07:18 PM
Patricia Keefe
Patricia Keefe

Security Is the New Cold War

Electronics, technology and ubiquitous computing have made the world a far more convenient and efficient place to live. The speed with which the things we can now do, get done, is as mind boggling as is the rate at which they quickly become obsolete, or melded with yet another cool, useful technology. Just look at the speed with which cell phones have been turned into the Swiss Army Knife of personal technology. Nevermind calling, it's fundamental use. How 80s.You can use cell phones today to ta

Electronics, technology and ubiquitous computing have made the world a far more convenient and efficient place to live. The speed with which the things we can now do, get done, is as mind boggling as is the rate at which they quickly become obsolete, or melded with yet another cool, useful technology. Just look at the speed with which cell phones have been turned into the Swiss Army Knife of personal technology. Nevermind calling, it's fundamental use. How 80s.You can use cell phones today to take pictures, send email, run movies and even signal your fave rock band for an encore. Pretty soon we'll be using them to pay bills on the go, relegating ATMs, hard cash and physical credit cards to the recycling bin of the 90s.

There is, of course, a dark side to all of this, and if the past few weeks are anything to go by, the speed with which the technology that has so improved our lives is being turned against us seems to be ratcheting up at a frightening pace.This is the new cold war. (It is not, as suggested by SafeCount, the war between consumers and advertisers. Uh, no. That's just a minor skirmish between consumers and advertisers. It can be easily resolved by changes in technology and behavior on the part of the advertising/marketing folks).

Security is the new cold war, and there will be no easy solutions. For one, we don't have a prayer of cooperation from the Forces of Evil. For another, we have been forced to leave a trail of our personal data all over the internet, and it is only going to get worse as automation makes it easier to post manually collected data online and hence easier to find and cross reference, as more and more shopping is consummated and applications are submitted online, as companies clear their physical space of human workers and push as many activities as possible - customer support, technical help, purchasing and payment - all online. The same technology that makes this easy to do, and which makes our lives so convenient, also makes it easy for the bad guys to come right on in and harvest the information they need to rob us blind.

This month alone has seen a jump in the devious cleverness with which thieves are scamming and stealing from us. In a CNN report aired May 26, anchor Paula Zahn reeled off some scary statistics: She cited Federal Trade Commission figures that say 10 million people a year, about 27,000 people a day - or 19 people every minute - are the victims of identity theft, at an average estimated loss of $1,200. While the overall loss to victims is estimated at $5 billion, the numbers leap up for businesses - $33 billion. Zahn added that according to the FTC, in 2003, 3.25 million Americans had their personal information misused to open new credit accounts, take out loans etc.

The onslaught of fraudulent activity from these cyber criminals has become so intense, and increasingly so organized, that we need to start responding with an organized, committed and concerted effort on the part of all the parties involved - consumers, technology vendors, data aggregators, financial institutions, law enforcement and law makers - to try and regain some of the ground we've already lost in this battle, never mind keep up.

While Homeland Security worries about "what ifs" and "what mights," running down vague clues to real fears, the country is caught up in the throes of a very real cyber war waged by people who are determined to drain every cent from our accounts and replicate as many of our identities as they can steal. The collective "We" has to do something concrete and soon. I'm seeing bits and pieces of sensible actions from the data aggregators and banks that were hit - but it's not enough for one bank to institute a two-way authentication scheme or to encrypt sensitive data - all banks needs to do this. It's not enough for one data aggregator to clamp down on who it will allow to access its data - they all need to do this.

In fact, we need to do a lot more than we have been doing. And we have to get serious about it:

* We need to come up with some minimal security requirements - encryption, authentication, tracking of data backups for starters - for the people who hold the keys to our identities and financial information. That has to be the price they pay for the privilege of collecting and using this information. Industry groups, vendors and lawmakers need to get together to hammer out and disseminate these new rules - and they can't be voluntary. Sorry - we are too far behind the bad guys, and there is too much at stake here.

* Internet-based services - all businesses really - have to make security and filtering a core part of every technology they use to handle, collect or store sensitive data. The security procedures have to extend beyond technology into the human and physical realms. Employees can create unnecessary risk, computer equipment with sensitive data is routinely lost and client data is often easily retrievable from the trash.

