While Internet security breaches have increased noticeably of late, individual dangers are morphing into risks to entire countries.
The profusion of malware and the sophistication of attacks on personal, business, and now state entities seem to be increasing at a rate and level that is difficult even for security professionals to address.
A friend of mine had her identity stolen recently, and she immediately began getting electronic charges on her bank account from a wide variety of sources within a short period of time. The conclusion by authorities was that a ring of thieves had distributed her personal information to a broad network of people, each of whom tried to buy something quickly before she was aware of the theft. Apparently, once the bank actually transfers the money to a requesting business, it's difficult to recover the loss. In her case, the purchase requests set off the bank's own security control notices, and only a few hundred dollars of the more than $8,000 requested actually were released. How did her identity get stolen in the first place? A disgruntled employee at one of the nation's larger mortgage servicing institutions apparently took thousands of personal files and emailed them to a criminal organization. My other friend who had his identity stolen had it happen in a similar fashion--from an employee at a car dealership who had access to credit reports. That was years ago, and the employee used the information to open charge accounts from which he began making purchases.
Today's fraudsters are far more sophisticated, and the chance of their getting caught and prosecuted is slim, particularly if they're operating from another country. The operations involve large, highly trained rings of thieves who move the information and money very quickly indeed. Even French President Nicolas Sarkozy had his private bank account hacked, allowing criminals to steal small amounts of money. French authorities report that Internet banking security breaches have increased by some 9 percent in the country this year.
Alongside cybercrime for financial gain, there is an emerging trend toward cyber attacks for political ends. The small but highly wired and Internet-savvy country of Estonia incurred the wrath of an unknown group last spring when it tried to move a Soviet-era war memorial out of the center of town in the capital because it reminded people of the former Russian and Soviet occupation. Estonian government and banking institutions were targeted in distributed denial of service (DDoS) attacks involving hundreds of thousands of computers for periods of up to 10 hours. The attacks reportedly began from inside Russia but used a variety of tools and botnets once they got going. The effect was a huge loss to the Estonian economy. Politically motivated denial of service attacks are not new and were involved in disputes between India and Pakistan a few years back as well as in a South Korean issue over an Olympics event.
While Europeans may feel more vulnerable to these types of attacks and thefts than North Americans do, the trend in the U.S. is on the rise as well. What is going on in Europe to counteract these trends is therefore worth noting. To help deal with the rising frequency and number of cyber attacks, an unlikely alliance of users is meeting in Vienna, Austria, next month at the In-Depth Security Conference, or DEEPSEC. The conference, which runs November 11-14, is expected to draw hackers and security specialists alike for four days of seminars and training. Normally, it is the security specialists who fend off attacks from the hackers. But not all hackers are necessarily motivated by criminal intent. In many cases, they are interested in discovering security flaws in corporate and government networked environments that they then report.
"Despite what is generally believed, hackers are not necessarily criminals," says Rene Pfeiffer, lead organizer of the conference. "Many have made it their goal to point out potentially dangerous security leaks that need to be closed as soon as possible in everyone's interest."
What is of concern to many who will be attending this year's conference is the explosive growth in wireless networks that create increasingly easy access for unauthorized users to obtain sensitive data. Given the magnitude of the challenge, it's all hands on deck, according to Pfeiffer.
"We are a neutral platform that closes the usually existing gap between researchers, businesses, authorities, and the hacker community," says Pfeiffer.
Workshops will be held on issues including "security audit and hardening of Java-based software," "advanced malware deobfuscation," "secure application coding for enterprise software," "design and implementation of security awareness campaigns," and "improving code with destructive data," among others. Speakers are coming from the U.S. (Microsoft, McAfee, Pacific Gas & Electric, Arbor Networks, and LogLogic among others), Germany, Italy, Spain, Israel, the UK, Argentina, New Zealand, Austria, India, and elsewhere. The U.S. Department of Homeland Security is promoting development of a next-generation intrusion detection/prevention software product to which all developers can contribute, and conference attendees will be briefed on the project.
For more information on the conference, or to register, visit DEEPSEC.
Meanwhile, IBM has developed a new device in its Zurich Research Lab that may help consumers avoid getting stung by man-in-the-middle attacks. In these, a piece of malicious code that resides on the consumer's computer without the user's knowledge deceives the user into thinking, say, that he is paying a bill online for $100, when in fact the amount of money being requested of the bank's server is $10,000. The bank's computer also is deceived in the transaction. The hacker inconspicuously intercepts and modifies the messages flowing between the user and his financial institution.
The fix that IBM came up with is called the Zone Trusted Information Channel (ZTIC), which looks like a memory flash card and plugs into the USB port. It creates a direct and secure channel to the bank's online transaction server, thereby bypassing the PC, which might be infected. The solution effectively moves all the cryptographic and critical user-interface processes away from the consumer's PC and onto the ZTIC device. It creates a trusted communication endpoint between the banking server and the user.
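The principle can be shown in a few lines. The following is an added example, not IBM's code and not the ZTIC's actual protocol, which this article does not describe: it assumes a key shared between the bank and a hypothetical `TrustedDevice`, and uses an HMAC over the transaction the user confirmed on the device's own display, so that a change made by the infected PC (the $100 payment turned into $10,000) is rejected by the bank.

```python
import hashlib
import hmac
import json
import secrets


def _mac(key, tx, nonce):
    # Canonical JSON so bank and device authenticate identical bytes.
    body = json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, nonce.encode() + b"|" + body, hashlib.sha256).hexdigest()


class TrustedDevice:
    """Hypothetical external device: holds the key and has its own display."""
    def __init__(self, key):
        self._key = key

    def confirm(self, tx, nonce, user_expects):
        # The device shows tx on its own screen; the user approves only
        # if it matches what they meant to pay. No approval, no tag.
        if tx != user_expects:
            return None
        return _mac(self._key, tx, nonce)


class Bank:
    def __init__(self, key):
        self._key = key
        self._open = set()

    def challenge(self):
        nonce = secrets.token_hex(16)
        self._open.add(nonce)
        return nonce

    def accept(self, tx, nonce, tag):
        if tag is None or nonce not in self._open:
            return False
        self._open.discard(nonce)  # single use, so a captured tag cannot be replayed
        return hmac.compare_digest(_mac(self._key, tx, nonce), tag)


def run(pc_tampers):
    key = secrets.token_bytes(32)  # constructed demo key (assumed pre-shared)
    bank, device = Bank(key), TrustedDevice(key)
    intended = {"payee": "UTILITY-CO", "amount": "100.00"}  # constructed sample
    nonce = bank.challenge()
    tag = device.confirm(intended, nonce, user_expects=intended)
    # The PC only relays; malware on it can alter the request but not the tag.
    sent = dict(intended, amount="10000.00") if pc_tampers else intended
    return bank.accept(sent, nonce, tag)
```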
The first pilot devices of the ZTIC have now been manufactured and are ready for trial by banks and other financial institutions. A video demonstration of the technology is available at ZTIC device.
While the risks to consumers, financial institutions, and governments appear to be increasing, one can only conclude somewhat wryly that security professionals will be employed throughout this unfolding economic recession for the immediate, and foreseeable, future.