4.2 Security and privacy
The internet is not a particularly secure place. There are two aspects to this: the first is that information is widely published throughout the internet which can be used for criminal and near-criminal activities. The second aspect is that since the internet is an open system, details of its underlying technologies are freely available to anybody. This means that the way data passes through the internet is in the public domain; the consequence of this is that, theoretically, anyone with the right tools can eavesdrop on data passing from one computer on the internet to another.
Share ramping, book ramping and painting the tape
Internet application developers face security problems. This is not the only problem that faces internet users. The internet, and in particular the World Wide Web, has provided such a fast and anonymous means of communication that old forms of criminal activity have had a second breath of life. Share ramping is the process whereby rumours are started about a company which would result in its shares either rising or falling, for example a rumour about it being taken over. The criminals who started the rumour will then either buy the shares if they have fallen and make a profit when they rise or sell shares they had bought previously when the price rises. The internet makes communication so fast and anonymous that share ramping has become a major financial phenomenon. Share ramping was once known as painting the tape; it is derived from the ticker tape machines which were used to communicate share prices to dealers before the 1960s. A less serious form of ramping has occurred on online book retailing sites which publish readers’ reviews of books, where authors and the staff at publishers submit reviews under an assumed name and which greatly praise a book. This is known as book ramping.
It is worth examining the first problem. Already you have met one of the consequences of data being readily published on the internet: the fact that spammers can use programs known as address harvesters to send large quantities of unsolicited email to users. There are much more serious manifestations of this problem, for example a phenomenon that has occurred in the last three years is cyberstalking. This is where a user of the internet finds the details of another user's email account and harasses them electronically, sending them emails, contacting them via newsgroups and intruding into the chat rooms that they use.
The possession of an email address can even provide the means whereby someone can bring down part of a networked system. It is relatively easy to program a computer to send many thousands of emails to a computer which is handling email communication for a company or organisation; the volume of emails can be so high that the computer is unable to carry out its main function: that of enabling staff of the company or organisation to send and receive emails. This is a form of attack known as a denial of service attack or degradation of service attack. An example of this occurred when Serbian nationalists flooded the main Nato email server during the attack on Serbia in 1999.
This is a form of harassment where someone discovers your email address(es) and subscribes you to a large number of mailing lists. Often these lists generate as many as a hundred emails a day and some also send emails with large file attachments associated with them. A malicious user who wishes to disable another user's email processing can easily do this by subscribing them to hundreds of mailing lists; this is a process that is quite easy to automate. An attacker who wants to disable the communications of a large company can, if they have access to the internal email directory of the company, disable its email system completely.
The second aspect of security is that data flow across the World Wide Web and the protocols used to communicate with computers in the internet are public. This means that anyone who wishes to enter a computer system which has a connection to the internet or anyone who wishes to read the data passing through it has a major advantage. There is, however, a contrary point of view which states that by keeping security details open any security breaches can be plugged easily by patches generated from a knowledgeable community of developers.
There are major gains for the criminal in being able to access a ‘secure’ system, for example a criminal who can read the details of a credit card passing along a transmission line from a browser to a web server, can use that data to order goods over the net and remain undetected until the next time the credit card statement is delivered to the card holder; in this respect they have a major advantage over the criminal who just steals the card. A criminal who wishes to sabotage a network – perhaps they are a disgruntled former employee of the company – can send a program over the internet which is then executed on the internal network of the company and deletes key files. A commercial spy can monitor the data being sent down a communication line and discover that it is from a company to a well-known research and development organisation which specialises in certain niche products. This information, even just the name of the R&D company, is valuable to any competitor.
How secure is the internet?
In 1996 Dan Farmer, one of the leading members of the internet security community, analysed a number of internet sites using a tool known as SATAN which reports on security vulnerabilities. He discovered that out of the 2200 sites he accessed, 1700 were relatively easy to attack (77 per cent of the sites). This is a staggering figure; however, what makes it more staggering is the fact that Farmer chose sites which should have been neurotic about security, for example sites owned by banks, government agencies, insurance companies and credit card companies.
When the internet and the World Wide Web were developed security was not high on the agenda. There were two reasons for this: the first is that the developers of the embryonic internet were tussling with what was then novel technology and most of their focus was on basic aims such as establishing and maintaining reliable communications; the second reason is that very few people realised then that the internet was going to be used for commercial purposes – a theme which the previous section detailed.
Happily there has been a huge increase in technologies used to secure the internet. For example, a technology known as Secure Sockets Layer uses cryptography to encode the data passing between a web browser and a web server so that anyone eavesdropping is unable to read it.