“The democratization of the Internet has allowed remote criminality”
© design: Station-Sud
Just before the 2012 I&C Research Day on computer security, on June 21st, we had the chance to ask Professor Jean-Pierre Hubaux a few questions about Internet security and cybercrime. He gave us his point of view regarding this hot-button issue.
Why should the average person be concerned about computer security?
Prof. Hubaux: The danger for the average citizen is ever-present as long as he is connected! Two specific and distinct threats exist that derive directly from the continuing development of information technologies and communication networks: cybercrime and attacks linked to privacy.
The most well-known example of cybercrime is “phishing.” It consists of enticing a victim to give her personal information (e.g. banking information) by means of an email that uses a cleverly forged copy of her bank’s website in order to empty her account.
As for the attacks linked to privacy, we are more and more likely to give personal information online or via our smartphones, but people do not fully understand the consequences of their actions. The citizen is all the more vulnerable, as the access to information is asymmetrical: what can one do against organizations that collect data from or on him? Here, legislation is fundamental, as who has access to information has access to power.
Can we assess the effects of cybercrime?
Prof. Hubaux: Symantec, the worldwide leader in the market of antivirus software, announced that it had blocked 5.5 billion cyber-attacks in 2011. The Business Software Alliance (BSA) reported that computer software piracy caused a worldwide loss of 59.2 billion Swiss francs in 2011. In Switzerland, the total loss is estimated to be CHF 550 million.
Who are the hackers and what are their motivations?
Prof. Hubaux: A typical portrait of a hacker doesn’t exist, other than the fact that he is probably a computer science fanatic. Hackers can have diverse motivations. Some will launch denial of service operations - generally, the flooding of a network by a deluge of requests - for the fun of the challenge and/or self-aggrandizement. Others may have political intentions. For example, the group Anonymous – whose members wear a characteristic mask that we use for the poster advertising our I&C Research Day on June 21st – is an undefined cluster of activist hackers. The phenomenon of “Hacktivism” justly refers to hackers who operate for geopolitical reasons and who tend to attack governments’ websites, for example. Who are they? How can we locate them? These are very difficult questions. The democratization of the Internet has allowed remote criminality, especially from countries where both corruption and insecurity are high. Consider it another element of globalization.
What are the pivotal events in the history of computer security?
Prof. Hubaux: Two historical examples that are widely considered clear events of cyberwarfare are the huge Internet blackout that happened in 2007 in Estonia and the sabotage of the nuclear centrifuges in the Bouchehr nuclear power plant in Iran by a worm (Stuxnet) in 2010.
In particular, this sabotage resulted in a delay of the Iranian nuclear program. It’s pretty clear that here we are talking about major geopolitical stakes. As to the Internet blackout in Estonia, it was caused by repeated attacks by hackers on the country’s main websites. A historical fact: Estonia called upon the EU and NATO to take firmer measures against what it considered “a new form of terrorism.”
What will be the challenges of tomorrow in computer security?
Prof. Hubaux: The major challenge is to create systems in which security and protection of privacy are present right from the outset. The stake is to anticipate hackers’ potential attacks; they are bursting with creativity to find the deficiencies in machines and systems! It is our role to identify the weak points upstream.
Finally, I would like to add that, as we speak, the EPFL servers are in all probability under attack! In fact, continuous attacks reach our servers. Luckily, they are outfitted to thwart these malicious operations. The average citizen is more vulnerable: it is not uncommon that their computers are used without them knowing by hackers who use them to commit larger spectra attacks. This phenomenon is called a “botnet” (or networks of “zombie” machines), which is comprised of a large number of private computers that have been co-opted – all without their owners knowing! - using a virus, to reach and infiltrate the computer servers of an organization or a firm. We are all interconnected, for better or for worse.
To know more, join us at the I&C Research Day on June 21st: http://ic.epfl.ch/researchday2012
