07:18 PM
Patricia Keefe

Security Is the New Cold War

Electronics, technology and ubiquitous computing have made the world a far more convenient and efficient place to live. The speed with which the things we can now do get done is as mind-boggling as the rate at which they become obsolete, or are melded with yet another cool, useful technology. Just look at the speed with which cell phones have been turned into the Swiss Army Knife of personal technology. Never mind calling, its fundamental use. How 80s. You can use cell phones today to take pictures, send email, run movies and even signal your fave rock band for an encore. Pretty soon we'll be using them to pay bills on the go, relegating ATMs, hard cash and physical credit cards to the recycling bin of the 90s.

There is, of course, a dark side to all of this, and if the past few weeks are anything to go by, the speed with which the technology that has so improved our lives is being turned against us seems to be ratcheting up at a frightening pace. This is the new cold war. (It is not, as suggested by SafeCount, the war between consumers and advertisers. Uh, no. That's just a minor skirmish between consumers and advertisers. It can be easily resolved by changes in technology and behavior on the part of the advertising/marketing folks).

Security is the new cold war, and there will be no easy solutions. For one, we don't have a prayer of cooperation from the Forces of Evil. For another, we have been forced to leave a trail of our personal data all over the internet, and it is only going to get worse as automation makes it easier to post manually collected data online and hence easier to find and cross reference, as more and more shopping is consummated and applications are submitted online, as companies clear their physical space of human workers and push as many activities as possible - customer support, technical help, purchasing and payment - all online. The same technology that makes this easy to do, and which makes our lives so convenient, also makes it easy for the bad guys to come right on in and harvest the information they need to rob us blind.

This month alone has seen a jump in the devious cleverness with which thieves are scamming and stealing from us. In a CNN report aired May 26, anchor Paula Zahn reeled off some scary statistics: She cited Federal Trade Commission figures that say 10 million people a year, about 27,000 people a day - or 19 people every minute - are the victims of identity theft, at an average estimated loss of $1,200. While the overall loss to victims is estimated at $5 billion, the numbers leap up for businesses - $33 billion. Zahn added that according to the FTC, in 2003, 3.25 million Americans had their personal information misused to open new credit accounts, take out loans etc.

The onslaught of fraudulent activity from these cyber criminals has become so intense, and increasingly so organized, that we need to start responding with an organized, committed and concerted effort on the part of all the parties involved - consumers, technology vendors, data aggregators, financial institutions, law enforcement and law makers - to try and regain some of the ground we've already lost in this battle, never mind keep up.

While Homeland Security worries about "what ifs" and "what mights," running down vague clues to real fears, the country is caught up in the throes of a very real cyber war waged by people who are determined to drain every cent from our accounts and replicate as many of our identities as they can steal. The collective "We" has to do something concrete and soon. I'm seeing bits and pieces of sensible actions from the data aggregators and banks that were hit - but it's not enough for one bank to institute a two-way authentication scheme or to encrypt sensitive data - all banks need to do this. It's not enough for one data aggregator to clamp down on who it will allow to access its data - they all need to do this.

In fact, we need to do a lot more than we have been doing. And we have to get serious about it:

* We need to come up with some minimal security requirements - encryption, authentication, tracking of data backups for starters - for the people who hold the keys to our identities and financial information. That has to be the price they pay for the privilege of collecting and using this information. Industry groups, vendors and lawmakers need to get together to hammer out and disseminate these new rules - and they can't be voluntary. Sorry - we are too far behind the bad guys, and there is too much at stake here.

* Internet-based services - all businesses really - have to make security and filtering a core part of every technology they use to handle, collect or store sensitive data. The security procedures have to extend beyond technology into the human and physical realms. Employees can create unnecessary risk, computer equipment with sensitive data is routinely lost and client data is often easily retrievable from the trash.

* We have to take a hard look at the information that is being collected and by whom. What is reasonable for what sorts of processes? Years ago I had to rent a film for a class I was taking - I had to see this film. I went to Blockbuster and was stunned at the level of data their application required. Who cares where I went to high school, and why does a video rental store need my Social Security Number? They didn't and they don't. When you get right down to it, a lot of the data required on a lot of the forms we fill out is not pertinent to the transaction involved. You can probably count on one hand the types of activities that need you to reveal your Social Security Number - yet everyone asks for it. And then they trade it, sell it and store it - with no regard to the initial reason the data was provided for in the first place or for the wishes of the consumers involved. We need to put a stop to this.

* Consumers too need to do their part. Stop giving your phone number and other personal data out to every pierced sales clerk who asks for it. Pick up your ATM and credit card receipts and shred unneeded financial documents. Understand once and for all that your bank, PayPal and eBay are not going to ask you to verify your account status or re-input your passwords online. And overrun third-world countries do not have millions of dollars in cash casually lying around waiting to be deposited in your account by people who could not possibly know you. Don't trust, and always verify electronic solicitations. We have no choice but to be vigilant.

* The government needs to get serious on so many levels. It's pretty hard to expect agencies stuck in the 80s or 90s technologically to be on top of cyber crime in 2005. Get these systems updated already. End the inter-agency fighting and get these people working together toward a common solution. Pass laws that severely punish phishers, hackers, virus disseminators, identity thieves etc. Regulate the businesses who hold our cyber existence in their hands: be responsible or you can't play.

I am not a big fan of broadcast news "special reports" - they are often too shallow for my taste. But the CNN report was fascinating. It showed chat rooms in action where scam artists and identity thieves gather to buy, trade and sell stolen account information, even to solicit accomplices. In one five-minute period, supposedly 600 "bad guys" had accessed the chat room. This is serious business, and it goes on 24 hours a day.

There has been some positive activity this year, from various state initiatives, to banks finally joining together to offer victims some help, to the launch this week of the Federal Trade Commission's "Operation Spam Zombies," an international campaign designed to educate Internet service providers about hijacked, or "zombie," computers on their networks. There are other efforts and products underway as well. But again, it's going to take coordination, standardized levels of security and the weight of the government to help push back the tide here. We have to make sure our tools of convenience are not used as the weapons of our financial destruction.
