EASTERN EUROPE, CYBERCRIME – AND WHY CODE SIGNING IS VITAL
More and more software developers in the UK and US are looking to Eastern Europe to get their code written. After all, it can be done far more cheaply there, as well as offering an abundance of choice. Indeed, code writing ‘houses’ in Eastern Europe are proliferating in response to this demand – from one-man bands to sizeable operations. So any developer intent on keeping their costs down, and often along with the promise of a quick turnaround, has the perfect scenario for having their software code written there, right?
Not necessarily. Because cheap is not good if the code that’s written becomes compromised in any way. And when you, the developer, are possibly thousands of miles away from whoever is writing your code, you need to be even more sure of those into whose hands you are entrusting this process.
Certainly, there are many highly reputable enterprises in Eastern Europe that provide this service and deliver to the highest standards. But this is also a region where, not unlike other areas of the world, cybercrime has soared with the rapid growth of ecommerce and emergence of a more stable, faster Internet. Software that has not been adequately protected is an irresistible target for them, as indeed it is wherever cybercrime rears its head.
No doubt we can all recall incidents where the cybercriminals have struck hard. There was the ‘Zeus’ virus scam, used to steal around £675,000 from the bank accounts of some 3,000 on-line UK customers, while, earlier this year, US federal authorities charged three men with building and disseminating a virus that crippled NASA computers and brought in tens of millions of dollars for the East European-based cybercriminals.
And then there’s Alexsey Belan, for whom the FBI is offering a reward of up to $100,000 for information leading to his arrest. Belan is alleged to have penetrated the computer networks of three major US-based e-commerce companies, stealing their user databases and the encrypted passwords of millions of accounts, and then selling these on. Only look on the FBI’s website listing of ‘Cyber’s Most Wanted’ and you will find many more such examples of cybercriminals active in the region.
“Global cybercrime is arguably the biggest underworld industry of our times,” said Nir Kshetri, in the report, ‘Cybercrime and Cybersecurity in the Global South’[1]. “Global forces and technologies such as mobile phones, social media and cloud computing are shaping the structure of the global cybercrime industry, estimated at US$1 trillion. Many of the economies in the Former Soviet Union and Central and Eastern Europe (FSU&CEE) have become top cybercrime hotspots.
“Cybercrime rings in these economies have mastered complex tricks and have increased pervasiveness and sophistication of cyberfrauds. Sophisticated frauds, such as cyberextortion, distributed denial-of-service (DDoS) attacks and hijacking users’ searches and clicks, involve a complex fusion of strategy, technology, processes and people,” he states.
“Corruption, the lack of sufficiently high penalties, ineffective, inefficient, inadequate and weak legislation and lax law enforcement have fuelled cybercrime,” Kshetri adds.
So, no matter how compelling your latest application or functionality may be, any vigilant customer will be aware of such dangers and see potential risk in installing your code, fearful that they might be putting malware on their computers, smartphones and other devices. Once unleashed, malicious code can wreak havoc, stealing personal and financial data, damaging files and systems, and compromising confidential information. Malware also poses a serious threat to the mobile environment, slipping into application stores and becoming a threat to anyone who downloads such infected applications.
Fixing the damage can exact a huge toll on those stores – in terms of time, money and disruption. And the damage goes deeper. Because, when application stores lose the trust of their customers, wireless providers and device manufacturers can lose customers, too. The ‘domino’ effect hurts everyone.
So, any developer keen to reap the upsides of Eastern Europe needs to be mindful of the downsides and ensure that the systems to protect their applications are in place. And that brings us to the good news. Software vendors and developers can digitally sign and timestamp the software they distribute over the Internet – known as ‘Code Signing’ – to demonstrate that their applications are safe, secure and trustworthy.
With code signing, everything starts from a position of trust – trust that the apps and downloads that customers install are free from viruses, spyware, or any other alteration or tampering that might compromise or damage their systems. And that isn’t all that’s at stake. Get it wrong and your hard-won brand and reputation could soon be in tatters.
This is where code signing solutions from Symantec come in to play, creating what is essentially a ‘digital shrink wrap’ for secure distribution of code and content over the Internet. Not only does this protect your software, but also it gives customers all the information they need to download and install your software with complete confidence.
Here’s how it works. When you are ready to publish new software and make it available on line, Symantec’s solutions enable you sign and timestamp your code, using a secure private key and digital certificate. The latter includes an encryption hash that allows customers to see all of the information in your digital certificate when they download your application, verifying your identity as the publisher, and confirming the integrity and trustworthiness of your software.
Also, Symantec fully supports multiple computing and mobile platforms, including an EV (Extended Validation) code signing solution that enhances the levels of trust on the latest operating systems, browsers and security software. Another plus for developers is that Symantec has partnered with Microsoft to integrate EV Code Signing certificate status with its SmartScreen reputation services in Internet Explorer and Windows 8. That means programs signed by an EV Code Signing certificate can immediately establish reputation with Microsoft’s SmartScreen, even if no prior reputation exists for that file or publisher; so, potentially there will be fewer warning messages flagged up when a user tries to run your application.
Ensuring that your software has these highest levels of authentication in place protects your brand every time and strengthens the trust relationships that make your business successful.
And with such protections in place, looking to Eastern Europe for the many code writing advantages it promises may well be a move that allows you to sleep that much easier at night.
