Security Q&A: Your questions answered (Part 1)

Last week we asked you to email us questions to put to our panel of security experts. You duly obliged with a virtual sack-full of emails. The response was so overwhelming we've picked the best questions, put them to the panel and will be running the answers in three separate articles over the coming days.

Here is the first instalment. Click on a question to be directed to the answer:

The Questions:

Q. How can company directors ensure their emails remain private and confidential from the administrator?

Q. Why can't every computer sold to the public have a warning about viruses that appears when it is turned on - much like a health warning on a packet of cigarettes?

Q. Is there a quick and easy way to disable access to USB storage devices?

Q. How would you characterise the threats from within the organisation - particularly those posed by staff?

Q. I have never understood why email is free. This is the root cause of spam. If only a tiny micropayment regime were in place it would be stopped dead. Can you explain?

Q. Cybercrime appears to be becoming a lot more serious for today's businesses. Is it a situation security firms are on top of or is it spiralling out of control?

Q. How do spammers get my email address?

Q. Why have websites where cracks and hacks are available been allowed to operate for years without being shut down?

Q. Why is it most of the spam I get is so obviously spam, yet the email service providers, such as Hotmail, can't nail it as soon as it enters their system?

Q. With the massive increase in spyware, why are antivirus companies not jumping on this opportunity to help us all with a one-stop solution to malware?

Andrew Partridge asks: "How can company directors that have a network administrator with full access rights ensure their emails remain private and confidential from the administrator?"

Mark Morris, head of forensics at LogicaCMG, answers: "We have investigated a case where the managing director had higher privileges on one of the company's servers than the administrator. However, he is currently on bail and this would indicate that the reason behind his privacy was rather improper!

"There are a number of desktop encryption packages available that integrate into mail clients, and of course attachments can be password-protected, but this may in turn cause a problem with filtering or control software. I think it has to be said that if a director is concerned about sensitive data being intercepted or compromised by the network administrator, then this may be a staffing issue as opposed to an IT issue." Back to questions

Roy Evans asks: "Why can't every computer sold to the public have a warning about viruses and porn that appears when it is turned on - much like a health warning on a packet of cigarettes? Surely then every parent is going to become aware of these things very quickly indeed."

Graham Cluley, senior technology consultant at Sophos, answers: "It certainly wouldn't do any harm to have, for instance, a message on boot-up or change your wallpaper to remind you of the dangers that can lurk on the internet. But I wonder if a message which warns you that 'email attachments can seriously damage your PC's health' will soon become as invisible to a PC user as a tobacco warning on a packet of fags is to smokers.

"What's really needed is for everyone to play their part in raising awareness of virus issues. That means not just the antivirus vendors and the PC manufacturers, but also the ISPs and web email providers. How many broadband vendors are really putting enough effort into explaining the importance of a personal firewall and antivirus to their home users right now?" Back to questions

Thomas Janacek asks: "I am wondering if there is a quick and easy way to disable access to USB storage devices. I am concerned that with the large storage available on very small USB devices it is easy to dump a lot of data within a few minutes on such a device without anyone noticing."

Simon Janes, international operations director, ibas, answers: "This is the age-old problem for company security. The same issues apply to CD, DVD and floppy drives. The issue, as highlighted, is that USB devices are easily concealable; they can also now hold substantial amounts of data. You could of course physically disable the USB ports, or through BIOS and then password-protect the BIOS. The problem here is that any acceptable USB device cannot then be used, such as mice and keyboards.

"The most practical response is to ensure that the IT Security and Acceptable use policies are kept up to date and regularly tested. If there is any suspicion that data has been removed from the system illegally then it is important that an investigation is conducted into who removed it, how it was removed and why." Back to questions

James Morgan asks: "How would you characterise the threats from within the organisation - particularly those posed by staff?"

Mark Morris answers: "Staff can become disgruntled for many reasons. A poor appraisal, new working practices or even a takeover can create resentment in a previously dedicated and loyal employee. If one considers that an illegal act has three factors - opportunity, ability and motivation - then it can be seen that a member of staff who already has access to your premises and network can become a very real threat if they decide to damage or steal from the organisation.

"The effective management of your security also covers dealing with staff who, for whatever the reason, are leaving the organisation. We have dealt with some horror stories at our clients, including one company that allowed staff that had just been made redundant to keep their laptops for 3 months, with unrestricted dial-up access to the organisation's network.

"It is difficult to identify the threat sometimes, but the risk is obvious and needs managing, especially during periods of downsizing or restructuring." Back to questions

Peter Excell asks: "I have never understood why email is free - maybe someone could explain? This is the root cause of spam. If only a tiny micropayment regime were in place it would be stopped dead."

