The factual narrative is enlivened by focusing on the story of two individuals who have battled against the rise in cybercrime. Barret Lyon, a computer whizz who unwittingly became embroiled in protecting legitimate and illegitimate businesses against attacks. Andrew Crocker is a British detective, who in working for the National Hi-Tech Crime Unit in the UK, went to Russia to track down and prosecute hackers and to find out who they ultimately worked for. 

The books offers great insights into how cybercrime works, who is involved and why it is being used. It is truly shocking and thought-provoking, in equal measure.

Zoe Kleinman has brought an interesting perspective to all of this with an article she has written on the BBC News site. In her piece she referes to research to be presented by Dr Kieron O’Hara of  Southampton University, wherein,  he calls for people to be more aware of the impact on society of what they publish online.  Privacy law is driven by a concept of a reasonable expectation of privacy. As more of our private lives have moved online, either intentionally or not, then the expectation of privacy has changed. What is normal now? The bottom line is that, with more people putting ever more private information out there, then we not have the level of legal recourse that we think we have. However, we are part of the community and our actions do ultimately drive the social norm. Hence, the solution is down to us and what we ourselves do on-line.

The Guardian

I am sure that many of you and the public at large would say: ‘about time too’ and ‘ serves them right’.  There is some sense of justice, if it were felt that the bad-guys could be brought to account and punished. The story in The Guardian refers to ‘secret plans’ and un-named senior officials, and generally, ‘people familiar with the topic’. As such, this is when we all have to start to take a sanity check on all of this.

This is an idea that has been around for a long time, and for as long as it has been around, nothing has come to pass. Why? I think it comes down to practicalities and to ethics. If it were that easy to be able to directly target and find the ‘bad-guys’ do you not think, the authorities would not have been doing something already? Exactly, tracking down the bad-guys is a tough and involved exercise. The other issue is that in ‘taking them out’, via denial of service approaches for example, is that you can impact and impinge upon other legitimate users of the internet. This is what is referred to as collateral damage.

The other consideration is ethics and the rule of law. It has long be suggested that in the real world, the Police and authorities know who most of the criminals potentially are. However, in most democracies to convict someone you need to prove cause and provide evidence. It is not just a matter of going along to the houses of known and suspected criminals and throwing them in jail or ‘taking them out’ so-to-speak. I believe that that the authorities who are involved in tracking down the cyber-criminals and ‘bad-guys’ have a very difficult and complex job. However, they need to continue to operate within the confines of what is both practical and ethical. They deserve our thanks and support and all the resources they need to help bring the rule of law to ‘net.

Could I get you to give me money? I came across this interesting article. It basically shows how a hacker who manages to get access to personal information, could then trick you to offer up money. There is a transcript, of a real life example, of an IM exchange that provides a startling insight as to how this could work. Fortunately, for the person involved, the hacker made a mistake in answering a question and then the game was up.

Socially engineered exploits like this are a warning to all of us.  To stop this type of rouse, technology alone will not protect you. You need to be aware that this can happen and you need to made sure that your passwords are safe and secure and that the amount of personally identifiable information on you is limited and controlled – technology does have a role to play here.  So, just because that picture, or avatar, is what you would expect from your ‘friend’, that alone is not enough to identify them.  Maybe, we need to adopt the approach, popularly used in spy movies, when two contacts get together and some obscure code word or phrase is exchanged? Certainly, it would make for more fun at the start of IM sessions! This sort of authentication protocol, or process, is how computers establish a secure communication between themselves. Maybe, it is something we as users need to look at.

It clearly has caught the attention of many people across the world.  The vulnerability was only discovered last week, coming too late to be accommodated within the Microsoft, December patch update cycle.  What really was noteworthy, was the speed with which the vulnerability was then exploited . We noticed and detected this early, but by the end of last week and through the weekend you could see the prevalence of exploits using this vulnerability. It is still out there and being exploited, but with security vendors having released signatures this should start to mark the beginning of the end.

Microsoft themselves are planning that a patch will be issued later today. This is the second time in as many months, that they have had to issue and emergency, or as it is called, an out-of-band update. It is once again, a very public embarrassment for them. This year has been the year of the browser. We have seen new releases and new entrants (Google Chrome). We have seen all the browsers improve upon their security features and all of them come up short in some way with vulnerabilities and exploits. We are seeing security vendors, such as Symantec, continuing to develop and invest in additional browser protection techniques to help shield browsers from attacks. I think we are signing off 2008, with a view, as to what may well be the drumbeat accompaniment of 2009.  Now, I really must go and change the PowerPoint slide…..

