Select Committee on Science and Technology Minutes of Evidence

Examination of Witnesses (Questions 440 - 459)



  Q440  Chairman: Welcome everybody to this session of the Science and Technology Select Committee. I would like to particularly welcome our witnesses. Thank you for your time and for what you have submitted to us already. Members of the public who are here, you will be aware that there is a notice which you can pick up about this meeting and the mission we have on the Select Committee in this inquiry. Perhaps I could ask the witnesses first to introduce yourselves and then, if you wish, make an opening statement. Perhaps, Mr Isbell, we could start with you?

  Mr Isbell: Certainly. I am Roy Isbell. I am the Vice-President of Global Government Services for Symantec.

  Mr Chantzos: My name is Ilias Chantzos. I am the Head of Government Relations for Europe, the Middle East and Africa of Symantec Corporation.

  Mr Wood: My name is Paul Wood. I am the Senior Analyst at MessageLabs.

  Mr Sunner: My name is Mark Sunner. I am the Chief Security Analyst, MessageLabs.

  Q441  Chairman: Thank you very much. Do any of you wish to make an opening statement?

  Mr Isbell: My Lord Chairman, I would like to make a statement from Symantec, if I may. Symantec extends its thanks to the Committee for the opportunity to provide oral evidence in this inquiry. We welcome the opportunity to answer your questions and further the position outlined in our written submission to the Committee. In September Symantec published its latest Symantec Internet Security Threat Report from data collected on security attacks between January and June 2006. Our findings showed the UK with the third highest number of bot infected computers worldwide and the third most targeted country for denial of service attacks. The UK is also fourth in the world for spam creation with 4 per cent of the world's spam originating in the UK. The report also confirms that home users are the most targeted online with 86 per cent of attacks aimed at the individual home users. Symantec believes all stakeholders should strive to improve security at all levels given the ever-evolving online threat environment. An effective information security policy relies on a multi-layered defence against attacks. Whilst security remains ultimately users' responsibility, as an increasingly complex of threats emerge Symantec understands users cannot be expected to ensure an adequate level of security on their own. Symantec is committed to developing solutions which help individuals ensure the security, availability and integrity of their information.

  Q442  Chairman: Thank you very much. Would anybody else wish to make a statement?

  Mr Sunner: I would just like to also reiterate and extend our thanks for the opportunity to give evidence here. We ourselves at MessageLabs are an Internet-based security company. The premise is to filter traffic en route to our customers at the Internet level rather than at premises, and for that we filter email, web traffic and instant messaging. During the latter half of 2006 we have observed some interesting trends in trojan and spam-related activity which are unprecedented from a technical perspective and we would like to share some of the trend information which we have with you today.

  Q443  Chairman: Thank you very much. We have quite a long list of questions. I would ask you, if possible, to be succinct in your answers and to speak up because the acoustics in this room are not good. Let me ask the first question, which is a very general question. How much email spam is being sent?

  Mr Sunner: Currently, heading towards the corporate world, 75 per cent of all email now heading towards companies is spam. For the domestic populace that is closer to, conservatively, about 85 per cent.

  Q444  Chairman: 85 per cent of the total is spam?

  Mr Isbell: That is slightly different from the measurements which we made. In our measurements, according to the period in question, spam made up 54 per cent of all monitored email traffic which we were able to monitor, and that was up from 50 per cent in the previous period.

  Q445  Chairman: That leads me to my supplementary question: how accurate do you think these numbers are? We have already had an interesting spread.

  Mr Isbell: I think it depends on the reach of the intelligence network the organisation has which is actually measuring it. Currently we monitor 30 per cent of the global email traffic which goes through the Internet.

  Q446  Chairman: 30 per cent?

  Mr Isbell: 30 per cent of all email traffic goes through our botmail facility.

  Q447  Chairman: Spammers send different amounts of spam to different people and presumably can tell who is being protected by filtering systems and send more or less spam accordingly. Is this so, and if so how does it affect the accuracy of these overall figures?

  Mr Isbell: We are seeing increased targeted attacks of spam, that is definite, if I could answer the question in that way. The effectiveness of their monitoring is unknown to us at this moment in time. The spam we are actually witnessing is; products 26 per cent, adult spam 22 per cent, and commercial products 19 per cent of the total spam make-up. So to directly answer your question, we are seeing a degree now of targeted spam through social engineering, depending on particular events which might be happening. A particular case in point which comes to mind is St Valentine's Day which is now coming up, so we are seeing targeted events around St Valentine's Day to get people to open up that spam.

