How safe is the internet from hacking? - Tech

2024-05-12 21:47:00, Tech CNA

A chilling revelation shows just how vulnerable today's digital infrastructure is. This is how the Internet can be protected from malicious attacks, writes The Economist.

The Internet has been one of the most important inventions in human history and one of the most misunderstood. It was developed not as a centrally planned system, but as a collection of devices and networks connected by improvised interfaces.

Decentralization made it possible to run such a complex system. But from time to time, chilling incidents occur, reminding us that the whole structure is extremely precarious.

On March 29, a security researcher announced that he had accidentally discovered a hidden "backdoor" in the XZ Utils system. This obscure but vital piece of software is included in the Linux operating systems that control the world's web servers.

If the backdoor hadn't been discovered in time, everything from vital national infrastructure to the website where you post cat pictures would have been vulnerable.

This backdoor was created by an anonymous contributor who had gained the trust of other coders by providing helpful assistance for over two years.

This patience and diligence show that a state intelligence agency is hiding behind this action. Such large-scale "supply chain" attacks, which target not individual devices or networks but the very software and underlying hardware they rely on, are becoming more frequent.

In 2019-2020, the Russian foreign intelligence agency SVR penetrated US government networks, compromising a network management platform called SolarWinds Orion.

Recently, Chinese state-backed hackers modified the firmware of Cisco routers to gain access to American and Japanese economic, commercial and military targets.

The Internet is vulnerable to schemes like the XZ Utils platform backdoor. Like many others, this program is open source, which means its code is publicly available.

As with Wikipedia, anyone can suggest changes to it. People who maintain open source code often make such suggestions in their spare time.

After the discovery of a catastrophic vulnerability in OpenSSL, a widely used platform for secure communication that had a budget of just $2,000, a 2014 article headline summed up the absurdity of the situation very well: "The Internet is being protected by two guys called Steve".

It is tempting to think that the solution lies in restoring central control, whether by states or companies. In fact, history shows that closed source software is no more secure than open source.

Just this week, America's Cybersecurity Review Board, a federal body, reprimanded Microsoft for lax security standards that allowed Russia to steal an access key, which in the world of cryptography can be compared to the "crown jewels" for a cloud service provider.

This gave Russia comprehensive access to the data. By comparison, open source software has many advantages because it allows for shared review and accountability.

Therefore, the right path is to make the most of open source, alleviating the huge burden placed on a small number of underpaid and overworked individuals.

Technology can also help. Let's Encrypt, a nonprofit organization, has been making the Internet safer for the past decade by using clever software to make it simple to encrypt users' connections to websites.

As it develops over time, even Artificial Intelligence may be able to spot anomalies in millions of lines of code with a single click.

Other corrections should be regulatory in nature. America's cyber strategy, released last year, makes it clear that responsibility for failures should not fall on open source developers, but on "the actors best able to take actions that prevent ill effects."

In practice, this means governments and tech giants, who benefit enormously from free software libraries.

Both should expand funding and collaboration with non-profit institutions, such as the Open Source Initiative and the Linux Foundation, which support the open source ecosystem.

The Foundation for New Responsibility, a German think-tank, says governments could allow employees to contribute to open-source software in their spare time and relax laws that criminalize ethical hacking.

They must act quickly. The backdoor in the XZ Utils platform is believed to be the first publicly disclosed attack against a vital piece of open source software. But that doesn't mean it was the first attempt.

And it is unlikely to be the last. / Monitor.al
