With their head in the clouds


by David Moss

October 2010


Around about the Harvest Festival here in the UK there was a sudden crop of articles in the media about breaches of website security:

• Stuxnet Worm computer virus 'aims to sabotage Iran's nuclear plant', said the Times: "A computer virus that has infected more than 60,000 machines in Iran may be a sophisticated cyber-warfare attack on Iran’s clandestine nuclear arms programme".

• E-crime detectives as vital as bobbies on beat, said the Telegraph: "Online fraud generated £52 billion worldwide in 2007 – a staggering sum. We believe there is major under-reporting of all types of cyber crime".

• In the light of the ACS:Law leak, how safe is our data?, asked the Guardian:

Late on 24 September an archive containing thousands of emails from solicitors ACS:Law appeared on the internet ... This year the Information Commissioner's Office (ICO) was granted powers to levy fines of up to £500,000 for serious breaches of data protection 'principles'. This contrasts with the powers of the Financial Services Authority, who this summer levied a £2.27m fine on insurance firm Zurich for its failure to adequately protect customer data.

Nothing new, it's been going on for years.

Back in 2003, the BBC reported that a "computer hacker has gained access to more than 5 million Visa and Mastercard credit card accounts in the US".

You need a certain amount of expertise to carry out these crimes and luckily, if that's the word, the inventiveness of the free market being what it is, training is available: "the websites shared tips on how to commit fraud and provided a forum by which people could buy the information and tools they needed to commit such crime".

Which could account for the increase in the magnitude of cyber crime that we are seeing now: "Albert Gonzalez ... is currently awaiting sentencing on charges that he and others hacked into TJX, Office Max, Heartland Payment Systems and numerous other companies to steal data on more than 100 million credit and debit card accounts".

It's not just banks and insurance companies and retailers and solicitors and Iranian power plants that are affected. So are UK government websites. Back in 2006, we read that:

Forty organised tax credit frauds involving the theft of thousands of identities and worth at least £5 million are being investigated by Revenue and Customs inspectors, it was disclosed yesterday ... This is the latest problem to hamper Gordon Brown's beleaguered tax credit scheme, which was criticised this week by an influential committee of MPs after it overpaid £4 billion to claimants in two years ... Richard Bacon, the Tory MP whose inquiries uncovered the illegal activities, said he understood that manufacturers and large retailers were targeted. People's identities were being stolen on 'an industrial scale' ...

What with the increase in supply, the price of stolen identities has collapsed.

In 2005, a chap could get $60 a pop:

Cummings, who worked for Teledata Communications - a New York-based software company which helps lenders access major credit databases - had access to clients' codes and passwords. He would steal people's credit reports and pass them on to an accomplice, who would sell them on and share the profits with Cummings. The stolen identities, bought by intermediaries for about $60 per name, were then used to access the victims' bank accounts and use their credit cards.

A year later, the Sunday Times told us that "the stolen identities of Britons – including their credit card details, home addresses and security passwords – are being sold on Russian websites for as little as £1 each".

You have to buy in bulk, of course, to get prices that low but, apparently, you can sometimes get your money back if you're not satisfied – this is a professional and mature business with standards to maintain, international brands to build, customer satisfaction to consider, loyalty and amour propre.

The police do have their successes. In 2005, they "smashed" a £25 million cheque fraud and they "foiled" a £220 million bank theft. Which is good but it's an uphill struggle when you consider the geo-political scale of the threat:

American officials have been holding secret talks with Russia and the United Nations in an attempt to strengthen internet security and rein in the growing threat of cyberwarfare ... The potential for online warfare has become a hot topic in recent years, after a string of major incidents. Large-scale cyberattacks took place during last year's conflict between Russia and Georgia while the Estonian government came grinding to a halt after an internet assault in 2007.

Wherever you see that a new application has been found for the web, you need to be sceptical.

One last example. Washington DC, for the most democratic of reasons, are trying to ensure that temporarily absent residents do not lose their vote. The proposed web-based voting system was "hijacked" by well-meaning (white hat) computer scientists who demonstrated how easily black hat hackers could take over and ensure the election result of their choice. The system has been scrapped. As a spokesman for the Washington DC Board of Elections and Ethics says: "This is an abundance-of-caution sort of thing".

Naturally the more punctilious website operators display caution in abundance. They all conform to an alphabet spaghetti of security standards but it doesn't seem to help – the general impression remains that if the hackers want to invade your website, they will, whoever you are.

And the stakes are getting higher – the Information Commissioner wants to be able to punish reckless data controllers with imprisonment, in addition to fines.

Organisations which put their business applications and data on the web take part in what is known as "cloud computing". It follows from the evidence adduced above that anyone who can avoid putting their head in the clouds should avoid it, it is a dangerous thing to do, imprudent and inadvisable. Contra-indicated. Deprecated ...

Cloud computing sounds modern and exciting and is often promoted as efficient and green and it sounds Luddite to attack it but just how modern, excited, efficient and green will you feel when your bank account details are sold for £1 and all your money disappears?


Matthew Campbell, Christina Lamb, Uzi Mahnaimi and Bojan Pancevski, 10 October 2010, Sunday Times, 'Worm cripples Iran nuclear plant'

BBC, 13 October 2010, 'UK infrastructure faces cyber threat, says GCHQ chief'