April 8, 2008 3:51 PM PDT

Who trumps bin Laden as a cyberthreat? Look in the mirror

by Charles Cooper

SAN FRANCISCO--It turns out al-Qaida's leader and his cohorts aren't the biggest threat to our cybersecurity. You are.

Six years ago, Osama bin Laden represented the nightmare scenario for the computer security establishment. But more immediate cyberdangers lurk on the horizon. Experts attending the RSA conference that began here today say it's you--Mr. & Mrs. Computer User--who keep goofing up.

In fact, they contend, the future of cybersecurity hinges less on a latter-day version of spy-versus-spy against shadowy terror groups than on a more serious effort to instill best practices. Listening to their warnings was something akin to the scene in the movie Groundhog Day, where Bill Murray repeatedly wakes up to the same morning.

Security gurus have long urged the business world to turn network security into part of the corporate DNA. The message is not fully getting through. And now we're seeing the predictable results.

After listening to Symantec's John Thompson's morning keynote, I later kidded him about purposely scaring the hell out of people. He was a good sport about my joshing but pointed out that the information security landscape is increasingly punctuated by cases of data theft. He backed that up by reciting a litany of worrisome stats from his company's latest Internet security threat report. Truth be told, it makes for grim reading.

Symantec CEO John Thompson (Credit: Charles Cooper/CNET News.com)

Among the report's highlights:

• 65% of the new code being released into the market is malicious.

• The U.S. was the top country of attack origin in the second half of 2007.

• The education sector accounted for 24 percent of data breaches that could lead to identity theft.

• Government was the top sector for identities exposed, accounting for 60 percent of the total.

• Theft or computer loss resulted in the most data breaches that could lead to identity theft.

• The United States had the most bot-infected computers worldwide.

If the statistics are accurate, rank-and-file computer users are far from internalizing the security mantra. What's more, the findings suggest it will be quite some time before most people treat computer security as more than an afterthought. In the meantime, of course, Thompson didn't preclude the possibility of a terror or state-based organization launching a big cyber attack. But he believes the more likely danger to the nation's infrastructure will emanate from a different quarter.

"The threat landscape has changed," he said. "When people used to talk about the 'Big One,' they were thinking about that in the context of an attack on the infrastructure itself. That's still possible but less probable today because attackers have shifted to the information itself. They're much more stealth-like. Before, they wanted to become obnoxiously visible. Now they don't. They want to quietly penetrate defenses so they can sell what they steal in what's become a growing underground economy."

DHS Secretary Michael Chertoff (Credit: Charles Cooper/CNET News.com)

(He's got a point. Symantec's report found that bank accounts are the most commonly advertised item for sale on underground economy servers, accounting for 22 percent of all activity tracked.)

In years past, Thompson and other computer security executives have pushed the idea of making cyber-security as familiar to most people as the fire prevention campaign underwritten by the government in the 1960s and 1970s. Considering the amount of money Uncle Sam is spending on cyber-security these days, that's a pipedream.

Department of Homeland Security Secretary Michael Chertoff, who also presented a keynote on Tuesday, offered little indication Washington was about to ride to the rescue. In remarks during his prepared speech and subsequent press conference, Chertoff offered a dutiful recitation of what he described as the President's interest in shoring up the nation's digital security.

But despite Chertoff's repeated commitment to doing the right thing - including a call to arms inviting Silicon Valley's best and brightest technologists to come to Washington to work on cyber-security - I wonder how many industry skeptics he'll win over. Until recently, DHS couldn't get a cyber-security director to stay in what essentially was a figurehead job much longer than a year. Off-the-record interviews with people familiar with the goings-on there have described the situation to me as a bureaucratic mess.

DHS finally staffed up by putting in Greg Garcia, a former official with the Information Technology Association of America trade organization, as assistant secretary for cybersecurity and telecommunications. More recently, Rod Beckstrom, an author and entrepreneur best-known for starting business collaboration software maker Twiki.net, was in charge of directing a national cybersecurity center that operates inside DHS.

Give Chertoff credit for being candid about where DHS has come up short. He said the government needs to reduce its (literally) thousands of network access points to around 50. At the same time, Chertoff wants his department to detect and analyze computer anomalies faster. A big part of that will involve a revamp of U.S. CERT's early warning system.