  Mr Sunner: Just to go back to the numbers, we have seen the profile of spam actually change quite significantly in the last three years. Three years ago we were seeing the volumes of spam back then were about 50 per cent. Now we see it at 75 per cent and that is based on us clearing nearly 2 billion emails per week. Within the profile of that spam, again to come back to the targeted nature, what we have seen is that whereas the biggest arsenal of the spammer used to be to just send more of it, now they are attempting to profile who it is heading towards. So we see spam targeting particular demographs or people who use certain banks in terms of phishing, and one of the alarming aspects of this is how they are able to do this. 2006 saw a huge rise in the use of social networking sites. These are websites such as My Space where people willingly key in a lot of information about themselves which the spammers, and more importantly phishers, are then able to plunder this information and make their attacks more focused, which means they are more socially engineered, which means people are more likely to click on these things. That is probably the biggest profile, not just within the growth of the volume we are seeing but the change of behaviour within the messages which are coming out.

  Q448  Chairman: Do you think we are going to win this battle of being able to filter spam, or do you think spammers will just be able to make it invisible?

  Mr Sunner: Clearly this is an arms race, so it will consistently be a moving target, but I think the more we can interweave the detection and the filtering of this content into the fabric of the Internet—and that is not just for email, that goes for web traffic and instant messaging as well—dealing with it "in the cloud" as opposed to at the end point, the same as a utility model—in the same way as you would not expect to have to boil your own water at home before you could use it, clearly that would be mad, but in IT that is what everyone is doing with their email. So if you can get the detection into "the cloud" you can be much more aggressive about how you can filter this stuff out and you are also a stage closer to the source of the problem, which also helps in potentially tracking this down and eliminating the botnets.

  Mr Isbell: I would also agree that a multi-layered defence approach is required. I fully agree with my colleague about getting it into "the cloud", but effective end point security to filter at the end point is also a requirement.

  Q449  Baroness Hilton of Eggardon: How much of all this spam is actually carrying viruses? Have you any idea of the proportion?

  Mr Sunner: I can tell you that currently for January one in every 119 messages on average that we are processing contains a virus that is a trojan of some description. The vast majority, over 90 per cent, are botnet related. So the vast majority of viruses are actually to do with spam. They are essentially the air supply for spammers, where the target is home users rather than business. That number is actually down from January 2006, where the number would have been closer to approximately one in 250 -

  Mr Wood: It would certainly have been a lot lower, I think.

  Mr Sunner: What used to happen was that the volume of viruses was directly linked to the volume of spam, so if we saw more viruses we knew more spam would follow it, and that de-coupled about July 2006. What this means is the bots which are going out there are now much more efficient at sending spam. So the bad guy community, for want of a better word, is interested in sending more discrete viruses which stay under the radar for longer, which go undetected for longer by companies like ourselves, so that they can basically have a longer existence. We believe this trend will continue, that the virus count will actually continue to come down in email but go up inside web traffic, but spam volumes will continue to go up the whole time. That is exactly the trend we are seeing at the moment.

  Mr Isbell: That concurs with our findings, that one of every 122 spam messages is blocked by our botmail system containing malicious code. Our probe network also detected 157,477 unique phishing messages during that period.

  Q450  Lord Sutherland of Houndwood: Can I ask what you mean by "unique"?

  Mr Isbell: These are distinct in their own right. They are all separate and distinct in what they are trying to do.

  Q451  Lord Sutherland of Houndwood: To follow through, you obviously have a huge experience of what the bad guys are doing. You also want to look on the other side at which the consumers, those who have systems, need. Do you think they are getting enough education about the dangers out there on the net? If so, fine—I suspect not—but if not, what would you suggest?

  Mr Isbell: We did think about this and we have had some internal discussion going on about this. Education and awareness is a multi-faceted and multi-targeted environment. I do think there is the opportunity to give more education for our children under the ICT programme for schools. We all know that these are the surfers of the future and we also know that children in our environment teach mum and dad how to use the video recorder remote, so I think that raising the level of education regime and the level of awareness in our children is one way forward to improve overall. Secondly, I think we also need to be aware that we are getting an increased number of what are known as "silver surfers", an ageing population.

