<i>Simon Hendery</i>: Information sharing only way to reduce security worries

John Stewart's speech at Cisco's annual Networkers event in Australia last week must have made the company's public relations people and its lawyers a little edgy.

Stewart is a Cisco vice-president and is responsible for overseeing security issues around the huge infrastructure underpinning the technology company's business.

In a refreshingly candid move for someone in his role, Stewart used his keynote speech to share a few of the security nightmares Cisco has encountered recently.

There was the almost Keystone Cops-style tale of receiving a tip that someone was running a peer-to-peer movie server from one of Cisco's engineering data centres.

"The engineering guys are just having a great time watching whatever movies they've probably copied, pirated or illegally downloaded," Stewart explained.

"By the time we got to the building the server was gone. The rack was still there, with lots of cables, and the plate that it was sitting on was still warm."

Despite the initial fruitless chase, this story ended well for Stewart's security team. Within an hour of arriving at the just-vacated crime scene they received an email from an anonymous Hotmail account revealing where the dubious server had been stashed.

Next on Stewart's list was the HR staffer who, after compiling a juicy spreadsheet of staff members' salary information and bonus structures, accidentally dispatched it to every Cisco email address in Europe rather than just to the one colleague it was intended for.

"Microsoft Outlook is a great tool and it can be incredibly helpful - overly helpful at times," Stewart dryly observed.

"The good news was they sent a note out immediately afterwards and said please don't read this."

Another Cisco staffer was "invited to seek alternative employment" when a day after being ticked off for storing the entire second series of The Sopranos on their PC - in breach of the company's code of business conduct - they were again caught downloading unauthorised material.

But why parade these botch-ups? Stewart told journalists after the speech security issues could only be addressed by sharing information. The reality was that all businesses had security skeletons in their closets but if Cisco wanted its customers and business partners to be candid with it, it had to first be open with them.

The context for this more open approach is the changing profile of the computer hacker. The geeks who used to break into systems just for the challenge of doing so have been replaced by cyber criminals whose motivation is making money.

"We used to break into each other's computers because we thought it was funny. It was like capturing the flag - you were just proving a point," Stewart said.

"Nowadays you're actually got a crime component in this."

That observation is backed up by a Symantec report released last week which confirmed what has become obvious to anyone with an email account: there's a growing movement aimed at trying to dupe us into giving up our personal information.

Symantec's latest Internet Security Threat Report says "phishing" emails - the hub of identity theft scams - were up 81 per cent in the first half of this year.

Admittedly, Symantec sells security solutions, so it's in the company's interest to fuel the public's identity theft paranoia with publicity like this.

Another security company, McAfee, came up with a variation on the PR theme last week, releasing the findings of a survey it says shows internet users exhibit poor judgment when it comes to sharing their email address.

McAfee asked the 7000 respondents to its survey to judge which websites they could confidently share their email address with if they wanted to avoid being deluged with spam. The company concluded that web users only got it right 55 per cent of the time, and the cost of getting it wrong could mean a flood of up to 2000 spam emails a week from some disreputable sites.

Ironically, some of the cautionary noise being generated by the security companies has to do with a development that should soon make home computing safer.

Microsoft has beefed up the security elements within its much-delayed but soon-to-be-released Vista operating system.

This has raised the hackles of those companies that have made millions selling protection to users of Microsoft's earlier, less security-focused operating systems.

Last week Symantec was murmuring about taking legal action against Microsoft over the planned configuration of Vista's Security Centre which it claims will make it more difficult for users to opt for third-party protection such as Symantec's.

This is further evidence that internet security is a high-stakes game where attention and effort can easily be diverted away from the core task of fighting spammers and criminals.

As Cisco's Stewart observed last week: sadly it's often the case that the hackers are better at communicating with each other than are the major corporates who they regularly target.

* Simon Hendery travelled to Networkers as a guest of Cisco