Wednesday, May 10, 2006
Stop Right There
Stop! Unplug your wireless card, disconnect your computer from ADSL, time to go back to paper and pen. Stewart Baker, an Assistant Secretary of State at the Department of Homeland Security believes that “technology threats [such as viruses] are growing faster than IT security can handle.” We’ve already lost. Even if we had a technological Domestos, it’s not the known germs that would kill us but the unknown ones that emerge too rapidly for us to deal with. Home computers have been with us for 25 years, the Internet for about 12, broadband for about 6. Short periods of time in the bigger context of life. The techniques we’ve learned to deal with security in our own lives – lock the door before we leave the house, shut all windows, wear a seatbelt in the car, don’t leave our valuables on display, don’t write down your PIN number for your bankcard – are not yet routine for most of us when translated to their technology equivalent. Our computers are infested with all kinds of nasties. The UK has 25% of the world’s total number of hijacked PCs, more than the USA and China, both of whom have five times the number of online users. Security issues tend, like government press releases, to come with big numbers. Perhaps that puts us off. And, as we tend to with government statistics, our eyes glaze over when we hear that 66% of email is rubbish (i.e. spam); or that there were 1.5 billion attempts to steal banking details through fake emails and associated websites last year; or that the FBI estimate that dealing with security costs just USA corporations over $67 billion annually; or that 1 in 20 emails has a security threat within it? When we couple big numbers with odd, meaningless words: phishing, pharming, bots, Trojans, dialers, backdoors I imagine understanding recedes further. Maybe we assume that these problems only “happen to other people”? Why is that? Perhaps it’s because we get so little feedback from the technology we use? Last month, Gilette launched the “five bladed razor” (personally, I’m still a two-blade kind of guy) – you can buy one of these, shave with it and right away tell whether you prefer it to your old one (whether that has 1,2,3 or even 4 blades). When you buy the new washing powder (one that washes whiter of course), you’ll quickly decide whether you like it more than your usual one. But, install the latest firewall and what do you get? For the most part, absolute silence. Both the Apple and Microsoft firewalls that come with systems by default never utter a peep. Are they working? Who knows? How could you tell? Can you apply the “Ronseal Test” (does it do what it says on the tin?) to your anti-virus product, to your firewall or to your intrusion detection system? Unless you have an army of security and technology experts at your disposal, probably not. Another reason could be that we just assume whatever we have installed is doing its stuff. We install something and forget about it. Is it up to date? Have you downloaded the latest version? Have you got so used to clicking on peculiar, jargon-laden messages from your software that you ignore the crucial one that says your subscription has expired? Did you install a trial version and forget to take it on permanently? Did you accidentally block the software from talking to the Internet so even if it wanted to, it couldn’t get the latest updates? How would you know where to look to find out what had gone wrong? The government campaign “Get Safe Online” – the result of several years hard work inside government – seems to be getting traction. Big online companies, such as eBay, know that confident consumers who trust the environment they’re operating in will buy and sell more online and so support the initiative. Separately, government is pursuing the CCTM (CSIA Claims Tested Mark) approach – a badge of honour for equipment that passes the Ronseal Test – but it has yet to make it into the consumer product space. ISPs – the folks that connect you to the Internet - have been pretty silent though; it baffles me still why they would let you connect to their own network without being sure you weren’t infected. Likewise, they should be doing more to prevent the more than 30,000,000,000 (according to Yahoo) spam emails that circulate daily from being carried around their expensively built networks. In the end though, it’s the simple rules that have stood us good stead for years that we need to go back to. We know that in nasty neighbourhoods we have to take more care. The Internet is a global nasty neighbourhood. Stepping into it you are confronted by thousands or millions of threats. Lock the door, close the windows, wear a seatbelt, keep your valuables hidden. Keep your operating system up to date, install a firewall from a trusted source, ensure you have a regular subscription to an anti-virus and anti-spam service and don’t read email from people that you don’t know. But, don’t forget, people still get burgled, cars still get broken into – so don’t rely on the technology at every stage. So, if you do get an email from a bank or a company that “wants to check your details” or that believes there’s a problem with our account, don’t click on the link in the email, no matter how plausible it all sounds – just go straight to their homepage and navigate from there. This way you have a fighting chance of being able to ignore all the techno-babble and keeping pace with the threats whilst staying as secure as you can be.
Posted by Alan at Wednesday, May 10, 2006