Desperation is a strong motivator when it comes to cyber crime, warns Ed Gibson.
This month, our journey into the world of cyber crime takes us to Ukraine, a country emerging from the political and commercial constraints of the former Soviet Union. If you have not been to its capital, Kiev, I encourage you to visit what is often described as a "city within a park".
It is beautiful, as are its people - well, at least most of its people, as we shall see. In many big cities on this planet, there is an underbelly of organised crime activity. Ukraine is no different. And as with many emerging countries, there are hundreds, if not thousands, of highly educated young people in greater supply than demand.
They are often breadwinners for the family, but likely as unemployed or underemployed as their parents. With an empty belly and no job in sight, it is not a stretch to understand why a talented young person - let's call him Josef - might find it enticing to "accept" a position with someone who appears successful, offering promises of food and a good wage.
At first, it's just a matter of breaking into local company websites or systems. Then a bank or two. And soon Josef is ordered to hack into a major financial institution in another country to steal intellectual property rights, customer and employee account data. Josef now recognises he is working for organised crime, and has two choices: hack and live or refuse and face physical harm. He hacks and steals, and suddenly you, in the UK or wherever you may be, are contacted by the bank's fraud department inquiring if you have just made credit-card purchases totalling hundreds or thousands of pounds.
Josef doesn't care if you are using Linux, Unix, Open Source or a Microsoft operating system. He just wants to clean you out, and live. And if you forgot to, or simply chose not to, update your software, firewall, and anti-spam/anti-virus software, all the better for Josef.
Who do you report the loss to? Do we really want the police to be investigating £5,000 frauds? Just recently, you were advised by government officials that effective from 1 April 2007, banks are the first port of call if our credit cards or bank accounts are compromised, not the police.
However, this should not cause immediate alarm, because financial institutions employ specialist trained fraud investigators who have as their focus the deterrence and investigation of fraud committed against their customers.
But, as we have seen before (SC February 2007), if the perpetrator resides in a country that does not recognise the UK politically or judicially, there is little that can be done to identify, locate, extradite, or prosecute. By the way, who actually cleaned out your account? Was it Josef? Or an automated script that Josef wrote and put into the wild? Even if Josef admitted he took your money via the internet, would it make any difference to UK law enforcement's ability to arrest or extradite him? If I told you that Josef is not the least bit concerned about being identified, would you know why?
But this is short-lived gratification. At the coal face, there are people who are working just as hard to make your computing experience as safe as possible. I don't want you to be deterred from using the internet. Just take a few reasonable precautions, and don't treat the web as if it's a toy. It is an aeroplane, and you are learning to be the pilot. Learn, explore, and control the choke and throttle for a safe flight.
We must never forget that IT security exists because there are people who want to steal whatever you hold of value inside your IT systems. We must remember not to leave the forecourt doors wide open. Make sure your firewall is turned on, and your anti-phishing and virus software are up to date. Josef will continue to increase his understanding of technology, and hopes you don't.
Next stop on our cyber journey will be London. We will take a look at the state of cyber crime in the UK, and certain ideas being discussed to tackle the problem.
Ed Gibson is the chief security adviser to Microsoft UK. Prior to this, he was a special agent with the FBI. You can contact him at EdGibson@Microsoft.com.