Virtual Security and Digital Panic

Many within Central and Eastern Europe are unaware that Big Brother has not only put on a three-piece suit, but has also gone digital

At the end of September, thirty eight experts in computer security and data privacy issues from around the world converged on Budapest for the third annual ITBN. The ITBN, also known as the Information Technology Security Day, is an all-day conference devoted specifically to network security and data privacy issues. Although it's still a relatively new event, the ITBN has become one of the most visible and well-known information technology events in Central and Eastern Europe.

The original purpose of the ITBN is to draw the attention of the general public to security issues - even for those who are not immediately aware of them. It's a forum geared for both business users and end users alike with experts exchanging their ideas on the latest technologies and methods to safeguard computer networks and data.

Despite news of high-profile attacks and security loopholes, many within Central and Eastern Europe are still woefully unaware of the many security and privacy issues facing them, foremost because most don't devote enough time to familiarizing themselves with such issues. Others, meanwhile, realize that security and privacy issues are important but have still not realized the full extent of the dangers they face. At a press conference held during the ITBN, representatives of Cisco, McAfee, ICON and Symantec revealed that small firms spend only between 30-60% of what large firms spend on data and network security.

False sense of security

Yet the problem of data privacy and network security isn't limited to just corporations, however. Personal data on everyone exists in various databases belonging to state authorities and institutions as well as public service companies and utilities, not to mention ISPs. As a result, data privacy and network security must be guaranteed, not only through defensive measures (through the use of firewalls, for example) but legislation as well (i.e., privacy laws).

The extent of the threat is such that it's now big business to buy and sell personal data, namely e-mail addresses. For a couple of hundred of dollars lists of over 100 million e-mail addresses can be purchased; for a couple of thousand of dollars e-mail addresses that guarantee spam will reach their targets also can be bought. To make matters worse, many governments are likewise involved. The Hungarian government, for example, publicly acknowledged that it reserves the right to sell personal information contained in government databases to companies - and has even done so. There is no word, naturally, of what happens to the money it makes from such ignominious activities.

Aside from the "classic" security and privacy enigma of spam, identity theft is growing rapidly throughout Central and Eastern Europe as if to make up for lost time. This is still a relatively new form of crime for most people in the region, and hence many are totally unprepared. Every year scores fall victim to phishing attacks. In Hungary last year was a particularly active one for phishing attacks as major banks such as the Raiffeisen Bank, the Budapest Bank, and the Erste Bank were all targeted. This year the level of phishing attacks was less, with Hungary's largest bank, the OTP, suffering an attack in July to which it immediately responded. Still, many individuals are caught by these scams for they are unaware of exactly how these attacks work.

In many ways, Central and Eastern Europeans are caught in a paradox. On the one hand people feel their every move is somehow being watched when in fact they aren't; on the other, they often use computer and mobile devices with a false sense of security. The latter is further compounded by the fact that in Central and Eastern Europe encryption is rarely used and personal data can still be easily had using the old-fashioned way: by simply rummaging through the trash people throw out for old bank statements.

In addition to this, most are unaware of the spaces they inhabit, not realizing that they are constantly moving between public and private spaces and that these virtual spaces don't always correspond a physical space. In other words, a person can move between a personal and private virtual space while still remaining within the same physical space. To complicate matters further, personal and private spaces often overlap making it extremely difficult for the average user to grasp where they really are.

This aside, some within Central and Eastern Europe have trouble comprehending the simple difference between a personal machine and a public machine. Digital tracks (e.g., by not clearing the browser cache) and other data is often carelessly left on machines used by others. A particular annoying problem in some countries has to do with the use of company machines. In Hungary and other parts of Central and Eastern Europe, employees often regard a company laptop as their very own; thus, they feel that they somehow "own" it and treat it accordingly -- in other words, they can do with it whatever they want. As a result, what frequently happens is the laptop gets stolen, lost, or misplaced, with the employee totally ignorant as to what kind of important information may be on it -- not only their own, but that of the company as well.

