PREMIUM SEARCH Search by job title, geography and build a list of executive contacts
As the "I Love You" computer virus morphed into myriad new forms, such as unfunny forwarded "jokes" and malicious Mother's Day wishes, on May 5, the vulnerability of the world's relatively new interconnectedness stood naked for all to see. The virus wormed its way through the e-mail address books of still-untold numbers of unsuspecting users. Estimates have ranged from hundreds of thousands into the millions. And guesstimates at the damage to businesses range from $200 million to $10 billion. Companies ranging from old-world carmakers to cutting-edge dot-coms shut down their entire computer systems to avoid getting hit -- or to repair the damage.
By Monday afternoon, the tide seemed to have subsided, as most businesses were back up and running. But network administrators and info-tech departments around the country had better not get too comfortable. Fact is, this is likely just the beginning of a wave of virus scares that could plague the Net world well into the 21st century. E-mail is already ubiquitous and growing more global by the day. And e-mail viruses -- a young phenomena -- are easy to write and a snap to disseminate because people are trusting.
Also, businesses don't want to sink massive energy and resources into effective security. And while the technology exists to track down virus-spreaders -- as cybersleuths zeroed in on a residence in the Philippines as the probable origin of the "I Love You" virus -- arrest and prosecution across international borders remains problematic. Add these together, and you have the makings of an endless security risk.
CONQUERER WORM.
First, let's tackle the trusting part. For millennia, trust has been based on the ability of the human brain to identify someone visually and associate that person with past actions deemed to be reliable or trustworthy. Later, thanks to Alexander Graham Bell and the telephone, voice recognition became a somewhat viable substitute.
Compared to looking someone in the eyes or hearing their voice, e-mail is like taking sweets from a stranger you can't see. All you can identify is someone wearing the equivalent of your mother's, your boss's, or your co-worker's nametag. And until the technology allows us to easily package video or voice into e-mail messages, we'll continue to be at the mercy of the hackers who create so-called worm programs that replicate themselves through the address books of unsuspecting victims.
"You can blame Microsoft for adding easy access to powerful features, or users who don't know any better"
In the case of the "I Love You" virus, people who merely read the e-mail escaped harm. You had to open the attachment to unleash the danger. Therein lies another trust issue that all computer users should face. Many e-mail programs automatically open attachments unless specifically set not to. And many security experts believe the "I Love You" virus specifically targeted Microsoft programs via a language hackers have long used, Visual Basic.
Says Ryan Russell, a security expert at portal SecurityFocus.com (www.securityfocus.com): "There are two places you can place blame for the "I Love You" problem. You can blame Microsoft for adding easy access to powerful features, or users who don't know any better." Russell says Microsoft could easily add security checks in its scripting language for Visual Basic that could curb some, but not all, viral problems. But as for the millions of people on computers out there, "I can't see users getting smarter as a whole," he laments.
A second ingredient in the latest viral outbreak is the ubiquity of e-mail. About 300 million people are now on the Internet worldwide, according to Global Reach, a marketing and research firm, and almost all of them use e-mail. Most corporate communications now travel in bytes and not voice or paper. "It's something that the majority of companies now take for granted," says Chris Rouland of electronic-security systems company Internet Security Systems Inc. (www.iss.net). Even more important, says Rouland, "the attachment is something that they all use so much." Businesses' reliance on and acceptance of e-mail attachments may explain surveys that found businesses far more adversely affected in the latest assault. According to an Angus Reid Survey, only 3% of home users reported having trouble with the "I Love You" virus.
THE POWER OF DUMB.
With mechanisms that are invisible to the naked eye, viruses themselves seem inscrutable. But like their brethren in the biological world, they're generally simple. The success of Mafia Boy, the Canadian teenager who has been linked to shutting down CNN and attacks on Yahoo!, eBay, and Amazon.com in February, illustrates the power of dumb code. In this case, the assault simply tied up company Web servers. Similarly, hackers generally scoff at the Melissa virus and the "I Love You" virus as artless.
How simple was the "I Love You" virus? So simple that anyone with a few weeks or less of computer programming time could alter the subject line of the e-mails bearing the virus in minutes. The result? Copycat viruses bearing "Mother's Day" or "joke" subject lines exacerbated the problem and forced system administrators to spend more time battening down their networks. But the simplicity of the "I Love You" virus isn't an aberration. The virus was so obvious that most virus protectors just aren't programmed to detect such an unelegant hack. "Most of the really bad infestations have this characteristic," says Rouland.
