Friday, 3 August 2012

Computer attack statistics

Did you know that the global cost of cyber crime is $1 trillion?

Or that counterfeit software DVDs are likely to contain malware?

The great $1 trillion scandal

$1 trillion is a lot of money, especially considering that the United States makes around $14 trillion a year.

It is possible, of course, that this figure is not accurate. In fact, it is very likely that this amount is wrong.

This has not stopped the media, leading politicians and other high-profile figures from quoting it.

Those who have cited it include US President Obama, NSA director General Keith Alexander and the security firm McAfee, which dropped the figure into a report it published last year.

Wired has published an insightful article that investigates the origin of the $1 trillion figure for money lost to cyber crime.

It found that a number of researchers and other experts had contributed in one way or another to the report, and that few of them were prepared to vouch for the figure.

Here are some of their comments when asked about it:

Ross Anderson, security engineering professor, University of Cambridge
"I would have objected at the time had I known about it. The intellectual quality of this [$1 trillion number] is below abysmal."

Jackie Rees Ulmer, associate professor, ProPublica
"I expressed my concern with the number as we did not generate it... It is almost certainly the case that I would have told them the number was unsupportable."

Sal Viveros, a McAfee PR person who oversaw an older McAfee report, said that the figure was calculated from a survey: the company took the total lost revenue that was reported and "multiplied it by the number of similar companies in the countries we studied," according to Viveros.

Does pirated software put you at risk of identity theft?

In October 2007 I met with Michala Alexander, then Microsoft's UK head of anti-piracy. I was news editor of Computer Shopper.

She claimed to have research showing that, depending on the country, there was a good chance that pirated software sold on physical media would be infected with malware.

Alexander told me, "People who buy pirated software are putting themselves at risk of cyber crime and identity theft."

The research did not appear to be available from Microsoft, though, and I discovered that the figures came from an IDC report called The Risks of Obtaining and Using Pirated Software. This seemed promising because, although the report was sponsored by Microsoft, IDC is both respected and independent.

However, IDC's report was based on research that involved software downloads. It explicitly did not address physical disks on sale abroad:

"IDC did not test physical media. We did, however, review the work Microsoft conducted earlier in the year analyzing disks obtained by Microsoft employees who purchased mid-grade counterfeit software in various countries around the world."
And so we return full circle to Microsoft, which provided some data for the same IDC report that it had sponsored.

Microsoft's own research does not support its own headline conclusions of heavy malware infections. In fact it does not mention malware at all, although it does refer to additional program files and tools used to bypass copy protection controls.

Microsoft placed its research on physical counterfeit media into a report otherwise wholly dedicated to the malware threat of downloading counterfeit software. This created a close association between the two, and Microsoft drew incorrect conclusions from it in its press releases and press briefings.

Today Microsoft's anti-piracy web page states things a little more clearly:

"In an IDC study, 25% of web sites studied that offered counterfeit or pirated software also attempted to install spyware or Trojans... In studies conducted on counterfeit versions of Microsoft software... more than 40% of the... counterfeit disks installed contained additional programs or binaries with known vulnerabilities."

It's interesting to note that installing any version of Windows, even from trustworthy media, will install programs with known vulnerabilities, so that statistic does not by itself tell counterfeit disks apart from genuine ones.