Who trumps bin Laden as a cyberthreat? Look in the mirror

SAN FRANCISCO--It turns out al-Qaida's leader and his cohorts aren't the biggest threat to our cybersecurity. You are.

Six years ago, Osama bin Laden represented the nightmare scenario for the computer security establishment. But more immediate cyberdangers lurk on the horizon. Experts attending the RSA conference that began here today say it's you--Mr. & Mrs. Computer User--who keep goofing up.

In fact, they contend, the future of cybersecurity hinges less on a latter-day version of spy-versus-spy against shadowy terror groups than on a more serious effort to instill best practices. Listening to their warnings was something akin to the scene in the movie Groundhog Day, where Bill Murray repeatedly wakes up to the same morning.

Security gurus have long urged the business world to turn network security into part of the corporate DNA. The message is not fully getting through. And now we're seeing the predictable results.

After listening to Symantec's John Thompson's morning keynote, I later kidded him about purposely scaring the hell out of people. He was a good sport about my joshing but pointed out that the information security landscape is increasingly punctuated by cases of data theft. He backed that up by reciting a litany of worrisome stats from his company's latest Internet security threat report. Truth be told, it makes for grim reading.

[Photo: Symantec CEO John Thompson. Credit: Charles Cooper/CNET News.com]
Among the report's highlights:

• 65 percent of the new code being released into the market is malicious

• The U.S. was the top country of attack origin in the second half of 2007

• The education sector accounted for 24 percent of data breaches that could lead to identity theft

• Government was the top sector for identities exposed, accounting for 60 percent of the total

• Theft or loss of computers resulted in the most data breaches that could lead to identity theft

• The United States had the most bot-infected computers worldwide

If the statistics are accurate, rank-and-file computer users are far from internalizing the security mantra. What's more, the findings suggest it will be quite some time before most people treat computer security as more than an afterthought. In the meantime, of course, Thompson didn't preclude the possibility of a terror or state-based organization launching a big cyber attack. But he believes the more likely danger to the nation's infrastructure will emanate from a different quarter.

"The threat landscape has changed," he said. "When people used to talk about the 'Big One,' they were thinking about that in the context of an attack on the infrastructure itself. That's still possible but less probable today because attackers have shifted to the information itself. They're much more stealth-like. Before, they wanted to become obnoxiously visible. Now they don't. They want to quietly penetrate defenses so they can sell what they steal in what's become a growing underground economy."

[Photo: DHS Secretary Michael Chertoff. Credit: Charles Cooper/CNET News.com]

(He's got a point. Symantec's report found that bank accounts are the most commonly advertised item for sale on underground economy servers, accounting for 22 percent of all activity tracked.)

In years past, Thompson and other computer security executives have pushed the idea of making cyber-security as familiar to most people as the fire prevention campaign underwritten by the government in the 1960s and 1970s. Considering the amount of money Uncle Sam is spending on cyber-security these days, that's a pipe dream.

Department of Homeland Security Secretary Michael Chertoff, who also presented a keynote on Tuesday, offered little indication that Washington was about to ride to the rescue. In his prepared speech and the subsequent press conference, Chertoff offered a dutiful recitation of what he described as the President's interest in shoring up the nation's digital security.

But despite Chertoff's repeated commitment to doing the right thing - including a call to arms inviting Silicon Valley's best and brightest technologists to come to Washington to work on cyber-security - I wonder how many industry skeptics he'll win over. Until recently, DHS couldn't get a cyber-security director to stay in what was essentially a figurehead job for much longer than a year. Off-the-record interviews with people familiar with the goings-on there have described the situation to me as a bureaucratic mess.

DHS finally staffed up by putting in Greg Garcia, a former official with the Information Technology Association of America trade organization, as assistant secretary for cybersecurity and telecommunications. More recently, Rod Beckstrom, an author and entrepreneur best known for starting business collaboration software maker Twiki.net, was put in charge of directing a national cybersecurity center that operates inside DHS.

Give Chertoff credit for being candid about where DHS has come up short. He said the government needs to reduce its (literally) thousands of external network access points to around 50. At the same time, Chertoff wants his department to detect and analyze computer anomalies faster. A big part of that will involve a revamp of US-CERT's early warning system.

"Even giving an adversary one bite at the apple before we've figured out the meta data or (digital) signature is one bite too many," he said.

In the end, however, money talks and you-know-what walks. The feds only have a $115 million budget to work with. Chertoff's department has requested $192 million for the new fiscal year, but that's still doing it on the cheap. By comparison, we spend $720 million in Iraq each day.


UK catching the US in the cyber-crime tables

The UK is catching up with the US as an internet crime hotspot, according to IT security consultancy Global Secure Systems (GSS).

GSS bases its warning on a study of the recently released annual Internet Crime Report from the Internet Crime Complaint Centre (IC3).

"Despite the fact that the IC3 study is a national US annual report, it concludes that the UK is in second position with 15.3 per cent when it comes to the origin of US internet crime reports," said David Hobson, managing director of GSS.

"This is significantly ahead of other cyber-crime hotspots such as Nigeria (5.7 per cent) and Romania (1.5 per cent). It's also worth noting that internet crime in the US hit an all-time high in 2007, with an almost 20 per cent increase on the fraud reported in 2006."

