Campus Security Focus
The Internet Crime Cafe
It was the late 1980s, the era of VAXes and the NSFNET. Needing more disk space, one of our students hacked the account of a faculty member who was on sabbatical at another university. His exploits, which soon included computers from coast to coast, went unnoticed until the student forwarded an important but unread e-mail to the faculty member's sabbatical account. After explaining to the student the error of his ways and thanking him for his honesty in coming to the aid of our faculty member, we hired him.
In retrospect, perhaps our response should have been the same as the response to the plea, "Don't be afraid," in 1986 horror film,
The Fly: "Be afraid. Be very afraid." Just as the lead character of the film, a brilliant but eccentric scientist, changed into something more malevolent than what he was before, so hacking has changed as well. While there are still lone hackers, motivated by the intellectual challenge, they have been largely supplanted by skilled teams whose objective is money, whose business model is organized crime, and whose scale is global. In the February 2006 issue of Business Week, Paul Horn estimated that 85 percent of malware today is created with profit in mind.
E-mail and malwareAnother indicator of this trend to profit motivation is the malware content of e-mail. MessageLabs processes more than 180 million e-mails a day and makes the results of their scanning process available. (Check out
Massage Labs' Threat Watch for real-time statistics of e-mail threats.) In the case of computer viruses, the last 12 months have seen the percentage of e-mail containing a virus fall from 1.65 percent to 0.28 percent. The percentage of e-mail that can be categorized as spam has remained fairly constant, between 50 percent and 60 percent. On the other hand, the percentage of phishing e-mail, whose objective is to steal something of monetary value, has doubled from 0.2 percent to 0.4 percent. And unfortunately, a recent
Harvard study found that 90 percent of the phishing recipients don't recognize a well constructed phish.
According to United States Treasury advisor
Valarie McNiven, "Last year [2004] was the first year that proceeds from cybercrime were greater than proceeds from the sale of illegal drugs." Identity theft is on the rise.
According to the FBI, "Identity theft costs American businesses and consumers a reported $50 billion a year, causes untold headaches for an estimated 10 million U.S. victims annually, and even makes it easier for terrorists and spies to launch attacks against our nation." The FBI
estimates the total cost to American industry for all types of computer crime as about $400 billion dollars a year.
'That's where the money is'What's behind this trend? The rise in cybercrime is closely linked to the now almost ubiquitous use of credit cards (see The end of the cash era in the February 17th, 2007 issue of
The Economist) and growth of Internet banking and shopping. It is now relatively easy to steal quietly, remotely, and anonymously. When the famous 1930s bank robber Willy Sutton was asked why he robbed banks, his reply was, "That's where the money is." His response is equally true in today's cyberworld.
Although organized crime may lack the expertise to commit cyber crimes, they have the money to recruit the necessary talent. Hacking has become so commercialized that you can even
buy a book, online of course, on hacking!
Personal financial information is becoming a commodity item. A quick online Internet search yields sites selling social security numbers for $35 to $45 each. While the purchaser is usually asked to verify that the request is legitimate, flimsy responses often work. E-mail address lists go for as little as $39.95 per million addresses. It costs $400 for a complete package containing the information needed to gain control of a bank account. Making matters even worse, in the rush to make public records available online, sensitive financial data is too often made available for free as well. A county clerk's website included tax lien information for ex-congressman Tom DeLay that included his social security number!
For all of these reasons, the FBI has made its third highest priority to "protect the United States against cyber-based attacks and high-technology crimes." That puts cybercrime right behind protecting the country from terrorist attacks and espionage and well ahead of such traditional areas as violent and white-collar crime (Federal Bureau of Investigation
Strategic Plan 2004-2009).
So what does all this mean for higher education data security? Education's culture of openness, lack of central controls, decentralized and transient user population, and high-speed network access make us attractive targets. We can expect increasingly targeted attacks on our financial systems. We've been warned.
Reader input wantedThe kind of topics can you expect to see in this column are ones that might be too time critical, to limited in scope, or too speculative to be appropriate for a full length article in the monthly Campus Technology Magazine or T.H.E. Journal. Columns being considered include interviews with leaders and visionaries in the security community, emerging problems and solutions, long term trends and speculation, and, of course, timely events. I'd like to get feedback, opinions and suggestions from you, the reader. What would to hear about? Do you agree or disagree with the opinions expressed in the column? Have you heard something you are willing to share with a broader community?
