Security Efforts Aren't Making the Web Safer
Cox News Service
Sunday, April 13, 2008
Despite all the antivirus software, all the extra security features in your computer's operating system, and all the government regulations intended to make the Internet a safer place, your PC and your personal data are as threatened as ever.
If you couldn't already tell that from the latest e-mails offering to enlarge certain parts of your anatomy or — congratulations! — saying you won millions in a Netherlands lottery, consider some statistics released last week by tech security company Symantec Inc.:
— The amount of spam flowing over the Internet grew by 16 percent in the second half of last year and now makes up more than 70 percent of all e-mail traffic. (Other Internet security companies put the proportion at 95 percent.)
— The number of computers used for "phishing" Web sites — designed to trick users into giving up sensitive financial or personal data — more than quintupled in the second half of last year from a year earlier.
— The amount of "malicious code" — computer-speak for viruses or other software designed to take over, shut down or steal data from computers — more than quadrupled last year. Symantec predicts there will soon be more bad software than good software in the computing world.
"It's a constant black-hat, white-hat sort of game that's never going to end," said Neal Hartsell, vice president of product marketing for Austin, Texas-based computer security company TippingPoint Technologies Inc.
"I don't think anyone would suggest that there hasn't been a lot of progress made ... in addressing the kinds of threats we dealt with three or four years ago," Hartsell said. "However, there's a whole class of newer threats that hackers are using that are more sophisticated than ever."
No longer is the typical hacker a teenager trying to deface Web sites or shut down a government network just for fun, Hartsell and others said.
Today, the biggest threats come from criminals aiming to make money through Internet scams, stealing and reselling personal data, or blackmailing corporations with lost or stolen data.
Finding them is tough, shutting them down can be tougher, and protecting every computer user is next to impossible.
"Right now, the problem is unbounded," said Chris Rouland, chief technology officer for Atlanta-based IBM Internet Security Systems.
"There's basically an infinitely small chance that these guys will ever get caught (and) the amount of revenue they generate is unlimited," he said. "It's really the perfect crime today."
Some of the rise in computer threats is related to the fact that there are simply more computers than ever — not just desktops and laptops but also handheld devices, "smart" cell phones and other gadgets.
And while computer security companies have a history of hyping problems to sell more products and services, the problems are clearly increasing, especially as companies and consumers rely more and more on the Internet to store, sift and swap data.
"The front lines have in fact shifted," Symantec Chairman John Thompson told attendees at a computer security conference in San Francisco last week. "The battleground for security no longer revolves around the infrastructure, it now revolves around the information. And this wide-open world is full of confidential information everywhere."
About 71,000 Georgia families are learning that first-hand. WellCare Health Plans Inc. said last week that private insurance records of about 71,000 members in Georgia were accidentally made available on the Internet for several days.
Other recent disclosures of data breaches highlight the problem facing consumers, businesses and public agencies of every kind.
— Advance Auto Parts recently announced that hackers may have tapped into the financial information of some 56,000 customers who bought goods from stores in Georgia, Ohio and other states.
— MTV Networks said an outside hacker tapped into the Internet connection of a laptop to access confidential data on 5,000 employees.
— Texas A&M University said it accidentally posted Social Security numbers of 3,000 students online.
— ChildNet, the child protection service in Broward County, Fla., said a stolen laptop contained the personal records of some 12,000 applicants.
According to the nonprofit Privacy Rights Clearinghouse, major data breaches now occur almost on a daily basis, often because outside hackers tap into corporate databases, or lost or stolen laptops or storage devices fall into the wrong hands. More than 223 million data records of U.S. citizens have been exposed because of security breaches since January 2005, according to the group.
Computer security companies now advocate that companies and individuals do more than just install and update virus software, passwords and firewalls to protect themselves and their data.
"What's good enough today isn't going to be good enough in the future," Jim Bidzos, vice chairman of security company VeriSign Inc., said at last week's RSA conference. "We're still trying to fix things with Band-Aids, ... and there are consequences of that that aren't very pleasant."
For starters, access to data should be limited only to people who need it, security companies say. Unneeded data should be destroyed immediately. Access points to the Internet should be limited.
At the same time, they say, portable devices such as laptops or handheld computers ought to be more secure. Use of devices like portable USB memory drives should be limited. And public wireless networks, many say, should be avoided.
Some say the government needs to get more involved, too. Trade groups for security vendors are beginning to lobby Congress for regulations that would force companies nationwide to implement data protection policies. Such a law would replace different data protection rules in about 40 states.
"What we really need is a federal law that will set one very high standard to protect consumers," said Thompson of Symantec. "Right now too many businesses are leaking information just like a rusty bucket."
Of course the government has passed laws (remember the Can-Spam Act?), and security and software companies have advocated changes and introduced new products before.
Yet today, your PC and your personal data are just as threatened as ever.
HOW TO BE WEB-WISE
— Use Internet firewalls and regularly update and install antivirus software. Check for and install software security updates.
— Don't put credit card numbers or other sensitive information in the body of e-mails. Instead, use the telephone or a secure Web site.
— Don't provide personal and financial information, especially on Web sites and in e-mails, if it's not absolutely needed.
— Type the names of Web sites instead of using links provided in e-mails.
— Click on the little "lock" icons on Web sites to display the digital security certificate for the site. The address and organization listed on the certificate should match the name and address in your browser. If not, don't use the site.
— Eliminate online accounts you don't use.
— Don't open or reply to "spam" even if it appears to be from someone you know. Don't open or reply to e-mails from senders you don't recognize.
— Limit the use of public wireless networks and don't sign on to public "hot spots" you don't recognize. They could be bogus sites set up by hackers.
— Frequently change passwords, and use security codes for home wireless networks.
— Limit the number of access points to the Internet in your home or business.
— Turn off computers when not in use.
Source: Privacy Rights Clearinghouse; Internet Crime Complaint Center, FBI, Anti-Phishing Working Group.