iTech
Follow us onFollow us on Twitter

Brent MacLean, Security Matters Magazine
Subscribe to Feed
Brent MacLean is the managing director of J.B. MacLean Consulting. He has more than 22 years experience in defending against Internet security threats.

Brent MacLean

2010-07-26
Terrorism and Internet Use

The great and many wondrous virtues of the Internet—its ease of access, lack of regulation, the potential audiences it caters to, and its fast flow of information, among others have been turned to the advantage of groups committed to terrorizing societies to achieve their selective goals. Today, most active terrorist groups have established their presence in some way or another on the Internet. Terrorism on the Internet is an extremely dynamic phenomenon: websites suddenly emerge, frequently modify their formats, and then swiftly disappear—or, in many cases, seem to disappear by changing their online address but retaining much the same content.

Terrorist websites target three different audiences: current and potential supporters; international public opinion; and enemy publics. The mass media, policymakers, and even security agencies have tended to focus on the exaggerated threat of cyber-terrorism and paid inadequate attention to the more routine uses made of the Internet.

Those uses are numerous and, from the terrorists' perspective, invaluable. There are eight different ways in which contemporary terrorists are presently using the Internet, ranging from psychological warfare and propaganda to highly instrumental uses such as fundraising, recruitment, data mining, and coordination of actions. While we must defend our societies against cyber-terrorism and Internet-savvy terrorists, we should also consider the costs of applying counter-terrorism measures to the Internet. Such measures can hand authoritarian governments and agencies with little public accountability tools with which to violate privacy, circumvent the free flow of information, and restrict the freedom of expression, thus adding a heavy price in terms of diminished civil liberties to the high toll exacted by terrorism itself.

The story of the presence of terrorist groups in cyberspace has barely begun to be told. In 1998, around half of the thirty organizations designated as "Foreign Terrorist Organizations" under the U.S. Antiterrorism and Effective Death Penalty Act of 1996 maintained websites; by 2000, virtually all terrorist groups had established their presence on the Internet. A recent scan of the Internet in 2004 revealed hundreds of websites serving terrorists and their supporters.

And yet, despite this growing terrorist presence, when policymakers, journalists, and academics have discussed the combination of terrorism and the Internet, they have focused on the overrated threat posed by cyber-terrorism or cyber-warfare (i.e., attacks on computer networks, including those on the Internet) and largely ignored the numerous uses that terrorists make of the Internet every day.

We turn the spotlight on these latter activities, identifying, analyzing, and illustrating ways in which terrorist organizations are exploiting the unique attributes of the Internet. We have witnessed a growing and increasingly sophisticated terrorist presence on the World Wide Web. Terrorism on the Internet, as has been discovered, is a very dynamic phenomenon: websites suddenly emerge, frequently modify their formats and internal layouts, and then swiftly and quietly disappear. To locate the terrorists' sites, many numerous systematic scans of the Internet have revealed that feeding an enormous variety of names and terms into search engines, entering chat rooms and forums of supporters and sympathizers, and surveying the links on other organizations' websites to create and update our own lists of sites prove invaluable and quite beneficial.

The origins of the Internet, the characteristics of the new medium that make it so attractive to political extremists, the range of terrorist organizations active in cyberspace, and their target audiences is our primary focus. The heart of Internet terrorism is an analysis of eight different uses that terrorists continue to make use of on the Internet. These range from conducting psychological warfare to gathering information, from training to fundraising, from propagandizing to recruiting, and from networking to planning and coordinating terrorist acts. The Internet may be attractive to political extremists, but it also symbolizes and supports the freedom of thought and expression that helps distinguish democracies from their enemies.

Modern Terrorism and the Internet
The very decentralized network of communication that the U.S. security services created out of fear of the Soviet Union now serves the interests of the greatest enemy of the West's security services since the end of the Cold War: international terror. The roots of the modern Internet are to be found in the early 1970s, during the days of the Cold War, when the U.S. Department of Defence was concerned about reducing the vulnerability of its communication networks to nuclear attack. The Defense Department at this time decided to decentralize the whole system by creating an inter-connected web of computer networks. After twenty years of development and use by academic researchers and scholars, the Internet quickly expanded, and emerged slowly and thus changed its character when it was opened up to commercial users in the late 1980s. By 1994, the Internet connected more than 18,000 private, public, and national networks, with this number increasing daily. Hooked into those networks were about 3.2 million host computers and perhaps as many as 60 million users spread across all seven continents. The estimated number of users in the early years of the twenty-first century is over one billion—a surprising and simultaneously mind-blowing statistic in light of today’s events.

As it emerged, the internet was deemed as a triumphant exaltation and viewed as an integrator of cultures and a collective medium for businesses, consumers, and governments to communicate with one another. It appeared to offer insurmountable opportunities for the creation of a forum in which the "world" could meet and exchange ideas, stimulating and sustaining democracy throughout the world. However, with the enormous growth in the size and use of the network, utopian visions of the promises of the internet were challenged by the proliferation of pornographic and violent content on the “world wide web” and by the use of the Internet by extremist organizations of various kinds. Groups with very different political goals but united in their readiness to employ terrorist tactics started using the network to distribute and diversify their propaganda, to communicate with their silent supporters, to foster public awareness and even to execute operations.
By its very essence, the internet is in many ways has become an ideal arena for activity by several terrorist organizations. Most notably, it primarily offers the following benefits:

  • easy access;
  • little or no regulation, censorship, or other forms of government control;
  • huge audiences spread throughout the world;
  • anonymity of communication;
  • fast flow of information;
  • inexpensive development and maintenance of a web presence;
  • a multimedia environment (the ability to combine text, graphics, audio, and video and to allow users to download films, songs, books, posters, and so forth); and
  • the ability to shape coverage in the traditional mass media, which increasingly use the Internet as a source for stories.

An Overview of Terrorist Websites
These advantages have not gone unnoticed by terrorist organizations, no matter what their political orientation. Islamists and Marxists, nationalists and separatists, racists and anarchists: all find the Internet alluring. Today, almost all active terrorist organizations (which number more than forty) maintain websites, and many maintain more than one website and use several different languages.

Content
A potential terrorist site will provide a history of the organization and its activities, a detailed review of its social and political background and supporters, accounts of its notable exploits, detailed but not explicit biographies of its predominant leaders, founders, information on its political and ideological pursuits, fierce criticism of its enemies, and up-to-date news. Nationalist and separatist organizations generally display maps of the areas in dispute.

Audiences
An analysis of the content of the websites suggests three different audiences.
Current and potential supporters. Terrorist websites make enormous use of slogans and offer items for sale, including T-shirts, badges, flags, and multi-media material, all evidently aimed at sympathizers. Often, an organization will target its local supporters with a site in the local language and will provide detailed information about the activities and internal politics of the organization, its allies, and its competitors. International public opinion. The international public, who are not directly involved in the conflict but who may have some interest in the issues involved, are courted with sites in languages other than the local tongue. Most sites offer versions in several languages.
Judging from the content of many of the sites, it appears that foreign journalists are also targeted. Press releases are often placed on the websites in an effort to get the organization's point of view into the traditional media. The detailed background information is also very useful for international reporters.
Enemy publics

Efforts to reach enemy publics (i.e., citizens of the states against which the terrorists are fighting) are not as clearly apparent from the content of many sites. However, some sites do seem to make an effort to demoralize the enemy by threatening attacks and by encouraging feelings of guilt about the enemy's conduct and motives. In the process, they also seek to stimulate public debate in their enemies' states, to change public opinion, and to weaken public support for the governing regime.

Terrorists use of the Internet
We have identified eight different, and potentially overlapping, ways in which terrorists use the Internet. Some of these parallel the uses to which everyone puts the Internet—information gathering, for instance. Some resemble the uses made of the medium by traditional political organizations—for example, raising funds and disseminating propaganda. Others, however, are much more unusual and distinctive—for instance, hiding instructions, manuals, and directions in coded messages or encrypted files.

Psychological Warfare
Terrorism has often been conceptualized as a form of psychological warfare, and certainly many terrorists have sought to wage such a campaign throughout the Internet. They can use the Internet to spread disinformation, to deliver threats intended to distill fear and helplessness, and to disseminate horrific images of recent actions. Terrorists can also launch psychological attacks through cyber-terrorism, or, more accurately, through creating the fear of cyber-terrorism. "Cyber-fear" is generated when concern about what a computer attack could do (for example, bringing down an airline by disabling air traffic control systems, or disrupting national economies by wrecking the computerized systems that regulate economic and financial trends) is amplified until the public believes that an attack will happen. The Internet—an uncensored and powerful medium that captures and carries stories, pictures, threats, or messages regardless of their validity or potential impact—is peculiarly well suited to allowing even a small group to amplify its message and exaggerate its importance and the threat it can pose.

Al Qaeda combines multimedia propaganda and advanced communication technologies to create a very sophisticated form of psychological warfare. Osama bin Laden and his numerous followers concentrate their propaganda efforts on the Internet, where visitors to al Qaeda's numerous websites and to the sites of sympathetic, above-ground organizations can access pre-recorded videotapes and audiotapes, CD-ROMs, DVDs, photographs, and announcements. Despite the massive onslaught it has sustained in recent years—the arrests and deaths of many of its members, the dismantling of its operational bases and training camps in Afghanistan, and the smashing of its bases in the Far East—al Qaeda has been able to conduct an impressive terror campaign. Since the events of September 11, 2001, the organization has embedded its websites with a string of announcements of an impending "large attack" on potential U.S. targets. These warnings have received considerable media coverage, which has assisted to generate a widespread sense of fear and insecurity amongst audiences throughout the world and especially within the United States.

Interestingly, al Qaeda has consistently proclaimed on its websites that the destruction of the World Trade Center has inflicted psychological damage, as well as concrete damage, on the U.S. economy. The attacks on the Twin Towers are depicted as an assault on the trademark of the U.S. economy, and therefore provided remarkable evidence of their effectiveness is seen in the weakening of the dollar, the decline of the U.S. stock market after 9/11, and a supposed loss of confidence in the U. S. economy both within the United States and elsewhere. Parallels are drawn with the decline and ultimate demise of the Soviet Union. One of bin Laden's recent publications, posted on the web, declared that "America is in retreat by the Grace of Almighty and economic attrition is continuing up to today. But it needs further blows. The young men need to seek out the nodes of the American economy and strike the enemy's nodes."

Publicity and Propaganda
The Internet has significantly expanded the opportunities for terrorists to secure their public rebellion. Until the global emergence of the Internet, terrorists' hopes of winning publicity for their causes and activities depended on attracting the attention of television, radio, or the print media. These traditional media avenues have "selection thresholds" (multistage processes of editorial selection) that terrorists often cannot reach. No such thresholds, of course, exist on the terrorists' own websites. The fact that many terrorists now have direct control over the content of their message offers tremendous opportunities to shape how they are perceived by different target audiences and to manipulate their own image and the image of their enemies.

Most terrorist sites do not celebrate their violent activities. Instead, regardless of the terrorists' agendas, motives, and location, most sites emphasize two issues: the restrictions placed on freedom of expression and the plight of comrades who are now political prisoners. These resounding issues resonate powerfully with their own supporters and are also calculated to elicit sympathy from Western audiences that cherish freedom of expression and frown upon measures to silence any political opposition. Enemy publics, too, may be targets for these complaints insofar as the terrorists, by emphasizing the antidemocratic nature of the steps taken against them, try to create feelings of unease and shame among their enemies. The terrorists' protest at being muzzled, it may be noted, is particularly well suited to the Internet, which for many users is the symbol of a free, unfettered, and uncensored conduit of communication.

Terrorist sites commonly employ three rhetorical structures, all used to justify their continuous reliance on violence and fear. The first one is the claim that the terrorists have no choice other than to turn to violence. Violence is presented as a necessity forced upon the weak as the only means with which to respond to an oppressive enemy. While the sites avoids mentioning how the terrorists continue to victimize others, the forceful actions of the governments and regimes that combat the terrorists are heavily emphasized and characterized with terms such as "slaughter," "murder," and "genocide." The terrorist organization is depicted as constantly persecuted, its leaders subject to assassination attempts and its supporters massacred, its freedom of expression curtailed, and its adherents arrested. This tactic, which portrays the organization as small, weak, and hunted down by a strong power or a strong state, turns the terrorists into the underdog.

A second rhetorical structure related to the legitimacy of the use of violence is the demonizing and delegitimization of the enemy. The members of the movement or organization are presented as freedom fighters, forced against their will to use violence because a ruthless enemy is crushing the rights and freedom of their people or group. The enemy of the movement or the organization is the real terrorist, many sites insist: "Our violence is tiny in comparison to his aggression" is a common argument. Terrorist rhetoric tries to shift the responsibility for violence from the terrorist to the adversary, which is accused of displaying its brutality, inhumanity, and immorality.

The third rhetorical device is to make extensive use of the language of nonviolence in an attempt to counter the terrorists' violent image. Although these are violent organizations, many of their sites claim that they seek peaceful solutions, that their ultimate aim is a diplomatic settlement achieved through negotiation, compromise, and international pressure on a repressive government.

Data Mining
The Internet can be viewed as a vast digital library. The World Wide Web alone offers about a billion pages of information, most of it free—and much of it, of interest to terrorist organizations. Terrorists, for instance, can learn from the Internet a wide variety of details about targets such as transportation facilities, nuclear power plants, public buildings, airports, and ports, and even about counter-terrorism measures. They use the Internet to collect intelligence on targets, especially critical economic nodes, and modern software enables them to study structural weaknesses in facilities as well as predict the cascading failure effect of attacking certain systems." According to Secretary of Defense Donald Rumsfeld, speaking on January 15, 2003, an al Qaeda training manual recovered in Afghanistan tells its readers, "Using public sources openly and without resorting to illegal means, it is possible to gather at least 80 percent of all information required about the enemy."

Like many other Internet users, terrorists have access not only to maps and diagrams of potential targets but also to imaging data on those same facilities and networks that may reveal counterterrorist activities at a target site. One captured al Qaeda computer contained engineering and structural features of a dam, which had been downloaded from the Internet and which would enable al Qaeda engineers and planners to simulate catastrophic failures. In other captured computers, U.S. investigators found evidence that al Qaeda operators spent time on sites that offer software and programming instructions for the digital switches that run power, water, transportation, and communications grids. Numerous tools are available to facilitate such data collection, including search engines, e-mail distribution lists, and chat rooms and discussion groups. Many websites offer their own search tools for extracting information from databases on their sites. Word searches of online newspapers and journals can likewise generate information of use to terrorists; some of this information may also be available in the traditional media, but online searching capabilities allow terrorists to capture it anonymously and with very little effort or expense.

Fundraising
Like many other political organizations, terrorist groups use the Internet to raise funds. Al Qaeda, for instance, has always depended heavily on donations, and its global fund-raising network is built upon a foundation of charities, non-profit organizations, and other financial institutions that use websites and Internet-based chat rooms and forums. The Sunni extremist group Hizb al-Tahrir uses an integrated web of Internet sites, stretching from Europe to Africa, which asks supporters to assist the effort by giving money and encouraging others to donate to the cause of jihad. Banking information, including the numbers of accounts into which donations can be deposited, is provided on a site based in Germany. The fighters in the Russian breakaway republic of Chechnya have likewise used the Internet to publicize the numbers of bank accounts to which sympathizers can contribute. (One of these Chechen bank accounts is located in Sacramento, California.) The IRA's website contains a page on which visitors can make credit card donations.

Internet demographics allow terrorists to identify users with sympathy for a particular cause or issue. These individuals are then asked to make donations, typically through e-mails sent by a front group (i.e., an organization broadly supportive of the terrorists' aims but operating publicly and legally and usually having no direct ties to the terrorist organization). For instance, money benefiting Hamas has been collected via the website of a Texas-based charity, the Holy Land Foundation for Relief and Development (HLF). The U.S. government seized the assets of HLF in December 2001 because of its ties to Hamas. The U.S. government has also frozen the assets of three seemingly legitimate charities that use the Internet to raise money—the Benevolence International Foundation, the Global Relief Foundation, and the Al-Haramain Foundation—because of evidence that those charities have funneled money to al Qaeda.

The Internet can be used not only to solicit donations from sympathizers but also to recruit and mobilize supporters to play a more active role in support of terrorist activities or causes. In addition to seeking converts by using the full panoply of website technologies (audio, digital video, etc.) to enhance the presentation of their message, terrorist organizations capture information about the users who browse their websites. Users who seem most interested in the organization's cause or well suited to carrying out its work are then contacted. Recruiters may also use more interactive Internet technology to roam online chat rooms and cyber-cafes, looking for receptive members of the public, particularly young people. Electronic bulletin boards and user nets can also serve as vehicles for reaching out to potential recruits.

Networking
Many terrorist groups, among them Hamas and al Qaeda, have undergone a transformation from strictly hierarchical organizations with designated leaders to affiliations of semi-independent cells that have no single commanding hierarchy. Through the use of the Internet, these loosely interconnected groups are able to maintain contact with one another—and with members of other terrorist groups. In the future, terrorists are increasingly likely to be organized in a more decentralized manner, with arrays of various groups linked by the Internet and communicating and coordinating horizontally rather than vertically.

Several reasons explain why modern communication technologies, especially computer-mediated communications, are so useful for terrorists in establishing and maintaining networks. First, new technologies have greatly reduced transmission time, enabling dispersed organizational actors to communicate swiftly and to coordinate effectively. Second, new technologies have significantly reduced the cost of communication. Third, by integrating computing with communications, they have substantially increased the variety and complexity of the information that can be shared.

The Internet connects not only members of the same terrorist organizations but also members of different groups. For instance, dozens of sites exist that express support for terrorism conducted in the name of jihad. These sites and related forums permit terrorists in places such as Chechnya, Palestine, Indonesia, Afghanistan, Turkey, Iraq, Malaysia, the Philippines, and Lebanon to exchange not only ideas and suggestions but also practical information about how to build bombs, establish terror cells, and carry out attacks.

Sharing Information
The World Wide Web is home to dozens of sites that provide information on how to build chemical and explosive weapons. A much larger manual, nicknamed "The Encyclopedia of Jihad" and prepared by al Qaeda, runs to thousands of pages; distributed through the Internet, it offers detailed instructions on how to establish an underground organization and execute attacks. One al Qaeda laptop found in Afghanistan had been used to make multiple visits to a French site run by the Société Anonyme (a self-described "fluctuating group of artists and theoreticians who work specifically on the relations between critical thinking and artistic practices"), which offers a two-volume Sabotage Handbook with sections on topics such as planning an assassination and anti-surveillance methods.

Planning and Coordination
Terrorists use the Internet not only to learn how to build bombs but also to plan and coordinate specific attacks. Al Qaeda operatives relied heavily on the Internet in planning and coordinating the September 11 attacks. Thousands of encrypted messages that had been posted in a password-protected area of a website were found by federal officials on the computer of arrested al Qaeda terrorist Abu Zubaydah, who reportedly masterminded the September 11 attacks. The first messages found on Zubaydah's computer were dated May 2001 and the last were sent on September 9, 2001. The frequency of the messages was highest in August 2001. To preserve their anonymity, the al Qaeda terrorists used the Internet in public places and sent messages via public e-mail. Some of the September 11 hijackers communicated using free web-based e-mail accounts.