What is clear is that the Underground economy is becoming more sophisticated. We are seeing both the selling of ill-gotten goods and requests for assistance e.g. ‘I need someone to write me a Trojan’, ‘I need a bot-herd’ etc.  If everything we detected was sold at the asking prices requested, then the total comes to $275M.  This is a large sum. Now, that being said, if you look at the amount of money traded through legitimate on-line resellers, then this runs to the many hundreds of billions of dollars. So, the ‘legitimate economy’ wins out against the ‘underground economy’. What this research reminds all of us, is that we do need to be careful. In taking some sensible and simple precautions we can ensure that our identities and finances do not come to be traded in the underground economy.  We have created a short video, the latest in our series of ‘guides to scary internet stuff’, specifically on the underground economy.

Research, such as this, helps Symantec. It provides us with an insight as to what the bad-guys are interested in, how they get it, what they do with it etc. In turn, that helps us focus our efforts in designing our security products to mitigate this. Additionally, it also reminds the bad-guys that they are being watched, tracked, and that they cannot count on having things all their own way.

Now, no sooner have the Beijing Olympics started to pass into memory than we start to see the London 2012 Olympics start to be exploited by the spammers. We detected a lottery scam around London 2012, wherein the recipient is informed they have won £950K. All they need do is contact the ‘paying agent’ and provide details to collect their ‘winnings’.  And so, with that, the countdown to London 2012 begins in terms of scams, and socially engineered malware attacks.

Instant messages, social networking sites, forums, blogs and old fashioned email – in the ever expanding maze of communication methods Internet security is often a tough and confusing subject for parents to broach with their children. We recently conducted a survey into children and parent’s online behavior and  found that many parents are still in denial over the varied dangers on the Internet and are ignoring the sampling their children are doing. Only four in 10 online parents in UK have spoken to their child on safe Internet practices despite 87 per cent of children feeling comfortable talking to their parents about their online experiences. *

Cory encouraged readers to ‘Give your children honest, useful privacy information’ and to try and help combat this disparity between parent and child. That’s what we have been advocating in a recent initiative, called ‘The Talk’ as part of our Norton Family Online safety Initiative.  Remember ‘The Talk’ your parents had with you? Those uncomfortable conversations with our parents on sex education? Well, we’ve been encouraging parents to adapt this for talking to their children about the Internet. A mutually beneficial discussion, it will allow the child to appreciate both the important role the Internet can play in their lives for learning as well as the potential dangers. The end goal of this is for parent and child to come to a mutual agreement outlining the ‘rules of engagement’ regarding the child’s behaviour online.  

Getting one’s child to describe their experiences, with honesty, may be difficult, particularly if the parent is not an Internet expert or as skilled as their children.  But that is OK, because it’s not necessary for a parent to be an expert to help their children enjoy the Internet safely.

Taking this initiative will hopefully enable parents to develop their knowledge of what their child does on the Internet whilst encouraging the child to interact safely and learn how to value and protect their personal privacy and identity online.

Phishing

To help contain phishing and as a precursor to ultimately managing and defeating it, requires effort and activity on many fronts. We have seen the popular browsers being updated to have ‘anti-phishing’ capabilities built into them. Many of the internet security suites also build in additional levels of anti-phishing protection. This is all necessary and effective. However, what is still vitally important  is to continue to educate people about phishing. We need to keep it front of mind, provide practical information to help combat it and to provide reassurance that the ‘phishers’ do not,  and will not, have it all their own way.

If you follow this link you will see an new and updated educational piece we have created on ‘Phishing’. I hope you like it and importantly find it useful. If you do like it, please help do your bit to push back against ‘phishing’, share it with friends, family and colleagues.

The Beijing Olympics start tomorrow. The World’s biggest sporting event of all time, I am sure that it will not disappoint.

In winning the Olympics, Beijing outlined that it would harness the power of IT, innovate around it, to bring the Games to new audiences. We will see a convergence of IT and Media on a scale not seen before. Many of the big Media companies and franchises have extensive plans to bring the games to the ‘net in a big way. I know that many network administrators are bracing themselves for the impact of ‘streaming’ video of Games – if they allow it on your corporate network.  It will be interesting to see (or maybe not) what the strain will be on your ISP as well. 

Where you have a mass audience connected to the ‘net, then in the shadows the’ bad guys’ will be lurking. In the Symantec State of Spam report for August, we are already seeing Spammers peddling their wares on the back of the Olympics. Symantec Security Response have already written up a blog on an attempted Phishing attack, purporting to sell tickets for the games. The creators of the site went to great lengths to make it convincing, even using an SSL connection, believe it or not. 

So, get on your marks, get set, and it is ‘Go’ for no doubt many Olympic related Spams, Phishing attempts, links to web sites that will be showing funny/curious videos of events of the games etc. So, I say, “Citius, Altius Fortius”, to all of my colleagues in the IT Security industry, to keep you all safe and for you to enjoy the Games.