The other day I had a chance to chat with Steve Santorelli, director of global outreach at Team Cymru (pronounced kum-ree), a security research and investigation firm that is often privy to some fascinating, granular data on network attacks, as well as fairly unique holistic views about large-scale Internet threats.
Santorelli wanted to interview me as part of their ongoing Who and Why Show, and gave me a few minutes to answer the question, “What keeps you up at night?” My answer was basically that I worry what will happen to the Internet as we know it when people start to die in a measurable way because of computer and Internet security vulnerabilities and attacks.
Click the embedded video image below to listen to the short interview.
By the way, the title of this post is an open-ended question: Are there Internet/computer security threats that keep you — the reader — up at night? If so, sound off in the comments.
Yes, agree. I said this to law enforcement in 2003 (DHS & RCMP). Some thought I was nuts (RCMP Sergeant rolled his eyes), at least one DHS guy knew what I was talking about. My only surprise with the London bus bombings was that there wasn’t a cyber component; it would be trivial to rent or buy a localized botnet to overwhelm 9-1-1 systems (already happened in early 2000s in Washington state), and hospital C&C systems (already happened in California).
Bob Shaw, who formerly dealt with Internet-related policy stuff for the ITU, called such an instance a ‘Titanic moment’, referring to government regulation of HAM radio space after the Titanic disaster, wherein unregulated use of radio led to delays in rescue attempts.
Of course there will be a reactive government approach, likely as ham-fisted and ineffective as TSA is to air travel, should such a thing take place.
The ONLY way to avoid that is to have them develop effective policy and laws first, and then allocate sufficient resources to apply them, and then, well, actually apply them.
Botnetters need to be taken out, vigorously, and soon, before the inevitable happens. That means we need to have far greater international cooperation with Eastern European countries.
But I do have to wonder, how effective will diplomacy be, when we saw evidence of botnets being used in conjunction with the initial bombing runs in Georgia. That seems to imply that the two botnetters involved have close relation with the Russian military. Friends of convenience or more??
The Coalition Against Unsolicited Commercial Email
I also worry that the spread of spam and malware will eventually kill the Internet. The good guys are having to play whack-a-mole and yet the problems seem to get worse all of the time.
First of all, thank you so much for your great work over the past years! I have learned a lot from what you have been writing on those subjects. Please keep up the good work which is being read also here in Norway.
Regarding your question I must say I sleep a little less nowadays than I used to! The development the last few days in the matter of China, Google, the sovereign German outrage about MS-IE, EU-US trade protectionism, cyber security- and surveillance, really sends creepy chills down my backbone. The streets of cyber city are really getting significantly “smoggier”, so to speak. More – and more thereof – severe attacks and ditto protectionism. Even between countries that for a long time have been friends and allies.
It’s difficult to see where this ends, but not so hard to imagine where it c o u l d end. It is such a sad story. Freedom sure ain’t what it used to be and that’s an under-statement of raw but hidden power.
As a regular consumer I feel attacked from both sides and almost every side to the mere facts of it. The crooks are snooking for our c-card credentials and who knows who else (the other crooks) are looking through our machines and our movements around the ‘net nowadays. I feel it’s not going in the right direction.
(Now; pardon my English as I am a Norwegian and my native language is not English. I hope it didn’t get lost in translation!)
Well here is my 2 cents worth:
As long as most users/computer owners treat their computers like toasters/TVs the bad guys will win. I work in a business with 250 plus employees and 127 workstations (last count), I am asked at least once a week to look at someone’s personal computer that is acting up.
Almost every computer has had some type of Malware, and on almost every computer the 90 day antivirus trial has expired.
Right on spot!
But here’s one thing you probably should consider. Since you clearly are a person who cares about people around you, you really have to think about how it’s affecting you. If it keeps you up at night it’s most likely gonna hurt you some day into the future and bring you some kind of health trouble. Maybe even worse. I’m sure that would be a sad day for your family, your friends and most certainly your colleagues as well. Valuable humans like you need to take care of themselves. Otherwise there’s no hope even for the rest of us “mockertoasters”! And don’t forget to use the word “No” from time to time 🙂
What keeps me up at night is being part of a major corporation that still runs IE6 due to “Oracle compatibility” issues, still runs Adobe Reader 8.1.x because it’s “someone else’s software” and the team can’t be persuaded to update it, still runs Flash Plugin 9.0x. for the same reason, and continues to have ZERO management response to users who are having their machine reimaged for the 9th time after “taking it home for the weekend”.
Looking the other way is a poor defense, something we manage to prove daily…
Oh! Don’t get me started on Oracle, the software that lost 500 of our orders and put our company behind for months. (1999)
And they STILL haven’t learned? Sheese!!!
