Are your secrets safe when they are stored electronically? WARREN GAMBLE pries into what can be the very public, invasive world of the internet.
The internet can show you the world - but it can also bring the world to see you.
The hyperspeed revolution in the way we communicate and do business has left issues such as privacy in its wake.
Whereas the locked filing cabinet was a solid keeper of personal and financial secrets, a website can be unpicked from afar without a company's knowledge.
Every time you use e-mail, surf the web, or visit a chat room, it creates the potential for you to be tracked and your communications intercepted.
Exploiting the new frontier are an array of cyber intruders - organised crime chasing credit card numbers, hackers chasing the kudos of their peers, advertisers chasing a cheap way of peddling their wares.
Protection does exist. Banks use advanced tools to protect customer details, but most of us cannot be bothered to make the extra effort to use devices like free encryption software for sensitive e-mails.
Commentators in the United States say that is because internet users expect privacy as of right, and want the Government to uphold that with laws if necessary.
In New Zealand, the Crimes Amendment Bill now before Parliament will finally make hacking - defined as entering a computer system without authorisation - illegal. It will be punishable by a maximum of two years in jail.
But while the bill may help to shut down one privacy threat, it has attracted more attention for potentially creating another by exempting the Security Intelligence Service, the Government Communications Security Bureau and the police.
Privacy Commissioner Bruce Slane is unhappy at the proposed hacking exemption for police.
"It seems to me that law enforcement officials secretly snooping on people's computers, in circumstances where it will be a crime for others to do so, paints a highly distasteful picture.
"Any covert police hacking should be allowed only in the most extraordinary circumstances and certainly not as a routine matter authorised by a simple search warrant."
The police electronic crime unit's national manager, Maarten Kleintjes, says police will be disadvantaged if they cannot intercept e-mails from criminal suspects.
"It would be like saying police can stop only white cars in drink-driving checkpoints," he says.
Incriminating data is often able to be captured for only a short period before being sent elsewhere, thwarting a physical police search and seizure of the targeted computer.
Mr Kleintjes says police will target a named suspect's e-mails only after getting a court warrant.
They will not trawl through e-mail traffic on a network looking for suspicious correspondence, a fear sparking debate over the Federal Bureau of Investigation's Carnivore e-mail surveillance system.
Carnivore works by installing a sniffer system on an internet service provider's network, allowing it to capture a suspect's information. The FBI says it uses the programme only under court orders for specific targets suspected of major crimes such as terrorism or child pornography.
Mr Kleintjes says police here do not have the resources to trawl e-mail. Nothing will be done without a court warrant.
"They are quite intrusive powers and that needs to be justified and approved by someone else."
Mr Slane's point is that the bill allows police hacking by using search warrants as well as the more strictly controlled interception warrants which have to be issued by a High Court judge.
A search warrant could be granted by justices of the peace and would not require destruction of irrelevant records.
Otago University senior lecturer in computer security Dr Hank Wolfe says law enforcement hacking is sometimes justified by the "if you have nothing to hide, you have nothing to worry about" approach.
He says that is a manipulative technique, implying that if you want privacy, you must be doing something criminal.
"It's nonsense. Everybody has got something to hide. We are all entitled to the same human right called privacy."
New Zealand has subscribed to the 1948 Universal Declaration of Human Rights, which includes privacy as one of its articles.
Mr Kleintjes says he expects the new hacking offence will increase the electronic crime unit's workload, but "we are certainly not going to look at everyone who rings up saying that so-and-so got into my computer."
The hacker community in New Zealand is small - an estimated 20 or 30 teenagers pitting their skills against the protective walls of mainly overseas websites.
Many, like Aucklander Steven Taylor, have no interest in snooping on individuals, but are motivated by the challenge of breaking into websites.
"To outwit a highly paid employee is an amusing fact," says the 18-year-old. "In reality the only thing they [hackers] are doing is giving a couple of companies red faces."
Automatic programmes available on the internet, such as Satan, search e-commerce sites looking for weaknesses that can be exploited.
Mr Taylor says he does not use his skills to steal information for personal gain, but at a downtown internet cafe he demonstrates the thriving market in stolen credit card numbers.
On a chat room site, American credit cards are offered for trade along with verification details, bank account and social security numbers - everything you need for credit fraud.
