Who is to blame for hacker-phobia?

If, like a good netizen, you keep a close eye on security issues like malware, cybercrime and hacking, you have most likely seen your news feeds awash with noise over the last few weeks, as the News International phone hacking saga reaches a headline-grabbing trial stage.

Of course, as far as hacking goes, there's not much to see here; the so-called "phone hacking" required little more than googling the default PIN number for various phone service providers, to get access to the voicemail of the rich and famous.

But what impact might this repeated use of the term "hacking" be having on our sense of privacy and security?

Real phone hacking

A phone hacking story from South Korea almost got lost in last week's news flood, but in this case there seems to have been at least a little real technical naughtiness going on.

A man, named only as Choi, was sentenced in a Seoul high court to 18 months jail time for snooping on a woman's phone, according to the Korea Times.

His initial sentence, imposed by the Seoul District Court, was for 10 months suspended for 2 years, but the higher court overruled this and insisted on actual jail time.

Choi was hired by the woman's suspicious husband, who paid 900,000 Won (£520, $840) for his services.

He was apparently able to implant a "bugging program" on the woman's phone by simply sending her a text message luring her to follow a booby-trapped link, although few details on the exact nature of the bugging are available.

Once the phone was compromised, Choi recorded 180 of the woman's phone calls, and passed on transcripts to her husband.

In passing the 18-month sentence, the court ruling explained its decision as reflecting the damage the man's actions may have caused to the sense of cyber security felt by the general public:

The court decided to sternly punish the defendant for creating privacy concerns among the public

The issue of public perception is important here, as in many cases security is only as good as people think it is.

Sense of insecurity

Your e-retail website may be running on the most secure platform, with elite ninja admins ensuring maximum safety and compliance with the strictest standards at all times, but none of that matters if the shopping public think it's too risky to enter their card details. Without public trust, you're just not going to get any business.

If the mass public starts to think all online transactions are too risky, or all smartphones are too likely to leak private information all over the place, they will stop using these things, with potentially serious effects for the workings of the world.

The good things about the web - suppressed political causes uniting on Twitter, scientific problems crunched by volunteer botnets of pooled processing power, unending streams of amusing cat videos - will be lost to us thanks to the erosion of trust in the internet and the machines that make it up.

Part of the perception problem is the use of the term "hacking", a multi-purpose word denoting both general computer fiddling for the joy of it, and general computer intrusion with malicious or criminal overtones.

Thanks to the influence of Hollywood, the image conjured up by the word "hacker" in most minds, including it seems police and judges as well as the average Jolene in the street, is of an invincible, unstoppable and almost always evil genius who can do anything they want with our computers and information.

News of the hacking world

At the moment it seems as though two major news items, the NSA/Snowden leaks and the phone hacking scandal, have teamed up to hit the news-reading public with a double whammy of privacy worries.

From one side we're being told that super-elite government geeks can break in anywhere and spy on anything, while from the other we hear that seedy private eyes hired by journalists can break into our phone lines and listen to whatever they want too.

While security experts will be able to read between the lines and figure out that no, the NSA hasn't really got a backdoor into all forms of encryption and no, those journos couldn't really listen to anything other than voicemails left on unprotected phones, the general public is being peppered with an ever more worrying view of the digital world.

The facts may be distorted and misrepresented, but the message is clear: you have no privacy, and not much security either.

Perhaps it's an exaggeration to suggest that people will really stop using smartphones or online shopping sites, but every dent in the armour of trust makes using these things a little less of a pleasure and a little more like a risky chore.

Blame game

So who is to blame for the perceived state of cyber insecurity?

People like Mr Choi should clearly be punished for actions which jeopardise people's sense of security and privacy. Exploiting vulnerabilities and implanting malware are criminal acts, and stealing our privacy can have just as much impact on our happiness as stealing our cash.

Some of the fault must also lie with the people building the systems and software we use, of course.

Default hard-wired passwords are always a bad idea, and there seems to be a major lack of awareness that these systems even exist, let alone the need to change passwords on them. If a smartphone can be compromised by simply following a URL in an SMS, then there's clearly a security hole or two to be patched up there too.

There is arguably reason to criticise the government agencies and private companies which seem to have insatiable appetites for our personal data, and often seem happy to use suspect means to acquire it.

But part of the blame must go to the media who spread unnecessary FUD about the dangers of technology and the wild wild web. This is something I'm sure I too have been guilty of in the past, despite efforts to remain skeptical and helpful.

Some of it must also, I'm afraid, rest on the shoulders of the mass public which is doing all this perceiving. If people are happy to see technology as a magical black box which they can have no understanding or control of, they cannot possibly expect to keep their privacy intact.

You yourself, of course, are a Naked Security reader and are thus making an effort to keep up with the world of cyber security, but the vast majority of people are blissfully ignorant of the workings of their phones and computers, and how they should be acting to keep their identity and information safe.

They are thus easily taken in by media hype and scary stories. And they need our help.

What can be done

Our cars are safer and more secure than they once were. This is in part thanks to improvements in technology such as airbags and crumple zones, but we have a significant influence too.

We wear our seat belts, we drive with due care and attention, we lock the doors when we park up. This is not something we learn just from playing around with a car, it is socially conditioned and almost instinctive.

With the internet we have no such instincts yet. Perhaps in a few generations' time it will be natural to choose good passwords, to update and patch our software, and to avoid entering sensitive info on untrusted sites or insecure connections, but for now people have to make the effort to learn these habits.

So we should always try to find out all we can about the tools and systems we use, the risks they may pose and how to minimise the dangers. We should strive to learn, and once we have some understanding, we should spread it out to those around us.

Once the public perception of cyber security shifts from something outside our control that is stolen from us by hackers, Google or the NSA, to something that we should take responsibility for ourselves, something we should make efforts to control and protect, the world will feel, and indeed be, a safer place.


Image of hackers, magnifying glass and smartphone and username and password courtesy of Shutterstock.

6 Responses to Who is to blame for hacker-phobia?

  1. Guest · 322 days ago

    Good post, especially liked the part concerning the public perceptions of the media

  2. Guest · 322 days ago

    Would have been nice to include concrete first steps about how to deal with non-security minded folks.

  3. Tamas Feher · 322 days ago

    > While security experts will be able to read between the lines and figure out that no, the NSA hasn't really got a backdoor into all forms of encryption <

    Whoever says that is not a security expert, period. The 8086 (original x86) instruction set was created AFTER the non-published discovery of differential cryptanalysis by the NSA. Guess what? All computerized crypto is faulty because of the underlying hardware.

  4. Lance ==)--------------- · 320 days ago

    You make an important point, but not the one you claim to be making. You said "in many cases security is only as good as people think it is." While it is true that well-implemented security is irrelevant if the public doesn't trust the site, that same lack of trust does not make the site insecure. More importantly, if a site's PR people over-sell the site's security, no amount of faith on the part of its users will put 150 million userIDs, email addresses, password hints, and passwords back into the vault. The security of a site is completely independent of its perceived security.

    The quoted statement is roughly analogous to Senator Whatzizname's statement that your privacy is not being invaded if you don't know about it.

    Truly, some things are a matter of perception, but these are not in that set.

    Lance ==)-------------------

About the author

John Hawes is Chief of Operations at Virus Bulletin, running independent anti-malware testing there since 2006. With over a decade of experience testing security products, John was elected to the board of directors of the Anti-Malware Testing Standards Organisation (AMTSO) in 2011.