By Simon Moores, 21 December 2004 14:50
COMMENT With phishing scams, viruses, worms and hacker attacks on the rise, Simon Moores looks at what can be done to make the internet a safe place to communicate and do business.
I'm annoyed. Over the past weeks, I've been receiving a constant flow W32-Sober virus attacks, ostensibly from the server of an international hotel chain based in Germany.
After several tries, I managed to reach to the head of IT at the hotel and speak to him about the virus attack problems I am having. They are aware of the issue and believe someone has hijacked their domain to spread viruses. It's a huge problem for them and they don't know what to do about it other than respond to angry customers.
Along with angry customers, the damage to brand and reputation remains a concern.
This month, I chaired the first e-Crime Solutions seminar in London. It's a spin-off series from the annual e-Crime Congress and is supported by the National Hi-Tech Crime Unit. If I'm honest, the content gave us very few reasons to be cheerful about 2005. As the police work overtime to identify and convict the people responsible for a growing barrage of internet fraud, extortion and vandalism, for every one suspect arrested, here or abroad, another two appear to be ready and willing to step in and take their place.
To illustrate this growing enthusiasm for online fraud, the Anti-Phishing Working Group reported there were 6,597 new, unique phishing email messages in October 2004, compared to 2,158 such messages in August. According to Gartner, the financial services industry is now feeling the pain. In the year to April 2004 phishing scams cost banks and credit card companies £5.4bn and I would expect this might double by the time the next set of figures are released.
Of increasing concern to businesses are signs of a growing loss of confidence in the internet as a safe transactional medium. Tens of thousands of people may be using the web, as I do, quite safely and happily. But at Christmas thousands more rush out to stores to buy what has become just another home entertainment commodity - the personal computer - and many of them have every reason to worry over plugging in a broadband connection.
A recent series of tests showed that a broadband PC with Windows XP SP1 was compromised in less than four minutes with an average of 341 attacks per hour. Put Windows XP SP2 with a ZoneAlarm firewall on a system and this drops to an average of two break-in attempts per hour, so best upgrade as quickly as possible.
From personal experience, home PC users appear to fall into two categories: those like my father-in-law, who is so worried by the possibility of fraud that he's not going to risk connecting his brand new Hewlett-Packard system to the internet; and those, like my immediate friends, teachers and other professional people, whose machines are so riddled with malware (frequently caused by their teenage children) they have no real idea of what they can do, other than take them to a local dealer who has a healthy business cleaning up the damage.
In February, we will see the launch of Project Endurance, an initiative that brings the UK government, banks, business and industry together in an attempt to educate and inform the consumer on the dangers of life on the broadband superhighway and how best to avoid being infected by a virus or having one's computer turned-into a zombie. Endurance should be welcomed but the very scale of the problem now means that it's two years too late.
Two years ago, I warned government that as many as five per cent of the UK's broadband-connected PCs might be compromised and today I believe the true figure may be well in excess of 10 per cent.
How do you convince millions of people to run the latest antivirus checker on their computers and put a firewall between their computer and the internet?
I don't know but over the past weeks, I've been begging an old friend to check her PC because I'm being battered by regular virus attacks which I suspect are coming from her machine. Last night she responded: "I'm really busy at the moment; no wonder my PC is not working properly. I'm getting all kinds of strange messages and cannot open WWW pages. Next year I'll take care of all!"
If I can't name one friend working outside IT who has a properly working and secure PC, then 2005 may well become the year that many people decide the risks of an online existence are now greater than the benefits. What do you think?
Comments
There are 9 comments. Join the discussion
1. anonymous
Many of my friends have already given up their ISP connections because of mentioned issues.
I use both a PC and two Mac's at home, keep the software up to date, use a router with NAT and the included Firewalls of SP2 and Mac OSX, avoid free software, P2P networks and ISP provided e-mail.
Keeping software and Virus DAT files up to date is now a simple task for users of one or two computers and just requires a little discipline.
I have little or no SPAM, no malware, spyware etc and not a single virus has yet gotten through.
If readers are unable to provide this discipline, the safest route is to buy a Mac and subscribe to a .Mac account for e-mail and a whole bunch of other goodies including Virex which will look out for PC virus files as well as anything Mac specific that come up from time to time. Some of my friends have done so and are amazed at the result and ease of transition. They are also much happier for their children to use a Mac.
If readers make online purchases try to use a bank such as Lloyds TSB who provide secondary on-line personal verification associated with card(s) used (Clicksafe). At a minimum these services will defy fraudsters who use automated techniques and hopefully prevent much else.
PS
(I usually permit the display of my name. In this instance I prefer to be someone else).
2. anonymous
I work in the IT industry securing our office network amongst other duties. In addition I am frequently involved in helping friends out with securing and often cleaning their PCs of viruses etc (Teenagers are the worst offenders in my experience). Although my efforts are a drop in the ocean I see it as a favour to my friends (which most return in some fashion or other) and some protection for me as they all have my email address which spammers could use.
Another problem is educating them to use BCC instead of CC on mass emails to friends. Sadly I am now receiving spam at home which is probably as a result of my address being CC'd to hundreds of their poorly protected friends.
