Hackers, identity theft, data leaks, oh my!

"Every now and then I’d like to open the Clu-blog up for a guest blogger to post their pontifications up. After all, you’d get bored if it was just me all the time. Below is a blog post by my colleague Carole Theriault, senior security analyst here at Sophos. Over to you Carole…"

Carole Theriault

There are few techie terms that have hard-hitting mainstream appeal, but the words hacker, identity theft and data leak are certainly les mots du jour. When creeping out of the industry and into the mainstream press, there are bound to be anoraks determined to define the terminology, and those who use the term inappropriately either to “sex up” their headline (yep, I see the irony with my title…) or because they simply don’t understand what they are saying.

Recently, I was contacted by a UK publication to comment on a case of identity theft. The details were this: Oxford crown court was hearing the case of Palwinder Johal, a man accused of sitting driving theory tests for third parties for 300 quid (almost $600) a pop.

“Where is the identity theft?” I wondered. He was pretending to be other people, the journalist responded. Well, yes, that is true. I am obviously not condoning his behaviour – not least because the test is a walk in the park, and I would be very concerned if anyone got behind a wheel without being able to pass it – but, and this is a big BUT, people willingly handed over their identities, paperwork, and cash to this guy to sit their tests! Identity theft is about someone stealing one or several identities, without the person’s knowledge.

I grant that it is possible that the journalist in this particular case just didn’t know enough about identity theft to understand the difference, but this in itself is a concern. Identity theft, today, is still, in my view, pretty clear cut.

The term hacker, however, is a little more difficult – perhaps because the term has been adopted by both good and bad sides. A *good* hacker, for instance, might be someone who helps companies and individuals test their systems in order to better secure them. Most tweak the name hacker to penetration tester or ethical hacker.

On the flip side, you have those bad hackers that break into systems where they have no right or business in order to steal information, plant malware, use resources for nefarious purposes, and so on.

Now – and this might be controversial – there is a band of grey here. What about those hackers that sniff where they don’t necessarily have any rights, but find out something very interesting to the public at large?

Case in point – earlier this month, self-proclaimed hacker Mike Walker, aka Stryde, did some digging around on the web and uncovered some serious controversy regarding the age of some of the Chinese gold medalists at this year’s Olympics. Walker found these, despite the information being removed from the General Administration’s website.

What are your thoughts? Are you glad that these hackers are out there? Personally, the moral here is simple as far as I am concerned: just don’t post anything online that you don’t want cropping up in the future – it is much better to view the web as a place where everything is written in indelible ink than face the consequence of serious embarrassment tomorrow.