Hacker Economics 3: MPACK and the Next Wave of Malware

Third in a series. New variants and new methods proliferate in the wake of 76service.

By
Mon, October 08, 2007
Page 2

The Radical New Strategy?
If users are, as one bank CISO said, dumb; and if banks can just write off their losses; and if the Internet is fundamentally insecure; and if vendors' defenses can't keep up; and if law enforcement is overmatched; what happens next?

Don Jackson thinks that the banks will simply transfer more of the risk. “The banks are worried but their answer is not to track these guys down or be more diligent about security,” says Jackson, who says he remembers talking about this with bank security types at last year’s Information Systems Security Association (ISSA) conference. “Their answer is to shift more responsibility on to their customers. They’ll lower fraud limits, the amount of stolen funds they’ll cover. They’ll make it harder for consumers to prove they were defrauded—and easier to say it was the customer’s fault. You’ll have to prove that you kept your end of the deal by patching your system and so forth. Watch the terms of use for online banking. I think you’ll see changes.”

Like Jackson, Chris Rouland of IBM ISS believes the days of acceptable loss at the banks are numbered, but he has a hard time seeing a “blame the customer” strategy succeed. “These write-offs, this thing about putting it on consumers, it will end. It has to,” he says.

Rouland says that he is rethinking security at a fundamental level, and many others in the industry are as well. “We’re basically telling banks that client security is your problem, not [your customers’] problem. We’re saying all the awareness in the world can not adequately secure client machines. Telling customers to secure themselves will not work. We believe that in order to fix the problem, you have to protect customers’ customers. You have no choice.”

Notice Rouland did not say you have to secure the client. He never says the banks must figure out a way to protect that machine. That’s careful and deliberate, because Rouland doesn’t believe that’s what banks have to do. When it comes to securing PCs, Rouland’s advice is radical: Give up.

“In the next generation,” he says, “we will all do business with infected end points.”

He was asked to repeat what he said, just to be sure. So he did: “Our strategy is we have to figure out how you do business with an infected computer. How do you secure a transaction with an infected machine? Whoever figures out how to do that first will win.”

Next: June—disturbing developments
