From the outside in

Monday, June 20, 2011

Andrew Reinbach: Computer "Security"

via Technology on HuffingtonPost.com by Andrew Reinbach on 6/19/11

Right now, you're sitting in front of our pact with the Devil. When you finish reading this, you will do nothing about it.

The Devil is the Internet, if you were wondering. As the proprietor of this site recently wrote, the Internet opens up a world of wonderful possibilities -- possibilities we're just beginning to understand.

But since it takes us everywhere; everywhere can reach us. That includes bad guys, some of whom work for major criminal gangs or governments. That possibility's the price we pay for watching riots in Kyrgyzstan in real time if we want to.

But that price is peanuts compared with what the world's major institutions pay. Their world, kept from view, is cyberwar, 24/76.

If that sounds like science fiction, welcome to the future. Things have gotten so wild out there that just this Saturday, the Lulz Security hacker group -- which last week took credit for stealing the personal data of about 200,000 players of Brink, an on-line game -- Tweeted Sega Corp., the Japanese game manufacturer, and offered to go after hackers that had broken into its system.

"Sega - contact us," Lulz said in its Tweet. "We want to help you destroy the hackers that attacked you. We love the Dreamcast, these people are going down."

Offers like that probably didn't stream into the offices of Sony Inc., CitiGroup, the CIA, the US Senate, or the International Monetary fund after they'd been attacked in early June's wild outbreak of high-profile attacks. Those boys were probably attacked by some of those major criminal gangs or, in the case of the IMF and CIA, a government. They're on their own.

When guys like that are attacked, though, it's not just about them; it's about all of us -- the entire world, now bound together by the Internet, because when they're attacked, it means we -- or at least our accounts and personal data -- can be attacked.

And there's the rub; since the Internet's everywhere, the bad guys can go everywhere. Admiral Mike McConnell, a Booz Allen Hamilton executive vice president, is an old source of mine who's run the National Security Agency and was the second Director of National Intelligence.

"In the old days, if the Pentagon wanted to send a message to a ship at sea, it would be coded, and sent to the ship in an encrypted radio burst," he once told me. "It would be decoded and put into the Captain's safe. The chances of capturing that message or decoding it were small. If somebody wanted to get that message, they'd have to get on the ship, open the safe, get the message, and get off the ship. But now, all they have to do is break into the computer network."

Which is easy.

"Nothing is 100 percent guaranteed impenetrable," he said. "In my experience, when you are testing something to see if there is a vulnerability, you most always find a vulnerability."

"Today, with all our networking, the vulnerability does not end with the transmission [of data]," he added. "It's gone from worrying about data in motion to also worrying about data at rest," because much information is stored on hard drives. "That's where the vulnerability is."

And when Adm. McConnell was talking to me, a Silicon Graphics workstation was a powerful platform. Today there are "zombie bots", virtual supercomputers made of networks of thousands of hijacked computers that, working unknown to their owners, are rented to criminals. Given time, they can overpower any system.

Like I said: Welcome to the future. Underneath our world of everyday email with friends and associates, or reading this article, there's a shadowy world at war.

Another old source of mine once laid out just how warlike that can be. This guy, then in charge of computer security for a very large global bank, told me that every once in awhile he'd get on a plane, disembark in some obscure city, strap on a bullet proof vest, and break down a door in armed company to get at a particularly noxious hacker.

To survive in this world, in other words, big institutions are their own police in a world in which the notion of sovereign nations just doesn't apply.

When I was covering this ten years ago, you could break into any computer perfectly legally; all you had to do was operate from a country that had no laws against what you were doing -- Monaco, in those days, or Ukraine.

Nothing's changed since. Certainly, anybody with a good satellite uplink and their own electrical generators could operate today out of Waziristan, say, or a ship anchored outside the international 12-mile limit, and be almost immune from ordinary law enforcement -- since you weren't breaking any laws where you were.

Not that the people we're talking about are worried about breaking laws. This past week, somebody stole $500,000 from someone's BitCoin account. Bitcoin is a virtual payments system that allows you to make completely anonymous payments to anyone, anywhere.

When you're talking about stealing that much or more -- consider that the recent CitiGroup hack stole data about 360,000-plus credit cards -- a lot of qualms go by the board.

This is crime, folks: Would somebody stop at kidnapping the wife of some computer worker if it meant being able to steal, say, $400 million? That's how much was reportedly extorted from the City of London in the Dark Ages of computer crime -- 1996.

In that caper, a Russian gang managed to slip what's called a "data bomb" into the system of an international bank. Data bombs force computers to make mistakes in computation.

How it was done isn't known. Temp workers were suspected at the time, but it could just have easily been an employee with a kidnapped wife. Anyway, once it was done, the gang sent a "Pay or die" email to the head of security.

"Come and get me," he said. Then the gang set off the data bomb and fried a corner of the bank's overseas futures operation. Millions were lost in a flash.

Then the head of security got an email on his private laptop: ""Now do you believe we can destroy your computers?" Millions were wired to the designated account in short order. After that, the gang only had to threaten and the money was sent.

Does this mean we should unplug the Internet now and go back to licking stamps? No -- just that the world we see isn't the world that is. If a kid a few years ago could hack so deep into T-Mobile's cellphone network that he could steal Demi Moore's cell phone pictures, nothing should surprise us.

What to do? I'm not unplugging my laptop. I publish on the Huffington Post, for God's sake. I have a website. I do Facebook. I get all my news from the Internet, and email constantly.

On the other hand, I'm cautious. I have a router on my connection, which blocks most attacks. I have good security software. I don't click on mail or links from strangers. I have a dedicated bank account for doing anything financial online, keep it empty, fund it per transaction -- in person -- and never touch it with my computer. If I was smart, I'd switch to a Linux operating system -- but that's way beyond my feeble computer skills. It all lengthens the odds.

Even so, the real reason I'm relatively safe -- and so are most of you -- is because I'm nobody. Bank robbers go where the money is, so a major criminal enterprise can't be bothered with our personal computers when they can hack into a bank. Of course, if it's your account they steal; well, in most cases -- not all -- banks, stores and the rest will make you whole and write it off as the cost of doing business.

For a good look at what we're facing here, and what we can do about it, you can do a lot worse than read The New War, published by Sen. John Kerry in 1997. Kerry lays out the problems clearly and makes sensible suggestions about how to deal with a world with only nominal borders.

Anything he says, of course, is subject to attack by his enemies on the Right; but for some, that's more of a ringing endorsement than anything else.

Visit me at my website, Reinbachs Observer. When you do, don't forget to click on an ad to help pay for this stuff.

Posted via email from The New Word Order

No comments:

Post a Comment