
Science Headlines - Computer Security

An information service for media in New Zealand

Thursday 13 September 2007


New Zealand’s chief spy has announced that foreign government hackers have stolen sensitive information from Government departments. Computer security experts talk here about the prevalence of such international espionage, the dangers for individuals, and the potential for cyberwarfare.


1. Associate Professor Lech Janczewski, at The University of Auckland Business School, has over thirty-five years' experience in information technology and has written several books on cyberterrorism and cyberwarfare.

"There are many corporations that have budgets bigger than the government of New Zealand and there are many people interested in what New Zealand is doing. These aren’t “enemies”. For example, if the New Zealand government was negotiating a contract with a huge software vendor, let's call them X Limited – and I have no idea if this is the case – then X Limited would be interested to know what the Government is thinking about this contract. Launching a spying campaign would not be difficult for them.

“This is simply a game that is played between organisations. The Crime Amendments Act has made unauthorised access to records punishable by law in New Zealand. But when the big money is on hand I’m quite reluctant to say that the game is played absolutely ethically and legally. If we’re talking about millions and millions of dollars many governments/corporations/people are tempted to find out a bit more information.


“I believe that the quality of protection is high by world standards. But I wouldn’t be surprised if there were both Chinese and US efforts to find out what the New Zealand government is thinking on particular issues.

“There are two aspects of breaking into a system – one is to get somebody’s information. The other aspect is to plant “malware” (malicious software) which could be used later to launch an attack against other targets, such as breaking down a site with a lot of requests for service, as in a distributed denial of service attack.

“In May this year there was a political dispute between the government of Estonia and Russia and the result was that a number of Estonian banking services and ministries were blocked for many hours by this sort of attack. This was launched from hundreds of sites and is the latest example of cyberwarfare.

“An analogy can be drawn with the Y2K bug. That was perhaps the first round-the-world hunt to eliminate some bad programming practices. Many people took this threat seriously, even hoarding food and guns. After a lot of programming effort there were disturbances, but the effect was negligible. And the media said nothing happened. But if we hadn’t spent that money, perhaps it would have happened. Cyberterrorism is very similar. There are tools that can quickly, cheaply and efficiently break the back of a country. Nobody has done this so far, but we need to be protected.”


2. Associate Professor Henry (Hank) Wolfe is a computer security specialist at the University of Otago, and has provided advice on security matters to major government bodies within New Zealand and to Australian, Panamanian, Singaporean and U.S.


“Governments get hacked into all the time – it’s not something that’s new and it’s not something we should be frightened of. I think New Zealand security compares pretty favourably.

“I’ve been in IT for close to 50 years and the one thing I’ve learned is that there is no one hundred percent solution. There are now more than 100 computer emergency response teams (CERTs) around the world, sharing information about identified threats and potential remedies for them. This information is made freely available to the public at large and is a vital service. The first CERT was created in the United States in 1988 after Robert Tappan Morris created a worm that caused a large portion of the world’s servers to fail.

“Our New Zealand Computer Crime and Security survey for 2006 is just about ready to come out. This surveys around 500 New Zealand organisations about their security incidents, and it turns out your employees are as big a risk as outsiders – slightly more than half of attacks come from inside organisations.

“There are a few different groups of outsiders who will attack. You’ve got malicious young people who just want to fool around – but there are serious costs and consequences for all break-ins. Then you have the career criminal who wants to make a buck. Then you have the individuals who are in it for political purposes or for other strongly held beliefs.

“I believe that in the early days it was just kids, but now there are increasing numbers of criminals using scripts that already exist and those exploits they themselves create to hack into computer systems. From the criminal’s perspective, this makes sense. If you rob a bank with a gun you’ve got about a 95 percent chance of being caught, and the average take is less than $10,000. But if a criminal goes into a bank through a computer, the average take is several hundred thousand dollars, and he’s only got about a two percent chance of being prosecuted even if he does get caught. If somebody in Russia breaks into a bank here in New Zealand – what are their chances of being prosecuted? Pretty low.

“Individuals need to realise that having good computer security – and more broadly information assurance – is vital, and is not just about having anti-virus software. An example is the Bluetooth technology often used to put your home computer in sync with your cellphone. If you leave this activated someone could connect up to your cellphone and download anything on it – without you knowing about it – from more than a mile away.”


3. Professor Clark Thomborson is a computer scientist specialising in software security technology at The University of Auckland.


"It's normal for computers to get broken into, in fact if someone in authority had attempted to assure us that there had been "no" successful attacks on dozens of New Zealand governmental computer systems in the past year, I'd be incredulous.

"Successful attacks on commercial systems, in which sensitive information is obtained by the attacker, are now a daily occurrence in the US. I'd expect non-classified governmental computer systems to have a similar level of security.

"One of the big risks for governments and communication firms when they're holding data on people is identity theft. I am not aware of any statistics on this in New Zealand, but it's not an uncommon thing in the United States, where around five percent of people lost money (about $2000 on average) to ID theft in 2006. There has been recent legislation over there to make companies reveal incidents of data theft so that the affected people have a chance to do something about it.

"In many cases the attacks are done by insiders - in the United States one of the most respected pension funds hired someone who the previous month had been convicted and sentenced to prison for her part in a $200-million insurance fraud. It's people issues at least as much as it's technology issues, and a rather nasty intersection between the two.

"New Zealand is in a really nice spot of being a first world country of a good size for collaboration between different government agencies, and some pretty sensible policy seems to be coming out of that. However, we can and should improve our systems - with incidents like these, it's about what are you doing to stop it happening again."


Science Headlines is a service managed by the Royal Society of New Zealand and funded by the Ministry of Research, Science and Technology.


ENDS

© Scoop Media