* We have to take a hard look at the information that is being collected and by whom. What is reasonable for what sorts of processes? Years ago I had to rent a film for a class I was taking - I had to see this film. I went to Blockbuster and was stunned at the level of data their application required. Who cares where I went to high school, and why does a video rental store need my Social Security Number? They didn't and they don't. When you get right down to it, a lot of the data required on a lot of the forms we fill out is not pertinent to the transaction involved. You can probably count on one hand the types of activities that need you to reveal your Social Security Number - yet everyone asks for it. And then they trade it, sell it and store it - with no regard to the initial reason the data was provided for in the first place or for the wishes of the consumers involved. We need to put a stop to this.

* Consumers too need do their part. Stop giving your phone number and other personal data out to every pierced sales clerk who asks for it. Pick up your ATM and credit card receipts and shred unneeded financial documents. Understand once and for all that your bank, Paypal and Ebay are not going to ask you to verify your account status or re input your passwords online. And overrun third-world countries do not have millions of dollars in cash casually lying around waiting to be deposited in your account by people who could not possibly know you. Don't trust, and always verify electronic solicitations. We have no choice but to be vigilant.

* The government needs to get serious on so many levels. It's pretty hard to expect agencies stuck in the 80s or 90s technologically to be on top of cyber crime in 2005. Get these systems updated already. End the inter-agency fighting and get these people working together toward a common solution. Pass laws that severely punish phishers, hackers, virus disseminators, identity thieves etc. Regulate the businesses who hold our cyber existence in their hands: be responsible or you can't play.

I am not a big fan of broadcast news "special reports" - they are often too shallow for my taste. But the CNN report was fascinating. It showed chat rooms in action where scam artists and identity thieves gather to buy, trade and sell stolen account information, even to solicit accomplices. In one five-minute period, supposedly 600 "bad guys" had accessed the chat room. This is serious business, and it goes on 24 hours a day.

There has been some positive activity this year, from various state initiatives, to banks finally joining together to offer victims some help, to the launch this week of the Federal Trade Commission's "Operation Spam Zombies," an international campaign designed to educate Internet service providers about hijacked, or "zombie," computers on their networks. There are other efforts and products underway as well. But again, it's going to take coordination, standardized levels of security and the weight of the government to help push back the tide here. We have to make sure our tools of convenience are not used as the weapons of our financial destruction.

Comment  | 
Print  | 
More Insights
Oldest First  |  Newest First  |  Threaded View
Want Your Daughter to Succeed in Cyber? Call Her John
John De Santis, CEO, HyTrust,  5/16/2018
Don't Roll the Dice When Prioritizing Vulnerability Fixes
Ericka Chickowski, Contributing Writer, Dark Reading,  5/15/2018
New Mexico Man Sentenced on DDoS, Gun Charges
Dark Reading Staff 5/18/2018
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "Security through obscurity"
Current Issue
Flash Poll
[Strategic Security Report] Navigating the Threat Intelligence Maze
[Strategic Security Report] Navigating the Threat Intelligence Maze
Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2018-05-21
MagniComp SysInfo before 10-H81, as shipped with BMC BladeLogic Automation and other products, contains an information exposure vulnerability in which a local unprivileged user is able to read any root (uid 0) owned file on the system, regardless of the file permissions. Confidential information suc...
PUBLISHED: 2018-05-21
An issue was discovered in the Admin Notes plugin 1.1 for MyBB. CSRF allows an attacker to remotely delete all admin notes via an admin/index.php?empty=table (aka Clear Table) action.
PUBLISHED: 2018-05-21
Horse Market Sell & Rent Portal Script 1.5.7 has a CSRF vulnerability through which an attacker can change all of the target's account information remotely.
PUBLISHED: 2018-05-21
In Octopus Deploy 2018.4.4 through 2018.5.1, Octopus variables that are sourced from the target do not have sensitive values obfuscated in the deployment logs.
PUBLISHED: 2018-05-21
A security feature bypass exists when Windows incorrectly validates kernel driver signatures, aka "Windows Security Feature Bypass Vulnerability." This affects Windows Server 2016, Windows 10, Windows 10 Servers. This CVE ID is unique from CVE-2018-1035.