Monday, 15 September 2008

Who should fight the botnets and rogue sites?

I know a very clever chap in another security business and he posed an interesting question the other day. Who is responsible for protecting companies and individuals against online crime, specifically the threat from botnets? My view is that the answer is rather more complex than it might seem.

The Police? Well yes, clearly they have an important role to play. Which police though. British? American? Belgian? Policing in the real world hasn't fully caught up with the international nature of the internet.

Some have called for more government intervention, though that leaves open the question of which government. Leaving that aside, I can see a role for national action against botnets. Organisations such as the Russian Business Network are able to successfully run phishing sites for months despite all legal attempts to get the operation shut down. Botnet control channels have also been hosted there. Clearly, commercial and civil law are not enough here and political pressure is needed to get action from a government that appears to support such operations. However, imagine a situation where large scale botnets were being run from a failed state that had no government to speak of. To whom would you address such concerns? In such instances, there is a case for border controls on the internet, cutting links with certain ranges of IP addresses or certain types of traffic at the borders. A scary thought in the free world of the web, but there are as many spiders as there are butterflies.

Some have suggested that the operating system and the ISPs should offer more of a solution – block the installation of malware and stop people going to websites that could harm them. The argument is that people don’t have the skills to protect themselves online and someone else has to make the decisions. Well, yes, I see the argument. However, anything that limits the ability of people to use the web should be considered most carefully, not least because people loathe external control and would move to products that offered less protection. The price of liberty is eternal vigilance, if I may quote John Philpot Curran. The controls described above would need to be applied with a light hand.

A senior policeman has suggested that the solution requires a collaboration between industry and the police, and quotes the capture of Al Capone as being largely down to the action of business. There is certainly a lot to be said for this – some of the larger corporates have at least as much power as some of the smaller governments. Of course, companies can’t do this by themselves and have to work with law enforcement and some other... well, governmental agencies. Of course, there are carefully defined if not terribly commonly discussed links between the larger vendors and law enforcement, and there is open co-operation between major vendors to combat the botnets – the Virus Information Alliance for one. The Storm Botnet was heavily trimmed by the Microsoft malicious software removal tool, but you can never kill a decentralised botnet by killing the bots individually. It can only be a population control method. There is also the question of expertise. The police have some very savvy folks, but it is difficult to keep up with what is happening in the industry and the police are always going to be overstretched. Days in court are days when the industry (white hat and black hat alike) moves on. Collaboration with specialists and organisations that cross borders will always be needed, I think. Since I am in that field, I certainly hope that this will always be the case :-)

Some say that user education is the key. People must defend themselves against attack and fraud much as they would in the offline world. Well, yes, again I agree that better security and better user education would help a great deal – after all, what is a company but a lot of people and some buildings? People and organisations have a major role to play in protecting themselves by not clicking on that link, not giving their bank details to the lawyer of the late Mr JOHN ADEMOLA and not buying from SPAM emails. However, the only way to do this is by user education and that is quite the trick with home users. If you are reading this, you are almost certainly pretty computer savvy. Your friends often come to you because their PC has broken again and you fix whatever they have done this time. Have they read any instructions? Nope. Did they read the online help? Nope. Will they resist any attempt to educate them? Yup. A couple of weeks back, I was removing yet another fine crop of malware from a PC – friend of a friend deal. They had got it from a file sharing solution that gave them access to free (if illegal) music, pornographic videos and “free” applications. I explained *again* these things were plague pits of malware and should be treated in much the same way as the free hypodermic syringes found in inner city alleyways. It was clear that I was speaking to deaf ears.

As for business, a lot of businesses still seem to think that putting in a firewall and an antivirus solution means that they have solved the problem. Well, those things help, but when more than three quarters of malware is installed by the legitimate users… well, you haven’t solved the problem yet. Against SPAM and phishing, you have done nothing at all.

I believe so strongly in user education that I will be speaking at some schools on basic self protection online.

So, if all these pieces are in place, will we have won? No more than we have won against conventional crime. Each part of the solution will reduce the impact of online crime but we are stuck with some level of crime. All we can do is choose how much – because the more protection we have, the more it costs and the more limiting it is.

I personally think that the costs of defending ourselves against crime will go up as more and more of the third world has access to the web, because the disparity in living standards and the cost of living will make us such attractive targets. If you steal $300 from me, I will be very annoyed. That is a good chunk of a day’s work after taxes. If you live in Chad, that is 4 months’ income. People will go to a lot more trouble to steal 4 months’ income than you would be willing to expend to protect so little money. It is nearly a month’s income in the Ukraine – still well worth the effort. Oh, and if you were wondering, $300 is 6 months’ income in rural China. Conventional industrial espionage, fraud and extortion haven’t worked over such a distance. With the world wide web… well, distance isn’t a factor any more.

To quote the old Chinese curse, we live in interesting times.

Signing off,

Mark Long, Digital Looking Glass
