Risk
5/27/2005
07:18 PM
Patricia Keefe
Commentary

Security Is the New Cold War

Electronics, technology and ubiquitous computing have made the world a far more convenient and efficient place to live. The speed with which the things we can now do get done is as mind-boggling as the rate at which they become obsolete, or are melded with yet another cool, useful technology. Just look at the speed with which cell phones have been turned into the Swiss Army Knife of personal technology. Never mind calling, its fundamental use. How 80s. You can use cell phones today to take pictures, send email, run movies and even signal your fave rock band for an encore. Pretty soon we'll be using them to pay bills on the go, relegating ATMs, hard cash and physical credit cards to the recycling bin of the 90s.

There is, of course, a dark side to all of this, and if the past few weeks are anything to go by, the speed with which the technology that has so improved our lives is being turned against us seems to be ratcheting up at a frightening pace. This is the new cold war. (It is not, as suggested by SafeCount, the war between consumers and advertisers. Uh, no. That's just a minor skirmish between consumers and advertisers. It can be easily resolved by changes in technology and behavior on the part of the advertising/marketing folks.)

Security is the new cold war, and there will be no easy solutions. For one, we don't have a prayer of cooperation from the Forces of Evil. For another, we have been forced to leave a trail of our personal data all over the internet, and it is only going to get worse as automation makes it easier to post manually collected data online and hence easier to find and cross reference, as more and more shopping is consummated and applications are submitted online, as companies clear their physical space of human workers and push as many activities as possible - customer support, technical help, purchasing and payment - all online. The same technology that makes this easy to do, and which makes our lives so convenient, also makes it easy for the bad guys to come right on in and harvest the information they need to rob us blind.

This month alone has seen a jump in the devious cleverness with which thieves are scamming and stealing from us. In a CNN report aired May 26, anchor Paula Zahn reeled off some scary statistics: She cited Federal Trade Commission figures that say 10 million people a year, about 27,000 people a day - or 19 people every minute - are the victims of identity theft, at an average estimated loss of $1,200. While the overall loss to victims is estimated at $5 billion, the numbers leap up for businesses - $33 billion. Zahn added that according to the FTC, in 2003, 3.25 million Americans had their personal information misused to open new credit accounts, take out loans etc.

The onslaught of fraudulent activity from these cyber criminals has become so intense, and increasingly so organized, that we need to start responding with an organized, committed and concerted effort on the part of all the parties involved - consumers, technology vendors, data aggregators, financial institutions, law enforcement and law makers - to try and regain some of the ground we've already lost in this battle, never mind keep up.

While Homeland Security worries about "what ifs" and "what mights," running down vague clues to real fears, the country is caught up in the throes of a very real cyber war waged by people who are determined to drain every cent from our accounts and replicate as many of our identities as they can steal. The collective "We" has to do something concrete and soon. I'm seeing bits and pieces of sensible actions from the data aggregators and banks that were hit - but it's not enough for one bank to institute a two-way authentication scheme or to encrypt sensitive data - all banks need to do this. It's not enough for one data aggregator to clamp down on who it will allow to access its data - they all need to do this.

In fact, we need to do a lot more than we have been doing. And we have to get serious about it:

* We need to come up with some minimal security requirements - encryption, authentication, tracking of data backups for starters - for the people who hold the keys to our identities and financial information. That has to be the price they pay for the privilege of collecting and using this information. Industry groups, vendors and lawmakers need to get together to hammer out and disseminate these new rules - and they can't be voluntary. Sorry - we are too far behind the bad guys, and there is too much at stake here.

* Internet-based services - all businesses really - have to make security and filtering a core part of every technology they use to handle, collect or store sensitive data. The security procedures have to extend beyond technology into the human and physical realms. Employees can create unnecessary risk, computer equipment with sensitive data is routinely lost and client data is often easily retrievable from the trash.

* We have to take a hard look at the information that is being collected and by whom. What is reasonable for what sorts of processes? Years ago I had to rent a film for a class I was taking - I had to see this film. I went to Blockbuster and was stunned at the level of data their application required. Who cares where I went to high school, and why does a video rental store need my Social Security Number? They didn't and they don't. When you get right down to it, a lot of the data required on a lot of the forms we fill out is not pertinent to the transaction involved. You can probably count on one hand the types of activities that need you to reveal your Social Security Number - yet everyone asks for it. And then they trade it, sell it and store it - with no regard to the initial reason the data was provided for in the first place or for the wishes of the consumers involved. We need to put a stop to this.

* Consumers too need to do their part. Stop giving your phone number and other personal data out to every pierced sales clerk who asks for it. Pick up your ATM and credit card receipts and shred unneeded financial documents. Understand once and for all that your bank, PayPal and eBay are not going to ask you to verify your account status or re-input your passwords online. And overrun third-world countries do not have millions of dollars in cash casually lying around waiting to be deposited in your account by people who could not possibly know you. Don't trust, and always verify electronic solicitations. We have no choice but to be vigilant.

* The government needs to get serious on so many levels. It's pretty hard to expect agencies stuck in the 80s or 90s technologically to be on top of cyber crime in 2005. Get these systems updated already. End the inter-agency fighting and get these people working together toward a common solution. Pass laws that severely punish phishers, hackers, virus disseminators, identity thieves etc. Regulate the businesses who hold our cyber existence in their hands: be responsible or you can't play.

I am not a big fan of broadcast news "special reports" - they are often too shallow for my taste. But the CNN report was fascinating. It showed chat rooms in action where scam artists and identity thieves gather to buy, trade and sell stolen account information, even to solicit accomplices. In one five-minute period, supposedly 600 "bad guys" had accessed the chat room. This is serious business, and it goes on 24 hours a day.

There has been some positive activity this year, from various state initiatives, to banks finally joining together to offer victims some help, to the launch this week of the Federal Trade Commission's "Operation Spam Zombies," an international campaign designed to educate Internet service providers about hijacked, or "zombie," computers on their networks. There are other efforts and products underway as well. But again, it's going to take coordination, standardized levels of security and the weight of the government to help push back the tide here. We have to make sure our tools of convenience are not used as the weapons of our financial destruction.
