The Latest in IT Security

There are a lot of discussions going on about net neutrality. Kevin Townsend talked about that recently in an answer to my Freedom vs Security blog.

A big concern nowadays is how certain industries, such as the music one, are lobbying governments to protect their particular interests. I’m not going to discuss this topic today (send me your comments if you want to discuss it) but my position is crystal clear:

• A web shutdown has to be done with warrants / legal mandates.

It’s easy, isn’t it? At the end of the day what I want is to be treated as in the “real” life. If a police officer wants to walk into my home without my consent he needs a search warrant.

In the security industry we don’t usually look at copyright violations, but to cybercriminals that want to steal people’s money and information. The fight takes place in a number of different fields, but we shouldn’t forget that we are not police officers even though we are fighting against the same bad guys.

If I find a website used to host phishing, I will:

• Add that URL in our “blacklist” to protect my users.

• Share the URL with the rest of vendors so they can protect their users.

Should I stop here? I could check who is the owner of the site, report it to the police, talk to the ISP hosting that site, etc.

Everyday thousands of websites shutdowns happen with no warrants or legal mandates. And Law Enforcement is not involved. Why? Well, this is just a description on how things happen:

• Criminals are creating thousands of new malicious sites, with the only purpose of infecting users and stealing their personal information.

• Security researchers from private companies try to stop that, as they have customers to protect. We find them, we ask the owner of the hosting place to remove it (showing proof of it.)

• They remove it, and the criminals will look for a new place.

There are a number of variations (for example, there are bullet-proof hosting services created by criminals for criminals where it’s impossible to have removed any malicious content) but this is the main idea. But why Law Enforcement (LE) is not directly involved in this? A number of reasons:

• The malicious site can be hosted anywhere around the globe, while LE has local jurisdiction.

• Even if it is a local crime, it can take ages to have a warrant while people are falling there and the attack can last a few hours.

• It may be not considered a crime in some countries.

• Victims don’t know yet they are victims, so they don’t report it.

• Etc.

There are even companies which main focus is to perform these shutdowns, as there are a number of companies willing to pay thousands to have those sites removed because their brand is being abused to steal their customers’ money. It’s important to note that everything is not black or white: hosting those phishing sites could be a violation of the ISP rules, and in that case it could be perfectly legal for the ISP to remove them.

There are many people supporting the idea that the end justifies the means. Of course this is not my case, but even for those that support it, it’s obvious that here we don’t get to the right end: one of the major consequences we have to face is that as LE is not involved, they can not investigate it and criminals will walk free and anonymous.

Now many of you will tell me that I should come down to earth and that in real life things are not that easy. From the point of view of one of the companies that are continuously targeted, such as eBay, PayPal or hundreds of banks and credit unions, it’s easy to understand that they don’t want to wait, they want to have their users protected ASAP. They could claim that LE has not the resources to have the job done, and because of that changing the way they act nowadays would make things even more profitable for cybercriminals.

Let’s take a look at a different kind of crime that usually appears in the news: pedophilia. The same kind of actors are involved: criminals, illegal material, websites that have to be shutdown… Ask to a security researcher what happens when he finds a compromised site with this kind of material: all of them will report it to LE, and LE will act fast and coordinately. Content will be removed and people will be arrested. Everything is done with judicial oversight, as it should be done with phishing / malware incidents.

My 2 cents: there is no silver bullet, but more and better LE coordination among countries would work.

Thoughts? Should we look the other way? Should we stop shutting down malicious sites? Should we just report it to LE and forget it? Maybe we should all join and remove all politicians and try to make things with common sense?

PS: Many security companies and security researches have been working for years with different LE agencies. That was for example the Mariposa case, where the Spanish Guardia Civil and the FBI were involved when they were contacted by Defence Intelligence and Panda Security. I could name a number of other cases, where companies such as Microsoft are working hard with LE, and that happens on a daily basis. But at the end of the day, we manage a huge number of cases (we are detecting 73,000 new malware samples a day!) and only in certain cases we contact LE.