If we have a thousand monkeys typing away on a thousand typewriters, surely they can produce great works of literature – or so goes the popular adaptation of the Infinite Monkey Theorem. But in the context of information security, a similar idea has been taking shape in past few years. Crowdsourced security, leveraging on input from a host of geographically dispersed systems, is slowly gaining ground as a means to provide actionable threat intelligence for both the public and private sectors.
Our willingness to surrender personal privacy in exchange for services that we now consider essential, as discussed in a previous article, has made it much easier for large governments and private individuals alike to collect information.
We are constantly reminded of the growing number of privacy concerns from the use of Information and Communications Technology (ICT). Some are quick to blame governments or commercial entities when our personal information is compromised. Very few stop to think whether or not the blame should be pointed at ourselves. To what extent are we as end-users responsible for facilitating our own personal privacy?
Cybercrime against high-profile entities like eBay and Target is on the rise, and the media has conjured up nightmarish scenarios of cyber-criminals going on shopping sprees with our well-earned cash – easily obtained through stolen credit card information. The risks that the general public faces vary and should not be applied equally.
Recent events serve as the best example of how the context of security has shifted from the once server-centric model to that of a decentralized threat landscape. From the Heartbleed attacks to the widespread Internet Explorer vulnerabilities and finally the sensationalized OAuth issues, it appears that even organizations with a hardened perimeter infrastructure are just as vulnerable as an end-user at home.
Instances of large-scale compromises of both private industry and public institutions in 2013 prompted a flurry of activity among security researchers to identify emerging and established threats. Commonly identified as Advance Persistent Threats (APTs), this phenomenon is expected to continue well into the foreseeable future. Fundamental to the spread of these threats is one of their foremost methods of propagation – a water hole attack.
With the growing number of alleged cyber-attacks that are taking place between the United States and the People’s Republic of China, the talks in early June of 2013 between President Barrack Obama and President Xi Jinping were viewed as a much needed response to the crisis. Unfortunately, such steps may end in either half-hearted agreements or may collapse entirely under their own weight. Depressing as this outlook may be, such pessimism is rooted in the fact that cyber space, as a medium on which to expand national policy, is too good to pass up on for either party. Central to this idea is the fact that both countries have invested heavily in cyber space not only as a means of communication, but for economic growth as well.
The Dow Jones Industrial Average recently dropped by about 145 points and the S&P 500 index lost $136.5 billion dollars in value after a tweet from the Associated Press claimed that an explosion had taken place in the White House and that President Obama was injured. The tweet turned out to be false and stemmed from a hacked Associated Press Twitter account. The precedent has been set for us to take a long, hard and uncomfortable look at the challenges we face when relying on automated trading systems that gauge and react to public sentiment and that end with drastic results.
Following reports of cyber-attacks targeting the New York Times in January of 2013, a secretive legal review of the powers available to the president of the United States has brought to light the option of launching preventive cyber-attacks should credible evidence indicating an impending threat against the United States surface. In this context the United States reserves the right to use cyber weaponry with or without an existing state of war. While rhetoric concerning the growth of cyber threats has grown more prominent in the last three years, this is the first instance that a state has been reported to view cyber-instruments as a “preventive” or “deterrent” option. Though heavy investments have been made in the past years, there is no empirical evidence that demonstrates that the United States intends to utilize its cyber-capabilities as announced.
The recent crackdown on well-known Torrent services, aided by Internet Service Providers, has led to the increasing use of anonymizers. As the name implies, anonymizers allow for anonymous web browsing and are used by end users to bypass restrictions or blocks to web content. Anonymizers are proxy services, or “proxies,” that receive and execute web requests on behalf of the user, making online activity untraceable. It is the untraceable aspect of anonymizers that has caught the attention of the underground community.