Hamas activists in the Middle East, for example, use chat rooms to plan operations and operatives exchange e-mail to coordinate actions across Gaza, the West Bank, Lebanon, and Israel. Instructions in the form of maps, photographs, directions, and technical details of how to use explosives are often disguised by means of steganography, which involves hiding messages inside graphic files. Sometimes, however, instructions are delivered concealed in only the simplest of codes. Mohammed Atta's final message to the other eighteen terrorists who carried out the attacks of 9/11 is reported to have read: "The semester begins in three more weeks. We've obtained 19 confirmations for studies in the faculty of law, the faculty of urban planning, the faculty of fine arts, and the faculty of engineering." (The reference to the various faculties was apparently the code for the buildings targeted in the attacks.)

In a briefing given in late September 2001, Ronald Dick, assistant director of the FBI and head of the United States National Infrastructure Protection Center (NIPC), told reporters that the hijackers of 9/11 had used the Internet, and "used it well." Since 9/11, terrorists have only sharpened their Internet skills and increased their web presence. Today, terrorists of very different ideological persuasions—Islamist, Marxist, nationalist, separatist, and racist—have learned many of the same lessons about how to make the most of the Internet. The great virtues of the Internet—ease of access, lack of regulation, vast potential audiences, fast flow of information, and so forth—have been turned to the advantage of groups committed to terrorizing societies to achieve their goals.

First, we must become better informed about the uses to which terrorists put the Internet and better able to monitor their activities. As noted at the outset of this report, journalists, scholars, policymakers, and even security agencies have tended to focus on the exaggerated threat of cyber-terrorism and paid insufficient attention to the more routine uses made of the Internet. Those uses are numerous and, from the terrorists' perspective, invaluable. Hence, it is imperative that security agencies continue to improve their ability to study and monitor terrorist activities on the Internet and explore measures to limit the usability of this medium by modern terrorists.

Second, while we must thus better defend our societies against terrorism, we must not in the process erode the very qualities and values that make our societies worth defending. The Internet is in many ways an almost perfect embodiment of the democratic ideals of free speech and open communication; it is a marketplace of ideas unlike any that has existed before. Unfortunately, the freedom offered by the Internet is vulnerable to abuse from groups that, paradoxically, are themselves often hostile to uncensored thought and expression. But if, fearful of further terrorist attacks, we circumscribe our own freedom to use the Internet, then we hand the terrorists a victory and deal democracy a blow. We must not forget that the fear that terrorism inflicts has in the past been manipulated by politicians to pass legislation that undermines individual rights and liberties. The use of advanced techniques to monitor, search, track, and analyze communications carries inherent dangers. Although such technologies might prove very helpful in the fight against cyber terrorism and Internet-savvy terrorists, they would also hand participating governments, especially authoritarian governments and agencies with little public accountability, tools with which to violate civil liberties domestically and abroad. It does take much imagination to recognize that the long-term implications could be profound and damaging for democracies and their values, adding a heavy price in terms of diminished civil liberties to the high toll exacted by terrorism itself.

Terrorists fight their wars in cyberspace as well as on the ground. However, while politicians and the media have debated the dangers that cyber-terrorism pose to the Internet, surprisingly little is known about the threat posed by terrorists' use of the Internet. Today, terrorist organizations and their supporters maintain hundreds of websites, exploiting the unregulated, anonymous, and easily accessible nature of the Internet to target an array of messages to a variety of audiences. This not only analyzes how the Internet can facilitate terrorist operations but also illustrates the point that many specific details can be derived exclusively from the information publically advertised via extensive exploration of the World Wide Web.

2010-06-13
Virtual Wild West, darkest vices, hackers, victims
Living life on the Internet

They're all still down there, out of sight and all but out of mind -- hundreds of millions of miles of hair-thin strands of glass, uniquely strung beneath the streets of every city, under our homes, suburbs, deserts, and strewn across the ocean floor. It's enough optical fibre to wrap around the earth 4,000 times (scary statistics), with each strand capable of blasting library stacks of information across the globe at the speed of light. And almost all of it sits empty, dark and idle -- an unseen monument to every unfulfilled promise of the Internet. A statistical reality people can't even begin to comprehend.

All the experts said we needed all of it and more because once we discovered the power of the World Wide Web; there would be no stopping it. Billions would flood into cyberspace, changing everything about the way we communicate, educate and entertain, and ultimately a force that changes and controls the very essence of our lives.

They're still selling the same old line. On Oct. 9, Google bought YouTube -- an Internet site used primarily for the unauthorized distribution of copyrighted material and minute-long clips of people singing karaoke in their basements. This titan of new media, we're told, is worth US$1.65 billion. It's just the latest step in our long descent into cyber-madness. After 15 years and a trillion dollars of corporate investment, just about everything we've been told about the Internet and what the information age would mean has come up short. The numbers will just get worse and more terrifying.

The idealists, engineers and programmers who conceived, pioneered, and engineered the Web described a kind of enlightened utopia built on mutual understanding, a world in which knowledge is limited only by one's curiosity. Instead, we have constructed a virtual Wild West, where the masses indulge their darkest vices, pirates of all kinds troll for victims, and the rest of us have come to accept that cyberspace isn't the kind of place you'd want to raise your kids. The great multinational exchange of ideas and goodwill has devolved into nothing more than cyber-terrorism. And the virtual marketplace is a great place to get robbed. The answers to the great questions of our world may be out there somewhere, but finding them will require you to first wade through an ocean of misinformation, trivia and human sludge. We have been sold a bill of good.

Let's put this in terms crude enough for all cyber-dwellers to grasp. The Internet is becoming a very dangerous medium that needs all aspects of divine and human intervention for us to stay stable.

Right from the beginning, experts competed with one another to see who could come up with the best form of technology and human intervening medium. This competition is far from being over. It was the most important breakthrough since the personal computer, no, since the telephone -- or rather the telegraph, or maybe the printing press. Bill Gates, in a famous editorial for the New York Times, called the Internet a "tidal wave" that "will wash over the computer industry and many others, drowning those who don't learn to swim in its waves." You are either with it or will drown in it, simplistically put.

But it was John Perry Barlow, former lyricist for the Grateful Dead turned Internet visionary and co-founder of the Electronic Frontier Foundation, who set the gold standard for sweaty-palmed exuberance back in 1995 when Harper's magazine asked him to take part in a four-person discussion on the future of the Web. "With the development of the Internet . . . we are in the middle of the most transforming technological event since the capture of fire," he said. What's perhaps most telling is not so much that Barlow would make such a monumental claim, but that nobody on the panel cracked up laughing, or even so much contested the claim.

We've tempered our rhetoric in recent years, but only slightly. This year, the National Academy of Engineering released its list of the 20 greatest engineering accomplishments of the past 100 years. The Internet ranked 13th, but even that ranking seems generous. For instance, it came in just ahead of imaging technologies like the X-ray, MRI and radar -- breakthroughs that have allowed us to look inside the human body without breaking the skin, to predict the weather, and to see things invisible to the human eye. Has the Internet achieved anything remotely comparable? Next on the list are household appliances. Try going back to doing the family's laundry by hand for one week, and then see if you'd gladly trade your Internet connection to get your washing machine back. There is a humorous and honest statement.

Robert Gordon, an economics professor at Northwestern University, is one of the few who've consistently argued that the Internet is a useful tool, but not a revolutionary one. The inherent trouble with the Net, he says, is that it has produced precious little that is really new. Just about everything that's accessible through the Web was available through other means before. Email is fine, for instance, but it pales next to the achievement of the telegraph, which shortened the time required to communicate over vast distances from weeks to minutes. The internal combustion engine, refrigeration, even air conditioning, had profound impacts on our lives, making the impossible practical. The Web does nothing of the sort. Emails have replaced faxes and phone calls. Online shopping replaces sales that used to be made through a catalogue. And, for all but the most socially isolated, every hour spent trolling through chat rooms replaces an hour that might otherwise have been spent in real, live one-on-one conversation.

Even in the research and academic communities, which always had the most to gain from the Internet, Gordon says, the advantages should be kept in perspective. "It has made collaboration and communication faster and more efficient, but we're still doing the same things," he says. "The great works in my field were all written before the Internet. It didn't make possible a great improvement in quality, it just made it possible to get things done more easily."

That's important, because if the Internet was only ever about convenience and finding quicker ways of doing the same old things, then all those lofty claims that drove the Internet into the mainstream were little more than an isolated hype. But, as history has shown many times, hype has proven to be a very lucrative and successful form of business.

In the late 1990s, just as the dot-com gold rush was reaching manic proportions, Jack Welch, chairman and CEO of General Electric and perhaps the most respected executive in the world at the time, described the Internet as "the Viagra of big business." Welch is known for his colourful analogies, but rarely did he hit the bull's eye so precisely as he did that day. Just like America's favourite little blue pill, the Internet produced in business a rush of extreme excitement, which temporarily interfered with normal brain function. It was manifested in one of the most impressive market climbs in modern history between 1998 and mid-2000 -- a euphoric ride, followed by an equally astonishing collapse. Like Viagra, it sure was fun while it lasted.

That much is well known. But what most people still don't realize is that much of the global Internet mania that transpired in the late 1990s was driven by a myth, willfully propagated by a handful of corporate executives, several of whom are now in prison. The magic number of the dot-com boom was that, between 1997 and 2000, Internet traffic was doubling every 100 days. It was a stunning statistic that seems to have begun with WorldCom Inc., the telecom company run by Canadian Bernie Ebbers, which collapsed amidst the scandal in 2002. That one statistic suggested the world was in the midst of a stampede to the Web, and it became one of the most immutable truths of the new economy, repeated in casual conversation by CEOs, analysts, day traders and taxi drivers. Whenever anyone would suggest that dot-com market valuations were getting out of hand, or pose a skeptical question, executives would simply pull out that jaw-dropping statistic.

According to professor Andrew Odlyzko of the University of Minnesota, Internet traffic was doubling every year between 1996 and 2002 -- still impressive, but a far cry from the more than 1,300 per cent annual growth implied by WorldCom officials and others. This was more than just an innocuous urban myth -- it was the seed of one of the most devastating and economically distorting episodes in modern history.

When the dot-com bubble finally burst in mid-2000, the losses ran into the trillions of dollars, and crushed the retirement dreams and career aspirations of millions. Where did all that money go? Some of it went to lay all that unused fibre optic cable. Some of it went to buy computer equipment for a thousand doomed Internet start-ups. And billions went to pay the bonuses of investment bankers and analysts, and to build vacation homes in the Caymans for the CEOs of dot-coms that no longer exist.

Google's purchase of YouTube suggests we're eagerly preparing to repeat our mistakes. MySpace, a money-losing social networking site, was similarly sold to NewsCorp almost a year ago for US$580 million. Speculation is now rampant. Yahoo! Inc. bought another nascent site, Facebook, for north of US$1 billion. All this for companies that did not exist a few years ago, and which have yet to prove that they can translate large traffic into even meager profits. Some analysts estimate YouTube is currently losing as much as US$1.5 million every month. One may ask why?

The Internet works like Viagra for big business, all right. But the list of those who get screwed goes far beyond just investors and pension plans.

In 1995, the U.S. government's top copyright officer, Marybeth Peters, called the Internet "the world's biggest copying machine." She didn't know the half of it. At the time, slow connection speeds and weak processing power meant the Web was still essentially a print medium. Within a couple of years, however, the full force of the Web's assault on intellectual property rights would come under the microscope and clearly into focus.

As we all remember, the real trouble commenced with Napster, the little company run by a 19-year-old named Shawn Fanning, who figured out a way to let users swap files stored on their hard drives over the Web. Within a year of its creation, Napster offered 200,000 songs available for free download. By February 2001, the site had more than 26 million users. The music industry sued for US$20 billion and eventually managed to put Napster out of the stolen-music business. But by the time the industry won, it had already lost. Napster was responsible for spawning dozens of copycat sites that continue to operate in the Web's legal grey zone, in which copying and distributing music and video for free is not really allowed, but isn't prevented either such as Limewire, Ares, Warez, etc.

The music industry partially solved the problem by giving in to it. All major record labels struck deals with legitimate online retailers like iTunes to make songs available for one dollar a track and albums for around $10. It won't stop most of the pirating, but at least now fans that are inclined to buy their music legitimately have a means to do so. At Christmas 2005, the burgeoning online music industry sold $20 million in digital music over the Web in a single week, and the popularity of such services continues to grow.

Still, illegal downloads from sites like Ares, Warez, Kazaa, Limewire, Acquisition and BitTorrent continue to outnumber legal ones by a significant margin. Music is now, for all intents and purposes, sold strictly on the honour system. And as connection speeds and computer storage capacity improve, the same is increasingly true for movies, television programs and sporting events. Despite the objections of major publishers, Google is pressing ahead with a project to scan and store digitized copies of millions of books that would be searchable on the Web. It will undoubtedly be an amazing research tool. It's also a potentially crippling blow to publishers whose businesses depend upon selling books to thousands of libraries around the world.

Some will undoubtedly find ways to make a virtue out of this new digital world. It will expose small artists to greater audiences than the old record company model. And it has already proven to be a ‘high' to consumers, who get almost unlimited choice and lower prices. But that benefit has arisen out of the fact that it has never been so easy and consequence-free to pilfer an exact copy of someone's work -- be it music, film, writing or research. To suggest the arts are ultimately better off thanks to Internet file sharing is to suggest that entertainers would've been better off to hand out CDs for free and live on donations from fans.

The whole system of ascribing an economic value to works of art has been thrown out the window. And artists aren't the only ones suffering from the sudden glut of cheap product being slung around the Web.

On Wednesday, July 5, Ken Lay, the former chairman and CEO of Enron Corp. died in Colorado. The news first hit the wires around 10 a.m., and at 10:06 Wikipedia, the online encyclopedia that allows users to update and modify entries, proclaimed that Lay had died "of an apparent suicide." Two minutes later, somebody changed the entry to say Lay had died "of an apparent heart attack or suicide." Less than a minute later, some cooler head intervened and corrected the entry to say the cause of death was "yet to be determined." At 10:11 the entry was changed again, this time asserting "The guilt of ruining so many lives finally led him to suicide." A minute after that, someone cited a news report that "according to Lay's pastor the cause was a 'massive coronary heart attack.' " Then, at 10:39, one of the Internet's anonymous, self-taught cardiologists wrote: "speculation as to the cause of the heart attack lead [sic] many people to believe it was due to the amount of stress put on him by the Enron trial." Finally, a few hours later, the entry was set straight, noting simply that Lay had died of a heart attack in Aspen. This example is a clear direction of how fast the internet is altering the truth of simple incidents but more importantly of “who” want to be on the top of the leading story. Don't be deceived by the speed of technology.

But other lies are not so easily set straight. Conspiracy theories, conjecture and outright fabrications masquerade as fact on the Internet, and often, nobody seems to notice the difference. The problem is rooted equally in the nature of humans and the nature of cyberspace. It does not dismiss the notion that facts must be supported and properly substantiated before being printed. The designers of the Internet put their deepest faith in the wisdom of the masses to establish truth and value by consensus. Google ranks search results based on how many others link to a particular site. Digg.com is a site organized according to users' ratings on what's interesting and what isn't. And Wikipedia, of course, is based upon the notion that hundreds of thousands of anonymous contributors, all acting as freelance fact checkers, can produce a reliable reference document. Unfortunately, the masses have proven themselves truly unworthy of that trust.

The real problem is that, with the spreading influence of the Internet, we are trading in authoritative and accurate for cheap and convenient. Wikipedia is only one example. Millions of people continue to flock to the Net for information on their health, their bank balances despite what we know about its certified fallibility according to security advisors and consultants across our globe. Studies by the American Medical Association and World Health Organization have found that the quality of medical information on the Web ranges from spotty to dismal. Whether you're after stock tips, or parenting advice, or movie reviews, it's all out there, free of charge, and generally worth exactly what you pay for it.

It'd be easy to just dismiss the Web, if not for the impact it has had on the so-called "old media." And the effects it is directly having on today's society. Terrified of being left behind in the rush online, newspapers and magazines simply dumped the contents of their publications onto the Internet for free. Meanwhile, aggregator sites like Google and Yahoo!News troll the Web and post headlines, photos and lead paragraphs from publications all around the world, eating into the audience for traditional newspapers and collecting a share of the ad revenue. The sudden shift in the economics of newsgathering has exerted huge pressure on the traditional news gatherers, and major outlets from the New York Times to London's Daily Telegraph have responded by paring back their news staff. And so, in an era in which we're supposed to have universal access to more information from more varied sources around the world, there are fewer and fewer reporters on the ground digging up original information. And the companies in the business of providing credible, original reporting are finding it more and more difficult to survive.

In the place of hard information, the ‘World Wide Web' has ushered in the era of the amateur commentator. Rather than reporting the news, the Internet actually excels at allowing millions to analyze the news of the day on their blogs and message boards. "It is no exaggeration to conclude that the Internet has achieved, and continues to achieve, the most participatory marketplace of mass speech that this country -- and indeed the world -- has yet seen," George Will, Newsweek's revered columnist, wrote a few years back. Sounds spectacular, but what's the great value of a participatory marketplace of mass speech if so few have anything to say that's worth buying?

Andrew Keen, a former Internet entrepreneur turned heretic, argues that this "digital utopianism" is playing havoc with our economy and politics. His forthcoming book, titled The Culture of the Amateur, is based on the idea that the onslaught of blogs, and social networking websites is primarily destroying our culture by celebrating mediocrity and devaluing talent. "The cult of the amateur is digital utopianism's most seductive delusion. . . It suggests, mistakenly, that everyone has something interesting to say," he wrote earlier this year, ironically, on his own blog.

Google News, Craigslist and the world army of bloggers have devalued journalism just as surely as Napster poisoned the market for recorded music. According to the PEW Internet and American Life Project, there are now more than 12 million bloggers in the United States alone, and more than a third of them consider what they do a form of journalism, even though little or no reporting is involved. There are certainly some interesting and insightful blogs, on a wide range of topics. But, in general, the more substantive the subject matter, the less reliable the commentary is. The vast majority of political blogs are deeply ideological and partisan, attract a core of like-minded contributors, and tend to devolve into vitriolic screeds or sophomoric insults. They feed on their contempt for the so-called mainstream media, which is derisively referred to as the "MSM," and is derided by both left and right as hopelessly biased and manipulative.

In a 2001 paper, Cass Sunstein, a professor at the University of Chicago Law School, described the "echo chamber" effect of blogs and message boards. Rather than fostering debate, moderation and common understanding, he argued, these sites have contributed to the polarization of our political culture. People gravitate toward sites that reflect their established point of view, and once comfortably ensconced in their political echo chamber, the participants take turns preaching to the assembled choir, reinforcing each other's ideas and biases, and denouncing anyone who might disagree.

Rather than promoting open discussion and greater understanding, the Net continues to feed the cynical perception that every form of traditional authority is based on lies and corruption. The much-hyped free market of ideas is a world in which the loudest and most outrageous assertion dominates the discussion. Everybody believes they are being oppressed by those opposed to them. The truth is what you already think it is, and no one can longer be trusted.

What would you want to know about, if you could know about anything? The Internet continues to pose this question daily, on a massive, global scale, and the answers we've provided are depressing.

