Listen to this article
The case of Gary McKinnon illustrates that computer crime is an international problem.
Mr McKinnon, 39, appeared before a court in London this month, accused of hacking into computer systems run by the US military and Nasa in 2001 and 2002. He will return to court on July 27, where he faces extradition to the US. The US authorities claim that his actions cost them $1m.
His case, however, is unusual: few hackers face criminal proceedings, let alone extradition. Often, companies that fall victim to cyber crime prefer to avoid the negative publicity that a prosecution would bring.
None the less, the threat posed to businesses by hackers and cyber-criminals is a significant one. Estimates by Symantec’s Security Response Lab suggest that the number of mass e-mailer and “blended” threats increased by 400 per cent last year. Symantec’s labs receive between 200,000 and 250,000 submissions of suspect code from customers every month.
Businesses, though, need to be wary of letting the fear of cyber crime act as a barrier to technological innovation. According to Gartner, the technology market research company, the risks associated with a number of new technologies are being greatly exaggerated. In turn, this is deterring companies from using innovations that could help them enter new markets, or help them become more efficient.
Gartner researchers John Pescatore and Lawrence Orans have identified five “over-hyped” threats: voice over internet protocol; mobile malware; Warhol worms that make the internet unreliable for traffic – named because they give their designer their 15 minutes of fame; regulatory compliance and mobile hotspots. In each case, the hype surrounding the threat is not backed up by reality, the researchers say.
■IP telephony is unsafe: Gartner says that security attacks on internet-based phone systems are still very rare. “There have been a number of articles in the trade press about evesdropping on IP calls, but that is highly unlikely,” says Mr Orans.
Listening in on a voice over IP call means having access to the local area network, either because they are physically in the building or because they have hacked into the local area network.
“It is unnerving to think of someone listening in, but of course they could also snoop on e-mails,” says Mr Orans. Moreover, the hacks that allow a criminal to evesdrop on an IP call, usually by spoofing an IP address, are detectable. Picking up a wiretap on an analogue office phone system is rather harder.
■Mobile malware will cause widespread damage: With the number of mobile phones in use worldwide heading towards 2bn, the potential impact of mobile malware could be enormous. But mobile anti-virus and anti-malware software represents a huge opportunity for the anti-virus industry.
Mr Pescatore says that developing software for mobile devices is a way for these companies to gain sales outside a PC market that is now relatively flat.
But chief information would be wrong to invest heavily in local, mobile antivirus software, Gartner says. The number of smart phones and GPRS-connected PDAs – considered the most vulnerable devices to PC-style malware – remains small. Gartner estimates that just three per cent of consumers and knowledge workers have such devices. The smartphone market is also fragmented: researchers do not expect to see a large increase in malware unless one software platform accounts for half the market.
Gartner argues that the best place to deal with mobile malware threats is in the network, not on the device itself. Furthermore, CIOs should demand that their wireless providers offer such protection. In the meantime, the malware risk should not deter companies from deploying smartphones.
■Warhol worms will make the internet unreliable for business traffic: “This is an example of where you don’t want to delay or can a project because of an overhyped threat,” cautions Mr Orans. “We have seen examples, such as the SQL slammer that infected computers every eight and a half seconds and did most of its damage in the first 10 minutes. But even then, the internet didn’t collapse.”
Gartner says that there have been no live Warhol worm outbreaks since. Companies should continue to switch their wide area network traffic from private circuits such as MPLS and frame relay to internet VPNs, with the switch driven by lower costs and greater flexibility. “Don’t stay away from the net for business purposes,” says Mr Orans. “There were problems a few years ago, but we now know how to respond to threats and how to take appropriate precautions.”
■Regulatory compliance equals security: Gartner sees the pressure to spend on regulatory compliance as a potential problem for companies, because compliance with legislation – such as the US Sarbanes-Oxley Act – does not automatically equate to better security. Companies risk looking at compliance as an IT security issue when in reality it has more to do with how the company is run. “Regulation oftentimes leads to increased reporting, but that is not the same as increased security,” cautions Mr Orans. He points out that Senator Paul Sarbanes himself has criticised the way some companies use the Act as a scapegoat for all manner of IT problems.
Regulations, Gartner says, will only rarely address the detail of how IT works, and will also reflect reality only at the point when legislation was drafted. In practice, IT security threats are constantly changing. “Focus on building a secure system and then document the process to show regulatory compliance,” advises Mr Orans.
■Wireless hotspots are unsafe: Some wireless hotspots are undoubtedly unsafe, the report’s authors concede. But this is not news. Threats such as spoof hotspots, used by hackers to collect personal information, have been around some time. It is only when someone coins a neat name for the phenomenon that the threat makes the headlines and moves up the corporate agenda. In this case, “evil twins’ trips off the tongue far more easily than “spoof wireless hotspot”.
Corporate users can protect themselves, by using VPN technologies and hotspots that support encryption and the 802.11x security standard. “Businesses want to encourage people to use hotspots, but to use them smartly,” says Mr Orans. In short, don’t believe the hype.