Thieves Winning Online War, May Be Using Your PC

Malicious software is spreading through computers faster than ever before. Microsoft has measured a 43 percent jump in malware removed from Windows computers in just the last six months, and SRI International now collects over 10,000 unique malware samples from around the world daily.

By the end of this year experts project that 15 percent of Internet enabled computers will be controlled by botnets – an increase from 10 percent in 2007. By these estimates, about 10 million computers are now enlisted in distributing spam and malware, or used to disrupt online services.

Cybercriminals are basking in an underground economy that is not only unhampered by the economic downturn, it is likely to benefit because many companies will slow or stop investments in security as part of their cost cutting efforts.

The underground economy is driven by credit card theft, scams and banking fraud that robs companies and consumers of over $100 billion a year, according to the Organization for Security and Cooperation in Europe.

Cybercriminals are outpacing the most advanced software security companies and law enforcement. Their crimes generate huge resources for reinvestment into innovative fraud technologies, and they are far faster in development and more nimble in deployment than the best security services. Additionally, they base their operations in crime-friendly countries that have well developed Internet connections making prosecution difficult if not impossible.

Perhaps an even deeper impact of the online crime wave is the loss of basic trust in online commerce and services, something Internet executives’ fear will continue to erode now that consumers are becoming cybercriminal’s primary target.

Click to read the full article

My thoughts:

The news on the cyber-warfare front is grim, but not hopeless. This isn’t the first time I’ve blogged on cybercrime nor will it be the last, because you play a large role in your online destiny. (See my last blog U.S. "under widespread attack in cyberspace" Apr. 2008)

Every Internet user should take four actions:

1. Secure every Internet connected device you own. Not only is this an absolute requirement for protecting yourself, unprotected Internet connected devices represent a risk to everyone else. Note: Macintosh users have long been mostly exempt from malware attacks as criminals focused on the dominant Windows products, but as Apple machines increase market share researchers expect these to become larger targets. Learn how to secure your computers. Doing nothing is a guarantee that your computer and your information will be exploited.

2. Apply defensive Internet-use procedures. Your biggest threat, once you have secured your computer, is through your own actions online. Cyber-criminals are masters in fooling unsuspecting computer users into clicking malicious links or providing sensitive information in messages, search engines, social networking sites, forums, and everywhere else imaginable online. Learning how to detect and block spam and phishing, apply defensive browsing tactics, prevent ID theft and to shop safely are 21^st century life skills. You should not go online without them.

3. Refuse to use sites that do not protect you. Your safety has to come first in priorities with the internet companies you do business with.

• This means that companies employ the most stringent standards for data security. Far too often, a single set of credentials is all it takes to breach a security system and put millions of consumers at risk. With the recession forcing cost savings, security measures cannot be among the cuts.

• This means companies take the time to develop features in a way that provides maximum protection instead of racing a feature to market and attempting to patch problems when complaint levels get to high – like many social networking sites are doing.

• This means giving consumers real information so they are able to make fully informed decisions about privacy choices. Few companies adequately explain how to successfully use their products from a safety perspective.

• This means that the terms and conditions respect the user’s ownership of their own content, and that should a problem occur the company will step up and take every measure to rectify the situation to the consumer’s satisfaction.

Unfortunately these protections are not a given. Few websites even test their services for consumer safety. If we want safer products, companies will actually have to build safer products. Security audits frequently find flaws on multiple levels of a service’s infrastructure. Companies as prominent as Facebook claim the rights to your content. As consumers, you have rights, and you need to hold companies accountable for respecting those rights.

4. Support your elected officials in increasing funding for cyber security, law enforcement, and a more secure design for the Internet. No matter how steep the recession, we cannot afford to cut back on cyber-security spending; indeed, we need to increase the efforts in this area as we are losing ground to both cybercriminals and terrorist groups online. The U.S. is not adequately protected today. In January 2008 the National Security Presidential Directive 54, established a national cyber security initiative. It’s a start, but it comes late. The need to protect the government’s computers and systems running critical infrastructure such as power grids, water systems, gas lines etc. is critical, as the Russian cyberattack on Estonia in May 2007 displayed how quickly an entire country could be brought to its knees.

Increase support for law enforcement at the local, state, national and international levels. To date we have miserably under funded, under staffed, under trained aw enforcement agencies in the fight against cybercrime.

Fund the development of a safer, stronger, more secure Internet. The Internet was not developed with today’s capabilities or criminals in mind and it has fundamental flaws that make exploitation relatively easy. While it is essential to fund the defense of the existing infrastructure, it is a mistake to fail to build for the future. The money being spent today both by companies and countries is almost entirely dedicated to patching problems in the leaky infrastructure rather than creating a fundamentally stronger infrastructure. One exception to this focus may be in Japan. In Aug 2007, Japan’s minister of communications announced their intention to build a new version of the Internet that would replace the existing infrastructure by 2020.