Examination of Witnesses (Questions 440
WEDNESDAY 31 JANUARY 2007
Welcome everybody to this session of the Science and Technology
Select Committee. I would like to particularly welcome our witnesses.
Thank you for your time and for what you have submitted to us
already. Members of the public who are here, you will be aware
that there is a notice which you can pick up about this meeting
and the mission we have on the Select Committee in this inquiry.
Perhaps I could ask the witnesses first to introduce yourselves
and then, if you wish, make an opening statement. Perhaps, Mr
Isbell, we could start with you?
Mr Isbell: Certainly. I am Roy Isbell. I am
the Vice-President of Global Government Services for Symantec.
Mr Chantzos: My name is Ilias Chantzos. I am
the Head of Government Relations for Europe, the Middle East and
Africa of Symantec Corporation.
Mr Wood: My name is Paul Wood. I am the Senior
Analyst at MessageLabs.
Mr Sunner: My name is Mark Sunner. I am the
Chief Security Analyst, MessageLabs.
Thank you very much. Do any of you wish to make an opening statement?
Mr Isbell: My Lord Chairman, I would like to
make a statement from Symantec, if I may. Symantec extends its
thanks to the Committee for the opportunity to provide oral evidence
in this inquiry. We welcome the opportunity to answer your questions
and further the position outlined in our written submission to
the Committee. In September Symantec published its latest Symantec
Internet Security Threat Report from data collected on security
attacks between January and June 2006. Our findings showed the
UK with the third highest number of bot infected computers worldwide
and the third most targeted country for denial of service attacks.
The UK is also fourth in the world for spam creation with 4 per
cent of the world's spam originating in the UK. The report also
confirms that home users are the most targeted online with 86
per cent of attacks aimed at the individual home users. Symantec
believes all stakeholders should strive to improve security at
all levels given the ever-evolving online threat environment.
An effective information security policy relies on a multi-layered
defence against attacks. Whilst security remains ultimately users'
responsibility, as an increasingly complex of threats emerge Symantec
understands users cannot be expected to ensure an adequate level
of security on their own. Symantec is committed to developing
solutions which help individuals ensure the security, availability
and integrity of their information.
Thank you very much. Would anybody else wish to make a statement?
Mr Sunner: I would just like to also reiterate
and extend our thanks for the opportunity to give evidence here.
We ourselves at MessageLabs are an Internet-based security company.
The premise is to filter traffic en route to our customers at
the Internet level rather than at premises, and for that we filter
email, web traffic and instant messaging. During the latter half
of 2006 we have observed some interesting trends in trojan and
spam-related activity which are unprecedented from a technical
perspective and we would like to share some of the trend information
which we have with you today.
Thank you very much. We have quite a long list of questions. I
would ask you, if possible, to be succinct in your answers and
to speak up because the acoustics in this room are not good. Let
me ask the first question, which is a very general question. How
much email spam is being sent?
Mr Sunner: Currently, heading towards the corporate
world, 75 per cent of all email now heading towards companies
is spam. For the domestic populace that is closer to, conservatively,
about 85 per cent.
85 per cent of the total is spam?
Mr Isbell: That is slightly different from the
measurements which we made. In our measurements, according to
the period in question, spam made up 54 per cent of all monitored
email traffic which we were able to monitor, and that was up from
50 per cent in the previous period.
That leads me to my supplementary question: how accurate do you
think these numbers are? We have already had an interesting spread.
Mr Isbell: I think it depends on the reach of
the intelligence network the organisation has which is actually
measuring it. Currently we monitor 30 per cent of the global email
traffic which goes through the Internet.
30 per cent?
Mr Isbell: 30 per cent of all email traffic
goes through our botmail facility.
Spammers send different amounts of spam to different people and
presumably can tell who is being protected by filtering systems
and send more or less spam accordingly. Is this so, and if so
how does it affect the accuracy of these overall figures?
Mr Isbell: We are seeing increased targeted
attacks of spam, that is definite, if I could answer the question
in that way. The effectiveness of their monitoring is unknown
to us at this moment in time. The spam we are actually witnessing
is; products 26 per cent, adult spam 22 per cent, and commercial
products 19 per cent of the total spam make-up. So to directly
answer your question, we are seeing a degree now of targeted spam
through social engineering, depending on particular events which
might be happening. A particular case in point which comes to
mind is St Valentine's Day which is now coming up, so we are seeing
targeted events around St Valentine's Day to get people to open
up that spam.
