Internet Crime: The Simple Truth
Relevant Links:
Internet Crime: Security
In some ways, the issue of security on the Internet reminds me of the insurance industry. We are presented with a plethora of worst case scenarios and a paranoid host of what-if's. Unfortunately, in the case of Internet security, the fears are somewhat substantiated by the facts. TCP/IP (Transmission Control Protocol/Internet Protocol), the backbone of the Internet, was not created with security in mind. There are several ways in which security can be breached: through the server (bugs or misconfiguration problems), through a browser (active content including ActiveX, cgi script, JavaScript, and binary files), and through network eavesdropping when the browser and the server are communicating (The WWW Security FAQ).
In the Privacy section of this site, I gave my own definition of security as: protection of a group; a company, a network, or even a government. Security also affects individuals directly and indirectly; though for political or economic reasons this is less likely to be the case. It is more profitable to steal data about a group of people than an individual. And, activities such as hacktivism (hack + activism) are more likely to draw mass media attention if a large number of people are involved. Security affects us indirectly in that governments increase taxes in order to implement costly security systems, and companies raise their prices to cover rising security costs. As protection devices become more sophisticated, so do the means of attack.
Computer technology, network technology, telecommunications technology, programming, and software are all developing at a rapid pace. "Attack" technology is developing at the same pace. Attack tools and methods are becoming automated, dynamic, distributed, and asymmetric. Firewalls are being bypassed, and there are an increasing number of infrastructure attacks such as: distributed denial of services, worms, Domain Name Server attacks (resulting in cache poisoning, compromised data, denial of services, and domain hijacking), and router attacks. To see what all this actually means, please read http://www.cert.org/archive/pdf/attack_trends.pdf..
What protection tools are available? Secure Socket Layer (SSL) is an authentication protocol using public-key encryption. SSL uses certificates to validate the identities of a client and a server. VeriSign is a good example of this. Secure Electronic Transaction (SET) is another example of digital certificates. It was developed by Visa and MasterCard to facilitate secure credit card transactions. Though fairly successful at ensuring protection, encryption, or cryptography, will never be perfect. For this reason, other security tools are developing. One of these is biometrics.
What is a biometric? A biometric is "a physiological or behavioural characteristic in order to verify the identity of an individual. Popular biometrics include fingerprints, voice patterns, iris and retinal patterns, hand geometry, signature verification and keystroke analysis." (Biometric Authentication) What is the difference between authentication and identification? "Authentication refers to the authentication or verification of a claimed identity. In other words, the user wishes to log on to a network or service, or undertake an on line transaction and claims to be a certain person. The authentication process seeks to verify this claim via the provision of a characteristic (PIN / password / token / biometric or other information), or multiple characteristics, known to be associated with the claimed identity. There is therefore a one to one matching process involved, as the characteristic in question is matched against the reference associated with the claimed identity, according to predefined threshold criteria in the case of biometrics. Identification seeks to identify a user from within a population of possible users, according to a characteristic, or multiple characteristics which can be reliably associated with a particular individual, without an identity being explicitly claimed by the user. There is therefore a one to many matching process involved against a database of relevant data. We should perhaps make a further distinction between identifying an individual from within a known population using relevant characteristics (PIN / password / token / biometric etc.) and seeking to identify an individual via connectivity address information. In the latter case, we may correctly identify an address and the name that is registered in association with it, but that does not necessarily guarantee that the same individual undertook a specific transaction (unless robust biometrics have been used across multiple processes)." (Biometric Authentication) Even with all privacy issues pushed aside, biometrics may not be the perfect solution to security issues either. Biometric devices can be tampered with. And, biometric systems are dependent on the same vulnerabilities inherent in any client-server architecture. Yet, biometrics could be useful in certain situations: in the health care industry, in the military, in prisons, and in crime prevention. Other emerging technologies include: Role Based Access Control (Role Based Access Control), the NIST IPsec Project (NIST IPsec Project), and Mobile Agent Security (Mobile Agent Security - Information Technology Laboratory).
The last security issue I would like to mention is viruses and Trojan horses. What is a computer virus? "A computer virus is a program designed to spread itself by first infecting executable files or the system areas of hard and floppy disks and then making copies of itself. Viruses usually operate without the knowledge or desire of the computer user." (Computer Virus FAQ for New Users) The most common way for a virus to enter your computer is through e-mail. Text files do not contain viruses. HTML files are text files. But, HTML files that contain binary files (such as: graphics, cgi scripts, JavaScript, ActiveX, macros, audio file, and video files) can contain viruses. E-mail attachments are binary files, and can contain a virus. Anti-virus software (Anti-Virus Vendors) is available to help you deal with viruses if your computer becomes infected. What then is a Trojan horse? "A type of program that is often confused with viruses is a 'Trojan horse' program. This is not a virus, but simply a program (often harmful) that pretends to be something else." (Computer Virus FAQ for New Users) Downloading a file containing a virus or Trojan horse will not infect your computer. The code must be executed for the virus or Trojan horse to start working. For this reason, you should scan any file you download with anti-virus software before opening it or executing it.
There is no perfect security system. (Visit Fred Cohen & Associates for some interesting articles about this.) There are also no statistics available on how likely it is that you or anyone else will experience a security related challenge or Internet crime. The best we can do is minimize the risk. There are no guarantees in any aspect of life. The Internet is not really any more dangerous than any other place. However, considering the number of Internet users, it is statistically more likely that a criminal activity will occur somewhere on the Internet. It is difficult to keep up with all the technological changes and innovations. This lack of information is perhaps the largest contributor to Internet crime. There are many government initiatives to educate the public, but I also believe that it is your responsibility as an Internet user and potential victim to get the facts. I hope that this site will aid you in this. For more information about government sponsored initiatives to educate the public in the U.S. about Internet crime, please visit the U.S. Government section of this site.
CERT
Coordination Center
Forbes.com: Amex's
Private Payments Aimed More At Fears Than Reality
Fred Cohen & Associates
ISACA InfoByte: E-Commerce
Security-Components Which Make it Safe
National Infrastructure Protection Center
(NIPC) - Home Page
NIST Computer Security Division 893 and
CSRC Home Page
The WWW
Security FAQ
Biometrics
Bio1
Biometric Consortium
The Common Biometric
Exchange File Format (CBEFF)
SET
SSL
iCOM,
Inc. - Secure Socket Layers
Introduction
to Public-Key Cryptography
Introduction
to SSL
Statistics
Security
Statistics - Home
Welcome to incidents.org - By The SANS
Institute
VeriSign
Microsoft,
VeriSign team on e-commerce security - Tech News - CNET.com
Netscape Security
Center by VeriSign: Security on the Internet
VeriSign Inc. - www.verisign.com
Viruses
CERT/CC
Computer Virus Resources
HOAXBUSTERS Home Page
Vmyths.com- Truth About Computer Virus
Myths & Hoaxes
Copyright @ 2002 by Robert J. Trader, University of
Kentucky Graduate Student.
All rights reserved.
This page was last modified: