
Security Q&A: Your questions answered (Part 2)

Holding data to ransom, scaremongering, internet law, spammers making money, the uber-virus, spyware at home - and many more of your concerns addressed...
Written by Will Sturgeon, Contributor

Last week we asked you to email us questions to put to our panel of security experts.

Following yesterday's first instalment of this three-part Q&A, here is the second batch of your questions answered. Click on a question to be directed to the answer or read all the questions and answers simply by scrolling down:

The Questions:

Q. If a company's network administrator leaves the company how can the company ensure that the administrator doesn't still have any backdoor access to the company's network, email and systems?

Q. Who makes the most money out of spam? Is it the spammers or the anti-spammers?

Q. What's the most ridiculous kind of scaremongering you've heard in the antivirus world?

Q. Why aren't ISPs forced to filter spam and porn by law instead of charging extra to carry out this task?

Q. Given that cyberspace can be considered to operate outside the boundaries of our current geographic jurisdictions, how should laws or policing be applied inside this realm?

Q. My domain name was recently hijacked by spammers. I complained to my ISP but was told the spammers were using spoofed servers and they were unable to track them down. Was the ISP right to leave it there?

Q. Why can't we solve the problem of spam by going after those who provide the enabling technology such as the payment systems - PayPal, Visa etc?

Q. What laws currently cover the theft of data from your employer? If a member of staff takes an electronic database with them when they leave a company is this treated as a 'computer crime' or like any other theft?

Q. How can the average home user check their computer for any keystroke tracking program that can lift passwords and PINs used for online banking sites and such like?

Q. Do people actually respond to spam?

Q. Will there come a day when a virus can be created to infect any device or application?

Andrew Partridge asks: "If a company's network administrator leaves the company how can the company ensure that the administrator doesn't still have any backdoor access to the company's network, email and systems - other than relying on the honesty of the administrator?"

Mark Morris, head of forensics at Logica CMG, answers:

"This is a difficult situation to control with an individual who has had such a level of access to the infrastructure and systems. We have dealt with a case at a travel company where the IT administrator had correctly stored the back-up tapes off-site as instructed. After her resignation, it was realised that the off-site storage was in fact her garage and the tapes were then used as a bargaining tool, as she realised the employer wished to avoid legal action and negative publicity.

"Depending on the size of the network, there are a number of procedures that the new administrator can undertake, but in particular the enabling of logging can help to identify suspicious activity such as dormant accounts reactivating. We have heard of organisations requiring certain employees to sign undertakings as part of their contract of employment, but the basics such as enforced password changes on all accounts should not be forgotten.

"Careful and thorough vetting of staff is essential in such roles."
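The logging check mentioned in the answer above can be sketched as follows. This is an added example, not part of the original article or the panel's answer; the event format, account names, 90-day dormancy threshold and the `find_reactivations` helper are all assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample authentication events: (ISO timestamp, account, outcome).
SAMPLE_EVENTS = [
    ("2003-11-20T01:00:00", "old_test", "success"),
    ("2004-01-05T09:02:11", "jsmith", "success"),
    ("2004-03-01T08:55:40", "jsmith", "success"),
    ("2004-05-10T09:10:03", "jsmith", "success"),
    ("2004-06-12T02:14:09", "old_test", "success"),   # first use in months
    ("2004-06-13T23:41:00", "admin_old", "failure"),  # departed administrator
    ("2004-06-13T23:47:30", "admin_old", "success"),
    ("2004-06-14T09:01:00", "jsmith", "success"),
]


def find_reactivations(events, dormant_after=timedelta(days=90), offboarded=()):
    """Flag logons by dormant accounts and any attempt on offboarded accounts.

    Returns a chronological list of (timestamp, account, reason) tuples.
    """
    last_seen = {}  # account -> datetime of last successful logon
    alerts = []
    for ts_text, account, outcome in sorted(events):  # ISO strings sort by time
        ts = datetime.fromisoformat(ts_text)
        if account in offboarded:
            # An account that should be disabled must never appear at all.
            alerts.append((ts_text, account, f"offboarded account attempt ({outcome})"))
            continue
        if outcome != "success":
            continue
        previous = last_seen.get(account)
        if previous is not None and ts - previous > dormant_after:
            gap = (ts - previous).days
            alerts.append((ts_text, account, f"dormant {gap} days, now active"))
        last_seen[account] = ts
    return alerts


if __name__ == "__main__":
    for alert in find_reactivations(SAMPLE_EVENTS, offboarded={"admin_old"}):
        print(alert)
```

The check only works if logging was enabled before the gap began, since an account with no recorded history cannot be classed as dormant.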

Lloyd Pople asks: "Who makes the most money out of spam? Is it the spammers or the anti-spammers?"

Enrique Salem, CEO of Brightmail, answers:

"One of the main reasons why spam is such a menacing problem is that unlike many virus writers, spammers actually make money... a lot of money."

Geoff Clarke asks: "What's the most ridiculous kind of scaremongering you've heard in the antivirus world?"

Graham Cluley, senior technology consultant at Sophos, answers:

"Experts from a well-known security company predicting that 200,000 new viruses may appear on 1 January 2000 to exploit confusion over Y2K."

Pete Wheatfill asks: "I would like to know why ISPs aren't forced to filter spam and porn by law instead of charging extra to carry out this task."

Enrique Salem answers:

"Actually, there are many ISPs that do offer spam-filtering services to their subscribers as part of the regular subscription fee. ISPs recognize that spam is a serious problem - it creates huge costs for ISPs due to increased traffic volumes and also upset subscribers. Offering spam filtering at no additional charge is an excellent way for ISPs to retain customers, who have many more choices in 2004 than they did even four years ago."

Rebecca Loades asks: "Given that cyberspace can be considered to operate outside the boundaries of our current geographic jurisdictions, how should laws or policing be applied inside this realm? Is there any benefit to developing 'cyberlaw' that operates outside physical location and if not, how can we police it?"

David Naylor, partner at law firm Morrison & Foerster, answers:

"You raise one of the most difficult questions that law makers are grappling with in the cyberlaw arena. There are many 'stakeholders' that would like to see a unified body of cyberlaw that is applied consistently across all jurisdictions. Many businesses, particularly those with international operations, favour such an approach. For them, complying with the different laws in each jurisdiction is costly; they argue that it simply creates a barrier to free trade.

"Meanwhile, there are plenty of other stakeholders lined up on the other side of the debate. National governments, for instance, tend to be protective about their own sovereignty and the right to set laws they consider appropriate in their own jurisdictions. The more repressive the government, the more hard-line the stance it generally takes. On the other hand, democracies have to perform a more delicate balancing act, since they have to weigh the competing interests, say, of citizens and consumers who typically want to maintain the protections offered by strong national human rights and consumer protection laws, against the interests of the business community, who tend to prefer lighter regulation which is as uniform as possible around the world.

"In the middle of the argument sit politicians, regulators, consumers and consumer groups, free-speech lobbyists, academics, pundits and everyone else who uses the internet and is affected by the laws that govern it.

"In short, there is no 'one size fits all approach' - not at least that everyone can agree on. So the end result is the evolving web of national and, sometimes, regional laws that we currently have at present."

Paul Cullen asks: "My domain name was recently hijacked by spammers who used it to spam people with Viagra ads. I complained to my ISP but they told me the spammers were using spoofed servers and they were unable to track them down. Was the ISP right to leave it there or could it have discovered the location of the spammers with a little extra determination?"

Paul Wood, chief information analyst at MessageLabs, answers:

"They may well have been able to do more to discover the location of the spammers responsible; however, the reality is that much of the information recorded in the email headers can be forged and is unreliable. Often these trails lead back to insecure, virus-infected computers that the spammers are predominantly using to send their spam.

"It could also be argued that it isn't really the responsibility of the ISPs to undertake such an investigation, especially since it can actually involve a lot of work. Likewise, if they investigated every spoofed email address, they'd need a huge team dedicated to the task 24 hours per day. This would likely mean an increase in the monthly fees charged by ISPs.

"Some large corporations who value their brand name very highly have paid large amounts of money for investigators to track down spammers who've soiled their brand name, and then paid even larger amounts to lawyers to stop the spammers. Few of these cases ever recoup the enormous costs involved."
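To illustrate why header trails are unreliable, the sketch below walks a message's `Received` chain from the top and stops at the last hop recorded by the recipient's own mail servers, which is the only entry an investigator can rely on. This is an added example, not part of the original article; the relay names, addresses, sample message and the `last_reliable_hop` helper are constructed assumptions.

```python
import re
from email import message_from_string

# Assumption: the recipient's own mail infrastructure (hypothetical names/IPs).
OWN_RELAYS = {"mailstore.example.net", "mx1.example.net"}
OWN_RELAY_IPS = {"10.0.0.5"}

# Constructed sample. The top two Received lines were written by our own
# servers; the third arrived with the message and cannot be verified.
SAMPLE = """\
Received: from mx1.example.net ([10.0.0.5])
    by mailstore.example.net with ESMTP; Mon, 14 Jun 2004 10:15:05 +0100
Received: from unknown (HELO mail.victim-domain.example) ([203.0.113.45])
    by mx1.example.net with SMTP; Mon, 14 Jun 2004 10:15:02 +0100
Received: from smtp.victim-domain.example ([192.0.2.10])
    by relay.victim-domain.example; Mon, 14 Jun 2004 10:14:40 +0100
From: sales@victim-domain.example
Subject: constructed sample

body
"""

BY_RE = re.compile(r"\bby\s+([\w.-]+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def last_reliable_hop(raw_message, own_relays, own_relay_ips):
    """Return the hop where the message entered our infrastructure, or None.

    Headers are read newest first. A header counts only if one of our relays
    wrote it; we keep descending only while the connecting peer is also ours.
    """
    msg = message_from_string(raw_message)
    for header in msg.get_all("Received", []):
        by = BY_RE.search(header)
        ip = IP_RE.search(header)
        if not by or not ip or by.group(1).lower() not in own_relays:
            return None  # chain is not anchored in servers we control
        if ip.group(1) not in own_relay_ips:
            # External peer: this is the boundary. Everything below this
            # header was supplied by the sender and may be forged.
            return {"recorded_by": by.group(1).lower(), "peer_ip": ip.group(1)}
    return None


if __name__ == "__main__":
    print(last_reliable_hop(SAMPLE, OWN_RELAYS, OWN_RELAY_IPS))
```

The address returned identifies the machine that connected to the recipient's server, which, as the answer notes, is often a compromised computer rather than the spammer's own.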

Lloyd Pople asks: "Why can't we solve the problem of spam by going after those who provide the enabling technology such as the payment systems - PayPal, Visa etc?"

Alyn Hockey, director of research at Clearswift, answers:

"Where do you draw the line in a case like this? Do you go after the banks that allowed the companies that paid the spammers to send the adverts when they deposit cheques from the people who wanted to buy the goods, or even the ISPs who hosted the space on a website where the company was being hosted?

"The steps required for a company like PayPal or Visa to validate what an organisation is doing in terms of its direct marketing are likely to be rejected by them as being too intrusive and too time-consuming."

Chris Wright asks: "What laws currently cover the theft of data from your employer? If a member of staff takes an electronic database with them when they leave a company, is this treated as a 'computer crime' or like any other theft? Would they be prosecuted under data protection breaches or are there specific 'industrial espionage' style offences in the UK?"

David Naylor answers:

"In the UK, there is likely to be a range of legal remedies available to an employer dealing with the theft of data by an employee. The first place to look, however, is generally not the Theft Act. For a start, the courts have been unwilling to treat the Act as giving protection to pure information.

"Instead, the best place to begin is with the employment contract. If the employer has an appropriate contract in place with the employee, the theft of data would almost certainly amount to a breach of contract.

"Even in the absence of a written contract, the law implies into the relationship of employment an obligation on employees not to disclose or use their employers' trade secrets and equivalently confidential information. This obligation applies both during and after the employee's employment. However, the test for what amounts to a trade secret under the common law is quite stringent, so it is always much better to have a well-drafted contract in place.

"It is also possible that the theft of information could infringe the employer's intellectual property rights, if the database has been structured in such a way as to attract protection under the law relating to database rights, or if the information itself is, for instance, protected by copyright. In addition, if the data consists of personal data then its theft would breach the Data Protection Act. (As a side note, employers should be aware they have a general duty to keep personal data secure. If they fail to do so, the individuals whose data has been stolen may have rights not only against the thief, but also against the employer.)

"If the employer does want to pursue criminal charges, the theft of data will generally amount to a breach of the Computer Misuse Act. This Act creates a range of offences relating to unauthorised access and unauthorised modification of computer material.

"Of course, every case is dependent on its own facts and so the above information is intended as guidance only - it doesn't amount to specific legal advice!"

Alice Hollis asks: "How can the average home user check their computer for any keystroke tracking program that can lift passwords and PINs used for online banking sites and such?"

Simon Janes, international operations director at ibas, answers:

"Perhaps the first thing to stress is that despite being a 'hot topic', the actual occurrences of this type of crime are relatively rare. The home user has a number of options to prevent falling victim to this type of crime.

"The first is to never, ever reply to an unsolicited 'phishing' email asking for usernames and passwords, no matter who they purport to be from. If you receive such a mail, contact the relevant, genuine organisation to determine if they have sent the mail. It would be surprising if they have, but if it was from them then change banks!

"The second is to install a software-based firewall, of which there are many. This will help protect against any unwanted intruders to your system. But remember this is only as effective as the rules it has been set up with so ensure you fully understand how the product works.

"The third way to protect yourself is to install some anti-spyware software. This is readily available on the internet and monitors your system to detect any Trojans, viruses or spyware (key logging and adware). It acts very much like antivirus software which is also a consideration for installation."

Simon Mallett asks: "Do people actually respond to spam?"

Paul Wood answers:

"When you consider that it costs virtually nothing to send a million spam emails, if only one in a million recipients are daft enough to respond, the spammer will have made a profit. Large spammers actually do make money, lots of money. As more people employ anti-spam tools, spammers increasingly need to send out more and more spam to maintain similar levels of return."

Adam Foster asks: "Will there come a day when a virus can be created to infect any device or application? If this does become possible I'd like to have my log cabin, water and food supplies ready."

Graham Cluley answers:

"There actually have been some cross-platform viruses. Many Microsoft Word viruses work on both PC and Mac, for instance, and we even saw a couple of years ago the Lindose virus, which could infect both Windows and Linux files. But I don't think you need to start storing up your tins of corned beef just yet as we do not expect to see viruses which are capable of running any kind of device in the near future, because of the intricate differences between operating systems."