The month of June saw a host of Web-based attacks compromising legitimate Web sites.
One, dubbed “Nine Ball,” compromised more than 40,000 Web sites. Another attack injected a malicious script that antivirus vendor Sophos named “Troj/Iframe-CB” into large numbers of legitimate sites.
Victims who access or browse such tainted Web sites are infected with malware.
Facebook, the world’s leading social networking site, has been hit repeatedly by cybercriminals.
In May, a hacker cracked into Twitter’s internal administration system to gain access to the accounts of millions of users, including President Obama, singer Britney Spears and actor Ashton Kutcher.
What can be done about these attacks, and who’s policing the Web anyhow?
Who’s Doing What Where?
Nobody’s quite sure who should police the Web.
Some contend that ICANN, the Internet Corporation for Assigned Names and Numbers, should take the job. They say ICANN should overhaul and automate its creaky processes and be given more money and powers to do so.
Others say it’s better for ICANN, which coordinates the Internet’s naming system, to retain its very limited role. They contend that it’s better to retain the existing system, where security vendors, who already police the Web on behalf of their clients, exchange information about threats informally.
Still, there is an uneasy feeling among the supporters of the status quo that they need a more formalized cooperative approach. Three organizations recently set up the Chain of Trust Initiative to do just that.
Formed in 1998, ICANN is a not-for-profit public-benefit corporation with members worldwide.
It sees its mission as coordinating the global Internet’s system of unique identifiers and ensuring the stable and secure operation of the Internet’s identifier systems.
It does so by controlling domain registrars and top-level registrars; maintaining the domain name system (DNS); and coordinating policy development related to domain registration and the DNS.
ICANN clearly says on its Web site that it doesn’t control content on the Internet; it cannot stop spam; and it doesn’t deal with access to the Internet.
This disclaimer does not cut much ice with some in the security industry.
“That’s their get-out-of-jail-free card,” said Dave Marcus, director of security research and communications McAfee Avert Labs.
“What they’re saying is, they provide the road but they’re not responsible for the content,” he told TechNewsWorld. “Maybe they view themselves as road maintenance and think somebody else should be the state troopers.”
Start a Bad-ISP Slapdown?
ICANN should step up to the plate, said Randy Abrams, director of technical education at security vendor ESET.
“The registrars aren’t enforcing policy, and ICANN isn’t clamping down on the bad registrars quickly enough,” he told TechNewsWorld. “Time and again, we’ve seen malicious Web sites being registered with obviously bad information, and we notify the domain registrars and they don’t do anything.”
For example, it took the Federal Trade Commission to shut down San Jose, Calif.-based ISP Pricewert, also known as “3FN” and “APS Telecom,” for allegedly hosting and conducting business with malicious and illegal content providers.
The FTC alleged in a court complaint that Pricewert repeatedly ignored requests from the online security community to take down the offending sites, or shifted those criminal sites to other IP addresses it controlled in order to avoid detection.
Pricewert has objected to the shutdown and plans to fight the FTC in court.
However, many in the security community don’t like the idea of expanding ICANN’s funding or role.
“The security of the Web is not — and probably cannot be — the sole responsibility of one company or organization,” Vint Cerf, chief Internet evangelist at Google and the man generally acknowledged as “the father of the Internet,” told TechNewsWorld.
The rapid advance of technology has a lot to do with this.
“Because of the rapidity with which new domains can be registered now, I don’t believe ICANN can handle the problem by themselves,” Steve Webb, research scientist at enterprise security vendor Purewire, told TechNewsWorld.
“I believe this should be left to the security vendors, who have a much more vested interest in dealing with these issues than one central organization would,” he added.
The Center for Democracy and Technology presented a position paper elaborating on this view to the U.S. Department of Commerce’s National Telecommunications and Information Administration.
“ICANN has a very limited mission; its mandate and role is not to be the Internet cop,” CDT Policy Analyst Heather West told TechNewsWorld.
United We Stand
To combat the global menace, three leading cybersecurity groups recently launched the Chain of Trust Initiative to fight malware throughout the Internet.
They are the Anti-Spyware Coalition (ASC); the National Cyber Security Alliance (NCSA); and StopBadware.org.
The initiative seeks to link together security vendors, researchers, government agencies, Internet companies, network providers, and advocacy and education groups in a systemic effort to fight malware.
It will begin by mapping out the individuals and organizations that make up the Internet.
“The Internet’s a nebulous, constantly changing entity,” explained Maxim Weinstein, manager of StopBadware.org, a consumer-oriented nonprofit antimalware organization run by the Berkman Center for Internet and Society at Harvard Law School.
“Is it the network, the protocol, the content? It’s hard to define, and is constantly shifting and changing,” Weinstein added.
Once a rough map of the Internet is ready, the Chain of Trust Initiative’s founders will invite people and organizations on that map to a meeting tentatively scheduled for this fall, CDT’s West said.
“With the Anti-Spyware Coalition, our approach was to first define the space and spell out which behaviors are acceptable and which are not, and we’re trying to do the same here,” she added.