Friday, October 31, 2014

Enforcement

I saw the below article on CNN this morning while I was bored at work, and felt like I needed to share some thoughts about it. As cybercrime evolves and grows, law enforcement continues to make corresponding adjustments to fight it. Although the Secret Service may have prevented 1 billion in cyber crime fraud last year, the estimated annual cost of cybercrime is about 400 billion (CNN). Needless to say, we have a long way to go before we get a handle on it. Ed Lowery is a special agent with the US Secret Service, who acknowledges that there has been a marked increase in the level of sophistication in both the nature and accomplishment of cybercrimes.

Cyber criminals are no longer the lone hacker looking to make a quick buck; now they are organized cartels and governments targeting the US and other countries. According to Lowery, the US is an especially appealing target for infiltration. Adding to the problem is the fact that they often operate from locations where enforcement is particularly difficult, which may be due to lack of cooperation and geographic tensions. These regions make ideal stomping grounds for cyber criminals.

Even when policing is possible, there are still the critical elements of detecting and hunting these criminals. Lowery believes that the skill sets of law enforcement must mirror (or exceed) those possessed by the cyber criminals. In addition to cyber skills, law enforcement also needs to have investigative skills, which is not a common combination. Both take years to develop and they don’t often occur simultaneously.

In my opinion, the biggest problem facing cyber security is not the skill set of the investigators, or even the laws in place. The larger issue is enforcement, and the ability to police in regions with little or no cooperation. This is going to be the greatest hurdle in defeating an annual fraud bill of 400 billion.



Lake, M. (2014). Police vs Cartels In The High-Tech Battle To Stop Cybercrime. Retrieved from http://www.cnn.com/2014/10/30/tech/web/police-vs-cartelscybercrime/inde.html.


Saturday, October 25, 2014

I was initially going to write about something else this week, but I couldn’t resist this headline: “China Is Hacking Its Own Citizens' iCloud Accounts.”

The attack coincides with the iPhone 6 and 6 Plus release in China. China has previously launched attacks against their citizens’ Google and Yahoo accounts, but those attacks only resulted in the government being able to see what was accessed. This new attack on Apple is different though. Instead of just seeing what was accessed, the Chinese government is attempting to gain the username and password for individuals utilizing iCloud. It wasn’t the idea of a government hacking its own citizens that caught my attention; it was the fact that I am absolutely not at all surprised that China is doing this. What does surprise me is that this headline didn’t show up before now. I would have guessed China was trying to crack into the iCloud years ago. (I still suspect that this might be the case, and I doubt they are the only company involved in this kind of activity.)

If they are successful in their attack, it will give them access to people’s pictures, documents, messages, etc. It would be quite possible for the government to use this kind of information to build a case against an individual.

It could be a criminal who successfully launches an attack against a company who acquires personal information, or it could be a government.  The bottom line here is that there really is no such thing as privacy anymore.



O’Toole, J. (2014). China Is Hacking Its Own Citizens' iCloud Accounts. Retrieved from http://money.cnn.com/2014/10/21/technology/security/china-icloud/index.html.


Saturday, October 18, 2014

Cash Payments

For some reason I had a hard time coming up with a topic for this week’s post. I figured if I just started typing, something would come to me eventually – and it finally did (I’ll spare you the rambling that got me to the final topic). Our assignments have focused on the restaurant chain of Harry and Mae’s and the breach they experienced in their payment processing system. Even though this is a fictional company, the situation could very well be real. I got to thinking about the protection of my information whenever I pay after eating in a restaurant. I generally tend to fall on the side of paranoid, which means I never pay with my debit card when the waitstaff takes the card from the table to go pay at a terminal. I just use my credit card or pay in cash in those situations because I refuse to let someone walk away with access to my checking account. However, I willingly hand over my debit card whenever I’m paying at the register. Because of our Harry and Mae’s case study, I’m starting to rethink this habit. Granted, the person behind the counter that I’m handing my card to isn’t going to have time to steal my information while I’m watching them, but I really don’t know what their payment processing system is like or how well protected my information is. Going forward I think I’m going to start using my credit card or cash in these instances as well. It’s not that I really want my credit card information taken, but with the ever-increasing number of breaches lately, I expect it is likely at some point. No loss of information is pleasant to deal with, but I really don’t want my checking account compromised along with everything else. This happened to a friend of mine, and it was months before she got everything straightened out. I just don’t have the patience to deal with that kind of a mess.

Saturday, October 11, 2014

Simon Says...

In one of the chapters assigned for this week’s reading assignment, our book talks about social engineering. I find this aspect of cyber security especially interesting, probably not surprising given the fact that I have a bachelor's in psychology. Naturally, this is a topic towards which I would gravitate. It’s also something I deal with every day at work. My company has very strict privacy rules regarding client information where we have to verify very specific pieces of information before we can provide any client account data. Sometimes just the fact that we ask for the information upsets people, even after we point out that this is to protect their information. They just like to complain that this is their account and they should be able to have their account information.

But what really surprises me is when other companies call for client account information, and argue with me that I should be able to talk to them about the account. For example, a client’s account is transferring to another company, and they call us to check the status of the transfer. We can provide limited information about the transfer: if it’s been received, if it’s in process, if it’s been completed, etc. If there is something wrong with the request such that we can’t process it, we ask the receiving company to instruct the client to call us. At least once a day one of these companies will start yelling that I should be able to provide this information to them. When this happens, I usually ask them if their company has rules regarding client privacy, and they always reply yes, but in this situation I should be able to give them what they’re asking for. They try various social engineering techniques, such as creating a sense of urgency, attempting to put themselves in a position of authority, anything to make me feel like I should give them this information. It’s frustrating, but it’s a factor in protecting client information.





Thursday, October 2, 2014

I think I might have learned something

I’ve decided to comment on my assignments for this week’s blog post. Last week was the initial design of the current system arrangement for Harry and Mae’s restaurants. Much of the assignment was similar to the analysis we had done for a previous class, but I feel like I understood the assignment so much better this time around. The purpose behind college and homework is to learn (obviously), but I’m starting to realize just how much I have learned. I’ve understood all along that there is a learning curve with every class as I’m introduced to new topics and processes; however, for the first time in the program the assignments are requiring the prior knowledge learned in the previous classes. Each of my classes prior to this term, while enjoyable and informative, were pretty independent of one another. Now they have begun to build on each other, which is interesting to me. I don’t mean just the assignments, just the way the past has informed my current classwork. I’m sure I would have been able to complete the assignments this week and last week if I hadn’t had the prior coursework, but it would have been much more difficult, if not overwhelming. Fortunately I had the previous work that I could reference to complete these assignments. I’m finally seeing the light at the end of the graduate work tunnel, and am happy to know that I have learned not only the subject matter, but how to incorporate that learning into my new projects.