Sasser arrest 'encouraging', but more should be done, say experts

The security community is still doing too little to bring malicious attackers to justice, several experts have claimed, despite...

The security community is still doing too little to bring malicious attackers to justice, several experts have claimed, despite the speedy arrest of the alleged perpetrator of last week's Sasser outbreak.

Sven Jaschan, an 18-year-old German who had just graduated from vocational school, was arrested on Friday in connection with the Sasser. Jaschan was caught following a tip to Microsoft from a group of individuals in his home state of Lower Saxony. Microsoft passed the information to German authorities, who arrested him near Rotenberg. 

The speed of the arrest is "encouraging", said Ken Dunham, a director at iDefense. "This is a big improvement over the arrests never seen of yesteryear. The more arrests that are made, the more malicious code authors are likely to avoid the release of malicious code into the wild." 

Alan Paller, director of research at the SANS Institute, agreed. "I am very impressed with the international co-operation in law enforcement and with the FBI's effectiveness. I am equally impressed with the Justice Department's success in getting other countries to implement laws that make such attacks crimes." 

The problem, though, is that such arrests are few and far between, said Bruce Schneier, chief technology officer and co-founder of managed security services provider Counterpane Internet Security.

The arrests only "tend to happen with stuff that is high-profile", Schneier claimed, adding that much less effort is put into pursuing perpetrators of less visible and targeted attacks. 

Experts admitted that doing so can be a hard and expensive task. 

"To date, the virus writers who have been caught [have been] mostly amateurs," said Andrew Plato, a consultant at Anitian Enterprise Security. "They were caught using traditional means of law enforcement, such as tips from friends - not high-tech analysis of the worm or attack vectors." 

"Far more should be done to ensure that logs exist to allow tracing back originating traffic to its actual source," said Russ Cooper, editor of the NTBugtraq mailing list and an analyst at TruSecure.

"ISPs continually fight these attempts by law enforcement, presumably because they feel the burden of having to comply will be too heavy." 

Fear of retribution is another reason many victims have been unwilling to go after attackers, even when their identity is known, Schneier said.

"We built a forensic capability so that we could go after the bad guys. But surprisingly, very often companies don't want to do that. They don't want to make waves because they are very afraid of retribution," he said. 

Stronger penalties are also needed against those who launch such attacks, Cooper said. "For far too long, it seems as if society treats the act of infecting or taking over someone's computer as 'cute'. " 

"Someone willing to cause billions of dollars of cost and millions of hours of effort clearly needs to be locked away to prevent us from being abused by them in the future," Cooper said. 

But prosecuting cybercriminals can be difficult, said David Endler, a director at TippingPoint Technologies, who added that the standards of electronic forensic evidence have yet to catch up to the same standards used for more traditional crimes. 

The lack of standard international cyberlaws is also a problem, he said. "If a resident of Germany unleashes a worm from a compromised computer in Russia, do extradition laws apply?"

Jaikumar Vijayan writes for Computerworld

Sasser release points to more than one author >>

Sasser and Phatbot arrests co-ordinated, but not linked >>

Read more on IT risk management