Information Security News mailing list archives

Team to Quash Hackers, Expert Says


From: InfoSec News <isn () C4I ORG>
Date: Thu, 22 Jun 2000 01:08:43 -0500

http://www.pcworld.com/pcwtoday/article/0,1510,17334,00.html

by Douglas F. Gray, IDG News Service
June 21, 2000, 3:58 p.m. PT

LONDON -- The simple act of reporting hackers to authorities is one of
the most effective weapons businesses can use to fight cybercriminals,
but it is also among the most rarely used.

"Companies are naturally resistant to tell the world they have been
victims of fraud. They are afraid people will laugh at them," says
Pottengal Mukundan, director of the International Chamber of
Commerce's Commercial Crime Services division.

Of course, companies are also worried about the negative effects of
such an admission on customer relations and stock prices, Mukundan
says, speaking here at InfowarCon 2000. But the victims' reluctance
has a price.

"In the absence of actual meaningful information coming from
corporations, it is difficult to stop the crime," he says.

Various studies find 90 percent of respondents detected computer
security breaches in 1999. Of those surveyed, 74 percent report
financial losses because of security breaches, Mukundan says.

The Computer Security Institute and the FBI's computer intrusion squad
have surveyed large companies and U.S. government agencies. A survey
conducted in England for the Department of Trade and Industry shows
that 60 percent of respondents suffered a computer security breach in
the last two years, he adds.

Emulate the Enemy

Mukundan says the "bad guys" are collaborating while the "good guys"
are going it alone.

"It is important for these companies to portray a good image, so the
good guys end up keeping the information to themselves," he says. "The
baddies, on the other hand, are out there freely sharing information
with each other on the Web."

Kits to create Trojan horses or viruses are widely available on the
Internet. Consider the recent "ILOVEYOU" worm that jammed e-mail
servers, Mukundan says.

"The software was not sophisticated, but what the authors lacked in
technical expertise, they made up for in guile. It brought the e-mail
systems of some governments to a halt," he says.

But the worm depended on unprepared humans, he says. "There is no
reason for people sitting in an office to open an e-mail which is
clearly suspicious and definitely not work-related."

Bottom Line: Human Error

The human angle in Internet security is too often ignored, Mukundan
says.

"Take the physical office building, for example. There is very little
use in spending millions on software security if you don't have decent
security on the premises," he says.

Government agencies have sustained stolen laptops, and people have
unwittingly sent insecure e-mail using PCs containing classified
information.

"The Internet is fundamentally insecure," Mukundan says. "Internal
networks should be physically removed from the Web, and it makes sense
to run static Web sites from a CD-ROM instead of a server."

Software filters help, he adds. "But there is no point in having this
system if the IT manager is too busy to actually look at the logs."

Mukundan also advocates international laws related to cybercrime so
criminals don't slip through gaps in the legal system. Online crimes
can be as damaging as their physical counterparts, he notes.

ISN is hosted by SecurityFocus.com