Net security author gives thumbs up to iCode

Author Joseph Menn has investigated the murky depths of the multi-billion dollar cybercrime business and believes Australia’s latest attempt at an industry solution could prove a key means of protecting victims.

Menn [pictured], who will visit Australia to address the Internet Industry Association's Gala Dinner on February 17, was the author of "Fatal System Error: The Hunt for the New Crime Lords Who are Bringing Down the Internet.”

His third book explores a world of secretive global cyber cartels and their hidden multibillion-dollar business, proving cybercrime does pay and pays well. 

iTnews' Canberra correspondent John Hilvert caught up with Menn on the eve of his trip.

John Hilvert, iTnews: What prompts your interest down under?

Joseph Menn: I am familiar with the IIA's industry code of conduct - aka the icode. I find it very interesting. More countries will be looking at it.

A lot of people need a lot more power. ISPs individually and collectively need to step up. It's less an obvious good thing these days, that no-one is in charge of the Internet. But an industry association setting out rules of the road and what should be good practice would be very helpful.

The code as I understand it is - if we see your computer is acting like a bot, then we a) let you know and b) try to help you remediate it and if that doesn't work, we may consider having to quarantining you temporarily from the net.

That makes a heck of a lot of sense to me. It's something that's much easier to do if the entire industry is pulling together.

iTnews: Is there anything you hope to do in Australia?

Joseph Menn: I'm hoping to meet with senior Government officials as well as industry folk and find out how the industry code works in practice. How many folks are getting notified that their computers are bots and what they are doing about it? Has there been a push-back from the folks or are they happy?

If your computer is being used to attack other people then you are responsible for that and most people recognise that. They need to have those things pointed out to them. That hasn't happened in most of the world yet.

If this is the way forward, I want to see how it is working.

iTnews: One of themes of "Fatal System Error" is the little understood role of organised crime in both Eastern Europe - as well as the West being responsible for a lot of cyber-mischief. Is this role weakening now that there is better understanding of their influence?

Joseph Menn: It's definitely getting bigger. There is nothing to stop it. In many of these countries, particularly in Eastern Europe, organised crime is very powerful. Even legitimate businesses are often forced to turn towards organised crime as a patron or protector from other mobsters or Government authorities. That is not changing.

It is not as if the Russian Mob woke up one day and said, "I think we should open a cyber division." It's a more organic process where these hacker groups, once they get big enough, will naturally need to ally with established mobs for protection and coordination. Nothing will stop that at all.

Western law enforcement is working very hard to get better cooperation from places like the Ukraine and Russia with at best mixed results.

For example, with the Zeus crackdown of a few months ago, it was genuinely exciting. Five Ukrainian masterminds were picked up by the authorities there as part of the investigation. But those people were not charged with the crime. They were picked up. Their computers were taken in - and they were released. The Ukrainian authorities said they would investigate and there would be charges within a week. But it's now been three months and as far as I know nobody has been charged.

That sort of thing happens over and over again. One of the greatest ATM related rip-offs in history was the Royal Bank of Scotland WorldPay where hundreds of people went to ATMs in a 12-hour period and went through $US10m.

Amazingly, in Moscow the FSB (ex-KGB) arrested the Russian brains behind the operation. He got convicted and everybody was very happy. But it then emerged he had been sentenced to probation.

We have some serious geopolitical legal problems that are not really being dealt with in the open.

iTnews: What do you make of the emergence of Anonymous in this Post-WikiLeaks environment? How will that factor in the issue of cybersecurity?

Joseph Menn: It means the continuing development of technology is putting more power lower down to the end-user for good or evil. It is kind of amazing that you don't need a botnet anymore. You don't need to be a crime lord.

It's all so user friendly now. To use Zeus, for example, you don't need to know how to code. To participate in denial of service attacks you can just download one of these handy things from [the internet].

Anonymous is mostly teenagers, not terribly well organised but a lot of people even if they sympathised with the attack on a given target will disprove of their methods. But it is having some impact on major companies from your arm chair. That's a new thing.

iTnews: We are seeing a lot of reports of the so-called Internet off-switch that occurred during the recent Egypt demonstrations. Is this likely to catch interest with more westernised digital economies? I saw a report that the issue is provoking interest in the US, for example.

Joseph Menn: I'm actually going to write a little bit on that, today. It certainly has brought attention to the fact that this proposal is live in Congress. It was taken off before because it alarmed civil libertarians and it was probably not that critical in the final analysis. The President has a lot of authority. It would just make it explicit.

For that matter - I don't think it would work. There would be international dial-up alternatives or other ways to get online.

The Bill was initially presented as something to satisfy those most paranoid about the bad things that can happen on the Internet.

Now that we see that one of first countries to do this nationally is a leadership without a lot of sympathy in our country, this has already stirred up folks that normally wouldn't be paying attention. They're saying - "Oh the only people that seem to need to do this are dictators." That taints its initial appeal and does not help the Bill's chances at all.

iTnews: There were moves in December in the UN to increase its oversight of the Internet. It has been framed by some as the States trying to reduce the multi-sectoral ownership and control of the Net. Are we likely to see more UN moves of this kind?

Joseph Menn: It's an alarming development. The problem is that the countries that have been pushing this are talking about representation for the poorer States. But they are not talking about representation from consumers or industry or anyone else.

I can see an argument why the UN should take more of a leadership role. But if it doesn't include people from any other sector except Government, then it will be pretty lop-sided.

Unfortunately we are seeing lots of Governments, individually, assert more control for a variety of reasons. It could be to keep an eye on dissidents. It could be to protect their citizens from crime. But it is definitely the way things are going.

I know I said lots of people need more power. But I don't think Governments should be the only ones to exert that power.

iTnews: Where do you see the role of security providers such as Symantec, McAfee, Sophos etc at this time?

Joseph Menn: There's a problem in that people are much better protected in the enterprise than they are at home. Consumers have already lost, Howard Schmidt (US Government's IT Security Czar) told me. Some products are better than other products. But people at home are nowhere near as safe as they are in an office that has gateway monitoring and other fancy services.

I'm much more likely to do online banking or something like that from my office than my home. And I'm a fairly sophisticated user.

There are several structural problems here. A lot of these anti-virus companies don't really play well with each other. It's hard to have more than one running on your machine at the same time. There is no-one solution that catches everything.

Even from a small or medium sized business perspective, it's very hard to know whether you are spending your money in the right place. There's some fancy stuff in the market available to the biggest companies - and I'm glad they are taking advantage of it. But it's not trickling down fast enough to medium-sized businesses.

iTnews: What will be the impact of the market interest in cloud computing to cyber security trends?

Joseph Menn: We have the potential to make it better. Particularly if you are a smaller business, you are leaving a lot of security in the hands of a lot of people that are extremely good at it.

But regulation makes this all very messy. We are still quite a way from the point where folks with personally identifiable sensitive information - such as health care providers, financial institutions and the like are going to plunge into this. It's more a good thing for small and medium sized businesses that are not in that sort of hyper-regulated environment.

But there is a lot of security work that has yet to be done - and it gets tricky when you cross borders. That'll take a while to work out.

John Hilvert if a former policy advisor to the IIA.