"Even giving an adversary one bite at the apple before we've figured out the meta data or (digital) signature is one bite too many," he said.

In the end, however, money talks and you-know-what walks. The feds only have a $115 million budget to work with. Chertoff's department has requested $192 million for the new fiscal year but that's still doing it on the cheap. By comparison, we spend $720 million in Iraq each day.

Charles Cooper has covered technology and business for more than 25 years. Before joining CNET News, he worked at the Associated Press, Computer & Software News, Computer Shopper, PC Week, and ZDNet.
25 Comments
by jnnj April 8, 2008 7:58 PM PDT
People want me to relive groundhog day---well, for me, this does not happen. You can try and make it happen for me, but, I am getting old, and pay no heed. After what I essentially said in the bank today---reflecting this article---with a bystander saying under his breath something about me changing the world-----no, I don't want to do that, just listen. Because what I say is right. Don't say I am dumb, then, repeat what I say for yourselves as something smart. Are you people screwed up? Probably.....
by cyberbian April 8, 2008 9:16 PM PDT
I could not have expressed the problem any better than JnnJ above has so powerfully communicated it.

The computer industry is responsible for the majority of software code produced.
Yet they seem to be blaming the people for the result, and making a tidy stipend in so doing.

Consider who has built the system with so many vulnerabilities and has so eloquently communicated the methods and importance of security to the public.

Here is a hint: when my mother in her 80s sees alarm messages from her antivirus telling her she may be vulnerable, she goes into a panic! The software autoupdates but the committee which designed the interface just felt the irresistible need to keep the user constantly aware of its importance. I had to uninstall the top of the line security package I bought for her. I will not mention Symantec's name as the author of that fine package.

Why is it that only social engineers seem to engineer with consideration of public needs and behaviors?
by sysopdr April 9, 2008 8:05 AM PDT
Yes, MS and others could do a better job of making their software less buggy, and I do not agree with the author's pointing the finger at the user. They just want to send email and read stuff on the web.
The real problem is the virus writers and the scammers. Let's not lose sight of the real problem and start blaming all the wrong people.
by GhostAlph April 9, 2008 9:08 AM PDT
LOL "Pointing the finger at the user"...
NO ONE is saying that the user is SOLELY to blame...but what IS being said is:
TAKE RESPONSIBILITY FOR YOUR OWN SECURITY.

Damn, how hard is that to understand??
by Kori42 April 10, 2008 8:16 AM PDT
I agree with cyberbian - there are so many panic messages that the user just ignores all of them. Same with MS software -> "This file may contain dangerous code. Are you sure you want to run it?"

All these spurious "Danger" messages do is to get people to ignore all messages. What else can they do? Turn off the machine?
by knack4 April 9, 2008 3:50 AM PDT
Never forget that Symantec is the source of a lot of this doomsaying. Symantec doesn't profit from security, they profit from fostering FEAR of INsecurity. Look to other more objective sources for a clear and unbiased picture of the real scene. The same can be said for a large proportion of the sources for this article. That said, it is a fact that individual computer users, by engaging in foolish insecurity and by tolerating their own machines' infestations, are a huge factor in the Net's security problems. Get and keep control of your machines, people!
by captain12pack April 9, 2008 6:38 AM PDT
No love for Symantec from me - I use NOD32 from ESET.

But what's with the "65% of the new code being released into the market is malicious" comment? Is Thompson arguing that most developers are trying to **** up their users? Sounds like FUD to me.
by quarky42 April 9, 2008 6:40 AM PDT
I have 0% respect for anything coming out of Symantec in the way of Antivirus/Security. That is because their latest Symantec Corporate Antivirus failed to prevent or even detect a virus on a computer that I provide support for. When I got to the computer I found that it was running very poorly. After several antispyware and other antivirus products I was able to identify the virus and clean out the infection using automatic and manual methods.