According to Hobson, reported internet crime losses are only the tip of the cyber-crime iceberg, as there are many more cases that go unreported for various reasons.

He added that the report should act as a "wake-up call" to companies that are not properly securing their networks against attack from the organised criminal gangs prowling the web in search of new targets.

"How they achieve their fraud is irrelevant. If they can find a way in, they will," he said.

According to the IC3 report, 90,008 complaints were referred to federal, state and local law enforcement agencies across the US during 2007.

According to Hobson: "That's around one complaint every six minutes throughout the year, day and night. If that statistic doesn't make a company IT manager sit up and take note, I don't know what will."


Transcript disappears minister's 'hack-proof' ID register claim

At the end of February Home Office minister Meg Hillier explained the UK ID scheme security system to the Home Affairs Committee. "The National Identity Register, essentially," she said, "will be a secure database; ...hack-proof, not connected to the Internet... not be accessible online; any links with any other agency will be down encrypted links."

Except she didn't, apparently, because by the time the Committee session transcript was published, Hillier's words had become: "The National Identity Register, essentially, will be a secure database; it will not be accessible online; any links with any other agency will be down encrypted links."

Spooky? We are indebted to William Heath's Ideal Government blog for spotting the difference between what was actually said (noted at the time by an eyewitness) and what appeared in the official record. We should also explain at this point that Hansard, the UK parliamentary record system, is not intended to function as an entirely verbatim transcript of proceedings. It is largely verbatim, but includes some facility for publishing what the speaker meant to say, or perhaps even what they ought to have said.

Ordinarily, however, changes amount to little more than polishing and seldom materially affect the meaning. Ordinarily...

In this case, the removal of "hack-proof, not connected to the Internet" goes some way beyond minor polishing. Do we understand from this that Hillier's officials think it unwise (which, of course, it is) to claim that the NIR is hack-proof? And are they keen to leave wiggle-room on Internet connectivity? A database that is "not accessible online" is not necessarily the same thing as a database that is not connected to the Internet: a system can have no public-facing interface and still be reachable, via the "encrypted links" to other agencies, from networks that are themselves connected to the Internet. It all depends on what you might mean by "not accessible".

Hillier is relatively new to the ID card brief at the Home Office, and has come up with several improbable and/or unfortunate claims in recent months (e.g., "we should see an identity card, like a passport, in country"). At the Committee session, Ideal Government reports that "the officials present were passing notes to try to get her back on message", which we would guess is just the sort of thing that's likely to prompt the acute observer to take especially careful notes. It's a tough job minding some people. ®


Virginia, Illinois, and Texas all teaching Internet safety

Virginia became the first state this year to require Internet safety courses in its public schools. Illinois and Texas both have laws on the books relating to curriculum and instruction in this area, but Virginia is currently the only state to require such courses, according to VNUNet.

As one student quoted in the article pointed out:

James River High School student Maya Towers said: “I thought it was very important because we post a lot of things on the internet. I didn’t know how much information can be exposed.”

This highlights the attitudes of most of our students. While some conceal their identities on MySpace, Facebook, AOL, and other bits of social media, many others blithely post pictures, locations, and even phone numbers and addresses.

Now that my students have discovered Twitter, I’ve had to warn them about being too revealing in their tweets. Few realized that the growing network of followers (particularly for my feed) had access to any information they posted. Fortunately, most of my followers are either students or other folks interested in the educational value of social media. However, even these followers don’t need to know that Ashley and Susie are at the local movie theater alone and will be getting out at 9:45.

The level of naivete among many students is disturbing at best; well-planned curricula in the public schools could go a long way toward keeping them safe as we increasingly live a second life (no pun intended) online.


YOUR COUNTRY NEEDS you, nerd, seemed to be US Homeland Security chief Michael Chertoff's message to Silicon Valley in his patriotic keynote speech at the RSA Conference in San Francisco yesterday.

Chertoff even went as far as saying that future cyber attacks could be on the scale of the attacks the US suffered on 9/11, a desperate strategy attempting to appeal to the nationalism and conscience of Valley workers, as opposed to appealing to their wallets. (But, hang on, aren't most of them foreign anyway?)

In what sounded more like a military troop rally, the security chief told the auditorium full of Valley workers to stand up and be counted in America’s fight to secure the cyber highway, noting "The human and economic sacrifices from a cyber-attack can be devastating ... on par with what this country experienced on September 11".

Taking out a small onion and with tears of patriotism in his eyes, he begged the private sector to "please send some of your brightest and best to do service in the government", referring to a new inter-agency group (the National Cyber Security Center) set up to act as an early warning system for major network attacks and to help the federal government protect its computer networks from organised cyber attacks. He theatrically added that joining up would be "the best thing you can do for your country".

Chertoff thought it best to instill terror in his yuppie audience about the potential chaos that could be caused if cyber attacks were to hit financial or government bodies, melodramatically stating "a single individual, a small group or a nation state can exact damage and destruction similar to dropping a bomb or explosives."

Noting that the US government took threats to the online world as seriously as those in the real world, Chertoff also outlined government plans to develop the equivalent of a "Manhattan Project" to defend US federal networks and national security interests from the big bad bogeyman of large-scale cyber-attacks.