(In)Security: Be Afraid, Be Very Afraid

August 13, 2006

This year marks the 25th anniversary of the PC, and the 20th anniversary of the appearance of the first PC virus, Brain, which spread between PCs on floppy disks. Things have moved on a bit since then. There are now thousands of known viruses and we have a vast catalogue of other ‘malware’ to contend with, for which the preferred delivery mechanism tends to be the Internet.


The possible consequences of IT security breaches for a firm are well known: loss of critical data and modification of software, with consequent damage to the functioning of the firm and its profitability; loss of reputation and resulting impact on attracting future work; compromise of third-party and client data and subsequent legal and regulatory liabilities. These consequences are not further considered here. This article seeks to raise awareness and to outline the perilous nature of the environment in which we all now work, to suggest what you can do to protect yourself and to comment on what others are doing and what is available to enable you to undertake that self preservation.


The article assumes that the computer operating system firms use is Microsoft Windows. It is often said, with some accuracy, that by switching to a different operating system, eg Linux or MacOs, many of the security vulnerabilities to which Windows users are exposed would evaporate. This might be true but the reality is that most lawyers use Windows and are unlikely to move in the near future.


How bad is the current situation?


My overall impression is that the security industry is (just about) keeping itself ahead of the relentless attacks on IT systems and exploitations of vulnerabilities, in all their manifest forms. This impression is nicely encapsulated by the title of a recent report on the findings of one of the security surveys carried out this year: Controlled Chaos. However, one of the most worrying aspects of the current situation is the changing nature of IT-related wrongdoing. It is no longer being perpetrated largely by the archetypal disaffected, spotty teenage hacker in his bedroom, who overtly displays and trumpets his exploits for the sole prize of some kudos from his peers. It is increasingly committed by (organised) criminals – covertly, meticulously and ‘professionally’ – whose goal is financial gain.


This is a (perverse) result of the Internet’s success and its increasing use by business. The more businesses and consumers move online, encouraged by the widespread availability of cheap broadband, the more profitable it becomes to invest time in determining how to exploit these users. For the villain as well as the law-abiding citizen, the Internet is increasingly a ‘good place to do business’, and recent reports illustrate just how worryingly ‘sophisticated’ the approach of the crooks to their activities is.


For example, according to security company McAfee in its ‘Global Threat Report’ for 2006, malicious software writers are increasingly using open-source methodologies and tools to share and modify source code when developing their tools. This includes distributing the code with documented explanations and annotations of how it works, to help others adapt it. McAfee says that malware now has a long-term development cycle, with code developers and debuggers, betas and final versions and other aspects that mimic the techniques used in legitimate open-source communities. Indeed, almost all the elements of a business are present: financiers, someone to provide host sites, beta testers, quality assurance.


What menaces are out there?




Of all the current malware, viruses have been with us the longest. The threats they pose are fairly well known. They continue to be the single biggest cause of the worst security incidents.




Phishing usually consists of a fraudulent e-mail sent to an individual in an attempt to extract personal/confidential information which the perpetrator can use for financial gain. Security research firm Sophos Labs claims that 58% of people receive at least one phishing e-mail every day. Recent statistics from the Anti-Phishing Working Group (APWG) support this, noting 15,244 unique phishing reports in December 2005, up from 8,829 in December 2004. This would seem to provide evidence of the increase in financially motivated computer crime. In the light of this trend it is concerning to note that a recent survey report by the portal Get Safe Online found in particular that UK Internet users are ill-prepared to spot and avoid malicious e-mail scams.




A particularly insidious threat is posed by Trojan horse software. Such a program appears to serve a legitimate purpose, but performs some undesired activity when it is run. It may be used to locate password information or otherwise make the system more vulnerable to future unauthorised entry, or simply destroy programs or data on the hard disk. It may allow somebody from a remote site to take control of the computer. Trojans are often attached to free games, other utilities and unscrupulous Web sites. In one recent Trojan, an incident in the World Cup Final was used as bait to entice people to a sham Web site and to install malicious code onto their PCs. Trojans may be combined with Rootkits.


Rootkits (Trojans and Spyware)


Rootkits are used to make system changes to hide software, including themselves, which may be malicious – eg to hide a Trojan horse that opens a backdoor on an infected system, putting it at the beck and call of an attacker. On such a compromised system an attacker could then install or modify components or use the machine for illegal activities without the user’s knowledge.


A rootkit might be used to hide spyware, such as a keylogger, to steal critical personal information that may not even be stored locally on the computer; for example a user’s credit card number or passwords. McAfee believes that one in seven malware incursions currently use rootkit technology to obfuscate their actions. By 2008 it expects over 84% of malware to be disguised by rootkits.




Ransomware is software that encrypts some user data, making them unusable, so that money can be extorted in return for their decryption. In a typical ransomware attack, a computer earlier breached by a Trojan is remotely accessed, files are encrypted and then the victim is sent an e-mail demanding money in return for the encryption key that will unlock the frozen files.


Recently security experts have observed that the established security companies could be reaching the limits of the succour they can offer in this context. Although at present they can recover the keys that tend to be used in these attacks within a reasonably short space of time, keys of greater length (330- and 660-bit) are already pushing the boundaries of modern cryptography. Anti-virus companies might find themselves unable to reverse the encryption in the future.


Where do the greatest security threats lie?


All the threats we have discussed usually originate as external threats. Along with others such as hackers, worms, botnets and (distributed) denial of services attacks, they have a high profile. But other vulnerabilities which receive less media attention might be more easily exploited and may result in greater loss.


Portable devices


Removable media, such as USB memory sticks, and mobile devices, such as phones and MP3 players, are all in themselves innocent enough. However they are also easily connectable, concealable, and increasingly capacious data stores on which intellectual property, financial data or confidential documents might ‘walk out’ of an organisation.


An amusing illustration of the seriousness with which those in the know treat this danger comes courtesy of Ki-Tae Lee, CEO of Samsung, who apparently believes his company’s latest phone to be such a security risk that he has banned employees from using it in the office. Lee said that its 8GB of in-built memory “is more than enough to steal all confidential data about our company”.


Customer/client networks and partner networks


Such networks contribute to the creation of a somewhat paradoxical situation. Businesses in the legal field and beyond are forever being implored to employ more client-facing IT services and to open up their resources and networks to clients and third-party collaborators. Often this exhortation is framed as a prerequisite to survival rather than a mere aspiration. However, such an act seems to run contrary to received wisdom regarding IT security, which recommends keeping things as closed as possible. (The only secure network is one that is down, the only safe computer is one that is off.)


One might have solid security in place for one’s own computers but the individuals and devices on the customer and partner networks with whom one is obliged to interact are outside one’s control. Hence the paradox: by opening up to survive one might be exposing oneself to greater potential for one’s demise (or at least severe damage). If you consider this speculation fanciful, recall the recent LexisNexis incident and note the comments made in its aftermath on the difficulty of maintaining security when one has to consider networks beyond one’s own. Would a smaller organisation have survived the damage to its reputation, let alone any data loss?




What security experts often cite as the biggest threat to any organisation, and the one most often and most easily overlooked, is that from those working within the organisation. It is neatly summed up in the following phrase: “No matter what security you have in place, it’s probably not enough to protect your network from one of your own.”


Indeed some reports, commenting on the incidence of corporate espionage in this context, note that using people in a company is often a cheaper method of accessing a rival’s intellectual property (or other data) than hacking.


What can you do to protect yourself?


Adopt the maxim “prevention is better than cure”. To that end get defences in place and try to anticipate insecurities. The following are some suggestions.


Try to keep your computers from being compromised in the first place


Implement this standard, but ever essential, advice:

· use current versions of the Windows operating system and Office software

· keep them up-to-date with patches, particularly critical security ones – the simplest method will be to run Windows/Microsoft Update; the service costs nothing and also provides a Malicious Software Removal Tool, which attempts to identify and delete such software from PCs (the tool is not a substitute for antivirus software, but it helps)

· deploy up-to-date antivirus software and configure it to automatically check for, download and install updates to ‘signature’ files at least daily

· use a (personal) firewall

· deploy anti-spyware and anti-adware software

· apply all this guidance regarding the use of up-to-date, supported products and patching to all (not just Microsoft) items of software you use.
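To turn the checklist into something that can be verified on a machine rather than merely remembered, here is an added example (my own script, not part of the original article): a PowerShell audit that reports on the operating system, the age of the newest patch and the state of the update service, antivirus and anti-spyware status including signature age, and whether every firewall profile is on. It assumes a current Windows client on which the Defender and NetSecurity modules are present (Get-MpComputerStatus, Get-NetFirewallProfile) and an elevated prompt; the thresholds for patch age and signature age are assumptions chosen for the example.

```powershell
# Added example, not from the article: audit one Windows PC against the
# checklist above. Assumes a current Windows client with the Defender and
# NetSecurity PowerShell modules (Get-MpComputerStatus, Get-NetFirewallProfile);
# run from an elevated PowerShell prompt. Thresholds are this example's own.

$maxPatchAgeDays   = 30   # assumption: no update for a month is a warning
$maxSignatureHours = 24   # the checklist's "at least daily" signature rule

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding {
    param([string]$Check, [bool]$Pass, [string]$Detail)
    $findings.Add([pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail })
}

# 1. Current, supported operating system: report what is running so it can be
#    compared with the vendor's support dates.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
Add-Finding 'Operating system' $true "$($os.Caption), build $($os.BuildNumber)"

# 2. Patching: age of the newest installed hotfix and the update service state.
$latest = Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1
$patchAge = if ($latest) { ((Get-Date) - $latest.InstalledOn).Days } else { [int]::MaxValue }
$wu = Get-Service -Name wuauserv
Add-Finding 'Patches' ($patchAge -le $maxPatchAgeDays -and $wu.StartType -ne 'Disabled') `
    "newest hotfix $($latest.HotFixID) installed $patchAge day(s) ago; wuauserv start type $($wu.StartType)"

# 3. Antivirus and anti-spyware: enabled, real-time protection on, signatures fresh.
$mp = Get-MpComputerStatus
$sigAgeHours = ((Get-Date) - $mp.AntivirusSignatureLastUpdated).TotalHours
Add-Finding 'Antivirus' ($mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled -and $sigAgeHours -le $maxSignatureHours) `
    ('enabled={0} realtime={1} signatures updated {2:N1} h ago' -f $mp.AntivirusEnabled, $mp.RealTimeProtectionEnabled, $sigAgeHours)
Add-Finding 'Anti-spyware' $mp.AntispywareEnabled "enabled=$($mp.AntispywareEnabled)"

# 4. Firewall: every profile (Domain, Private, Public) must be enabled.
$off = Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' } | ForEach-Object Name
$fwDetail = if (@($off).Count -gt 0) { "disabled profiles: $($off -join ', ')" } else { 'all profiles enabled' }
Add-Finding 'Firewall' (@($off).Count -eq 0) $fwDetail

# Report, and flag any failed item so the script can be run unattended.
$findings | Format-Table -AutoSize
if ($findings | Where-Object { -not $_.Pass }) { Write-Warning 'One or more checklist items failed.' }
```

Run it on each desktop (or from a logon script) and keep the output; the point of the checklist is that one unpatched or unprotected machine exposes the whole firm, so the audit is only useful if it covers every PC, not just your own.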


Do such points need to be reiterated (yet again)? Undoubtedly they do. A survey of over 200 information security professionals at Infosecurity Europe 2006 found that a fifth of firms had no endpoint security protecting their desktops, half did not use firewalls, a fifth did not use antivirus software and over a third did not keep their desktop operating systems up to date with the latest patches. Disappointing but unsurprising.


When considering the checklist, remember to check not only your own computers and devices but also to remind your colleagues. One compromised machine in an organisation is a threat to everyone.


Think ahead


Think about the vulnerability of your data when leaving your environment, either intentionally or unintentionally. Use encryption to protect confidentiality when possible. That way, hopefully, the intercepted email, the laptop left in a taxi or the handheld device for which you are mugged will not hold any usable information.


Educate your users – nurture a culture of secure working


Rootkits often enter an organisation by being secretly bundled with free software downloads or by exploiting an application vulnerability in Web browsers or e-mail. Instructing people how to use software, and what not to do, can lessen the likelihood of a security breach. Additionally, emphasising the threat to them personally as well as to the firm, and having well known and enforced policies and procedures in place, can all contribute to safe computer use.


People inside a firm can easily be victims of ‘social engineering’. While it is usually thought of as profiting from more negative human characteristics such as naivety (revealing your password in return for a chocolate bar at a railway station), social engineering can also involve exploitation of more laudable human traits such as kindness (politely holding the door open for a smart, well dressed person laden with a stack of documents). This needs to be thought about and education (and technology) employed to prevent and mitigate negative possibilities and their consequences.


Consider the overall picture – try to see the wood and the tree


People and processes, as well as the systems/technology, all need to be considered. Moreover, it is important not to lose sight of the bigger security picture which affects IT as much as other important firm assets; physical security (locks, passkeys, alarms, etc) is one example. Additionally, be aware that your particular firm might be more at risk from older forms of technology than those related to cybercrime.


Make the best use you can of the technology available


There are plenty of products available that claim to address particular security issues (eg to control which USB devices can be connected to which computers and what they can do once connected) and plenty of advice on how to configure, deploy and use them.


The problem is having the time and people/expertise to test, evaluate, implement and integrate the products, not to mention the cost (although cheap and free products are available). For example, it is well known that, as regards wireless networks, WEP is a weak encryption protocol and that there are tools freely available on the Web to enable WEP keys to be discovered in a matter of minutes. WPA2, preferably using AES, should be implemented. However, whereas the version of the WPA2 specification called ‘Personal’ is easy to set up, it is less secure than the ‘Enterprise’ version which “could be almost impregnable but is far harder to implement.”


Likewise, if you have remote workers, one of the most secure ways for them to access your corporate network over the public (and inherently insecure) Internet is via a VPN (Virtual Private Network). A VPN ensures that all traffic (e-mail, file transfers, Web access) between a remote VPN client and the VPN endpoint on the corporate network is encrypted (it creates a secure tunnel through which communications between these two points travel). However installation, configuration and management of the endpoint will be required, as may additional client software and set-up on the connecting devices.


Keep reading, keep prepared


Finally, on preventative security and equally relevant to recovery from a breach, continually educate yourself. Be prepared.


Insecurity in the security market?


IT security is vital, should not be considered a part-time activity, can be difficult (to comprehend let alone attempt to implement), can involve disparate, possibly incompatible, products and can be expensive (but usually no more so than insecurity).

Given all the time, effort and difficulty involved in managing IT security (particularly for the smaller concern which may lack dedicated IT staff), what if any relief is there on the horizon?


Over the past 12 months the security market has been slightly stirred due to Microsoft promising integrated, easy to deploy and manage security products, for consumers and small businesses on the one hand and enterprises on the other.


Whatever one’s view of the possibility of Microsoft once again exploiting its monopoly position to undercut and destroy rivals in yet another area of IT, its move has undoubtedly acted as a spur to the established players such as Symantec, McAfee and Trend Micro to develop (or improve) similar offerings. One can only hope that the customers of the security vendors will benefit from the competition.


Microsoft’s consumer and small businesses product, Windows Live OneCare (currently available only to US residents), comprises antivirus, Trojan, worm, and spyware elements and firewall, backup and performance tuning capabilities. It is subscription based. Its other development, Forefront, will comprise client and server protection for larger concerns.


In the wake of the OneCare announcement, all major security companies have said they will release similar products, and some have secured alliances with major ISPs/portals in an attempt to deflect the Microsoft threat to their business. For example McAfee has recently released a beta version of McAfee Total Protection, offering a complete suite of security and system-maintenance tools.


AOL is testing a new security software bundle that it will market not just to subscribers, but to the general public, called Total Care. It includes security and PC health and tune-up tools and backup features. McAfee provides the security basics: firewall, virus shield and spyware protection. The final release of Total Care, due later this year, will also include protection against identity theft and phishing. Pricing for the product has not yet been determined.


Also, Symantec and Yahoo have unveiled a joint consumer Internet security service.


While the increased competition among security product providers triggered by Microsoft’s entry might on first impression seem good for the customer, on reflection it may not be so. In the past, when not rivals, Microsoft and the likes of Symantec and McAfee have shared insights they had into software vulnerabilities to ensure the resultant products were as effective as possible. As (potential) competitors there is already evidence of a reluctance to be so open. Additionally, for the established players, there will always be the obvious suspicion that Microsoft will try to keep APIs and other inner workings of its products to itself (whatever anti-trust obligations it may have agreed to) in order to ensure that its own security products are more effective.


All this is obviously unfortunate as reluctance of either side to share knowledge with the other can only have a detrimental result on the level of protection afforded by security products available to the user.




The battle between those attempting to breach security and those trying to maintain it is relentless. It seems likely to become even more intense. According to McAfee, the tally of viruses, worms and Trojans is climbing so fast that today’s total will double in the next two years. “It’s remarkable that it took 18 years for our database to reach 100,000 malicious threats, and just under two years to double to 200,000,” said Stuart McClure, senior vice president of research and threats. “Hackers are releasing threats faster than ever before, with 200% more malicious threats per day than two years ago.”

And just in case you thought you had enough to contend with given all that has been mentioned thus far, I thought I would leave you with this snippet.


Many of you will be aware of the current ‘buzz’ surrounding Web 2.0, which is touted as the next generation of the web. Supposedly it will be a great enabler of the online collaborative working and sharing of information culture that lawyers, amongst others, are being increasingly urged to embrace. Few doubt that, whether or not the actual phrase ‘Web 2.0’ serves any useful purpose, the underlying technologies will become pervasive. Unfortunately security (as always) has become an afterthought and malicious code is already taking advantage of the enhancements to computer interaction that Web 2.0 offers. Recent high profile attacks have been on Yahoo Mail and the hugely popular social networking Web site MySpace.


Still not scared?


Alastair Morrison works in IT at Strathclyde University: alastair.morrison@strath.ac.uk.