Cyber criminals remain relatively free to cause disruption and alarm while stoking tensions across borders because of the lack of harmonisation of cyber law. This was only too evident during the furor surrounding the Google Gmail hacking attacks, with the origin of the attack allegedly based in China and consequent rumours purporting to the idea of a state sponsored attack.
However, while the cyber attacks were tracked to Jinan, the capital of China’s eastern Shandong province, we can’t be sure they were masterminded there. It’s possible that a series of different ISPs were used across multiple locations. Equally it would be in a criminal’s best interests to give the impression that their activities constituted a state sponsored campaign, leaving them hiding in the fog of confusion they have caused.
In reality attribution is the most difficult part of investigating a cyber attack. “Track and trace” takes time; in this case Google has been tracking these cyber attacks for just under a year. That’s not to say that cyberspace can’t be policed. Hackers such as these will leave some sort of footprint. However, cyber criminals are in the main highly intelligent and will use a series of evasive techniques to obscure detection.
We are certainly living in a more uncertain world which some perceive as more insecure. According to a survey, an international barometer of consumer concerns, citizens around the world are significantly more concerned about nearly all aspects of their security compared to six months ago.
This year in the UK, public insecurity reached its peak since the study started measuring consumer security concerns in 2007; with the greatest sources of concern bank card fraud (according to 93% of respondents) and identity theft (according to 91%); indicating the scale of the threat posed by the digital age.
While these fears are justified, members of the public have a role to play. Victims are often targeted because of the accessibility to their personal internet footprint. For instance, the Gmail hacking attacks were perpetrated through social engineering, which means that criminals may have used social networking sites like Facebook to gather all sorts of personal information about the individuals.
They would then have used this intelligence to send plausible and often personal emails linked to software intended to run on their computers undetected, all the while monitoring their emails. This is a common phishing technique, better known as spear phishing, that can affect anyone that ignores the warning signs. The Anti-Phishing Working Group has compiled a list of recommendations that you can use to avoid becoming a victim of scams here.
In these unsettled times when we cannot be sure who the perpetrator is or even what it is they are after, there is only strength in defence; and the best defence is vigilance. It doesn’t take much for a criminal to piece together information that people post on social networking sites and know more about them and their colleagues and friends than they should.
Equally, it’s down to users to activate the optimum security settings on their social networks or public email services, ensuring they’re using the verification systems offered to them and that their passwords are suitably tough to predict. And it is up to vendors and suppliers to ensure that the minimum “best practice” security is activated in a product by default.
While cyberspace remains an unknown entity for many people, the same rules that apply in the offline world also resonate in the online world. Just as one wouldn’t leave the car keys in the ignition, individuals shouldn’t make it too easy or too tempting for hackers to access their personal accounts or the organisations they work for from the information they glean from a site like LinkedIn for instance.
There are two sides to a security equation and it’s not sufficient to think we can simply apply technology to remedy everything. People must take responsibility for their actions and their activities, be that in the work place or at home.