Report on Ed Gibson’s talk – Fostering Security in the Workplace
e-Security – 18 June 2008
This was a “tour de force”, with three talks being given by Ed Gibson in three different venues in the course of one day. The Business Matters Trust is very grateful to Microsoft, Biggart Baillie and Baillie Gifford for their hospitality in providing the venues and refreshments.
Iain Archibald welcomed those attending this, the fourth talk in the series on Fostering Security in the Workplace, and introduced Ed Gibson, Chief Security Adviser to Microsoft Ltd, UK. It is almost impossible to do justice to the three wide-ranging, stimulating, humorous and, in some ways, unsettling talks which Ed gave, but the following summary draws on information from all three sessions and hopefully covers the main points.
Ed started by giving us a little background – his own history and career. Having grown up on a farm in Michigan, served in the US Army during the Vietnam era, completed a law degree and practised corporate law with a multinational corporation in the US, he found himself at the age of thirty-two embarking on a career in the FBI. It lasted twenty years and Ed said it was not a job, more like a vocation, since it had been his life’s ambition to be an FBI agent. He served for fifteen years in the US, specialising in the detection and prevention of espionage and money laundering, and then spent five years working for the FBI at the American Embassy in London. Here, Ed became very much involved in the detection of crime perpetrated through the Internet, be that e-crime, e-fraud or crimes against children. Following his retirement from the FBI, Ed was head-hunted by Microsoft and now spends his time travelling and liaising with a large number of Microsoft’s clients, but also being an adviser to his new employer in areas such as the use of the Internet by organized crime, and protecting young people from being targeted by paedophiles or miscreants who harvest the Internet for personal details. In explaining what he meant by this, Ed gave us examples of how, having been involved in the investigation of crimes against children in the UK which have involved the Internet and also having seen the way in which the technology can be used for ill, he has been able to spot potential pitfalls in plans, marketing campaigns, product attributes, etc. which others without his experience may not be able to see. A happy result of the perspective he has been able to bring to bear is that in several instances the final product from Microsoft is less susceptible to misuse.
Spam
Moving to his first topic, Ed talked about spam emails. MSN Hotmail processes 1.5 million emails per second or 4.4 billion per day. Of these, Microsoft filters out 3.8 billion as spam and we are just not aware of them at all, for they never reach our inboxes. Despite Microsoft’s efforts, the amount of spam is growing almost daily and we are all, no doubt, familiar with offers of great mortgage deals, various would-be medical and pharmaceutical remedies, chances to win holidays abroad and even the offer of some easy money for acting as a conduit for the transfer of funds from one country to another. Why do people still send these? Is it because they want us to take up these offers? The answer, by and large, is emphatically no! Most of this traffic is propagated by organised criminals with one aim in mind: to gain access to our PCs. They want the access, not so that they can get hold of our bank details and clean out our accounts, although that does occasionally happen, but so they can get access to our computer passwords, plant some software into our PC and gain access to our bandwidth. What does this actually mean? Ed described how, with the advent of broadband and extremely fast computing speeds, most of us only use a fraction of the bandwidth which is available on our networks. In the old days (just a few years ago!) we could tell if our bandwidth was being compromised because our PC would slow right down. Nowadays, we may not notice and so be unaware that someone else is using our computing power. Over 60% of PC users in the UK are on broadband and so the opportunities for organised crime to piggy-back on our bandwidth are extensive. We are not very vigilant about checking our computers properly. Result: according to a study conducted by Symantec, in this country we have the highest rate of compromised PCs in the world.
Furthermore, many PC users make use of wireless technology and some do not operate a secure network, which means that anyone, for example sitting in a car outside your house, can very easily access and compromise your system. Ed suggested readers take a look at the UK Government’s Internet safety campaign http://www.getsafeonline.org/, for easy-to-follow steps to make wireless Internet secure.
