When it comes to fighting traditional crime, tipsters play an integral role in reporting suspicious activities, questionable characters and true confessions. But while few people question the existence of Crime Stopper hotlines or highway billboards, Microsoft’s recent plan to offer a bounty for information leading to the arrest of malware authors brings tip lines into the digital age.
Since it was founded in the mid-1970s, the Crime Stoppers organization has helped clear more than 1 million cases, been responsible for more than 500,000 arrests and paid nearly US$65 million in rewards, according to the group’s Web site.
In contrast, Microsoft launched its Anti-Virus Reward Program with $5 million in its coffers. The program is designed to help the FBI, U.S. Secret Service and Interpol identify and arrest individuals who write and release malicious viruses and worms on the Internet. The Redmond, Washington-based industry giant has set aside two rewards of $250,000 each for information that leads to the arrest and conviction of those responsible for launching the MSBlast.A and Sobig worms.
“This is another aspect of Microsoft’s program for trusted computing,” said Hemanshu Nigam, a corporate attorney in the Digital Integrity Group, Microsoft Law & Corporate Affairs, in an interview with E-Commerce Times. “[Virus writers] are victimizing lots of people. Security, for us, is a priority, and it’s our responsibility to do it the best we can.”
Although the bounty program initially is limited to attacks on Microsoft products, it is receiving high marks from some industry organizations, such as the Business Software Alliance.
“BSA applauds [Microsoft’s] announcement to establish the new Anti-Virus Reward Program, as it is one more example of increased public-private partnerships needed to promote cyber security around the globe,” Robert Holleyman, BSA president and CEO, told the E-Commerce Times. “Many cyber crimes are not yet perceived as real crimes. Collectively, we need to raise awareness globally that computer viruses, worms and denial-of-service attacks are not clever acts of mischief, but serious crimes that can cause major economic damage or worse.”
The reward program, plus efforts by Microsoft, developers and IT organizations to eliminate the configuration errors that frequently create network vulnerabilities, is part of an overall effort to reduce damage by malware writers. And the IT community continues to invest heavily in security: In an October survey by the Software & Information Industry Association, 34 percent of senior IT executives polled said they plan to focus new spending on security.
That is a good thing, as there will have been more than 180,000 digital attacks worldwide by year’s end, resulting in economic damage of $80 billion to $100 billion, according to UK research firm mi2g.
However, some security industry executives think Microsoft’s move may not be the slam-dunk the Redmond titan would like to achieve.
“This is my personal opinion — not CA’s — and I think that, while something like this [bounty] probably doesn’t hurt, it would probably only impact some of the fringe elements that write viruses,” Stephen Gohres, vice president of marketing for Computer Associates’ My eTrust, told the E-Commerce Times. “Something like this reward would deter a certain percentage at the margin — the script [kiddies]. I’d question whether it would have a real impact on the real serious type [of virus writer]. They already know it’s against the law, right?”
On the positive side, if virus writers continue to brag about their exploits, as they are notorious for doing, the reward could encourage “witnesses” to come forward. On the other hand, the bounty could drive malware creators further underground, Gohres cautioned.
In lieu of the age-old bounty concept, some people believe new paradigms are necessary for the digital medium.
For example, instead of offering a reward for those who already have launched worms and viruses, the industry should consider preventative measures, said Mark Rasch, a former head of the Justice Department’s computer crime unit who currently is senior vice president and chief security counsel at Omaha, Nebraska-based managed security service provider Solutionary.
“You’ve got a lot of people out there who are gray-hat hackers,” he told the E-Commerce Times. “The vast majority of the things they’re finding are configuration problems. There’s no mechanism for them to do anything with that vulnerability [information].”
Indeed, hackers who find a vulnerability often do not know who to contact at an enterprise or software developer to pursue resolution of the issue. Even if a hacker is taken seriously, developers or IT executives have no way of gauging the veracity of the vulnerability information, which can be a problem if they are being asked to pay for it. For their part, gray-hat hackers — who have only discovered, not leveraged, the vulnerability — face the possibility of arrest if caught, according to Rasch.
“Some of these people want to get, at a minimum, compensated for the work they’ve done finding this vulnerability,” he said. “There’s no good way to do this. Let’s come up with a mechanism for reporting these vulnerabilities.”
Although such an endeavor would be fraught with complicated questions and logistical concerns, Rasch recommends creating an Information Sharing and Analysis Center that would let gray-hat hackers provide information on vulnerabilities to corporations and ISVs. “The problem with my solution is someone’s got to build it, someone’s got to operate it, someone’s got to fund it,” he said. “You’ve got to be independent and, at least in the short-term, self-financed. If we really want to put our money where our mouth is, let’s do it.”
At present, even as Microsoft continues to explore other anti-crime avenues, the company hopes to spend the $5 million in its antivirus war chest, said Nigam. “If, at some point, the $5 million has been expended, we’ll be celebrating,” he added, noting that the software developer then will consider adding more capital to the fund. “Historically, rewards work. This idea of moving them into the cyber world is new and unique.”
Let’s face it, the likelihood of the current spammer-crackers bragging about their ‘victories’ is about as likely as me actually being Usama.
While I remain hopeful that Microsoft money will pry open the mouths of some people in the know, I am not holding my breath. The spammer-crackers behind Jeem, Sobig, et al., purpose-built spam facilitators, are not the cliché pimply-faced kids in their parents’ basement, and we need to dispel that distracting image. They are hired guns (guns quite possibly unemployed due to the dot bomb, I might add).
Bragging rights are not behind the current round of viruses. It is the venal motivation: MONEY. Personal gain. Wealth.
The criminal scum behind the spamming organizations may have gone a step further to ensure the silence of their hacking counterparts. Imagine, if you will, how the Russian mob (who have been linked to many of the bank phishing expeditions in Australia and elsewhere), would treat a link back to them, for instance the hacker who wrote their malware, their website …
I’d suggest that rather than dining in Moscow’s finest restaurants, these hackers-for-hire more likely might find themselves lying at the bottom of the Moscow River.
I wonder: does the reward apply to dead hackers, too?