Cyberspace still a dangerous neighborhood
- By William Jackson
- Oct 01, 2007
The Federal Trade Commission this morning kicked off National Cyber Security Awareness Month by announcing a settlement in a case against a distributor of spyware that will cost the company $330,000.
The case, against an outfit called ERG Ventures that bundled malware with seemingly innocent software such as screensavers or video files, was one of a number of actions involving online fraud and data breaches pursued by the FTC in the past two years, FTC Chairwoman Deborah Platt Majoras said at the opening of the National Cyber Security Awareness summit in Washington.
The summit, hosted by the National Cyber Security Alliance, marks the beginning of the fourth annual awareness month, intended to raise public awareness of the need to protect ourselves online. The alliance is a nonprofit coalition of information technology companies and agencies including FTC and the Homeland Security Department.
The need for awareness remains despite improvements in IT security in government and in the private sector, improvements in security tools and enforcement of fraud and anti-hacking laws, said Gregory Garcia, assistant Homeland Security secretary for cybersecurity and communications.
'In spite of our best efforts, cyberspace is far from secure,' Garcia said, and there is 'no foreseeable end' to the threats faced by government, the commercial sector and consumers.
Both Garcia and Majoras cited estimates that worldwide cybercrime has become a $100-billion-a-year business, eclipsing the illegal drug trade in revenue. The settlement announced today was one of three that have been brought by FTC against spammers or malware distributors under federal laws against unfair and deceptive trade practices. In the ERG Ventures case, FTC alleged the company secretly loaded its Media Motor program onto as many as 15 million PCs.
'This software changed consumers' home pages, tracked their Internet activity, altered browser settings, degraded computer performance and disabled anti-spyware and antivirus software,' FTC said. Under the agreement the company and its principles will give up ill-gotten gains and stop secretly loading the malware on computers.
Majoras said FTC also has brought actions against 14 businesses for failure to provide adequate security against data breaches. The violations alleged are not the data breaches themselves, but the inadequate precautions taken against 'reasonably foreseeable threats,' she said.
Not every data breach results in an FTC action, Majoras said, but 'none of these cases was a close call.' The agency has another two dozen similar investigations now open.
Results from a survey conducted by NCSA and McAfee show that although the message on online security is getting out to the public, much work remains to be done.
'There is a heightened sense of awareness' among online consumers interviewed for the survey, said Bari Abdul, McAfee's vice president for worldwide consumer marketing. But although 87 percent said they had antivirus software installed on their computers, only 51 percent updated the programs regularly. 'What they say they have on their PCs doesn't match what they really have.'
Based on online computer scans, only 22 percent of those surveyed had the basic triad of PC protection in place: Updated antivirus software, a personal firewall and anti-spyware software. Surprisingly, the survey found computer users over 45 were slightly more likely to be fully protected, with 25 percent using all three elements compared to 18 percent of younger users.
On the government side, Garcia said plans now are underway for a second national cyberexercise to be held in March 2008. Cyber Storm II will build on a similar exercise held in 2006 in which industry, government and academia participated in cyber war games.
FTC will hold a workshop in December on the use of Social Security numbers. One of the recommendations made in April in a report by the president's identity theft task force co-chaired by Majoras was that government and the commercial sector should reduce their use of Social Security numbers as identifiers because of their use by identity thieves in accessing and confirming personal information. A directive from the Office of Management and Budget ordered agencies to review their use of the numbers, and to eliminate them when not necessary. However, no completely suitable substitute as a unique identifier has been developed.
'We'll explore ways to make Social Security numbers less valuable to thieves,' until a replacement as a unique personal identifier can be developed, Majoras said.
William Jackson is a Maryland-based freelance writer.