Mr Sunner: Just to go back to the numbers, we
have seen the profile of spam actually change quite significantly
in the last three years. Three years ago we were seeing the volumes
of spam back then were about 50 per cent. Now we see it at 75
per cent and that is based on us clearing nearly 2 billion emails
per week. Within the profile of that spam, again to come back
to the targeted nature, what we have seen is that whereas the
biggest arsenal of the spammer used to be to just send more of
it, now they are attempting to profile who it is heading towards.
So we see spam targeting particular demographs or people who use
certain banks in terms of phishing, and one of the alarming aspects
of this is how they are able to do this. 2006 saw a huge rise
in the use of social networking sites. These are websites such
as My Space where people willingly key in a lot of information
about themselves which the spammers, and more importantly phishers,
are then able to plunder this information and make their attacks
more focused, which means they are more socially engineered, which
means people are more likely to click on these things. That is
probably the biggest profile, not just within the growth of the
volume we are seeing but the change of behaviour within the messages
which are coming out.
Do you think we are going to win this battle of being able to
filter spam, or do you think spammers will just be able to make
Mr Sunner: Clearly this is an arms race, so
it will consistently be a moving target, but I think the more
we can interweave the detection and the filtering of this content
into the fabric of the Internet - and that is not just for
email, that goes for web traffic and instant messaging as well - dealing
with it "in the cloud" as opposed to at the end point,
the same as a utility model - in the same way as you would
not expect to have to boil your own water at home before you could
use it, clearly that would be mad, but in IT that is what everyone
is doing with their email. So if you can get the detection into
"the cloud" you can be much more aggressive about how
you can filter this stuff out and you are also a stage closer
to the source of the problem, which also helps in potentially
tracking this down and eliminating the botnets.
Mr Isbell: I would also agree that a multi-layered
defence approach is required. I fully agree with my colleague
about getting it into "the cloud", but effective end
point security to filter at the end point is also a requirement.
Q449 Baroness Hilton of Eggardon:
How much of all this spam is actually carrying viruses? Have you
any idea of the proportion?
Mr Sunner: I can tell you that currently for
January one in every 119 messages on average that we are processing
contains a virus that is a trojan of some description. The vast
majority, over 90 per cent, are botnet related. So the vast majority
of viruses are actually to do with spam. They are essentially
the air supply for spammers, where the target is home users rather
than business. That number is actually down from January 2006,
where the number would have been closer to approximately one in
Mr Wood: It would certainly have been a lot
lower, I think.
Mr Sunner: What used to happen was that the
volume of viruses was directly linked to the volume of spam, so
if we saw more viruses we knew more spam would follow it, and
that de-coupled about July 2006. What this means is the bots which
are going out there are now much more efficient at sending spam.
So the bad guy community, for want of a better word, is interested
in sending more discrete viruses which stay under the radar for
longer, which go undetected for longer by companies like ourselves,
so that they can basically have a longer existence. We believe
this trend will continue, that the virus count will actually continue
to come down in email but go up inside web traffic, but spam volumes
will continue to go up the whole time. That is exactly the trend
we are seeing at the moment.
Mr Isbell: That concurs with our findings, that
one of every 122 spam messages is blocked by our botmail system
containing malicious code. Our probe network also detected 157,477
unique phishing messages during that period.
Q450 Lord Sutherland of Houndwood:
Can I ask what you mean by "unique"?
Mr Isbell: These are distinct in their own right.
They are all separate and distinct in what they are trying to
Q451 Lord Sutherland of Houndwood:
To follow through, you obviously have a huge experience of what
the bad guys are doing. You also want to look on the other side
at which the consumers, those who have systems, need. Do you think
they are getting enough education about the dangers out there
on the net? If so, fine - I suspect not - but if not,
what would you suggest?
Mr Isbell: We did think about this and we have
had some internal discussion going on about this. Education and
awareness is a multi-faceted and multi-targeted environment. I
do think there is the opportunity to give more education for our
children under the ICT programme for schools. We all know that
these are the surfers of the future and we also know that children
in our environment teach mum and dad how to use the video recorder
remote, so I think that raising the level of education regime
and the level of awareness in our children is one way forward
to improve overall. Secondly, I think we also need to be aware
that we are getting an increased number of what are known as "silver
surfers", an ageing population.