Tim Berners-Lee, the man widely credited with inventing the World Wide Web, once said he envisioned an "an interactive sea of shared knowledge . . . immersing us as a warm, friendly environment made of the things we and our friends have seen, heard, believe or have figured out. I would like it to bring our friends and colleagues closer." But the public at large saw an open invitation to indulge vice on an unimaginable scale. A 1998 study by Forrester Research pegged the market for online porn at close to US$1 billion annually; a statistic that is growing exponentially. How much it has grown since then is the subject of bitter disagreement, but one company, Internet Filter Review, reported that between 1998 and 2003 the number of pornographic pages on the World Wide Web rose from 14 million to 260 million. The numbers are staggering.

But the burgeoning world of online gambling dwarfs porn for sheer earning power. In 2004, the American Gaming Association, a lobby group for the legalized U.S. casino industry, estimated that online gambling was a US$7-billion to $10-billion business and was growing at the rate of 20 per cent a year.

If porn bores you and you don't have the stomach for online poker, infidelity is also a booming business on the Web. A recent study by Jupiter Research found that 12 per cent of people registered with online dating services are married, and Ashley Madison, a Canadian-based site specifically aimed at married people looking to have an affair, now boasts more than 700,000 registered members. Morality and personal ethics is fast becoming an area that few are venturing as the truth of these statistics is becoming more transparent than we care to admit.

It's an oft-repeated exaggeration that the Internet is being used overwhelmingly for debauchery. It is far more accurate to say the vast majority of what we do online is utterly trivial. Last year, the top 10 Google searches were as follows: Janet Jackson, hurricane Katrina, tsunami, xBox 360, Brad Pitt, Michael Jackson, American Idol, Britney Spears, Angelina Jolie, and Harry Potter. Berners-Lee's interactive sea of shared knowledge is primarily concerned with two actors, three singers, a video game console, a TV show, a fictional character and two natural disasters.

Some might argue that the Internet bears no responsibility for our own moral frailties and frivolous interests. The fact that the Internet has shown us as we really are may be disappointing, but the failure is that of human nature. There are reasons, however, to suspect that the Internet isn't just reflecting social values but is also helping to shape them. How many people do things online that they otherwise wouldn't because it's anonymous and consequence-free and behind closed monitors? Simply put -- the easier it gets to be bad, the worse we get.

Take, for example, the plague of academic plagiarism that has proliferated across university campuses over the past decade. In 2003, Rutgers University conducted the most comprehensive study to date on academic cheating, polling more than 18,000 students and 2,000 professors at 23 U.S. schools. An astonishing 38 per cent of undergraduates and 25 per cent of grad students admitted to using the Internet for some form of plagiarism in the past year, up from 10 per cent in a similar survey conducted two years earlier. About five per cent admitted to submitting an entire assignment cribbed from the Internet and passing it off as their own work, generally using one of the dozens of online "term-paper mills" that offer high-quality essays for sale on a staggering range of subjects. Perhaps most distressing, 44 per cent of the students said they see nothing wrong with cribbing material from the Internet.

Today's college students grew up with the World Wide Web, and many of them barely remember a world without it. Most wouldn't dare steal a DVD from a store shelf, but downloading the latest video release to watch with some friends is no big deal. Ask them if they consider it stealing, and they'll look at you like you're crazy. Why would buying a term paper or copying someone else's thesis be any different? They've come to expect that if it's available online, it's theirs to do with as they choose.

Alternatively, there are more insidious creatures in cyberspace than frat boys buying term papers. The Internet opened the floodgates to myriad forms of petty dishonesty, but real criminals looked upon its shroud of anonymity and saw an even greater opportunity. They made the Net a playground for their kind: hackers, spammers and con men. Stories of Trojan-horse programs stealing your passwords, worms burrowing into your hard drive, and spyware tracking your every move barely raise eyebrows anymore. We not only accept them, we expect them.

This year, Consumer Reports estimated that American consumers lost more than US$8 billion over the past two years to various online scams, and that approximately one in three Internet users will fall victim to some sort of cyber-crime in the course of a year, ranging from minor inconveniences, like small viruses affecting computer performance, to major frauds. Email fraud alone cost consumers US$630 million between 2004 and 2005.

David Wall is head of the School of Law at the University of Leeds in England, and recently finished a book called Cyber Crimes. He says that the world of crooks and con men has been forever changed by the evolution of the Internet. "The Internet has fundamentally changed crime, in that there is no longer any need to pull off a $1-million robbery, because it's now possible to do a million one-dollar robberies instead," he says. He points to spam as an example. Taken in isolation, each individual spam email is nothing but a minor irritation. But taken as a whole it represents a massive, multi-million-dollar industry, much of it based on luring the gullible into fraudulent schemes.

Thanks to the Internet, it's no longer necessary for con men to spend time and effort identifying potential victims. Just blast out 100,000 emails and wait for the suckers to come to you. It doesn't matter if 99.9 per cent smell a rat. There's money to be made from exploiting the most gullible person in a thousand. Then, there is the darker side, Wall says. The Internet has also proven to be a very effective tool for grooming young individuals either for sexual purposes or for violent ones. We know, for example, that extremist groups around the world have turned to the Internet as a powerful recruiting tool. We know that detailed instructions on a wide range of illicit activities, from making crystal meth to building a bomb, are just a simple search away. And the sexual victimization of children online continues to happen at an alarming rate. Last month, the University of New Hampshire's Crimes Against Children Research Center released a poll that suggested 13 per cent of Web users between the ages of 10 and 17 had received unwanted sexual solicitations online at some point during the past year. Believe it or not, that was considered good news, as it was down from 19 per cent in 2000. But "aggressive solicitations," meaning situations in which a potential stalker had attempted to make contact with the child off-line, held steady at four per cent.

And yet, when it comes to protecting their kids, most parents have been slow to respond. According to the Alexandria, Va.-based Center for Missing and Exploited Children, only about a third of families use filtering or blocking software to monitor what their kids are doing online. A recent poll by Teenage Research Unlimited found 39 per cent of those polled said their parents know "very little" or "nothing" about what they do online.

Perhaps that's because we've become inured to the dangers of cyberspace in an incredibly short period of time, and once we grow accustomed to being violated, it erodes the sense that we, or anyone else, actually have a right to online security. If you lived in a neighbourhood where your child had a better than one-in-10 chance of being sexually propositioned on the street, and one out of every three people would be the victim of a crime in any given year, you'd almost certainly move if you could. But on the Internet, those odds are considered acceptable as long as we can continue to get instant updates on Brad Pitt and Angelina Jolie.

Clark Sampson, founder of Netspace, one of the earliest dot-coms, said the Internet would change everything and everyone, and it has. But change is not always progress. For everything, the Web has simplified, accelerated and proliferated; there is at least as much that it has destroyed, and we can't say we weren't warned.

The 1995 book Silicon Snake Oil, by renowned computer systems expert Clifford Stoll, now stands as one of the most distinct warnings about all we had to lose to the Internet. In summation, Stoll wrote that the rampant idealism that accompanied the Internet into the mainstream would end in disappointment. He recognized then what has since become obvious: what we thought of as a means of making connections is actually a deeply isolating and insular medium. Online community is an oxymoron along the lines of virtual reality. "The computer hucksters have promoted a digital world which will not come to pass," Stoll said. As for the promise that simply by opening the lines of communication humanity would lay down arms and sing Kumbaya: "There are no simple technological solutions to social problems. There's plenty of distrust and animosity between people who communicate perfectly well. Access to a universe of information cannot solve our problems: we will forever struggle to understand one another."

And from now on, we will struggle within a wired world. The Internet has cost us trillions of dollars, and far more than that, but there's no going back. It is now so deeply entrenched and integrated into our personal culture -- in the way we speak and work and create and think -- that the only thing to do is to try to make it better, and hope that maybe we might somehow realize some of the dreams the idealists had when they invented the thing. Have we truly become more dehumanized and separated from the inherent truths that most of us were brought up on? Do we all finally need to take a long introspective look deep within our moral and ethical compass in a final effort to final put to rest the final question of who we really are and what or who is now the driving force of our existence? Is this a question we put to the philosophers and psychologists globally or more importantly to ourselves?

2010-03-15
Top Executive Security Threats

Sun Tzu, a legendary Chinese strategist born more than 2,000 years ago, taught the importance of knowing both your enemy and yourself:

If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.

-- Sun Tzu, in The Art of War, Chapter 3, Verse 18

Truer words were never spoken when it comes to information security. To succeed, you must know your enemy as well as your own strengths and weaknesses. The following are six issues of which executives should be aware to protect their systems.

1. Know Your Enemy

The faceless external attacker often plays the villain role in the traditional information-security drama. While such external attackers exist and are a real threat, internal misuse presents a much greater risk and must not be ignored. To truly know your enemy, you must consider and understand both external and internal threats.

2. Understand External Enemies

By definition, external enemies attempt to attack you from outside your corporate boundaries. These attackers may be teenagers in their parents' basements, miscreants in other countries or credit card thieves, among others. External enemies attack your enterprise for various reasons; some are more malicious than others. Many external attackers resemble joy riders who steal cars for the fun of it. These attackers target your network to show off their skills and expertise to their peers. While they often have little malicious intent, they can cause vast amounts of damage to your systems. Politics motivate other external attackers. They may want to deface your public Web site and use it as a venue for their political messages. Such political defacements occur relatively frequently, numbering in the hundreds per year. Other motivations include theft, fraud, corporate espionage and even cyber terrorism. External attackers must be clever to infiltrate your perimeter defenses, but experience has shown that such infiltration is possible and, in some cases, even easy. The external threat includes individual attackers manually probing and penetrating your networks, as well as highly automated attacks such as worm programs. For example, the Code Red worm attacked and compromised hundreds of thousands of hosts around the world in a matter of hours. Skilled attackers can create such worm programs with little effort. The threat from worms continues to grow, and protecting your systems against them is crucial.

3. Defend Against Internal Enemies

Many traditional security approaches concentrate on building and protecting a hardened perimeter to protect against the external threat. This approach would be sufficient if all enemies were external. In reality, concentrating on the perimeter only builds a false sense of security while leaving your organization vulnerable to attack and misuse by those who can hurt you most: insiders. Insiders know what your most valuable information assets are, where they're stored and how to access them. An insider at a credit bureau drove the success of the recently apprehended identity theft ring that stole millions of dollars from individuals around the country (see story). Not all inside enemies are full-time employees of your company. Contractors, temporary workers and former employees may have privileged access to your systems with little control over or oversight of their activities.

4. Know Yourself

In the context of information security, knowing yourself implies understanding your systems and staff as well as the security risks associated with both. If you don't know your own points of vulnerability and risk, it's difficult to protect yourself. Again, too frequently information security initiatives focus on external forces and neglect internal systems, vulnerabilities and threats. Judicious use of risk analysis tools and background checks can significantly improve your knowledge of your company.

5. Be Aware of Regulations and Consequences

Serious consequences exist for ignoring security. The regulatory climate for information security and privacy is increasing. The Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act and various other federal and state regulations are raising the security bar for corporations by requiring minimum security standards to be in place. Companies that don't comply will face significant penalties in the future. For example, a new law in California (effective July 1, 2003) requires businesses that own databases to disclose security breaches if certain personal information was or may have been compromised. Californians can bring civil actions for actual damages and injunctive relief against entities that fail to comply with the law (see story). Businesses also face the possible loss of customer confidence and revenue in the face of a successful attack against their systems. Egghead Software's widely publicized security breach led to a precipitous drop in its stock price and revenue; the business never recovered, and Egghead closed its doors not long thereafter. Customers will not buy from companies that they do not trust.

6. Protect Yourself

Rather than solely relying on perimeter defenses, such as firewalls, to safeguard your enterprise, protect each critical server and data store against misuse. By protecting valuable information assets directly, you achieve protection against both internal and external threats. Proper protection includes using technology products (such as intrusion prevention, anti-virus and access control software) as well as sound security processes (such as security policies and risk analysis). Using products and processes together to secure each critical asset yields the best protection.

Referring to warfare, Sun Tzu taught long ago the importance of knowing your enemy as well as knowing yourself. Information security is no different. Failure to understand the threats to your business and your ability to counter those threats could be catastrophic to your organization.

2009-12-03
What Direction is the Internet Headed?

The architecture of the Internet has always been driven by a core group of designers, but the form of that group has changed as the number of interested parties has continued to grow. With the success of the Internet, has come a proliferation of stakeholders - stakeholders now with an economic as well as an intellectual investment in the network.

We now see, in the debates over control of the domain name space and the form of the next generation IP addresses, a struggle to find the next social structure that will guide the Internet in the future. The form of that structure will be harder to find, given the large number of concerned stakeholders.

At the same time, the industry struggles to find the economic rationale for the large investment needed for the future growth, for example, to upgrade residential access to a more suitable technology. If the Internet stumbles, it will not be because we lack the technology, vision, or motivation. It will collapse because we cannot set a direction and march collectively into the future.

Just as the Internet revolutionized how the world accessed information and communicated through the 1990s, the ongoing development in speed, bandwidth, and functionality will continue to cause fundamental changes to how our world operates for decades to come. Some of the major trends shaping the future of the Internet are summarized below, along with extrapolated predictions:

Globalism
The future of the Internet global distribution of information and knowledge at lower and lower cost will continue to lift the world community for generations to come. People will have access to any information they wish, get smarter sooner, and become more aware of the world outside their local environment. A better-informed humanity will make better macro-level decisions, and an increasingly integrated world will drive international relations towards a global focus. Attachments to countries will marginally decrease, and attachments to the Earth as a shared resource will significantly increase.

Communities
The future of the Internet communications revolution is ongoing, now uniting communities as it recently united networks. Not everything about the Internet is global; an interconnected world is also locally interconnected. The Internet will increasingly be used for communications within communities as much as across countries. Local communities will organize in virtual space and take increasing advantage of group communication tools such as mailing lists, newsgroups, and web sites, and towns and cities will become more organized and empowered at the neighborhood level.

At the same time, communities will be as profoundly affected by the capabilities the Internet is bringing to individual communications, providing individuals in the once isolating city the ability to easily establish relationships with others in their local area by first meeting in cyberspace. From hobby clubs to political organizations to social networking, Internet applications will change expectations of geographically oriented community organizations, and provide increasingly wide choices to individuals who wish to participate in local communities that share their interests.

Virtual reality
The future of the Internet technological revolution will continue to be made in man’s image. Experiments with wide area voice and video communications on the Internet began to be held in the early 1990s. Voice over IP (VOIP) began to be used regularly for long distance voice communications in 2002. Internet video phones won’t be far behind. With the continued doubling of computer capability every couple of years, the ability of technology to process the complex analog environment that humans live in—“reality”—will continue to increase, and will be increasingly integrated with the Internet.

Three-dimensional graphics will become more sophisticated, and virtual reality interfaces such as viewers and tactile feedback systems will become more realistic. The technology will be applied to innovative ways to navigate the Internet’s information universe, for hyper-realistic gaming, and for group communications. There will come a day when you will be able to have dinner with a group of friends each in a different city, almost as though you were in the same room, although you will all have to bring your own food.

Virtual reality applications will not only better and better reflect the natural world, they will also have the fluidity, flexibility, and speed of the digital world, layered on the Internet, and so will be used to create apparently magical environments of types we can only now begin to imagine. These increasingly sophisticated virtual experiences will continue to change how we understand the nature of reality, experience, art, and human relations.

Bandwidth
The future of the Internet growth in bandwidth availability shows little sign of flattening. Large increases of bandwidth in the 10 Mbps range and up will continue to be deployed to home users through cable, phone, and wireless networks. Cable modems and telephone-based DSL modems will continue to spread high speed Internet throughout populated areas. High-resolution audio, video, and virtual reality will be increasingly available online and on demand, and the cost of all kinds of Internet connections will continue to drop.

Wireless
The future of Internet wireless communications is the end game. Wireless frequencies have two great advantages: (a) there are no infrastructure start-up or maintenance costs other than the base stations, and (b) it frees users to become mobile, taking Internet use from one dimension to three. Wireless Internet networks will offer increasingly faster services at vastly lower costs over wider distances, eventually pushing out physical transmission systems.

The Internet’s open TCP/IP design was originally inspired by use of radio communications networks in the 1970s. The wireless technologies experimented with in the 1990s was continually improved. By the early 2000s, several technologies provided reliable, secure, high bandwidth networking that worked in crowded city centers and on the move, providing nearly the same mobility for Internet communications as for the cellular phone.

Grids
The future of the Internet grid movement is as inevitable as the spread of the Internet seems now. The connection of thousands of computers on the Internet together to solve problems, often called grid computing, will continue to evolve and change many areas of human endeavor. In a large-scale example of the connected Internet fostering technological cooperation, un-used computer cycles from home users across the world will be harnessed together to provide enormous reservoirs of computer power for all sorts of purposes. Increasingly used for scientific and engineering research, grids can create processing powerhouses far larger than any one organization by itself.
Integration

The future of the Internet integration with an increasing number of other technologies is as natural as a musician’s experimentation with notes. The Internet will become increasingly integrated with phones, televisions, home appliances, portable digital assistants, and a range of other small hardware devices, providing an unprecedented, nearly uniform level of integrated data communications. Users will be able to access, status, and control this connected infrastructure from anywhere in the world.

One of the leading efforts to define the future of the next generation Internet is the Internet2 project, which grew out of the transition of the NSFNET to the Very High Speed Backbone Network Service (vBNS). The vBNS supported very high bandwidth research applications, and was established in 1995 as a cooperative agreement between MCI and the National Science Foundation.

Two-thirds of the experts predict at least one devastating attack on network information infrastructure or the country’s power grid in the next 10 years. Some experts believe serious attacks will become a regular part of life.

59 percent of these experts predict increased government and business surveillance as computing devices are embedded in appliances, cars, phones and even clothing. 57 percent of these experts predict more virtual classes in formal education, with students grouped by interests and skills, rather than by age.

56 percent of these experts predict changes in family dynamics and a blurring of the boundaries between work and leisure as telecommuting and home schooling expand. 54 percent look for a new age of creativity in which people use the Internet to collaborate with others and share music, art and literature.

53 percent predict that all video, audio, print and voice communications will stream to coordinating computers in homes and offices via the Internet.

The Internet experts believe the news and publishing industries will undergo the most dramatic changes over the next decade, with new “digital media titans” forming connections across media, entertainment, advertising and commerce. They also predict major changes ahead for educational institutions, workplaces and health care institutions. Fewer changes are predicted for religious organizations.

Security and Privacy remains a concern for sophisticated Internet users as new convenience technologies expand the ability to track users and their activities. Some experts predict increasing numbers of arrests based on surveillance by government, while others are concerned about “social surveillance” by businesses that track the habits of their customers.

The wondrous future of the Internet is just that, the future; but the above observations and statistics can hopefully enable us to integrate with these dramatic changes...only time will tell.
 

2009-12-03
Living Life on the Internet

They are all still down there, out of sight and out of mind -- hundreds of millions of miles of hair-thin strands of glass, uniquely strung beneath the streets of every city, under our homes, suburbs, deserts, and strewn across the ocean floor. It's enough optical fibre to wrap around the earth 4,000 times (scary statistics), with each strand capable of blasting library stacks of information across the globe at the speed of light. And almost all of it sits empty, dark and idle -- an unseen monument to every unfulfilled promise of the Internet. A statistical reality difficult to comprehend.

All the experts said we needed this vast amount of optical fibre because once we discovered the power of the World Wide Web; there would be no stopping it. Billions would flood into cyberspace, changing everything about the way we communicate, educate and entertain, and ultimately a force that changes and controls the very essence of our lives.

