Archive for the ‘Campaigns’ Category

Should manufacturers pay rewards for malware authors?

Tuesday, February 17th, 2009

So, Microsoft has offered a reward for information on the writers of the Downadup worm. Following a tradition going back many years, in which rewards were put up for murderers, highwaymen and even kings, the IT industry truly is ‘back to basics’. Don’t knock it, it works. Sven Jaschan, the author of the Sasser and Netsky worms, was arrested in May 2004 after a reward of £250,000 was offered. But there isn’t much consistency in how and when rewards are put up. When Storm was at its height, no reward was offered, and yet it actually went live, whereas Downadup is yet to do so.

I suppose this reflects real life: not every crime has a reward associated with it. However, it is a good indication of our failure to govern this new virtual world, and to learn from real world experience. I am reminded as to why Bonnie and Clyde were initially so successful as bank robbers – they could always dash across a state line and be safe from prosecution. In the end, the US had to amend its laws to close this loophole. This is precisely where we are with Internet crime. Hackers in one part of the world can commit crimes in another, remaining out of reach of the relevant authorities. It is an international problem which needs an international solution, just as the US needed a nationwide solution to catch bank robbers. In the meantime, rewards are the best we’ve got.

Scaremongering or informing?

Monday, February 9th, 2009

There’s been a bit of discussion over the last week as to how and when security companies should promote themselves. A couple of the big vendors have been criticised for scaremongering – http://www.itpro.co.uk/609768/sophos-hits-back-at-scaremongering-accusations – in order to generate publicity for themselves.

It can be a fine line to tread. On the one hand, the security industry would be irresponsible if we didn’t take seriously our role to educate and inform users of the very real threats that are out there. On the other, it’s easier to get publicity by throwing a stunt that is designed to frighten, rather than educate, users. And of course some companies have been guilty of this in the past.

But the truth is, there are threats out there. And mostly, they rely on some kind of user participation to work (spam only pays if people buy from it). So informing those users of the threats they face is a good thing.

I actually don’t think that creating a Facebook site to encourage people not to buy from spam is scaremongering. It may not be the most effective tactic to stop spam, but it certainly doesn’t do any harm. Spam is a very real threat. It would have been different if a Facebook site had been created to promote the threats presented by mobile viruses, for example, which aren’t yet a big problem.

But we do need to act responsibly by presenting the facts in an even-handed way, being honest about the scale of the threats we face, and creating a debate about how we can tackle them.

UK government needs to move faster to protect infrastructure

Wednesday, December 24th, 2008

I feel very strongly that government needs to take a tough stand on cyber crime, so it was interesting to learn from Network Box’s recent research that 80 per cent of businesses believe the government is not doing enough to protect our national infrastructure from cyber threats.

Earlier this year, we saw a debate in the House of Lords that followed its 2007 report on Internet Security, calling for increased measures by government to protect the UK from cyber threats. Little seems to have changed since the first report. The thing that is most worrying to me is the lack of international co-operation on cyber crime. While the UK is working with the EU on a five-year plan to fight Internet crime, this isn’t really tackling the problem – the vast majority of threats come from outside the EU, particularly from Russia, the US, China and Brazil.

The other concern I have, and one that is reflected by businesses, is a lack of speed of response by government to these threats. Cyber criminals move fast, and government simply doesn’t respond quickly enough to deal with them.

Our research showed that the majority of businesses (61 per cent) believe that malware downloaded from the Internet is the single biggest threat to security. As we move into 2009, businesses need to ensure that they are providing adequate protection to their employees who use the Internet, in the same way that they have done with email, to prevent malware being downloaded from websites.

But this is still treating the symptom, not the cause. I would be delighted if a new year brings a renewed willingness by governments worldwide to work together to combat the menace of cyber crime. Sadly, I feel that this would be over-optimism on my part.

Cyber threats: is the government doing enough to protect us?

Monday, November 10th, 2008

There is much debate at the moment around whether the government is doing enough to protect the UK’s national infrastructure from cyber threats. Concerns were highlighted in the recent debate in the House of Lords on Internet security (www.parliament.uk), introduced by Lord Broers.

Three major issues came out of the debate that we need to address urgently.

The first is the international nature of cyber-crime. A national e-crime unit, though a good start, is not enough to begin to deal with the scale of e-crime. Many of the cyber-gangs operate out of Russia, China and the US, so we need a much more international approach and improved collaboration between governments. This brings its own problems, of course, for example where we see situations that could be state-sponsored cyber-warfare. While the government is doing considerable work to bring in UK initiatives to tackle cyber-crime, and is looking at ways to work alongside industry and agencies to tackle the problem, it needs to do more to work alongside other governments, not just within the European Council member states.

The second is that we need to address, immediately, the number of data breaches in the UK. Companies that are responsible for data breaches must be held to account, and the security standards laid out by government in its report earlier this year must be clear and legally binding.

And thirdly, the debate raised the issue of a kitemark to set a single standard for security systems. It is a really interesting idea, but it cannot be done unilaterally by the UK – it would have to be an international initiative, or it would effectively restrict UK development.