Emerging Threats

Internet crime tends to move from bad to worse. Just as the amateur hackers quickly moved from vandalism to making money, there is always a fringe of crimes where money is not yet the primary motive or the techniques are not yet outright criminal.

Spyware

Spyware is the common cold of the Trojan world. Most spyware will not kill you, but it can make you feel pretty miserable until you get rid of it. And, like the common cold, almost all spyware will make you more vulnerable to more serious forms of infection, and some can ruin your financial health.

The small group of spyware companies clinging to the pretense that they are engaged in an honest business is rapidly dwindling. It is being replaced by worse.

The most benign form of spyware insinuates itself into a Web browser and provides a constant stream of reports on the sites the user is visiting, the pages viewed, and so on. The spyware company constructs a profile of the user from this information and sells it to any buyer willing to pay.

A more intrusive form of spyware called a cobrowser or adware pesters the user with advertising related to the sites he surfs. If you visit a site on rock climbing, an advertisement for climbing gear or outdoors clothing might appear. If you looked at a TV on one site, you might see an advertisement from a competitor.

The worst type of spyware silently watches the user and reports his most sensitive personal data to the organized crime rings that produced it. This might be used to steal money from the victim directly or to perform an identity theft and apply for a loan in his name.

Today, spyware of the first type has pretty much sunk into the second type, which is rapidly sinking into the third.

The same thing happened with spam. The first spam tried to sell real products. As people stopped buying, the spammers found peddling porn and fake Viagra was the only way to make spam pay. As the second generation of spammers found it increasingly difficult to get legal network access, the gray-market spammers were quickly displaced by the outright criminal.

We could make an effort to distinguish legitimate spyware from the outright criminal, but it is easier to make the propagation of any software intended to resist removal at the direction of the owner of the machine a criminal act. Spyware provides nothing of value to the Internet community.

Like the spammers, the spyware outfits are caught between the pincers of legislative and technical measures, which are certain to obliterate their "industry." Even if they manage to stay ahead of the technical measures intended to make it harder for them to infect machines and easier for users to remove infections, legislative action is inevitable. As with the spam "industry," all that will be left is a hard core of spyware operations whose activities are unambiguously criminal.

Terrorism

The Internet has become an infrastructure that is as critical to the running of the modern economy as the telephone system or electrical power. And just as the Internet is dependent on electric power to run, there are complex and increasing interdependencies between the Internet and the telephone and electrical systems.

The threat of cyberterrorism is usually considered in terms of preventing an attack on critical infrastructure. In a recent TV drama, the fictional cyberterrorists performed the highly unlikely feat of successfully disabling every nuclear power station in the U.S. by hacking into the computer system that controls them. In practice, such an attack would be most unlikely to succeed because the nuclear power stations in the U.S. were designed long before the Internet existed, and there is no reason why the computer systems that are used to control them would need to be connected to the Internet.

Bombs are simple but effective means of creating fear and causing disruption. Cyberattacks require considerably greater resources to perform and are much less likely to be effective in achieving these particular ends.

The history of the Red Army Faction (Baader-Meinhof Gang) and similar groups operating in Europe in the 1970s and 1980s suggests that it is more likely that terrorists will turn to the Internet for funding and propaganda rather than as a means of attack. The Red Army Faction financed its activities by robbing banks. Al Qaeda's primary means of finance was the opium trade. Paramilitary groups on both sides of the sectarian divide in Ireland funded their activities through bank robberies and extortion rackets. We must deny these and similar groups the ability to raise funds through Internet crime.

Most terrorist groups already operate Web sites to further their political program, either directly or through sympathetic groups. These Web sites are often the target of attacks by opposing political groups, in some cases disabling the sites completely, but in other cases posting their own propaganda on their opponent's sites.

Often the attacks come from hacker groups that do not consider themselves terrorists in the conventional sense. But there is a significant risk that actions by these irregular groups might cause escalation of an international incident at a time when the state actors are trying to defuse the crisis.

A situation of this kind occurred during an incident in 2001 when a U.S. plane struck down a Chinese fighter jet with a missile and was subsequently forced to land in Chinese territory. While diplomats from both countries worked to avert a major crisis, groups of hackers in both countries launched information warfare attacks that threatened to escalate it.

Espionage and Warfare

Intelligence agencies used computer networks to perform espionage long before the Internet existed. The best public account is to be found in Clifford Stoll's book, The Cuckoo's Egg. Stoll, an astrophysicist and system manager at the Lawrence Berkeley National Laboratory, discovered a 75-cent discrepancy in the accounting records on a computer. Investigating this minor discrepancy led to the discovery that the machine was being used as a staging post for attacks on U.S. military computers by German and Hungarian hackers who were selling the results to the KGB.