They are still selling the same old line. On Oct. 9, Google bought YouTube -- an Internet site used primarily for the unauthorized distribution of copyrighted material and minute-long clips of people singing karaoke in their basements. This titan of new media, we are told, is worth US$1.65 billion. It is just the latest step in our long descent into cyber-madness. After 15 years and a trillion dollars of corporate investment, just about everything we've been told about the Internet and what the information age would mean has come up short. The numbers will just get worse and more terrifying.

The idealists, engineers and programmers who conceived, pioneered, and engineered the Web described a kind of enlightened utopia built on mutual understanding, a world in which knowledge is limited only by one's curiosity. Instead, we have constructed a virtual Wild West, where the masses indulge their darkest vices, pirates of all kinds troll for victims, and the rest of us have come to accept that cyberspace isn't the kind of place you'd want to raise your kids. The great multinational exchange of ideas and goodwill has devolved into nothing more than cyber-terrorism. And the virtual marketplace is a great place to get robbed. The answers to the great questions of our world may be out there somewhere, but finding them will require you to first wade through an ocean of misinformation, trivia and human sludge. We have been sold a bill of goods.

Let's simplify this in a way that all cyber-dwellers can grasp. The Internet is becoming a very dangerous medium that needs both divine and human intervention if we are to remain stable.

From the very beginning, experts competed with one another to see who could come up with the best form of technology and human intervening medium. This competition is far from over. It was the most important breakthrough since the personal computer, no, the telephone -- or rather the telegraph, or maybe even printing press. Bill Gates, in a famous editorial for the New York Times, called the Internet a "tidal wave" that "will wash over the computer industry and many others, drowning those who don't learn to swim in its waves." You are either with it or will drown in it, simply put.

But it was John Perry Barlow, former lyricist for the Grateful Dead turned Internet visionary and co-founder of the Electronic Frontier Foundation, who set the gold standard for sweaty-palmed exuberance back in 1995 when Harper's magazine asked him to take part in a four-person discussion on the future of the Web. "With the development of the Internet . . . we are in the middle of the most transforming technological event since the capture of fire," he said. What's perhaps most telling is not so much that Barlow would make such a monumental claim, but that no one on the panel cracked up laughing, or even so much as contested the claim.

We've tempered our rhetoric in recent years, but only slightly. This year, the National Academy of Engineering released its list of the 20 greatest engineering accomplishments of the past 100 years. The Internet ranked 13th, but even that ranking seems generous. For instance, it came in just ahead of imaging technologies like the X-ray, MRI and radar -- breakthroughs that have allowed us to look inside the human body without breaking the skin, to predict the weather, and to see things invisible to the human eye. Has the Internet achieved anything remotely comparable? Next on the list are household appliances. Try going back to doing the family's laundry by hand for one week, and then see if you'd gladly trade your Internet connection to get your washing machine back. There is a humorous and honest statement.

Robert Gordon, an economics professor at Northwestern University, is one of the few who has consistently argued that the Internet is a useful tool, but not a revolutionary one. The inherent trouble with the Net, he says, is that it has produced precious little that is really new. Just about everything that's accessible through the Web was available through other means before. Email is fine, for instance, but it pales next to the achievement of the telegraph, which shortened the time required to communicate over vast distances from weeks to minutes. The internal combustion engine, refrigeration, even air conditioning, had profound impacts on our lives, making the impossible practical. The Web does nothing of the sort. Emails have replaced faxes and phone calls. Online shopping replaces sales that used to be made through a catalogue. And, for all but the most socially isolated, every hour spent trolling through chat rooms replaces an hour that might otherwise have been spent in real, live one-on-one conversation.

Even in the research and academic communities, which always had the most to gain from the Internet, Gordon says, the advantages should be kept in perspective. "It has made collaboration and communication faster and more efficient, but we're still doing the same things," he says. "The great works in my field were all written before the Internet. It didn't make possible a great improvement in quality, it just made it possible to get things done more easily."

That's important, because if the Internet was only ever about convenience and finding quicker ways of doing the same old things, then all those lofty claims that drove the Internet into the mainstream were little more than an isolated hype. But, as history has shown time and again, hype has proven to be very lucrative for business.

In the late 1990s, just as the dot-com gold rush was reaching manic proportions, Jack Welch, chairman and CEO of General Electric and perhaps the most respected executive in the world at that time, described the Internet as "the Viagra of big business." Welch is known for his colourful analogies, but rarely did he hit the bull's eye as precisely as he did that day. Just like America's favourite little blue pill, the Internet produced in business a rush of extreme excitement, which temporarily interfered with normal brain function. It was manifested in one of the most impressive market climbs in modern history between 1998 and mid-2000 -- a euphoric ride, followed by an equally astonishing collapse. Like Viagra, it sure was fun while it lasted.

That much is well known. But what most people still don't realize is that much of the global Internet mania that transpired in the late 1990s was driven by a myth, willfully propagated by a handful of corporate executives, several of whom are now in prison. The magic number of the dot-com boom was that, between 1997 and 2000, Internet traffic was doubling every 100 days. It was a stunning statistic that seems to have begun with WorldCom Inc., the telecom company headed up by Canadian Bernie Ebbers, which collapsed amidst scandal in 2002. That one statistic suggested the world was in the midst of a stampede to the Web, and it became one of the most immutable truths of the new economy, repeated in casual conversation by CEOs, analysts, day traders and taxi drivers. Whenever anyone would suggest that dot-com market valuations were getting out of hand, or pose a skeptical question, executives would simply pull out that jaw-dropping statistic.

According to professor Andrew Odlyzko of the University of Minnesota, Internet traffic was doubling every year between 1996 and 2002 -- still impressive, but a far cry from the more than 1,300 per cent annual growth implied by WorldCom officials and others. This was more than just an innocuous urban myth -- it was the seed of one of the most devastating and economically distorting episodes in modern history.

When the dot-com bubble finally burst in mid-2000, the losses ran into the trillions of dollars, and crushed the retirement dreams and career aspirations of millions. Where did all that money go? Some of it went to lay all that unused fibre optic cable. Some of it went to buy computer equipment for a thousand doomed Internet start-ups. And billions went to pay the bonuses of investment bankers and analysts, and to build vacation homes in the Caymans for the CEOs of dot-coms that no longer exist.

Google's purchase of YouTube suggests we're eagerly preparing to repeat our mistakes. MySpace, a money-losing social networking site, was similarly sold to NewsCorp almost a year ago for US$580 million. Speculation is now rampant. Yahoo! Inc. bought another nascent site, Facebook, for north of US$1 billion. All this for companies that did not exist a few years ago, and which have yet to prove that they can translate large traffic into even meager profits. Some analysts estimate YouTube is currently losing as much as US$1.5 million every month. One may ask why?

The Internet works like Viagra for big business, all right. But the list of those who get screwed goes far beyond just investors and pension plans.

In 1995, the U.S. government's top copyright officer, Marybeth Peters, called the Internet "the world's biggest copying machine." She didn't know the half of it. At the time, slow connection speeds and weak processing power meant the Web was still essentially a print medium. Within a couple of years, however, the full force of the Web's assault on intellectual property rights would come under the microscope and clearly into focus.

As we all remember, the real trouble commenced with Napster, the little company run by a 19-year-old named Shawn Fanning, who figured out a way to let users swap files stored on their hard drives over the Web. Within a year of its creation, Napster offered 200,000 songs available for free download. By February 2001, the site had more than 26 million users. The music industry sued for US$20 billion and eventually managed to put Napster out of the stolen-music business. But by the time the industry won, it had already lost. Napster was responsible for spawning dozens of copycat sites that continue to operate in the Web's legal grey zone, in which copying and distributing music and video for free is not really allowed, but isn't prevented either such as Limewire, Ares and Warez, to name a few.

The music industry partially solved the problem by giving in to it. All major record labels struck deals with legitimate online retailers like iTunes to make songs available for one dollar a track and albums for around $10. It won't stop most of the pirating, but at least now fans that are inclined to buy their music legitimately have a means to do so. At Christmas 2005, the burgeoning online music industry sold $20 million in digital music over the Web in a single week, and the popularity of such services continues to grow.

Still, illegal downloads from sites like Ares, Warez, Kazaa, Limewire, Acquisition and BitTorrent continue to outnumber legal ones by a significant margin. Music is now, for all intent and purposes, sold strictly on the honour system. And as connection speed and computer storage capacity improves, the same is increasingly true for movies, television programs and sporting events. Despite the objections of major publishers, Google is pressing ahead with a project to scan and store digitized copies of millions of books that would be searchable on the Web. It will undoubtedly be an amazing research tool. It's also a potentially crippling blow to publishers whose businesses depend upon selling books to thousands of libraries around the world.

Some will undoubtedly find ways to make a virtue out of this new digital world. It will expose small artists to greater audiences than the old record company model. And it has already proven to be a ‘high' to consumers, who get almost unlimited choice and lower prices. But that benefit has arisen out of the fact that it has never been so easy and consequence-free to pilfer an exact copy of someone's work -- be it music, film, writing or research. To suggest the arts are ultimately better off thanks to Internet file sharing is to suggest that entertainers would've been better off to hand out CDs for free and live on donations from fans.

The whole system of ascribing an economic value to works of art has been thrown out the window. And artists aren't the only ones suffering from the sudden glut of cheap product being flung around the Web.

On Wednesday, July 5, Ken Lay, the former chairman and CEO of Enron Corporation died in Colorado. The news first hit the wires around 10 a.m., and at 10:06 Wikipedia, the online encyclopedia that allows users to update and modify entries, proclaimed that Lay had died "of an apparent suicide." Two minutes later, somebody changed the entry to say Lay had died "of an apparent heart attack or suicide." Less than a minute later, some cooler head intervened and corrected the entry to say the cause of death was "yet to be determined." At 10:11 the entry was changed again, this time asserting "The guilt of ruining so many lives finally led him to suicide." A minute after that, someone cited a news report that "according to Lay's pastor the cause was a 'massive coronary heart attack.' " Then, at 10:39, one of the Internet's anonymous, self-taught cardiologists wrote: "speculation as to the cause of the heart attack lead [sic] many people to believe it was due to the amount of stress put on him by the Enron trial." Finally, a few hours later, the entry was set straight, noting simply that Lay had died of a heart attack in Aspen. This example is a clear direction of how fast the internet is altering the truth of simple incidents but more importantly of “who” want to be on the top of the leading story. Don't be deceived by the speed of technology.

But other lies are not so easily set straight. Conspiracy theories, conjecture and outright fabrications masquerade as fact on the Internet, and often, nobody seems to notice the difference. The problem is rooted equally in the nature of humans and the nature of cyberspace. It does not dismiss the notion that facts must be supported and properly substantiated before being printed. The designers of the Internet put their deepest faith in the wisdom of the masses to establish truth and value by consensus. Google ranks search results based on how many others link to a particular site. Digg.com is a site organized according to users' ratings on what's interesting and what isn't. And Wikipedia, of course, is based upon the notion that hundreds of thousands of anonymous contributors, all acting as freelance fact checkers, can produce a reliable reference document. Unfortunately, the masses have proven themselves truly unworthy of that trust.

The real problem is that, with the spreading influence of the Internet, we are trading in authoritative and accurate for cheap and convenient. Wikipedia is only one example. Millions of people continue to flock to the Net for information on their health, their bank balances despite what we know about its certified fallibility according to security advisors and consultants across our globe. Studies by the American Medical Association and World Health Organization have found that the quality of medical information on the Web ranges from spotty to dismal. Whether you're after stock tips, or parenting advice, or movie reviews, it's all out there, free of charge, and generally worth exactly what you pay for it.

It would be easy to dismiss the Web, were it not for the impact it has had on the so-called "old media." And the effects it is having on today's society. Terrified of being left behind in the rush online, newspapers and magazines simply dumped the contents of their publications onto the Internet for free. Meanwhile, aggregator sites like Google and Yahoo!News troll the Web and post headlines, photos and lead paragraphs from publications all around the world, eating into the audience of traditional newspapers and collecting a share of the advertising revenue. The sudden shift in the economics of newsgathering has exerted huge pressure on the traditional news gatherers, and major outlets from the New York Times to London's Daily Telegraph have responded by paring back their news staff. And so, in an era in which we are supposed to have universal access to more information from more varied sources around the world, there are fewer and fewer reporters on the ground digging up original information. And the companies in the business of providing credible, original reporting are finding it more and more difficult to survive.

In the place of hard information, the ‘World Wide Web' has ushered in the era of the amateur commentator. Rather than reporting the news, the Internet actually excels at allowing millions to analyze the news of the day on their blogs and message boards. "It is no exaggeration to conclude that the Internet has achieved, and continues to achieve, the most participatory marketplace of mass speech that this country -- and indeed the world -- has yet seen," George Will, Newsweek's revered columnist, wrote a few years back. “Sounds spectacular, but what's the great value of a participatory marketplace of mass speech if so few have anything to say that's worth buying”?

Andrew Keen, a former Internet entrepreneur turned heretic, argues that this "digital utopianism" is playing havoc with our economy and politics. His forthcoming book, titled The Culture of the Amateur, is based on the idea that the onslaught of blogs, and social networking websites is primarily destroying our culture by celebrating mediocrity and devaluing talent. "The cult of the amateur is digital utopianism's most seductive delusion. . . It suggests, mistakenly, that everyone has something interesting to say," he wrote earlier this year, ironically, on his own blog.

Google News, Craigslist and the world army of bloggers have devalued journalism just as surely as Napster poisoned the market for recorded music. According to the PEW Internet and American Life Project, there are now more than 12 million bloggers in the United States alone, and more than a third of them consider what they do a form of journalism, even though little or no reporting is involved. There are certainly some interesting and insightful blogs, on a wide range of topics. But, in general, the more substantive the subject matter, the less reliable the commentary is. The vast majority of political blogs are deeply ideological and partisan, attract a core of like-minded contributors, and tend to devolve into vitriolic screeds or sophomoric insults. They feed on their contempt for the so-called mainstream media, which is derisively referred to as the "MSM," and is derided by both left and right as hopelessly biased and manipulative.

In a 2001 paper, Cass Sunstein, a professor at the University of Chicago Law School, described the "echo chamber" effect of blogs and message boards. Rather than fostering debate, moderation and common understanding, he argued, these sites have contributed to the polarization of our political culture. People gravitate toward sites that reflect their established point of view, and once comfortably ensconced in their political echo chamber, the participants take turns preaching to the assembled choir, reinforcing each other's ideas and biases, and denouncing anyone who might disagree.

Rather than promoting open discussion and greater understanding, the Net continues to feed the cynical perception that every form of traditional authority is based on lies and corruption. The much-hyped free market of ideas is a world in which the loudest and most outrageous assertion dominates the discussion. Everybody believes they are being oppressed by those opposed to them. The truth is what you already think it is, and no one can longer be trusted.

What would you want to know about, if you could know about anything? The Internet continues to pose this question daily, on a massive, global scale, and the answers we've provided are depressing.

Tim Berners-Lee, the man widely credited with inventing the World Wide Web, once said he envisioned an "an interactive sea of shared knowledge . . . immersing us as a warm, friendly environment made of the things we and our friends have seen, heard, believe or have figured out. I would like it to bring our friends and colleagues closer." But the public at large saw an open invitation to indulge vice on an unimaginable scale. A 1998 study by Forrester Research pegged the market for online porn at close to US$1 billion annually; a statistic that is growing exponentially. How much it has grown since then is the subject of bitter disagreement, but one company, Internet Filter Review, reported that between 1998 and 2003 the number of pornographic pages on the World Wide Web rose from 14 million to 260 million. The numbers are staggering.

But the burgeoning world of online gambling dwarfs porn for sheer earning power. In 2004, the American Gaming Association, a lobby group for the legalized U.S. casino industry, estimated that online gambling was a US$7-billion to $10-billion business and was growing at the rate of 20 per cent a year.

If porn bores you and you don't have the stomach for online poker, infidelity is also a booming business on the Web. A recent study by Jupiter Research found that 12 per cent of people registered with online dating services are married, and Ashley Madison, a Canadian-based site specifically aimed at married people looking to have an affair, now boasts more than 700,000 registered members. Morality and personal ethics is fast becoming an area that few are venturing as the truth of these statistics is becoming more transparent than we care to admit.

It's an oft-repeated exaggeration that the Internet is being used overwhelmingly for debauchery. It is far more accurate to say the vast majority of what we do online is utterly trivial. Last year, the top 10 Google searches were as follows: Janet Jackson, hurricane Katrina, tsunami, xBox 360, Brad Pitt, Michael Jackson, American Idol, Britney Spears, Angelina Jolie, and Harry Potter. Berners-Lee's interactive sea of shared knowledge is primarily concerned with two actors, three singers, a video game console, a TV show, a fictional character and two natural disasters.

Some might argue that the Internet bears no responsibility for our own moral frailties and frivolous interests. The fact that the Internet has shown us as we really are, may be disappointing, but the failure is that of human nature. There are reasons, however, to suspect that the Internet isn't just reflecting social values but is also helping to shape them. How many people do things online that they otherwise wouldn't because it's anonymous and consequence-free and behind closed monitors? Simply put -- the easier it gets to be bad, the worse we get.

Take, for example, the plague of academic plagiarism that has proliferated across university campuses over the past decade. In 2003, Rutgers University conducted the most comprehensive study to date on academic cheating, polling more than 18,000 students and 2,000 professors at 23 U.S. schools. An astonishing 38 per cent of undergraduates and 25 per cent of grad students admitted to using the Internet for some form of plagiarism in the past year, up from 10 per cent in a similar survey conducted two years earlier. About five per cent admitted to submitting an entire assignment cribbed from the Internet and passing it off as their own work, generally using one of the dozens of online "term-paper mills" that offer high-quality essays for sale on a staggering range of subjects. Perhaps most distressing, 44 per cent of the students said they see nothing wrong with cribbing material from the Internet.

Today's college students grew up with the World Wide Web, and many of them barely remember a world without it. Most wouldn't dare steal a DVD from a store shelf, but downloading the latest video release to watch with some friends is no big deal. Ask them if they consider it stealing, and they'll look at you like you're crazy. Why would buying a term paper or copying someone else's thesis be any different? They've come to expect that if it's available online, it's theirs to do with as they choose.

Alternatively, there are more insidious creatures in cyberspace than frat boys buying term papers. The Internet opened the floodgates to a myriad of petty dishonesty, but real criminals looked upon its shroud of anonymity and saw an even greater opportunity. They made the Net a playground for their kind: hackers, spammers and con men. Stories of Trojan-horse programs stealing your passwords, worms burrowing into your hard drive, and spyware tracking your every move barely raise eyebrows anymore. We not only accept them, we expect them.

This year, Consumer Reports estimated that American consumers lost more than US$8 billion over the past two years to various online scams, and that approximately one in three Internet users will fall victim to some sort of cyber-crime in the course of a year, ranging from minor inconveniences, like small viruses affecting computer performance, to major frauds. Email fraud alone cost consumers US$630 million between 2004 and 2005.

David Wall is head of the School of Law at the University of Leeds in England, and recently finished a book called Cyber Crimes. He says that the world of crooks and con men has been forever changed by the evolution of the Internet. "The Internet has fundamentally changed crime, in that there is no longer any need to pull off a $1-million robbery, because it's now possible to do a million one-dollar robberies instead," he says. He points to spam as an example. Taken in isolation, each individual spam email is nothing but a minor irritation. But taken as a whole it represents a massive, multi-million-dollar industry, much of it based on luring the gullible into fraudulent schemes.

