Risk
5/27/2005
07:18 PM
Patricia Keefe
Patricia Keefe
Commentary
Connect Directly
RSS
E-Mail
50%
50%

Security Is the New Cold War

Electronics, technology and ubiquitous computing have made the world a far more convenient and efficient place to live. The speed with which the things we can now do, get done, is as mind boggling as is the rate at which they quickly become obsolete, or melded with yet another cool, useful technology. Just look at the speed with which cell phones have been turned into the Swiss Army Knife of personal technology. Nevermind calling, it's fundamental use. How 80s.You can use cell phones today to ta

Electronics, technology and ubiquitous computing have made the world a far more convenient and efficient place to live. The speed with which the things we can now do, get done, is as mind boggling as is the rate at which they quickly become obsolete, or melded with yet another cool, useful technology. Just look at the speed with which cell phones have been turned into the Swiss Army Knife of personal technology. Nevermind calling, it's fundamental use. How 80s.You can use cell phones today to take pictures, send email, run movies and even signal your fave rock band for an encore. Pretty soon we'll be using them to pay bills on the go, relegating ATMs, hard cash and physical credit cards to the recycling bin of the 90s.

There is, of course, a dark side to all of this, and if the past few weeks are anything to go by, the speed with which the technology that has so improved our lives is being turned against us seems to be ratcheting up at a frightening pace.This is the new cold war. (It is not, as suggested by SafeCount, the war between consumers and advertisers. Uh, no. That's just a minor skirmish between consumers and advertisers. It can be easily resolved by changes in technology and behavior on the part of the advertising/marketing folks).

Security is the new cold war, and there will be no easy solutions. For one, we don't have a prayer of cooperation from the Forces of Evil. For another, we have been forced to leave a trail of our personal data all over the internet, and it is only going to get worse as automation makes it easier to post manually collected data online and hence easier to find and cross reference, as more and more shopping is consummated and applications are submitted online, as companies clear their physical space of human workers and push as many activities as possible - customer support, technical help, purchasing and payment - all online. The same technology that makes this easy to do, and which makes our lives so convenient, also makes it easy for the bad guys to come right on in and harvest the information they need to rob us blind.

This month alone has seen a jump in the devious cleverness with which thieves are scamming and stealing from us. In a CNN report aired May 26, anchor Paula Zahn reeled off some scary statistics: She cited Federal Trade Commission figures that say 10 million people a year, about 27,000 people a day - or 19 people every minute - are the victims of identity theft, at an average estimated loss of $1,200. While the overall loss to victims is estimated at $5 billion, the numbers leap up for businesses - $33 billion. Zahn added that according to the FTC, in 2003, 3.25 million Americans had their personal information misused to open new credit accounts, take out loans etc.

The onslaught of fraudulent activity from these cyber criminals has become so intense, and increasingly so organized, that we need to start responding with an organized, committed and concerted effort on the part of all the parties involved - consumers, technology vendors, data aggregators, financial institutions, law enforcement and law makers - to try and regain some of the ground we've already lost in this battle, never mind keep up.

While Homeland Security worries about "what ifs" and "what mights," running down vague clues to real fears, the country is caught up in the throes of a very real cyber war waged by people who are determined to drain every cent from our accounts and replicate as many of our identities as they can steal. The collective "We" has to do something concrete and soon. I'm seeing bits and pieces of sensible actions from the data aggregators and banks that were hit - but it's not enough for one bank to institute a two-way authentication scheme or to encrypt sensitive data - all banks needs to do this. It's not enough for one data aggregator to clamp down on who it will allow to access its data - they all need to do this.

In fact, we need to do a lot more than we have been doing. And we have to get serious about it:

* We need to come up with some minimal security requirements - encryption, authentication, tracking of data backups for starters - for the people who hold the keys to our identities and financial information. That has to be the price they pay for the privilege of collecting and using this information. Industry groups, vendors and lawmakers need to get together to hammer out and disseminate these new rules - and they can't be voluntary. Sorry - we are too far behind the bad guys, and there is too much at stake here.