Once access has been achieved, what are the likely uses of this by the criminal fraternity? They can “link” hundreds of thousands of compromised PCs together into a virtual “supercomputer” with phenomenal processing power which can then be used to target businesses who depend on the Internet for their survival. Ed was quite blunt about this and indicated that the old-fashioned crimes of extortion and blackmail are, in this virtual world, still very much to the fore. However, in the modern high-technology version, the threatening letter arrives in the form of an email and the threat is not physical violence but rather the prospect of a business having its website completely shut down by being overloaded with spam. For a gambling website with a turnover of £100,000 per hour, a demand for £50,000 to prevent the website being shut down for the next three months, whilst unwelcome, may be “economically attractive”. Once a business has acceded to such a request it is very unlikely to publicly acknowledge the attack, and so the crime wave goes on. A scary question: does your office know exactly what to do in the event of such an email arriving?
e-Fraud
Ed gave us an example from his own recent experiences of selling two cars online through a reputable car auction website. He achieved a quick, straightforward sale on one of the vehicles and then was contacted a few days later via email by someone who offered full price for his second vehicle but with a little catch. The buyer said that they had another debt to pay to a third party and so they would send Ed a cheque to cover both the price of his car and also the amount of the debt – if Ed would only forward the latter debt amount to a bank account for which they gave him details. A cheque duly arrived in the name of a small business based in Northern Ireland and when Ed called them up to check they immediately responded with “Oh yes, we have had a bundle of pre-signed business cheques stolen.” Clearly, the intent was for Ed to wire transfer the “debt-clearing sum” to a bank account owned by the criminals who had set up the scam and for the criminals to rub their hands and pocket the cash. An obvious scam? Perhaps, but one which many people fall for each year.
Ed then asked us to think through who the loser was here. Ed? – even if he had sent through the cash? No. Ed’s bank perhaps? No. The cheque was a good cheque and the bank would honour it, with the loss eventually arriving at the doorstep of the small business who had had the cheques stolen. Unfair? Maybe, but it was then that Ed revealed some surprising and, to my mind, very concerning information. A former Home Secretary stated that if your credit card or your bank account is depleted by fraud you should not bother reporting it to the police as it is the bank’s responsibility to investigate the situation. Ed furthermore informed us that if you have a laptop stolen and report it to the police, they will give you a crime number and you will be able to claim a new PC from your insurance company; but if you report a data theft from your laptop, the police do not have sufficient resources to conduct what are usually international and complex investigations.. These statements in themselves are concerning. Then came Ed’s real bombshell statement which gave rise to some very surprised looks around the room: according to a Conservative Party MP, the UK Government has apparently recently withdrawn all funding to police forces for the tackling of e-crime. Let me just restate that claim: all funding has been withdrawn. E-crime is simply not a priority in Government eyes and Government does not wish to allocate expenditure to police it. Ed emphasised that our Constabularies are doing the best they can overall with the resources they have, and that rather than complain about the police not doing this or that we should write to our MP or MSP. Legislators are the people to contact.
In similar vein, Ed drew attention to the debate currently going on and based on the House of Lords Science and Technology Committee reports from 2006 to the present. It has raised significant concerns about the Internet and the degree to which it is, or rather, is not regulated. The Government’s response to this report has been that it is up to the individual to ensure that they are safe online. This conclusion has been refuted by the Lords and discussion and debate are still ongoing. A link to the official House of Lords, Government and other documentation generated by this debate is here. The main point is clear: Government does not see this as a priority and so we as individuals had better ensure that we do.
Social Networking Sites
Ed moved on to talk about the proliferation of social networking sites, for example Bebo, Facebook, Myspace etc. His message to us was crystal clear:
- Not one of these sites is private – by default
- Information placed on these sites stays on the Internet forever, even after an account is closed or taken down
- Such information is accessible to, and trawled for by, many Internet search engines
In short, there is no such thing as a private Internet space.
What are the implications? Firstly, there is an issue here for young men and women to consider and take stock of. Ed told us that he often addresses students during career tours and fairs. One of the points he makes to them is that they will eventually be looking for employment and what may they have put up onto the Internet by then? An employer will often trawl the social network sites looking for prospective employees’ entries. As Ed said, “That picture of the drunken Saturday night party may have been funny when it was placed on the site but may, in fact, be a reason why an employer chooses not to offer you an interview, far less a job.” Thinking through the consequences of the use of these sites is required and if we are parents, we need to talk to our children (of any age) who may use them.
On an equally serious and perhaps more disturbing note, Ed outlined an example of how easily marketing personnel may produce what appears to be a very appropriate and innocuous ad, only for it to contain really problematic features. For example, an initial idea for an e-marketing campaign had been based around a teenage girl and how she would be able to talk easily to her friends across towns, cities, even countries. However, the background imagery used actually inadvertently gave away sufficient detail such that the girl used in the campaign could have been tracked down by paedophiles. Needless to say, the campaign was never used. Vigilance and the ability to think out of the box are absolutely essential in our interactions with the Internet.