If the latest Symantec product can't even detect a virus that had been around for weeks, then I have absolutely no use for the product. It is a waste of resources. The user I was supporting would have been better off doing an antivirus scan online through one of the free services a couple times a year instead or by using an open source antivirus product (ClamAVWin)
by Rasputynne April 9, 2008 6:53 AM PDT
Society is REALLY screwed up. In the next few days tens of millions of taxpayers will be e-filing their tax returns...if you buy one of the 2 commercially available tax software packages you have no alternative but to e-file, or at any rate download the updates over the internet. Don't tell me that these two companies are forcing people to put their information on the IT (sorry, that is a Bushism)...I strongly suspect they have a backdoor by which they are gathering information on people, which in the past ONLY uncle samme had access to! Why is no one screaming about such practices??? That is because I suspect that most people who recognize the danger don't have much money, but those with plenty of money aren't smart enough...back again to our quality of education...
by ralfthedog April 9, 2008 8:13 AM PDT
Sorry, but those who have lots of money don't use "Commercially available tax software." If you pay one Million in taxes, you pay a very skilled human to do the work for you.
by GhostAlph April 9, 2008 9:10 AM PDT
Actually, I DO use "commercially available tax software" - but thanks for the stereotype.
by inachu April 9, 2008 7:03 AM PDT
The truth of this in fact is: Neocons

They intercept police, FBI, CIA radio signals and if any of them try to investigate the interception then their jobs are on the line. Why? Neocons in USA govt.
by Kori42 April 10, 2008 8:09 AM PDT
I'm a Neocon! Stop telling everyone what I'm doing!!
by bryanwalker April 9, 2008 7:21 AM PDT
Personally, I believe the crappy code being created is a DIRECT result of globalization! Take Adobe for example, back in "The Day" Adobe wrote killer apps, all written right here in the good ole' USA...today, a very high percentage of Adobe is written in India and their current releases of their popular apps royally suck! Adobe is just one of many, many software companies who sell us expensive software written by foreigners who possess a different set of values and a different culture than Americans and the result is crappy software!
Globalization is good for these third world countries, but it sucks for us Americans, not only does it take OUR good jobs, it leaves us with crappy code and increases our security risks by utilizing their crappy application!
Bring the coding back home and I can guarantee the code will get a lot better & the security risks will diminish!
GLOBALIZATION SUCKS!
by Rasputynne April 9, 2008 11:00 AM PDT
you are partially right about globalization (or should I say, I agree partially with you about...) but let me ask you what you have done about it...when did you last refuse to buy a product that was made overseas. You are possibly aware that a good number of our jobs are now in China, and even if we learned Chinese, there are 5 or more Chinese pros (for each American) ready to take the job for pennies on the dollar. The giant is sleeping and his pajamas are getting taken away while he sleeps.
by russ902 April 9, 2008 7:47 AM PDT
What a load of baloney. I'm supposed to be computer savvy enough to prevent bots, viruses, and trojans from infecting my computer? How?

I'm supposed to only deal with businesses that will protect my personal information from cyber thieves? How?

It is my fault? Not by a long shot!!!

All I want to do is send/receive email, surf the web and make an occasional purchase. The legal folks know of all the problems in the computer world and do nothing. Neither do the legislative folks. They all use the internet the same way I do and face the same hazards I do. Yet they all do nothing. Where is the Sarbanes-Oxley of the computer world?

Should not the folks who write operating systems and browsers be responsible to at least some extent if their product is so fragile that it allows itself to be compromised over and over and over again? A car manufacturer is responsible for defects in the product it sells. Why not the computer folks?

The plain, bald truth of the matter is that the only ones that really care are the ones that can't do anything legally or legislatively about it. Please don't quote Chertoff and Bush about what they are going to do. This has been an ongoing catastrophe for how many years? There are way too many compromised computers out there and the new ones being sold are no better at defending themselves than the ones already out there.

And I (John Q. Public) am responsible? Baloney.
by sysopdr April 9, 2008 8:15 AM PDT
Agreed, the user is not the problem. And the Software companies need to do a better job, but the real problem is the scammers and we need to figure a way to get at them.
Instead we spend our time saying one browser is better than another or an OS is better than another or that the software companies are doing it all wrong.
Comparing software to a car is not a good comparison, as Ford is not responsible if you leave your wallet in your car and someone breaks the window and grabs it. Yes, the car alarm maker should have some responsibility if you have one, the same as a security software company should possibly, but the real problem is that someone broke into your car and stole your credit cards and that is the fault of the person breaking in.
Never blame the victim, all they want to do is surf the net and read email. Blame the thief and go after them. We don't have enough enforcement and prosecution and in the absence of that something else has to be brought in to replace them.
by kyrka April 9, 2008 8:26 AM PDT
Common Sense Rules the Game

The old guard has oft been ridiculed by the Gen-X and later generations, viewed as stiff, unchanging, inflexible and even at times, myopic. The Internet in turn, despite the advantages of so many powerful and innovative technologies, receives the moniker of Wild Wild West. There are truths to be found in both statements and I believe we can consider some great steps toward a more secure information security posture within our organizations if we but change the perspective of each.

