Computer Crime Research Center


ON THE RECORD: Stratton Sclavos

Date: January 14, 2005
Source: SFGate.com
By: Chronicle Staff

Note: This is an excerpt from the full interview at SFGate.com:

Background:


In 1995, Stratton Sclavos and RSA founder Jim Bidzos created VeriSign as a spin-off that issued digital certificates, acting as an Internet notary public. Today, VeriSign secures online transactions and is branching out into handheld entertainment, radio frequency ID tags and other up-and-coming technologies. As VeriSign's chief executive officer, Sclavos has an unparalleled view of the Internet, its strengths and weaknesses. We talked with Sclavos about the rising sophistication of online crime, his company's squabbles with the Internet oversight authority and the challenges of being a parent in the digital age.

Q: VeriSign is in a lot of businesses now. Is there a vision that ties all these things together?

A: What we have really been about over the last five years is assembling a set of assets that all plug together to make what we call intelligent infrastructure.

If you look at the Internet, we're through the first 10 years of this massive growth, (with) more people getting on and more messages being sent. We think we're at an inflection point where there's too much complexity and too much usage to do things just by adding more pipes. So the intelligent infrastructure we do sits above the pipes and below the applications and the services and makes things more efficient.

We route .com and .net addresses 14 billion times a day. We secure 400,000 Web sites so people can communicate with their customers. We process credit cards for those same Web sites so they can take the money and put it in a bank account.

Five years from now, whether it's radio frequency ID tags on Gillette razors or Web addresses for .com and .net or phone numbers that have become voice-over IP as opposed to traditional telecom switches, we'll have those big directories running inside VeriSign data centers that make all that stuff connect and interoperate.

Q: Why should such important infrastructure be handled by the private sector?

A: We are a regulated business in .com and .net service. We have over the last five years invested $200 million in research and development and capital equipment to completely rebuild that network. You need to fuel innovation to keep this infrastructure growing, and I don't think the government would be well suited to that.

We were here before the Internet explosion. We're here after the burst of the bubble. And in those nine years, the machines have never been down, and we've taken the systems from being able to handle about 20 billion interactions a day to now, (when) our top capacity is north of 200 billion a day.

There are people at VeriSign who will work 24 hours a day if even one bit of the database that we manage gets corrupted. And we will do anything in our power to fix it within seconds if we can and minutes if we can't.

We have shared our technology and our software-monitoring tools with the Department of Homeland Security since almost its first days. They can see the network the same way we do. We just agreed to the same kind of provisions with the European Union to give their new security-monitoring center these kinds of tools. We're probably five to six years ahead of where these governments would be in thinking about how to monitor the network. And we're trying to bring them all up to that same level of visibility.

Q: What is your role in the Department of Homeland Security and are you involved with the war on terrorism?

A: We are an avid participant in their information-sharing private-public partnership. We provide them tools that we have designed so that they can see the network and its trouble the same way we can, and then we're involved in certain forensic activities on an as-needed basis.

Q: What would something like that entail?

A: If we process 35 percent of North American e-commerce, we manage 14 billion Web connections a day. We manage the firewalls and intrusion detection centers for some of the largest financial service companies in the world. We see all the network traffic and all the network problems. So we've become an early warning system in many respects for a lot of what governments as well as commercial interests are looking for.

Q: Is this about cyber-terrorism or helping the government when they're looking for the source of terrorist money?

A: It's really all of those things. You are looking at the digital equivalent of money laundering and espionage and commercial competitive information. All those things that we talk about in terms of physical terrorism or just criminal financial activity we are now seeing on the network.

We're in the very earliest stages of understanding just how much of that activity can be found quickly enough to do something about it.

Q: Can you talk about the rise of common scams like phishing (scam e-mails that trick people into revealing financial information)? Doesn't that dwarf any other kind of crime online?

A: It's a very real threat. It tends to be small economic value multiplied by potentially millions of people. So it's a big deal, and it undermines confidence in going online. The thing I'm actually more interested in watching is the fraud (we are seeing) on these networks at an escalating rate. From what we can tell, (they) are coordinated attacks. If you watch what's going on, the number of fraudulent transactions that are programmed and automated from the Eastern Bloc, from Indonesia, from these various places, it's just mind boggling. It's no longer teenage hackers in a garage trying to rip off credit cards. It is coordinated, organized crime.

Q: Can you explain how an automated fraud attack works?

A: These guys are very clever. They will go out on the network and find machines that are sitting there always on, generally broadband connections, and they will deposit code that sits dormant. Then they will build an application that tries credit card numbers. It's very easy to build a program that knows that a Visa card has 12 digits. You start at 000 for all the digits, and then you move it up incrementally. And you attack Web sites that have low-value digital goods and services. These guys would attack the Web sites from the robotic machines they would take over, and then they'd hit on a number that's good. Every time there's a successful transaction they immediately use that number on some high-value site. You can actually find Web sites that teach you how to do this stuff.

Q: What do you mean by coordinated attacks?

A: We didn't realize until we started doing some work that our credit card transaction-network service and our .com and .net service were actually seeing the same fraud.

They attack these machines on the network and take them over as robots, and then those (computers) start sending tons of spam out. Then you start to see credit card fraud. And lo and behold, there is a one-to-one correlation between the IP addresses where the spam is coming from and the IP addresses that are sending out the attacks.

Q: What's the protection for that? Aren't there patterns you can detect? Or do they just route it through so many machines there is no pattern?

A: I actually thought we were going to be able to stop it like this (snaps his fingers). That we would be able to detect enough of what was going on and through education and monitoring, we'd be able to see it.

These guys are much better than I thought. One clue might be, you're told to go to paypal.com and you click on a link in your e-mail, but the Web browser address bar actually has some other string in it. We've seen them write Java code that superimposes a string on top of the actual address.

Q: How new is that?

A: Six months.

Q: What's your profile of the person doing this?

A: I'm sure there's a lot of different types. In the Eastern Bloc and some Southeast Asia countries (there are) trained technicians from economies that are no longer state sponsored, and legitimate economic activity or criminal economic activity is probably a decision they make daily. There's probably plenty of opportunity to be drafted into a black or gray market. Not to be dramatic about it, (but) some of it is terrorism looking to raise money. I would say that's a lesser percent of what we see today, but something that we're certainly monitoring.

Q: One of the most direct implications of this would be less money spent online. What kind of role are major retailers from Wal-Mart on down taking in addressing this, and are they doing enough?

A: What we see the sites doing is promoting the security more effectively, more prominently displaying our (security) seal or others, and more prominently talking about it in the purchase process. And the stats (on online shopping) are way up again this year. Convenience, price and availability are winning out over security concerns. The question becomes, are we just one major event away from undermining all that confidence?

Q: And what would your answer be?

A: I think we probably are.

Q: What would that major event look like?

A: It's probably some site with multimillions of registered users, having that credit card information or those user profiles stolen.

I am not the fear monger. I am a huge believer that the amount of risk we are facing on the digital side is manageable versus the rewards we...



Copyright © 2001-2013 Computer Crime Research Center