< Ready For The Next Big Internet Crisis

Transcript

Friday, September 23, 2011

[MUSIC UP AND UNDER]

BROOKE GLADSTONE:

Our website this week is devoted to hacking and hackers, but we don't want to leave out our non-digital listeners. This concerns you too. So listen on.

BOB GARFIELD:

Last month Hurricane Irene reminded us that nothing excites cable news like a big storm.

MALE JOURNALIST:

This thing could be anywhere as a Category 2, 100-mile-per-hour storm.

FEMALE JOURNALIST:

Preparations underway in Virginia ahead of the monstrous storm.

MALE JOURNALIST:

Possibly a Category 4 hurricane in the northern Bahamas...

BOB GARFIELD:

But hurricanes aren't the only storms that sweep across our landscape. There are also destructive storms on the Internet. That's where the Internet Storm Center comes in. This elite group of übergeeks monitors their monitors 24/7 on the lookout for dangerous viruses, insidious worms and relentless bots, lest they make landfall on your computer or on somebody else's that really matters, like the bank or the Army.

Alan Paller, director of research at SANS Institute, the home of the Internet Storm Center. What is the Internet Storm Center, after all?

ALAN PALLER:

It's a collection of people and sensors, sensors that are watching for traffic that is unexpected, so that, when a spike happens, we pick it up and say, wow, that  might be a new worm.

And the other side is a group of volunteers called handlers: full time employees of large organizations, or small organizations, who 24 hours a day are on duty to respond when somebody finds something really bad on their computer. They'll put a notice out to the 200,000 people who are part of the SANS community and they can find out within a few hours whether there's a lot of it or a little of it.

BOB GARFIELD:

Is there any way for you to describe in plain English what a typical threat might be like and how the Storm Center reacts?

ALAN PALLER:

A simple example is a program that makes a file, like a music file, and when you open it the file may play the music, but in addition to the playing music it also takes over your computer, so that whenever that malicious person wants to he can use your computer to attack other computers or to send out spam or to look for data about you or your company.

We find that software and we take it apart, and then we write programs that will find it and get rid of it.

BOB GARFIELD:

And you're doing this all of your own volition, right? Aren't there official organizations that are doing similar things just as an ordinary course of business?

ALAN PALLER:

What's different about the Storm Center is it responds immediately. When things go to any of those organizations, in general, unless you're paying a lot of money to them, you don't get anything back for a month or two.

When you send something into Storm Center, you'll hear something about it the next morning. Think of us as the emergency room and them as more the deeper hospital services.

BOB GARFIELD:

If I were a Hollywood screenwriter, I would be doing a story about a group exactly like yours, infiltrated by some malign individual hell-bent on undermining the world's computers by essentially being a worm in your organization and going out from there.

ALAN PALLER:

A few years ago, one of our people worked undercover for the Naval Criminal Investigative Service and found that the worst of the hackers who were doing malicious things at night in the Boston area was during the daytime the chief security officer for a Boston company.

There's a risk for any organization that is trusted that they might distribute a piece of code that people think is going to just look for something, when it actually does something malicious. This is a problem, but whenever we distribute a piece of code, it gets vetted through a whole bunch of people.

BOB GARFIELD:

Tell me, Alan, how does this movie end? Are you ever-vigilant and ever- successful? Or does something catastrophic slip through with who knows what toll?

ALAN PALLER:

It ends with a pair of scenes. The first one is the catastrophic attack because once something catastrophic happens, a whole lot of people who didn't think it mattered much change their mind.

And then, there's a radical shift, interestingly, that will put us out of business, for the most part.

What we have been trying to do for almost 20 is get the people who manufacture software and hardware to manufacture it with security baked in. Right now it's impossible to keep systems perfectly secure. And that's because the people who manufacture it manufacture it with a bunch of holes in it.

BOB GARFIELD:

And the manufacturers of software do this, why?

ALAN PALLER:

The answer is fascinating. The colleges teach people how to write programs but don't teach them how to write them securely. The companies that hire the programmers allow them to write programs but never test them to make sure that they're writing them securely.

We can’t get the schools to start teaching this stuff until somebody says, shoot, I’m not gonna hire a programmer who can't write secure code. It would be like hiring a pilot who doesn’t know how to fly in a storm.

BOB GARFIELD:

So now I know how your volunteers are organized. Why do they do it? If they – if they’re not getting paid, what's in it for them?

ALAN PALLER:

Because they want to be part of the solution, and they like the idea of doing that in an organization that has a big impact, rather than one where they're just impacting their own organization.

And for personal pride. When you’re chosen to be an Internet Storm Center handler and you wear the leather jacket that you get when you've been doing it for a year, people notice. They talk to you –

[OVERTALK]

BOB GARFIELD:

Wait, wait, wait, wait – you really get a leather jacket?

ALAN PALLER:

Oh yeah.

[BOB LAUGHS]

They don't get paid anything, so a leather jacket is a –

BOB GARFIELD:

Spurs, chaps, badge, gun, what?

ALAN PALLER:

Just a leather jacket.

BOB GARFIELD:

Alan, thank you very much.

ALAN PALLER:

[LAUGHS] You’re welcome.

BOB GARFIELD:

Alan Paller is director of research for SANS Institute, which is the organizing body of the Internet Storm Center.

[MUSIC UP AND UNDER]