nguyen said. "There's got to be some kind of paradigm shift so vendors can keep up with the game."