Thanks to the Internet, it's no longer necessary for con men to spend time and effort identifying potential victims. Just blast out 100,000 emails and wait for the suckers to come to you. It doesn't matter if 99.9 per cent smell a rat. There's money to be made from exploiting the most gullible person in a thousand. Then, there is the darker side, Wall says. The Internet has also proven to be a very effective tool for grooming young individuals either for sexual purposes or for violent ones. We know, for example, that extremist groups around the world have turned to the Internet as a powerful recruiting tool. We know that detailed instructions on a wide range of illicit activities, from making crystal meth to building a bomb, are just a simple search away. And the sexual victimization of children online continues to occur at an alarming rate. Last month, the University of New Hampshire's Crimes Against Children Research Center released a poll that suggested 13 per cent of Web users between the ages of 10 and 17 had received unwanted sexual solicitations online at some point during the past year. Believe it or not, that was considered good news, as it was down from 19 per cent in 2000. But "aggressive solicitations," meaning situations in which a potential stalker had attempted to make contact with the child off-line, held steady at four per cent.

And yet, when it comes to protecting their kids, most parents have been slow to respond. According to the Alexandria, Va.-based Center for Missing and Exploited Children, only about a third of families use filtering or blocking software to monitor what their kids are doing online. A recent poll by Teenage Research Unlimited found 39 per cent of those polled said their parents know "very little" or "nothing" about what they do online.

Perhaps that's because we've become inured to the dangers of cyberspace in an incredibly short period of time, and once we grow accustomed to being violated, it erodes the sense that we, or anyone else, actually have a right to online security. If you lived in a neighbourhood where your child had a better than one-in-10 chance of being sexually propositioned on the street, and one out of every three people would be the victim of a crime in any given year, you'd almost certainly move if you could. But on the Internet, those odds are considered acceptable as long as we can continue to get instant updates on Brad Pitt and Angelina Jolie.

Clark Sampson, founder of Netspace, one of the earliest dot-coms, said the Internet would change everything and everyone, and it has. But change is not always progress. For everything, the Web has simplified, accelerated and proliferated; there is at least as much that it has destroyed, and we can't say we weren't warned.

The 1995 book Silicon Snake Oil, by renowned computer systems expert Clifford Stoll, now stands as one of the most distinct warnings about all we had to lose to the Internet. In summation, Stoll wrote that the rampant idealism that accompanied the Internet into the mainstream would end in disappointment. He recognized then what has since become obvious: what we thought of as a means of making connections is actually a deeply isolating and insular medium. Online community is an oxymoron along the lines of virtual reality. "The computer hucksters have promoted a digital world which will not come to pass," Stoll said. As for the promise that simply by opening the lines of communication humanity would lay down arms and sing Kumbaya: "There are no simple technological solutions to social problems. There's plenty of distrust and animosity between people who communicate perfectly well. Access to a universe of information cannot solve our problems: we will forever struggle to understand one another."

And from now on, we will struggle within a wired world. The Internet has cost us trillions of dollars, and far more than that, but there's no going back. It is now deeply entrenched and integrated into our personal culture -- in the way we speak and work and create and think -- that the only thing to do is to try to make it better, and hope that maybe we might somehow realize some of the dreams the idealists had when they invented the thing. Have we truly become more dehumanized and separated from the inherent truths that most of us were brought up on? Do we all finally need to take a long introspective look deep within our moral and ethical compass in a final effort to finally put to rest the looming question of who we really are and what or who is now the driving force of our existence? Is this a question we put to the philosophers and psychologists globally or more importantly to ourselves?

Still, one cannot help but wonder, what else could we have done with all that time and money if we hadn't blown it on the Internet?

2009-09-09
Facebook & Cybercrime

Cybercrime is rapidly spreading on Facebook as fraudsters prey on users who think the world’s top social networking site is a safe haven on the Internet these days.

Lisa Severens, a clinical trials manager from Worcester, Massachusetts, learned the hard way. A virus took control of her laptop and started sending pornographic photos to colleagues.

“I was mortified about having to deal with it at work,” said Severens, whose employer had to replace her computer because the malicious software could not be removed.

Cybercrime, which costs North American companies and individuals billions of dollars a year, is spreading fast on Facebook because such scams target and exploit those naive to the dark side of social networking, security experts are now saying.

While News Corp’s (NWSA.O) MySpace was the most-popular hangout for cyber criminals two years ago, experts say hackers are now more entrenched on Facebook, whose membership has soared from 120 million in December to more than 200 million today; statistics growing exponentially.

“Facebook is now the the social network of the decade. Computer hackers go where the people go. It is simple psychology. It will and always will be that way.,” said MacLean, a senior security consultant in Toronto.

Scammers break into accounts posing as friends of users, sending spam that directs them to websites that steal personal information and spread viruses. Hackers tend to take control of infected PCs for identity theft, spamming and other mischief procedures which provide sensitive and personal information readily available said MacLean.

Facebook manages security from its central headquarters in Palo Alto, California, screening out much of the spam and malicious software targeting its users. That should make it a safer place to surf than the broader Internet, but cyber criminals are relentless and many break through Facebook’s considerable filter.

The rise in attacks reflect Facebook’s massive growth. Company spokesman Simon Axten said that as the number of users has increased, the percentage of successful attacks has stayed about the same, remaining at less than 1 percent of members over the past five years.

By comparison, he said, FBI data shows that about 3 percent of U.S. households were burglarized in 2005.

“Security is an arms race, and we’re always updating these systems and building new ones to respond to new and evolving threats,” Axten said.

When criminal activity is detected on one account, the site quickly looks for similar patterns in others and either deletes bad emails or resets passwords to compromised accounts, he said. Facebook is hiring a fraud investigator and a fraud analyst, according to the careers section of its website.

CANNOT GUARANTEE WEB SAFETY

But ultimately Facebook says its members are responsible for their own security and personal privacy. “People need to be better educated on internet security to better ensure more formidable security and privacy policies in place on such a huge site that radiates across the globe” said MacLean

“We do our best to keep Facebook safe, but we cannot guarantee it,” Facebook says in a warning in a section of the site on the terms and conditions of use, which members may not bother to read. (www.facebook.com/terms.php)

“People implicitly trust social networking sites because they don’t understand the real threats and dangers. It’s like walking down the street and trusting everybody you meet,” said Randy Abrams, a researcher with security software maker ESET.

Amy Benoit, a human resources manager in Oceanside, California, said she may stop using Facebook altogether after she became entangled in a popular scam: A fraudster sent instant messages to a friend saying that Benoit had been attacked in London and needed $600 to get home.

Yale University last week warned its business school students to be careful when using Facebook after several of them turned in infected laptops.

One of the most insidious threats is Koobface, a virus that takes over PCs when users click on links in spam messages. The virus turned up on MySpace about a year ago, but its unknown authors now focus on spreading it through Facebook, which is struggling to wipe it out.

“Machines that are compromised are at the whim of the attacker,” said McAfee Inc (MFE.N) researcher Craig Schmugar.

McAfee, the world’s No. 2 security software maker, says Koobface variants almost quadrupled last month to 4,000. “Because Facebook is a closed system, we have a tremendous advantage over e-mail. Once we detect a spam message, we can delete that message in all inboxes across the site,” said Schmugar.

Facebook’s Axten said the site does not know how many users have been infected by Koobface.

A new website that follows Facebook news, www.fbhive.com, recently identified a vulnerability that made it possible to access any user’s private information using a simple hack. The loophole has since been closed.

“We don’t have any evidence to suggest that it was ever exploited for malicious purposes,” Axten said.

Hackers even find ways to get into accounts of savvy users like Sandeep Junnarkar, a journalism professor at City University of New York and former tech reporter. Last month he learned his account was hacked as he waited for a flight for Paris. He quickly changed his password before boarding.

“Am I surprised that it happened? Not really,” he said.

2009-07-22
How to Protect Yourself Online

General Security Tips

  • Check with your Internet Service Provider to see what kind of protection is offered by their network and use it.
  • Always keep your security software working and up-to-date. Especially if you use a laptop on unprotected wireless networks in airports, cafes or other locations.
  • Set up your computer to encrypt all files and transmissions to make it harder for potential intruders to gain access to confidential information. Check your operating system for details on how to do this.
  • Install updated anti-virus software and a firewall. Anti-virus programs can prevent infections, and a good firewall will help filter out any unwanted communication between the internet and your computer.
  • Secure your wireless network if you use one at home. Use the highest level of encryption available to your network and change the SSID default setting. Read the details carefully when setting up your wireless router. Skipping those steps is like leaving the front door to your computer open. Anyone nearby can use your network for illegal activities.
  • Turn off software features you don't use such as printer sharing and file sharing. If you need to share files between computers set passwords to accounts and give only those accounts access. Never share your entire drive, only share folders which contain the files you want to share.
  • Use the latest Web browser version and install security patches when available.
  • Turn your computer off or disconnect from the network between uses. Disconnecting your computer from the internet when you're not online, or shutting down the computer, lessens the chance that an intruder will be able to access your system.
  • Beware of web pages that require software installation. Scan all programs downloaded from the Internet with an up-to-date security solution. Only download programs from websites you trust.
  • Always read the End User License Agreement and cancel the installation process if other "programs" are going to be installed in addition to the desired program.
  • Create strong and hard to guess passwords. They should contain a combination of letters and numbers (alpha-numeric) and not contain easy obtained information such as nicknames and birthdays. Never share your passwords. Do not write your password down. Do not keep them stored on your computer.
  • When you have finished your log-in session, remember to properly log-off and close the browser screen. This ensures that any stored or cached information is deleted from the system and intruders or other viewers are not able to view your confidential information. This is especially important when using a public computer or an unsecured wireless network.
  • Make backups of important files onto separate disks. If your computer does become infected, you'll have a clean copy of your files when reinstalling.


Tips for E-mailing

  • Don't give out your primary E-mail address unless you absolutely have to. Get a secondary, free E-mail addresses to use for for shopping, random web surfing, or web site reply.
  • Beware of unexpected or strange-looking emails, regardless of who the sender is. Never open attachments or click on links in these emails.
  • If you trust the sender of the email, scan their email attachments with a security solution before opening them. If they send you a URL and it is short enough, type the URL in your web browser instead of clicking on it from the email.
  • Use rules and filters that scan messages as they come in, move them into folders and send automated responses. This will separate out the 'spam' or unwanted e-mail.
  • Be alert when receiving emails that request account details or personal and sensitive information. Never email financial information to anyone.
  • Don't post your e-mail address anywhere on the web. That will only attract spam.
  • Never respond to e-mail inviting you to be taken off their list. This only confirms your address is active and makes your e-mail address even more valuable.

Tips for Safe Online Banking

  • Avoid using public terminals (such as Internet cafes) for Internet banking.
  • Be aware of the higher risk of interception during a wireless connection. Only do your banking via a wireless hotspot if you are certain of the integrity of the connection.
  • Never access the site via a link. Type the address into the browser address bar or save the address as a 'Favourite'.
  • Do not open other websites while logged into Internet Banking; only have a single browser window open.
  • Check for the padlock in the lower right of your browser window (it indicates a secure site SSL). You can click on this padlock to verify the site "owners".
  • When you complete your online banking tasks, log off and close the browser window.
  • Never provide your password over the Internet (by email) or over the telephone to anyone (including persons identifying themselves as bank officials).

Tips for Online Shopping

  • Shop at secure web sites. Look at the top of your screen where the Web site address is displayed for https://. The "s" that is displayed after "http" indicates that Web site is secure. Often, you won't see the "s" until you actually move to the order page on the Web site.
  • Research the web site before you order . Shop from companies that you are familiar with. If it's an unknown company, look for a physical address and phone number. Call it to ensure that the company is legitimate.
  • Read the website's privacy and security policies. Find out if the merchant intends to share your information with a third party or affiliate company. Read the terms and conditions section carefully. Look for online merchants who are members of a seal-of-approval program that sets voluntary guidelines for privacy-related practices, such as TRUSTe, Verisign, or BBBonline.
  • The safest way to shop on the Internet is with a credit card. Obtain one credit card that you use only for online payments to make it easier to detect wrongful credit charges.
  • Never give out your social security number. There is no reason for the merchant to have it and it could lead to identity theft.
  • Don't fall for "phishing" messages. Identity thieves send massive numbers of e-mails to Internet users that ask them to update the account information for their banks, credit cards, online payment service, or popular shopping sites. The e-mail may state that your account information has expired, been compromised or lost and that you need to immediately resend it to the company. Legitimate businesses don't ask for sensitive information via email.
  • Save records of your orders. After placing an order online, you should receive a confirmation page that reviews your entire order. It should include the costs of the order, your customer information, product information, and the confirmation number. Print out a copy. Often you will also receive a confirmation message that is e-mailed to you by the merchant. Be sure to save this message as well as any other e-mail correspondence with the company.
  • Shop with companies located in the Canada. If not, always read the merchant's shipping policies to find out about extra costs associated with cross border shopping. They can be costly.
  • Learn the merchant's cancellation, return and complaint-handling policies. Don't expect less customer service just because a company operates over the Internet. Find out who pays for shipping if the item needs to be returned, what the time limit is and whether or not there is a restocking fee if you need to return the order. Do you get a store credit, or will the company fully refund your charges to your credit card? If the merchant only offers store credits, find out the time restriction for using this credit.

Tips for Parents

  • Keep computer in a common area so that you can monitor your child's online activity.
  • Agree on websites your kids can visit. Review the content and the privacy and security policies of the sites your child frequents.
  • Investigate web filtering tools (such as Windows Vista Parental Controls or Windows Live OneCare Family Safety for Windows XP).
  • Talk with your kids about entering personal information online. They should never give out identifying information such as their name, home address, school name, or telephone number. Encourage them to use nicknames to identify themselves.
  • Tell your children to ignore unwanted contact from people they have never met. Never arrange a face-to-face meeting with someone they met on-line.
  • Encourage your children to tell you if something or someone online makes them feel uncomfortable or threatened. Praise them when they do so and take appropriate action.
  • Maintain access to your child's on-line account and randomly check his/her e-mail. Check browser history to see which websites they frequent.
  • Encourage your children to be cautious and wise about what they post. They need to be respectful of others.
  • Review a website before allowing your children to purchase anything over the Internet. See shopping tips as above.
  • Teach your kids not to download programs, music, or files without your permission. File-sharing and taking text, images, or artwork from the web may infringe on copyright laws and can be illegal.
  • Talk to them about programs like Yahoo chat and MSN and the problems that can occur in a private chat and what to avoid and be careful of when texting information

If we all embrace these security precautions, it will minimize the risk and time of something down the road that could really be a problem to resolve. Good security policies and practices are the best defence to a strong and powerful offence like the Internet.

2009-07-06
Top Five Computer Crimes

Computer crimes are on the rise, and cause financial and personal damage to the victims they affect. The easy accessibility of computers and the anonymous nature of the Internet has allowed new ways to perform illegal actions. Security measures are always being created to help prevent problems from occurring, but knowledge is the key to prevent us from becoming a victim.

  1. Computer fraud happens when a victim is conned into believing that he will receive money or something else of value. There are common types of this crime currently in practice. "Phishing" scams involve creating fake emails while pretending to be a legitimate business like a bank or credit company that asks the victim to confirm personal information. Some other types include phony emails about a bogus inheritance, jobs overseas, handling money transactions (for a large salary), and illegitimate loan approvals.
     
  2. Computer industrial espionage involves the stealing of trade secrets or spying on persons through technological means for bribery, blackmail or corporate/personal advantage. One notable variation of this crime is termed the "hack, pump and dump." An account is created with an online brokerage company and multitudes of other accounts are hacked into and used to purchase particular stocks. When the stock's value goes up, the stock is sold through the original online account. Other methods include using spyware software (such as a Trojan horse) to find out login names and passwords, electronic eavesdropping and the use of computerized surveillance to obtain company secrets and other sensitive information.
     
  3. A computer virus transmitter is someone who creates a malicious virus to infect computers from functioning properly, run annoying programs and/or gain access to the victim's personal data. This type of software is commonly known as "malware." Persons can unknowingly download these programs through websites, emails and pop-up windows. Common types of malware are called adware, spyware and Trojan horses.     
     
  4. Software piracy is one of the most common computer crimes. Copying software for the distribution or personal use is considered an illegal act. Programs that are not protected with encryption keys (installation ID number), malware protection or other types of anti-piracy methods are easy to copy. However, these tools are not 100 percent fool-proof. It can never be assumed that someone cannot find a way around these types of protections. Therefore, anti-piracy methods will constantly be fine-tuned and improved.
     
  5. Knowingly selling, distributing or buying child pornography (under age 18) through the Internet is a crime. The Internet has also been used as a tool for child prostitution. Pedophiles have used chat rooms to lure minors into illegal sexual encounters. Prosecution of these crimes is difficult due to the anonymous nature of the Internet.

Cyber crimes continue to rise exponentially, so stay educated to help minimize the risk of becoming a victim and another statistic.

2009-06-23
Computer Technology Today

Today, many people rely on computers either for homework, work and/or inputting and storing useful information.  Therefore, it is important for the information on the computer to be stored and kept properly. It is also extremely important for computer users to protect their computer from data loss, misuse and abuse.

For example, it is crucial for businesses to keep information they have secured so that hackers can't access the information. Home users also need to take means to make sure that their credit card numbers are secure when making any online transactions.

A computer security risk is any action that could cause loss of information, software, data, processing incompatibilities  or cause damage to computer hardware . An intentional breach in computer security is known as a  " computer crime " , which is slightly different from a cyber-crime. A cyber-crime is known as "illegal acts", based on the internet and is one of the FBI's top priorities.

There are several distinct categories for people that cause cyber-crimes   and they are referred as "hacker", "cracker",  " cyber-terrorist ", "cyber-extortionist", "unethical employee", "script kiddie" and "corporate spy". 
 
The term,  " hacker " , was actually known as a good word, but now it has  become a very negative view. A hacker is defined as someone who  unlawfully accesses a computer or computer network .

They often claim that they do this to find leaks in the security of a network. The term  " cracker " has never been associated with something positive .   This refers to someone  who intentionally accesses  a computer or computer network for evil reasons. It's basically an evil hacker.  They access it with the intent of destroying or stealing information. Both crackers and hackers  have advanced network skills. A cyber-terrorist is someone who uses a computer network or the internet to destroy computers for political reasons. It's just like a regular terrorist attack because it requires highly skilled individuals, millions of dollars to implement and years of planning.

The term "cyber-extortionist "  is someone who uses emails as an offensive force. They would usually send a company a very threatening email stating that they will release some confidential information, exploit a security leak, or launch an attack that will harm a company's network. They will request a paid amount to not proceed ,  sort of like blackmailing in a sense.
 
An unethical employee is an employee that illegally accesses their company's network for numerous reasons. One could be the money they can get from selling top secret information  or some may be bitter and want revenge.

A script kiddie is someone who is like a cracker because they may have the intentions of doing harm, but they usually lack the technical skills  They are usually silly teenagers that use pre-written hacking and cracking programs. A corporate spy has extremely high computer and network skills and is hired to break into a specific computer or computer network to steal or delete data and information.