We've got to draw a line in the sand.
The line between business and personal use of computer information systems has been blurred by the Internet. We've opened the door to a flood of content from the "everyone" of the Internet, and thousands of semi tractor trailers full of un-inspected cargo cross our border every moment of every day. We've made huge capital investments in technology designed to improve performance, streamline processes and enhance profits, yet they've introduced so very many liabilities.

Least Privilege
This machine was purchased to provide functions X, Y, and Z. All other features and functions should be completely disabled.

It's Their Market Bill, Let Them Have It
We don't need the kitchen sink features that you've thrown into Vista to make us drool. Windows XP is being retired. Many are unhappy about it, particularly in the business owner. It's yet one more semi truck full of cargo we didn't ask for. Our best option, if we're genuinely interested in maintaining control of our own information systems, is to install this new OS with the fewest new options enabled possible. Send a clear message to Redmond that the business market wants their money providing solid business solutions. Folks at home who want eye candy can have all the junk. If they're graphics folks, let them go with a Mac, they've clearly been leading you in that arena for years anyway.

Speed is the Enemy
We're told we have to live on Internet time to compete. This is complete and utter nonsense! This is what lends Suzie to insist her computer absolutely must have the Weather Bug software installed on her employer provided workstation because she uses it on her home computer. Seriously? Why do we allow this sort of behavior? If Suzie can provide a bona-fide business justification for using the software, great, let her have it. The complaint is that forcing her to follow this course of action is too slow, and erodes the advantage technology is to provide. What we enjoy on the other hand is a slowing of feature-creep and its associated security impact on our information system as a whole. The speed at which new functionality that lacks proper validation and testing enters our system, left unchecked, provides huge opportunities for attackers to introduce malicious processes.
by Martial_Artist April 9, 2008 8:42 AM PDT
Charles Cooper wrote "Considering the amount of money Uncle Sam is spending on cyber-security these days, that's a pipedream."

To which the appropriate response is "Maybe, maybe not." If you measure it in terms of the total value of cyber-security line items in the budget, you might believe that it is. If, however, you consider just how much of that total is, to put it into polite terms, being voided from the bladder by the federal bureaucracy, you might come to quite a different conclusion. I am only aware of this because I am currently employed in federal civil service and am in a position to have some appreciation for the magnitude of this excretion at first hand, as well as having been previously employed in a variety of consulting engagements in the private sector.
by GhostAlph April 9, 2008 9:00 AM PDT
Wait, did I just read that right?
First of all, no one saying that the user is "at fault" but what IS being said is:
YOU are responsible for your own security.
As to the sysopdr's comment of "...comparing software to a car is not a good comparison as Ford is not responsible if you leave your wallet in your car and someone breaks the window and grabs it. Yes, the car alarm maker should have some responsibility if you have one..."
WHAT?
So if YOU are too lazy to lock YOUR car and/or set the alarm on YOUR car, how the hell is it the car alarm maker's responsibility? How is YOUR ineptitude and lack of common sense THEIR problem? If you're too lazy to secure your computer (or more to the point, too lazy to learn how or even too lazy (or cheap) to get someone to do it for you), how is that a software company's responsibility?
If someone breaks into your house, what's the first question asked you by the cops?
"Did you lock up?"
If you say "no", there's not a lot they can (or will) do for you, and that...well, that's kinda expected. If you can't keep track of your own crap, there's no reason for anyone else to, either.


