United Kingdom Parliament
Select Committee on Science and Technology Written Evidence


Memorandum by Paul Winstone

1.  INTRODUCTION AND SUMMARY

  This document summarises 19 years of personal computer experience on the prevalent Microsoft and Intel/AMD platform.

  In my nearly 20 years of working on personal computers, I have seen many changes. In 1987, the main threat to most computers was the transfer of data or copying of software between PCs on floppy discs. Virus infections were rare compared to the current epidemic and few computers were connected to the Internet.

  Now most home users are connected to the Internet, businesses have corporate e-mail and other Internet connections, and there is a proliferation of Internet sites on many subjects.

  This has led to a number of opportunities and also threats. Here is a summary of the main threats posed by simply having an Internet connection:

    —  Spam—e-mail that takes time to download and is the Internet equivalent of junk mail to the home. Very difficult to stop once you start getting it.

    —  Phishing—e-mail often delivered as spam and usually sent at random to a list of addresses. Designed mostly to steal identities or money.

    —  Illegal websites—the proliferation of websites and the lack of control over content has led to sites hosting child pornography, selling drugs and weapons, and supporting terrorist groups.

    —  Spyware—while this can genuinely fund free products, it can also be intrusive, bring your PC to a halt and expose you to pornography or other unwanted adverts. Usually picked up from suspect website pop-ups or software downloads.

    —  Suspect websites—sometimes an innocent looking website, but usually found on:

        —  pornographic websites;

        —  illegal software download sites;

        —  illegal music or video download sites; and

        —  "cracking" or security "hacking" sites.

    Such a site may, without your knowledge, download software that compromises data security and your identity.

    —  Direct attack—attacks in the form of denial of service, destruction of data etc, gaining access through:

        —  direct connection to networks/computers;

        —  services such as instant messaging;

        —  file sharing of software that masquerades as something desirable; and

        —  sabotage by employees or visitors.

    —  Virus attack—this could take several forms but is mainly distributed via:

        —  networking—sharing of files and resources over a corporate network;

        —  e-mail—either as spam or from an infected PC sending out its own mail; and

        —  trojans—tricking people into downloading a program that offers something desirable.

    —  Abuse—children and adults can be affected in multiple ways:

        —  attempts at grooming children;

        —  threats and abuse by e-mail and instant messages; and

        —  libellous remarks posted unaudited on a website, or a person faking another's identity when posting on a website.

2.  DEFINING THE PROBLEM

  The detail in section 1 is but the tip of the iceberg. How do we define the threat to individuals? The following lists users in order of increasing risk:

    —  Home user without Internet connection.

    —  Home user with dial up Internet.

    —  Home user with broadband connection.

    —  Businesses and other organisations with fast Internet and internal network.

  A home user without an Internet connection is not immune unless they never install software from questionable sources and never exchange files with another person. Their data is at risk of destruction perhaps, but the risk of data theft is insignificant.

  Users without Microsoft operating systems may think they are immune but this is also not the case. The risk does tend to be a lot lower, simply because Microsoft designed their operating systems to be easy to control and manipulate through user developed programs. Mac OS tends to be very popular and far more secure than Windows, as are the also popular Linux and other UNIX clones. They still have risks, but the greater risk is not of infection but of carrying an infection. UNIX clones do get hacked, but mostly for use as a means of attacking other companies or individuals.

  The problem for those connected to the Internet has changed. Since the popularisation of the Internet in 1993 by the arrival of the World Wide Web, Internet use has boomed. Viruses were the only known problem when I started and then you could get away without using any form of protection.

  Over the 13 years since then, we have seen spam appear and a change in focus. Viruses used to be developed for notoriety only, effectively for bragging rights. Imagine a teenager declaring "I wrote that virus that caused the New York Stock Exchange to come to a halt". Your risk then was, at worst, that your PC could be damaged beyond repair (in the case of BIOS/CMOS viruses); otherwise data destruction requiring repair of the operating system, or just annoyance.

  The focus changed from this immature attempt at self-promotion, eventually graduating into a money generating method. The stages can be loosely defined as follows:

    1.  Political hacking eg military, government, campaigns against organisations.

    2.  Spam becomes more than a minor inconvenience when the cost of downloading it increases substantially.

    3.  Viruses/trojans target dial up users to extort money by changing the dial up number to a premium rate number.

    4.  Viruses released to exploit flaws and gain personal details from organisations.

    5.  Attacks start to use corporate networks and individual computers to launch attacks on websites and individuals.

    6.  Virus releases decrease as phishing becomes more successful at getting access to bank accounts and other websites.

  Viruses are still used to build BotNets of computers for organised crime gangs, which can be used to hack into computer systems or even to send out millions of spam messages, some of which contain phishing attempts. But the scale of this problem has reduced over the past year.

  Phishing and other scam e-mails, eg claiming to collect money for charities or promoting pyramid schemes, are now the biggest threat to home users. Businesses (and especially government departments) are far more pro-active in reducing this risk. Some will block their staff from accessing banking websites or anything that could lose their staff money through phishing. But there are still companies that do not have a firewall or antivirus software to protect them.

  Spam in January 2005 reached an unbelievable 93% of incoming mail traffic according to Mail-Filters.com, so the scale of the problem is beyond epidemic proportions. While the average computer user will just ignore messages trying to sell them Viagra, porn or body enhancement creams or pills, there are more sinister spam messages. These are the real threat, but how do the spammers get our e-mail addresses? The following are the most popular methods:

    —  Retrieving addresses from news groups.

    —  Virus infected computers sending all "harvested" addresses to spammers.

    —  Software used to retrieve addresses from websites.

    —  Software used to retrieve addresses from domain name registrars.

    —  Selling of e-mail lists.

  There is little evidence to show that users understand the threat or how to minimise the risk to themselves and to others. By leaving their computers or networks unprotected or insufficiently protected, they are putting not just themselves but anyone who interacts with them by e-mail at risk.

3.  TACKLING THE PROBLEM

3.1  What can be done to provide greater security?

  Legislation to make spam, or specifically unsolicited e-mail, illegal has been completely ineffective. Tracking down the individuals that are the biggest cause of spam will only have a slight impact. To reduce the impact of spam (which should also reduce the impact of phishing and virus spread) the only effective method is likely to be limiting e-mail.

  To explain this, how long will a spammer's e-mail address last once they start sending out junk? At most I would expect 3-5 days. Although they hide their e-mail addresses to the best of their ability (most of the time at least) there are usually ways of finding them. I suggest that the best method of bringing about a substantial reduction in spam is to enforce a limit on all new e-mail accounts. I suggest that the following be implemented for all new accounts for a minimum of two weeks from creation:

    —  A maximum of 10 e-mails to be sent per day.

    —  Maximum attachment size of 500KB.

    —  No more than five e-mail recipients per message.

    —  Users able to bypass this by placing £1,000 bond with provider which is taken if mail traffic exceeds specified limits.
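As an added illustration of how a provider could enforce the limits proposed above (this is the editor's example code, not part of the original memorandum), the following Python models a new-account sending policy. The two-week probation period, the four limits and the £1,000 bond are the values listed above; the rolling 24-hour window for "per day", the account and message fields, and the rule that a bonded account keeps sending but forfeits its bond on the first breach are assumptions made for the example:

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Limits proposed in the memorandum for accounts in their first two weeks.
PROBATION = timedelta(days=14)
MAX_PER_DAY = 10
MAX_ATTACHMENT_BYTES = 500 * 1024
MAX_RECIPIENTS = 5
BOND_GBP = 1000


@dataclass
class Account:
    address: str
    created: datetime
    bond_gbp: int = 0                            # bond lodged with the provider (assumed field)
    sent_at: list = field(default_factory=list)  # times of messages the provider accepted


@dataclass
class Outbound:
    recipients: list
    attachment_bytes: int = 0


def violations(acct, msg, now):
    """List the new-account limits this message would break; empty means none."""
    # "Per day" is modelled as a rolling 24-hour window (an assumption).
    window_start = now - timedelta(days=1)
    sent_today = sum(1 for t in acct.sent_at if t > window_start)
    broken = []
    if sent_today >= MAX_PER_DAY:
        broken.append(f"daily limit of {MAX_PER_DAY} messages reached")
    if len(msg.recipients) > MAX_RECIPIENTS:
        broken.append(f"{len(msg.recipients)} recipients exceeds {MAX_RECIPIENTS}")
    if msg.attachment_bytes > MAX_ATTACHMENT_BYTES:
        broken.append(f"attachment of {msg.attachment_bytes} bytes exceeds {MAX_ATTACHMENT_BYTES}")
    return broken


def submit(acct, msg, now):
    """Decide whether the provider relays the message; returns (accepted, reason)."""
    if now - acct.created >= PROBATION:
        acct.sent_at.append(now)
        return True, "account is past its probation period"
    broken = violations(acct, msg, now)
    if not broken:
        acct.sent_at.append(now)
        return True, "within new-account limits"
    if acct.bond_gbp >= BOND_GBP:
        # A bonded account is not blocked, but the bond is taken on the first breach.
        acct.bond_gbp = 0
        acct.sent_at.append(now)
        return True, "accepted, bond forfeited: " + "; ".join(broken)
    return False, "rejected: " + "; ".join(broken)


def simulate():
    """Exercise the policy on constructed accounts and return the outcomes."""
    now = datetime(2006, 10, 1, 9, 0)
    one = ["friend@example.org"]
    many = [f"r{i}@example.org" for i in range(20)]

    # Day-old account: the first ten messages pass, the eleventh is refused.
    fresh = Account("new@example.org", created=now - timedelta(days=1))
    first_eleven = [submit(fresh, Outbound(one), now + timedelta(minutes=i))[0] for i in range(11)]
    oversize = submit(fresh, Outbound(one, attachment_bytes=600 * 1024), now + timedelta(hours=2))[0]

    # Bonded account: bulk mail goes out once, costing the bond; the next breach is refused.
    bonded = Account("bonded@example.org", created=now, bond_gbp=BOND_GBP)
    bonded_bulk = submit(bonded, Outbound(many), now)[0]
    bonded_again = submit(bonded, Outbound(many), now + timedelta(minutes=1))[0]

    # Established account: no limits apply.
    old = Account("old@example.org", created=now - timedelta(days=30))
    mature_bulk = submit(old, Outbound(many), now)[0]

    return {
        "first_ten": first_eleven[:10],
        "eleventh": first_eleven[10],
        "oversize": oversize,
        "bonded_bulk": bonded_bulk,
        "bond_left": bonded.bond_gbp,
        "bonded_again": bonded_again,
        "mature_bulk": mature_bulk,
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

The per-account state (creation time, bond, accepted-send times) is what a provider would have to persist in its mail submission service; the decision itself is a few comparisons at SMTP submission time, which is why the proposal puts the cost on ISPs rather than on users.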

  While virus traffic is substantially reduced compared to 2004, this is simply because organised crime is now paying virus writers to write specific viruses to harvest passwords etc, and phishing e-mails. Forcing ISPs to deny Internet access (as opposed to access to their network) unless operating systems have appropriate updates, antivirus software and firewall software may help. However, this could force a move to broadband Internet for all users, which would not necessarily be a bad thing anyway.

  We are unlikely ever to be able to eradicate virus attacks, phishing attempts and spam, as for every method we use to fight them, criminals, and those time wasters we call spammers, will attempt to bypass it. All we can do is reduce the risk.

3.2  What is the level of public awareness?

  There has been plenty of publicity by nervous banks about phishing and quite rightly so. But there are still people being affected by it. At least now banks are doing far more to make their Internet banking far more secure.

  But education of the public is the only way this is ever going to be brought to an end. Effectively this needs the co-operation of ISPs or we are not going to get anywhere. Perhaps by filtering all e-mail, looking for known bank names eg Halifax, HSBC or NatWest, and warning users that a message may be a phishing attempt, we might get somewhere. Relying on the simple education of users is not going to work. It seems horrible to say it but basically people are stupid. Many of us will believe an authentic looking e-mail without question when asked to "confirm our details", without thinking "Why would the bank ask us this when they already know?"
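As an added example of the bank-name filter suggested above (editor's example code, not part of the original memorandum), the following Python parses a message, looks for the named banks, and warns when the sender domain or any link in the body is not hosted under the bank's own domain, or when the body carries a "confirm your details" style request. The bank-to-domain table, the lure phrases and the two sample messages are constructed assumptions for the example; the domain check deliberately accepts only the bank's domain and its subdomains, so look-alikes such as hsbc.co.uk.something.example are flagged:

```python
import re
from email import message_from_string
from urllib.parse import urlsplit

# Assumed table of bank names and the domains their genuine mail and links use.
BANK_DOMAINS = {
    "halifax": "halifax.co.uk",
    "hsbc": "hsbc.co.uk",
    "natwest": "natwest.com",
}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
# Wording typical of the "confirm your details" lure described in the text.
LURE_RE = re.compile(
    r"\b(confirm|verify|re-?enter|update)\s+your\s+(details|account|password|security)",
    re.I,
)


def hosted_by(host, domain):
    """True if host is domain itself or a subdomain of it (a look-alike prefix is not)."""
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def message_text(msg):
    """Concatenate the decoded text/plain and text/html parts of a message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def sender_domain(msg):
    match = re.search(r"@([\w.-]+)", msg.get("From", ""))
    return match.group(1).lower() if match else ""


def phishing_warnings(raw_message):
    """Return warnings to show the user; an empty list means nothing looked suspicious."""
    msg = message_from_string(raw_message)
    text = message_text(msg)
    mentioned = [b for b in BANK_DOMAINS if re.search(r"\b%s\b" % b, text, re.I)]
    if not mentioned:
        return []
    genuine = [BANK_DOMAINS[b] for b in mentioned]
    names = ", ".join(mentioned)
    warnings = []
    frm = sender_domain(msg)
    if frm and not any(hosted_by(frm, d) for d in genuine):
        warnings.append(f"mentions {names} but was sent from {frm}")
    for url in URL_RE.findall(text):
        host = urlsplit(url).hostname
        if not any(hosted_by(host, d) for d in genuine):
            warnings.append(f"mentions {names} but links to {host}")
    if LURE_RE.search(text):
        warnings.append(f"asks you to confirm details for {names}; the bank already holds them")
    return warnings


# Constructed sample messages (not real mail).
PHISH = """\
From: "HSBC Security" <security@hsbc-online-verify.example>
To: victim@example.org
Subject: Please confirm your details
Content-Type: text/html; charset=utf-8

<p>Dear HSBC customer, please
<a href="http://hsbc.co.uk.account-check.example/login">confirm your details</a>
within 24 hours or your account will be suspended.</p>
"""

GENUINE = """\
From: "HSBC" <noreply@hsbc.co.uk>
To: customer@example.org
Subject: Your statement is ready
Content-Type: text/plain; charset=utf-8

Your HSBC statement is available at https://www.hsbc.co.uk/statements
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH), ("genuine", GENUINE)):
        print(label, phishing_warnings(sample) or ["no warnings"])
```

Run stand-alone it prints three warnings for the constructed phishing message (sender domain, link host, lure wording) and none for the genuine one. A filter like this belongs at the ISP's inbound mail gateway, where it can annotate the subject or add a header rather than silently dropping mail, since false positives on genuine bank mail are the main cost of a name-based heuristic.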

  Many are ignorant of the risks of virus attack or direct hacking of their equipment. A simple free antivirus program downloaded from free.grisoft.com has tested as far more reliable than the often expensive Norton/Symantec antivirus products. So there is no excuse for the public to say they can't afford the software.

  There is even a decent free firewall available from www.zonelabs.com. The best is claimed to be Black Ice Defender, available from www.iss.net, but this is not too expensive as a one-off investment.

  The reason for the lack of public awareness is partly apathy or a technophobic reaction. People just aren't interested in anything computer related. They just see the PC, Mac etc as a means to an end: sending e-mails, video chats with relatives, writing letters, banking etc. This kind of person can only be dealt with by the help of the ISP. There may be a backlash from ISPs at the thought of more work, but if implemented right this will actually reduce their workload.

3.3  What factors prevent sensible precautions?

  Money, user apathy and technophobic reactions are the main reasons for sensible precautions being avoided. Making such essential security software free may help but then what will that cost the government? I would suggest that denying access to the Internet unless at least a free antivirus and firewall package are installed and maybe antispyware and antispam software as well is the best policy to pursue.

3.4  What role can software or hardware play in reducing the risk?

  Perhaps a simple "box" to provide the needed security will be the answer, but how much will this cost? Software as discussed can be provided that will reduce the impact, but certainly in the case of antivirus software, this will only be as effective as how often it is updated.

  Perhaps bringing an end to dial up Internet connections will be the only answer, with dial up being allowed only as a backup for those that have a broadband connection at home? For this all to work a partnership is needed between government and Internet providers, or we will just keep being overrun by spam and virus attacks.

3.5  Who should be responsible for ensuring effective protection from threats?

  The ultimate responsibility does lie with the users, but how do we make sure that they protect themselves? Legislation to force the co-operation of ISPs, if they don't do so voluntarily, may work but it's only any good if all work together. Perhaps a licensing scheme, under which those ineffective at providing security are shut down, would be the answer?

3.6  What's the standing of UK research in this area?

  Research does not appear that easy to find when searching the Internet. Publicity is more common through sites such as www.theregister.co.uk. As an example, an article from Sept 2006[35] shows that 3.8% of 1,835 UK adults quizzed said they would still respond to an unsolicited e-mail asking them to follow a link to re-enter personal security details. This is little better than what the banking organisation APACS discovered two years ago. At that time 4% indicated they might respond to such an e-mail. More people than before will now check message validity with their bank before responding: 39% now compared to 28% in 2004.

  Even more worrying was the news that only 46.3% of people surveyed regularly update their antivirus software and just 10% have antispam software. They complain that 35% of users write a password down by their computer, but this is far more secure than recording it in a file on the computer. 62.5% of those surveyed also never change their password. The frequency of password changes may not be important. If you have a secure password that is effectively nonsense then, as long as you take adequate software precautions, you should be OK. Though changing a password periodically, or using different passwords for different things, is still a good idea.

4.  GOVERNANCE AND REGULATION

4.1  How effective are initiatives on IT governance in reducing security threats?

  There is little evidence to suggest any initiatives are having an effect. The apparent reduction in virus attacks is down partly to a shift in focus to fraud by using phishing attacks.

4.2  How far do improvements in governance and regulation depend on international co-operation?

  National co-operation with ISPs would make a substantial difference and if implemented correctly by all concerned may even be all that we need. However the major spam attacks come mostly from USA, Russia and China. To tackle spam at the source, international co-operation is absolutely essential.

4.3  Is the regulatory framework for Internet services adequate?

  In some cases there is too much regulation, which is ineffective. The RIP Act (Regulation of Investigatory Powers Act 2000) could be an example of this. Has it been effective in reducing organised crime? Probably not, if you consider that phishing attacks are the result of organised crime. There is not enough regulation to reduce the opportunities for attack, and this is where we have an opportunity to be world leaders rather than followers.

4.4  What, if any, are the barriers to developing information security systems and standards and how can the barriers be overcome?

  Multiple parties being involved and the multinational nature of the Internet are clear barriers to development of security systems. Speed of Internet access is also a factor. Someone on a dial up connection may not be able to download updates very quickly to the antivirus software or operating system but they can still be attacked.

  International co-operation would be the best way to tackle spam and phishing. My idea of limiting new mail accounts should have an impact if companies throughout the world co-operate in implementing it. This requires government legislation and support as there is no hope of implementing such an idea by communication with providers especially the less scrupulous ones.

5.  CRIME PREVENTION

5.1  How effective is Government crime prevention policy in this area? Are enforcement agencies adequately equipped to tackle these threats?

  The Government has done what it can but this is clearly not sufficient. A lack of knowledge may be part of the problem, and enforcement agencies ignore the opportunities that present themselves to tackle some offenders, claiming it is impossible to track them down. Whatever happened to old fashioned detective work?

  I have previously received an e-mail in which I was being sold child pornography, weapons and illegal drugs. When I complained to the police, this was ignored with the response "We have no hope of finding out where this is coming from". From reading the e-mails, I had worked out that the sender was a native English speaker and had the support of their provider in Russia. This should have enabled agencies such as Interpol to track down the perpetrator of the crime.

  Prevention is an important part of reducing such a problem but it can only be done by national co-operation encouraged by the Government and international co-operation perhaps through the United Nations.

  Solving the crimes is going to be much harder, but the police apathy that insists detection is not possible is caused partly by a lack of knowledge. High tech detection teams, where civilians work with police officers and intelligence agencies, are essential to reduce the impact of these crimes.

5.2  Is the legislative framework in UK criminal law adequate to meet the challenge of cyber-crime?

  Yes criminal law is probably sufficient but it is no good unless there are suitably experienced investigators to deal with reports. It also needs to be backed by legislation or pressure from the government to make absolutely sure that ISPs implement recommendations to reduce the impact of spam, virus attack, denial of service and other attacks.

  Perhaps this should come under the control of the Information Commissioner's Office? It needs to be led by someone, and perhaps detection and reduction of impact should be dealt with by one organisation rather than splitting the skills between multiple organisations.

5.3  How effectively does the UK participate in international actions on cyber-crime?

  We are no better than any other country. The USA perhaps led the world in attempting to cut spam, but it was a spectacular failure. The European Union tried the same thing with perhaps marginal success, but has failed to provide anything with "teeth".

  The Internet Watch Foundation (http://www.iwf.org.uk/) is hopelessly ineffective because it does not follow up on many complaints saying it is beyond their remit. This I cannot blame on them but something further definitely needs to be done.

  A national task force on such matters may be a good start and co-operation with other such organisations in other countries, taking the ideals of the IWF further would show that the UK is serious about international actions on cyber crime.



35   http://www.theregister.co.uk/2006/09/25/banking_security_survey/


 

© Parliamentary copyright 2007