
Saturday, February 23, 2013

Cybersecurity for You and Me

February 23, 2013 8:00 a.m.

Seven Steps to Computer Security
“I divide the entire set of Fortune Global 2000 firms into two categories: those that know they’ve been compromised and those that don’t yet know.”
-- Dmitri Alperovitch, Chief Technology Officer, Crowdstrike

With seemingly every major American institution under cyberattack, is it past time you and I review our own cybersecurity?

The Times reports that, "Computer security experts estimate that more than a thousand companies have been attacked recently." Nicole Perlroth, "Some Victims of Online Hacking Edge Into the Light," New York Times, February 21, 2013, p. A1. Once reluctant to report a breach, more companies are now coming forward. The Times provides quite a list -- including Apple, Google, Facebook, and Twitter.

In fact, the Times was the first of three major papers to acknowledge they'd been hacked, probably from China, followed by similar revelations from the Wall Street Journal, and the Washington Post.

Earlier this month President Obama signed an executive order "that promotes increased information sharing about cyberthreats between the government and private companies that oversee the country’s critical infrastructure . . .." Michael S. Schmidt and Nicole Perlroth, "Obama Order Gives Firms Cyberthreat Information," New York Times, February 13, 2013, p. A16; "Improving Critical Infrastructure Cybersecurity," February 12, 2013, whitehouse.gov. (And see "Cybersecurity," National Security Council; "The Comprehensive National Cybersecurity Initiative," National Security Council; "Cyberspace Policy Review," White House (2009).)

Our computerized defense installations, including the nuclear arsenals, are getting millions of hostile hits a day. Defense Secretary Leon E. Panetta says that "the United States [is] facing the possibility of a 'cyber-Pearl Harbor' . . . [that] could dismantle the nation’s power grid, transportation system, financial networks and government." Elisabeth Bumiller and Thom Shanker, "Panetta Warns of Dire Threat of Cyberattack on U.S.," New York Times, October 12, 2012, p. A1. We now have an Army Cyber Command -- not to mention our real world, lethal video game controllers, operating drones in Pakistan and Yemen, among other countries, from comfortable locations here at home. (See "Home Grown Drones," February 16, 2013.)

If, with all their multi-billion-dollar resources, our government, military, corporations and other major institutions are under cyberattack, and losing more often than not, what hope is there for the rest of us?

Fortunately for us, like risks to our health, it turns out that the greatest risks to our computers are well within our control.

How many times have you heard these health tips: get a full night's peaceful sleep, control your weight (getting from "obese" to "overweight" is a good start), eat more raw fruits and vegetables (and less sugar, salt and fat), exercise (both aerobic and strength training) 30 minutes a day, eliminate all tobacco and other drugs, keep alcohol consumption to a minimum, fasten your seat belt in the car and wear your helmet when riding a bike. Whether we're looking for ways to reduce our risks of heart disease, or cancer, or diabetes, or arthritis, or Alzheimer's disease, or other conditions, the advice usually includes these same basics.

Do we follow this advice? That's another matter -- albeit one that costs us $100s of billions in excess health care bills. The point is, whether the health of our bodies or the security of our computers, many of the factors are within our control.

No one can make their home or car 100% theft-proof. Thieves can break a side window on your car, or on a second story bedroom, and remove contents. However, they are less likely to take your stuff if you lock the doors to your house than if you leave them ajar; or if you close the windows and lock the doors of your car than if you leave the windows down and the key in the ignition.

If you are a computer professional, you already know what follows and far more. If not, here are some simple suggestions -- the computer equivalent of locking your house and car -- that can save you from most of the computer grief, some say as much as 90% or more, that can otherwise come your way. (Basic security for handheld mobile devices may be covered in a subsequent blog entry.)

1. There's no perfect security. Assume every email or text message you send could show up on the front page of your local newspaper, and may have already been scanned by your employer and some government agency. Every photo or bit of information about yourself you or your friends put on Facebook, or you share with an online merchant or Web page, may find its way to those you wish didn't have it. Every program you install on your computer may come with, or develop, vulnerabilities that enable strangers to enter your computer.

The only surefire way to avoid contributing to such problems is to stay off the Internet entirely, or at least put your most private material on a computer that's never connected to the Internet. Even then, of course, there's no way to protect yourself from what others put on the Internet about you, or release from supposedly confidential files. The University of Iowa recently had a couple examples of this. Ryan Foley, "University of Iowa apologizes for privacy breach; A staff member mistakenly sends an email to 2,000 students with all of their GPAs," Des Moines Register, February 8, 2012; Clark Kauffman, "Register Investigation: University of Iowa gives private student data to Johnson sheriff; Info on gun permit applicants' classroom performance, discipline history is protected by federal law," Des Moines Register, February 20, 2013; Clark Kauffman, "U of I suspends record sharing; University addressing concerns raised about student information given to law enforcement for gun-permit checks," Des Moines Register, February 23, 2013.

What is possible, however, is to reduce 90% or more of these risks by applying some common sense basics, and finding someone you can consult with about the rest -- even if she turns out to be your 14-year-old computer geek neighbor.

2. Preventing loss of your computer. Roughly 10 million computers are stolen each year. Keep an eye on yours -- especially in airports. Don't leave it visible in your car or home. If you use it in public places, or at work, consider a cable and lock sold for this purpose.

3. Preventing loss of your data.
(a) If your software doesn't automatically save your work as you write, save it manually. Don't risk losing two hours of writing if the power goes off.
(b) If you're working on, or modifying, a document over time, save daily versions separately (e.g., "article-Dec 20," "article-Jan 21"). When the current version mysteriously disappears you will at least have the next most current available.
(c) The only thing that can be said with confidence about every computer's hard drive is that some day it will crash. Get an external hard drive, and use a backup program at least once a week that will save any newly created or changed files -- or at least copy to that drive the files you really don't want to lose. Store the external drive somewhere away from the computer (so that if your computer is stolen or damaged your backup drive doesn't disappear with it).
(d) If the files are worth greater protection (from fire, flood or theft of your external hard drive), like an entire doctoral dissertation manuscript, back up your files to a second external hard drive kept in a safe deposit box or other safe place away from the first external hard drive.
Nothing can eliminate every possibility of loss, but these suggestions will prevent some of the most common causes.

Preventing unauthorized access. The computer hacking making the headlines involves unauthorized acquisition of military or corporate intellectual property, trade secrets, and the pathways to bring down our electric power grid or other infrastructure. Nobody is going to hack into your computer looking for that. So what is your risk; what might strangers be doing with your computer?

The possibilities are endless, limited only by the hackers' imagination.
(a) They may be in the identity theft business, looking for enough of the details about your financial and other relationships to pass themselves off as you.
(b) Depending on your employer, they may try to use you as a pathway into their industrial espionage of the computers in your workplace. (Most people who find a flash drive in the company parking lot bring it into work and put it in their office computer.)
(c) Perhaps they're after your money, seeking to transfer money out of your bank account, or charge items to your credit cards.
(d) Maybe it is your entire list of friends' email addresses they want, in order to sell them to spammers.
(e) They may install a bit of software that captures each of your keystrokes, including your passwords.
(f) There is software that enables them to take over your computer without your knowledge, linking it to their network of computers used to send out spam or viruses -- maybe in your name from an email account of yours.
(g) They may just be up to devilment, leaving software that will erase files, slow operations, bring your computer down completely, or instruct it to destroy itself -- just to show off to their friends.
(h) And once in your computer, they would have access to all of your documents, spreadsheets, photos, or other things you might consider private.
So what can you do?
4. Use passwords -- or maybe even encryption.
(a) Password protect your computer. That way, if you need to leave your computer from time to time, but like to keep a number of Web sites or files open, rather than having to log off (and reopening everything when you return) you can just press CTRL-ALT-DEL, and choose the "Lock" option. When you return, enter your computer's password; the screen, sites and files you last saw will be waiting for you.
(b) Obviously, you don't want to put passwords on Post-It notes on your computer screen, or in your top desk drawer, or share them with others.
(c) You shouldn't use the same password, or minor variations of one, for all sites. It makes it too easy for those trying to get to your stuff.
(d) Perhaps less obvious, you want to make it hard to guess. A distressingly large number of cell phone passwords are "1234," "5555," or the equivalent in their inability to slow up an intruder. Make your passwords at least 8 characters, and include every category on your keyboard: capital letters, lower case letters, numbers, and those symbols above the numbers, like the "#" sign above the keyboard's number "3." Of course, the stronger the password (number of characters, mix of characters) the more difficult it is to remember and use. That might be worth it for the password to your online banking, but a weaker one might be enough for your local online newspaper.
(e) If you have a number of passwords you'll need a way to record what they are and save them -- preferably not on your computer. You might want to consider a master password system, such as LastPass.com; but they involve more description and instruction than can be provided here.
(f) Finally, to borrow from Big Pharma's TV ads, "Ask your computer consultant if encryption might be right for you." Like passwords, encrypting a file will provide an added layer of security, but also create, like master passwords, one more thing you'll have to learn about, and step to go through, in using that file.
And see, Gregory Johnson, "Yahoo Accounts Vulnerable to Hacking -- Why and How to Protect Yourself," ResourcesForLife.com, February 5, 2013.
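
The rules in 4(c) and 4(d) can be checked mechanically. The following Python is an added example, not part of the original post: it applies the post's length and character-category rules, flags "1234"/"5555"-style choices, and catches minor variations of a password already used elsewhere. The function names, the look-alike substitution table, the 0.8 similarity threshold and the sample passwords are assumptions constructed for illustration.

```python
import string
from difflib import SequenceMatcher

MIN_LENGTH = 8  # minimum length given in 4(d)

# The four keyboard categories named in 4(d).
CLASSES = {
    "capital letter": str.isupper,
    "lower case letter": str.islower,
    "number": str.isdigit,
    "symbol": lambda c: c in string.punctuation,
}

# Assumed table of common look-alike swaps (@ for a, 0 for o, ...),
# used only to recognise "minor variations" as described in 4(c).
LEET = str.maketrans("@0134$5!7", "aoleassit")


def character_classes(pw):
    """Return the names of the categories that appear in pw."""
    return {name for name, test in CLASSES.items() if any(test(c) for c in pw)}


def is_repeat_or_sequence(pw):
    """True for one repeated character ("5555") or a straight run ("1234")."""
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return len(steps) == 1 and steps.pop() in (-1, 0, 1)


def skeleton(pw):
    """Reduce a password to its core word: lower-case it, drop the trailing
    digits and symbols people tack on, then undo look-alike swaps."""
    core = pw.lower().rstrip(string.digits + string.punctuation)
    core = core.translate(LEET)
    return core or pw.lower()  # all-digit passwords keep their raw form


def is_minor_variation(candidate, existing, threshold=0.8):
    """True when two passwords share a core word or nearly the same one."""
    a, b = skeleton(candidate), skeleton(existing)
    return a == b or SequenceMatcher(None, a, b).ratio() >= threshold


def check_password(candidate, used_elsewhere=None):
    """Return a list of problems; an empty list means the rules are met.

    used_elsewhere maps a site name to the password already used there.
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    missing = set(CLASSES) - character_classes(candidate)
    if missing:
        problems.append("missing: " + ", ".join(sorted(missing)))
    if is_repeat_or_sequence(candidate):
        problems.append("repeated or sequential characters")
    for site, old in (used_elsewhere or {}).items():
        if is_minor_variation(candidate, old):
            problems.append(f"minor variation of the password used for {site}")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    in_use = {"bank": "Sunflower#2013"}
    for pw in ("1234", "5555", "Sunfl0wer#2014!", "Tr0ub4dor&3x"):
        print(f"{pw!r}: {check_password(pw, in_use) or 'ok'}")
```
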

5. Update your programs. You may not care about the features offered in the latest updated versions of programs you use. What you do need to care about is your computer's vulnerability to attack as a result of the current versions you're using. The more popular the program the more likely it is to have been targeted by those spreading viruses and other malware -- programs such as Java, Adobe's Acrobat Reader, Microsoft's Internet Explorer, and Google's Chrome. Again, there is no 100% protection from these attacks. But well over 90% of them are attacks by way of programs that have not been updated. Most browsers and programs provide a feature for automatic updates at no additional charge to you. They are primarily software patches to the program's newly discovered vulnerabilities. If you're compulsive about keeping them updated you will eliminate most of the risk -- not all, but most.

6. Be cautious of Wi-Fi connections. A Wi-Fi connection to the Internet turns your laptop into a radio transmitter and receiver. (As distinguished from connecting with what is called an Ethernet cable.) Some Wi-Fi connections are open to the public, others are secured with passwords. If you're using your own at home, make sure your consultant geek knows how to maximize your security (applying the same password suggestions as in 4, above). If you're out in public, find out how secure the system is -- and probably save any financial transactions until you're back home.

7. Be skeptical. If you're over the age of 5 you probably know about scams. If someone emails you, asking you to accept their $15 million from Nigeria, after you send them a deposit, it's highly unlikely you'll ever see again the money you sent them -- not to mention any of the $15 million. Those are relatively easy. More difficult are emails from people you know (whose email accounts have been hacked) that you open reflexively before noticing, and wondering why, they are now using an email address from Russia. It's an especially good idea never to click on Web addresses in emails from people you don't know, or even from people you do know if the email doesn't look quite right, or like something they would have sent. It's highly unlikely that your bank is asking you to send it your Social Security number, or online banking password, however much that email may look like it came from your bank.

As we began, "There's no perfect security." We may not have the computer security problems confronting our military, banks, and other large corporations, but we have our own set of challenges. We also have our own set of solutions, thankfully much simpler than those required by large institutions. Moreover, as with maintaining our health, most of the reasons for unauthorized intrusion into our computers are within our control. Whether we choose to exercise that control is up to us.

# # #

Monday, July 18, 2011

Weekly World News, Weakly World Privacy

July 18, 2011, 9:35 a.m.

Murdoch's Violations Small Part of Loss of Privacy

I have often said, "the problem is not that corporations violate the laws, it is that they write the laws."

I have often been wrong -- at least partially so.

Because, of course, the problem is also that corporations corrupt or otherwise violate the laws as well as writing them. BP and Massey Coal did both, and workers died. Murdoch's worldwide media monopoly hacked cell phones, published stories based on the conversations, and hundreds of citizens and celebrities alike suffered in a variety of ways.

There's no way to minimize or justify what the editors and reporters of Murdoch's News of the World did. It's awful. From the perspective of college classrooms it's a subject for studies of journalism, technology, and law. It's a global media story, an example of how technological "advances" gnaw away at our neglige of privacy, and thereby create Rubik's-cube-like challenges of legal analysis for legislators and lawyers.

If you haven't been following the events, here is a sampling from the New York Times of the thousands of stories the world's media have provided: Sarah Lyall, "Scandal Shifts Britain’s Media and Political Landscape," New York Times, July 8, 2011, p. A1; John F. Burns and Alan Cowell, "Former Aide to [Prime Minister] Cameron Is Arrested in Tabloid Scandal," New York Times, July 9, 2011, p. A8; Don Van Natta Jr. and Ravi Somaiya, "British Tabloid Sought Phone Data of Investigators," New York Times, July 12, 2011, p. A1; and Sarah Lyall and Graham Bowley, "Connections to Murdoch Start to Chafe British Leader," New York Times, July 13, 2011, p. A1.

But this is more than a story about the fall of one of the world's largest media barons. It should also be a teachable moment for all of us regarding our privacy.

Consider all of today's technological and other assaults on the standards of privacy accepted and expected by our great-grandparents. From that perspective, as awful as the Murdoch invasions appear to have been, they are but a very small part of what we need fear.

Like the insight of Walt Kelly's cartoon figure, Pogo -- "We have found the enemy, and he is us" -- or Winnie the Pooh's discovery that the tracks he was following were his own, most of the assaults on our privacy are self inflicted.

(1) Much of our lost privacy we have voluntarily abandoned. Take Facebook, for example. Our names, addresses, birth dates, family members -- all identified with "tags" in their photos -- and our network of "friends," are available for the databases of Facebook, criminals or law enforcement. We may keep unencrypted passwords on a thumb drive, smart phone, or laptop, available to whoever gets our lost or stolen equipment. I recently saw a desktop in a business with a Post-It note stuck to the screen, revealing to anyone who glanced that way the username and password. Once a voice mail hacker knows that 75% of users choose "1-2-3-4" as their password it makes it a whole lot easier to listen in. Now that the FBI (and anyone else) can search our trash without a warrant, we may still think we're destroying documents with credit card numbers or other valuable data because we took them out to the curb for trash pickup, rather than shredding them.

(2) Professor Jonathan Zittrain speaks of what he calls "privacy 2.0" ("The Future of the Internet -- And How to Stop It").

As technology progresses through the decline in price that I call "the 99.9%-off sale" (not incidentally, with improved capacity and quality, and reduction in size and weight), it spreads, it becomes ubiquitous. The video recording capability that once cost tens of thousands of dollars is now merely hundreds of dollars or less.

Our actions are being recorded by the scanning video cameras in government buildings, banks, convenience stores and other private businesses. They monitor and bill those who run red lights. The Webcams in our laptops may take video of us without our knowledge.

But that's not the major problem.

Still and video camera capability is built into our smart, and even dumb, cell phones.

Couple this with the ease of uploading videos to YouTube, Facebook, or attaching them to emails. Anyone's embarrassing, or illegal, moment can suddenly go viral globally.

That's not the result of government, Big Brother snooping on us, or evil corporations. It's us; millions if not billions of us, recording and distributing information about each other -- usually for reasons somewhere between friendly and helpful, or at least benign.

(3) We gratuitously give our private information to Facebook, expecting little or nothing in return.

But we also trade off our privacy, our secrets, our personal identifying data, for perceived benefits. We give the bank our financial data, including how much cash we took out from which ATM machine, the day and time. We let the credit card company record where we went, what stores or other businesses we entered, what we bought, what we paid for it, where and when. The cell phone company tracks our every move, knows where we are, who we called, how long we talked -- and if they care to know, what we talked about. The airlines know where we flew and when; the rental car companies also.

I'm not saying these and comparable gifts of privacy to corporate America are irrational choices. It would be hard to function in today's world without, say, credit cards and phones. I'm just saying that we can't voluntarily turn over vast amounts of information about ourselves to government and merchants and then complain that they possess this information about us.

(4) This third-party possession of our most intimate information raises other problems.

The Fourth Amendment asserts a "right of the people to be secure in their persons, houses, papers, and effects" -- seemingly a kind of place-based security. So what about tapping phone lines from a place away from home? In the Supreme Court's 1967 Katz decision, involving law enforcement's recording of a conversation by means of a device attached to a public phone booth, the Court expanded the protection to include those things as to which we have (1) "an expectation of privacy" that most people would consider to be (2) "reasonable" -- the "reasonable expectation of privacy" standard.

So far so good. But in the 1976 U.S. v. Miller case the Court explained that once you've shared information with another, even though you did so in confidence and for very limited purposes, you no longer have an expectation of privacy in that information, let alone an expectation that courts will consider "reasonable." In the Miller case the defendant, Miller, attempted to claim a Fourth Amendment right of privacy in the cancelled checks and other records and documents maintained by his bank. The Court decided those were the bank's records as much, indeed more, than Miller's. Thus, he had no "reasonable expectation of privacy" and law enforcement could get access to those records from the bank, without providing Miller the protections he would have received under the Fourth Amendment had law enforcement come to his home for "papers."

So it turns out that, not only have we turned over a vast amount of information about ourselves to private corporations, we have, thereby, essentially turned it over to the government as well (in many instances) and lost the rights of privacy we have in information never shared.

(5) Once we go to work it only gets worse. Employers can listen in on their employees' phone conversations, read their email, know what Web pages they've visited, track how many keystrokes they contribute per hour or day, and install video monitors throughout the workplace. Even if the employer pledges you have personal privacy with regard to any of the above, courts may reject an employee's reliance on that assurance.

(6) Are there instances in which a hacker acquires information they had no authorization to access, or for which they exceeded their authorization? Of course. The Defense Department gets millions of such hits. There was a recent example of exceeding authority at the University Hospital. One can imagine many more driven by simple curiosity, or a desire to help a friend (such as a bank employee providing a woman contemplating divorce information about suspicious regular checks drawn on the errant husband's separate account).

The Murdoch reporters, and the editors to whom they reported, had no business getting access to the voice mail of 9/11 victims' families, or those of British soldiers killed in action, celebrities, or the murdered young girl. It's not only boorish behavior and a violation of journalistic ethics, it also happens to be a violation of the criminal law.

But if we really care about maintaining some little bit of our remaining privacy regarding our images, speech, writing, movements, actions, circle of friends, financial transactions, medical records -- among other things -- we need to look well beyond the Murdoch Empire, however vast and evil it may be.

And we need to begin with the person we see in our bathroom mirror.

# # #

Friday, June 17, 2011

Cyber Warfare, Hacking, and You

June 17, 2011, 12:06 p.m.; with added critique June 18, 2011, 8:30 a.m., and June 19, 2011, 9:15 p.m.

[NOTE, June 18: Since posting this blog entry, I requested and received a critique from someone with more inside knowledge than I possess. (She/he wishes to remain unidentified.) Excerpts from her/his comments have now been embedded throughout the blog entry -- within brackets, quotes, and in this font.

It might have been less embarrassing to simply revise what I had written, but I have almost always been more interested in letting curiosity propel inquiry wherever it may lead than in being "proven right." Besides, it's both more honest and also more interesting reading to share with you both my text and the critique as written.]


A Primer

The hacker community -- Lulz Security and Anonymous, among others -- have had a good couple of weeks.
["Your first error is in referring to 'the hacking community.' There isn't one. Non-hackers tend to view hackers as a community due to the fact we have shared technical skills and some grossly similar social features. The reality is that if the 'hacking community' exists, it's an anarchist mob that's defined by temporary alliances, shifting loyalties, cults of personality and people whose fads have briefly aligned. Enduring long-term associations and friendships do exist, but they're much more rare than people think. We generally do not socialize very much outside our circles. Our few social mavens are rare birds, and prized for their abilities to make magic happen just by putting the right people together and standing well clear of the result.

"The 'hacking community,' to the extent it exists at all, is more a pool of diverse skills, philosophies and capabilities, which self-organizes in response to events. Consider the Iranian protests of a few months ago: there were contingents of pro-democracy hackers who were putting together anonymous relays to help get a trickle of uncensored communications into/from Iran, there were contingents of pro-regime hackers who were trying to shut down the pro-democracy types, and there were even jackasses who were exploiting the entire thing for juvenile sophomoric jokes ('the lulz'). Take any significant, serious event in the world and the 'hacking community' will within hours develop at least three or four responses to it, many of which are in open conflict with the others."]
Their targets have ranged from PBS and Sony, to Citibank and Lockheed, Google, the IMF, CIA, FBI, White House and U.S. Senate.

It has not been without cost. Sunday [June 12] Turkish police detained 32 members of the Anonymous cyberactivism collective on suspicion of planning attacks on a number of websites, after Anonymous took down the Website of Turkey's Directorate of Telecommunications. And Spanish authorities arrested three of the Anons group two days earlier on suspicion of organizing the cyber attacks against Sony, banks and governments.
["Second, the Turkish police didn't arrest 32 members of the Anonymous collective. There is no collective. It isn't as if these people carry membership cards and hang out in a clubhouse. Even the most hardcore Anonymouser wouldn't consider herself to be a 'member of Anonymous' or a 'part of Anonymous'. She might say that she /is/ Anonymous, which means she has adopted their political platform and is an autonomous agent spontaneously organizing with other like-minded people to perform acts.

"The hacking community, as it were, is *radically decentralized* -- decentralized to such a degree that most people can't imagine it functions at all. (And hackers grit our teeth and mumble, 'well, now that you mention it, it really *doesn't*.') It would be more accurate to say the Turks arrested 32 people who they allege have acted in concert under the banner of Anonymous -- but in the same breath you should say there is no guarantee these 32 people represented the beliefs of Anonymous as a whole, *because there is no such whole*.

"Compare to, e.g., if you said the Turkish police arrested 32 people from the freedom of religion collective. There really is no 'freedom of religion collective': freedom of religion is a philosophy which has many adherents, most practitioners of which want to murder the others who are believing in the wrong god and using their freedom poorly.

"And that's exactly what Anonymous is. Anonymous is a philosophical banner beneath which different people self-organize to perform acts in accordance with the ideals of Anonymous (to the extent it has any, and the jury's still out on that). What are the ideals of Anonymous? Well, Anonymous has been in a constant state of civil war in order to determine just that...
[[My source subsequently [June 19] provided me with additional evidence of his/her judgment that "the hacker 'community' [is caught up in] fractious, internecine conflict, cults of personality, fads, etc. Case in point. LulzSec and Anonymous are, as near as I can tell, identical in philosophy, goals and methods, and yet they're still engaged in a hatefest." She/he cites Matthew Lynley, "Hit the deck: LulzSec and Anonymous start trading blows," Venture Beat, June 15, 2011 ("Hacker group LulzSec has begun publicly attacking hacker group Anonymous, an action that could lead to a civil war of sorts between the two hacker groups that have similar origins.").]]
"The associations within a freedom-of-religion-collective would be rather permanent: people rarely wake up one day and decide, 'today I think I'll be a Buddhist.' The associations within Anonymous are in a constant state of flux as internal power battles play out."]
The Internet has grown faster than Kudzu; in fact, it is the largest and fastest growing anything in the history of the world -- and there's nobody in charge. If a part of the backbone goes down, the traffic routes itself around it and follows another path. That was a deliberate part of the Defense Department's plan in creating the Internet's predecessors: it wanted a communications system that could not be knocked out with a single bomb on "headquarters."
["Third, the DoD did not plan for the internet to survive nuclear strikes. Urban myth. The DoD didn't want the internet at all. The DoD was, through the Advanced Research Projects Agency, funding a lot of different scientists in a lot of different places. These scientists said, 'hey, can we spend some of our research grants to build a better way for us to collaborate?' ARPA said yes. In those days communication channels were unreliable and expensive, so ARPA's scientists developed a network that could work even if large parts of it went down. The rest, as they say, is history. The DoD has never trusted the internet to handle national-defense data: rather than trust the internet, DoD much prefers to trust MILNET (its own version of the internet)."]
Whether the global hacking community deliberately modeled its organizational structure and governance on that of the Internet, or did so as a matter of necessity, it is equally resilient. Whatever may happen to the 32 in Turkey and the three in Spain, the organizations and the hacking by their members will continue.

What's going on is serious enough that, without getting into the jargon and details of hacking techniques, each of us needs to have at least some basic understanding of what's happening. And that understanding requires that we recognize the enormous variation in the sophistication of hackers' techniques, their motives, and the consequences of their actions.

Let's consider these variations in turn.

Sophistication of techniques.

It helps to begin with the variations in sophistication of those doing mischief in what the cyberati refer to as the "brick and mortar" world in which the rest of us live. Consider the range. A burglar may see three days of newspapers in a driveway with no cars in sight, try each of the exterior doors, find one that opens (or a key under the door mat), walk in and walk out with the new HD wall screen TV. A company's bookkeeper or accountant may design accounts and transactions that can cover for years their embezzlement of thousands of dollars. Art thieves may figure out how to disable, or otherwise get around, heat sensors, motion detectors, and video cameras, to make off with a multi-million-dollar painting. Or our military may design fighter planes that fly with no pilots, send video recordings thousands of miles back to control centers, and fire missiles at designated targets.

Just as there is unsophisticated brick-and-mortar crime, there is also unsophisticated virtual world, electronic crime. It doesn't require much sophistication to find a credit card in the parking lot of a big box store, pick it up, and use it to make some purchases there. It doesn't require much more to get into a computer network if an employee's user name and password are displayed on a Post-It note stuck to the monitor's screen. Information that ought to have been encrypted, and kept behind more than one firewall, may have been inadvertently left on a public Web site or made equally vulnerable. In fact, an awful lot of what's characterized as "hacking" involves little more than asking -- a current, or former, employee may provide the necessary information, perhaps even one who designed the security system. The credit card information may be obtained from a receipt found in a dumpster. A hidden camera may record users' ATM PIN keystrokes.

A Google search for "denial of service attack tools" (software) produces nearly a million hits. Some of what LulzSec and Anonymous members have been doing involves denial of service attacks. They send so many requests to a Web site that its servers slow down or stop, preventing legitimate users from gaining access. Such attacks are a nuisance, a big nuisance, but they need not do any harm to infrastructure or physical property, and do not provide the attacker access to the contents of the site, or its network. It's something experienced teenagers can do, if so inclined.

Similarly, while designing malicious software programs may require some sophistication, getting them onto a computer inside a secure location may involve little more than putting them on a thumb drive, leaving it in the building's parking lot, and hoping some employee will find it, put it in their computer to see what's on it, and thereby unwittingly load the hidden software onto the institution's "secure" computer network.

At the other extreme, what has been described as "the most sophisticated cyberweapon ever deployed," a complex computer program called "Stuxnet," is suspected to have been the creation of some of the most brilliant computer programmers in the West. It was specifically designed to attack the centrifuges in Iran's weapons grade uranium facility, causing them to spin at speeds ultimately producing their self-destruction. This destruction, under the watchful eyes of Iran's trained scientists, was made possible by the program's additional ability to simultaneously take over the recording and reporting facilities, which continued to display to the facility's guardians that everything was operating normally when it was not.

This is the kind of sophisticated attack that could be waged by an enemy against our infrastructure, such as the electric grid -- turning off traffic lights as well as house lights, shutting down air traffic control, the stock market, banks and financial transactions, turning off the natural gas and gasoline pipelines, and filling stations' gas pumps, and so forth. Except, of course, such a strike would be far, far easier than what Stuxnet was designed to do -- and accomplished.
["Fourth, under 'Sophistication of techniques,' you should also put 'velocity' of techniques. If a particular criminal offense nets you only $0.001 per attempt it's clearly more worthwhile to you to flip burgers at McDonald's. If you can do a million attempts per second, though, you're now raking in $1000 /per second/ and you're going to be sipping mai-tais on a beach somewhere. Network crime doesn't have to be particularly efficient or effective, because the network allows you to do so damn much of it.

"Velocity -- the ability to scale up your efforts -- is a big deal. One real mark of sophistication is velocity. A well-designed computer virus can infect 95% of all susceptible computers on the internet in about fifteen minutes. Quite often, by the time you know you're under attack it's too late and you've already lost. Against an unsophisticated teenager, reactive security measures work pretty well. Against a sophisticated operator, reactive security measures are pretty much useless."]
Could it happen? It could, according to the Director of the CIA, soon to be Secretary of Defense, Leon Panetta, who told Congress last week, "The next Pearl Harbor we confront could very well be a cyber attack that cripples our power systems, our grid, our security systems, our financial systems, our governmental systems."

Motives

The motives of hackers vary as much as the sophistication of their methods.

Some attacks, like Stuxnet, appear to be acts against one nation by another -- in that case literally, the history shows, an alternative to dropping bunker buster bombs on the facility (an option considered and rejected).

The Defense Department has recently declared that when a cyber attack on U.S. infrastructure, or defense installations, can be traced to another nation's government, it will be considered an act of war justifying our response with conventional military weaponry.
["Fifth, under 'Motives' you're misquoting DoD badly. DoD has never said cyberattack *will* be considered an act of war. DoD has said that *depending on the consequences, it could be considered* an act of war. This is a pretty sensible policy. Your other points are quite accurate, though.

[[NJ: For more on the content, context, and challenges of this DOD declaration, see David E. Sanger and Elisabeth Bumiller, "Pentagon to Consider Cyberattacks Acts of War," New York Times, June 1, 2011, p. A10.]]

"Further, under 'Motives' you declare the hack of PBS was a protest about how they handled a Wikileaks story. The question becomes, why are you taking felons at their word for why they're committing their offenses? I suspect the real motive was because PBS is high profile and gets noticed -- the motive the attackers gave is just a rationalization and/or public-relations theory. 'We're engaged in political protest!' goes over in the public eye a lot better than 'we did it all for the lulz!'"]
There are a number of problems with this declaration. (1) Since our government is engaged in cyber attacks on other countries, presumably those countries could rationally justify dropping bombs on the United States. (2) It is often very difficult to know where cyber attacks are coming from. (3) Many involve multiple global operatives. For example, the computer theft of $10 million from banks was run out of 49 cities on multiple continents. (4) When a single country can be identified beyond a reasonable doubt, it's still not clear who is behind the attack: that country's government, its organized crime operatives, or just its precocious teenagers. If our government cannot know, let alone control, everything our mafia and teenage cyber gangs are up to, it's neither reasonable nor fair to expect that other countries are able to control what their criminals and teens do. (5) Indeed, a country ("country A") intent on harming another ("country B") could fairly easily construct a cyber attack on the U.S. in such a way as to make it appear that the attack on the U.S. came from country B, thereby causing the U.S. to launch a retaliatory attack on country B rather than country A. There are many potential examples, such as Pakistan and India, Israel and Palestine, North Korea and South Korea.

Shy of the devastation brought on by cyber warriors are the individuals engaged in serious, organized crime -- mass scale identity and credit card theft and resale, or movements of money (including that of banks and their clients).

Then there are those who do a little of the former, but are mostly just up to devilment -- a form of electronic vandalism. For example, the hack of PBS was a protest against a Frontline program about Wikileaks.

For those just beginning hacking -- eight of the Turkish 32 were minors -- hacking is often little more than a challenge, a hobby, and a way to earn the respect of one's hacking contemporaries and elders.

(Of course, there are also the white hats: those who are hired by the hacked company to try to break in, to test the adequacy of the company's security measures.)

Consequences

The consequences can vary from unsuccessful and unnoticed attempts at unauthorized entry, to little more than a minor nuisance (denial of service attacks), to taking over personal computers and using them to circulate harmful viruses or other malware, loss of national security secrets, or closing down vital infrastructure (such as the electric power grid).

Any unauthorized impact on a computer is something we need to know about and try to prevent. All are, not incidentally, already illegal. But in our efforts at prevention and enforcement it's important for us to be able to distinguish between that which could bring down our country's infrastructure, and that which is kids' play.
["Sixth, under 'Consequences': it is not strictly speaking necessarily illegal for someone to attempt to exceed their granted authority to a system (although a naive reading of the Computer Fraud and Abuse Act could make one think otherwise). Cf. the Lori Drew case, where Drew was accused of violating CFAA because she violated a website's terms of service. The government's rationale was the ToS was the grant of authority, she violated the ToS, therefore she exceeded her authority and violated CFAA. The judge in the case threw out Drew's conviction."]
Obviously, if the computer systems of governments and major corporations are vulnerable, so are yours and mine. What can we do to protect ourselves?

Self-defense

There is probably little or nothing we can do to protect ourselves from the kind of sophisticated attack that could be imagined and implemented by hackers with the skills of those able to create something like the Stuxnet worm. Fortunately, such individuals are few and far between and those that exist are not likely to waste their professional time trying to read our Microsoft Word documents.
["Seventh, under 'Self-defense.' When you say there is little to nothing regular people can do to defend themselves against serious attackers, you're being both too optimistic and too pessimistic. A very important concept is *target specificity*. If a highly trained cyberwarfare operator with a few years of dirty tricks experience decides to target you, and you specifically, then there is literally nothing you can do about it -- not even unplugging your PC will work, since so many of the vital records in your life exist on computer systems beyond your control. At the same time, though, if you are not a specific target, there's a lot you can do. Keep a well-honed sense of skepticism. Check with your OS vendor regularly for security updates. Don't open random things people send you in email. Browse the Web with Firefox or Google, and not Internet Explorer. Etc., etc. There's not much you can do about a bullet with your name on it, but there's a /lot/ you can do about all the hot lead flying around addressed 'To Whom It May Concern.'"]
But there are a good many basic and obvious things we can do to protect ourselves from the electronic devilment, vandalism, and theft to which we may be vulnerable. Use common sense (and a locking cable) to prevent theft of the entire laptop. Create more complex passwords than "password." Don't write user names and passwords on paper kept within easy access from the laptop. Use encryption for documents that warrant it. Get good-quality virus protection software and keep it up to date. If you have a home Wi-Fi signal others could access, make it a locked, password-protected signal.

And while we're at it, recall the observation that every hard drive will, someday, crash; we just don't know when. So make regular backups (or offloads) of any documents you care about onto an external hard drive (or two; one stored somewhere away from home or office). That way, if the laptop self-destructs from an attack, is lost or stolen, or is otherwise destroyed (or the time comes for your hard drive to crash) you will at least have retained the computer's contents -- which may be much more valuable to you than the computer itself.

I will close with one final observation regarding the extent to which we, and our friends, are our own worst enemies when it comes to protecting our privacy and identity. Most of the privacy and identity we have "lost" we have willingly given away in exchange for what we've perceived as benefits.

The credit card company knows what cities and stores we have been in, at what hour of what days, what we purchased and what we paid. The bank has all our loan and checking account records (legally considered their records, not ours). It knows where and when we've visited ATM machines, and how much cash we withdrew. Our cell phone carrier knows where we've been, and when, whom we've called, and how long we've talked. The airlines know where we've flown and when. Some have as well our Social Security numbers, birthday, address and phone numbers.

They haven't hacked or otherwise stolen this information from us. We've voluntarily given it to them. We believe that the use of checks, credit cards, ATMs, cell phones and airlines is well worth the loss of privacy.

What we may not be aware of is that the Supreme Court says once we voluntarily give information about ourselves to third parties, (a) we no longer have a "reasonable expectation of privacy" with regard to that information, and (b) the third parties are free to hand it over to law enforcement, or others, without letting us know they have done so. And the government has not violated our Fourth Amendment rights to be protected from governmental "search or seizure" if it was third parties, rather than the government, that obtained the information in the first place and simply handed it over to the government when asked.

Walt Kelly, the creator of the comic strip character Pogo, once had him say, in the context of environmental issues, “We have found the enemy, and he is us.” So it is with our loss of privacy. Much of the problem is not that George Orwell’s 1984 Big Brother is watching us (and digging through our trash, as the FBI is now permitted to do without a warrant).

The problem is that we and our Facebook friends are the “enemy,” watching us, recording us, photographing and videoing us, writing and commenting about us, circulating all of the above, and filing it all away, in public (on Facebook; and on Facebook’s servers forever), where Big Brother can come and just download it all. The government can then include and save it with all the other databases that include records and information about us (school, medical, military, vehicle and criminal, credit card, bank, real estate, etc.). It can then “data mine” all of this information to its black heart’s content. Facebook's latest invasion -- face recognition, plus "tagging" of individuals in photos -- added to the rest, now makes potentially available to the FBI, CIA and NSA everything a criminal record would contain but our fingerprints. (And with fingerprint ID gaining in popularity for check cashing and door opening, they may soon have that as well.)

If none of this bothers you, if it's worth the services you get in return, fine. No problem. Just make sure it's really what you want.

It is a whole new jumbled jungle of two worlds out there. One is a virtual world of blue smoke, reflective mirrors, electrons and no parachutes. The other is a world of crumbling brick and mortar. Both offer wonderful opportunities from which we benefit. Both also present risks which we ignore at our peril.

Have a nice day.

# # #