Wednesday evening, January 25, 2012, I am presenting Being Safe in a Digital World to the Cotton Club Greenwich, a Greenwich, CT group. The talk is intended to help tighten up one’s mental and digital defenses against digital data and privacy loss. My preparation got me thinking, “Who do we need to defend ourselves against?”

There are four categories of bad guys:

  • Criminals
  • Hacktivists
  • Businesses
  • Nation states

Malware, or malicious software, has many variants: viruses, Trojans, worms, spyware, key loggers, rootkits and others. The origins of malware can be traced back to 1962 at Bell Labs in a game called Darwin, which allowed players to replicate their code and destroy competitors’ code. The first spam message was sent in 1978 over ARPAnet, the Internet’s precursor, by a Digital Equipment Corporation employee.

Before the Internet, most malware was spread via floppy disk. That era’s malware was limited in scope and generally vandalized applications and operating systems.

Today, the Internet provides a gateway into almost all computational devices: computers, smartphones and tablets. The Internet changed the bad guys’ scope and goals. Transnational criminals use Internet-spread malware to make money via theft or through the sale of misleading services and products.

The 2010 Stuxnet worm probably used a USB thumb drive plugged into a Windows computer, rather than the Internet, as its attack vector and then migrated into Siemens firmware that controlled Iran’s nuclear weapons program centrifuges. It is thought that Stuxnet was created by agencies of nation states, the US, Israel or both working together.

2011 was a banner year for corporate data breaches. Sony was the poster child for bad server security. Over 100 million Sony customer accounts were stolen in an extended series of attacks. RSA fessed up to the theft of the private keys for its customers’ SecurID product. Epsilon’s servers were breached and millions of their corporate clients’ customers’ email addresses were taken. Several certificate authorities, most notably DigiNotar, were cracked and fraudulent certificates were issued under their auspices. It is believed that the DigiNotar crack led to executions of Iranian dissidents by the Iranian government.

Also worrisome is the placement of malware on our computational devices by the companies that sell us products and services. A 2005 Windows rootkit was spread by Sony BMG via music CDs. It infected hundreds of thousands of computers worldwide, including many US Government-owned computers. More recently, the Carrier IQ rootkit was in the news. AT&T, Sprint, T-Mobile, Apple, HTC and Samsung admitted that they placed this spyware on millions of devices. Until Trevor Eckhart uncovered it on his smartphone, we were in the dark.

Hacktivists are groups with names like al-Qaeda, Hamas, Anon and WikiLeaks. Their goals are political in nature. They often use distributed denial of service (DDoS) attacks to shut down the websites of their targets. Their targets tend to be organizations, businesses, governments, or high-profile officials. There isn’t much we can do to defend ourselves specifically against hacktivists. Fortunately, I am unaware of hacktivists targeting private individuals.

We can defend ourselves against criminals. Antimalware software and firewalls, properly configured and maintained, go a long way to keeping us safe. It is harder to defend ourselves against other bad guys.

I believe the number one threat to our digital privacy and security is nation states. We know that China and Iran control their citizens’ access to information and these countries spy on their citizens. India is increasing spying on its citizens’ communications. India recently made noises about censoring Facebook, Google and other web-based services.

The potential for American government digital tyranny looms large. Since 9/11, the US government has used the excuse of security to greatly expand its digital spying. That spying includes warrantless searches of all American citizens’ digital communications. The recently shelved SOPA and PIPA bills would greatly expand both the federal government’s and large companies’ ability to censor the Internet.

After nation states, the next greatest threat to our privacy and security is large corporations, particularly the companies that sell Internet access and manufacturers of hardware that connects to the Internet. A further threat is industries, as evidenced by the RIAA/MPAA sponsored SOPA/PIPA legislation. Companies with access and influence over legislators can and do twist the laws to their benefit and against the public good.

Therefore, I am not optimistic about our future digital privacy and security. It is hard to fight nation states or to cause corporations to act responsibly, both in securing their own equipment and in leaving our rights and liberties alone.


One Response to Who are the bad guys?

  1. Richard -

    First, MANY THANKS FOR A MOST INFORMATIVE AND WELL PRESENTED TALK to Cotton Club Greenwich (that’s the full name if you want to change it) last night!! Lots of pertinent and useful info on a crucial subject. Also, like your clever approach of, “if you want more info, it takes a bit of effort” re logging on to your website. That is more effective than a handout (although, some folks will not look – but the rest of us will).

    Second, we have a member who does PR for us. May I have her mention your blurb on us in some of her publicity?

    Thanks again,
    Andrea Edwards Anthony
    President, Cotton Club Greenwich
