Spoutin' Off: Speak out for stronger anti-malware laws

By Michael Rau

March 10, 2008

In this column, I want to share a quick anecdote with you, after which I'll provide some context.

So, about a month ago, I'm sitting at my work desk. On my desk are four monitors for three computers (my main workstation has dual displays). To my left is a very powerful computer used solely for compressing and encoding video. I had decided that I wanted to set up a VNC (virtual network connection) pipeline to this computer so I could access it from home.

Using VNC is becoming increasingly common as work follows us home, and in some cases, workers are allowed, and even encouraged, by employers to telecommute.

I simply wanted to be able to start an encode off-hours without having to drive 30 minutes from home to work.

Using VNC does have unique security risks that have to be addressed on a case-by-case basis. I always set up password protection for VNC access.

In this particular instance, I had opened up the VNC port and left it open while I configured the application, but had to bounce back and forth between working on that and performing other timely duties.

About two hours after I had started working on this, some motion to my right caught my eye, and I glanced over at the encoder's monitor, only to see Internet Explorer open and a certain amount of furious activity going on.

I watched in fascination for a minute or two as someone, in an exceptionally quick and efficient manner, installed one after another after another piece of malware on this computer. Finally, I regained control with my mouse, and the application immediately slammed shut (our IT guy said the person on the other end probably physically yanked the connection to avoid being traced).

In the two hours this computer was vulnerable, the only way this cretin could have known he had access was for some sort of active search system to be running, pinging various IPs to discover such security weaknesses.

I ran malware detection software on this computer and found 178 instances. Since this computer is never used for Web access, all of these were installed by the invader. I also had to scrub the registry to clear all of this guy's mess out of my system.

I share this story with you here to illustrate just how easily your computer can become vulnerable, as well as to demonstrate just how pernicious purveyors of malware have become. The guy who got on my system was as brazen as I can imagine. And let's face it - I'm relatively savvy about such things and this guy got past me.

As I've argued for years, I believe these criminals represent a clear and present danger to our economy and national security, and I believe our government is utterly failing to protect us from them by aggressively targeting such operations.

Yes, you can cite the successful conviction of spammer Jeremy Jaynes, as well as the upcoming trial of spammer Robert Soloway, as examples of law enforcement going after these people. But the laws under which these creeps were prosecuted are extremely weak - so much so that spam volume on the Internet was up 100 percent in 2007, jumping to 120 billion unwanted messages per day (Soloway continues to brag that he'll never spend a minute in jail or pay a penny in fines or settlements).

But spammers aren't the biggest risk. Their activities interrupt commerce, causing some economic hardship, and violate our right to personal and professional privacy as enumerated in the fourteenth amendment of the Bill of Rights, while sucking up bandwidth.

But purveyors of other malware such as viruses, worms, Trojan horses, keystroke loggers, and other such beasts, are the real risk, and our government is still doing virtually nothing to interdict their activities.

(Ironically, the military is currently running a recruiting commercial where they speak of foiling millions of cyberattacks a day on the Pentagon, but the rest of the government can't seem to get their arms around the bigger picture that ALL of their citizens are at risk.)

As we head more deeply into this year's political decision-making process, we have an opportunity to have a profound impact on this dereliction. Every seat in the House of Representatives, as well as a third of those in the Senate, is up for grabs, and I am personally committed to rejecting any candidate who can't grasp the gravity of this risk.

What will it take? Someone infiltrating a nuclear plant via computer, causing the reactor to scram and throwing millions into darkness? An attack on our air traffic control system, causing all airborne aircraft to suddenly be unable to communicate? Maybe something as simple as crashing a major banking company's servers, causing that institution to be unable to conduct any transactions?

What would personally scare you enough to speak up?

You can engage in an act of true patriotism by forcing our elected officials to confront this risk before we all have to deal with the ramifications of a devastating cyberattack.

Michael Rau is a mass-communications consultant in Virginia Beach. To send feedback or view past columns, go to http://dailypress.asoundidea.com.

Copyright © 2008, Daily Press