The use of computer networks to conduct espionage is not new, but the amount of information available to the Internet spy is unprecedented. Equally unprecedented is the ease with which information that at one time might have been regarded as highly sensitive can be obtained from nongovernment sources. Perhaps the most dramatic example of this is Google Earth, which allows anyone to view a satellite picture of virtually any part of the world. Satellite reconnaissance is no longer limited to governments.

Espionage is a national security concern but not necessarily a national security threat. What governments reveal about themselves is balanced by what they discover from others. A mutual exchange of information can help reduce mutual suspicion and the political instability that can create.

The possibility of cyberwarfare is of considerably greater concern. Paradoxically, governments might be drawn to cyberwarfare for precisely the reason that terrorists are likely to avoid it. By definition, the terrorist seeks to create fear and panic. Governments seek a least-risk means of achieving their political outcomes. Physical violence, even if performed by proxies, carries a high risk of retaliation. Since the end of the cold war, the number of states that actively sponsor terrorism has dropped. The number of states designated by the U.S. as "state sponsors of terrorism" has dropped from seven in 1979 to five in 2007 [11]. If a similar list had existed in the 1970s, it would have numbered 15 or more.

Cyberwarfare might provide a new opportunity for belligerent states to engage in low-intensity conflict. As with the use of terrorist proxies, cyberwarfare provides a degree of plausible deniability.

Cyberwarfare is only an attractive mode of attack against an enemy that is sufficiently dependent on a high technology infrastructure to make its loss a serious concern. A country that is only able to provide power for a limited number of hours each day is not going to be brought to its knees by an Internet outage.

Until recently, the ephemeral nature of Internet vulnerabilities has made cyberwarfare impractical. It is not possible to stockpile weapons for a cyberattack as if they were tanks, planes, or bullets. A cyberweapon has an unknown and short shelf life. Maintaining a cyberwarfare capability would require constant research and development. One approach for the country looking to develop a cyberwarfare capability is, therefore, to acquiesce to, if not actively encourage, the growth of Internet crime rings so that their technical skills may be called upon should this be required. Evidence is beginning to emerge that might suggest that this is happening [12].

Pedophile Rings

Phishing is real crime, and a lot of money is lost, but as a banker who used to be a policeman on a homicide squad pointed out to me once, "It is only stuff." The worst effects of the online world are what can happen to people, not their money.

The positive effects of the Internet vastly outweigh the bad. The Internet is bringing information on sanitation and healthcare to slums around the world. It's giving the poor and the oppressed a voice in political systems from which they have been excluded. And the Internet has played a key role in the exposure of numerous abuses of children by pedophiles.

The threat of Internet pedophile rings was the first serious Internet crime that the mainstream media took seriously. The reports make it easy to believe that the Internet is filled with pedophile predators plotting to rape and murder children, a lawless frontier where law enforcement is impotent.

Fortunately, the truth is rather different; law enforcement was taking the problem of Internet pedophiles seriously before the first reports reached the mainstream media.

There will always be Internet sites offering pornographic material that offends the sensibilities of some government or other. Magazines sold openly on the shelves of newsstands in Germany would still result in a jail sentence if found in a UK home.

The material of concern for the purposes of this book is not what might merely offend but that which is universally prohibited, in particular explicit photographic or video depictions of prepubescent children in penetrative sex acts.

Internet pornography is a large, highly profitable, legal business. Child pornography is a threat to that business. The same is probably true, albeit to a much lesser extent, of the professional Internet criminal. Child pornography is a considerably greater risk than bank fraud; it is only going to be an attractive crime if it is considerably more profitable than the alternatives.

In 1995, the FBI began Operation Innocent Images, which tracked pedophile use of the Internet. FBI agents monitor online chat forums for criminal activities. Just as people who try to hire a hit man by responding to advertisements in the classified section of Soldier of Fortune magazine invariably end up talking to undercover law enforcement officers, pedophiles attempting to "groom" a victim in an online chat room are likely to receive a similar surprise.

In 1998 law enforcement agencies in 13 countries arrested 107 members of the Wonderland pedophile group. Police seized three quarters of a million images, many of which depicted sexual acts with minor children. Seven British members of the club received jail sentences of between 12 and 30 months, one received a 12-year sentence for rape, and another member committed suicide before the trial.