The inability of many Central and Eastern Europeans to keep up to date or to fully understand how one's personal data or identity is at risk leaves them prone to new and innovative forms of data and identity theft. For instance, a new and innovative phishing technique doesn't even require a potential victim to use the Internet. Instead of the standard method of using a fake web site in order to trick users into giving up their personal details, this new technique involves simply sending an e-mail with a telephone number and convincing the victim to call the number. The automated answering system appears to be valid, with the exception that the voice recording attempts to convince the victim to give their personal information over the phone which is then recorded and sent to the attacker.

A Matter of Trust

Given the quick pace of change in the field of technology and the innovative ways in which this technology is being abused, security and privacy issues are becoming increasingly paramount. As a result, this year's ITBN was supposed to deal with subjects it felt people needed to be acutely aware of, among them the problem of data leakage, the secure storage and archiving of information, network security, the protection of mobile data, and the fight against misleading information.

While all this may sound like it's geared to a large sector of the general public, in actual fact it's not. A look at the actual schedule of the conference reveals all: most of the conference themes were highly technical and geared to a specialized audience, namely business users and system administrators.

Unfortunately, when talking about data security, the end user is often left out of the equation. At the same time, security is often highlighted above all else, while privacy concerns (especially those concerning customer data and unsavoury business practices) are relegated to the background, sometimes not even being mentioned at all.

One reason for this is because the issue of privacy is not only a sensitive subject for big business in terms of consumer data (i.e., advertising and data tracking), but is also a sensitive subject for governments as well. This is especially so for governments within Central and Eastern Europe, where old habits die hard and democracy is still in its infant stages.

Throughout the region data privacy laws are vague and often misleading. Although circumstances differ from country to country, most operate in more or less the same way. ISPs have been forced to allow for full access to all data that passes through their servers, better known as a "backdoor", which is then monitored by the police. Law enforcement agencies usually don't require a warrant in order to obtain information categorized as "confidential". This means the secret police can spy on an individual without any form of oversight by simply and arbitrarily classifying a certain operation as a state secret.

In conjunction with this, debates on digital privacy laws have been clearly lacking. Most users are unsure of their rights, and many Central and Eastern European web sites don't even feature a privacy policy. Where they do exist, users often ignore the privacy policies of web sites; likewise, they skim through them when forced to acknowledge that they have read them. Ironically, this form of blissful ignorance doesn't apply to all devices, mobile phones being a case in point. While people are generally unaware of the same form of control over ISPs, most are aware of the extent to which the state has access to mobile phone records and the conversations people make.

Many are aware that the police can at any time listen in on a mobile phone conversation and even use the conversation to pinpoint the location and the identity of the person using the phone (at least the identity of the person in whose name the phone is registered). Some are even aware of the fact that mobile phone records and conversations are stored in huge databases and that these archived conversations can be called upon at a later date.

The reasons for this increased knowledge of mobile phone surveillance vis-a-vis Internet surveillance are many. For one, mobile phone penetration in many countries of Central and Eastern Europe is at or near 100% (naturally this doesn't take into account that someone may have two phones and another person doesn't have any). Moreover, there is more experience with the use of mobile devices as more people have been using them for a longer period. Finally, the media has been full of stories of either crimes committed using mobile phones or of instances when the police have been able to foil crimes or track down criminals thanks to mobile phone surveillance.

This difference in knowledge people have of security and privacy issues depending on which device is being used (i.e., a computer or a mobile phone) seems to intersect when it comes to the use of WIFI. Security is no doubt a major issue as most wireless networks are unprotected. Not only is there little knowledge of the differences, strengths, and weaknesses of different security protocols (WPA, WEP, etc.), but some actually feel it's not in their competency to deal with such technical questions.