* Internet-based services - all businesses really - have to make security and filtering a core part of every technology they use to handle, collect or store sensitive data. The security procedures have to extend beyond technology into the human and physical realms. Employees can create unnecessary risk, computer equipment with sensitive data is routinely lost and client data is often easily retrievable from the trash.

* We have to take a hard look at the information that is being collected and by whom. What is reasonable for what sorts of processes? Years ago I had to rent a film for a class I was taking - I had to see this film. I went to Blockbuster and was stunned at the level of data their application required. Who cares where I went to high school, and why does a video rental store need my Social Security Number? They didn't and they don't. When you get right down to it, a lot of the data required on a lot of the forms we fill out is not pertinent to the transaction involved. You can probably count on one hand the types of activities that need you to reveal your Social Security Number - yet everyone asks for it. And then they trade it, sell it and store it - with no regard to the initial reason the data was provided for in the first place or for the wishes of the consumers involved. We need to put a stop to this.

* Consumers too need do their part. Stop giving your phone number and other personal data out to every pierced sales clerk who asks for it. Pick up your ATM and credit card receipts and shred unneeded financial documents. Understand once and for all that your bank, Paypal and Ebay are not going to ask you to verify your account status or re input your passwords online. And overrun third-world countries do not have millions of dollars in cash casually lying around waiting to be deposited in your account by people who could not possibly know you. Don't trust, and always verify electronic solicitations. We have no choice but to be vigilant.

* The government needs to get serious on so many levels. It's pretty hard to expect agencies stuck in the 80s or 90s technologically to be on top of cyber crime in 2005. Get these systems updated already. End the inter-agency fighting and get these people working together toward a common solution. Pass laws that severely punish phishers, hackers, virus disseminators, identity thieves etc. Regulate the businesses who hold our cyber existence in their hands: be responsible or you can't play.

I am not a big fan of broadcast news "special reports" - they are often too shallow for my taste. But the CNN report was fascinating. It showed chat rooms in action where scam artists and identity thieves gather to buy, trade and sell stolen account information, even to solicit accomplices. In one five-minute period, supposedly 600 "bad guys" had accessed the chat room. This is serious business, and it goes on 24 hours a day.

There has been some positive activity this year, from various state initiatives, to banks finally joining together to offer victims some help, to the launch this week of the Federal Trade Commission's "Operation Spam Zombies," an international campaign designed to educate Internet service providers about hijacked, or "zombie," computers on their networks. There are other efforts and products underway as well. But again, it's going to take coordination, standardized levels of security and the weight of the government to help push back the tide here. We have to make sure our tools of convenience are not used as the weapons of our financial destruction.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3409
Published: 2014-10-25
The Ethernet Connectivity Fault Management (CFM) handling feature in Cisco IOS 12.2(33)SRE9a and earlier and IOS XE 3.13S and earlier allows remote attackers to cause a denial of service (device reload) via malformed CFM packets, aka Bug ID CSCuq93406.

CVE-2014-4620
Published: 2014-10-25
The EMC NetWorker Module for MEDITECH (aka NMMEDI) 3.0 build 87 through 90, when EMC RecoverPoint and Plink are used, stores cleartext RecoverPoint Appliance credentials in nsrmedisv.raw log files, which allows local users to obtain sensitive information by reading these files.

CVE-2014-4623
Published: 2014-10-25
EMC Avamar 6.0.x, 6.1.x, and 7.0.x in Avamar Data Store (ADS) GEN4(S) and Avamar Virtual Edition (AVE), when Password Hardening before 2.0.0.4 is enabled, uses UNIX DES crypt for password hashing, which makes it easier for context-dependent attackers to obtain cleartext passwords via a brute-force a...

CVE-2014-4624
Published: 2014-10-25
EMC Avamar Data Store (ADS) and Avamar Virtual Edition (AVE) 6.x and 7.0.x through 7.0.2-43 do not require authentication for Java API calls, which allows remote attackers to discover grid MCUser and GSAN passwords via a crafted call.

CVE-2014-6151
Published: 2014-10-25
CRLF injection vulnerability in IBM Tivoli Integrated Portal (TIP) 2.2.x allows remote authenticated users to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.