Trade Law Daily is a service of Warren Communications News.

Attack on Consumer Security Education Throws FTC, DoJ on Defensive

SAN FRANCISCO -- Govt. officials defended security-education campaigns against criticism by a technologist who called many consumers “stupid” and an inherent weak link in defense against Internet attacks. Marc Groman, FTC chief privacy officer, said it wasn’t “helpful” to characterize consumers that way -- as fellow panelist Ira Winkler just had. Winkler is Internet Security Advisors Group pres., an author and a former NSA employee. Later, Winkler softened his statement, calling many consumers “naive” and “uneducated” about security. The dispute arose in an RSA Security conference discussion here late Wed. sponsored by TechNet and the Business Software Alliance.

The millions that eBay spends on education about phishing is “going to waste” because the effect on behavior is negligible, Winkler said eBay employees have told him. Consumer education has “been proven ineffective at this point, unfortunately,” he said. The unidentified eBay employees think that only “integrating security into the infrastructure” will work, Winkler said.

The law should make ISPs responsible for the viruses, spam, spyware and other attacks they “are allowing on their networks,” Winkler said, to applause. Mandatory attack tracking by ISPs could have prevented the attack Tues. on the Internet root servers (WID Feb 7 p9), he said. Winkler also called for a law targeting botnets, much stiffer penalties for convictions of cyber crimes generally, and increasing “10-15 times” the resources given law enforcement. Current efforts are “a drop in the bucket compared to a big problem,” he said, again to applause.

“It does make sense to educate the consumer,” replied Christopher Painter, principal deputy chief of DoJ’s Computer Crime & Intellectual Property Section. Consumers have responded by taking cyber threats more seriously than they had, he said: “It’s an ongoing process.” Robert Maynard -- who was an ID theft victim and is founder and COO of prevention vendor LifeLock -- compared taking security measures to “eating vegetables”: People know they should do it but don’t. Most users are willing to take the step of paying someone to deal with security, but then they want to be able to forget about it, he said.

DoJ is working with search engines and ISPs on technical ways to keep people from collecting information online for fraud, Painter said without elaborating. He said the Dept. also is attacking the criminal networks that distribute and exploit such data, which often are different people from the information gatherers.

Botnets have become the “Swiss army knives” of online attacks, used for spam, ID theft, denial of service attacks and putting sniffers on PCs, Painter said. They're especially insidious organizations because they're often spread across multiple countries, they're adopting “new channel control techniques,” and “you can’t just cut the heads off these networks” to put them out of business, because when the bosses are taken out, others can readily replace them, he said. DoJ is collaborating against botnets with law enforcement around the world, Microsoft and others, Painter said. -- Louis Trager

RSA Notebook…

The chief of DoJ’s Child Exploitation & Obscenity Section endorsed a Senate bill that would broaden the category of companies required to report child pornography to the National Center for Missing & Exploited Children and would impose harsher criminal penalties on ISPs and other Internet companies for violations. It’s the Senate counterpart to HR-837 (WID Feb 7 p1). “We support anything that would help, and this would help,” the DoJ official, Andrew Oosterbaan, said of the bill by Sens. McCain (R-Ariz.) and Schumer (D-N.Y.). A pitfall in monitoring is that altering pictures can prevent them from being detected by matching them against images in a database, he said on an RSA Security conference panel late Wed. about the Internet and sexual dangers to young people. Oosterbaan called the whole issue a “tough, tough problem” because pedophiles are “a highly motivated group. They're going to find a way to do what they want.” He appealed to the “smart people” in the audience to help create useful technology tools. Oosterbaan, who has a 12-year-old son, said: “I'm not the expert on how to raise a child safely. I'm as scared as anybody else.” Sharon Cooper, CEO of Development & Forensic Pediatrics, said technology is needed to block live online transmissions of sex acts involving minors. Facebook tries to prevent exploitation of young people by tying the connections its site creates into “real-world networking,” said Chief Privacy Officer Chris Kelly. Those under 18 must be members of a Facebook high-school network, to keep out sub-teens as well as protect those who can join, he said. Members are accountable for imagery they post, through links to their profiles, so “there’s not a place to hide on Facebook if it’s illegal,” Kelly said.

--

The U.S. Computer Emergency Readiness Team’s watch & warning staff will be housed with the communication sector’s Information Sharing & Analysis Center (ISAC) and representatives of the IT industry starting this month, the top U.S. cyber security and communications-protection official said Thurs. This will increase preparedness to fend off attacks on the converging communications and information networks and targets beyond, said Greg Garcia, asst. secy.-cybersecurity & telecom in DHS. He said at the RSA Security conference in San Francisco that he expects the collaboration to be extended across additional industries. Garcia also said his office will bring in DoD counterparts to help “refine written documentation” for how US-CERT and industry representatives combine forces in responding to cyber attacks. He urged companies to join their industries’ ISACs and sector coordinating councils for preparedness and response.