Friday, December 5, 2008

Punishment vs. Prevention


Recently, F-Secure released a report titled, "Growth in Internet crime calls for growth in punishment". The article and the associated report cite F-Secure's research and several specific incidents to make the case for creating an 'Internetpol' to fight cybercrime. It is their conclusion that "against a background of steeply increasing Internet crime, the obvious inefficiency of the international and national authorities in catching, prosecuting and sentencing Internet criminals is a problem that needs to be solved."

The data that is used to reach this conclusion is tenuous at best. The primary fact cited is that the number of signatures used in the F-Secure detection database has increased three times over a year ago. This could be explained in many ways, with one of the main ones being that exploit creators have adapted to signature based detection by automatically generating variations of the original, which requires many more signatures to detect a single basic exploit. Numbers alone do not tell the story.

As a side note, this is one of the strengths of the Realeyes IDS. While the rules include specific characters to be matched, they can be detected in any order and then correlated with an Action. At the next level, multiple Actions can be correlated with an Event. This allows many variations of an exploit to be defined by a single Event rule.

F-Secure's anecdotal evidence of outbreaks is even less convincing. It is just as easy to conclude that attacks are more targetted than a few years ago, when a single worm could infect millions of systems, and infer from this that software development has become at least good enough to deter the easy attacks. Yet, neither scenario is absolutely supported by the evidence.

But even if the problem were defined correctly, the solution presented is not. First and foremost, what is a cybercrime in international terms? Most countries have not updated their own laws to meet the conditions presented by the Internet. The thought that Brazil, Russia, India, China, the UK, the US, and all the other countries with Internet access could agree on a common set of laws to govern Internet usage is a stretch, to say the least.

Then there is the issue of prosecution. The situation of a perpetrator who is in a different country from the computers attacked would probably not be any different from how that is handled today. And it is all too common for bureaucratic agencies to use quantity instead of quality to prove success. This initiative would very likely result in many low-level 'criminals' and even some innocent people being swept up in the new dragnet.

Finally, I find it extremely simplistic to suggest dumping society's problems on law enforcement. A huge question is how this internetpol organization would be staffed, especially considering that existing law enforcement agencies are finding it challenging to enforce existing laws in the Internet environment. Between jurisdictional issues and competition for the qualified candidates, the new agency would certainly create inefficiencies. And where is the funding to come from?


I believe that legislatures need to update laws to define what is cyber crime. The recent case on cyberbullying has produced potentially bad precedents that need to be addressed, and soon. But most of this effort should focus on adapting current law to the Internet and only creating new laws where they are justified by a unique situation.

The truth is, much of the problem is technological. SQL injection attacks are an example. Currently, every application programmer is expected to parse input for this. But many application programmers hardly know what a database is, much less how to protect against all the possible variations of SQL injection. The ones who do know that are the database developers. Therefore, the security community should be calling for all xDBC libraries to include methods to validate input for applications.

The F-Secure report cited botnets as one of the primary security concerns. The root cause of botnets is spam Email. If this were not such a lucrative business, it would not be such a problem. One of the solutions is to force strong authentication in Email protocols. And this is just one example. The security community should support an organization that could act as consultants to protocol committees to define strong security solutions for Internet protocols. That organization could also focus on convincing vendors and users to implement those solutions.

There are many guides on secure programming, but how many application developers have studied them? This should be mandatory, because if exploiting vulnerabilities were hard, there would not be nearly as many attacks. The security community could help produce more secure applications by establishing a certification program for secure programming.

Realistically however, the biggest part of the problem is unaware users. We in the industry talk about best practices, but that is meaningless to most users. We need to convince management to ensure that users get adequate training about good security practices and we need to be specific about what that training includes.

Finally, I feel compelled to issue the warning, "Be careful what you wish for, because you might just get it." If the government takes over Internet security, there is sure to be a large amount of new regulation imposed. And this could mean security companies like F-Secure would have to devote a lot of resources towards compliance. I think it would be much better for us to take responsibility for finding solutions ourselves.

Later . . . Jim