Even though the Wonderland club was extensive, its primary purpose was perversion rather than profit. Members of the club swapped images and videos. To join, a prospective member had to provide a large number of original images.

The breakup of the Wonderland gang and subsequent police operations demonstrate that the Internet does not allow pedophiles to operate without fear of prosecution. The members of Wonderland were caught despite attempting to use sophisticated encryption technology.

The use of technology cuts both ways; the most sophisticated Internet criminals can use technology to conceal their activities, but Internet technology also makes it easier to identify Internet criminals with ordinary skills or less. Even the most sophisticated Internet criminal only needs to make one mistake to get caught.

The Internet allows groups of all kinds to operate on a much larger scale than previously but does nothing to change the risks inherent in operating any criminal operation on a large scale. The more members that a criminal organization has, the greater the risk that one of the members will be caught with information that incriminates other members of the group.

The existence of the Wonderland club had been revealed by forensic examination of computers seized in an earlier 1996 investigation into a pedophile ring called The Orchid Club, which led to 19 defendants receiving sentences ranging from 12 months to 30 years.

Internet pedophiles remain a serious problem, but it is the only Internet crime problem that can be regarded as being under some measure of effective control.

The arrest and prosecution of Internet pedophiles demonstrates that Internet crime can be investigated and controlled. It is hard to get law enforcement in another country to investigate a case involving computer hacking, but pedophilia and bank fraud are a different matter.

Offline Safety

Online dating poses many risks, only some of which are criminal matters. The real safety concern is not what happens online. There are few places safer than the Internet; risks to life and limb occur only if the participants meet offline. Online chat rooms can result in emotional injuries, but there is no risk of physical harm unless online activities cross into the offline physical domain.

Despite widespread expressions of concern, safety appears as an afterthought in many popular books on Internet dating—a few chapters thrown in at the end. Heaven help the reader who starts dating before finishing the book!

The boundary between the online and offline world is an important safety control. Strictly speaking, the online world is not anonymous and never has been. An online avatar is a pseudonym, an alternative persona, a mask that is to be worn by its unique owner.

Maintaining the pseudonymity offered by online interactions allows participants to reduce the risk that the boundary between the online and the offline world will be broken without their permission. It also increases the risk of physical harm if those boundaries are breached.

The boundary between the online and offline worlds may sometimes be breached without permission. It takes some skill to hide effectively online. Occasionally, an involuntary breach leads to serious consequences. More often, the connection between the online and the offline world is made voluntarily. The point of online dating is to meet people after all.

Internet stalkers are a real risk for women in particular (and also for men). The risk of an unwanted pregnancy or contracting a sexually transmitted disease is considerably higher. A study of online dating by Dr. Paige M. Padgett at the University of Texas reports that "Seventy-seven percent of respondents who met an online partner did not use condoms for their first sexual encounter" [13]. None of the online dating guides I read made mention of condoms or birth control either.

If you are a woman and you meet an Internet criminal in person, you may have worse to fear than crime. While researching this topic, I went to an airport bookstore and asked the clerk if she had any books on online dating safety. Immediately she handed me a book and said, "It's not the Internet, but you should warn women about the men who read this."

After reading the book, I agree. A how-to guide for lounge lizards [14], the book advises men to peacock (that is, dress like a pimp), frequent places where lots of women congregate, and attempt to attract them through "demonstrations of high value" (that is, project a huge ego). The only counterintuitive part to the process is the idea that the man should demonstrate a high value relative to the woman by expressing a lack of interest in her and talking her down. Feminists will be disappointed to discover that the guy who insists that the woman buy her own drinks might well be a misogynist intent on establishing a high relative value rather than a champion of equality.

There is a curious mismatch between the shallowness of the pickup lines presented and the use of technical jargon. The mismatch is explained when it is realized that many of the terms used come from writers who are not generally regarded by mainstream psychology and whose theories are of the type that explain rather too much and predict rather too little.

Looking at the work a little closer, I noted some curious similarities between the self-styled "seduction community" and the activities of the online vandals who preceded the rise of the professional Internet criminal. Both groups display the same egocentricity and obsessive use of jargon as a substitute for understanding, the same outlandish claims made for their success in applying their expertise. Finally, unpicking the wider social circle, I recognized some names of notorious (and some not so well known) Internet criminals.

In retrospect, it is obvious that someone specializing in "social engineering" would attempt to apply his skills for sexual advantage. As with all advice from such circles: Caveat emptor. If the author of a book openly boasts about his success in manipulating people, he is almost certainly attempting to manipulate his readers too.
