SAN FRANCISCO -- Children are taught early on that they should never take candy from strangers or mess around with drugs and alcohol. Since they're spending more time online, one security expert says they must also start learning about the evils of the virtual world.
Phishing scams and malicious email attachments are as dangerous to youth as they are to adults, experts at RSA Conference 2007 said during a panel discussion on the rise of crimeware. But while adults can be set in their computing ways, children are probably more open to learning about cybersecurity.
"We need to train children about today's threats and defenses while they are in elementary school, using a program similar to D.A.R.E.," said Jeannette Jarvis, security group program manager for worldwide services at Microsoft and a former security systems product manager at Boeing. D.A.R.E. (Drug Abuse Resistance Education) is a police officer-led series of classroom lessons designed to teach children how to resist peer pressure and live drug- and violence-free lives.
Focusing on children could ultimately improve security among home users who are now the biggest target of digital desperados, she said.
"It's easier to train people in a corporate environment about security, but home users are a bigger problem." Jarvis said. "You can educate people but you have to be able to reach everyone and cater to different learning styles."
That can be a tall order when it comes to adults who may be too busy with work and family to take the time to learn about online security. But children are like sponges, eager to soak up new knowledge, Jarvis said.
Panelists said the bad guys will continue using social engineering tricks to dupe users into visiting malicious Web sites and clicking on sinister URLs and attachments. The number of security savvy users may be growing, but attackers will always be able to ensnare someone. For every user who is tricked, there's money to be made, said David Perry, global director of education for Tokyo-based antivirus vendor Trend Micro.
"Cybercrime is the manifest destiny of malware," he said. "It's all about programs for pay."
Today's malware wants the user's identity and credit card number, Perry said, and attackers know the best way to get that is to prey on user behavior and misunderstandings. Attackers also know that one of the best places to hide malware is on sites where there's creative input.
"If you go to sites like eBay or Wikipedia, you can find malware," he said. "It's trouble waiting to happen."
Alex Shipp, senior antivirus technologist for New York-based MessageLabs, said another indication of the attackers' success is the sheer number of attacks his firm observes each day. Last year the company saw one Trojan horse attack a day. This year it's up to three a day, and two-thirds of the malware come from Microsoft Office and other documents that are not blocked at the perimeter.
The good news, he said, is that Microsoft has spent more time patching Office flaws. Indeed, Microsoft was scheduled to release additional Office fixes as part of its February security update. "These flaws have been around, but we're getting better at detecting them," Shipp said.
Despite that, panelists said, many security vendors still can't detect malware hiding inside flawed Office and Word documents.
Panelists said users must be aware of fake emails that may take advantage of their interest in certain events on the calendar, like Valentine's Day and the April 15 tax deadline. "Expect more attacks leading up to April 15," Jarvis said.
Users should also be aware that the bad guys are focusing more on phishing scams incorporating the names of retailers like Sears and smaller, regional institutions.
Righard Zwienenberg, chief research officer at Norman Data Defense Systems in Norway, said attackers who once sent fake emails from major global financial institutions are now using more local institutions. "This is moving into more regional attacks with smaller targets like the Dutch Postbank," he said.
What can be done to stem the tide?
In addition to teaching children about the perils of cyberspace, panelists suggested that companies do a better job sharing information on new threats so they can put stronger defenses in place while waiting for the patch.
And, Perry said, users should understand that there's no such thing as a free lunch online.
"If you get it for free on the Internet it's suspect," he said.