IT companies have to protect public, say experts

Consumers, government and technology companies have to step up to the plate to thwart increasingly sophisticated cyberattacks, experts on a security panel said on Wednesday.

In a discussion before a group of Silicon Valley business people organised by the Churchill Club, a panel including representatives from Cisco Systems, Microsoft and the US Department of Homeland Security discussed recent changes in cybercrime and what can be done to fight it.

A grim picture was painted of reality. Hackers were once perceived to be teenagers testing computer security for fun. But over the past 18 months or so criminals, spammers and teen hackers have joined forces in online crime rings, said Marcus Sachs, deputy director of the Cyber Security R&D Center for Homeland Security.

"It is a business. There is prosperity... and unfortunately the public is not well protected," Sachs said. Cybercriminals engage in activities such as selling access to networks of hacked PCs to send spam or launch attacks, or selling details of new security vulnerabilities so systems can be compromised, he said.

There will always be people who are up to no good, said Scott Charney, a vice president at Microsoft who heads up the company's Trustworthy Computing Initiative. "The key thing to remember, the Internet is a phenomenal medium for committing crimes. It is global, anonymous and untraceable."

Standing up to cybercrime is a shared responsibility of users, vendors and the government, the panellists said. For consumers, it is about awareness, said Brad Boston, chief information officer at Cisco. Everyone needs to care about and understand their responsibilities when it comes to using technology, he said.

While organisations have trained professionals such as CIOs to care about training their users, general consumers don't, noted Microsoft's Charney. Internet service providers should step in to fill that gap, he suggested.

"Users can not completely abdicate security... The access providers have to help with protection and quarantine and diminish consumer responsibility to a point that they can handle," Charney said. "We are not quite there yet."

Microsoft is doing its bit by strengthening the security of the Windows operating system, Charney said. The company is also readying an antivirus, antispyware and firewall product called Windows OneCare, a test version of which is due out later this year.

Sachs stressed that technical tools such as antivirus and firewall software are not enough to protect users. Education on using the Internet and identifying threats are also part of the solution, he said.

Then again, the attacks keep getting smarter. Attackers are now hosting their own DNS, or Domain Name System, servers to route victims to fraudulent Web sites. These DNS servers continuously appear in different places on the Net, Sachs said. The different locations would make it harder to shut down the servers.

"It is one of these emerging threats and we don't quite know how to stop it," Sachs said.

Also, in an apparent attempt to trick even security experts, Sachs' researchers found malicious code that would act differently when it was run on a virtual machine or on an actual PC. Researchers often use virtual machines, or virtual instances of a PC, to test what malicious code does without actually harming their systems.