On-line safety: It’s a family thing

When prime-time national TV covers issues such as on-line predators, you can safely assume the item is important. The BBC’s Panorama (‘One click from capture’) returned to the issue of how a simple experiment of putting a young girl’s details onto social networking websites ended with the arrest of an online predator. This was a follow-up piece in response to the overwhelming response Panorama received when they first covered the topic in January of this year.

The programme managed to bring attention to the issue of family on-line safety and also to dispense some good and practical advice. This time the advice was directed at the children, followed by a call to parents to ‘get involved and know what your children are up to’. However, we’ve found that while the vast majority of parents are concerned about what their children get up to online, only half or fewer of the parents we surveyed worldwide (37 per cent in the UK) have taken steps to set parental controls on the family PC (www.norton.com/uk/familyresource), and only four in 10 have spoken to their child about safe Internet practices. We discovered that one in five children we surveyed worldwide admitted to conducting activities online that they know their parents would not approve of, and 24 per cent of UK online children spend ten times or more time online than their parents think they do. So there appears to be a real disconnect between what children are doing online and what parents actually know they are up to. This has got us thinking about why this should be the case. We think we need to give parents a tool that is flexible and allows them to implement the parenting style that is appropriate to them and to their children. We think they need a tool that builds trust and dialogue between the parent and the child. We think they need a tool that spans the new frontiers of where their children are going on-line: social networking, IM, search and so on.

So, we have lots of thoughts: now it is time for action. I spent last week giving a ‘sneak peek’ of some Alpha code of what we think our new ‘Family on-Line Safety’ application could or should be. I hope that I can extend an invitation to all of you to take a look at it…in the next couple of months.


Bosses most at risk of Identity Theft?

The media has been quick to cover the story from Experian, the credit reference agency, of the rise in reports of identity theft. Many covered the story under the headline ‘Bosses most at risk of ID theft’. What was notable in this news release was the profiling of reported victims and the ability to show ‘hot-spots’ for identity theft in the UK.

But why is it that company directors, or bosses who run their own businesses, are most prone to identity theft? Of course criminals go where the money is, and by and large ‘Bosses’ have more money than other mere mortals. I can see some logic there. Given the growing sophistication of identity theft attacks and the ancillary capability to gather more information on people, the criminals can start to separate the ‘bosses’ from the ‘non-bosses’.

Then again, it may simply be that, given the legal and reporting requirements of being a ‘Boss’, there is more publicly available information out there if you are a company director. Is it time to look back into this to assess whether there is a potential risk?

Or it may just be a lifestyle issue. If you are a ‘Boss’ then maybe you rely on others to help you with some of the admin that goes with being in charge and trying to organise a hectic lifestyle. This plays into the risk of personally identifiable information being shared between the boss and perhaps an admin assistant or PA. You see the picture: shared logins, shared passwords, weak passwords so that a number of people can remember them, and so on. The other reality may be that many of these people are just so busy building and running their businesses that they do not have time to focus on ‘security’.

So, my message to the ‘Bosses’ is hopefully something they can appreciate: do the basics well and do them all the time. Use strong passwords; we found that 50 per cent of people still use really weak passwords (http://www.symantec.com/norton/theme2.jsp?themeid=nol). Use some sort of anti-phishing tool in your browser and ensure you have a good anti-spam tool for your email.

When Malware becomes Crimeware

Now, without wanting to start an official book club (there are enough in the world without me getting into the act), I have had the opportunity in the past few weeks to read a couple of security-focused books that I thought you may well be interested in and benefit from. They both focus on the evolution of ‘malware’ into ‘crimeware’. ‘Crimeware – understanding new attacks and defences’ is by Markus Jakobsson and Zulfikar Ramzan (www.informit.com/aw). It is very comprehensive in its scope and helps the expert, and the not so expert, understand and prevent specific crimeware threats. What it does well is to explain how, from a technical standpoint, malware can be, and is, used for the purposes of crimeware. Zulfikar Ramzan is a colleague of mine here at Symantec and he has also roped in some other members of the team to help with some of the chapters.

‘Zero Day Threat’, by Byron Acohido and Jon Swartz (www.sterlingpublishing.com), provides a further insight into the developing world of crimeware. The authors are journalists with USA Today and they neatly intertwine a narrative of a real-life ‘bust’ of a crimeware author in Canada with an account of the failures of banks and credit bureaus to keep people safe from crimeware. It provides a good and thought-provoking overview of what is happening and what potentially could happen, without descending into the realms of deep technical analysis.

Social networking: the age of innocence is over.

I had the opportunity to see the excellent BBC ‘Click’ this past weekend on BBC World. They covered the viewer and on-line reaction to their story of a few weeks back on writing a rogue Facebook application. The Click team wrote a ‘skimming’ application that, in effect, was able to go around and harvest data from the profiles in a ‘friends’ list.

This story set off a lot of reaction from viewers and users of the site. Facebook did point out that it has a code of conduct that it asks and expects developers to abide by: limit the collection, use and storage of data, and so on. They also have a team of people dedicated to helping weed out application developers who do not follow the rules.

In reading the responses to this story I was struck by a number of things. First and foremost, the sense of outrage that such a respected and well-thought-of site could, somehow, have been violated in such a way. Users of Facebook care about it in a personal way. There was a palpable sense of indignation. However, this is an example of how social networking sites can be vulnerable to those who would want to invade them. The very sense of trust that binds the many millions of people who use social networking sites such as Facebook can also be their Achilles heel. Trust begets respect. What this incident shows, though, is that malware authors, who have no respect for anything or anyone, could potentially use this as a new ‘fertile’ marketplace for their endeavours.

Facebook and other social networking sites will learn from this, I am sure. There was an effective way to stop this type of rogue application, but it is buried within the Privacy settings (privacy/applications/other applications), where you can select the option ‘Do not share any information about me using the Facebook API’. I think they need to bring this option much closer to the attention of the user, and in simpler language that means something to someone.

Does it mark the end of the age of innocence for social networking? I think so, and in the long run it may not be a bad thing.

For more information on the story, go to http://news.bbc.co.uk/1/hi/programmes/click_online/7375772.stm

UAC: the hero of silent security?

There has been a lot of comment since Microsoft stated at RSA that it set out to make User Account Control (UAC) ‘annoying’. There seems to be general consensus that they achieved their goal.

UAC is an interesting approach. At the very heart of it, it uses the metaphor of asking a user to make a decision to allow an application to run. On the face of it you would think there is nothing wrong in that: or would you? We have seen a veritable avalanche of attacks that are all predicated on getting a user to ‘click’ on something. So people view UAC as irritating and not effective given today’s threat landscape.

Users I talk to, on the whole, tell me one of two things in relation to how they want to interact with security programs: “can you keep that security stuff out of my face” and/or “you are the expert - you solve it for me”. If you line up UAC against these criteria you can see how it scores well in the ‘annoy’ category.

If I were to take a slightly contrary view, what UAC has helped bring into focus is the latent desire from users for smarter and more silent security products. In going after this request from users (and at Symantec this is very much the philosophy and direction we are following with the Norton products), we can also help the on-going battle to reduce the attack surface. So, perversely, the current and new generation of smart, silent security products have much to thank UAC for.

Is Hector the new Tufty?

The early seventies saw growth in car ownership here in the UK. I was aware as a kid in the seventies what a big deal it was that my Dad had acquired our first family car, a Morris. Please don’t laugh. It was a lovely battleship grey, from memory.

Just about the same time, at Primary School, the ‘Tufty Club’ became a big focus for all us little ones. I have a memory of sitting cross-legged in the assembly hall and being sombre as the penny started to drop that ‘cars’ could be bad and we really needed to be careful crossing roads and walking to and from school. However, the colouring-in books and a guest appearance by ‘Tufty’ himself soon lifted my mood.

Tufty did keep me safe and I have something to thank him for. Here in the new millennium many households have family computers, and I was intrigued to read that ‘Hector the dolphin’ is to be used to help teach young children how to keep themselves safe on line. Who says good ideas go out of date?

The cynics may sneer, but I wish Hector every success. To meet Hector yourself use this link http://www.thinkuknow.co.uk/5_7/hectorsworld/

An Apple a day keeps the malware away?

I had the pleasure of presenting at the Apple Store in London the other day. Most of the time when I present, I and the people I am talking with start from the same standpoint: they have security issues and are looking for answers or reassurance. With the Apple users there was, and is, a healthy dose of scepticism. So, coming from Symantec, I wasn’t really ‘preaching to the choir’ with respect to my audience. Well, we all like a challenge.

In terms of the actual numbers of Mac-specific malware, there is no doubt there is an awful lot less of it. From that standpoint you are safer and there is a benefit. The game changer that Mac users need to be mindful of is that the bad guys are now attacking the individual and not the PC. Malware is morphing into crimeware. Increasingly, the attacks are financially motivated. This gives a simple focus for the bad guys. They care not for the merits of Windows versus the Mac, nor hold any particular view on Bill Gates or Steve Jobs: it is all about the money. We are seeing attacks whereby the code determines what OS or browser you have and then simply adjusts itself accordingly.
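To make the last point concrete, here is an added illustration (not code from the original post or from any real attack kit) of the platform-selection step such code performs: the visitor’s User-Agent string is fingerprinted for operating system and browser, and a matching module is chosen. The module names and the sample User-Agent strings are constructed for the example; the ‘payloads’ are just labels, nothing is downloaded or executed.

```javascript
// Added example: platform selection in a multi-platform drive-by kit.
// Constructed for illustration; module names and samples are assumptions.

// Which module the kit would serve for each (os, browser) pair. A real kit
// keys this on whatever exploits it carries; the point is that Windows and
// Mac visitors are both catered for, because the target is the person.
const MODULES = {
  "windows/ie":      "win32-dropper",
  "windows/firefox": "win32-dropper",
  "mac/safari":      "osx-dropper",
  "mac/firefox":     "osx-dropper",
  "linux/firefox":   "elf-dropper",
};

// Classify OS and browser from a User-Agent string. Order matters:
// Chrome UAs also contain "Safari", so Chrome is tested first.
function fingerprint(userAgent) {
  const ua = userAgent.toLowerCase();

  let os = "other";
  if (ua.includes("windows")) os = "windows";
  else if (ua.includes("mac os x") || ua.includes("macintosh")) os = "mac";
  else if (ua.includes("linux")) os = "linux";

  let browser = "other";
  if (ua.includes("msie") || ua.includes("trident")) browser = "ie";
  else if (ua.includes("firefox")) browser = "firefox";
  else if (ua.includes("chrome")) browser = "chrome";
  else if (ua.includes("safari")) browser = "safari";

  return { os, browser };
}

// Pick the module for this visitor, or null if the kit has nothing for the
// platform (in which case a kit typically serves a harmless page so that the
// visit looks uninteresting to anyone investigating).
function chooseModule(userAgent) {
  const { os, browser } = fingerprint(userAgent);
  return MODULES[`${os}/${browser}`] || null;
}

// Constructed sample visitors (not real traffic).
const SAMPLE_VISITORS = [
  "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)",
  "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_7; en-us) AppleWebKit/530.17 (KHTML, like Gecko) Version/4.0 Safari/530.17",
  "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.10) Gecko/2009042523 Ubuntu/9.04 (jaunty) Firefox/3.0.10",
  "Mozilla/5.0 (Windows NT 6.0) AppleWebKit/525.13 (KHTML, like Gecko) Chrome/0.2.149.27 Safari/525.13",
];

// Run the selection over every sample and report what each visitor would get.
function triage(visitors) {
  return visitors.map((ua) => ({ ua, ...fingerprint(ua), module: chooseModule(ua) }));
}

for (const row of triage(SAMPLE_VISITORS)) {
  console.log(`${row.os}/${row.browser} -> ${row.module === null ? "(benign page)" : row.module}`);
}
```

The same table read the other way round is useful defensively: when analysing a suspicious landing page, the branches its script takes on the User-Agent tell you which platforms the operator has bothered to arm against, and a Mac branch is no longer unusual.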

At the end of my pitch, some of the audience wandered up to ask additional questions. They seemed assured in their investment in the Mac and respectful of the bigger picture that I shared with them. The questions they asked me at the end were interesting and insightful. They tended to be about personal experiences of being phished, spammed or duped into visiting web sites. They are getting drawn into the world of malware and crimeware, albeit from a different standpoint.