
5/27/2005
07:18 PM
Patricia Keefe
Commentary

Security Is the New Cold War

Electronics, technology and ubiquitous computing have made the world a far more convenient and efficient place to live. The speed with which the things we can now do get done is as mind-boggling as the rate at which they become obsolete, or are melded with yet another cool, useful technology. Just look at the speed with which cell phones have been turned into the Swiss Army Knife of personal technology. Never mind calling, its fundamental use. How 80s. You can use cell phones today to take pictures, send email, run movies and even signal your fave rock band for an encore. Pretty soon we'll be using them to pay bills on the go, relegating ATMs, hard cash and physical credit cards to the recycling bin of the 90s.

There is, of course, a dark side to all of this, and if the past few weeks are anything to go by, the speed with which the technology that has so improved our lives is being turned against us seems to be ratcheting up at a frightening pace. This is the new cold war. (It is not, as suggested by SafeCount, the war between consumers and advertisers. Uh, no. That's just a minor skirmish between consumers and advertisers. It can be easily resolved by changes in technology and behavior on the part of the advertising/marketing folks.)

Security is the new cold war, and there will be no easy solutions. For one, we don't have a prayer of cooperation from the Forces of Evil. For another, we have been forced to leave a trail of our personal data all over the internet, and it is only going to get worse as automation makes it easier to post manually collected data online and hence easier to find and cross reference, as more and more shopping is consummated and applications are submitted online, as companies clear their physical space of human workers and push as many activities as possible - customer support, technical help, purchasing and payment - all online. The same technology that makes this easy to do, and which makes our lives so convenient, also makes it easy for the bad guys to come right on in and harvest the information they need to rob us blind.

This month alone has seen a jump in the devious cleverness with which thieves are scamming and stealing from us. In a CNN report aired May 26, anchor Paula Zahn reeled off some scary statistics: She cited Federal Trade Commission figures that say 10 million people a year, about 27,000 people a day - or 19 people every minute - are the victims of identity theft, at an average estimated loss of $1,200. While the overall loss to victims is estimated at $5 billion, the numbers leap up for businesses - $33 billion. Zahn added that according to the FTC, in 2003, 3.25 million Americans had their personal information misused to open new credit accounts, take out loans etc.

The onslaught of fraudulent activity from these cyber criminals has become so intense, and increasingly so organized, that we need to start responding with an organized, committed and concerted effort on the part of all the parties involved - consumers, technology vendors, data aggregators, financial institutions, law enforcement and law makers - to try and regain some of the ground we've already lost in this battle, never mind keep up.

While Homeland Security worries about "what ifs" and "what mights," running down vague clues to real fears, the country is caught up in the throes of a very real cyber war waged by people who are determined to drain every cent from our accounts and replicate as many of our identities as they can steal. The collective "We" has to do something concrete and soon. I'm seeing bits and pieces of sensible actions from the data aggregators and banks that were hit - but it's not enough for one bank to institute a two-way authentication scheme or to encrypt sensitive data - all banks need to do this. It's not enough for one data aggregator to clamp down on who it will allow to access its data - they all need to do this.

In fact, we need to do a lot more than we have been doing. And we have to get serious about it:

* We need to come up with some minimal security requirements - encryption, authentication, tracking of data backups for starters - for the people who hold the keys to our identities and financial information. That has to be the price they pay for the privilege of collecting and using this information. Industry groups, vendors and lawmakers need to get together to hammer out and disseminate these new rules - and they can't be voluntary. Sorry - we are too far behind the bad guys, and there is too much at stake here.

* Internet-based services - all businesses really - have to make security and filtering a core part of every technology they use to handle, collect or store sensitive data. The security procedures have to extend beyond technology into the human and physical realms. Employees can create unnecessary risk, computer equipment with sensitive data is routinely lost and client data is often easily retrievable from the trash.

* We have to take a hard look at the information that is being collected and by whom. What is reasonable for what sorts of processes? Years ago I had to rent a film for a class I was taking - I had to see this film. I went to Blockbuster and was stunned at the level of data their application required. Who cares where I went to high school, and why does a video rental store need my Social Security Number? They didn't and they don't. When you get right down to it, a lot of the data required on a lot of the forms we fill out is not pertinent to the transaction involved. You can probably count on one hand the types of activities that need you to reveal your Social Security Number - yet everyone asks for it. And then they trade it, sell it and store it - with no regard to the initial reason the data was provided for in the first place or for the wishes of the consumers involved. We need to put a stop to this.

* Consumers too need to do their part. Stop giving your phone number and other personal data out to every pierced sales clerk who asks for it. Pick up your ATM and credit card receipts and shred unneeded financial documents. Understand once and for all that your bank, PayPal and eBay are not going to ask you to verify your account status or re-input your passwords online. And overrun third-world countries do not have millions of dollars in cash casually lying around waiting to be deposited in your account by people who could not possibly know you. Don't trust, and always verify electronic solicitations. We have no choice but to be vigilant.

* The government needs to get serious on so many levels. It's pretty hard to expect agencies stuck in the 80s or 90s technologically to be on top of cyber crime in 2005. Get these systems updated already. End the inter-agency fighting and get these people working together toward a common solution. Pass laws that severely punish phishers, hackers, virus disseminators, identity thieves etc. Regulate the businesses who hold our cyber existence in their hands: be responsible or you can't play.

I am not a big fan of broadcast news "special reports" - they are often too shallow for my taste. But the CNN report was fascinating. It showed chat rooms in action where scam artists and identity thieves gather to buy, trade and sell stolen account information, even to solicit accomplices. In one five-minute period, supposedly 600 "bad guys" had accessed the chat room. This is serious business, and it goes on 24 hours a day.

There has been some positive activity this year, from various state initiatives, to banks finally joining together to offer victims some help, to the launch this week of the Federal Trade Commission's "Operation Spam Zombies," an international campaign designed to educate Internet service providers about hijacked, or "zombie," computers on their networks. There are other efforts and products underway as well. But again, it's going to take coordination, standardized levels of security and the weight of the government to help push back the tide here. We have to make sure our tools of convenience are not used as the weapons of our financial destruction.
