[ISN] Privacy Lost

[InfoSec News]

http://www.cbsnews.com/stories/2006/06/07/opinion/main1690428.shtml

By Tom Kellerman
CBS 
June 7, 2006

In today's age of digital everything, one can reminisce about the days 
of true privacy. Much of the discussion of late has centered upon the 
NSA's domestic spying program. Americans from the deep red states to 
the blue have felt betrayed by Uncle Sam as a result of his 
anti-terror efforts. The naiveté exhibited by privacy advocates 
everywhere stems from a lack of appreciation that the world is truly 
flat - privacy has been traded for convenience. True privacy has 
become pure nostalgia in this age of digital everything. All the 
fretting about the National Security Agency's domestic spying program 
is understandable, but it misses one spectacularly big point: domestic 
privacy in America simply does not exist anymore. Those who use 
e-commerce most are at greatest risk. The Privacy Rights Clearinghouse 
reported that more 80 million Americans have had their personal 
information jeopardized by data breaches since Feb. 15, 2005. A more 
recent study conducted by IBM claimed that three times more Americans 
thought they were more likely to be victimized by cybercrime than 
physical crime. 

Most Americans are unaware that government Big Brother no longer has a 
monopoly on domestic spying. There are in fact thousands upon 
thousands of Big Brothers in cyberspace and on the digital airwaves. 
These Big Brothers are intent upon criminal gain rather than national 
security. These Big Brothers exist in the underground hacker 
community, among other places. Since the wide spread adoption of 
e-commerce and e-finance the burgeoning hacker community has evolved 
into a force to be reckoned with on the world stage. 

An entire subculture of highly educated and sophisticated cyber 
criminals exists. Much as the Italian Mafia in the U.S. moved into 
narcotics trafficking in the 1970's, other organized criminal 
syndicates have realized that identity theft, funds transfer and 
extortion are the most lucrative business models in the information 
age. A recent FBI study determined that 9 out of 10 American 
businesses fell victim to cyber crime last year. The FBI Director, 
Robert Mueller, declared cyber crime his number one criminal priority. 
According to the Organization for Economic Cooperation and Development 
one in three computers is compromised — remotely controlled by someone 
other than you. 

The virtual takeover of Americans' privacy has been largely due to the 
proliferation of Trojan Horse programs. Trojan Horse programs are 
smaller, digital, and far more prolific than in the days of Troy. 
Trojans cloak malicious code by appearing as innocuous attachments in 
order to gain access inside a user's computer system. Once a Trojan 
Horse has been introduced into a user's computer system, it plants a 
program that listens for a variety of user communications and secretly 
installs secret passageways into a user's computer. Through these 
backdoors, remote hackers can launch malicious code and vandalize, 
alter, steal, move, or delete any file on the infected computer. They 
can also harvest sensitive user information such as financial account 
numbers and passwords from the data in local files, and then transmit 
them through backdoors. 

Most Americans think that one must be very technical to invade someone 
else's privacy in this fashion. That belief is dangerously misguided. 

Much as one need not understand the inner workings of a handgun to use 
one, you don't need to be a sophisticated programmer to be an adept 
cyber crook. By merely running query in a search engine for Trojan 
horse programs or keyloggers one will find tens of thousands of 
relevant downloadable programs at their fingertips. One merely needs 
to comprehend the lexicon associated with hacker tools to launch cyber 
attacks. The Internet has become a virtual arms bizarre. The free 
distribution of cyber weapons takes place millions of times every day. 
Underground Internet Relay Chat rooms and Web sites like 
http://astalavista.box.sk have mirrored the American gun shows; the 
only exception being that all the guns and ammo are free. 


Some examples might shock you: 

Did you know that the Pentagon the most secure infrastructure in the 
world was hacked for over eight months by a network of Chinese 
computers named Titan Rain? These computers were implanted within the 
DOD's internal networks so as to steal our aeronautical specifications 
for advanced jets and space craft. 

Did you know that the greatest threat facing our banks is not armed 
robbers but cyber thieves stealing your identity and setting up 
fraudulent lines of credit in your name? Only 2 percent of mounting 
bank crime losses are from physical robberies now. Today's bandits now 
hide safely in a hotel room halfway around the world while they steal 
your financial futures. 

Did you know that the 202 deaths of foreigners in Bali in 2002 were 
financed by cyber crime? Imam Samudra was convicted of engineering the 
devastating Bali nightclub bombings four years ago. Samudra published 
a jailhouse autobiography that contained a chapter titled "Hacking, 
Why Not?" Samudra urged fellow Muslim radicals to take the holy war 
into cyberspace by attacking U.S. computers, with the particular aim 
of committing credit card fraud online. 

Today's' digital world has become a boon to an illegal underground 
economy that trades in our secrets. Governments no longer have a 
monopoly on technology and thus no longer have a monopoly on being Big 
Brother. Indeed, the proliferation of criminal, digital Big Brothers 
far exceeds the government's ability to protect citizens in 
cyberspace. 

A good place to begin reclaiming privacy and real cyber security in 
vital areas of life and commerce is with the banks and corporations 
that we do business with. Just as some corporations do a better job at 
protecting the environment there are those who do a better job at 
ensuring our privacy and cyber security. There is no way government 
can do the job itself; the resources and resourcefulness of the entire 
private sector are necessary. 

In cyberspace privacy cannot exist without cyber security. You might 
attempt to protect your computer and the information on it. But you 
can't protect the security of every institution that holds information 
about you. Much like the concept of "rewind" the concept of personal 
privacy is becoming ancient history. 

-=-

Tom Kellermann is a cyber security consultant who formerly held the 
position of Senior Data Risk Management Specialist for the World Bank 
Treasury Security Team. He was responsible for cyber intelligence and 
policy management within the World Bank treasury and regularly advised 
central banks around the world. He is a Certified Information Security 
Manager (CISM).

©MMVI, CBS Broadcasting Inc. All Rights Reserved.