  Q452  Lord Sutherland of Houndwood: I think you have some around the table in front of you!

  Mr Isbell: I do not think we are actually doing enough to target that demographic because they need more help, I believe, than somebody in their mid-term.

  Q453  Lord Sutherland of Houndwood: I can follow that. There is a bit of tension here because clearly one of the things one wants to do is encourage more people, not least the potential silver-surfers, to use this capacity to enlarge their lives, but if at the same time you frighten the wits out of them—is there a tension there which you are noticing or experiencing?

  Mr Isbell: I think there is a danger that we could go too far down the fear, uncertainty and doubt route (the FUD factor, as it is called), but I think if the awareness and training is done in a sensitive manner at an early age that will filter through and show people that it is not something to be feared but it is something which could be managed.

  Q454  Earl of Erroll: I found the best education for my sons was when they got a whole lot of viruses as a result of being very careless on peer to peer networks and after "Daddy" spent some time clearing them off they started to wake up to it, and maybe you should contaminate schoolchildren's computers deliberately so they can learn how to remove them!

  Mr Isbell: That can be a very hard lesson to learn and very time-consuming for the parent, as I am sure you are aware.

  Mr Sunner: If I could make one comment relating to that point, I think education is certainly important and I think initiatives like Get Safe Online have been very useful at raising awareness, but we have to be realistic. The technical nature of these problems now is very, very carefully engineered and it reaches a point where the primary solution now has to be a technical one rather than education, unfortunately. I think education is useful, but treating it with individual powers is a very specialist task and the bad guys are very aware that the weakest link in all of this stuff is actually the human at the other end, and that is why social engineering is so powerful. So whilst education is definitely useful, I think the focus should be a technical one.

  Q455  Lord Sutherland of Houndwood: I am sure that is a wise comment, but equally a very basic thing if you are new to the business is about what looks like a suspicious email. You do learn the more you do it, but if you are starting and you get something from Robert—well, I know dozens of Roberts, so how do I know that this is not one of the bad ones?

  Mr Isbell: That is certainly where the targeted attacks are coming in. They are using that social engineering to try and get you to open up the emails and to click on the link, so to speak.

  Mr Sunner: Worryingly, thanks to social networking, these emails can now be addressed to you with your actual address, possibly even referencing your siblings, depending on what you have keyed into these certain sites. That really has not happened in anger yet, it is very early days, at an embryonic stage, but that is what we are dealing with. So educating against that—it is such a moving target that the emphasis has to be on the lines in these protocols themselves, first and foremost.

  Mr Isbell: Just to add to that point, there is another thought that as we get down the road of more mobile phones, multi-purpose PDAs, et cetera, then the user awareness and the user environment also has to take care of those evolving threats which are going to come with our new technology.

  Q456  Earl of Erroll: Were there any instances in fact last Christmas with some of the greeting cards, particularly ones which were hosted on websites, containing anything like that? Certainly I had two that I did not go and visit because I was not certain about the organisations they came from. Were there any cases of that?

  Mr Wood: That is quite a common technique, especially around holiday periods like Christmas, where you can have a high number of those types of attacks where they will use the social engineering of being able to receive a greetings card. You are not going to necessarily know who sent that or whether it is from somebody you do know. The inclination is to click on the link and that is where they transfer the attack from the email scenario over to the web and then they can use exploits on your browser to then infect your machine through a different channel.

  Q457  Lord Mitchell: Just before I ask my question, just for my own knowledge, what percentage of domestic laptops or computers actually have anti-virus software on them?

  Mr Isbell: That is a very good question. I do not think we have the detailed analysis.

  Q458  Lord Mitchell: What would you guess?

  Mr Chantzos: Globally?

  Q459  Lord Mitchell: Let us just take the UK to start with.

  Mr Isbell: One thing I can say is that there are 318 million customers who launch our live update every day, that is globally. Does that help give you the size?

  Lord Mitchell: Well, sort of.

  Chairman: There are 2 billion cell phones in the world at the moment and about 600 million PCs.

previous page contents next page

House of Lords home page Parliament home page House of Commons home page search page enquiries index

© Parliamentary copyright 2007