Roger's Security Blog : Politics

Kaspersky’s View of a Secure Internet – Does this make sense? I think not

rhalbh — Sun, 19 Jul 2009 19:33:34 GMT

A few months ago, I already had some discussions with Eugene Kaspersky during an event of the Council of Europe on Cybercrime, how to address cybercrime on the Internet. At the moment, I am at a very, very slot connection and just got, what I saw on my RSS feed enclosure and could not verify the whole article but it is pretty much in line with the discussion we had there:

So, let me try to give you a perspective and some comments in this context. He seems to say: The short term solution is to get global cooperation with the police, because the police of different countries don’t know how to collaborate with one another. He believes the police want more successful investigations, not just to stop the criminals but to also own the list of successes. So nothing is getting done and each one is blaming the other for the problem. We have to start to work together, think globally, and create a global police force.I could not agree more with this but I am going one significant step further: We do not “only” need a better collaboration between the different police forces in different countries (or within a single country), we need a better collaboration between Law Enforcement, Judges, Prosecutors and the private sector. This requires a different way of thinking by all the parties but it is absolutely necessary. The biggest challenge here is, that there is not history of deep trust between these parties. From what I know, the Council of Europe is a great catalyst to help us all to get there. Additionally there are extremely good people in the different bodies like in Interpol, Europol who really want to move this on.

Next: The long term solution is to get governments around the globe to implement a universal list of rules and regulations for the public internet network. Well, yes and no. I am not completely sure, whether I want this. If these rules are written together with the industry, there is a certain chance that we regulate the right thing. However, knowing the different players at the moment, there is a good chance that this will not be used for the sake of a safer Internet but only to get a competitive advantage – and this would be really bad!

Finally he says: In addition, a personal ID will be required for internet access and for logging into financial websites, similar to a driver’s license or insurance card. “If you want to get connected or onto a website you will have to present an ID.” He explains. This is, where we had the discussion as I fundamentally object this idea. This is – in my opinion – not feasible as it would destroy one of the biggest advantages of the Internet: Free speech. Think about the events recently in Iran: Would the same kind of communication been feasible if we would have had strong authentication? Definitely not.

So, what we need is a model, which allows for both – and this is what we think the claims based authentication is about to deliver – it is part of the End to End Trust framework we introduced earlier.

So, I think that Eugene should stop with this claim. It does not really add to a fruitful discussion. Let’s collaborate (as stated above) to jointly work towards one goal: A safer Internet.

Roger

Get Safe Online – This Week

rhalbh — Tue, 18 Nov 2008 16:00:17 GMT

We see this concept all over Europe: There are National Security Awareness Days (or how ever they are called) in a lot of European countries. During these events, the industry (from software to banking to government to …) gets together to raise awareness on the most important trends, criminals explore attacking their victims.

This week in the UK there is the Get Safe Online Week, which is a very good example for me how this can work out. A lot of partners come together this week to drive awareness around different themes in the area of Online Safety.

I quote from their press release:

Today (which was actually yesterday) the UK’s fourth annual Get Safe Online kicks off, a weeklong internet safety awareness campaign encouraging UK computer users to take steps to ensure that they and their machines are protected.

In a time of economic uncertainty, online security is becoming even more important as the growth of the ‘shadow economy’ in stolen identities can mean a person’s assets such as savings accounts can be stolen and emptied faster than ever.

Particularly, the use of ‘phishing attacks’ is rapidly on the rise – where criminals send fraudulent emails designed to trick internet users into submitting their financial or other confidential details. 23% of UK internet users surveyed said that they or someone they knew fell victim to such an attack this year, compared to just eight per cent in 2007.

The image of the geeky hacker is inaccurate: the vast majority of computer crime in the UK is highly organized, with criminals dealing in the buying and selling of personal information used to defraud targets such as full name, address, passport details, driver's license number, date of birth, bank account details and sort codes, plus credit card numbers and security codes.

Get Safe Online Week aims to give everyone the tools and confidence to enjoy and use the internet safely. In the span of a couple of hours, anyone can learn a few simple steps to remain up-to-date and aware about online safety – a small investment compared to the potential loss and inconvenience if they are instead victims of identity theft.

