Despite the speed with which the alleged perpetrator of the recent Sasser outbreak was nabbed, the security community is still doing too little to bring malicious attackers to justice, several experts said Monday.
Sven Jaschan, an 18-year-old German man who had just graduated from vocational school, was arrested Friday in connection with the Sasser worm. Jaschan was nabbed following a tip to Microsoft Corp. from a group of individuals in his home state of Lower Saxony in Germany. Microsoft passed the information to German authorities, who arrested him near the German town of Rotenberg.
The speed of the arrest is "encouraging," said Ken Dunham, a director at iDefense Inc. in Reston, Va. "This is a big improvement over the arrests never seen of yesteryear. The more arrests that are made, the more malicious code authors are likely to avoid the release of malicious code into the wild."
"I am very impressed with the international cooperation in law enforcement and with the FBI's effectiveness" in going after cybercriminals in general, said Alan Paller, director of research at the SANS Institute. "I am equally impressed with the Justice Department's success in getting other countries to implement laws that make such attacks crimes."
The problem, though, is that such arrests are few and far between, said Bruce Schneier, chief technology officer and co-founder of Counterpane Internet Security Inc., a managed security services provider in Mountain View, Calif. In fact, a majority of malicious attackers aren't caught, he said.
The arrests only "tend to happen with stuff that is high-profile," Schneier said. Much less effort is put into pursuing perpetrators of less visible and targeted attacks, he said.
Doing so can be a hard and expensive task, experts said.
"To date, the virus writers who have been caught (have been) mostly amateurs," said Andrew Plato, a consultant at Anitian Enterprise Security, a Beaverton, Ore.-based consultancy. "They were caught using traditional means of law enforcement, such as tips from friends -- not high-tech analysis of the worm or attack vectors," he said.
When it comes to such issues, "far more should be done to ensure that logs exist to allow tracing back originating traffic to its actual source," said Russ Cooper, editor of the NTBugtraq mailing list and an analyst at Reston, Va.-based TruSecure Corp. "ISPs continually fight these attempts by law enforcement, presumably because they feel the burden of having to comply will be too heavy."
Fear of retribution is another reason many victims have been unwilling to go after attackers, even when their identity is known, Schneier said. "We built a forensic capability so that we could go after the bad guys. But surprisingly, very often companies don't want to do that. They don't want to make waves because they are very afraid of retribution," he said.
Stronger penalties are also needed against those who launch such attacks, Cooper said. "For far too long, it seems as if society treats the act of infecting or taking over someone's computer as 'cute,' " he said.
"Someone willing to cause billions of dollars of cost and millions of man-hours of effort clearly needs to be locked away to prevent us from being abused by them in the future," Cooper said.
But prosecuting cybercriminals can be difficult, said David Endler, a director at TippingPoint Technologies Inc. in Austin. "The standards of electronic forensic evidence have yet to catch up to the same standards" used for more traditional crimes, Endler said.
The lack of standard international cyberlaws is also a problem, he said. "If a resident of Germany unleashes a worm from a compromised computer in Russia, do extradition laws apply?" he said.
(With reports from Reuters news service.)