It is not just governments and corporations that have to worry about cyber attacks: individuals are just as susceptible to data and identity theft, as well as falling prey to hackers who may use hapless users’ IP addresses to mask their own nefarious activities.
To understand what kind of challenges and cyber threats an Internet user can face, Dawn spoke to Ron Deibert, director of the Citizen Lab at University of Toronto’s Munk School of Global Affairs. The Citizen Lab “focuses on advanced research and development at the intersection of information and communication technologies, human rights, and global security”.
Q: What risk, if any, do normal Internet users face from hackers and that seek to collect intelligence on governments?
A: Individuals face growing risks in today’s Internet environment, for several reasons. More of our lives are increasingly mediated through digital technologies that are interconnected with each other, and with the Internet. This interconnectivity is happening at an extraordinarily fast pace, especially in countries like Pakistan that are starting with a low baseline of connectivity but which are going through rapid growth rates. Because of the fast pace, and the fact that there are so many institutions and companies responsible for so many different aspects of the communications systems we depend on, security risks are multiplying. Much of what we used to keep private, in our desks and filing cabinets and behind locked doors, we now entrust to private companies, to “cloud computing services” many of which are operating in far-off jurisdictions. This highly distributed and volatile information environment opens up many opportunities for exploitation, by individuals, criminals, non-state actors, and governments. Adding to the problem is that governments are ramping up offensive cyber capabilities which, in turn, are creating a market for advanced exploitation products and services. That is why the question of how to secure cyberspace in a way that preserves openness, innovation, and individual freedoms and liberties is one of the great challenges of the 21st century.
Q: What are some of the more common methods that can be used to infiltrate individuals’ systems?
A: Because we constantly emit a data stream around us wherever we go, as for example in our mobile devices, there are many opportunities for those who have access to those data streams to intercept it. If you think about your mobile device - every few seconds it emits an electronic pulse, a kind of beacon, to the nearest wifi router or cellphone tower that contains information about the make and model of the phone, the geolocation of the phone, the operating system, and sometimes even the name of the individual who owns the phone. Many of us have on our mobile device several dozen applications that do more or less the same thing. We are, in effect, turning our digital lives inside out, leaving a digital exhaust wherever we go. That exhaust does not disappear into the ether: it sits on the servers and the computers of the companies that provide the services that we depend on: the manufacturer of the device, the operating system, the applications, the SIM card, the cell tower, the wifi router, and so on. If any of those individual components of cyberspace are insecure, unauthorized individuals or groups can access highly revealing personally identifiable information. Recently, there has been attention, especially in the United States, on fake cell towers, one brand of which is called a “Stingray” which is used by law enforcement but can also be used by spies and criminals, which collects information from mobile devices that happen to pass by. A lot of information is emitted by a mobile device that can be intercepted if it is not properly secured. Not just the device either: the applications that are contained in the mobile device can give themselves permission to extract a lot of personally identifiable information.
Q3: How robust, in your opinion, are the cyber security capabilities of telecom firms, such as cellular operators and ISPs and would they be susceptible to sophisticated, targeted attacks?
A: There are tens of thousands of telecom companies, cell phone providers, ISPs, Internet cafe operators, application providers, and even manufacturers of software and hardware that we depend on for securing our private information. The security practices of these providers vary widely, and there are very few internationally accepted standards that can be enforced to ensure security compliant behaviour especially on a global level. As we go about our daily lives we depend on these services, often unwittingly. As we move about our cities and countries with our devices turned on, we might not even be aware that our traffic is passed from one provider to another. Not only are these companies susceptible to targeted attacks, they might also be susceptible to pressure from criminals and nation-states to comply with demands to share user data, with or without a warrant.
Published in Dawn, May 19th, 2015