We need to monitor information security grifters, too

A new report from the Anti-Phishing Working Group is yet another reminder of the information security threats we all face. This latest publication states that the number of compromised URLs used to distribute malicious code nearly tripled in the 12-month period from July 2007 through July 2008.

This data, along with similar research from McAfee, RSA Security, Symantec, and Trend Micro, demonstrate that the bad guys are taking advantage of the global recession with an increase in attack volume and sophistication. Certainly, security professionals recognize this unsettling trend, and according to ESG Research data, security remains a top IT priority for 2009. Based upon recent activities, it appears the federal government also sees the need for countermeasures.

While insiders seem to see the storm approaching, however, I'm worried about the Internet everyman--"Joe the Online User," if you will. Information security tends to be an esoteric topic sure to bore the pants off friends and neighbors at upcoming holiday parties, but there's more in play than ignorance alone.

I am starting to see a whole bunch of no-name security grifters pitching second-tier products and services with Chicken Little, "the sky is falling" scare tactics. You tend to find these guys are on drive-time radio and entertainment Web sites. I'm not alone in this observation. This week the U.S. District Court in Maryland ordered two fly-by-night companies to stop promoting "scareware" through online advertisements. These pop-up ads would warn Web surfers that their systems had been compromised by viruses, spyware, and even "illegal pornographic content." They were even so brazen as to suggest that users could be investigated or outed as some type of degenerate porn addict. Of course, they were happy to sell you software and services to alleviate the problem.

Unfortunately, there will always be a population of low-down dirtbags willing to take advantage of people's fears and hardships. After September 11 they pitched gas masks; they sold bottled water for $10 a piece following Hurricane Katrina. Given the cybersecurity activity out there, we are bound to see more and more of these security scams. The difference here is that security con artists are preying on fears that users really don't understand. Consumers may get scammed or become cynical--neither of which is good.

We need a focused effort to pull together as a security community, educate consumers, and push for strict punishment of these flimflammers. If not, things can only get worse.

[skswave]

We need a new paradigm for securing everyone's access to web services and we need to look back to find it. In the late 1980's there was this cool new device called a cellphone. It was big and you could use it to defend youself in NY but it had a systemic flaw. The flaw was that on the FDR drive in NY there were hackers with radioshack equipment that could steal your phone account and then make calls on your account. The industry response was a modification to the Cell phone architecture to require a Password for every long distance call. This password would be required after you heard the BEEP BEEP tone and could be auto-entered by pressing send a second time. This Consumer risk and service failure was then eliminated in the transition to digital handsets. Every phone got a security chip that used Cryptography to secure the phone to the network and Vitually eliminated the stealing of phone accounts.

Today we have the opportunity to ask every internet service provider to do the same. Enroll our PCs with a hardware security chip on the motherboard. The chip is already shipping. Over 300 million PCs now have a TPM but the service providers have not invested in their side of supporting the technology. We need to Demand that they support hardware security on the PC and we need to ask goverment for regulations if they do not. Registering your PC with a service provider is not complicated or difficult and will dramatically reduce our reliance on USERID and PW as the core authentication mechanism.

We do not have to be vunerable, It is not all microsofts problem, The service providers who want our loyalty should protect our Identities and enable us as users to leverage the security tools we already own!!


Steven Sprague
CEO
Wave Systems Corp

[pgp_protector]

Why the (*$$

[pgp_protector]

An EDIT Feature would be nice.
But I want to know why would I need to register a PC That i Built with anyone ?

[BarkerDigital]

<sarcasm> And I'm sure since you and your firm stand nothing to gain from all this yours is an unbiased opinion. </sarcasm> Are you seriously suggesting that if I take my notebook to a friend's house I shouldn't be able to access the Internet since it's not registered with his ISP?

And by the way, I'm not the least bit worried about my supposed 'vulnerability.' I use best practices for safe surfing - beyond that I have bigger things to worry about.

[Penguinisto]

I already have a "new paradigm" for securing my "access to the web", thanks. It's called Linux. And - wait! I have another one as well - it's called a Macintosh. They're both bound by... well whaddya know - a home firewall.

Screw your chip. *I* own these machines, not you. I will gladly hazard the risks in exchange for that freedom.

"We do not have to be vunerable"

I'm not vulnerable. Kindly take your fear-mongering and choke on it, please.

"It is not all microsofts problem"

True - they only own the vast majority of the problem.

"The service providers who want our loyalty should protect our Identities"

No - the service provider who gives me a solid, fast connection at a fair value will get my loyalty. Anything else is pure intrusion on their part. I'll protect my identity on my own, thanks much.

"...to leverage the security tools we already own!"

I already do that just fine, thanks. I don't need or want your help in doing so.

Now kindly take your spam and bugger off, please.

/P

[tm_anon]

If I live in an apartment and, every day while I'm at work, someone else is coming into my place of residence, checking my mail, using my power, using my water, I would bring this to my landlord and the problem would be monitored and resolved. If my landlord could see directly into my apartment and was not stopping the person from using my rented property, I would refuse payment and the law would be on my side. However, even though I am renting my current IP address, I have no faith that the same can be said for my ISP. Even if my address is used illegally and I bring this to the attention of my ISP, they can legally say that it is my own problem and not theirs. I would switch, but every ISP I am currently aware of treats customers in the same way. Until rental law has been changed to include services as well as actual physical property, consumers who are tied to those services in ever increasing numbers are unable to have any legal recourse.

[frasercrane]

It appears from your knowledge of the law relating to apartments, you've never lived in one. Your landlord has only to provide you with a dwelling that is reasonably secure--lock and key and adequate door. If you leave your door unlocked (you never said anything about securing your residence), if you give your key(s) to others, if you experience constant break-ins in spite of lock, key and adequate door AND you do nothing more but expect your landlord to monitor your situation...you are not living in the real world. It is up to you--knowing that you are constantly being burglarized--to add greater security (more locks, don't give out keys, etc.) and then if necessary, contact the cops. If you refuse to pay rent, the law would not be on your side based on your scenario and you'd be out on the street for non-payment. Then, to make matters worse, you try to tie in "rental" law with Internet law? Apples and oranges. Did you take a paralegal course, or something?

IMHO, an ISP (A), unless it provides the means for the various malicious attacks, does not owe anything to its subscribers. If an ISP(A) is the base of operations for malicious acts, the subscribers to ISP (B) could get the government to go after the bad guys using ISP (A) but ISP B subscribers can do nothing on their own to ISP A...as far as I know.

[SenorFrog]

Forget about this hardware security chip. It's another half-baked solution to a problem that needs to be fixed at the root. One day, when we've actually transitioned to IPv6, we'll have a shot at a very secure internet. Until then, I'll take my chances as is. And as for any loyalty to any ISP, wasn't the world's top spammer located here, in the good ole U.S. of A? What did the ISPs do to stop that crap? Are they going to contact their customers and let them know that their computers are zombies and that they've been infected by a virus that potentially allows access to all their personal and financial data? Why isn't the government forcing them to contact their customers? Loyalty and trust is earned and the ISPs have done nothing to deserve either.