Effective security means forcing everyone from the receptionist to the CEO to follow sometimes cumbersome protocols
That said, most businesses still could have intercepted the "I Love You" virus in time to save their networks if effective security measures had been in place. But according to Rouland, only 30% of U.S. businesses have put security procedures and software buffers in place to combat computer pathogens.
That low percentage has a simple explanation: Effective security is a pain. It means changing password codes regularly, taxing users' brains with mind-numbing random numbers and letters. It means forcing everyone from the receptionist to the CEO to follow sometimes cumbersome protocols when dealing with unknown e-mail. It means a lot of effort -- and businesses, until now, have not proven themselves up to the task.
The other side of prevention is enforcement. Hackers might think twice before unleashing a damaging virus if they knew they might end up in the Big House. Until now, many viruses have originated in the U.S., Canada, or Europe, and authorities have quickly collared the most visible perpetrators. The "I Love You" virus is the first major attack from a Third World country. Now, authorities are wrestling with what the formal charge will be. A big problem: In many countries, cyber-attacks aren't dealt with in criminal statutes.
VIDEO I.D.s?
In this case, the Philippines have proven cooperative in efforts to apprehend suspects. That may not always be the case. While cybercrimes now harm victims regardless of location, true enforcement and swift retribution against perpetrators could be decades away. As it stands, a handful of countries don't have extradition treaties with the U.S. and some remain downright hostile toward Uncle Sam. But every country is connected to the Internet and e-mail.
To be sure, the use of false identities that tricked so many recipients of the "I Love You" virus may be addressed with new technologies that will package video and voice into traditional e-mails. Those technologies are rapidly approaching and should be sped by growth of telecommunications bandwidth and high-speed Internet access. But the day when every e-mail comes in the form of a video clip remains a long way off. Meanwhile, malicious hackers have started to look to other forms of online communication as grist for their next attacks.
Increasingly popular file-exchange programs, like Napster, CuteMX, and Gnutella, that allow downloads of data from unknown sources floating out in the cyber-ether are clear invitations to trouble (see BW Online, 5/4/00, "Forget Napster. Net File-Swapping Now Goes Way Beyond Music"). And the prolific growth of peer-to-peer messaging systems, like America Online's Instant Messenger (IM), provide yet another inviting opening. While companies are loath to discuss it, theft of screen names on America Online and other instant-messenger services occurs with frightening regularity.
"The [instant] messaging programs are undocumented and completely unsecure environments"
It's a fairly elementary procedure for a hacker to use the pilfered screen name of someone you know to open an easy path for sending you an e-mail or IM "Trojan horse" bearing nasty viral tidbits. Such a virus could cripple the computers of the tens of thousands of businesses that use AOL IM as a cheap means of communicating over the Internet in real time. "The messaging programs are undocumented and completely unsecure environments. No company should allow their employees to run these types of messaging systems," says Rouland.
So far, computer systems at hospitals, utilities, and airports have remained largely unaffected by these viruses -- thanks largely to obsolete equipment. "The older legacy systems are probably fine, as they tend to be obscure and stand-alone. They would have to be specifically targeted for attack. Virus authors tend to want as large a spread as possible, which means mainstream desktop operating systems," says SecurityFocus.com's Russell.
But now, these entities are racing to upgrade their systems to webs of networked desktop PCs. So, sometime in the near future, when a virus goes berserk, planes may lose radar guidance, streets may darken, and patients may suffer. It's the dark side of the networked economy -- and something that we all have to confront, the sooner the better.
Salkever is a staff reporter for Business Week Online in New York EDITED BY DOUGLAS HARBRECHT
Get BusinessWeek directly on your desktop with our RSS feeds.
Add BusinessWeek news to your Web site with our headline feed.
Click to buy an e-print or reprint of a BusinessWeek or BusinessWeek Online story or video.
To subscribe online to BusinessWeek magazine, please click here.
Copyright 2000 , by The McGraw-Hill Companies Inc. All rights reserved.
Printer-Friendly Version
