A grim outlook for Internet security

Roger Grimes is a security professional who writes a regular column at InfoWorld. His latest column paints a very bleak picture of Internet security. He begins:

One third of all U.S. adults had their identity and financial information stolen or lost in 2006 alone. Bogus messages make up 90 percent of the e-mail traffic on the Internet. Ninety-nine percent of all malware exists to steal your money. Tens of millions of dollars are being stolen off the Internet every day from bank fraud, phishing attacks, bogus stock trades, extortion, etc. A large percentage of the Internet is owned and operated by the criminals, and they almost never get caught.

If that doesn’t sound bad enough, here’s a prediction that he makes:

In the future, there will be a huge Internet crime theft. The loss will total in the billions of dollars after a single hour. When it is through, it will interrupt the Internet, the banking system, and business in general for a week or more as we struggle to find out how it happened. Our resolve and trust in our money being stored in electronic bits will be tested.

Why am I so sure it will happen? Because we’ve got human greed on one side and passive indifference on the other.

The techniques that would allow hackers to steal billions of dollars are absolutely no different than the ones they already use to steal millions of dollars today. Most criminals are content to steal hundreds of thousands to millions of dollars. They understand the phrase “staying under the radar.” But one day, an online Lucky Luciano (recognized as the father of organized syndicated crime) will rise up and go for the big one.

Grimes does propose a possible solution:

There is a way to stop it, of course, but it isn’t a particular device, software product, or even a process. It’s universal authentication and the loss of default anonymity on a new Internet. How would the nature of online attacks change if the attacker knew we could identify them every time?

Start with the Trusted Computing Group’s specifications and build the authentication into all participating computers, the software, and the data communications pathway. Build authenticated hardware with the Trusted Platform Module chip. You can then authenticate the OS and authenticate the applications running on the OS. This gives us an authenticated computing platform. Without this none of the other parts work.

Next, you build in two-factor or biometric authentication to verify the user. Each end-point network would be responsible — and held accountable — for verification of their users. Finally, and most importantly, we give up our right to default anonymity on the Internet. Every packet can be traced from original source to final destination.
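As an added illustration of the "authenticated computing platform" described in the quoted passage (this is example code written for this post, not Grimes's or any TPM vendor's), the following Python simulates TPM-style measured boot: each stage's measurement is folded into a platform configuration register (PCR), so a verifier holding a known-good value can check firmware, OS and application as a single chain. The component images, stage names and the "golden" value are all constructed here for the demonstration.

```python
import hashlib

# Constructed stand-ins for the firmware, bootloader, OS kernel and an application.
GOOD_CHAIN = [
    ("firmware",   b"constructed firmware image v1"),
    ("bootloader", b"constructed bootloader image v1"),
    ("os-kernel",  b"constructed kernel image v1"),
    ("app",        b"constructed application binary v1"),
]

def measure(blob: bytes) -> bytes:
    """Measurement of one component: SHA-256 of its contents."""
    return hashlib.sha256(blob).digest()

def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style PCR extend: new = H(old || measurement).
    The register can only be extended, never set, so the result is one-way
    and depends on the order of every measurement fed in."""
    return hashlib.sha256(pcr + measurement).digest()

def boot(chain):
    """Simulate measured boot: each stage measures the next before handing off.
    Returns the final PCR (hex) and an event log of (stage, measurement) that an
    attestation would ship alongside a TPM-signed quote of the PCR."""
    pcr = bytes(32)          # PCRs start at all zeros at power-on
    log = []
    for name, blob in chain:
        m = measure(blob)
        log.append((name, m.hex()))
        pcr = extend(pcr, m)
    return pcr.hex(), log

def replay_log(log) -> str:
    """Verifier side: recompute the PCR from the event log alone."""
    pcr = bytes(32)
    for _, m_hex in log:
        pcr = extend(pcr, bytes.fromhex(m_hex))
    return pcr.hex()

def verify(reported_pcr: str, log, golden_pcr: str) -> bool:
    """Two checks: the log must reproduce the PCR the TPM reported (so the log
    was not edited), and that PCR must equal the known-good value."""
    return replay_log(log) == reported_pcr and reported_pcr == golden_pcr

if __name__ == "__main__":
    golden, good_log = boot(GOOD_CHAIN)
    tampered = list(GOOD_CHAIN)
    tampered[2] = ("os-kernel", b"constructed kernel image v1 (tampered)")
    bad_pcr, bad_log = boot(tampered)
    print("clean boot verifies:   ", verify(golden, good_log, golden))
    print("tampered kernel passes:", verify(bad_pcr, bad_log, golden))
```

Any change to any stage, or a reordering of stages, yields a different final PCR, which is why the quoted passage treats the hardware root as the part without which the OS and application checks cannot be trusted.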

Grimes may very well be right about what he proposes, but the practical chances of his suggestions being implemented are, to put it mildly, slim. Most of Western society is still not aware of the trade-offs in cost, convenience, and privacy that proper Internet security requires. In fact, many still cherish an idealistic notion of some sort of completely open community where everybody is equal and where services and information are (mostly) free. The utopian view would indeed be something to strive for were it not for the basics of human behavior. It is an unpleasant but undeniable truth that any activity involving large numbers of people will include criminals and other sociopaths. And any activity where large amounts of money are to be gotten attracts clever and determined attempts to take advantage of the trusting, naive, and ill-informed.

The reluctance of banks, stock brokers, credit card companies and other institutions to spend the money necessary for better security doesn’t help. Nor does the fact that Microsoft and other software companies have been so late in recognizing the importance of security. There has been a belated attempt to catch up but, as the statistics show, it’s too little, too late.

Grimes is probably right. Security measures will be half-hearted until some big caper takes place. Maybe then we’ll do what’s required.


Comments

A valued reader (my wife) has commented that the statement, “One third of all U.S. adults had their identity and financial information stolen or lost in 2006 alone”, is hard to believe. I agree and I thought so when I read the article. However, Grimes has access to information that I do not and security is his profession, so I made no comment on this very high number. The one third includes “financial information” and there are a lot of reports of lost laptops containing large collections of personal records, hacks of computers containing records, lost tapes with account numbers and other incidents that are not caused by phishing or Trojans. Most of these incidents seem to pass without a lot of reported identity theft. However, the organization Phishinginfo.org (http://www.phishinginfo.org/) states in large letters on the home page, “1 in 6 people are victims of ID theft”. Exactly how they count things, I do not know. Exact numbers are probably not even available since banks and credit card companies are not eager for public knowledge of the size of the problem to get out. Whatever the actual numbers, however, identity theft is not a small problem and it is growing larger all the time.