C'est la vie!
In my opinion, ISPs should offer additional spam and email filtering as part of their services. Maybe even user-configured web-based firewalling as well. For a small fee I think a lot of people would go for this. Some ISPs already offer some of these services for free - the firewalling is the trickiest one.
I also wish to remain anonymous!
3. Richard
How will ID Cards help this?
As usual, this Government is going for the wrong target, with the wrong weapons.
Everyday crime and fraud are far more significant to most people, especially now that they have spread worldwide via the Internet and cheap international phone rates.
We badly need a way for individuals to verify the identity of other individuals during phone calls or emails.
The Government's expensive ID card scheme will do nothing to help this because it is designed to help only the State. However it will wreck our liberty.
Parliament really needs to do something useful for once.
4. Mark Hosey
We need firewalls and anti-virus software, sufficient to maintain some minimum acceptable level of security, preinstalled on all new machines. This responsibility is the manufacturers .
We need free updates and upgrades to security software available from all service providers. The software must install easily and automatically.
We need free software with free upgrades and updates for older machines available from all service providers.
Manufacturer of said software must ensure it is user friendly and idiot proof.
Users should be educated about virus's fraud etc via their service provider.
Security should be a part of the service that providers provide. The cost should be covered by service provider charges and it should be legislated for. That is, all service providers must provide a minimum level of security with tutorial pages on relevant aspects of security. (Of course more sophisticated levels of security could be charged for at a premium).
I believe that the service providers and personal computer manufacturers should be made responsible for internet security and that legislation is needed to enforce that responsibility.
5. anonymous
I too work in IT Security and am constantly being asked by friends to sort our their "slow PC" issues.
A full patched machine running a firewall, antivirus and anti-spyware products together with utilities such as Hijack-This almost eliminates all the risks and costs less than £30 a year. However, nearly all the tools available require some technical awareness in order to configure them properly.
Unlike the tarmac highway, the information superhighway is unregulated - you don't need to pass a test before putting your PC on it. Education is the primary tool - but is will need the government, OFCOM, ISPs, and online banks and eTailers to be co-ordinated to deliver it.
Sadly, I can't see it happening.
I'm paranoid like most of the people who work in IT security. Therefore, I too wish to remain anonymous.
6. John Bramble
Re: the mac user,
I of course also use a Mac and have mac.com email address. Purchased my first mac in 1986, have never lost a single file since 1986.
However, as good as this is for us (Mac Users) this does nothing for the 95% of the people who believe that they have to use a PC.
So, after several years of research and experiments. After following thru and developing a full proof mod (antiviruse combined with online backup) on current computers, which would require some input from the subscriber. http://the-datavault.com
But that is last years news.
ToDay's news:
I have created a mod of the hardware that will simply prevent the computer from getting a Virus, Worm and/or spyware problems etc.
Yes, the software needed to run a business is now safe period.
Each companies cost for startup is in the low 4 figures, NO worms, No Virus.
Bullet Proof.
All PC's are normal priced and With the plans provided to member firms, are available even from local suppliers.
7. anonymous
I have worked in IT so I am not really a good test case. However, I had only a virus checker on my own machine, which is on broadband. I became concerned about whether the virus checker was enough and installed a firewall package.
The moment I could see the incoming traffic I was shocked by the amount of attempted contacts. Without a word of exaggeration there were ten a minute during some minutes. Trying to view the list was impossible because each new call took you back to the top- I ended up reversing the sort order just to view it.
Once the firewall had been in place a few days the contacts dropped off - probably they are now down to one every three minutes. There are still some very sinister ones amongst them - PCAnywhere as an example. Does anybody know a valid reason for PCAnywhere to be trying to log on to a strange computer?
There is a paradox here. You only see how bad the situation is after you have done something about it. There really is no-one trying to convince the general public of these dangers, so it will not get better in a hurry.
8. Steve Wind-Mozley
A radical solution?
As many banks, retailers and other industries now rightly view the internet as a cost effective place to migrate business transactions to, it would seem to make sense that they treat security online in the same way that they treat it off line.
Stroll into your local bank, shopping mall or trade fair - chances are the commercial organisations running the venue have provided some sort of access control, security guards, CCTV and scanners. All this serves to protect the business and the customer.
Online, steps like Endurance are to be welcomed, but accelerated. The "online" industry should be working with government agencies to provide free anti-malware for their customers and offsetting the cost against the current fraud losses.
If I where a customer presented with the choice of better rates and prices online because I had installed a free firewall and virus scanner, or higher rates and prices if I remained unprotected, I know what I'd choose. Do you?
9. anonymous
Yes, I fix a lot of friends machines too; I work in IT and have lost count of how many evening I have spent sorting out technical problems and the odd virus on friends machines. This evening I am giving a talk (along with two IT business friends) at our local church about internet security, hacking and virus protection. If it goes well, we are considereing offering to give the talk at local schools in the evenings to inform parents about what their kids may be doing on the home PC. The problem is how to teach people enough in one evening without totally overloading them!