- Related Stories
-
Cyberattack in Estonia--what it really means
May 29, 2007 -
Kaspersky ships antivirus tool for cell phones
February 13, 2007 -
Phishing overtakes viruses and Trojans
January 30, 2007 -
Securing consumer-friendly smart phones
October 17, 2006 -
Security firms squabble over mobile threats
July 24, 2006 -
Is your cell phone due for an antivirus shot?
February 24, 2006
(continued from previous page)
You're very close to your domestic market. Is it unfortunate that the few reported outbreaks we have seen have been in Finland and it therefore looks like more of a problem to you?
Alkio: In some instances threats are concentrated on some markets, in this case Scandinavia, because that is one of the most mature markets for smart-phone deployments, so there is a logical connection there.
So if we look back in a couple of years' time and it turns out you were right, and all your rivals are offering mobile malware protection, will you feel any criticism you've received was entirely unjust?
Alkio: We are pioneers. You could argue that we started investing too early but I would say it's a great thing--we have gained the competency and have the products up and running.
When it comes to fighting cybercrime, it helps to understand why attacks happen and what motivates the criminals. How much insight do you have into the criminal world?
Alkio: We have some visibility into these communities, particularly when we are working with governments to help them, which we do. If we have information, for example, on a DDoS attack happening and we can see it, we will share that.
And what trends are you seeing?
Alkio: A lot of threats do come from very definite sources and as I have said we are seeing a lot of activity in emerging markets in particular.
But if you are a talented individual born on the West Coast of the U.S., what kind of career opportunities do you have? How about if you are an equally talented individual but you're born in the slums of Sao Paulo or in Siberia? What's the difference in professional and educational opportunities?
And yet what's the common factor? Access to the Internet.
So the picture you're painting is of cybercrime growing for the same reasons many other crimes do--as a result of socioeconomic factors. Do you think governments and law enforcement have failed to realize this and failed to make the connection that cybercrime is like all other crime and something which needs to be targeted with some urgency?
Alkio: Governments need to very proactively ensure ISPs are offering protection to users--that is the first thing governments must do. One of the best ways to solve these issues is through the ISPs.
Governments should also take a very active and strong role. When things actually take place, the proper actions need to be taken to take people to court.
So what measures need to be brought in and what should the penalties be?
Alkio: I'm the wrong person to answer that question but I think all governments need to talk to one another about how they address this problem. And all governments need to look at this with the same weighting.
Given this is a global problem, do you think we could ever see success going to the Chinese government and telling them Western businesses are annoyed at the amount of malicious code coming out of China, or going to the Nigerian government and complaining about scam e-mails? These aren't issues which will resonate as much as their own local issues.
Alkio: It is right to say that different governments are definitely at different stages. A global initiative should be looked into, but who will take the lead? That is a difficult issue. At the EU level there are some very good developments.
You've recommended that ICANN, the Internet domain name body, introduce a new dot-bank top-level domain and make it prohibitively expensive so only legitimate businesses would register it, as a means of tackling phishing. This sparked some criticism because of workarounds criminals would use such as domain spoofing and DNS hacks. Do you still think dot-bank domains are a good idea?
Alkio: We've done the right thing. We've started the discussion and we've raised the level of the discussion and by speaking to financial institutions, we've learned this initiative is one measure which could help.
But you accept it's far from perfect?
Alkio: It's not the silver bullet. It's not the one thing. But there are practical things which would help immediately. If it cost, for example, $50,000 to register a dot-bank domain name, that would already make it more challenging. While this doesn't stop the problem on its own, and while people could still replicate that URL, a further level of education is still required.
Is it worrying that to date the industry has had more discussions about having a dot-sex domain name and a dot-xxx domain name than it has about introducing something such as dot-bank?
Alkio: Yes, it's very worrying. This is why we've brought up this issue. We've now had good discussions with leading financial institutions and this has raised the discussion. Discussions continue with ICANN also.
See more CNET content tagged:
Kimmo Alkio, distributed denial of service, emerging market, F-Secure Corp., threat
9 comments
Join the conversation! Add your comment (Log in or register)
for every security incident that occurs because of a security researcher disclosing information to the public domain, that security researcher should be held accountable.
supplying the bad guys with the tools to carry out the cyber attack should have the same weight as carrying out the cyber attack its self.
we're not saying full disclosure is banned, but what the government should be saying is, if your vulnerability/exploit code/information/tool is used in a cyber attack by someone, then that someone should be jailed or heavily fined as well as the security researcher who originally made it possible for that someone to carry out the cyber attack/security incident in the first place.
it should be the security researcher who decides how critical his disclosure will be and how many security incidents that dislcosure may result in, and its that security researcher who should decide after that if his potential legal position will lead to him being heavily fined or end up in jail or if he decides his disclosure isn't critical then feel happy about making a full disclosure to the public-at-large.
The massive over-spending on IT security is pseudo-comfort for the IT manager (look at how much money I've spent) and for the practitioners of fear, uncertainty and doubt. You're better of buying more than you need because you'll never know when you can be hit. Indeed! The narrow-mindedness of today's end-to-end technology vendors is stupefying and brazen. No technology can assure 100% security. Rule-based technology can't tell you what it missed. Only by examining what happening can you reasonable assess if incidents are held in check or if the wheels are slowly falling off the wagon.
Stop shooting the messengers (technology vendors) and start doing the job you're paid to do...and do it without exceeding your budget year after year.
You act as the digital "enemy" doesn't research their own for exploits.
quote: GOVERNMENT -- should stop information
don't they already
Nor are software vendors.
The security researchers just make vunerabilities public. It doesn't mean they are the first to know about it. By making the public aware of a PRE-EXISTING flaw allows people to take precautions to defend themselves. If a person chooses not to take adequate precautions, that is their problem. Not the government's. Not the researcher's.
You want a 100% safe guarantee? Then unplug your computer and walk away.
Time to stop playing "victim" and take personal responsibility.