The Hunt — Part II — Data Theft As A Service

saeeda bukhari
Mar 17, 2016


shadow wolf by 99 ny 99 hab 73 - Deviant Art

Big Fines for Break-ins

New data protection laws have been passed, pressuring government and private companies alike to take data security seriously. Regulatory change has been accompanied by high-profile security breaches and big fines levied at those who fail to protect their data. Even charities have been hit: the British Pregnancy Advice Service had to pay a £200,000 fine for a data breach.

The Phoenix from the Ashes

This has led to a burgeoning new industry selling “Privacy as a Service” (PAAS). Government-levelled fines give companies an incentive to pay top dollar to protect data.

As a consumer and citizen, I want my data protected, so it is all to the good if data security and individual privacy are prioritised. However, there is a problem, a slightly unfair one, for the citizen and the data-privacy-conscious company.

The Hunt

It’s not so fair when the hardware and software to break in and capture data is also sold, with little regulation and no corresponding ability to hold anyone accountable. Explicitly, this technology can be sold to police services; however, the websites for these companies are ambiguous. How much scrutiny, control and transparency is there of the industry? What prevents the products from getting into the wrong hands? Your image of a hacker (known as a cracker* by real programmers) may be of a smart, intelligent kid with glasses. With these tools it could be any old fool with under £2000.

The Burglars Tool Bag

Tools are being sold with features like:

1) Complete invisibility to the network owner.
2) Data replication in real time, at packet transfer level.
3) Assistance to decrypt the packets at the mirrored site.
4) Assistance to identify network points to compromise the whole network.
5) Capture via wireless.
6) Ability to interrupt the network.
7) Password breakers.
8) Filters to copy data according to sender, receiver or key words.

Do the data security efforts of IT staff, who frankly are not likely to be hardened criminals or spies, stand a chance when this software and hardware is poorly regulated? Not to mention that technology like this will be upgraded and improved ad infinitum.

International Trade in Virtual Armed Robbery

The products are sold internationally and freeware versions are available online. Considering the damage that can be done by a device that can break network security and capture and copy data as it passes across the network, would it not be appropriate to regulate this as much as the arms trade?

The Hunters and the Hunted

Although as yet I have no information as to the extent of the abuse of the technology, we can imagine who we don’t want to get access to this software and hardware. The list would include the obvious, like terrorists and fraudsters; however, the list would extend to organised criminals, sex traffickers, paedophiles, extremist individuals and groups of all types and motivations, vigilante groups, competitors, gamblers, inside traders, human rights abusers and more…

Possible Steps To Protection

Research that needs to be done:

1) Who sells the software and hardware, including government agencies and private companies?
2) What is the proliferation: how many units have been sold or rented out, how many times, and to whom?
3) What evidence is there of misuse of software and hardware in police agencies? Are they actively capturing this data and doing checks on criminal phones etc., similar to weapons checks?
4) Which manufacturers’ hardware and software has been found to be misused?
5) Is software and hardware being cloned and whose software and hardware is susceptible to this?
6) What identity checks are done?
7) What security is in place to ensure that the software and hardware cannot be misappropriated?
8) What tracking is done of the subsequent movement of the software and hardware once it has moved from the purchaser to the purchased?
9) Are laws strong enough to make sure that this software and hardware cannot be used to clone company data unless there are very strict guidelines?
10) How is the copied data kept safe from further cloning and distribution?
________________________________________________________________

* Crackers Vs Hackers: Hackers I have spoken to have expressed annoyance at the media’s misuse of the term “hacker”. It does not mean a person who breaks through IT security for illegitimate and monetary gain. The correct term for this person is a “Cracker” or “Black Hat Hacker”.

In contrast, the real meaning of the term “hacker” is a programmer who modifies original code to create a solution to any problem. When IT staff refer to hackers, they are normally referring to programmers who are doing good things. I hope this helps to set the record straight for the much-maligned hacker.

Note: I have not included many sources, for the simple reason that I don’t want people navigating to these sites. I viewed these sites to assist a journalist in translating technical terms. However, an investigative mind and Google will give anybody all the information I obtained, easily. However, I will make it as difficult as possible by not including any terminology that would be useful in this article.

Helpful feedback will be welcome.
