X

Customers squeezed, as ISPs close in on viruses

Broadband providers turn up the heat on customers, as the spread of spam viruses such as Bagel reignites the debate over just who should be in charge of Internet security.

Jim Hu Staff Writer, CNET News.com
Jim Hu
covers home broadband services and the Net's portal giants.
Jim Hu
6 min read
High-speed Internet service providers are increasingly putting their customers in the security hot seat, as they try to fight recent virus attacks that turn computers into spam factories.

News.context

What's new:
High-speed Internet service providers are increasingly putting their customers in the security hot seat, in a bid to fight recent virus attacks that turn computers into spam factories.

Bottom line:
The problem has gotten so bad that broadband companies are considering whether it's time to substantially beef up policing on their networks--something they've avoided in the past, due to concerns over costs and potential privacy violations.

More stories on this topic

Broadband companies have said they routinely monitor customer accounts for signs of abuse and take action when it's appropriate. Although such policies have been in place for years, they're now being invoked more than ever, due to the spread of viruses that allow spammers to spew out millions of junk e-mail messages under victims' noses.

The virulence of these virus attacks has sparked a fierce debate over countermeasures, security experts said. The problem has become so bad that broadband companies are considering whether it's time to substantially beef up policing on their networks--something they've avoided in the past because of the cost and potential privacy concerns involved.

"Nowadays, a person sending spam is Granny, and she has no idea she's doing it," said Joe Stewart, a senior security researcher at Lurhq, a corporate security company. "(ISPs) can pull the plug, but it's hard and time-consuming to spend time on each user on tech support."

High-profile viruses such as Sobig, MyDoom and Bagle have preyed on available bandwidth, lax security and ignorance among ISPs and consumers alike to turn unknowing Net users into bulk e-mailers. The problem has prompted broadband ISPs, such as cable and Baby Bell phone companies, to step up network scanning and enforcement of security policies. These policies include the use of account suspensions to prod customers into using better security practices.

The debate touches on far-reaching questions about the direction of Internet security policy and about the roles of ISPs and individuals in maintaining safe networks. Should the primary responsibility for security fall to broadband ISPs or subscribers?

A sweeping report on Internet security the White House issued in September 2002 concluded that the best antidote for security lapses is to better educate and motivate people into adopting better security practices, such as installing firewalls and keeping antivirus software up-to-date.

Since then, however, changes in the nature of virus attacks have made that model increasingly untenable for broadband ISPs, and some are beginning to rethink their historically hands-off policies, antispam experts said.

"Their attitude was: 'We can't possibly be monitoring everything going on in customers' computers,'" Ray Everett-Church, chief privacy officer at antispam software company TurnTide, said about broadband ISPs. "But they found they had to participate when those activities had negative consequences for their entire network."

Finding the right balance
Viruses such as Sobig and Bagle disguise themselves as cleverly worded e-mails that can install exploits on a PC, once their attachments have been downloaded. Once these "Trojan horse" programs are installed, the viruses create a hole that lets spammers relay bulk e-mails, using the victim's address--adding another layer of anonymity for the spammer.

The spread of these Trojan horse viruses has caused considerable damage and annoyance. ISP networks and user in-boxes have become clogged with higher levels of spam, and more work is needed to fix exploits in networks and in PCs. One study found that this year, North American ISPs will spend up to $245 million in dealing with these viruses.

Broadband ISPs are taking different approaches to the problem. Many have implemented policies that identify, quarantine and sometimes suspend or shut down accounts that have been infected. Others leave it up to their customers to keep their antivirus software up-to-date.


Get Up to Speed on...
Enterprise security
Get the latest headlines and
company-specific news in our
expanded GUTS section.


These policies are by no means foolproof. Virus writers are usually one step ahead of software fixes and can still find a way to get viruses to high-speed Net users. Broadband ISPs are caught in an endless cat-and-mouse game that often translates into greater costs, as they increase efforts to educate users and disinfect PCs.

Comcast, the nation's largest cable operator and broadband ISP, is considered by some e-mail watchers to be one of the biggest virus targets. The cable giant said it has implemented antispam software on its network and that it continually monitors activity to find potential victims, or purveyors, of spam viruses.

"Most customers who send spam are doing so unknowingly," Jeanne Russo, a Comcast spokeswoman, said in an e-mail statement. "Once identified, the accounts are quarantined and contacted to resolve the issue. After the problem has been resolved, the customer is restored to full network access."

Cox Communications, which also runs a cable ISP, scans for potentially compromised accounts and then suspends or quarantines accounts until the owner patches the security hole. The company forces people to send e-mail through internal mail servers rather than to set up their own servers. Spammers often use such servers to piggyback on a network's bandwidth, thereby sending more e-mails at a faster rate.

Audiocast
arrow Unwanted e-mail isn't going away anytime soon.
play audio
But Cox also tries to mix in publicity campaigns aimed at pushing users to update their PC operating systems and patch weak points.

"ISPs need to encourage users to enable automatic patch updates for their Windows systems, evangelize weekly visits to www.windowsupdate.com and www.officeupdate.com, and offer crosslinking or bundles with the latest antivirus and firewall software vendors," Jeff Hartley, a manager of security and abuse for Cox, said in an e-mail statement.

Local phone giants, which are the largest suppliers of digital subscriber line (DSL) access, also face similar problems. Verizon Communications, the largest local phone company in the United States, takes a more user-centric approach. It suspends subscriber accounts only in "egregious" instances of spam abuse but mainly tries to prod its users into taking action.

"We can't sit there and say: 'You're spamming--we're going to knock you off the wire,'" said Scott Lebredo, a senior technical manager at Verizon Online. "It's your access. You're responsible for it, but you must be educated about how to combat it."

Whose fault is it, anyway?
Still, the question remains whether the techniques broadband ISPs are implementing are enough. Some say the onus is on ISPs, which should play a role in protecting their networks for the greater good of their subscribers and the Internet at large. Critics say ISPs should manage their networks to ensure that all users are safe.

"I wouldn't expect to boil my own water; I expect it to treated upstream," said Mark Sunner, the chief technology officer at MessageLabs, which sells a virus detection service for corporate networks. "The correct groundswell needs to be focused on the Internet level, where you can be proactive rather than reactive."

ISPs point out that excessive monitoring could have damaging consequences for their business. To stop viruses from spreading, they could take the extreme measure of scanning their subscriber in-boxes and PC hard drives to make sure that users are not unknowingly harboring malicious viruses. However, ISPs fear that taking this tack would jeopardize user privacy.

"It would be very unfriendly to scan customers' machines," said Mary Youngblood, the manager of the abuse team at ISP EarthLink. "It would be deemed by some people as a privacy violation."

America Online, the nation's largest dial-up ISP, has dealt with virus and spam issues for many years and has used different methods to battle the problem. AOL frequently suspends accounts that may have been infected and forces subscribers to call customer service to fix the problem. It also restricts the amount of outgoing mail each member can send, among other techniques.

"It should not be our responsibility, but AOL has been a good Netizen," said Nicholas Graham, an AOL spokesman. "It's a joint responsibility between providers and consumers."

Where the balance of that responsibility falls will continue to shift, as new variants of viruses continue to emerge and wreak havoc. Right now, it seems that virus writers have easily exploited a loophole substantial enough to keep everyone pointing fingers.

"You can't expect (ISPs) to take on the task of keeping everyone virus-free, because if they did that, their costs would skyrocket," Lurhq's Stewart said. "It really falls on each individual user to be responsible. But unfortunately, people aren't up to the task, technically."

CNET News.com's Robert Lemos contributed to this report.