Sasser arrest seen as small step in cybercrime fight

Computerworld - Despite the speed with which the alleged perpetrator of the recent Sasser outbreak was nabbed, the security community is still doing too little to bring malicious attackers to justice, several experts said today.
Sven Jaschan, an 18-year-old German man who had just graduated from vocational school, was arrested Friday in connection with the Sasser worm (see story). Jaschan was nabbed following a tip to Microsoft Corp. from a group of individuals in his home state of Lower Saxony in Germany. Microsoft passed the information to German authorities, who arrested him near the German town of Rotenberg.
The speed of the arrest is "encouraging," said Ken Dunham, a director at iDefense Inc. in Reston, Va. "This is a big improvement over the arrests never seen of yesteryear. The more arrests that are made, the more malicious code authors are likely to avoid the release of malicious code into the wild."
"I am very impressed with the international cooperation in law enforcement and with the FBI's effectiveness" in going after cybercriminals in general, said Alan Paller, director of research at the SANS Institute. "I am equally impressed with the Justice Department's success in getting other countries to implement laws that make such attacks crimes."
The problem, though, is that such arrests are few and far between, said Bruce Schneier, chief technology officer and co-founder of Counterpane Internet Security Inc., a managed security services provider in Mountain View, Calif. In fact, a majority of malicious attackers aren't caught, he said.
The arrests only "tend to happen with stuff that is high-profile," Schneier said. Much less effort is put into pursuing perpetrators of less visible and targeted attacks, he said.
Doing so can be a hard and expensive task, experts said.
"To date, the virus writers who have been caught [have been] mostly amateurs," said Andrew Plato, a consultant at Anitian Enterprise Security, a Beaverton, Ore.-based consultancy. "They were caught using traditional means of law enforcement, such as tips from friends -- not high-tech analysis of the worm or attack vectors," he said.
When it comes to such issues, "far more should be done to ensure that logs exist to allow tracing back originating traffic to its actual source," said Russ Cooper, editor of the NTBugtraq mailing list and an analyst at Reston, Va.-based TruSecure Corp. "ISPs continually fight these attempts by law enforcement, presumably because they feel the burden of having to comply will be too heavy."
Fear of retribution is another reason many victims have been unwilling to go after attackers, even