This is part two of a recent email interview with a Turkish web site, with part one made available here for the benefit of those of us who don’t speak Turkish.
I’ve done a little editing on parts one and two, primarily for cosmetic reasons.
Question (4): What are the golden rules for using the Internet with peace of mind?
If I find any such golden rules, I’ll let you know. :)
If there is one golden rule, it’s "Don’t take anything you’re told for granted." There are plenty of people out there – hackers, crackers, scammers, spammers, phishers, 419-ers, botherders, hoaxers – who have no compunction about lying to you in order to get your money, your identity, your World of Warcraft avatar, or just to prove to themselves that they’re cleverer than you are. There are others who have something to sell to you – a product, a service, a web site, subscription to a magazine, a blog – who may not intend to mislead you, but don’t know enough not to mislead you.
This, of course, begs the question "so how do you know whose advice to trust?" which I suppose takes us back to that list of resources I need to update. Even then, of course, you might not want to take my word for what defines a good resource. :)
Question (5): What are the main reasons there is so much more cybercrime than there was? How can we prevent these crimes?
There are some obvious answers to this question and at least one that isn’t so obvious. Of course, I don’t guarantee that any of them are correct answers. ;-)
One of the obvious answers is that cyberspace is where more and more of us work (and indeed spend our leisure time). So there’s more money there than there used to be when comparatively few commercial transactions were carried out online.
Then there’s the fact that some facets of internet usage are fundamentally insecure, in the sense that there are all sorts of insecure protocols that allow technical attacks. Also, there are very many transactions that entail no physical encounter and so facilitate some form of masquerading or identity theft, or even an interception attack.
The less obvious answer is that for some people, it’s easier to make a victim out of someone you never see. Not (only) because they don’t get the chance to check you out in person (face-to-face gives you clues and cues that simply aren’t available online, or so attenuated – eg by webcam – that they’re even less reliable than the hunches you get when you meet someone). Not (only) because if they don’t ever meet you, the chances are they won’t be able to identify you after the crime has been committed. But because unless you’re an out-and-out sociopath, it’s easier to do something nasty to someone when you never see them, or have to think about what they’re like (deindividuation or depersonalization). To me, the psychology of cybercrime is in some ways far more interesting than the technical aspects. Which is why I’ve moved further and further away from hands-on analysis, I guess.
So how do we prevent cybercrime? Well, the only way to prevent it altogether is to change human nature. Crime is crime, and it’s inherent in human nature (at least in a world of economic inequality and mental instability). You can attenuate it by education and nurture, by teaching scepticism to the unwary, and by deploying technical solutions. Many security professionals believe that the technical approach is the only one that works, but that isn’t so. None of them work 100% but they all work some of the time. In my experience…
Question (6): Finally, can you provide some illustration of your advice on the strength of your personal experiences?
Now there’s a question… I didn’t actually intend to get into this area at all. In the 1960s I went to university to read social sciences and psychology, then went on to work in all sorts of areas, from music to the building trade to healthcare. By 1989, I was working in medical informatics/administration and doing a degree in computer science and had suddenly become a de facto information resource on malware. By the end of the ’90s, I actually knew something about malware, and now I actually work in that industry rather than on the fringes of anti-malware research, where I’ve been working for the past 20 years (nearly: I consider my entry into the computer security industry to date from the 19th of December 1989, for reasons that I plan to blog on nearer the time).
But I’m not at all sure how I got here!
David Niven said something in one of his autobiographical books (I think it was "The Moon’s a Balloon", but it might have been the other one) about how he never got over the feeling that at some point someone was going to tap him on the shoulder and say something like "OK, Niven, we’ve sussed out that you don’t know what you’re doing: you can go home now." I know exactly how he felt: I’ve had the privilege of working with some incredibly talented people, and I sometimes wonder why they give me the time of day, let alone such frequent opportunities to open my mouth in public. I guess it’s because I’ve made something of a career out of trying to bridge the knowledge gap between them and the rest of us.
David Harley BA CISSP FBCS CITP
Director of Malware Intelligence
ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter: http://twitter.com/esetresearch
ESET White Papers Page: http://www.eset.com/download/whitepapers.php
Securing Our eCity community initiative: http://www.securingourecity.org/
Author David Harley, ESET