The James Bond image of the dashing super-spy has little basis in reality. Nowadays, the real spies are more likely to be professional soldiers working at computers in an underground military base.
Hacking has been a topic of interest for me ever since I read the seminal book The Cuckoo's Egg by Clifford Stoll. It's about a Berkeley astronomer who tracked down a German hacker who broke into U.S. military computers and sold the information to the Soviet KGB.
Reuters ran a fantastic article about the next phase of the new Cold War: Cyberspy vs. Cyberspy. As the headline suggests, much of the content focuses on government-versus-government electronic warfare.
Of more interest to TechHui members is the section on commercial espionage, "The Business of Spying." This problem often goes unreported because companies fear the reputational damage of disclosing cyberattacks:
The full scope of commercial computer intrusions is unknown. A study released by computer-security firm McAfee and government consulting company SAIC on March 28 shows that more than half of some 1,000 companies in the United States, Britain and other countries decided not to investigate a computer-security breach because of the cost. One in 10 companies will only report a security breach when legally obliged to do so, according to the study.
Google was one of the few Internet companies to speak out about this problem in 2010, when it reported Gmail accounts were being compromised.
The article goes on to say that this isn't a case of teenage pranksters out to steal a few credit card numbers. These attacks are part of an orchestrated, state-sponsored campaign to gain an economic advantage:
"They've identified innovation as crucial to future economic growth -- but they're not sure they can do it," says Lewis. "The easiest way to innovate is to plagiarize" by stealing U.S. intellectual property, he adds.
This raises the question of what the U.S. government is doing to solve the problem. The Cuckoo's Egg painted an unflattering portrait of flat-footed bureaucrats who wasted time passing responsibility off to other agencies. Avoiding blame was the name of the game.
On the bright side, I'd bet that the U.S. military and intelligence agencies have far superior technology to their rivals. Echelon > GhostNet.
Comments
@Cameron, my sister got a similar letter when UH was hacked (last year).
I expect we'll have to wait until it happens to some Senator's daughter and then we'll see legislation on this /facepalm.
I agree! I just got an email from Sony basically saying, "We lost your name, address, date of birth, credit card number, profile information, purchasing history and password - basically everything someone needs to steal your identity and/or embarrass you. Sorry. Here are some credit agencies to watch. Good luck." I've had the same thing happen with organizations in Hawaii. There should be legally mandated value placed on each piece of data. If you lose my name, address and date of birth you pay me $10K both as a punitive measure and to help me deal with the problem you made.
Hah! The Cuckoo's Egg! I read that like 15 years ago, boy do I feel old. Great book indeed, thanks for reminding me of it.
I think one of the most disappointing things is how relatively little adoption there has been of (costly, but relatively simple) things like data at rest encryption, VPNs, multi-factor authentication - but perhaps even more importantly cyber liability legislation, i.e. laws that make companies who lose your information responsible for doing so.
I've written on this before, and I do believe there has to be that fiscal incentive that if you think you can make money off my information by keeping it, then that risk to me has to be balanced by you having a financial incentive to protect it from unauthorized disclosure.
Otherwise you're essentially getting a free ride (profiting from my information), but you have very little incentive to protect it (other than perhaps continuing the business relationship).
Basically, there's zero (or very low) risk to you, relative to me, but most of the benefit is also yours. This asymmetry is dangerous and incentivizes risky behaviour. It's exactly like saying I'll fine you $10/day if you dump this waste in this lake. But if it costs you $50/day to safely dispose of the waste, then the fiscally responsible thing for you to do for your shareholders is to keep dumping that waste in the lake.
Aside, another good resource is Schneier's monthly Crypto-Gram. I simply don't have the time to keep up with SANS, Bugtraq, etc. anymore. We're way past the 90s.
© 2024 Created by Daniel Leuck.