Shameful spin

Shameful spin

Technology managers have more to fear from serious financial scams than from hijacked trophy lists used to frighten potential customers.

There's been a lot written in the past few years about the declining state of internet security that has been aimed at firmly entrenching a permanent state of fear into the minds of executives and the public at large. You know the stuff: horror stories about corporations crippled by digital nasties because they forgot to buy the right product. Five years ago it was viruses, worms and denial of service attacks that could bring any network to its knees. Three years ago it was locking down networks against penetrations that could compromise sensitive information and bring disgrace on technology managers.

Today, if you tune into the concerns of security experts, it's a range of rootkits, web-borne trojans and spyware that can compromise a customer's home computer and deliver criminals the most sensitive of details for credit cards, bank accounts and securities trading.

Sure, some of it is true, like the fact that the Sydney Opera House's website was attacked and remodelled to serve out malicious code that you'd usually pay the price of a ticket to a night of Wagner to avoid (I'm not sure which is worse: Wagner's Ring or the malware).

So it was with heightened interest last month that I received an invitation from a security software company imploring me to attend an exposé that would name and shame victims who'd had their websites hacked from a security software vendor.

Normally this would have been appealing if only for the thrill of ogling at how teenagers in Brazil can wreak havoc on otherwise boring council websites.

Some of the names on this great sheet of shame looked very familiar. For starters, there was an over-representation of local government websites that had seen their home pages redesigned by drunken cyber-schoolies.

What bugged me was the neat order of the list of shame. Names, web addresses, dates and operating systems (mostly Microsoft's IIS) ... all were promoted as the research of this security company.

In reality it was nothing of the sort. This piece of PR spin was lifted from the hacker's trophy cabinet of the Zone-H website that archives all manner of internet security faux pas. There is debate about the interests that run Zone-H, but the best bit about its website is the ability to search for web defacements by location, operating system and the hacker. You can get a chuckle out of the "artwork" used to deface public property.

Justified cynicism

But what is really disturbing is that a security vendor would try to pass off such material as its own research without first acknowledging its source. It's for reasons like this that many people, myself included, remain highly cynical about security vendors and the threats they use to push their products.

I'm not going to name the company involved, not because we are scared of legal comeback, but if they want any free publicity they will need to try harder. These sorts of publicity tactics are the lowest ebb that security vendors will stoop to, short of developing malicious code themselves.

For starters, glorifying the exploits of script kiddies for what would have been a mere blip in the existence of an otherwise economically inconsequential website is akin to telling chief information officers there is a graffiti problem on trains. Yes, we care that our trains are defaced, but we care more when they don't run. People who get ejected from trains on the Sydney Harbour Bridge and told to walk home really, really care.

So creating a public catalogue of great graffiti crimes for the alleged benefit of public infrastructure doesn't really help anyone.

It's against this sort of self-serving mischief that large financial institutions, especially banks and payment services companies, are permitted to continue to obfuscate the real risks the public face in doing commerce online.

There is still no official or public statistic on the volume or value of financial transactions compromised by crooks through scams far bigger than a bit of graffiti. This is the sort of information the public needs when considering which online offerings they are going to trust with their mortgages and life savings.

Large banks in Australia recently quashed a push by smaller deposit-taking institutions to shift some liability for online fraud to the customer if it could be determined there was inadequate security on home computers.

After some robust debate, a more sensible approach to minimising harm prevailed. Many banks will now offer heavily discounted security software to customers via referrals from internet banking websites.

Notably, some of the world's biggest security software companies that have commonly used fear, uncertainty and dread to promote their products have been given the cold shoulder by local financial institutions in favour of less conspicuous products.

That's a sure sign that there's little appetite for using childish scare tactics to frighten customers into purchases just so that they can go about their daily affairs online.

As many technology companies learned after the dotcom bubble, sooner or later you realise that you are no longer a teenager, stop spray-painting trains and just grow up.

© Fairfax Business Media

Join the CIO New Zealand group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags spywarevendor managementtrojas

Show Comments