The Edge of Computer Security
Neal Rauhauser, March 9th 2009
Cutting Edge Sci-Tech Writer
The dark and increasingly dangerous world of identity theft is often presented to us as mere personal chaos revolving around fake credit card charges. While this is a valid concern, the emerging dimension of this threat is far more sinister. Today, identity theft has morphed into something far more odious: “identity assumption.”
This fast-growing crime now facilitates many drug deals and massive fraud. But that is just the beginning. It is only a matter of time before another major terror event occurs in which identity assumption is a key component. Security professionals are extremely reticent to divulge exact details lest they provide the roadmap for an upstart identity assumption ring; however, amid growing concerns, they are now willing to talk in general terms.
One quarter of the planet's population has some sort of internet access. PCs on high speed connections are left running nonstop, 24/7, with most sporting some version of the Microsoft Windows operating system. They can be compromised en masse and herded together into vulnerable formations known as botnets. A shadowy, ever-shifting market of botnet operators rents these systems in time increments as small as five minutes. Large scale applications include spamming and denial of service. The largest of these ever sighted controlled over 400,000 member PCs, the virtual equivalent of a nuclear tipped cruise missile when pointed at some hapless web site.
Smaller in scope but much more dangerous are systems used as hops for a system breaker, gathering credit card and personal information. Compromise a PC or two in each U.S. time zone, throw in a system in China or Vietnam, daisy chain them together, and the ad hoc camouflage is proof against any law enforcement effort, no matter how serious the misbehavior. Only a quarter of the world's countries have computer intrusion laws on the books and coordination isn't the best among those who do have them. Nations such as China or Vietnam are simply black holes for foreign law enforcement requests when identity-related crimes are involved.
Similar chaining occurs on the physical documentation side of this problem. Those skilled in this espionage-like trade obtain personal information from the Internet, parlay this into a library card or another sort of soft identity, then work their way up to driver's licenses and passports. Identities are then sold to the highest bidder with little concern for what their motives might be. September 11th proved that a single person can be as dangerous as a tactical nuclear weapon.
This global industry had its genesis in the collapse of the former Soviet Union. Well trained, idle KGB agents plied their trade in criminal rather than political intrigue and quickly became recognized masters of the art. The open, global nature of the internet was a natural outlet for them. Their success did not go unnoticed. Today many nation states reportedly employ similar organizations in support of their strategic objectives. The former territory of the Soviet Union has been a rich incubator for this, with Romania and Bulgaria receiving particularly high marks for their contributions to the problem.
The situation is about to get markedly worse for a variety of reasons. Consider the multi-billion dollar fraud of Bernard Madoff, the Stanford Financial Group, or the platoons of less creative players who merely rolled up eight and nine digit takes. If the regulators couldn't find and stop that, we can safely assume that no one is watching the contractual and operational security aspects of an outsourcing deal between an American company and a service provider in Pakistan. A simple lack of oversight, or even a lack of understanding of the need for oversight, can permit an authorized insider to cause more trouble than the professional system breaker.
Infosec Analyst Laura Wilson sums it up nicely: "Remember when the Soviet Union broke up and everyone was worried about keeping track of their plutonium? Today's situation is just as bad – our companies can't keep track of the data with which they've been entrusted."
Wall Street's distress is going to exacerbate the troubles. Toxic paper tied to questionable mortgages has accumulated in bank vaults all over the country. Concerns are coming apart--not due to problems in their operation or overall concern about their sector--but instead due to bankers all but panicking and pulling their customers' credit in order to shore up their own shaky positions. Watching the market gyrations closely are players like the Chinese government, holding two trillion dollars in U.S. sovereign debt, and the Saudi Arabian Sovereign Wealth Fund with its six hundred billion dollar war chest.
The U.S. State Department, in conjunction with the U.S. Treasury, has rules in place to ensure that foreign wealth isn't buying up American companies for the sake of strategic interests, but these protected businesses are in narrowly defined categories. How will this work in difficult economic times, when any company handling credit cards is a treasure trove of clean identities capable of enabling foreign agents and international criminals to move freely through our borders?
The provenance of the foreign companies doing the purchasing of domestic firms is another gap where identity assumption comes into play. A shell company leads to a false identity which leads to another shell company which leads to a far away post office box rented the summer before by a man three years dead. The first hints of investigation of the first ring of defenses leave those at the core of the problem plenty of time to wind up their operations and make their escape.
Madoff and the managers of the Stanford Financial Group were filled with hubris and were beyond unethical, but they are real people who sold a fake product. The next round of revelations will be of real products, falsified personal and corporate identities, and mysteries of future harm contemplated by the authors of the crime.
Cutting Edge Sci-tech Writer Neal Rauhauser is an analyst and consultant on energy and telecommunications. He is a member of the Stranded Wind Initiative and can be found at www.strandedwind.org.