VSJ – September 2005 – Sounding Board

Robin Jones plans a major heist…

In one of the ‘Saint’ books, Leslie Charteris’ hero says “If everyone in the country gave me sixpence, nobody would miss it and I’d be a millionaire”. The logic of this statement is impeccable, provided you remember that he was talking about 6d not 6p. And the population’s risen, so today, you’d net a cool 1.5 million for everybody’s two-and-a-half pence stake. The fly in the ointment was the absence, at the time, of any mechanism for the transfer of funds that did not entail an outlay at least comparable with the resulting income. Today, we have the answer to that problem. It’s called the Internet. And we still have plenty of crooks, con men and fraudsters, like Mr Templar, prepared to relieve us of whatever negotiable tender they can get away with.

So far, it seems, the bad guys have understood half the equation. They know, for instance, how to turn tens of thousands of computers into zombies that will, on command, generate an avalanche of traffic at a Web site, bringing it down until a ‘ransom’ is paid. They have targeted big companies that stand to lose a lot of money, so, the argument goes, why not charge them a lot for allowing them to continue trading?

That question invites the answer “Because they’ll fight back”, as indeed, they have. Traditional protection rackets adopt a business model in which the ‘subscription’ is low enough to avoid it being worth combating. Maybe we’ll start to see this approach used in DDoS attacks. “Give us a hundred nicker, Guv and we’ll go and annoy someone else.” Or, more precisely, thousands of someone elses.

So it’s only a matter of time before someone puts together a scheme in which very little is taken from very many sources on the basis that “nobody will miss it”. That way no one will be chasing him. How might this work? Well, for instance, most current accounts pay interest. You may check your bank statements regularly but I bet you don’t calculate how much that interest should be. I don’t. I don’t even know the algorithm employed. All I know is that it works out as a few pounds every month and that this is roughly right, given the quoted interest rate. But if it should be £8.27 and it’s actually £8.15, no warning bell would ring. And something hiding in my machine could be creaming the difference off somewhere. There’s already a Trojan in the wild (Misifid.A) specifically designed to harvest bank passwords. A blended attack combining this with a spoof bank Web site to which users are directed and which displays the subtly altered statements is pretty much all that’s needed.
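The warning bell the column says would never ring can be rung by a simple reconciliation, shown here as an added example that is not part of the original column: recompute the month's interest from the daily balances and the quoted rate, then flag any shortfall larger than rounding. The daily-accrual model, the 31 days of balances and the 3.65% rate are constructed assumptions, not any bank's published algorithm.

```python
from decimal import Decimal, ROUND_HALF_UP
from typing import Dict, List

# Assumed accrual model (an assumption for this example, not a bank's algorithm):
# interest accrues on each day's closing balance at annual_rate / 365, is summed
# over the statement period and rounded once, half-up, to the nearest penny.
ROUNDING_SLACK_PENCE = 1  # a penny either way is rounding, not skimming


def expected_interest_pence(daily_balances_pence: List[int], annual_rate: Decimal) -> int:
    """Interest the period should have earned, in whole pence."""
    daily_rate = annual_rate / Decimal(365)
    accrued = sum((Decimal(b) * daily_rate for b in daily_balances_pence), Decimal(0))
    return int(accrued.quantize(Decimal("1"), rounding=ROUND_HALF_UP))


def reconcile(statement_pence: int, daily_balances_pence: List[int],
              annual_rate: Decimal) -> Dict[str, object]:
    """Compare the interest printed on the statement with the recomputed figure.

    A shortfall beyond rounding slack is exactly the 12p gap the column
    describes (£8.27 due, £8.15 shown) and is marked suspicious.
    """
    expected = expected_interest_pence(daily_balances_pence, annual_rate)
    shortfall = expected - statement_pence
    return {
        "expected_pence": expected,
        "statement_pence": statement_pence,
        "shortfall_pence": shortfall,
        "suspicious": abs(shortfall) > ROUNDING_SLACK_PENCE,
    }


# Constructed sample: 31-day period, 3.65% p.a. (daily rate 0.01%), balances in pence.
SAMPLE_BALANCES = [250_000] * 10 + [274_800] * 21   # sums to 8,270,800p -> 827.08p interest
SAMPLE_RATE = Decimal("0.0365")
SAMPLE_STATEMENT_INTEREST = 815                     # what a tampered statement might show

if __name__ == "__main__":
    result = reconcile(SAMPLE_STATEMENT_INTEREST, SAMPLE_BALANCES, SAMPLE_RATE)
    print(f"expected £{result['expected_pence'] / 100:.2f}, "
          f"statement £{result['statement_pence'] / 100:.2f}, "
          f"shortfall {result['shortfall_pence']}p, suspicious={result['suspicious']}")
```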

I don’t think that’s happening to me because my computers are locked down pretty tight. But it could be happening elsewhere. Ciphertrust (www.ciphertrust.com/resources/statistics/zombie.php) reported last May that, across the world, over 172000 computers were being compromised every day. More than 5000 of them were in Britain. Clearly, that relationship can’t be linear with time but, even so, someone who controls 150000 computers (May’s UK haul) and defrauds their owners of 10p every month makes an enticing £180000 per annum.

How can we combat this threat? I am, of course, preaching to the converted here. I don’t imagine that anyone reading this article is remiss in downloading OS patches, updating virus signatures, configuring firewalls correctly and so on. But, demonstrably, Joe Public is. And, to some extent, he can’t be blamed. Well over half of home users still use dial-up connections and downloading even a few megabytes of virus signatures over a poor phone line is a real pain. So maybe he doesn’t do it regularly. And why should we expect him to know the arcane details of TCP ports? Or even where he can find software to test his defences? How many users do you know who have heard of Gibson Research’s (www.grc.com) ‘Shields Up’ for example?

So this has to be a job for the industry and, given the threat, it’s in the industry’s interests to address it. And only the ISPs have the relevant communication channels. It cannot be said that they have taken this responsibility very seriously to date. Many of them seem to think that a few articles on their portals about phishing, free virus checkers and firewalls are adequate. To be fair, some are beginning to wake up. NTL, for instance, is offering all its customers a free anti-virus service from Radialpoint. It plans to include anti-spyware, parental control and firewall modules later. It’s a start but it’s nowhere near enough.

[Something you’d like to get off your chest? Email me (Robin Jones) at eo@iap.org.uk.]