Gallery

Bashin' the bots

Posted on 9 Apr 2008 at 12:05

Davey Winder steps into the murky world of botnets and gets some disturbing results from a routine online health check.

However, after letting these various upgrades and ActiveX controls load and allowing Health Check do its stuff for a minute or two, the results were, frankly, not worth waiting for. First, I was confronted by a big red blob and a warning that a security product immediately required my attention. I clicked on the "more information" link to discover that apparently I don't have an antivirus product installed. Imagine my surprise, considering that Norton 360 had performed its normal scheduled antivirus scan on my test PC just an hour earlier!

Still, thank goodness it presented me with a "solve" button, which surely would get to the bottom of the mystery and reveal that my PC was indeed protected by a well-known, market-leading antivirus product. Well, no, actually. What it did do was tell me I needed to get an antivirus program and suggested, not surprisingly, the 2008 version of F-Secure's Internet Security suite. Look chaps, I don't mind advice, and would hardly expect you to refer me to Norton, Check Point or Kaspersky, but I don't appreciate being told I need something I clearly don't (especially given that one assumes Health Check is aimed not at security-savvy journos but rather at clueless consumers, who might panic when confronted by such a warning and perform a knee-jerk purchase of the software on the spot).

Apart from this hiccup, the Health Check served its purpose by identifying that the Opera web browser I'd installed wasn't the most up-to-date version, likewise the Thunderbird email client and a couple of other apps. Overall, though, I'm not convinced this is any better than using the check-for-updates feature of the applications themselves, scheduling Windows Update to do its stuff as necessary, and keeping an eye on the Windows Security Center or your proprietary equivalent. At least these services don't try to sell you solutions to problems that don't exist.

Should bad IT security be a crime?

It's no secret that the UK Ministry of Justice is considering following the lead of several US states and imposing a legal duty of disclosure in the reporting of data security breaches, and possibly also making it a criminal offence to operate with such poor security that breaches occur in the first place. This might seem like a nonsense approach to the data security problem, but give it some more thought and certain merits become apparent. After all, fines don't seem to have been much of a deterrent when it comes to breaching data-protection rules: if you were a bean-counter for a big business faced with the choice between a potential £10,000 fine for a security breach versus £100,000 of costs right now to implement the necessary security to avoid that breach occurring in the first place, which way would you jump?

To me, anything that can be done to force organisations of any size, be they in the private or public sector, to take the security of their data more seriously is a good thing, even if it means criminalising poor security procedures. A good start would be the mandatory disclosure of security breaches involving personal data, as in the US, which would introduce a potential for serious damage to the brand's reputation as an extra factor on the debit side of the bean-counters' equation, and might just tip their cost/benefit analysis in favour of prevention.