Q452 Lord Sutherland of Houndwood:
I think you have some around the table in front of you!
Mr Isbell: I do not think we are actually doing
enough to target that demographic because they need more help,
I believe, than somebody in their mid-term.
Q453 Lord Sutherland of Houndwood:
I can follow that. There is a bit of tension here because clearly
one of the things one wants to do is encourage more people, not
least the potential silver-surfers, to use this capacity to enlarge
their lives, but if at the same time you frighten the wits out
of them - is there a tension there which you are noticing
Mr Isbell: I think there is a danger that we
could go too far down the fear, uncertainty and doubt route (the
FUD factor, as it is called), but I think if the awareness and
training is done in a sensitive manner at an early age that will
filter through and show people that it is not something to be
feared but it is something which could be managed.
Q454 Earl of Erroll:
I found the best education for my sons was when they got a whole
lot of viruses as a result of being very careless on peer to peer
networks and after "Daddy" spent some time clearing
them off they started to wake up to it, and maybe you should contaminate
schoolchildren's computers deliberately so they can learn how
to remove them!
Mr Isbell: That can be a very hard lesson to
learn and very time-consuming for the parent, as I am sure you
Mr Sunner: If I could make one comment relating
to that point, I think education is certainly important and I
think initiatives like Get Safe Online have been very useful at
raising awareness, but we have to be realistic. The technical
nature of these problems now is very, very carefully engineered
and it reaches a point where the primary solution now has to be
a technical one rather than education, unfortunately. I think
education is useful, but treating it with individual powers is
a very specialist task and the bad guys are very aware that the
weakest link in all of this stuff is actually the human at the
other end, and that is why social engineering is so powerful.
So whilst education is definitely useful, I think the focus should
be a technical one.
Q455 Lord Sutherland of Houndwood:
I am sure that is a wise comment, but equally a very basic thing
if you are new to the business is about what looks like a suspicious
email. You do learn the more you do it, but if you are starting
and you get something from Robert - well, I know dozens of
Roberts, so how do I know that this is not one of the bad ones?
Mr Isbell: That is certainly where the targeted
attacks are coming in. They are using that social engineering
to try and get you to open up the emails and to click on the link,
so to speak.
Mr Sunner: Worryingly, thanks to social networking,
these emails can now be addressed to you with your actual address,
possibly even referencing your siblings, depending on what you
have keyed into these certain sites. That really has not happened
in anger yet, it is very early days, at an embryonic stage, but
that is what we are dealing with. So educating against that - it
is such a moving target that the emphasis has to be on the lines
in these protocols themselves, first and foremost.
Mr Isbell: Just to add to that point, there
is another thought that as we get down the road of more mobile
phones, multi-purpose PDAs, et cetera, then the user awareness
and the user environment also has to take care of those evolving
threats which are going to come with our new technology.
Q456 Earl of Erroll:
Were there any instances in fact last Christmas with some of the
greeting cards, particularly ones which were hosted on websites,
containing anything like that? Certainly I had two that I did
not go and visit because I was not certain about the organisations
they came from. Were there any cases of that?
Mr Wood: That is quite a common technique, especially
around holiday periods like Christmas, where you can have a high
number of those types of attacks where they will use the social
engineering of being able to receive a greetings card. You are
not going to necessarily know who sent that or whether it is from
somebody you do know. The inclination is to click on the link
and that is where they transfer the attack from the email scenario
over to the web and then they can use exploits on your browser
to then infect your machine through a different channel.
Q457 Lord Mitchell:
Just before I ask my question, just for my own knowledge, what
percentage of domestic laptops or computers actually have anti-virus
software on them?
Mr Isbell: That is a very good question. I do
not think we have the detailed analysis.
Q458 Lord Mitchell:
What would you guess?
Mr Chantzos: Globally?
Q459 Lord Mitchell:
Let us just take the UK to start with.
Mr Isbell: One thing I can say is that there
are 318 million customers who launch our live update every day,
that is globally. Does that help give you the size?
Lord Mitchell: Well, sort of.
Chairman: There are 2 billion cell phones
in the world at the moment and about 600 million PCs.