STE WILLIAMS

Internet Explorer bug patched only a week ago now being exploited

Hackers have latched onto a vulnerability in Internet Explorer patched by Microsoft last week as a useful way to spread malware.

The vulnerability is CVE-2012-1875 – which was patched in MS12-037 as part of the June edition of Microsoft’s Patch Tuesday – and it is being exploited in the wild. Attacks are typically delivered by JavaScript code embedded in websites, some of which are actually legitimate. Windows users who visit these sites using unpatched boxes become infected thanks to the JavaScript code, in what industry insiders commonly describe as a drive-by download attack.

The security bug stems from memory mismanagement in Internet Explorer, or more particularly a use-after-free bug. Technologies built into the latest versions of Windows – including DEP (data execution prevention) and ASLR (address-space layout randomisation) – are meant to make this sort of attack harder but have both come up short in this instance.

‘Net users are advised to patch Windows systems to defend against the exploit, if they haven’t done so already. A good write-up of the vulnerability can be found in a blog post by Sophos here.

The flaw in IE is unrelated to the browser bug associated with news of “state-sponsored attackers” and Google that made the news last week. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/06/19/ie_exploit_goes_feral/

Trust fined £225k for leaving patient files in abandoned hospital

Belfast Health and Social Care Trust has been fined £225,000 by the Information Commissioner’s Office for leaving patient and staff files in an abandoned hospital.

The Belfast Trust became the latest NHS body to feel the wrath of the ICO after it left 100,000 patient records and 15,000 staff records in boxes, cabinets, on the shelves or on the floor of the Belvoir Park Hospital, closed since 2006.

“The Trust failed to take appropriate action to keep the information secure, leaving sensitive information at a hospital site that was clearly no longer fit for purpose. The people involved would also have suffered additional distress as a result of the posting of this data on the internet,” the ICO said.

The Trust was landed with responsibility for the site, which had around 40 separate buildings that treated fever and then cancer patients, when six Trusts amalgamated in 2007. It arranged for the 26-acre site to be patrolled by two permanent security guards and five daily mobile patrols to supplement the CCTV on site.

However, by the end of 2007, faults in the CCTV and fire and intruder alarms meant they were no longer working so the guards were on their own. Vandals and trespassers got into the buildings and photographed records, which they then posted online, but the Trust didn’t find out about it until someone else told it in March 2010.

The Trust arranged for an inspection of some of the buildings, but parts of the site were cordoned off due to asbestos concerns and a lot of the records had been damaged by damp and mould. The Trust upped security and fixed damaged doors and windows, but the Irish News reported in April last year that it was still possible to get onto the site.

The 100,000 patient records, some from as far back as the 1950s, included X-rays, microfiche records, copies of scans, lab results and other paper files. There were also 15,000 staff files, including unopened wage slips, in a building that had been vacated in 1992.

The Trust has now removed all the records from the site and either destroyed them or filed them properly, the ICO said. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/06/19/nhs_belfast_trust_ico_fine/

Google to ICO: We had no idea Street View data slurp was happening

Google has denied that it tried to cover up certain aspects of its Street View data slurp as the UK Information Commissioner’s Office reopens its investigation into the incident.

The ICO recently cracked open its cold case files on the Street View cars’ sniffing of data from unsecured Wi-Fi networks. This was a result of the US Federal Communications Commission’s finding that Google had probably done it deliberately.

The UK regulator’s head of enforcement, Steve Eckersley, sent a strongly worded letter to Google demanding answers to seven additional questions, which Google has answered in its own strongly worded letter, seen by The Reg.

The web giant said it was “surprised” that the ICO had decided to reopen its investigation since it thought it had done all the stuff the office told it to do to enhance privacy practices.

Google also denied that the information it sent to the ICO for its initial investigation was “pre-prepared”.

The firm said it had mounted a hard drive used by one of its Street View cars in its data centre in Belgium and sent the data to the ICO remotely, as had been agreed upon with the office. Google claims that the only processing it did on the data was to use software called the Codex to convert the binary data on the drive to readable text, since the ICO had requested information that could be read or searched using keywords.

Other than through using the Codex described above, the data on the hard drive inspected by the ICO was not “pre-prepared” in any way. Indeed, until the ICO’s inspection, Google had not viewed or analysed the payload data on the hard drive used, and nor has it since.

Google also denied that lots of people at the firm knew that the Street View cars were scooping up extra data as they drove along.

“The FCC Report and recent media coverage suggests that there was widespread knowledge. That is not the case,” the letter claimed.

“The documents we produced to the FCC, the salient portions of which we have provided to you, show that, at most, a few people early in the project could have seen some red flags in a document or an email and inquired further. But that assumes too much. These few individuals are unequivocal that they did not learn about the payload collection until May 2010.

“No project leader asked for or wanted the payload data; and no payload data was ever used in any product or service. That’s the context in which the documents Google has disclosed should be viewed,” the letter insisted.

The ICO’s seven questions to Google were all designed to try to figure out if Google knew more about the data slurp and knew it sooner than it has previously let on.

However, Google dealt with each question and basically summed up that nobody knew anything until May 2010.

The firm said that it hoped its responses would convince the ICO to decide to leave the case closed.

As requested by the ICO, Google has destroyed the data the Street View cars gobbled up, which might make it difficult for the regulator to impose any further sanctions on the firm.

The ICO told The Reg that it had received the letter and it would take it into consideration. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/06/19/google_letter_to_ico/

Mad Apple patent: Cloneware to convince trackers you don’t like porn

Apple have patented the idea of using data clones to hide from surveillance: data clones that will browse the internet under your name but will look at basket-weaving sites instead of porn.

In one of the stranger Apple patents that we’ve seen in recent months, author Stephen R Carter details a way of stopping eavesdroppers snooping on users by creating user clones. Patent 8,205,265, called “Techniques to pollute electronic profiling”, was awarded by the Patent Office today.

Apple won seventeen patents today, but this one really sticks out: The other sixteen deal with items of smaller scope such as the design of docking stations, power adaptors and techniques for dynamic shading. The electronic profiling is a bit more futuristic.

How a goody two-shoes clone would distract snoopers and let you ogle smut in peace

We’re all getting snooped all the time, says Carter explaining the background to the patent, and it’s impossible to stop people doing it. He uses George Orwell to describe our modern world of data snooping:

Concerns about the government and its knowledge about its citizenry is often referred to in a derogatory sense as actions of “Big Brother” who is omnipresent and gathering information to use to its advantage when needed. The electronic age has given rise to what is now known as thousands of “Little Brothers,” who perform Internet surveillance by collecting information to form electronic profiles about a user not through human eyes or through the lens of a camera but through data collection. This form of Internet surveillance via data collection is often referred to as “dataveillance.” In a sense, thousands of “Little Brothers” or automated programs can monitor virtually every action of users over the Internet. The data about a user can be accumulated and combined with other data about the user to form electronic profiles of the users.

The patent mentions the current technologies for evading tracking, including the use of anonymisers and spyware-killers, but argues that they can never completely hide a user on the Internet: “even the most cautious Internet users are still being profiled over the Internet via dataveillance techniques from automated Little Brothers”, Carter says.

How Apple would clone you

Apple’s idea is to create a data clone that would appear believable enough to divert snoopers from the real person’s activities, confusing or “polluting” electronic profiling.

Firstly, the patent details the idea of cloning the real person’s digital identity to create a clone configured on a device. Areas of interest would be associated with the clone that may differ from those of the actual person. The clone would be able to carry out “actions” in line with those areas of interest.

Secondly, the patent details adding genuine identity information to the clone to make it seem more believable to eavesdroppers, such as having the same date of birth and gender as the real person.

And thirdly and fourthly, the patent details adding feigned information to the clone, including feigned emails and bank details, so that eavesdroppers will be diverted from collecting the true information.

The patent explains how this cunning ploy would work in practice:

for example, the cloning service may process an area of interest that is divergent from that of the principal such as an interest in basket weaving. This particular interest may be associated with its own lexicon and actions associated with particular Internet websites, products, services, and/or books. Actions may be defined that permit the cloning service to appear to be the principal [real person] and visit specific basket weaving websites, issue Internet searches related to basket weaving, and the like. This activity by the cloning service may be picked up by an eavesdropper and may be used to generate a polluted profile about the principal that suggests the principal is interested in basket weaving, when in fact this is not the case.

In further details it explains that the clone could be set to never look at porn or engage with pirated material. The cloning system would even be configured not to go online at times when the “real person” would not be online – eg scheduled holidays. This would be in order to prevent the detection of it as a clone.

In the wacky futuristic scenarios sketched out by Carter, attempts to make the clone appear realistic would include your basket-weaving digital clone sending emails, engaging in online chats and even buying things online – in order to appear more believable:

In some embodiments, at 160, the cloning service may perform a wide range of automated actions consistent with the assigned areas of interest. Examples of these actions may include, but are not limited to, performing an Internet search on a given area of interest; activating selective results that when analyzed conform semantically to the area of interest; activating advertisement banners in web pages; filling out electronic surveys; sending an email; engaging in rudimentary online chat discussion by using techniques similar to Eliza (an automated chat engine); activating embedded links within a document that conforms semantically to the area of interest; registering for services associated with the area of interest; purchasing goods or services related to the area of interest, etc.

Apple’s Motivation

Filed relatively recently on 11 October 2011, we note that the patent application comes several months after Apple landed in a load of trouble for tracking – and storing – very detailed information about the location of iPhone users.

It could be that Apple wants to use this patent as a way to protect its users from malevolent tracking outsiders. It could be that Apple wants to track its own users and has now locked down a way that they could use to evade it. Any use of such techniques would potentially violate Cupertino’s new patent.

All we know for sure is that it’s going to be quite weird when basket-weaving kits that your anti-surveillance cloneware has ordered on eBay start arriving at your house. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/06/19/apple_data_clone_patent/

Whitehall goes to White House for advice on ‘ID assurance’ plans

The Cabinet Office is to join the Open Identity Exchange (OIX), a US-based non-profit providing “certification trust frameworks for open identity technologies”, to help with the development of its identity assurance programme.

The Cabinet Office’s identity assurance team recently visited the White House, where it met up with OIX for a day of workshops and discussions. It also attended a meeting in London earlier this week with OIX and 50 organisations to discuss how the UK government plans to structure dialogue with interested parties on the subject.

In a blog post on the Government Digital Service website, the identity assurance team says that it has “formalised” its commitment to OIX, which provides certification services to deliver the levels of identity assurance and protection needed by users such as the US government.

According to the blog post, the government will use OIX in two ways:

  • To create a UK working group through which organisations can participate in the development of the initiative.
  • [To] engage with partners about ongoing small scale alpha projects that experiment with solutions to “real world problems”.

OIX has developed the Open Identity Trust Framework model, a certification programme that allows a party which accepts a digital identity credential (from the relying party) to trust the identity, security, and privacy policies of the party which issues the credential (the identity service provider) and vice versa.

“Joining OIX is a big step forward on the identity assurance mission,” says the blog post.

To participate in OIX, interested organisations do not have to pay, though there is a membership framework should organisations wish to join. Instead it asks participants to sign up to principles, for example, around intellectual property.

Joining OIX is the next step for the government’s identity assurance service, which will be a market of competing private sector identity providers selling ID assurance services to the public sector, enabling organisations to identify who they are dealing with during government transactions.

In March, the government reissued a revamped £25m tender for identity services after recalling it at the end of December last year. It was thought that the original tender for the services, which will heavily support the Department for Work and Pensions’ universal credit and the personal independence payment, lacked a cross-government approach and would have only benefited the DWP.

This article was originally published at Guardian Government Computing.

Guardian Government Computing is a business division of Guardian Professional, and covers the latest news and analysis of public sector technology. For updates on public sector IT, join the Government Computing Network here.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/06/19/cabinet_office_joins_the_open_identity_exchange/

Brussels could ‘clash’ with London over UK snooper’s charter

Exclusive A fine “balancing act” is needed to prevent a “clash” between British Home Secretary Theresa May’s controversial plans to bring in a data communications-snooping law and the “rights” of the UK citizen, European Commission vice-president Viviane Reding warned when questioned by The Register.

The justice commissioner laid out her proposals in January this year to overhaul data protection law in the 27 member-states that make up the EU. She has long claimed to be a champion of the rights of the individual.

Speaking on Monday at the Digital Enlightenment Forum in Luxembourg, Reding reaffirmed that intention, although she added that she was trying to remain tuned to the needs of internet businesses which operate across borders but whose spiritual homeland – and data farms – are in the US.

When asked by your correspondent what the commissioner’s views were on May’s freshly tabled draft communications data bill, Reding offered up the following insight:

We do have a treaty which is called the Treaty of Lisbon and in this treaty – and maybe not everyone has understood this – there are no more pillars as there were before, where [for instance] you had a pillar for security and that was completely in the hands of the national states and where the rules of the protecting of the individual, which had to be adapted to this pillar, were a little flexible.

There’s none of this anymore since December 2009. Now the rules are horizontal.

You always have to weigh the rights to obligations of the state: one is to preserve the rights of the individual and the other one is to preserve the rights of the society. This is a balancing act; you cannot make them clash.

Reding added that the proposed Data Protection Directive, which is currently winging its way through the European Parliament as well as being pored over by the Council of Ministers to allow EU member states to scrutinise the bill, had “flexibility” built into it for the sake of national security against terrorists and organised crime as long as the charter has been “preserved”.

“But there is no way that in those policies the rights of individuals are eliminated,” she warned.

But the commissioner had earlier noted, in a speech to a small audience of internet players and experts, that a contradiction has come into play between satisfying the businesses that serve European citizens and advocating for Europe’s citizens themselves around their concerns about privacy and the growing level of personal data now residing online.

Reding described data as “the currency” of the internet and added that she will be meeting with her US counterparts to discuss issues of trust, which she said was “on the wane” in Europe – where 70 per cent of citizens on that continent are worried that their data might be misused.

Undoubtedly, the commissioner is struggling to negotiate between two distinct groups with typically different and occasionally symbiotic needs when it comes to making transactions on the internet.

She accepted that the notion of the so-called “right to be forgotten” online – a proposal advocated by the commissioner in her draft bill on overhauling the 1995 data protection law in Europe – will never lead to “total privacy”.

What Reding and some of her supporters want is to create an “open market with legal certainty and the same rights for all.”

But as Britain’s Home Secretary has recently demonstrated, it’s seemingly impossible to satisfy the needs of individuals who do not wish to have their privacy invaded – as many have already argued in opposition to the Communications Data Bill – when it comes to responding more urgently to terrorist threat warnings from national security services.

It will be interesting to see if May’s proposals, if passed through the UK Parliament, end up becoming a model for other member states in Europe, as the rewrite of data protection law in Europe continues – and possibly ends up being watered down to satisfy the businessmen of Silicon Valley. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/06/19/viviane_reding_on_uk_communications_data_bill/

Fujitsu cracks 278-digit crypto

Japanese computing giant Fujitsu is claiming a world record after successfully breaking a 278-digit (978-bit) pairing-based cryptography system, providing useful data on how far this next-generation encryption system can be trusted.

The company’s R&D arm, Fujitsu Laboratories, worked with Japan’s National Institute of Information and Communications Technology (NICT) and Kyushu University to crack the code in 148.2 days.

Their work smashes the previous record of a 204-digit (676-bit) system which Japan’s Hakodate Future University and NICT managed in 2009.

Fujitsu claimed that today’s record required several hundred times the computational power of the 2009 effort – in effect this amounted to 21 PCs, or 252 cores.

The firm explained its methods for cracking the code as follows:

We were able to overcome this problem by making good use of various new technologies, that is, a technique optimising parameter setting that uses computer algebra, a two dimensional search algorithm extended from the linear search, and by using our efficient programing techniques to calculate a solution of an equation from a huge number of data, as well as the parallel programming technology that maximises computer power.

With pairing-based cryptography being lined up as the standard for next generation encryption, Fujitsu believes the breakthrough is key to understanding how secure it actually is in applications such as identity-based encryption, keyword searchable encryption, and functional encryption.

“This result is not just a new world record of cryptanalysis, it also means the acquisition of valuable data that forms a technical foundation on which to estimate selection of secure encryption technology or the appropriate timing to exchange a key length,” the firm said. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/06/19/fujitsu_encryption_cryptography_world_record/

Google coughs up what it coughs up to govs

Canada asked Google to remove a video of a Canadian flushing his passport down the toilet and the US police wanted a blog that defamed a cop in a “personal capacity” taken down.

Google has published the censorship requests that it received from governments and government agencies worldwide in the six months from July to December 2011.

In most cases, Google does not detail the nature of the requests or the content it removed. But several of the requests where Google does sketch out the detail reveal the odd preoccupations of different governments. Often this includes the sensitive egos of officials:

We received a request from the Government of Pakistan’s Ministry of Information Technology to remove six YouTube videos that satirized the Pakistan Army and senior politicians. We did not comply with this request.

Heads of state seemed touchy about their portrayal on YouTube: Thai King Rama IX asked Google to remove 149 YouTube videos that allegedly insulted the monarchy: Google restricted 70 per cent of them from view in Thailand. The Turkish government asked for vids satirising Ataturk, the founder of the Turkish state, to be removed.

But there was a “troubling” trend in the removal requests, said Google’s senior policy analyst Dorothy Chou, highlighting the increase in requests for political speech to be removed:

[J]ust like every other time before, we’ve been asked to take down political speech. It’s alarming not only because free expression is at risk, but because some of these requests come from countries you might not suspect — Western democracies not typically associated with censorship.

In the UK it was videos threatening terrorism that authorities asked Google to remove; Google complied and took down 640 videos and deleted five users.

Requests to Google from the US government and agencies had more than doubled compared to the six months before, Google said. The requests mainly came from courts or law enforcement agencies asking for the removal of content deemed to be harassing or defamatory. One American law enforcement agency asked for 1,400 YouTube videos to be removed for alleged harassment. Google did not comply with the request.

Requests for user data

Google also revealed the number of requests for user information that it had received per country: a total of 18,257 requests that pertained to 28,562 users. Governments asked for info that could include search history, Gmail correspondence, or YouTube viewing history.

The rise in data requests was partly due to increased requests from the police who want the information for criminal investigations, Google explained. The American government and associated agencies made the highest number of requests for user data – 6321 requests about over 12,000 people – and Google complied with 93 per cent of them: the highest rate of compliance for any country.

UK authorities requested user data on 1,764 people: Google complied with 64 per cent – coughing up private info for 1,128 Brits.

After the US, India and Brazil, the UK was the country that made the fourth-most total number of user data requests. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/06/18/google_censorship_and_data_requests/

CAPTCHA-busting villains branch out from spam into ID theft

The cybercrooks attempting to defeat CAPTCHAs are no longer just traditional junk-mailers who want to get around the test to send spam. In a recent study, security researchers have discovered that criminals are also using circumvention techniques in attacks that harvest financial or personal data.

A CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) is commonly used to distinguish human users from computer automated applications, thus helping to prevent automated tools from abusing online services, such as webmail accounts. Hackers have developed numerous methods to bypass CAPTCHAs, including computer-assisted tools and crowd-sourcing, creating a cat-and-mouse game between miscreants and CAPTCHA providers such as Google and others.

Junk mailers, for example, are interested in defeating CAPTCHA challenges in order to establish webmail accounts for subsequent spam runs. Last weekend spammers managed to spam the UK’s open data website by circumventing its CAPTCHA gateway in a slightly more sophisticated variant of the same play.

How do they do it?

Hackers are using computer-assisted tools based on optical character recognition or machine learning technologies as well as tools which outsource CAPTCHA-breaking to modern day sweatshops, typically located in India. More recently miscreants have begun hoodwinking naive users into being a part of the crowd sourced for CAPTCHA solutions. These crowd-sourcing techniques sometimes pose as CAPTCHA-busting games that reward players. Some CAPTCHA-busting sites offer free porn as an incentive.

Not just about spam anymore

However, hackers might also be interested in circumventing CAPTCHAs as a means to collect financial or personal details, according to the new study by data security firm Imperva.

Attacks based on CAPTCHA-busting have now been used to access a system for filing financial status reports maintained by one of the central banks in Argentina. Criminals have also launched attacks designed to obtain tax details associated with a Brazilian social security number. Hackers have also targeted the website of an agency in charge of the voting process in Brazil. All three sets of attacks are likely one important part in a more elaborate set of scams, most likely involving ID theft.

In response, CAPTCHA providers need to step up their game to make life harder for miscreants. Approaches on offer include delivering more difficult CAPTCHAs to potentially suspicious users or integrating simple riddles and contextual semantics to beef up challenges. Approaches such as traffic-based automation detection, behavioural analysis, content analysis and blacklists can help distinguish suspicious parties from genuine surfers.

Improvements to the security of CAPTCHA can be made without making life too difficult for legitimate users, according to Imperva.
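The anti-automation approaches listed above (traffic-based automation detection and behavioural analysis, with a harder challenge served to suspicious clients) are easier to reason about with something concrete. The following is an added example, not code from The Register, Imperva or the CAPTCHA providers mentioned: it scores CAPTCHA submissions per client over a constructed log and flags clients whose rate, solve time or cadence looks scripted. The log format, the thresholds and the client addresses are all assumptions made for this example.

```python
"""Added example: simple traffic-based and behavioural checks on CAPTCHA
submissions. Log format, thresholds and sample data are constructed for
illustration; they are not taken from the article or the Imperva report."""
from collections import defaultdict
from statistics import median, pstdev

# Constructed sample log, one submission per line: t is seconds since the
# start of the window, solve_ms is how long the client took to answer.
SAMPLE_LOG = [
    # 198.51.100.7: an OCR-style solver, fixed 2 s cadence, sub-second solves
    *[f"t={2.0 * i:.1f} ip=198.51.100.7 solve_ms=350 result=ok" for i in range(12)],
    # 203.0.113.5: a person, irregular gaps, several seconds per solve, one failure
    "t=0.0 ip=203.0.113.5 solve_ms=4200 result=ok",
    "t=37.0 ip=203.0.113.5 solve_ms=6100 result=fail",
    "t=95.0 ip=203.0.113.5 solve_ms=3900 result=ok",
    "t=140.0 ip=203.0.113.5 solve_ms=5500 result=ok",
    # 192.0.2.9: human-looking solve times relayed from many solvers at once
    *[f"t={t:.1f} ip=192.0.2.9 solve_ms={ms} result=ok"
      for t, ms in zip([0, 3, 5, 9, 10, 14, 15, 19, 20, 24],
                       [9000, 12000, 10500, 14000, 9800, 11200, 13000, 9500, 12500, 10000])],
]

# Thresholds: assumed values chosen for this example, not vendor guidance.
MAX_ATTEMPTS_PER_MINUTE = 20.0   # traffic-based: more than this per client is suspect
MIN_HUMAN_SOLVE_SECONDS = 1.5    # behavioural: nobody reads and types a CAPTCHA faster
MAX_INTERVAL_JITTER = 0.2        # behavioural: near-constant gaps indicate a scheduler
MIN_SAMPLES = 3                  # too few events to judge


def parse_line(line):
    """Parse one 'key=value ...' log line into a dict (constructed format)."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return {
        "t": float(fields["t"]),
        "ip": fields["ip"],
        "solve_s": int(fields["solve_ms"]) / 1000.0,
        "ok": fields["result"] == "ok",
    }


def client_features(events):
    """Summarise one client's submissions: rate, solve time, cadence, success."""
    events = sorted(events, key=lambda e: e["t"])
    n = len(events)
    span = max(events[-1]["t"] - events[0]["t"], 1.0)  # avoid divide-by-zero
    gaps = [b["t"] - a["t"] for a, b in zip(events, events[1:])]
    return {
        "attempts": n,
        "attempts_per_min": n / span * 60.0,
        "median_solve_s": median(e["solve_s"] for e in events),
        "gap_stdev": pstdev(gaps) if len(gaps) >= 2 else None,
        "success_rate": sum(e["ok"] for e in events) / n,
    }


def assess(log_lines, min_samples=MIN_SAMPLES):
    """Return {ip: [reasons]} for every client with enough submissions to judge."""
    by_ip = defaultdict(list)
    for line in log_lines:
        event = parse_line(line)
        by_ip[event["ip"]].append(event)

    verdicts = {}
    for ip, events in by_ip.items():
        f = client_features(events)
        if f["attempts"] < min_samples:
            continue
        reasons = []
        if f["attempts_per_min"] > MAX_ATTEMPTS_PER_MINUTE:
            reasons.append("rate")
        if f["median_solve_s"] < MIN_HUMAN_SOLVE_SECONDS:
            reasons.append("fast_solve")
        if f["gap_stdev"] is not None and f["gap_stdev"] < MAX_INTERVAL_JITTER:
            reasons.append("regular_cadence")
        verdicts[ip] = reasons
    return verdicts


def challenge_level(reasons):
    """Escalate suspicious clients to a harder challenge instead of blocking outright."""
    return "hard" if reasons else "standard"


if __name__ == "__main__":
    for ip, reasons in assess(SAMPLE_LOG).items():
        print(f"{ip:14} challenge={challenge_level(reasons):8} reasons={reasons}")
```

The relay client is the instructive case: its solve times are indistinguishable from a person's, so only the traffic-based rate check catches it, which is why the article lists several complementary signals rather than one. Escalating to a harder challenge rather than blocking keeps the false-positive cost low for legitimate users who happen to trip a single threshold.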

“CAPTCHA security, like many other security segments, is a battle of innovation between hackers and security professionals,” said Amichai Shulman, CTO of Imperva. “CAPTCHA security must be balanced against a positive user experience, but can readily be improved by deploying anti-automation solutions to help prevent hackers from employing anti-CAPTCHA tools.”

The June edition of Imperva’s Hacker Intelligence report, A CAPTCHA in the Rye explaining the threat in greater depth, can be found here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/06/18/captcha_buster_study/

Tech boffins: Spend gov money on catching cyber crooks, not on AV

The UK government should be spending more on catching cybercriminals instead of splurging taxpayers’ money on antivirus software, tech boffins have said.

Blighty goes through around £639m a year trying to clean up after attacks or prevent threats – including £108m it spends on antivirus – but the country is only spending £9.6m on techy law enforcement, a University of Cambridge study found.

“Some police forces believe the problem is too large to tackle,” Ross Anderson, professor of security engineering at the University of Cambridge’s Computer Laboratory, said in a canned statement.

“In fact, a small number of gangs lie behind many incidents and locking them up would be far more effective than telling the public to fit an anti-phishing toolbar or purchase antivirus software.”

The Cabinet Office said it welcomed “this latest contribution to the debate on cybercrime”.

“The government believes the threat is serious and needs to be tackled and that is why we have rated cyber as a Tier 1 threat. Raising awareness and building capacity to resist threats continues to be our focus,” a spokesperson told The Reg in an emailed statement.

“That includes investing in law enforcement capability to detect and apprehend cyber criminals. But we also think it is important to make sure people have the information they need to take steps to protect themselves.”

The study, which was started after a request from the Ministry of Defence, also said that the amount of money the UK was losing as a result of cybercrime was being exaggerated.

“For instance, a report (PDF) released in February 2011 by the BAE subsidiary Detica in partnership with the Cabinet Office’s Office of Cybersecurity and Information Assurance suggested that the overall cost to the UK economy from cyber-crime is £27 billion annually,” the research said.

“That report was greeted with widespread scepticism and [was] seen as an attempt to talk up the threat; it estimated Britain’s cybercrime losses as £3bn by citizens, £3bn by the government and a whopping £21bn by companies. These corporate losses were claimed to come from IP theft (business secrets, not copied music and films) and espionage, but were widely disbelieved both by experts and in the press.”

Using figures ranging from 2007 to 2012, including some which are “extremely rough estimates” based on data or assumption for the reference area, the study reckoned that all the costs of cybercrime both direct and indirect came out at around £11.7bn.

UK.gov – Cybercrime is expensive

The Cabinet Office spokesman said that Detica was best placed to explain its own methodology, but still disagreed somewhat with the study’s conclusions.

“The Cyber Security Strategy was clear that a truly robust estimate would probably never be established, but that the costs are high and rising,” he said.

“That said, we think there are grounds for believing that the true cost is higher than the £11bn quoted by Cambridge University.

“For example, the authors say that they can’t find any hard evidence of the cost of IP theft and have therefore concluded this doesn’t impose any costs beyond the defensive measures they refer to elsewhere in the paper. However, there are suspected cases of IP theft in the public domain and the costs are not nil.”

Aside from differing opinions on the cost of cybercrime, the research team also reckoned that some existing meatspace crime was moving online and being tallied up as part of the cyber cost.

The study pointed out that fraud in the welfare and tax systems, which now often takes place online, is probably costing Brits a few hundred pounds a year on average while card and bank fraud cost a few tens of pounds a year per citizen.

However, what they call ‘true cybercrime’, scams that completely depend on the internet, is only costing a few tens of pence a year, while the cost of antivirus software can be hundreds of times that.

Basically, the indirect costs of folks trying to protect themselves from cybercriminals actually end up costing them more.

“Take credit card fraud,” said Richard Clayton, expert in the econometrics of cybercrime in Cambridge’s Computer Lab. “Direct loss is clearly the monetary loss suffered by the victim.

“However, the victim might then lose trust in online banking and make fewer electronic transactions, pushing up the indirect costs for the bank because it now needs to maintain cheque clearing facilities, and this cost is passed on to society.

“Meanwhile, defence costs are incurred through recuperation efforts and the increased security services purchased by the victim. The cost to society is the sum of all of these,” he explained.

The research team concluded that there should be less spent on antivirus and firewalls and other preventative measures and “an awful lot more” on catching and punishing the perpetrators.

The study (PDF, 346KB) is due to be presented at the 11th annual Workshop on the Economics of Information Security (WEIS), which takes place in Berlin on 25 and 26 June. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/06/18/catch_more_cybercriminals_uk_gov/