Sometimes, anti-virus vendors are accused of crying wolf: they rush out press releases about the latest highly destructive virus, which quickly turns out to have affected almost no-one. The recent VBS/SST-B (a minor variant of VBS/SST-A, better known as the Anna Kournikova worm) and W32.Naked@mm (the “Naked Wife Trojan”) are examples of this. The press are quick to follow up on such releases; massive virus outbreaks bringing businesses and countries to their knees are good copy. Users get tired of the repetitious warnings, until they fall victim to a real epidemic, such as Melissa or LoveLetter.
Here I must declare my own interest: I am somewhat in the middle of all this. My company distributes anti-virus software, and we send out press releases in Hong Kong; sometimes the press call me, sometimes they even quote me. Therefore it would be unfair for me to point an accusing finger, so I will not be naming companies in my examples; you should judge your suppliers’ actions yourself.
Anti-virus developers have, to some extent, a split personality. There are the techies, who analyse and deal with the new viruses – their concern is to serve the company by giving the customers the protection they paid for. Then there are the marketers – their concern is to serve the company by getting the maximum favourable publicity. When a new threat is discovered, particularly if it has the capability to spread very fast, they both want to get a warning press release out as quickly as possible.
However, in some companies, the marketers appear to have a bit too much influence. If things are quiet, they will release a warning about a months-old virus that is no longer causing problems. Or they release a warning about a virus that, for technical or social reasons, clearly will not spread very far or fast. Even worse, some have issued warnings about viruses that no one else could confirm even existed.
Some cases are less clear – at one point, reliable statistics from one vendor showed that VBS/SST-A (the “Anna Kournikova worm”) was spreading twice as fast as LoveLetter, so a major alert was justified. Only hindsight could show us it would be less successful overall. However, some companies also made a worldwide press release for VBS/SST-B, even though its German message made it unlikely to spread outside of German-speaking countries.
Good Security is Boring
System administrators and information security staff have a similar problem to anti-virus vendors when trying to get the message out to users. So much of computer security depends on users, from choosing good passwords to not indiscriminately clicking on email attachments, but the message is not exciting. I can think of any number of films where breaking a security system, or a security system failing, has been a central feature of the plot, but none which prominently feature a successful security system. The reason is obvious: successful security is boring – you take care of all the tedious details, and nothing happens, no dramatic break-ins, no chases, no explosions.
Therefore, the big security failure is often the only chance we have to get the message to users and managers. Managers are the more important target: to be effective, the security culture of an organisation has to come from the top. Use the statistics from vendor press releases and internal organisation data to present how much money good security is, or could be, saving. But avoid the hype which can undermine your case – LoveLetter was certainly a major, worldwide incident, but the figure of US$10 billion for damages is highly speculative.
Government Attention
Information Security has been getting quite a lot of Government attention in Hong Kong recently: this includes HKCERT, Hongkong Post CA, expansion of the Police Computer Crime Unit, plans for a Smart ID card, and a recent Interdepartmental Report on Computer Related Crime. Some of these are reflections of changes and initiatives in other parts of the world – the report recommends some legislation similar to that in the USA and UK.
Time for Forgetting
One of these legal recommendations is to jail people for forgetting their passwords! This is probably the dream of all systems administrators and helpdesk staff. In fact, this is broadly similar to the UK Regulation of Investigatory Powers (RIP) bill discussed previously in this column. Lawyers may debate the “reversal of the burden of proof”, but it is easier to understand that jail or a large fine for a memory lapse at the wrong time is excessive. There are even worse possibilities; it makes a criminal record an advantage. We all know about public key cryptography: you publish a public key, and then anyone can send you messages that only you can decrypt. Someone who received an encrypted file from a known criminal might be required to decrypt it, but suppose it was not encrypted using one of your public keys? There is no way to prove that you do not have a key to decrypt a file. Therefore a criminal could blackmail you by threatening to send you a file that you cannot decrypt. I think it is a bad idea to make a law that opens up such an opportunity for criminals.
HKCERT
The Hong Kong Computer Emergency Response Team was launched at the end of February with HK$10.7 million from the government's Innovation and Technology Fund and will be operated by the Hong Kong Productivity Council. Similar to CERTs in other countries, the organization's mission is to collect information relating to computer security, such as the latest viruses, security weaknesses and counter-measures, and disseminate it to the public. It will focus on the needs of the small and medium-sized enterprises (SMEs), which make up over 90% of the companies in Hong Kong.
It is absolutely necessary to have a CERT in major IT centres; it provides a vital coordination role and will act as a trusted source of information and alerts for the Internet-using public and organizations. This move fits well with the Government’s plans to make Hong Kong a regional IT hub. Large organizations can also form CERTs for their internal needs.
Port Scanning
Anyone who runs a firewall, or personal firewall software, will be familiar with port scanning: crackers using programs to attempt to connect to many services on a computer, or to a service on many computers. We can compare this to a criminal who walks down a line of parked cars, trying every door-handle – he’s looking for one that is open and can be robbed. The problem on the Internet is that, even though legislation in many countries makes unauthorized access to a computer a crime, attempting to connect and failing, or “casing the joint”, is not. We see the firewall logs where he fails, but we do not see where he succeeds. Even though the attempts are failing, a cleverer cracker can use the sheer volume of the log files to try to hide the successful attacks.
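The last point above, that the failed attempts in the log can drown out the one that succeeded, is the reason a firewall log should be read per source rather than line by line. The following Python script is an added example, not code from the original column or from any product it mentions: it parses a small set of constructed, iptables-style DROP/ACCEPT lines (the addresses and timestamps are made up for the example), flags any source that was dropped on several distinct ports as a scanner, and then lists the accepted connections from exactly those sources, which are the lines worth investigating.

```python
"""Added example: find the scanner in a firewall log, then find where it got in.

The log format and every entry in SAMPLE_LOG are constructed for this example,
loosely modelled on iptables-style kernel log lines; they are not real logs.
"""
import re
from collections import defaultdict

# Constructed sample: 198.51.100.7 probes many ports and is dropped each time,
# with a single ACCEPT on port 22 buried in the noise. 192.0.2.44 is an
# ordinary client that was dropped once, which should not be flagged.
SAMPLE_LOG = """\
Mar 12 02:14:01 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP DPT=21
Mar 12 02:14:01 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP DPT=23
Mar 12 02:14:02 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP DPT=25
Mar 12 02:14:02 fw kernel: ACCEPT IN=eth0 SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP DPT=22
Mar 12 02:14:03 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP DPT=80
Mar 12 02:14:03 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP DPT=110
Mar 12 02:14:04 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP DPT=143
Mar 12 02:14:04 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP DPT=443
Mar 12 02:14:05 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP DPT=3389
Mar 12 02:15:10 fw kernel: ACCEPT IN=eth0 SRC=192.0.2.44 DST=203.0.113.10 PROTO=TCP DPT=443
Mar 12 02:15:11 fw kernel: DROP IN=eth0 SRC=192.0.2.44 DST=203.0.113.10 PROTO=TCP DPT=8080
"""

# Pull out the verdict, the source address and the destination port from a line.
LINE_RE = re.compile(r"(?P<action>DROP|ACCEPT) .*?SRC=(?P<src>\S+) .*?DPT=(?P<dpt>\d+)")


def parse(log_text):
    """Yield (action, src, dst_port) for every line the regex recognises."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("action"), m.group("src"), int(m.group("dpt"))


def find_scanners(events, min_ports=5):
    """A source dropped on at least `min_ports` distinct ports is treated as a scanner.

    The threshold is a tunable assumption; a legitimate client rarely touches
    many different closed ports on one host.
    """
    dropped_ports = defaultdict(set)
    for action, src, dpt in events:
        if action == "DROP":
            dropped_ports[src].add(dpt)
    return {src for src, ports in dropped_ports.items() if len(ports) >= min_ports}


def accepted_from_scanners(log_text, min_ports=5):
    """Map each scanning source to the ports on which the firewall ACCEPTed it.

    These are the successes hidden among the failures: the few lines that
    deserve a closer look on the destination host.
    """
    events = list(parse(log_text))
    scanners = find_scanners(events, min_ports)
    hits = defaultdict(list)
    for action, src, dpt in events:
        if action == "ACCEPT" and src in scanners:
            hits[src].append(dpt)
    return dict(hits)


if __name__ == "__main__":
    for src, ports in accepted_from_scanners(SAMPLE_LOG).items():
        print(f"scanner {src} was ACCEPTed on port(s) {ports}; check that host")
```

Run against the sample, the script reports only 198.51.100.7 on port 22; the second address is accepted on 443 but never scanned, so it stays out of the report. On a real log the same two passes (count distinct dropped ports per source, then filter the accepts) can be done with the firewall's own reporting tools; the point is the ordering, not this particular script.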
I think it would be useful to make port and host scanning a minor crime, so that the perpetrator’s computer can be searched for further evidence, and so that the Police can use their discretion to impress on “script-kiddies”, and their parents, that they are doing something wrong before they get too deeply involved. Unfortunately, the report on computer related crime did not address this. I would be interested to hear of attempts to address this in other jurisdictions, or opinion on whether it could work.