02 Nov 2005
While the internet is providing new opportunities for businesses and consumers, its success is also making it a lucrative ground for criminals.
Organised crime syndicates and individual hackers are exposing flaws in IT products and consumer knowledge to steal money, costing UK businesses £2.4bn last year.
Microsoft, the world’s biggest software organisation, is a prime target for criminals trying to exploit vulnerabilities in its technology to launch viruses, compromise computers and plant money-stealing trojans.
Scott Charney, chief security strategist and vice president of Microsoft’s Trustworthy Computing initiative, is the person responsible for combating this growing threat.
‘We are seeing more organised crime activity. As the internet becomes more mainstream it is not surprising that criminals are targeting it. We are seeing the growth of botnets and spyware, which both have huge implications for businesses,’ he says.
‘Once criminals become involved you are no longer dealing with isolated script-kiddies, but rather with a growth in profit-driven crime. From spam and phishing to more sophisticated botnets, it is clear that companies are being extorted.’
Charney joined Microsoft in April 2002. His career includes roles as chief of computer crime in the US Department of Justice’s criminal division and assistant district attorney at Bronx County in New York State.
His aim at Microsoft is to reduce successful computer attacks and increase consumer confidence in online security.
Since Charney’s appointment Microsoft has launched a multi-pronged attack against internet criminals, working on new technologies and consumer campaigns to limit criminal activity.
Through participation with law enforcement agencies and by putting bounties on the heads of virus writers, the company is looking to make criminals think twice before launching their attacks, he says.
‘The only way to stop this type of crime is to deal with it in the same way as any other crime: you need to vigorously pursue and prosecute people,’ he says.
‘You can bed in systems to prevent a successful attack but you can’t stop people from launching the attacks. This is where the government comes in.’
Last year, Microsoft and the FBI scored a major success by tracking down teenage virus writer Sven Jaschan after two of his school friends were tempted by the $250,000 (£141,000) reward for information, which eventually led to his arrest.
Jaschan, who cost businesses millions of pounds by creating the Sasser and Netsky worms, received 30 hours’ community service for his crimes.
‘People who write and distribute viruses often talk. It is hard to identify the source of a virus using technical means because of the way they propagate, so we want to offer incentives to encourage people to come forward and report them,’ says Charney.
But law enforcement agencies also need to commit more funds to tackling cyber crime if prosecutions are to succeed, he says.
‘Computer crime units have to build capacity. It is not because they are not trying. The problem is that resources are limited, officers are trained up and then private companies come along and snatch them away,’ he says.
International co-operation can also help tackle the boundary-less nature of internet crime.
‘In the physical world people need to visit the scene of the crime, but it is different on the net. The internet breaks all these rules; there is a lot of transnational crime, and that poses huge challenges to law enforcement,’ he says.
‘Governments need to work together more closely if they are to be more successful in their prosecutions.’
To tackle this issue Charney is urging countries to sign up to the Council of Europe’s Convention on Cyber Crime, which is aimed at formulating a global approach and framework against internet crime.
But Microsoft and the IT security industry also need to share a large part of the responsibility. This is why the software firm is making security its main investment priority this year, adding new features to forthcoming Internet Explorer and Vista products, and working with systems developers to design out the flaws in programs, he says.
Charney argues that ISPs that provide consumers with access to the web should also provide greater levels of security and filtering. This could drastically reduce spam, phishing and denial-of-service attacks, he says.
‘We should not push the responsibility of security on to the consumer, but at the same time this does not mean you should stop public education, because there are still virus emails that will trick people into doing things,’ he says.
Microsoft initiatives for UK computer users
Microsoft wants to educate home PC users and businesses in a number of ways.
Last week, alongside the National Hi-Tech Crime Unit and other public and private organisations, Microsoft launched Get Safe Online, a UK initiative aimed at helping people to secure their computers.
The company hopes this will reduce phishing and the number of compromised home PCs that can be used by criminals to launch denial-of-service attacks.
Microsoft’s latest internet browser has been designed to provide consumers with greater information about the web sites they are about to access, and pop-ups highlight the potential dangers of downloading untrusted data.
‘Even though we build in a lot of technology protection, internet users still have choices to make in terms of what they download or sites they access. We want to make that an informed choice,’ says Charney.
‘We want to provide just-in-time education so that people can make an informed decision rather than simply reading something in a manual that they will need to remember three months later.’