Mr Taylor hopes to use his expertise in highlighting weaknesses to get a job in computer security.
You do not have to be an expert to become a hacker. Websites such as SubSeven provide free programmes known as Trojans which can effectively take over someone else's computer.
An e-mail is sent to the victim with an attachment containing the disguised Trojan programme. Once the attachment is opened the programme sets to work turning the host computer into a zombie, allowing the hacker to gain passwords, monitor e-mail and download files.
In a recent German case, a laptop infected with a Trojan activated a microphone to record a private conversation involving an MP which it stored and sent to another address.
In New Zealand, a managing director's e-mail about the company's takeover ended up in Russia because a Trojan program sent a blind copy to a third-party address. Unfortunately for the hacker, the address was wrong, and a bewildered recipient got in touch with the company.
Security experts say the best way to avoid becoming a Trojan victim is not to open e-mail attachments from an unknown source.
An emerging threat to privacy and your pocket are alliances between hackers and organised crime.
Last month, the FBI announced that Russian and Ukrainian hackers stole more than one million credit card numbers from 40 American online businesses, including e-commerce and banking sites.
The hackers then threatened to post the stolen numbers on the web unless the companies bought their "security" services. The FBI also believes some of the numbers were sold to organised crime groups.
New Zealand police say they know of no such alliance here, but the internet has meant physical borders no longer apply to criminals.
The Russian and Ukrainian hackers exploited known software weaknesses that could have been remedied with system upgrades freely available from suppliers.
Mr Kleintjes says many New Zealand firms are equally lax about online security.
"We sometimes get calls from people who have been attacked, and we say go and put some locks on your door - it's like saying you have been burgled while the doors are open."
For the home user, privacy is best protected by keeping passwords safe. That includes making them reasonably obscure.
Auckland woman Lisa Barber, who agreed to let the Weekend Herald find out what it could about her, was alarmed that her hotmail account was easily cracked using her middle name, which was publicly available through her birth certificate.
Otago University's Dr Wolfe says social engineering - what talkative friends and acquaintances will tell you about someone - can often unlock passwords.
To demonstrate to his class he correctly guessed "Harley" as a password for a student he found was a motorcycling fan.
Dr Wolfe says passwords should ideally be a combination of letters, symbols and numbers in upper and lower cases instead of your dog's name or favourite football player.
The most visible privacy nuisance on the web is junk e-mail, known as spam, which clutters up United States-based mail systems like Hotmail and Yahoo!
Everything from how to make millions sitting at home, to debt repayment, teenage porn, dental care and snoring remedies finds its way to your screen, thanks to a thriving e-mail list business in the US.
Spammers themselves advertise. One hopeful American seller called jodi4191 is offering 142 million e-mail addresses for $300. A similar list was advertised in New Zealand in March, offering 68 million addresses for $249.
The Direct Marketing Association says the list, offered by controversial businessman Michael Knight, is commercially worthless. The association wants to stomp on unsolicited e-mail before it gets a foothold.
Last month, it released a code of practice identifying spamming as a poor business practice. The code says e-mail marketing should be "relevant only to an existing relationship," although the definition of relevant has yet to be tested.
Association chief executive Keith Norris says that since the code was released three complaints have been made about unsolicited e-mails. They appeared to be the result of ignorance rather than flouting the code.
A more subtle consumer monitoring tool used by websites are cookies - small pieces of information, usually an identifying number, placed on your computer when you visit websites. The next time you return, the website can use the stored cookie number to customise how the site looks to suit your preferences. Cookies are also used on e-commerce sites to keep track of your purchases.
Websites can retrieve only their own cookies, meaning they cannot track your surfing activities. But last year, leading internet advertiser DoubleClick created a storm in the US when it revealed it had compiled profiles of 100,000 online users without their knowledge. It then threatened to link that information with offline personal information after buying a database marketer. The plan was shelved after a public outcry.
DoubleClick can track web surfing because it serves advertisements on a number of sites, and can send cookies from each.
Cookies can be refused by resetting your internet browser, but that may make it more difficult to visit some sites.
Dr Wolfe says he has no private internet account, does not accept cookies and also turns off programming languages such as Java and Active X which can be exploited by hackers.
He likens e-mail to sending a postcard - anyone along its electronic route, such as internet service provider staff, can read what you write. "I have no expectations of [online] privacy."