You do some great work Brian. Keep at it.
What keeps me up at night? Small businesses that are connected to the Internet.
The last thing that kept me awake was checking a new customer’s application server. The owner and I had a successful meeting. We had discussed getting a network topography created to help me understand his application set. That night, on a dare from my wife, I tried logging into both servers using RDP. Administrator and Password of course. I was shocked when it worked. Both M$ Windows 2003 R2 servers were wide open. No AV/MW protection at all. Just for grins-n-giggles I opened IE 6.x on the app server and checked the history. http://www.auto.ru was the last entry. It was sheer luck that they had just logged on that day. I tripped off the app server and domain controller and then shut down the cable modem (that one was a little tougher: just admin and blank). I was there at first light to “sell” a few things to the owner. True story.
Most small businesses think they are too small to be noticed. Many more feel they get a poor ROI on AV/MW/Firewalls/site blocking/SSL email or banking/and least-privilege user. Most fail to understand the importance of automatic (and free) updates. Most assume that IE is OK since M$ Office works so well. Most assume that Firefox is only for geeks. I could go on for hours.
Most small businesses cannot afford even a medium level of Internet security from IT consultants. They simply will not prepay for three to four hours of monthly security service. It is tough to change that mindset when all their other costs are soaring.
What keeps me awake at night? The day that I tell a small business owner that I have to re-image all his servers and workstations using dated/suspect/missing backups. (These tapes from Dell cost $40 apiece and you want me to buy 10 of them? Can’t I just use a USB drive from Best Buy?) Can I really charge a client who is dead-in-the-water $3,500 to $4,500 for a 36-hour marathon rebuild session? Can I afford not to?
I feel your pain David! Fortunately my SMBs are so small they don’t even have a server, and couldn’t afford one either.
I use LogMeIn to remote in to help them through gateway services. These nifty affordable hardware devices give them cheap third party automatic support, and I can go into their LAN without punching holes in their firewall to give them a hand.
But that is life in the desert. I hope you continue to find solutions for your customers! The small businesses of America will save this country some day, if they haven’t already!
Many years ago, after being promoted to a management position, I asked my boss what his definition was of good, effective management. Without hesitation he replied “good management is anticipating problems before they occur and taking action to prevent them from occurring.”
Clearly this is something that is not happening with regards to the Internet. Current problems were not anticipated or dealt with effectively. Neither are future problems. Considering that the IPv4 address space is expected to be exhausted next year and that IPv6 is projected to have a 25% penetration this year, it’s obvious that solutions are slow to be implemented.
The core issue relating to Internet security is that people who misuse the system are not held accountable for their actions. The only way to resolve this problem is to limit the means by which these people can remain anonymous. Which means we all lose some of the freedoms we have long taken for granted.
Identity and credit card thefts perpetrated against old people with little money and even less computer security knowledge.
Also, your email form uses the same character for 0 and zero…
Just curious: What do you think of the proposals to increase security by making the Internet less anonymous? Certainly the Internet as we know it would change. We would give up privacy but we would have the tools to shut down lots of malware-hosting computers.
My personal opinion is that the Internet will migrate towards less privacy as we increasingly trust it to handle critical operations. But we most likely will have to go through a catastrophe before we recognize the need.
I think Internet crimes are “free” crimes with no penalty
In my vicinity, a judge sentenced (a hopefully former) nurse to jail today. Her charges stemmed from the theft and use of the identities of nine of her patients — all senior citizens. Her sentence: 2 years. And that’s a sentence that reflects the gathering of physical evidence.
For Internet crimes, I think the culprit will always try because it will take a while to find and charge him or her. By that time, the culprit could move onto something else. Currently, there doesn’t seem to be a good stiff sentence for crimes committed via the Internet. If the only deterrence is a slap on the wrist, people will try it just for the quick thrill. It’s sort of like robo calls, the politicians know it is happening, but they just can’t bring themselves to add any real muscle to the laws.
What keeps me up at night? Thinking of the possibility that a key logger program might exist on my PC or my wife’s Mac.
I use a limited-user account on the PC and a free ZA firewall and two or three free antispyware programs and MalwareBytes Anti-Malware and . . . (you get the point), but I still worry.
I just discovered my brokerage account’s site allows me (or anyone logged on as me) to issue checks to third parties! (I need to ask if that feature can be disabled.)
I often use my wife’s Mac to do sensitive financial stuff (like paying the IRS online), but she is blasé about security, so I wonder if the Mac is any safer.
Bottom line, I wish you Brian were still on Security Fix Live to address our needs and concerns and to give us neophytes information we can actually understand and use.
I also fear your audience will now be limited to professionals and, thus, the content will be directed to them.
Thanks for all you’ve done to help us sleep at night.