Fighting Back Against Cyber-Crime - Page 2

By Dennis Fisher  |  Posted 2004-06-07 Print this article Print

Identrus, whose customer base includes most major U.S. banks, plans to issue "institutional certificates" to its customers and enable those banks to offer client digital certificates to bank customers later this spring. The institutional certificates will allow the banks to prove their identities to their customers digitally and the customers to prove their identities to the banks digitally as well.

For example, a customer of Bank of America would be issued a digital certificate by the bank. That certificate, along with the banks certificate, would mutually authenticate the user and the banks Web site each time the user visits the site. As big a problem as phishing and the resultant identity theft are for consumers, it is orders of magnitude worse for the banks and other enterprises whose reputations and balance sheets absorb the brunt of the hit.

"For the retail side of the house, its absolute panic time. Its a massive problem. Theyre searching for anything they can to fix this," said Karen Wendel, CEO of New York-based Identrus. "They know that most identity theft is related one way or another to the banking relationship. The banks arent telling [their customers] how identity theft typically occurs."

The Identrus system also has the potential to help solve the other major flaw that makes phishing scams so simple: unauthenticated e-mail. SMTP, which is used to forward the majority of e-mail on the Internet, does not require any authentication from the sender. This enables spammers, phishers and other criminals to spoof the sending address of a message and make it appear to be legitimate.

Re-engineering the protocol at this point is not feasible, but there are movements afoot to add unforgeable identifying information to mail headers in order to implement a so-called e-mail caller ID system.

In fact, Microsoft Corp. has developed a technical specification for a proposed system that would prevent spoofing of the senders Internet domain. The Microsoft plan relies on the publication of information such as the IP addresses of outbound mail servers, which would enable the mail gateway at the receiving end to verify that the message actually came from the domain listed in the SMTP header.

For insights on security coverage around the Web, check out Security Center Editor Larry Seltzers Weblog. In many ways, the call is similar to the cries for help issued by law enforcement at the peak of the drug problem in the early 1970s. At that time, state and local police forces were overwhelmed by the volume of drug traffic and couldnt handle the cases coming at them.

It wasnt until President Richard Nixon signed an executive order creating the Drug Enforcement Administration in 1973 that the federal government got involved in the drug war in a major way.

That same kind of dedication is needed to address cyber-crime fully, according to experts.

"The government needs a cyber-crime czar. There has to be a recognition that theres a problem," said Jim Melnick, director of threat intelligence at iDefense Inc., in Reston, Va., and a former officer in the Defense Intelligence Agency.

"It has to be on the national agenda," Melnick said. "I just hope it doesnt take a major incident to get it there."

The DEAs budget for fiscal year 2004 is about $1.5 billion, and, as of the end of last year, the agency had more than 4,600 special agents working solely on drug cases.

By contrast, the FBIs budget called for $60 million in funding to fight cyber-crime—a number that is projected to drop to $55 million in fiscal year 2005—and none of the money is earmarked for new agents.

"It just doesnt get the attention it needs. Im not sure what else we can do with what we have right now," said one federal cyber-crime agent, who asked not to be identified.

And even with federal leadership to bolster the newfound focus and the emerging technical solutions, it could—much like the war on drugs—take years before any dent in cyber-crime is achieved.

"We have to be realistic in how long it will take. The threats were facing will get worse," said Amit Yoran, director of the National Cyber Security Division of the Department of Homeland Security, in Washington. "These technology refreshes will take a very long time.

"But weve built an excellent network of allies around this. Were [still] not sharing as much information and data as we could. Were not where we want it to be, but Im hopeful."

Security insiders applaud the growing public-private partnership and the increased attention to cyber-crime issues. What remains, they say, is a need for government leadership to commit to fighting the online menace. Check out eWEEK.coms Security Center at for the latest security news, reviews and analysis.

Be sure to add our developer and Web services news feed to your RSS newsreader or My Yahoo page


Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel