The meeting at the Cabinet Office came just after the second set of London bombs, and was attended by the Home Office, police and almost 30 private organisations. They were all gathered, under the grand title of Project Endurance, to consider a desperate question: how do we stop these people? Project Endurance was about to wage war – but not against terrorism. The enemy is another force to which the UK is becoming alarmingly vulnerable: computer viruses.
In the jargon, personal computers harbouring viruses are “compromised”. And according to Steve Linford, chief executive of the spam-fighting company Spamhaus, the UK is now “one of the most compromised places in the world”. As we in Britain rush to embrace high-speed, always-on internet connections, our computers are turning into repositories for viruses and their nasty friends, worms and “Trojan horse” programs. Linford’s company has a “blacklist” of four million internet addresses of computers known to churn out spam. Some are commercial, but many are standard PCs infected by viruses tailored to take over the machine and make it unendingly produce spam, unbeknown to the user. He reckons “hundreds of thousands” of those belong to British internet users, who have unwittingly had their PCs subverted.
This is the problem which led to the July meeting at the Cabinet Office. The participants – including government officials, the National Hi-Tech Crime Unit and dozens of commercial companies such as high-street banks, the auction site eBay, the software giant Microsoft and makers of antivirus software – were trying to work out how to prevent broadband turning into the most widespread computer problem the UK has ever suffered. Project Endurance aims both to educate average users of PCs, and to focus on ways to catch the criminals who steal tens of millions of pounds from Britons every year.
Steve Linford has watched the rising numbers of compromised PCs carefully. In part, he blames the rise of broadband, whose always-on quality gives hackers, viruses and worms unlimited time to attack a machine. A PC on a “dial-up” connection can be infected, too, but is less vulnerable because it is not permanently online. It’s the difference between a burglar having all day to break in to a secured house, or an hour.
But Linford also blames someone else: Microsoft, whose Windows software powers more than 90 per cent of all personal computers in use. “Nobody likes to say it, but the problem is insecurities in Windows,” he says. “The machines we list in our database aren’t running Apple or Linux operating systems – they’re all Windows. Microsoft really ought to be doing a hell of a lot more to correct the problem.”
Microsoft has not been completely indifferent to the internet’s abundant threats. Programmers know every piece of software has “bugs”. Some are trivial; others can allow hackers to break in to your computer. When Microsoft finds and fixes a crucial bug, it puts a free update online. There’s even a setting in Windows that makes PCs seek out such “security patches” and install them automatically. Windows also has a built-in “firewall”, which prevents intrusions from outside. But it is only since last September, three years after the introduction of Windows XP, that PCs have been sold with such defences switched on by default. Before that, you’d have to turn them on yourself – if you knew they existed, or were required. And most people don’t. Graham Cluley, senior consultant at the PC security company Sophos, says: “People buy computers as consumer items like an LCD TV – but they aren’t. With a TV, you just plug it in. A PC is more like a classic car: you have to do tweaks to keep it running perfectly. I really feel sorry for the guys in the street.”
Sophos demonstrated just how important such tweaks are last month. It found that if you hook a Windows computer to the internet using a broadband connection, but without any of the protection that professionals use, there is a 50 per cent chance it will be compromised within 12 minutes. That’s without user interaction – no web surfing, no e-mail. How? Compromised PCs probe for unpatched machines and infect them in turn. The cycle then repeats.
One might wonder where the harm is. After all, most modern computers have enough spare processor power to churn out some easily ignored spam. However, “malware” – the collective name for the arsenal of programs that infect or subvert PCs – doesn’t just use your machine. It watches what you do, so that if you visit particular online banking sites, or type what looks like a credit card number, or a user name and password, these details are recorded and sent silently over the net, using the connection you’ve paid for, to a remote location. Such “keylogging” was used in Israel recently for industrial espionage.
Then there is the problem of “phishing” – the fake e-mails (sent from compromised machines) saying your online bank account, or eBay or PayPal account, has been suspended or has hosted “suspicious activity”. A link in the e-mail directs you to a fake website (often on a compromised PC) where you are encouraged to enter the correct user name and password. These are collected and sent to the hackers. A phishing site running on a compromised broadband PC appears to the user like a real online bank, always available. (With a dial-up connection it would appear and disappear as the user logged on and off the internet. Phishers prefer broadband.) In 2004, £12m was filched from British bank accounts, says Apacs, representing clearing banks in the UK.
Who is behind it all? Nobody is sure, but the evidence points to organised gangs using skilled programmers in the Far East and eastern European countries such as Russia. Yet while Sophos spotted 7,944 new viruses in the first half of 2005, up 59 per cent on the same period last year, none of the perpetrators has been arrested.
This is not how it was meant to be. Broadband was painted as a saviour of British computing, the new white-hot technology that would raise us out of the primeval swamps of the information age and let us stand proud as a knowledge economy. Yet few internet service providers (ISPs) mention that protection of some sort is essential for anyone connecting a personal computer running Windows to a broadband connection.
Brian Aherne, of the Internet Service Providers’ Association UK, suggests it is “the punters” who are at fault for not paying enough attention to protecting their PCs with good security software. “We do advise people to get spam filters and firewalls,” he insists.
Project Endurance, meanwhile, has made only a slow start. Launched last November by Mike O’Brien, the minister for e-commerce, it came with the promise of an advertising campaign in spring 2005. No, you didn’t miss it. The members are still arguing about what to do.
Stephen Millard of the electronic communications security firm MessageLabs is on the project steering group. The problem, he says, is twofold. First, users don’t know what to do; and second, they won’t want to spend the money and time on antivirus and anti-spyware programs. “Tackling personal responsibility does have costs associated with it,” he says. But he likens it to an MOT: “You make sure your car is serviced and has passed an MOT each year.” Except that you don’t have to keep adding safety features to your car. Millard admits the analogy isn’t perfect. “Expectations change,” he says. “The level of threat has changed. The ubiquity of the internet has opened up a new channel for people with financial and criminal motivations that we weren’t aware of a couple of years ago. People have talked about the advantages of broadband, but they aren’t necessarily aware of the implications. The landscape has changed fundamentally.”
So does Project Endurance have a clear end point? No, but it might take two or three years to reach a “satisfactory” state. A war whose end point isn’t clearly defined and in which the adversaries are shadowy and hard to track down. Sound familiar?
How to protect yourself
– Ensure you have antivirus software. It’s never very expensive – some products are even free – and you might find that your computer already came with it.
– Make sure your antivirus software is kept up to date. Updates can be automated, and should be applied at least once a week.
– If you have a firewall, turn it on. The latest versions of most operating systems have firewalls built in, but if you’re on an older computer, you can obtain firewall software very cheaply – and again, in some cases, free.
– Most importantly, use your common sense. Don’t open suspicious e-mails or attachments. Don’t click on pop-up adverts. When you’re online, remember: if it looks strange, dodgy or too good to be true, it probably is.