Cyber Security

The Lawless frontier

 

With the advent of the internet at the turn of the 20th century, humanity entered a new age. Communication is now instantaneous, and our little planet is connected by a vast, virtual web.
Today we are able to exchange text messages, pictures, and even live video feeds to and from anywhere on the globe. At the same time, criminals have moved online and co-opted this powerful technology for their own nefarious purposes.
One of the first and most well-known examples of cyber crime was displayed in the 1999 movie Office Space, in which three employees of a tech company upload a virus to the company’s computer network. The virus skims negligible amounts off of each bank transaction the network processes and transfers them to a separate account. After a certain amount of time and transactions, the bank account contained a sizable amount of money, at which point the criminals withdrew the balance with no one else the wiser. Though this “penny shaving” scam is most famous for its use in fiction, it was in the news as recently as 2008, when a cyber criminal collected the tiny verification deposits from a series of banks in his own account.
Cyber criminals do not always attempt to make money for themselves. In fact, most cyber hacks in the past two decades have been intended purely to stir chaos, were politically driven, or were simply challenges. Attacks usually take the form of denial of service attacks, which involve the traffic saturation of a website with requests from bogus IPs. The intention of these attacks is to deprive legitimate users of the opportunity to access the website, and they are often successful. Companies often employ firewalls and websites to counter these attacks, but firewalls are only as effective as the operating system and are ineffective against powerful and unexpected attacks.
The threats against information security include malware, social engineering, and employee negligence. The focus of malware — whether software or mobile apps that contain malicious code — is to infiltrate a system by gaining access without the owner’s authorization. Malware can further be classified into four different types: viruses, worms, trojans, and rootkits. In this post-PC era, the vulnerability of the systems is limited only by the imagination and resolve of the hacker.
With the widespread use of affordable smart phones, the Internet is finally available to the masses. Cyber criminals have begun to target them over computers and business networks, and can easily take advantage of the inherent insecurity of the device through the lax coding of many apps. Smart phones contain so much of their owner’s information that they are basically a treasure trove of their owner’s personal information.
Over Labor Day weekend of 2014 a huge cache of compromising celebrity cell phone pictures was released via anonymous Internet websites 4chan and Reddit. Subsequent investigation revealed that the vast majority of the pictures were obtained by hacking celebrities’ iCloud accounts. The fact that iCloud accounts are password protected and synced with the user’s iPhone is little protection: passwords can usually be discerned by gathering intelligence such as the user’s birthday, children’s names and any personally identifiable information, all of it widely disseminated and easily obtained on the internet.
As anti-malware vendor LavaSoft noted, 2014 was publicly regarded as “The Year of Breaches”. Since 2005, more than 75 data breaches in which 1,000,000 or more records were compromised have been publicly disclosed. The attacks on Home Depot and eBay in 2014, and on Target at the end of 2013, indicate an increase in attacks on retail and merchant data. The healthcare industry is less resilient to cyber intrusions than the financial and retail sectors; therefore, the possibility of increased cyber intrusions is likely. According to the Ponemon Institute, 72 percent of healthcare organizations say they are only somewhat confident (32 percent) or not confident (40 percent) in the security and privacy of patient data.
Despite the heightened awareness from the publicity of breaches throughout 2014 and earlier years, 2015 is on track to break all records. The massive data breach of the US Office of Personnel Management has assured 2015’s status as a record-breaking year.
Initial investigations of the OPM breach implicate foreign national interests, but cyber criminals in today’s world are not solely concerned with hacking user information. Cybercrime is a business and, like other innovative enterprises, cybercriminals have established online marketplaces through which they sell loot (e.g., drugs, credit card numbers). The most famous of these was Silk Road, which operated on the “dark web” where a user’s IP address is hidden, precluding the possibility of identification, discovery, and arrest.

Silk Road operated as a kind of eBay for illicit sales of a plethora of products and services — including pharmaceuticals (stimulants, psychedelics, prescription drugs, etc.), credit card numbers, sex, and illicit drugs such as marijuana. The site was shut down in 2014 and its founder, Ross William Ulbricht, was arrested and sentenced to life in prison by the U.S. Federal Court in Manhattan.
Concurrent with the rise in cyber technology has been the rising concern for cyber terrorism. Whereas twenty years ago terrorists were primarily concerned with the destruction of property, there are growing fears that they will now attempt to infiltrate and expose computer networks using methods well known to cyber criminals: denial of service attacks and malware.
Researchers had long predicted that terrorist groups could hypothetically implant a virus or a worm into the SCADA computer systems controlling electricity grids, rendering large swaths of a province’s grid unusable and leaving potentially millions without power. The Stuxnet worm, which entered the SCADA-controlled Natanz (Iran) nuclear facility through an infected USB key in 2010, was proof that the theory had become reality and that even more damaging attacks are a very real possibility.
In 2012, Iran was again the target of a hack of a different sort. The most recent breach of security at Iran’s nuclear facilities might not be considered serious… unless you hate the music of the rock band AC/DC. Two of the country’s controversial nuclear facilities endured a technological prank, in which AC/DC’s hit song Thunderstruck played repeatedly and at full volume.

Life in the technological environment of the 21st century presents both wonderful, astounding possibilities for prosperity and the fear of malicious application of those same technologies. Just as the advent of the atomic age in 1945 ushered in great leaps in science and energy, so too did it result in the deaths of thousands in Japan and generate the constant fear of a nuclear apocalypse.
Humanity has a curious talent for turning its greatest achievements into its worst possible nightmare. The technology of our young century has connected all humans to one another with unprecedented speed and ease. The Internet allows information to spread instantaneously, and smart phones put that information at our fingertips constantly.
Cybercriminals continue to sharpen their tools to improve the effectiveness of cyber attacks. Tried and true crimeware such as the Blackhole Exploit Kit, automatic transfer systems, and ransomware have been refined and improved in ways that demonstrate how malware development has become increasingly professional in rigor, discipline, and methodology.
Combatting cybercrime, like crime in the physical world, generally involves governments. But how far should that role extend? Physical borders define the physical limits of nations, but cyber borders remain less clear, and the enforcement of the web is still undefined. Complicating the investigation of cyber crimes is the reality that they are usually multi-jurisdictional, sometimes involving countries where governments are willfully blind to the offense; still other nations encourage cyber criminals.
Balancing government involvement in hampering cybercrime is problematic. Not enough government intervention could lead to increases in cyber crime, but too much intervention could bring about a police state (such as that created by Canada’s newly adopted Bill C-51) where every move and thought is monitored and collated (e.g. China, North Korea).
Just as Parliament can legislate the sale of products from a manufacturer in one province to a retailer in another, so too should it be able to make laws governing the activities in cyberspace within its border and ultra vires power for illegal activities committed upon its citizenry. But just like in the physical world, it stands to reason that there should be stringent oversight applied to any government program intended to secure and police cyberspace that undermines Canadians’ Charter-protected freedoms.
Adequate independent, unbiased oversight is essential to ensure that Canadians’ rights and freedoms can be enjoyed, whether in the cyber or physical realm. On the other hand, inadequate or partisan oversight, and measures reminiscent of early 20th century police states, deprive us of our remaining privacy and threaten our democratic processes.
Given the urgency of global affairs and how nations are responding, and the increasing complexity of privacy and technology, privacy is no longer easily defined. Indeed, the definition of privacy is as much in flux as the technology, and it will continue to shift as new technology, new laws, and new government policies scramble the variables in new and interesting ways.

Marc-Roger Gagné