The panel discussion revolved around the already defined project WGs:

• Smart environments
• Critical systems
• Malware & fraud

The discussion started with a talk on smart systems, which mainly focused on the threats introduced by the advent of smart devices. Smart-phones and other such mobile smart-devices are slowly replacing the older mobile phones greatly increasing the offered functionality. A smart-phone can be used for accessing email, online banking, e-commerce, etc same as with a PC. Furthermore, new location based services (via GPS) are offered, and plans are made to turn these devices to e-wallets. Also, since a phone is considered highly personal, users tend to store personal items such as photos, PIN and credit card numbers. All the above turn these devices to very attractive targets for attackers, while at the same time users are not even aware of the existence of threats against their new device. Applying already developed security solutions to mobile devices is not always possible, because of their inherent limitations such as limited battery life, and hardware resources. As such additional research is needed to address security in such devices.

Critical systems were discussed second in the panel. Such systems include telecommunications infrastructure, transportation, energy production and distribution, etc. These systems have been using computers for a long time, but in the future there are many plans to allow their management over the Internet. Extending their connectivity can leave them open to a multitude of attacks, if security is not considered early in the design and implementation. Unfortunately, in this case as well, people involved with critical systems are not always aware of the new threats and challenges they will be facing.

A very interesting example from the car industry was brought up. Cars today already include 40-50 computers connected via LAN. Security has not been an issue till today, but with plans to interconnect cars with each other,  or even with the Internet it is made obvious that security will be a prime concern. Failure to introduce security mechanisms could prove catastrophic, not in this example alone but on all critical systems.

The final subject of the panel was malware and fraud. The discussion centred on the new incentives and modus operandi of malware writers today. Malware is no longer written “for fun”, but for profit. One can easily be made aware of this by considering the very successful worms of the past such as CodeRed, Blaster, and Sasser. Even though millions of systems were infected, the damages inflicted were relatively small. Today on the other hand, malware writers are driven by profit, and form groups that resemble traditional crime organisations. Botnets such as the renowned Storm botnet are used to circulate spam e-mail, which is either directly providing income to the botnet “owners”, or is used to perform fraud. Botnets have even been observed being rented out in the cyber underground through IRC channels and web pages. To better understand this new generation of criminals, traditional investigation is needed to provide warning of new attacks and frauds, while at the same time more research is needed on disrupting malware operation and propagation.

The conclusions extracted from the panel discussion can be summarised into that: a) additional security research is needed to address future threats on new technologies, and b) well established industries need to be made aware of the new threats they will be exposed to, because of the interconnection of previously unconnected components.

The FORWARD paper seemed to spark interest in the conference which was mostly  dedicated to analyzing the benefits and applications of Trusted Computing. An interesting proposal posed by the audience was to move beyond technical analysis of future threats into investigating the economy and motives underlying the various malicious activities.

Apart from FORWARD’s paper, we found of particular interest Symantec‘s Richard Archdeacon presentation of today’s malware landscape. An interesting finding on their latest Internet Security Threat report is that the malware market has become much more streamlined than we imagine. Symantec identified trust chains between malware-suplier and malware-users which in some cases are formalized by means of End User Licence Agreements (EULAs), just like mainstream software is. They also hinted for a future switch from blacklisting to whitelisting for protecting from malware.

Overall, the conference was an interesting experience and we hope that FORWARD’s paper has managed to attract the interest of the very active trusted computing community for the project.