Shady companies hire these types of people in a practice known as  " corporate espionage ". They do this to gain an advantage over their competition  in an illegal practice. Businesses and home users must do their best to protect or safeguard their computers from security risks.

The next part of this article will give some pointers to help protect your computer. However, one must remember that there is no 100% guaranteed way to protect your computer,  so becoming more knowledgeable about them is a must  in this day and age .

When you transfer information over a network it has a high security risk compared to information transmitted in a business network because the administrators usually take some extreme measures to help protect against security risks. Over the internet there is no powerful  administrator, which makes the risk a lot higher.  If your not sure  if your computer is vulnerable to a computer risk,  then you can always use some type of online security service which is a website that checks your computer for email and  internet vulnerabilities. The company will then give some pointers on how to correct these vulnerabilities.

The Computer Emergency Response Team Coordination Center is a place that can do this. The typical network attacks that put computers at risk includes viruses, worms, spoofing, Trojan horses and denial of service attacks. Every unprotected computer is vulnerable to a computer virus, which is a potentially harming computer program that negatively infects a computer and alters the way the computer operates without the user's consent.

Once the virus is in the computer,  it can spread throughout infecting other files and potentially damaging the operating system itself. It's similar to a bacteria virus that infects humans because it gets into the body through small openings and can spread to other parts of the body and can cause some damage.

A computer worm is a program that repeatedly copies itself and is very similar to a computer virus. However the difference is that a virus needs  to attach itself to an executable file and become a part of it. A computer worm doesn't need to do that as it seems to copy to itself and to other networks and eats up a lot of bandwidth.

A Trojan Horse, named after the famous Greek myth, is used to describe a program that secretly hides and actually looks like a legitimate program, but is a fake. A certain action usually triggers the Trojan Horse and unlike viruses and worms, they don't replicate itself.

Computer viruses, worms and Trojan Horses are all classified as malicious-logic programs which are just programs that deliberately harms  a computer.
Although these are the common three, there are many more variations and it would be almost impossible to list them. You know when a computer is infected by a virus, worm, or Trojan Horse if one or more of these acts happen:

  • Screen shots of weird messages or pictures appear
  • You have less available memory then you expected
  • Music or sounds plays randomly
  • Files get corrupted
  • Programs or files that don't run properly
  • Unknown files or programs randomly appear
  • System properties fluctuate

Computer viruses, worms and Trojan Horses deliver their payload or instructions through four common ways.
First, when an individual runs an infected program. So if you download a lot of things, you should always scan the files before executing, especially executable files. Second, is when an individual runs an infected program. Third, is when an individual bots a computer with an infected drive.   So that's why it's important to not leave media files in your computer when you shut it down. Fourth, is when it connects an unprotected computer to a network.

Today, a very common way that people get a computer virus, worm or Trojan Horse is when they open up an infected file through an email attachment. There are literally thousands of computer malicious logic programs and new ones come out by the numbers, so that's why it's important to keep up to date with new ones that come out each day. Many websites keep track of this.

There is no known method for completely protecting a computer or computer network from computer viruses, worms, and Trojan Horses, but people can take several precautions to significantly reduce their chances of being infected by one of those malicious programs. Whenever you start a computer you should have no removable media in the drives. This goes for CD’s, DVD’s, and floppy disks.

When the computer starts up, it tries to execute a bot sector on the drives and even if it's unsuccessful, any given various on the bot sector can infect the computer's hard disk. If you must start the computer for a particular reason, such as the hard disk fails or trying to reformat the drive, make sure that the disk is not infected

2009-06-17
Researchers Find Massive Botnet On Nearly 2 Million Infected PCs

More than 70 government-owned domains hit, and nearly half of the overall infections are in the U.S.

Researchers have discovered a major botnet operating out of the Ukraine that has infected 1.9 million machines, including large corporate and government PCs mainly in the U.S.

The botnet, which appears to be larger than the infamous Storm botnet was in its heyday, has infected machines from some 77 government-owned domains -- 51 of which are U.S. government ones, according to Ophir Shalitin, marketing director of Finjan, which recently found the botnet. Shalitin says the botnet is controlled by six individuals and is hosted in Ukraine.

Aside from its massive size and scope, what is also striking about the botnet is what its malware can do to an infected machine. The malware lets an attacker read the victim's email, communicate via HTTP in the botnet, inject code into other processes, visit Websites without the user knowing, and register as a background service on the infected machine, for instance. The bots communicate with their command and control systems via HTTP.

Botnet expert Joe Stewart says it appears to be similar to other downloader-type botnets. "It looks a lot like other downloader bots out there," says Stewart, director of malware research for SecureWorks. "It has a system for installing other malware and getting paid for it. The first stage is to get the bot piece onto the machine, and then they get paid to install other malware."

Finjan says victims are infected when visiting legitimate Websites containing a Trojan that the company says is detected by only four of 39 anti-malware tools, according to a VirusTotal report run by Finjan researchers.

"We don't have our hands on the actual [stolen] data, but we can tell a lot of what they [may be] doing with it by the malware," Shalitin says. "They can use it for spam, [stealing data], and almost almost anything."

Around 45 percent of the bots are in the U.S., and the machines are Windows XP. Nearly 80 percent run Internet Explorer; 15 percent, Firefox; 3 percent, Opera; and 1 percent Safari. Finjan says the bots were found in banks and large corporations, as well as consumer machines.

Shalitin says it appears that the botnet operators may be buying and selling bots or portions of their botnet based on a communique Finjan discovered on an underground black-hat hacker forum in Russia.

2009-06-12
Cyber Crime Spreads its Viruses

"It was a very good year for the cyber criminal". That is the depressing conclusion given by Guy Bunker, chief scientist at Symantec, on the basis of his company's Internet Security Threat Report for EMEA 2008. "They had a productive time, creating 60 per cent of all known malware in one year."

This explosion in activity reflects the commercialization of Internet attacks, with the origins moving from amateur hackers to organized crime. Even the basic components are now being sold like legitimate products. "One of the phishing toolkits is responsible for 14 per cent of all phishing on its own," notes Bunker. It can be bought for a couple of dollars.

"People leave their computers on all the time with broadband. That becomes a valuable asset to cyber criminals who seize computing power," he says. One advantage for criminals of this usage pattern is the ability to send millions of phishing emails from a single hijacked system, rather than having to gain control of multiple computers.

There were some successes in the battle against Internet fraud. The closure of a number of "cyber crime-friendly" ISPs led to a decrease of between 50 and 70 per cent in overall spam volumes. But new hubs for criminal Net activity have developed in Russia, Poland and Brazil from where attacks can be launched remotely.

The UK suffers most from the use of back doors and Trojans, something Bunker puts down to the way cyber criminals look for vulnerabilities and then exploit them rigorously until they are closed. "They will use a technique in one region, then when it gets shut down, they move onto somewhere else," he says.

Patches are usually developed in less than one week from detection of a worm or virus. With the explosion in multi-media online, however, it has become easier for cyber criminals to get Net users to download an attachment without checking it. Many users of computers in the workplace switch off anti-virus software in order to enable their access to such content, thereby leaving themselves open to attack.

Last year's Brisv worm modified multimedia files to open malicious URLs in this way and was the top new piece of malware reported in 2008. Worryingly, 87 per cent of confidential information threats had remote access capabilities, although this was down from 94 per cent in 2007.

"Companies need to review their security policies to ensure people can't switch off anti-virus applications and create vulnerabilities. The other thing they need to look at is smart phones," adds Bunker.

"A lot of computers have Web-enabled applications that give access to smart phones. If you run a report on your top 100 customers and their credit card details using that device, that is of very high value for cyber criminals," says Bunker. Blackberries and iPhones could be compromising corporate firewalls.

To assess Internet security risks, Symantec monitors 750,000 servers in 200 countries, allowing it to watch how a particular technique gets adopted from one country into another. Often the initial attack is trialed in a remote location, such as Peru, in the hope of testing it band then rolling out before a security patch gets written.

The scale of the effort being applied to online criminal activity is sometimes bewildering. According to Bunker, 60 per cent of all the software written in Windows is malicious. "We use behavioural analysis to look at what an application is trying to do when it is installed," he says. As soon as it acts improperly, such as linking to a phishing site, it is identified as malware and a security patch gets developed.

Looking at the trends for this year, Bunker believes it will prove to be a bumper one for cyber criminals. "Consumers in a down economy are looking to save money. Where do they go to do that? The Internet. That is what cyber criminals are planning to do, too - putting up offers to lure people in," he warns.

2009-06-06
Top Online Security Threats for 2009

Twenty years after the release of the Morris Worm, one of the first worms discovered on the Internet, the Web has proven to be the primary place where bad guys lurk, looking for poorly secured websites to plant malicious code. And, they find plenty.

According to the 2009 Security Threat Report [PDF] from Sophos, one new infected Web page is discovered every 4.5 seconds. With that in mind, we thought we'd take a look at the top security threats you should be looking out for in 2009.

SQL Injection Attacks
The Sophos research showed that over the past year the number of SQL injection attacks against innocent websites increased, a trend Sophos expects will continue next year.

Web insecurity, notably weakness against automated remote attacks such as SQL injections, will continue to be the primary way of distributing web-borne malware.

A recent report from the Internet Crime Complaint Center also points to an increase in SQL injection attacks in 2008, specifically relating to financial services and the online retail industry. Unfortunately, cyber criminals prey on the needs of Web users at any given time, and this time the economic crisis is their meal ticket.

The article is well worth reading if you're interested in how attackers compromise websites by SQL Injection or if you want ideas on how to reduce the likelihood of intruders gaining access to your private data.

Third Party Advertising Agencies and Scareware
In February 2008, Sophos confirmed a 'poisoned Web advertising campaign' on BBC competitor ITV's website that affected both Windows and Mac machines. While we've all seen Scareware, the pop ups designed to scare people into buying anti-virus software, this is the first time it has been seen for the Mac.

According to Sohpos, a Flash file was injected into traffic served up by ITV.com via third party advertising agencies. Designed to promote a program called Cleanator (Windows) or MacSweeper (Macs), the programs claimed to detect "compromising files" and encouraged users to purchase a full version of the package.

As websites often use third parties to serve up their advertising, Graham Cluley, senior technology consultant at Sophos suggests taking care when selecting agencies. "Website owners should ask the third party agencies they use what procedures they have implemented to positively vet the adverts that they deliver for malicious content or unsavory links.

Social Networking Sites
With social networking on the rise, the bad guys have found yet another playground on the Web. The Sophos report reveals 1800 Facebook users had their profiles defaced in August by an attack that installed a Trojan while displaying an animated graphic of a court jester.

Gated sites appeal to the bad guys because they form a "launching pad" for mass distributing malware attacks and spam, like the recent Koobface Trojan which attacked both MySpace and Facebook and transformed victim machines into zombie computers to form botnets.

Twitter too has become a tool for cyber criminals to distribute malware and marketing messages. In many cases, the bad guys steal members' usernames and passwords and bombard the victims' friends with marketing messages or direct them to third party websites. With Twitter especially, it is difficult to discern where links are going due to the 140 character limit and the use of services that shorten URLs.

On the flip side however, Chris Boyd of FaceTime Security Labs at this years RSA Conference explained that social networking sites are incredibly useful for security researchers. "The people that create these things have been on social networking sites since the beginning; they need to be on them a lot to understand them intimately enough to exploit them. But many times they leave a trail online that we can use to track them, to find out things like their names, ages and friends."

Apple Macs Becoming "Soft Targets"
While Mac malware is miniscule compared to Windows malware, Sophos recommends Mac users follow safe computing best practices and avoid complacency even though cyber criminals are more likely to stick to attacking Windows computers in the foreseeable future due to the higher financial incentive.

With so many Windows home users seemingly incapable of properly defending themselves against malware and spyware, it seems sensible to suggest that some of them should consider switching to the Apple Mac platform. This is not because Mac OS X is superior, but simply because there is significantly less malware currently being written for it.

Along with the scareware attack mentioned earlier, there have been other attempts to infect Mac computers in 2008: the OSX/Hovdy-A Trojan, the Troj/RKOSX-A Trojan, and the OSX/Jahlav-A Trojan.

Smartphones: A New Toy for Cyber Criminals
While most malware and spam is produced as a result of financial incentive, with smartphones, Sophos believes malware will more likely be written by those wanting to make headlines. As neither the iPhone or the G1 has yet been the target of a significant attack, someone will want to be the first and claim the title.

Apple iPhone
According to Sohpos, iPhone users are more vulnerable to phishing attacks than their desktop counterparts for three reasons:

  • They may be more willing to click on links because entering URLs on a touch screen is more difficult
  • The iPhone version of Safari doesn't display URLs embedded in emails before they are clicked on making it more difficult to tell whether a link leads to a phishing site
  • The iPhone browser doesn't display full URLs making it easier for the bad guys to trick users

Google Android
Hackers are only just getting a real look at the Android OS so there is not much to report however, one security flaw was revealed only days after the G1 went on sale. The flaw, discovered by Charles Miller, a principal security analyst at Independent Security Evaluators, was in the browser partition of the phone. According to the New York Times, the flaw enabled keystroke logging software to be installed, making it an easy trick to steal identity information and passwords.

Additionally, while many are impressed with Google's open attitude to applications, others are concerned about the ease in which malicious software could be distributed and caution when it comes to downloading third party apps is advised.

Sophos predicts as more people purchase smartphones, creating threats will become increasingly attractive to cyber criminals: Imagine a generic Mac OS X attack made for the iPhone that could also cripple the Mac computer.
Other Interesting Stats from the Sophos Report

  • There were five times as many malicious e-mail attachments at the end of 2008 than at the beginning of 2008
  • The United States hosts the most malware on the Web at 37 percent
  • Computers in the United States relay the most spam at 17.5 percent

Cyber criminals will always be ahead of security experts simply because most of what the anti-malware providers discover is generally published for the public; the bad guys aren't as open with what they do. But, being aware of trends, keeping security patches up to date, and installing firewalls will do much to thwart the majority of attacks.

2009-05-20
Cyber Crime Growing in Canada

Canadians are now more likely to be victims of crime on the Internet than they are on the streets, suggests a new survey commissioned by the Canadian Association of Police Boards.

Cyber crime -- things such as identity theft, computer viruses and online harassment -- is very close to surpassing illicit drugs as the top crime category in North America.

The survey, completed last January by Deloitte LLP, found that nearly half of the 567 respondents had been victims of cyber crime, and 70% said they did not report the crime.

Almost everyone surveyed -- 95% -- thought they were being targeted by cyber criminals.

"If that doesn't scare you, I don't know what will scare you," said Calgary police Chief Rick Hanson during a news conference Wednesday.

"It's huge and it's getting worse," said Ian Wilms, chair of the Canadian Association of Police Boards. "You lock your door at night time, but people don't, when online, just take the 30 seconds to update the security patches on their computer."

The report finds that the number of incidents has increased dramatically since 2001.

"The pool of victims grows larger every day while the pool of perpetrators also gets larger, younger and more sophisticated . . . this is a new era for police, fighting a new type of criminal," said Mr. Wilms in a statement.

Staff Sgt. Dick Nyehuis, head of the Calgary Police Electronics Surveillance Unit, says his department has seen a 1,239% increase in seized computers over the past three years.

"We've now seen that there is a need for an online presence so we can monitor website and chat rooms to try and look for and identify people who could be a danger," said Sgt. Nyehuis.

"It's a growing industry and I think it's going to take a different approach right across Canada to address it," said Calgary police Chief Rick Hanson.

"We've known for some time that it's a growing crime threat, locally and nationally and internationally. I think this survey shows that more needs to be done.

"Is it a surprise to us? No. But like anything else our resources need to grow with the magnitude of the problem."

Digital law expert Michael Geist says the numbers seem a little inflated and that could pose a problem for law enforcement.

"It suggests that there is widespread concern about the issue," said Mr. Geist.

"If we're thinking about how we prioritize law enforcement and address these issues, we need to focus on whether there is significant financial harm or whether personal safety or personal privacy is put at risk."

The most common definition of cyber crime is broad -- a criminal offense involving a computer, meaning that major issues such as child pornography and fraud are lumped in the same category as viruses and spam.

Still, Mr. Wilms stressed that action is needed sooner rather than later.

"We can't afford to let the Internet become a no man's land."

Tom Keenan, a University of Calgary professor of computer science said the good news is people are becoming more aware of cybercrime.

"The bad news is we're not getting quite to the point where people take all the right precautions. We're kind of locking the front door but then leaving the back door open."

2009-05-11
Government of Canada Invests in Aviation Security

New aviation security measures will now protect Canadians and enhance efficiency so that Canada's airports and air carriers remain competitive internationally. The Honourable Rob Merrifield, Minister of State (Transport), and the Honourable Jean-Pierre Blackburn, Minister of National Revenue and Minister of State (Agriculture), announced today that the Government of Canada is going to be investing $358.7 million this year in an effort to create a more secure and efficient air transportation system for Canadians.

"Our government is committed to the security of our airports and the people who use them," said Minister Merrifield. "This investment in aviation security represents a major step forward in protecting Canadians while supporting economic growth through the efficient flow of passengers and goods."

Funding for the project will be in the amount of $355.8 million for 2009-2010 and will enable the Canadian Air Transportation Security Authority (CATSA) to strengthen and improve the efficiency of airport security screening operations and technology. The Government of Canada will also invest $2.9 million to support the initiation of airport security plans as a priority this year.

"Airport security plans will promote the coordination and integration of airport security, something that will greatly benefit travellers at airports across the country," said Minister Blackburn. "These new initiatives show that the Government of Canada is committed to strengthening aviation security on all fronts."

Strengthening airport security is an important part of Transport Canada's ongoing commitment to protect the travelling public, the aviation industry, aviation workers and infrastructure. The airport security plan initiative supports that goal by ensuring that all security requirements and mitigation strategies are developed and clearly outlined, and that airport operators' and tenants' roles and responsibilities are clarified.

"This is indeed a very good day for aviation security in Canada. Air travellers will not only be more secure as a result of this investment – this demonstration of support will also keep our country among world leaders in this global industry," said Kevin McGarr, President and CEO of CATSA.

The new measures will ensure that Canada remains closely aligned with the security measures of its key international partners, and will support the Canadian air transportation industry to help it remain competitive internationally.

2009-05-08
Governments Taking Cyber Attack Seriously

The US government has now publicly announced that the nation's central power grid is now very vulnerable to a cyber attack, following reports that it has been infiltrated by foreign spies. These attacks, according to the Wall Street Journal have reported that the breaches on the US grid were reported as coming through both Chinese and Russian hackers.

"The vulnerability is something [we] have known about for years," said US Homeland Security Secretary Janet Napolitano.

"We acknowledge that... in this world, in an increasingly cyber world, these are increasing risks," Ms Napolitano added.

She has refused to comment on the WSJ story that such as intrusion had taken place, but security experts said they were not surprised by the claims made by Homeland Security.

"There is a pretty strong consensus in the security community that the SCADA equipment, a class of technology that is used to manage critical infrastructure, has not kept pace with the rest of the industry," said Dan Kaminsky, a cyber security analyst and director of penetration testing for IO Active.

"Software for desktops and the internet have been dealing with the issue of security for the last 10 years, and that hasn't really come into the SCADA realm.

"From a geo-political standpoint, this has created an opening for skilled 'hostiles' to obtain a presence in places we would rather they didn't have one."

