Information systems are always at risk, and cyber criminality is tough to police. There will always be question marks.
The conclusion that could be drawn from First Tuesday’s latest event, “Hacking vs Security”, was simple and stark: nothing is safe in the world of Information and Communication Technologies, and the laws policing cyber criminality are not necessarily ideally constructed to counteract it. “Criminal law is national law,” says Guy Modert, Head of the Legal Department at P&T, “and while a crime in the street is local, a crime over the internet can become global. What can be done about this?” Increased cooperation between national organisations such as local police forces and Interpol is obviously necessary in the fight to clamp down on cyber criminality, but the threats to security can occur at an altogether more scaled-down level.
“Security can be breached by a lack of awareness that may seem insignificant,” according to Gabriela Rapp, of the Ministry of the Economy and Foreign Trade. “If you leave Bluetooth activated on your mobile phone, someone can access all of your data and contacts with a simple program. With a small and easily available antenna, Bluetooth signals can be received from 1.6 kilometres away.” Simple steps can help protect against this, and clearly switching Bluetooth off is one of them, but nothing is invulnerable...
Listen to reason
“People must protect their data,” continues Rapp. “Having a password on a computer is all very well, but not much use if it can be cracked in a quarter of an hour by a free and legal downloadable program. Data must be encrypted to counteract the threat of Trojans, programs which appear to be of benefit, or at least innocent, to the user but actually allow access to their data to uninvited third parties.” However, individuals can be surprisingly callow. Rapp cites the example of a questionnaire the ministry issued. Although they asked for no names, they managed to get some 50% of respondents to give their passwords to computer accounts. With other information gleaned from responses to the questionnaire, respondents’ identities would be easy to figure out and they would be in a very vulnerable position.
So what can be done about all of this? And who are the villains of the piece? Steve Clément of HackerSpace Luxembourg preaches good sense. “A security breach can be as simple as just accessing the network cables physically, failing to lock doors and having inadequate surveillance,” he says. But systems can be accessed by different kinds of users. Clément shows that intent behind actions can vary. “Through hype and hysteria, hacker has become a dirty term,” he remarks, “but I consider myself a hacker. There is no criminal or malicious intent behind what I do or can do. If somebody breaks into a system with those intentions, then they are criminals and they belong in jail. Hackers do not necessarily fall under that category.”
Bad name or not, Clément insists that people like himself, with the skills they have, should be given more attention. “If we do it first, push the security limits, then people will see that it can be done and changes can be made. They need to be aware of this. Companies should support independent security research, and discuss issues of security breaches with the public rather than keeping them hidden.” It is a neat reversal. Rather than hiding that a system has been hacked, a business can use the incident to show that its security is being updated and that its attitude towards it is more proactive. “There needs to be a trust relationship between businesses and hackers,” Clément concludes. “We can help them and they need to see that. No system is ever going to be 100% safe.” Those who are best equipped to exploit that deficiency are also the ones best suited to improving the situation, regardless of the field of communication.