Tuesday, July 30, 2013

Barking up the wrong tree

Does the NSA have any business routinely collecting and searching call records (not the calls themselves) across America? On balance, I find that the national-security case is strong and the legal justifications convincing. That said, this seems to be one of those topics about which -- apropos the recent narrow bipartisan vote in the House not to stop the program -- reasonable people can differ.

If only the public and our pols paid half as much attention, showed half as much outrage, and took half as much action re (a) massive security vulnerabilities and (b) other privacy violations that are clearly illegal. 

Are you familiar with the SIM (subscriber identity module) card in your mobile phone? Well, CNet reports that "SIM card flaw said to allow hijacking of millions of phones: Vulnerability in the security key that protects the card could allow eavesdropping on phone conversations, fraudulent purchases, or impersonation of the handset's owner, a security researcher warns." This vulnerability may endanger up to 750 million mobile phones -- and their users.

Do you use credit cards? Then (courtesy of Yahoo! News), note that "Russian hackers got 160 million bank card numbers, but that wasn't worst part." Some key parameters:

"Among the 15 businesses allegedly hit by the four Russian and one Ukrainian hacker from August 2005 to July 2012: 7-Eleven, JCPenney, JetBlue, and Dow Jones. One of the Russians was also charged separately with hacking into the business-operation servers of the NASDAQ stock exchange from 2008-10 and manipulating data."

160 million stolen credit cards isn't the worst part? Nor that this theft went on for seven years? You might well ask: then what is the worst part? The "also charged separately" segment of the above quote provides a clue. More explicitly:

“The worst cyber threats that the financial sector will soon be facing may not be thefts of money,” wrote Scott Borg, director and chief economist of the US Cyber Consequences Unit, a think tank advising government, in a recent report.

"Future cyberattacks could target the information that financial service corporations and their clients use 'to create and capture value and to maintain market integrity,' he wrote. 'Some of the new cyber attacks will simply aim to steal this information. Others will attempt to alter or manipulate it to create business and market effects.' "

Are metaphorical alarm bells sounding?

As for real alarm bells, you may not be able to trust them. From PC Magazine, see "Emergency Alert System Vulnerable to Hackers, Report Finds." They state:

"According to Seattle-based IOActive, the systems that intercept emergency messages from federal officials and then interrupt regular broadcasts to transmit the message - known as DASDEC - are susceptible to cyber attacks."

If you worry about government intrusions into your privacy, rather than efforts focused (at least primarily) on our collective safety, ask yourself which government is the real problem. The Washington Post reports that "Vast majority of global cyber-espionage emanates from China, report finds."

"Analyses of hundreds of documented data breaches found that hackers affiliated with the Chinese government were by far the most energetic and successful cyberspies in the world last year, according to a report ... by government and industry investigators." 


Anonymous said...

Reasonable people differ and there is no substitute for vigilance. Almost all useful tools have been abused: from knives to fertilizers—check the 'weapons' selection in a game of CLUE. Of course the NSA does 'traffic analysis' which enables them to identify surges in communications between critical nodes prior to their operations. They also do key word searches which could lead them to read actual emails ... so even in jest you don't want to talk about bombing something or killing your least favorite executive. I'm not saying it would get you arrested (I'm not saying it wouldn't either) but it could get you on a 'watch list'. On the other hand terrorists thrive on anonymity; they have become the 'super-powered' individuals warned about in SF going back many years. I am confident that intelligence analysts are not after us (having been one for a life-time) but they have no voice in data use beyond collection and analysis. Policy makers have been less scrupulous about the use of data and technology and about the protection of same—especially if it impacts their budgets. Still we must move ahead as a species. There will be costs and we must be vigilant, but as a self-professed 'reasonable person' I think costs and effort are worth it.

Edward M. Lerner said...

Anonymous -- thanks for your thoughtful comment.

- Ed