It was reported that the intruders had not sought to damage the power grid or any other key infrastructure so far, but suggested they could change their approach in the event of a crisis or war. Now that outside countries have a much clearer picture on the internal infrastructure and schematics of such a critical operation, anything is possible, and security in such a critical industry now falls under Extreme Due Diligence, or the lack there of.

Security experts have commented that the involvement of the Chinese and Russians in such a scenario could now show they were, and/or have been strategically thinking about how either to constrain the US, or to inflict more damage if they felt a need to do so. It seems that the US Department of Defense or CERT has not been placing enough emphasis on core systems that could have severe reprocussions if they were compromised by an outside source.

"I think that China recognizes if in a very strategic sense you want to ensure you have the ability to exploit another country's potential weakness or vulnerability, but do it in a way that isn't confrontational or cause an international crisis, then this is a very good way of doing that," Eric Rosenbach, of Harvard University's Kennedy School of Government's Belfer Center, told news agencies.

The motives behind these potential attacks are undoubtedly military or political in nature, said Tim Mather, chief security strategist for the RSA Conference, the world's biggest security event.

He went on to tell the BBC: "These countries are not doing this willy-nilly. There is a tactical reason for all of this and no doubt tied to a longer term strategic plan which is easy if they need to jerk the chain of the US, then this is the way to do it.

"This is like having an ace in the hole for the Chinese or Russians, just in case," said Mr Mather.

In the coming weeks, a government review of cyber security is due to land on the desk of US President Barack Obama. The next course of political action by the President will be very much an interesting one.

"The president takes the issue of cyber security very seriously, which is why he ordered a top-to-bottom review shortly after taking office," said White House spokesman Nick Shapiro.

He added that the White House was not aware of "any disruptions to the power grid caused by deliberate cyber-activity here in the United States".

Mississippi Democratic Representative Bennie Thompson, chairman of the House of Representatives Homeland Security Committee, said he would introduce legislation to address weaknesses in the system.

"Our electric system is critical to our way of life, and we cannot afford to leave it vulnerable to attack. Our oversight indicates there is a significant gap in current regulation to effectively secure the infrastructure," he said.

The North American Electric Reliability Corp, the industry group with responsibility for grid reliability and security, said it was unaware of any cyber-attacks that had led to disruptions of service.

"NERC and industry leaders are taking steps in the right direction to improve preparedness and response to potential cyber threats. There is definitely more to be done," the group said in a statement.

"To date the number of people in the position to cause harm on SCADA has been thankfully relatively small," Mr Kaminsky told the BBC.

"But however small, it is big enough to be a problem and a problem that can potentially turn the lights out and cause economic harm to our country. The game is up," he said.

Security and response time are critical variables in any government attack, especially one like this of such magnitude. Only time will tell where the priorities of national security lay.
 

2009-05-03
The Oldest Form of Identification

Biometrics may seem new, but they're the oldest form of identification. Tigers recognize each other's scent; penguins recognize calls. Humans recognize each other by sight from across the room, voices on the phone, signatures on contracts and photographs on driver's licenses. Fingerprints have been used to identify people at crime scenes for more than 100 years.

What is new about biometrics is that computers are now doing the recognizing: thumbprints, retinal scans, voiceprints, and typing patterns. There's a lot of technology involved here, in trying to both limit the number of false positives (someone else being mistakenly recognized as you) and false negatives (you being mistakenly not recognized). Generally, a system can choose to have less of one or the other; less of both is very hard.

Biometrics can vastly improve security, especially when paired with another form of authentication such as passwords. But it's important to understand their limitations as well as their strengths. On the strength side, biometrics are hard to forge. It's hard to affix a fake fingerprint to your finger or make your retina look like someone else's. Some people can mimic voices, and make-up artists can change people's faces, but these are specialized skills.

On the other hand, biometrics are easy to steal. You leave your fingerprints everywhere you touch, your iris scan everywhere you look. Regularly, hackers have copied the prints of officials from objects they've touched, and posted them on the Internet. We haven't yet had an example of a large biometric database being hacked into, but the possibility is there. Biometrics are unique identifiers, but they're not secrets.

And a stolen biometric can fool some systems. It can be as easy as cutting out a signature, pasting it onto a contract, and then faxing the page to someone. The person on the other end doesn't know that the signature isn't valid because he didn't see it fixed onto the page. Remote logins by fingerprint fail in the same way. If there's no way to verify the print came from an actual reader, not from a stored computer file, the system is much less secure.

A more secure system is to use a fingerprint to unlock your mobile phone or computer. Because there is a trusted path from the fingerprint reader to the stored fingerprint the system uses to compare, an attacker can't inject a previously stored print as easily as he can cut and paste a signature. A photo on an ID card works the same way: the verifier can compare the face in front of him with the face on the card.

Fingerprints on ID cards are more problematic, because the attacker can try to fool the fingerprint reader. Researchers have made false fingers out of rubber or glycerin. Manufacturers have responded by building readers that also detect pores or a pulse.

The lesson is that biometrics work best if the system can verify that the biometric came from the person at the time of verification. The biometric identification system at the gates of the CIA headquarters works because there's a guard with a large gun making sure no one is trying to fool the system.

Of course, not all systems need that level of security. At Counterpane, the security company I founded, we installed hand geometry readers at the access doors to the operations center. Hand geometry is a hard biometric to copy, and the system was closed and didn't allow electronic forgeries. It worked very well.

One more problem with biometrics: they don't fail well. Passwords can be changed, but if someone copies your thumbprint, you're out of luck: you can't update your thumb. Passwords can be backed up, but if you alter your thumbprint in an accident, you're stuck. The failures don't have to be this spectacular: a voiceprint reader might not recognize someone with a sore throat, or a fingerprint reader might fail outside in freezing weather. Biometric systems need to be analyzed in light of these possibilities.

Biometrics are easy, convenient, and when used properly, very secure; they're just not a panacea. Understanding how they work and fail is critical to understanding when they improve security and when they don't.

2009-04-27
2008 In Review

Malware, especially from compromised web sites, was a huge issue in 2008. Many legitimate sites such as MSNBC.com, History.com, ZDNet.com and many others suffered compromises, in some cases for days. Unlike the past, the sites looked normal, but unsuspecting web surfers with vulnerable systems were exploited when they visited these sites.

Search engines were used, such as Google, to compromise systems. This happened in several ways, including:

  • Tricking the search engine indexing and results logic to escalate malicious web sites to the top of the list where users were more likely click on it.
  • Using the "paid for" or "sponsored links" areas of search engines to direct users to compromised sites.

As predicted, hackers towards compromising end points (individual systems such as desktops, laptops and servers) and placed less emphasis on external direct attacks - although this still happens frequently.

On the flip side, we expected botnets to play a larger role in 2008. While botnets increased in size, scope, and sophistication, they weren't used to the scale expected. Basically, botnet controllers were sowing more and reaping less in 2008.

Also, out of the blue, we had the whole DNS exploit issue come back from the dead. We saw a lot of these in the 90's when DNS was first used and then we went nearly a decade without many DNS flaws. I don't think anyone expected a core DNS vulnerability on a worldwide scale. The good news is that very few known cases of serious exploits occurred.

Vista had fewer serious security vulnerabilities than expected. This may be because so few people are migrating to Vista and many even downgraded to XP. I imagine that if more people were using Vista, 1) we would find more vulnerabilities and 2) more attackers would spend time trying to exploit it. Attackers are all about bang for the buck. If most people are still using XP, they will focus on XP. It is just that simple.

Looking Forward to 2009
What data security threats will be most prevalent? Let me first start with some general predictions.

  • The volume of attacks from international sources has and will continue to increase especially towards government and military networks. The fog is beginning to lift and as it does we will see the vast majority of these attacks coming from China and being tied to government sponsorship.
  • Data security breaches tied to theft will significantly increase. It will not surprise anyone that mobile devices are stolen most often.
  • The sophistication of application level attacks such as SQL injection, buffer overflow, cross site scripting (XSS) and others will increase. These will be directed towards high traffic web sites (news sites or social networking sites) that, when compromised, will install malware to a large numbers of users.
  • For the most part, botnets will not need to be the concern of small business or consumers. Service providers and large enterprises have added steps (perhaps just in time) to reduce the challenges of botnets.
  • Bandwidth consumption will percolate higher in the list of IT challenges for organizations of all sizes. More and more users will use the web to download content. Our appetite has changed from text with a few graphics to streaming high definition video, huge downloads, and YouTube.

This year the list is different. This is due to the environment in the US from an economic, legislative, and political perspective. The different perspectives are so volatile that the environment alone will spawn some new threats we have not dealt with. The type and volume of information that is now available on the Internet creates additional threats. The top nine threats and their corresponding solutions/New Year's Resolutions are listed below in descending order of severity. Each threat is ranked by status as a Rising, Steady or Weakening Threat.

#1. Malicious Insiders - Rising Threat
Employees with malicious intent have always been the biggest threat to their organizations. According to www.infosecurityanalysis.com, when a data security breach occurs as a result of a malicious insider, more records are compromised than any other breach source (including hackers). In 2008 we learned about Dwight McPherson, who worked in the admissions office at NY-Presbyterian Hospital/Weill Cornell Medical Center. Dwight was approached by a man who told him he would pay him for medical records of males born between 1950 and 1970. Dwight took nearly 50,000 records and sold two batches of 1,000 records for $1,350 before getting caught.

Several studies indicate that only a small percentage of data breaches are reported. Many companies still choose not to report them because it shows a systemic failure in hiring practices, policies, procedures, auditing, enforcement and technology safeguards. As economic times get worse, we will likely see desperate and malicious employees compromise security for a few extra dollars.

#2. Malware - Steady Threat
Malware means malicious software, which can include viruses, worms, Trojan horse programs, etc. When a vulnerable user accesses this web site, their system becomes infected. The system then falls under the control of the attacker.

This is such an effective method to distribute malware and compromise systems that it has become the most prolific method.

#3. Exploited Vulnerabilities -Weakening Threat
Exploiting a known vulnerability is the normal process when people talk about hacking. Hackers find a weakness and exploit it for their gain. There is nothing new here, except the location of the systems.

In times past, it was external systems such as email servers, web servers, and firewalls that would be broken into. These attacks are moving inside the network. Systems on the inside of the network are not patched and updated as frequently. Networks have a hard outer edge and a gooey center from a security perspective. Organizations rely on Microsoft SUS (system update service) that patches to keep the systems up-to-date. The problem is that SUS only patches Microsoft, which leaves all the non-Microsoft operating systems applications vulnerable.

IT professionals make the mistake of thinking, "It was only the administrative assistant's machine that got compromised and it didn't have any sensitive information on it." If a system gets compromised, the attacker may have control of more than just that one system. From that system they could launch additional attacks to other systems. They can 'sniff' the credentials of anyone on that system to access other systems. Typically, the first system to be exploited is just the base camp to compromise more valuable assets.

When an internal system is compromised, the bad guys now have ways of bypassing your entire network and edge based security controls. They use encrypted tunnels over commonly used ports to make their deeds virtually invisible.

#4. Social Engineering - Rising Threat
Gartner states that the greatest security risk facing large companies and individual Internet users over the next 10 years will be the increasingly sophisticated use of social engineering to bypass IT security defenses. Kudos to Gartner, they were right, and I believe 2009 will be the year of more social engineering attacks. Why spend days trying to crack a username and password using sophisticated software and potentially get caught, when you can trick someone into just giving you theirs? With hacking, you are compromising a computer, and with social engineering you are compromising a human.

In 2009, we will see the common use of many social engineering ploys. Any method of communication can and will be used to perpetrate fraud including telephones, mobile phones, text messaging, instant messaging, and social networking sites. Additionally, many people will fall prey to their own natural curiosity. For example, leaving a CD infused with malware entitled "2008 employee compensation & bonuses" by the elevator or a USB thumb drive near the door of the building that will infect a system when plugged in.

#5. Careless Employees- Rising Threat
Careless employees are not a threat we have highlighted in the past. Not only have we seen a trend that includes more mistakes made by careless or untrained employees that lead to a security compromise, but this will be fueled by the economic climate. With a recession, business will have to do more with less. The strain this puts on employees causes them to cut corners on important duties. Systems will not be updated, logs will not be reviewed and alerts will go unchecked. This creates gaps that can be exploited by the attackers.

A poor economic climate may lead to less formal employee training. This leads to policies and procedures not being followed. Liability issues arise. Data exposure can occur. One example of this is how my wife s personal information was compromised. The local University Hospital had a procedure to have their backup tapes (with thousands of sensitive patient records) taken off-site by a third party provider. The employee of the data archive and transport company decided not to follow procedures and instead of dropping the tapes off at their destination, went to his second job. While at his 2nd job, his car was broken into and the tapes were stolen.

#6. Reduced Budgets - Rising Threat
As you can see, there are many threats that have roots in a downward economy. A weak economy leads to companies tightening their budgets. This results in lower headcount and less money for upgrades and new systems. Just because the economy slows does not mean that criminals slow down. In fact, it is often the opposite. There are always those system upgrades, process improvements, and new technologies that were put into next year s budget that may now be put on hold. 2009 may see reduced budgets, which means more exposure and security gaps that can lead to a data security breach.

#7. Remote Workers - Steady Threat
Companies that support telecommuting are on the upswing. Remote workers and travelers all pose unique security risks. Often, we see organizations install a VPN box without much thought to security. A VPN only encrypts the traffic between the remote user and the company. If that system is compromised, you are effectively encrypting (keeping private) all of the hacker s traffic. VPN’s are usually installed in a way that bypasses edge based security devices such as the corporate firewall. Remote workers have greater exposure to system compromise for several reasons:

  • The company does not own the computer they are working from and it does not have the security software like other corporate systems.
  • Remote users are more likely to allow their systems to lapse in their security protection. They do not update software because they often pay for it out of their own pocket.
  • When something goes wrong, there is no IT person to help them, thus they do whatever it takes to get it working which may disable needed security measures.
  • Theft is the #1 cause of data security breaches. Most people house some sensitive corporate or customer data on their laptops. 1 in 10 laptops is stolen within the first year of ownership.
  • A remote computer is not subject to the same security requirements as a corporate computer. For example, you may use web content filtering on the corporate network to block access to inappropriate web sites. Remote user traffic is usually not routed through the same system. As a result, the remote user may access a web site that could infect and compromise their system. When that system connects to the network, that compromised system can now spread and attack other internal systems.
  • Children and other household members may use the same computer mom or dad use for work. They install a game; hit a web site, or any of a number of things that can lead to the compromise of the system. All you hear is "Dad, the computer is running really slow again!"

#8. Unstable Third Party Providers - Strong Rising Threat
Most providers have begun to see slowing sales and weaker profits. At the same time, regulators are requiring many providers to achieve and maintain strong compliance. While there is an increase in expenses, there is a decrease in revenues. We believe this will lead many providers to go out of business or cut corners that could lead to a compromise. At this time, it is imperative for organizations to streamline their 3rd party providers. Ensure you are using providers that have been in business for a long time and have seen hard times before. Use providers that have been regulatory focused for years rather than ones that are just trying now. Ask for audited financials and ensure that your provider is profitable.

Choose a provider that can offer you multiple solutions to gain the benefits of economies of scale. I am a big proponent of outsourcing, but it must be to the right organization.

#9. Downloaded Software Including Open Source & P2P Files - Steady Threat
IT administrators may be tempted to take on more themselves. They may download and install open source software or freeware in an attempt to save money. We have found that these tools in the hands of an inexperienced user may lead to a huge waste of time or a data breach. Almost all security software available commercially has a freeware or open source counterpart somewhere. The installation, configuration, fine tuning and other aspects of a software lifecycle sometimes are more than any individual can handle, especially if they don t have the time and training to do it.

Lastly, users that are allowed to download and install software on their desktops are a huge risk to their company. For example, we have seen unsuspecting users install modified versions of P2P software. Rather than just giving the user the ability to download music and movies (which is a bandwidth problem by itself), these programs can be modified to scan the local system and network systems to catalog sensitive information such as spreadsheets and databases and make them publically available for download anywhere in the world. Your firewall and most other security devices cannot detect or stop this activity.

All software downloaded and used should be done by a trained IT professional. I believe we will continue to see many data breaches as a result of downloaded software in 2009.

This doesn't have to be all doom and gloom. By realizing these threats, we can work to ensure our exposure is limited. Additionally, it gives us the opportunity to look at alternative solutions. A company that has traditionally kept their security management and monitoring in-house may use this as an opportunity to look at the cost benefits of outsourcing this to a leading security firm. Some of the technology you have been using to reduce your risk may be outdated and you can replace it with newer systems that can protect your organization better for the same or less money. Challenges such as this give us the opportunity to rethink the way we have done things in the past and find newer, optimized ways of securing our organizations. With data security, it isn't about having more as much as it is about having the right stuff.

2009-04-19
The Future of the Internet is not Multimedia

Many networking experts feel that the next big revolution in data networking will be the development of Quality of Service (QoS) networks with the ability to guarantee the delivery of time sensitive data. Such networks would be used to deliver voice and video over data networks like the Internet and ultimately to deliver advanced interactive multimedia services that have been promised to us for so many years now.

However some network gurus speculate that contrary to common opinion real time video conferencing or multimedia will NOT be the major traffic driver in the networks of the future. In fact, some speculate that the growth of data traffic types will be the opposite of common convention and result in decreasing demand for QoS networks needed to support multimedia!

In the past network data has been characterized in different ways to address the need for QoS support as for example constant bit rate for voice, variable bit rate for video and available bit rate for data. However, another way of characterizing data in terms of QoS is to look at how it is originated and received. From that perspective data traffic can be divided into 3 major traffic types: Human to human data for voice telephony and interactive video conferencing; Human to computer data for web access, and video playback servers; and finally computer to computer data used in e-mail, web caching, routing updates, news feeds, database synchronization, etc

Human to human communications are considered to be those services where a live human being is required at both ends to complete the communications connection. They include such services as voice telephony and real time video conferencing. Human to human communications are the most demanding of QoS networks as the usual human I/O devices, the eyeball and the ear drum, have the limited buffering capability and hence are the least tolerant of delay and jitter in a communications channel.

But, these services are in fact probably the slowest growing of all communication services. Traditional voice telephony has experienced very little growth in the past few years and video conferencing growth despite all its promises, remains anemic.

Human to computer communications on the other hand has been the success story of the decade. Human to computer communications include the obvious things like the Web, but it also includes such things as voice and video playback services that are just starting to come on line. Although these services can undoubtedly benefit from a QoS network, they can still be delivered quite effectively with adequate buffering over existing non-QoS networks. There is no reason not to believe that the exponential growth experienced by this type of communications connection particularly driven by the web should continue, if not accelerate.

Computer to computer communications may, however, be the real driver for advanced networks and bandwidth. Computer to computer communication occurs when no human initiates the communication. Such things as distributed web caching, routing updates, multicast feeds, news feeds, batch processing, and database synchronization are typical of computer to computer communication. E-mail and voice mail are also considered to be computer to computer communications because they usually use a store and forward server and don't require immediate connectivity across a network.

We are only really starting to see the early growth of this type of network traffic. Surprisingly, as with voice, most existing computer to computer traffic still exists on proprietary SNA and leased line EDI networks. When this traffic with its concomitant exponential growth moves over to the Internet there will be an increasing demand for network bandwidth.

As well, new applications being developed in the Next Generation Internet (NGI), Internet 2 and CA*net II programs in such areas distributed human genome sequencing, geo-spatial database mapping and database mining promise an even greater growth in this type of traffic. These applications alone can consume phenomenal bandwidth which is many orders of magnitude larger than traffic voluumes typical of human to human communcations.

In the US and Canada, data traffic volumes now regularly exceed voice traffic volumes. It is expected that this trend will continue, if not accelerate, and the predominant form of traffic carried over advanced networks will be computer to computer traffic.

One of the fundamental assumptions for future advanced networks was that real time interactive human to human communications will be the predominant traffic type. Distance education, medical collaboration and tele-immersive virtual reality are cited as common examples of the future telecommunications traffic profile. The requirement for a QoS network was necessary in order to book or reserve bandwidth on a relatively congested network to be used principally for human to human communications.

However, if networks turn out to be principally be used for computer to computer and/or human to computer to communications then this will have a significant impact on the need and design of QoS networks. Computer to computer networks with their high provisioning ratios necessary to accommodate their fractal data distribution patterns may be adequate not only to support the primary use of non QoS data but also the requirements for real time human to human communications without the need of deploying complex QoS networks. In this case the real time traffic can be used to fill in the spaces, as it were, between the much higher volume data traffic.

Simple services like prioritizing human to human communication in the buffers of the network routers and switches (Weighted Fair Queuing (WFQ) and Random Early Detection (RED)) may be all that is necessary to provide excellent voice and real time video quality over the Internet. More importantly, WFQ and RED can be implemented without the need for complex multilateral QoS agreements between competitive Internet Service Providers.

Another significant and related factor that may effect the deployment of QoS networks is the dramatic increase of available bandwidth. In Canada's major metropolitan centers, in particular, there is considerable competition from cable companies and other network service providers. As a result we are seeing dramatic increases in available bandwidth.

And the best is yet to come. The carriers are now starting to deploy services called Wave Division Multiplexing (WDM) that promise dramatically increase available bandwidth on EXISTING fiber networks. In a few years there may be a much as 1000 fold increase in available bandwidth on existing networks. This will inevitably will drive prices further into the ground. For that reason alone some network experts believe that cost of over provisioning networks to accommodate the needs of real time voice and video may turn out to be cheaper and more reliable than implementing complex QoS mechanisms.

The future of QoS networks is cloudy, and time will only will tell if the future multimedia applications or computer to computer data networking will be the primary driver for advanced networking.

2009-04-16
The Future of the Internet

The Internet has been around since the 1960s. Since 1994, the digerati of users has grown from approximately 13 million to more than 300 million globally. Shortly it will incorporate holographic technology. Looking beyond, it will become ubiquitous and as elusive as air, as it morphs into our biological make-up!

Culturally, within its brief lifespan, the Internet seems to have engulfed our very beings. In the 2.0 world of social media, we are now on the Internet more than we watch TV, and sometimes more than we sleep, drink, eat or work.  So can you possibly imagine how we will live without it? And even more mind-boggling: What on Earth could possibly replace it?

HOLOGRAM TECHNOLOGY
Holographic storage has been the dream of scientists for 30 years. Glen Sincerbox, a data storage expert for IBM has worked on holographic memory since the early 1960s. Holographic science is now being used to record holotechnology DVDs over a hundred gigs of memory.  Future generations may store as much as a terabyte (1000 gigs), when holographic technology melds computer games, internet access and television together.

HOLOGRAPHIC TELECONFERENCING
Today, teleconferencing has taken a major step forward in transferring hologram images of people. Think of the first time we witnessed George Lucas' imaginative hologram of Princess Leia in "Star Wars.” Similarly, if a business executive in the States was to conference his boss in London, all he has to do is command his computer to contact that particular person: "Computer, call the President in our London office."  And voila, the President will be sitting across from him as if he were right in the room. On the other end, the President will experience the same immersion connection. During the recent election coverage, CNN developed this same hologram technology to beam an image of the news correspondent Jessica Yellin from Chicago into CNN's Atlanta newsroom.

HOLOGRAPHIC COMPUTERS
In the movie "Minority Report" starring Tom Cruise, we get our first glimpse of what holograms will look like as computers. No mouse, no keyboard, just virtual screens and your hands at the controls. When this movie was released in 2002, this futuristic technology was thought of as pure Hollywood fantasy. Less than 7 years later, however, engineers have developed a similar computer. By sensing hand movements, Microsoft's TouchLight devices allow users to physically grab hold of files displayed on a holographic screen. The software giant, together with its partner firm Eon Reality is aiming to have desktop versions of the computer available to PC users within the next 2 years.

THE INTERNET OF THINGS
What will the Internet be like 10 years from now? By 2020, as appliances, vehicles and buildings start going online, there will be more “things” on the Internet than people. Internet-enabled cars and airplanes are coming online, and smart houses are being built every day. The "Internet of Things  will allow sensor-enabled physical objects, such as appliances in your home, products Internet of ThingsInternet of Thingsin a store, cars on the road to virtually talk to one of another, the exact same way humans communicate on the Internet. With this advancement almost every object in your home and work environment will eventually be interconnected with a unique IP address, whereby you will be able to make your coffee, and pick out the clothes instantaneously, with a simple mouse click.

THE INTERNET OF YOU
The introduction of programmable, nanoscale machines will extend the Internet to things the size of molecules that can actually be injected under your skin, leading to Internet-enabled people. Yes, humans will eventually replace the Internet. More and more of the world's information will be accessible immediately and from virtually anywhere. In an emergency, our health records will be available for remote medical consultation, complete with specialists and perhaps even some remote surgery.

Futurist, David TowFuturist, David TowAccording to futurist, David Tow, by 2040, humans will be attached to a people-centric sensory web- tracking device where movement and behavior will be recorded via embedded sensors and micro processors.  David Tow Image  By 2050, children will be neurologically rewired as the interactive Internet becomes an invisible part of our physiological make-up. From this period forward, humans will live out most of their waking and even sleeping moments in cyberspace as human and computer intelligence are seamlessly co-joined in a Matrix-like fashion.
 
Toward the end of the 21st Century, Web 5.0 will emerge as a global sentient network of networks, incorporating artificial and human intelligence and resulting into a form of global consciousness. Genetic mutation will still occur but no longer will it the physically fit who will survive, The combination of modern medicine, sentient intelligent technology and a virtual cyber reality will now insure that the fittest MINDS inherit the Earth.

So, from holograms to Internet-people, many of us will witness these transformations in our life-time. The question is will be accepting of these changes, or will we go kicking and screaming in the dark night! Time will tell. Stay tuned.

2009-04-09
Cyber Spies And Saboteurs

The U.S. National Security Agency's control centre for spy satellites is located near Bad Aibling, in Germany. As U.S. Defense Secretary Donald Rumsfeld unleashes a "shadow war" of covert special-forces operations against terrorist Osama bin Laden, he is sending into action many high-tech warriors who have neither guns nor grenades, and whose combat missions won't take them anywhere near Afghanistan.

Their brand of fighting goes by the innocent-sounding term of "computer network exploitation." Most people would simply call them computer hackers.

But unlike rebellious teenagers sitting at their bedroom computers, these hackers work for intelligence agencies and have advanced training in computer science, math and cryptology.

No government agency in Canada or the U.S. has acknowledged that it employs hackers to break into computers. That information is secret because the targets of "computer exploitation" are not just terrorists like bin Laden and hostile states. The targets can just as easily be citizens at home, trade negotiators and diplomats from friendly countries, or foreign businessmen bidding against a domestic company.

In this exclusive Gazette report, some of North America's top intelligence, military and computer experts talk about how government hackers are transforming the Internet into a tool for spying and warfare. They say U.S. spy agencies, and very likely Canadian ones too, have been hacking into computers for years.

Right now, they say, hacking plays an important role in President George W. Bush's war against bin Laden and his supporters.

While this tool is limited by the fact that there are few computers in Afghanistan, where bin Laden is said to be hiding, it may prove critical in tracking down his bank accounts and business fronts around the world, said intelligence expert Jon Concheff, who spent 21 years in the U.S. Special Forces.

Hacking, he said, "is a logical and critical adjunct to the revivified campaign against terrorism."

Canada's military says it wants to engage in hacking, too. In June, one of Canada's top commanders in "computer operations," Colonel Randy Alward, announced that the Canadian Forces want to include hacking in their military arsenal. Under the policy, military hackers would be trained to disable communication systems, destroy electronic information and plant destructive computer viruses.

But experts caution that hacking is a dangerous and unpredictable new tool.

"I think this is perilous. I'm more worried about what states are doing than Mafiaboy," said Ron Deibert, a University of Toronto professor who studies the Internet and has been an external examiner on computer warfare at the Canadian Forces College in Toronto. (Mafiaboy is a Montreal teenager who pleaded guilty this year to hacking into U.S. Web sites.)

"When we talk about information warfare, people don't see it applies to them," said Robert Garigue, a retired Canadian Forces lieutenant commander, now the Bank of Montreal's vice-president (information security). "But it does. We've created this social space (on the Internet), and conflict is moving into it. Every decision you make is mediated by computer. In that sense, the computer layer becomes very powerful when you can manipulate it."

Computer spying couldn't have been born in a prettier place. Nestled into the side of Colorado's majestic 4,300-metre-high Pikes Peak, Schriever Air Force Base lies where the rolling plains meet the eastern wall of the Rockies.

The facility controls all of the U.S. Defense Department's classified satellites, and is home to President George W. Bush's National Missile Defense project.

In July 1994, the base saw a history-making demonstration by Kevin Ziese, a computer scientist in the newly created U.S. Air Force Information Warfare Centre. The top brass was out in force as Ziese showed how to hack into a computer system.

He refused to say what he broke into ("I don't feel comfortable going into details"), but it is clear the exercise impressed the generals. "Once you see a demonstration of how to break into a computer system, it doesn't take a rocket scientist to realize it has an offensive capability," he said.

Shortly after, the U.S. military created its first organized information warfare program to train super-hackers. One of their jobs would be computer exploitation, stealing sensitive information and leaving enough secret back doors so they can sneak back into a computer.

Ziese refused to provide details of U.S. hacking operations, but likened them to clandestine special forces missions now employed in Afghanistan. "I would draw an analogy between computer exploitation and special-forces exploitation. There are clearly cases where (sending in) the special forces makes good sense, but they would be relatively few. This would be equally true for computer exploitation," he said.

"Their job is to dig up what's in computers (of groups) that hold views that may be harmful to the U.S.," said Hal Gershanoff, editor of the Journal of Electronic Defense, a Norwood, Mass.-based monthly published by the Association of Old Crows, a group of experts in computer warfare.

In bin Laden's case, U.S. government hackers don't have many targets in Afghanistan, but they could break into computers of his businesses, wealthy associates and followers elsewhere, said Winn Schwartau, an information-warfare expert who advises the U.S. Defence Department. As well, they could target banks that haven't agreed to collaborate with the U.S. by freezing terrorist-linked accounts.

"It would be really stupid of us not to do a computer network attack into their systems," he said.

Government hackers can also have a more destructive mission - attacking or manipulating sensitive computer networks. This quickly becomes computer warfare - what the media sometimes calls cyber-warfare. Most experts are loath to discuss such operations, but they said hackers can bring a country to its knees and cause as much damage as nuclear weapons - shutting down power grids, air-traffic control, emergency services and telecommunications.

Ironically, this means hacking is a double-edged sword for countries like Canada and the U.S., which are far more vulnerable to being attacked themselves than low-tech opponents like bin Laden.

The U.S. Special Forces soldiers sent into Afghanistan to hunt down bin Laden are packing more than rifles and survival gear. They went armed with high-tech communications links that would feed them the latest intelligence from the U.S. National Security Agency. The NSA is so secret that its existence wasn't even acknowledged until the 1970s. It's thought to have a budget of over $11 billion a year and to employ more people than the CIA and FBI combined.

The NSA's job - like that of its Canadian sister agency, the Communications Security Establishment - is to collect signals intelligence (SIGINT in spy lingo) by filtering through rivers of local and international phone calls, faxes, satellite transmissions and E-mail.

Their role was defined by the digital age. Now, instead of passively waiting around to catch messages in the sky - known as midpoint collection - they could reach through the airwaves right into a computer - endpoint collection. Some dub it HACKINT. Intelligence historian James Bamford calls it the "the most profound change in the history of signals intelligence."

"Throughout most of its history, the NSA has been considered as a support organization to war fighters. But what the NSA is saying now is they won't play the support role. They will play an active role," said Bamford, author of Body of Secrets: Anatomy of the Ultra-Secret National Security Agency.

"They will be on the front line in taking offensive actions."

Bamford said much of the NSA's "endpoint collection" is being done through a hyper-secretive agency called the Special Collection Service, based in Beltsville, Md.

The service was set up in the late 1970s to combine the physical penetration skills of the CIA with the technical expertise of the NSA, and is jointly run by both agencies, said Washington, D.C., intelligence analyst John Pike. "It's the black-bag, breaking-and-entering, Mission Impossible-type agency."

The only inside account of this agency comes from a Canadian, Mike Frost, a retired veteran of the Communications Security Establishment. In his 1994 book Spyworld, Frost said the mysterious U.S. service, known to insiders as College Park, specializes in secret missions from U.S. embassies abroad.

Experts say U.S. spies have secretly engaged in HACKINT for years with little public debate. Ironically, its biggest critics are military strategists.

"There is a big question (in government circles) as to how far it should go," said Roger Molander, a former member of the U.S. National Security Council, now a computer-warfare expert at the RAND Corp., a think-tank close to the Pentagon and U.S. intelligence agencies. A major concern is that government hacking blurs the lines between peace and war, he said. "If you get caught mapping out the critical infrastructure of an important power grid in an escalating crisis, people might view it as an act of war."

Daniel Kuehl, a professor specializing in computer warfare at the Pentagon's National Defense University, agreed. "State vs. state espionage is an accepted part of statecraft. But what if I insert a program in an air-defense system? What line have I just crossed? Nobody knows. Have we gone to war? None of the old measures apply here. This environment has all kinds of borders we don't understand yet."

Another big unknown is the spin-off of government hacking. An attack on one country or terrorist group could bring down computers in other parts of the world, like a computer virus spinning out of control. "After one (computer warfare) exercise, we reacted, 'Oh my God, how many systems did we take out?' " said Robert Garigue, the former Canadian Forces lieutenant-commander. "It's a very difficult weapon to use. It's not as simple as the Americans make it out to be. Have you any understanding of what the cascading effects are? It is a naive belief to think we can partition this off so we won't be affected."
Tiit Romet, a scientist formerly employed by Canada's Department of National Defense who helped develop military information-operations strategy, painted a worrisome scenario. "We could show the vulnerabilities of the power grid of country X. If we get into a conflict - say we want to disrupt the power network in some cities, maybe black out hospitals - that's where the ethical questions come in. What happens if kids get killed?"

Another problem is that hackers have to conceal their identity by invading neutral machines - like those of a university - and launch an attack through them. This raises the prospect of spies indiscriminately breaking into civilian machines and turning them into unwitting hacking devices.

"It's one thing if you're the CIA and you bribe someone to give you information. It's another thing if you are actually invading common (Internet) carriers to do it. The end result is the same, but you have to penetrate an awful lot of systems that are commonly used," said James Bamford, the intelligence historian. "The question gets raised, 'Where will they do it next? What restrictions are there?' "

Just as troubling, say experts, is the lack of public scrutiny and legal restrictions. "The people doing it don't like to admit they are doing it. I don't think there has been any (Congressional) oversight at all," said Peter G. Neumann, an eminent Silicon Valley computer scientist and privacy expert who has testified to Congress on computer security. "It's a very delicate business. You're on the tip of the iceberg here."

Coming Up in Cyber Wars

Monday, Oct. 8: Hackers call it "Black Sunday." Just before the last Super Bowl game, U.S. TV giant DirecTV launched a secret attack from its orbiting satellites. This disabled 200,000 illegal smart cards that let viewers watch hundreds of television channels free. Experts say the attack shows that "smart" cards and wireless devices have built-in back doors to allow access to not only companies, but also hackers, governments and even terrorists.

Saturday, Oct. 13: Nicodemo (Young Nicky) Scarfo, the inspiration for one of the wiseguys in The Sopranos, is on trial for - it is alleged - running a $7-million-a-year mob bookmaking operation. He's also become the unlikely poster boy for privacy issues. Scrafo was the object of a controversial, cutting-edge surveillance technique called "keystroke logging" that allowed the FBI to reproduce everything he typed on his computer keyboard.

Sunday, Oct. 14: The warning comes from an unlikely source - computer guru Bill Joy of Sun Microsystems, an Internet-technology giant. Joy says the time is coming fast when humanity might be destroyed by its own technological creations. "The new Pandora's boxes of genetics, nanotechnology and robotics are almost open," he says, "yet we seem hardly to have noticed." Joy's grim outlook is shared by unlikely figures in the high-tech world.

2009-04-06
U.S. Strategic Command Aims at Improving Cyberdefense

Cyberspace is the next great frontier for warfighters. U.S. forces rely heavily on their computer networks for command and control, intelligence and communications, but these architectures also are potentially vulnerable. In recent years, U.S. government and Defense Department networks have come under increasing attacks and probes from adversaries as diverse as nation-states to disgruntled individuals.

U.S. Strategic Command's (STRATCOM's) mission is to secure, defend and operate the Global Information Grid (GIG), allowing warfighters the freedom to operate across the globe, explains Kevin Williams, director of STRATCOM's Global Innovation Strategy Center. "We are always trying to find ways to do cyberspace operations better and to take advantage of what's going on in the private sector, academia and other government agencies throughout the military," he says.

Williams notes that STRATCOM's commander, Gen. Kevin P. Chilton, USAF, is the first combatant commander responsible for securing, operating and defending the GIG. Because of this unique responsibility, the command is interested in finding new ways to secure the GIG and the data that it carries. One way to find "out of the box" ideas is to solicit them from a variety of sources.

Although there are many cybersecurity conferences and symposia, Williams explains that the upcoming event in Omaha, Neb., is the first where attendees can present ideas to help the combatant commander carry out his mission in cyberspace. "There is a real chance to make an impact here. It's not about replowing old ground. At this symposium we're really after discovering what we don't know and finding bright ideas, opportunities and new ways of looking at things that we can bring to our commander," he says.

The event's track sessions will provide attendees with the opportunity to participate collaboratively to solve a set of problems. The sessions are designed to capture information and provide it to Gen. Chilton. Symposium attendees will be members of the U.S. government, state and local government, industry, business and academia-both domestic and international. By leveraging a broad level of expertise from these thought leaders, Williams says the command will gain new viewpoints to address the challenges it faces. Information from the track sessions will be collected and presented as a paper after the symposium.

Other issues that will be discussed include operating and securing supply chains, reacting to viruses and other cyber issues. "It's not just about us, or the military or STRATCOM. It's all of us trying to synchronize and provide a coherent approach to solving these issues," Williams shares.

Operating in and across cyberspace is the theme of the AFCEA/STRATCOM cyber symposium U.S. forces have the freedom to operate in cyberspace. "Advancing Cyberspace Capabilities to Deliver Integrated Effects," which will take place on April 7 and 8 in Omaha, Nebraska. The goal of the symposium is to determine the challenges and opportunities to ensure that U.S. forces have the freedom to operate in cyberspace.