Alyn Hockey, director of research, Clearswift, answers: "Micropayment for email has been discussed for years within the internet bodies, however it requires various changes to happen. Firstly a cultural change. As individuals we have become used to sending messages rather than using the phone or writing letters. This communications technology works even better because it is essentially free.

"The second change would be to try to determine just how the system would work in terms of money transactions. If the complex net of bank transactions was to be replicated to deal with the huge mesh of mail servers, who would run it? Maybe you would have to have a central body, but then who would fund it? I guess the people using email, so the cost per message doubles - once for the actual micropayment and the once for the admin fee.

"The last change would be the requirement to change every single piece of email infrastructure on the planet. If you didn't how would you deal with a server that does not send micropayments?" Back to questions

Adam Monks asks: "From the bored kid in his bedroom to organised gangs in Eastern Europe, the problem of cybercrime appears to be becoming a lot more serious for today's businesses. Is it a situation security firms are on top of or is it spiralling out of control?"

Graham Cluley answers: "I think virus writing and hacking are here to stay, but that doesn't mean all hope is lost for businesses trying to defend themselves. Antivirus companies are putting more resources than ever before into developing more sophisticated solutions and tracking new threats as they emerge. Furthermore, common sense steps such as blocking executable code from entering your company from the outside world can dramatically reduce the threat of both current and future viruses." Back to questions

Ashish Gadkari asks: "How do spammers get my email address?"

Paul Wood, chief information analyst at MessageLabs, answers: "Six months ago I'd have suggested that they harvested it from somewhere on the internet, such as a website or newsgroup posting. I would also have advised you to treat it like your phone number and circulate it as sparingly as possible to try to avoid being spammed. Unfortunately, this isn't often the case anymore.

"Much of the spamming software in circulation will not only provide the harvesting tools to collect email addresses from the internet, but also the facility to manufacture email addresses seemingly at random, by combining variations of words, letters and numbers from particular dictionaries.

"Spammers will often select a few target domains and then buy up capacity on 'bot-nets' - networks of virus-infected home broadband machines, often controlled by criminal gangs. These mercenary zombies can be hired for as little as $60 for six hours, or $2,000 per week. These bot-nets provide enough combined computing power and bandwidth for them to be able to spam almost every email address imaginable. For example, if they pick mydomain.com they will likely be able to spam every combination of letters and numbers @mydomain.com." Back to questions

Liam Devaney asks: "Anyone with a modicum of understanding of the web can easily identify websites where cracks and illegal software are available for easy download. My question is why have these sites been allowed to operate for years without being shut down?"

Mark Morris answers: "The multi-jurisdictional and global reach of the internet is both its good side and its bad. The opportunity that is afforded to human rights and free speech will always project a shadow in which those with less good intentions may lurk.

"One of the vicissitudes of life on the internet is the lack of physical association between an individual and the server hosting a website. Indeed, the two may be many miles apart. In addition, the ease with which a site can be moved or mirrored can lead law enforcement on a dance.

"Even supposing the offence alleged is also an offence in the country where the site or suspect is residing, the likely cost of the investigation can place it down the list of policing priorities.

"However, do not be too despondent, in recent years there have been a number of arrests and convictions of hackers and virus writers, although there will always be a ready supply of misguided teenagers trying to become the next infamous super-highway bandit. With the proliferation of affordable IT into emerging countries, the computer detective will not be short on new challenges." Back to questions

David Batup asks: "Why is it most of the spam I get is so obviously spam, yet the email service providers, such as Hotmail, can't nail it as soon as it enters their system?"

Alyn Hockey answers: "The spammers do try to make their messages more like the kind of messages that people actually send, typically short and snappy with a meaningful enticement for you to open the message, with normally a single URL for the site/product they are promoting.

"Hotmail does use a number of anti-spam features, but they simply receive so much that the odds of getting a 100 per cent perfect score is in practise very hard to achieve. If you imagine that Hotmail receives in excess of 100 million mails per day, even if they get 99 per cent correctly detected that's still one million messages that get through to the users." Back to questions

Stuart Cooper asks: "With the massive increase in the amount and types of spyware, why are antivirus companies not jumping on this opportunity to help us all protect the corporate environment with a one-stop solution to malware?"

Mike Small, director of security strategy at CA, answers: "Good question. This is actually a very hot area at the moment and nearly all the suppliers of desktop protection software are working to include spyware detection in their offering, even as we speak." Back to questions