Monday, December 15, 2008

Cyber(in)security roundup

Producing the McAfee VCR makes you more than normally aware that every vendor and their (robo)dog, plus apparently most NGOs, produces a report on some aspect of online spam, crime, fraud etc. in that vital run-up period to Christmas when apparently our minds are focused on fun, festivity and, er, fraud:

My esteemed co-author Blogzilla helpfully summarises a few from the US and international organisations:

"Securing Cyberspace for the 44th Presidency — the Center for Strategic and International Studies argues that President Obama should create a comprehensive national security strategy for cyberspace, echoing many of [the McAfee] recommendations.

Financial Aspects of Network Security: Malware and Spam — the International Telecommunications Union develops a framework for assessing the financial impact of malware.

The OECD calls for a global partnership against malware, and a move from reactive responses to proactive threat reduction and mitigation."

But there's also been some more local offerings:

The Garlik UK Cybercrime Report 2008 - which, like our report, top-lines the credit crunch and its effect on cyberfraud. Despite the name, the figures appear to relate to 2007. For the UK, it is claimed, we have seen:
  • Overall cybercrime has risen by 9% from 2006
  • Online financial fraud is up by 24%
  • Online card fraud is up 45%
  • 84,700 cases of online identity fraud
  • 40% of all identity frauds are facilitated online
  • "More than two million victims suffered abusive or threatening emails, false or offensive accusations posted on websites and blackmail perpetrated over the internet, up from 1,944,000 in 2006." Much of this apparently took place on social network sites. Pangloss is curious where they got this figure - must go print out the whole report.

ENISA, the EU's security agency, also produced in early December a rather overlooked report: ENISA - Photo Sharing, Wikis, Social Networks – Web 2.0 and Malware 2.0.

This has an interesting analysis of risks primarily to *systems* from the hard technical viewpoint, as opposed to the emphasis most of the other reports place on risks to *users* (though of course the two are connected). The risks of cross-site scripting exploits in multi-origin environments like SNSs are highlighted, along with typically weak control of authentication and access privileges. The policy recommendations to governments are interesting:

"• Policy incentives for secure development practices such as certification-lite, reporting exemptions and the funding of pilot actions. These incentives are needed to address the large number of, eg, cross-site scripting vulnerabilities caused largely by poor development practice.
• Address/investigate Web 2.0 provider concerns about conflicts between demands for content intervention and pressure to maintain ‘mere conduit’ or ‘common carrier’ (US) status. This is considered a very important problem by Web 2.0 providers because of the strong user-generated content component.
• Encourage public and intergovernmental discussion on policy towards behavioural marketing (eg, by the Article 29 Working Party)."

Perhaps unsurprisingly in light of all this, the EU has just announced (9/12/08) its plans to continue funding its Safer Internet Programme to the tune of 55 million Euros:

"The EU will have a new Safer Internet Programme as of 1 January 2009 (to 2013) ... While 75% of children (aged between 6 and 17 years) are already online and 50% of 10-year-olds have a mobile phone, a new Eurobarometer survey published today shows that 60% of European parents are worried that their child might become a victim of online grooming (when an adult befriends a child with the intention of committing sexual abuse) and 54% that their children could be bullied online. The new Safer Internet Programme will fight grooming and bullying by making online software and mobile technologies more sophisticated and secure."

The money is to go to:

  • Ensure awareness of children, parents and teachers, and support contact points that are providing them with advice on how to stay safe online.
  • Provide the public with national contact points for reporting illegal and harmful content and conduct, in particular on child sexual abuse material and grooming.
  • Foster self-regulatory initiatives in this field and stimulate the involvement of children in creating a safer online environment.
  • Establish a knowledge base on the use of new technologies and related risks by bringing together researchers engaged in online child safety at European level.

So more media literacy, more research, more IWF-style hotlines, but no apparent endorsement of the ISP or mobile comms sectors being required to impose mandatory "upstream" filtering: either of the IWF-led UK Cleanfeed initiative or the disputed new Ozzy variety. Interesting...