Miscellaneous “bits and pieces”
Ed’s talks were so full of examples and anecdotes, so I make no apology for this section and hope that it will be useful:
- Email addresses can now be “spoofed” so that you have no idea who is contacting you
- The security “padlock” and https: url used to indicate a secure website can be spoofed
- It is no longer always possible to track back the IP address from which a website originates if proxy accounts and compromised servers are used
- Web-hosting companies in other countries are not necessarily subject to UK law
- In order for emails to be tracked they have to be sent; this is perhaps self-evident, but the latest ploy is for someone to create an email, save it to the draft folder in Outlook and then for someone else, using another computer but with the correct access password, to access that draft folder and read the text thus acquiring the information without an email ever actually having been sent
- The highest percentage of leakage from a company’s IT systems comes in actual fact not from mischievous people outside the company but from people within it – either deliberately or by carelessness
- Does your company allow the use of mp3 players and mobile phones at work? Remember they can often be used as data storage devices and are now of a capacity to download the entire contents of a PC hard drive
- If, on eBay, you are asked to use Western Union rather than PayPal as a payment method, it is almost certainly a scam. Note, this is not a criticism of Western Union, but rather to highlight why someone would not want you to use a service that provides a guarantee, e.g. PayPal.
So what is the answer?
Ed referred to one of the more recent cases under the Computer Misuse Act – a case of an ex-employee who sent five million death-threat emails to his former employer causing them severe business problems due to the volume of traffic on their system. When the case first came to court, the judge ruled that there was no case to answer since the employer had clearly not had a large enough email server! On appeal the defendant was found guilty and sentenced to a two-month order confining him to his house between the hours of 7pm and 7am – where his PC, the tool used in the crime just committed, was sited?!? Ed used this example to indicate how difficult it is for the legal system and Government as they attempt to deal with e-crime.
Ed posed a question. Who is ultimately responsible for keeping the Internet safe and as crime-free as possible? Is it Microsoft? Is it the Internet Service Provider? Is it the hosting company? Ultimately, it is all of those, plus us as individuals.
So what can we do?
- Be vigilant. If we receive a suspicious email, do not open it. If we are presented with a link in an email which we do not trust, then do not click on it. If we receive an email purporting to be from a bank and asking for account details, then do not respond but instead report this to the bank. (Said Ed: “Your bank will never send you an email asking you to confirm your details. They already have your details!” )
- Only deal with large reputable companies if trading on the Internet. This is not foolproof but represents the greatest degree of protection
- Secure any wireless networks which we use and be careful about revealing passwords and confidential information when using non-secured networks in public places
- Indeed, when taking a laptop from one place to another, remember it may contain confidential or proprietary information (customer, employee, personal) and it most certainly contains photographs and information personal to you that you certainly would not want found in a public place
- Keep virus protection and firewalls up to date. If you have a six month free trial version on your new PC and experience no problems, then don’t assume that you are not being targeted; rather assume that the protection is doing its job and be sure to purchase / renew the subscription
- Keep your software up to date. Ed referred to the Microsoft “second Tuesday of the month security updates” which some people regard as an unwarranted nuisance. In fact, they are an essential way of maintaining as good a protection on your PC as possible. Ensure that automatic updates are activated on your PC and that they are actually happening
As Iain Archibald thanked Ed for his contribution at each of the three venues, it was obvious that those attending had been captivated by Ed’s delivery, amused by his humour, fascinated and educated by the content of his talks and almost certainly unsettled and prompted to think seriously about the issues facing users of the web today and how we deal with these as individuals and companies. There was much animated discussion and a definite feedback of “I’m glad I attended this.”
Further Information
Ed has supplied a further link which you may find interesting and useful:
Microsoft UK’s monthly Microsoft UK Security Newsletter which includes a monthly column written by Ed. Sign up by going to this link first: http://www.microsoft.com/uk/security/newsletter_signup.mspx and click on “Microsoft Security Newsletter. Sign up today”. This will take you to a sign-in page. If a subscriber already has a LIVE, Hotmail, or other Microsoft related email address, enter it here along with the relevant password; if not, then the subscriber can use any valid email address and associated password he/she has.
Sign in.
Click on “Security Newsletter” and that is it.
Eric Smith
Consultant to business matters