Thursday, May 28, 2009

Stupidity Can't Be Patched



People with evil intent couldn't get what they want most of the time if their victims were aware enough of the risk of what they are doing. Clicking a link is way more dangerous than it looks.

Being a security professional, always talking about security, vulnerabilities, malicious websites, all this stuff made my family kind of aware of some of the risks involved with cyberspace. A couple of days ago, my little ten-year-old brother came along and asked me, "Did you leave me an offline message with a link?" I was really proud of him! He does nothing on the computer except play games and chat. However, he didn't open the link because it had nothing proving that it was from me. Actually, I am the one who sent him this link about the newly announced "Thief 4" game because I thought he'd be interested in the pictures!

Usually when I send a link to someone, I add a couple of words that identify me, like "hey jimmy, remember our talk last night about thief 4, i found this, check it". James is now confident (to an extent) to click the link because I called him Jimmy (which I usually call him) and I told him about something that we did last night (our talk about Thief 4). It depends, of course, on the link also. If the link says gamespot.com/blablabla, then it makes sense. But if it's atyk.123.msnet.com/index.php?james%20hotmail.com, that would definitely raise James' suspicion. But when I sent my brother the pic, I didn't think that he'd think like that. Seems that his security skills are better than I thought! Good for him.

Tuesday, May 12, 2009

Cybercrimes and Law



Everything we have been talking about to prevent cybercrimes has nothing to do with the real criminals themselves! All this geeky technical stuff is good, but cybercrimes are really very easy to commit, and very tempting, because the punishment is not imminent. Usually, when cybercriminals are carrying out their attacks, they have this feeling that they are safe, because they are sitting at home or at a cyber café, physically far away from the "crime scene". Why are cybercrime numbers raging while physical crimes are coming to a settlement? This question cannot be answered directly. However, one can argue that cybercriminals usually do not have a picture of what can happen to them if they are caught, and usually they think that they will not get caught at all! We have to have stricter laws that define cybercrimes and their penalties. Some countries have some laws, others have few laws, and others do not have laws concerning cybercrime at all! Even countries that have laws do not spend much effort on tracking and hunting down criminals. Also, trials of cybercrimes have to be more publicized. People have to know that playing around in cyberspace is not a game anymore and that there are strict laws that are well applied.

The United States is taking good steps in that direction. We have John Schiefer, a botmaster, sentenced to four years in prison and fined $20,000 and earlier in 2007. Also, Microsoft announced in February 2009 that it is offering a reward of $250,000 to anyone who can provide information that can help arrest the creator of the Conficker worm (i.e. the botmaster of the Conficker botnet). “Microsoft’s reward offer stems from the company’s recognition that the Conficker worm is a criminal attack,” a Microsoft statement said. This is actually a good start. However, this is not enough. The cyber world is so small that countries cannot be separated in cyberspace. In order to teach the cybercriminals a lesson, we need this spirit to propagate to the Far East, the Middle East and Russia as well, and to become well established through national and international laws.