As for russ902, he says, "I'm supposed to be computer savvy enough to prevent bots, viruses, and trojans from infecting my computer?"
Yes. Your computer = your responsibility.
"How?"
Maybe read a book or two like the rest of us did.
"I'm supposed to only deal with businesses that will protect my personal information from cyber thieves?"
Maybe not "supposed to" but it's highly recommended.
"How?"
Use a brain cell, or two.
"Is it my fault?"
Is it your fault that there are cybercriminals out there? No. Is it your fault if you leave your computer unsecured? Yeah, that IS your fault.
(oh, and this one's good):
"The legal folks know of all the problems in the computer world and do nothing."
Really? Wow...I work SPECIFICALLY with software designed for law firms and I know firsthand that, unless EVERYONE in the firm is a technological noob, they take ALL MANNER of steps to protect themselves.
And THEN he goes on to say:
"There are way too many compromised computers out there and the new ones being sold are no better at defending themselves than the ones already out there..."
See, that just exemplifies my point - the reason this continues is b/c ppl like him expect everyone else to take care of the problem w/o doing anything himself or taking any responsibility for his own security.
I mean, I'm assuming you lock up your house when you leave or your car when you're not in it...don't you? Oh wait, no - you probably don't - after all, that's not YOUR responsibility, that's the alarm company's bag to hold.
by disagreeabletoday April 9, 2008 9:38 AM PDT
Typical scare tactics from someone running a company paid to "protect" us from ourselves. This is all hogwash. The problem is with companies like his, and Microsoft, that put out shoddy products, shoddy code, and have it in use before it is ever tried and tested, and is thusly so easily thwarted. Theft of identities usually happens because the people that have access can't be trusted, and / or there was no oversight. Or stupidity. Don't buy what this guy is selling ... literally and figuratively....
by mikemiracle April 9, 2008 10:10 AM PDT
Puleeeeze. We know that PC's have been a boon to the entertainment of kids for video games since War Craft was networkable over IPX. (my start in networking ;)).

I knew at that time that opening a PC up over a then blazing fast 28 or 56k would be a compromise waiting to happen, and no one at my Software Company would listen or say gee, the sky is falling.

Then with aplomb the computer industry, while driving the biggest money machine on the market in the 90's got its way where ever it went. We were sold defective equipment and sometimes refunded, we were sold defective software and told that if we opened it we bought it without any return, we were told we would get rebates for floppies etc. that would mysteriously get lost in the mail and would only be paid if you could somehow come up with ANOTHER original receipt to send. And we were told that if that software somehow melted my PC it is not their fault.

What a cushy business model, no wonder Bill is filthy rich, him and his ilk.

What we knew was this: The PC was NOT ready for prime time and neither were its users.
What we knew also was that it was being pushed on us as the new way to do business while the perpetrators were fully aware of its inherent weaknesses.

Blinded by record profits in getting their business done quickly and now by our underpaid counterparts in politically and environmentally irresponsible countries; the lure was too great.

Someone has to pay for this foolish foray into insecure transactions and the guys with the money taken from us are not about to stand up and say yes we rushed this to market and yes it is not ready for full blown financial/business/personal use without serious risk.

If we were to be fair we should ask for and get a BIG WARNING LABEL on each PC that says: If you are inexperienced with PC's etc. please do not connect to the internet until you have obtained some sort of training in how to protect your financial data and behavior of PC's. This warning would kill the market or at least make their bottom line suffer because Bobby and Judy would not just buy their DELL/Gateway/HP/IBM Laptop and hook it up to go shopping at AMAZON/EBAY/Overstock/etc..

Consequently, it is our fault for believing that our taxes are being paid to someone that would protect us from this instead of throwing us to the lions for profit.

Our food, Our jobs, Our country have all been sold to the highest bidder while we pay the way with our taxes. We are no longer protected by this regime, we are blamed like the Osama of the west.

thank you
Miracle Mike
by jackfrostx April 9, 2008 10:53 AM PDT
>> Who trumps bin Laden as a cyberthreat? Look in the mirror

I don't know who that is I'm looking at ---- But he sure is handsome!
by dmm April 10, 2008 10:45 AM PDT
1. Treat computer hacking as the serious crime that it is. Seize assets and give jail time.
2. Deny MFN status to any country that refuses to cooperate in fighting this crime.
3. Impound compromised PCs; make owner pay for cleansing or else lose the PC.
4. Fine compromised web sites; prosecute operator if it is purposeful.
5. Require all PCs to have an easily-accessed hard-wired "internet on/off" switch.
by dandv June 26, 2008 11:44 PM PDT
"65% of the new code being released into the market is malicious ". That is just outrageous ********.
About Coop's Corner

Charles Cooper has covered technology and business for more than 25 years. A graduate of Queens College and Columbia University, Cooper received the Excellence in Journalism award from the Northern California branch of the Society for Professional Journalists for column writing.