In addition to this, it's still unclear what exactly is a crime when it comes to hacking into a wireless network. This uncertainty extends to the media as well, as exemplified in a recent Hungarian radio report on wireless networks. The subject was about using a neighbour's wireless network with their full knowledge and approval. Despite this communal relationship in terms Internet access, the person "hacking" into the wireless network was referred to as a "thief" and his action as "stealing". One wonders if there wasn't a hidden agenda to this report sponsored by big business interests (i.e., ISPs) in order to discourage people from saving money by sharing a connection between neighbours.

Web Wars

A growing security threat that is still not talked about very much, either at the ITBN or elsewhere, is the problem of web wars. Although end users aren't targeted directly by such actions, the fact that zombie machines are often used to carry out such attacks means web wars are a serious security issue nonetheless. In future, people may have to pay close attention to the prospect of a web war as much as they do to conventional wars they presently see on television.

The concern over web wars was clearly highlighted earlier this year when such a conflict erupted between Estonia and Russia lasting several weeks. Some claim that there was no such web war, saying that the mass media blew the entire situation out of proportion. It's a matter of fact, however, that from late April to mid-May of this year servers across the tiny Baltic country were unduly overloaded.

The origins of the web war between Estonia and Russia is not that difficult to discern. At the end of April when the Estonia government announced its intention to move a Soviet war memorial to a more appropriate location, over the next few weeks servers at Estonian media outlets, banks, and government agencies suffered more than one hundred DDoS attacks. Some attacks were quite extensive, lasting over 10 hours and with a combined bandwidth of 100 Mbps.

In Estonia virtually everyone agreed that Russia was the source of the attacks, with some pointing an incriminating finger at the Kremlin. The attacks weren't launched exclusively with the aid of zombie machines and bot networks, however, and many of the IP addresses used in the attack weren't even spoofed. This suggests that the entire episode wasn't orchestrated by a committed group of expert hackers, but was more of a broad based event. In fact, as the question over the removal of the Soviet war memorial heated up offline, various Russian blogs and forums called on patriotic Russians to launch an online invasion of Estonia, to which scores answered the call, both professional hackers and enthusiastic amateurs alike.

Yet some still see the hand of Putin inexorably linked to the online attack against Estonia. According to the online portal Postimees it was clearly the Nashi who was behind the attacks. The Nashi ("Ours" in Russian), dubbed by some as the "Putinjugend", is a Kremlin-funded youth movement in Russia that includes more than 100,000 members. In April and May 2007, Nashi members held daily protests in front of the Estonian embassy in Moscow in protest of the moving of the Bronze Soldier of Tallinn to a military cemetery. The view that the Nashi were behind the DDoS attacks against Estonia was later reinforced by an article in the Delovye Vedomosti, in where a senior Nashi member confirmed that they were behind the attacks.

Digital panic

Web wars are nothing new in Central and Eastern Europe and they are foremost nationalist in content and design. Traditional prejudices and even hatreds which had sparked wars and genocide in the past have since found a more convenient outlet online.

Usually, the general public is spared the worst of these virtual conflicts as hackers from both sides attack each other's sites, as was the case during the hacker wars between Hungary and Romania in 2001-2. Yet, as the DDoS attacks against Estonia earlier this year has shown, such conflicts are no longer restricted to a small segment of computer users. More and more are being caught in the crossfire, and the collateral damage is indeed becoming quite high.

Along these lines, web wars have become an additional aspect to our overall notion of digital security. Still, this aspect is perhaps the least familiar of them all. While services and access to information may be temporarily suspended, there is little an end user can do. Thus, although the New York Times noted a sense of "digital panic" among Estonians, this so-called "digital panic" wasn't felt by the average end user but by server administrators who had to deal with the problem. In future, however, as more and more people run their own servers from home, the need to be familiar with such attacks has become that much greater, and the notion of a "digital panic" may then indeed become a serious issue that must be dealt with. (John Horvath)