I think that this is a great initiative, which needs our broad support:

Roger

Hacking is destroying economic growth

rhalbh — Fri, 26 Sep 2008 09:54:09 GMT

As usual (and probably as most of you) I started today scanning through my mails and RSS feeds for important and urgent information. By doing that, I stumbled across an article called Hackers and Nigeria vulnerability to cyber terrorism and I started to read it.

As you know, I blogged several times already on the developing countries and the challenges they face. There are some pretty interesting statements in this article:

For many experts in the Nigerian IT industry, the impact of hackers is so colossal that it has the capability of wiping out development gains of a nation and retarding her growth fortunes by many decades. In terms of Gross Domestic Product, (GDP), experts have expressed fears saying that if proper steps are not taken to fight the ugly trend to the barest minimum, it will continue to cause more than good.

Pretty tough, isn't it: So, the criminals on the net are able to destroy all the good things that are done within a country to grow economy…

To many informed countries, according to him [Chris Uwaje , President of Global Network For Cyber Solutions] , it has become a matter of life or death – because the survivability of their nations now revolve on the dynamics of Information and Communications Technology. "ICT is now accepted, not only as the common currency, but indeed, represents the centre of gravity of the new world and new economy of the universe!

So, try to put yourself in the shoes of a government elite in a country like Nigeria. You have to ensure the true basics (water, power etc.), public safety, fight corruption (if you are not part of),… and then somebody asks you to fight cybercrime? As most of the politicians today did not grow up with this technology, it is extremely hard to convince them.

And then Uwaje pointed out the size of the problem:

Also a common knowledge in the ICT domain reveals that globally, "ID theft costs banks $1 billion a year. In the USA, nearly 10,000 victims had home loans _ totaling about $300 million _ taken out in their name in 2002 and another 68,000 had new credit cards issued in their name"

"While the FTC received 161,000 identity theft complaints last year, the FBI estimates the actual number of victims is probably closer to 500,000" What is the situation in the Nigerian Banks? We are reliably informed that a colossal N7.3billion Naira was lost to fraud in our banks, last year. Can that be all or is it more in this era of e_transactions and Cyber Space operation and life style? What will it cost the Nation to recover from this and similar future damages?" Uwaje explained.

Roger

Why I do not like e-Voting

rhalbh — Sat, 30 Aug 2008 07:47:00 GMT

As you know, I am Swiss. Switzerland is known as being one of the most direct democracies in the world. It is not uncommon for us having (or being allowed) to vote every other month as there are a lot of ways to influence what our politicians and/or our government does. This makes the system often pretty slow but I really, really like it.

When I was working for PricewaterhouseCoopers years ago (I think it is around 10 year ago now), the discussions around e-Voting started to come up. People loved it – and I hated it. Let me tell you why: We have (here in Switzerland) several options to vote: We can go to the local community early during the week before a voting and hand our votes in. We can send it via Post (which I use most often) or hand the vote in on the voting weekend. There is a lot of effort then going on to count the votes and we usually have the results ready on the voting weekend around 5pm or 6pm. So, the system works well but there is significant manual work involved, I know. The key thing here is that this process is in the heart of our democracy. If this process is broken (or just not THAT trusted anymore) this would be a significant problem for our country.

Now there were a lot of politicians would loved to talk about e-Voting (without really knowing the consequences in my opinion) as it gave them the touch of being modern, technology aware etc. and there were trials in different states here in Switzerland which were pretty successful.

Why am I still against it? Well, I am convinced that these systems can be built in a more secure way than the old process. Manually counting votes is flawed, we know that. But guess what: We learned to live with that since a long time and trust this system. Do we trust a computer counting the votes? I do not think so. Do we trust a computer not losing votes if we have to do a re-counting (which happens from time to time here of the result is close) – hmm, I guess not.

And looking at recent articles, I think we are right: Diebold comes clean, admits that its e-voting machines are faulty, Mom, Can My Voting Machine Spend the Night? (people taking voting machines home), Why Election Technology is Hard (Bruce Schneier)

So, it is by far not a technology problem but a trust problem. And guess what: I am a geek and I love technology – I will still use paper to vote!

Roger