Since the terrorist attacks on September 11, 2001, computer security has taken on some new meanings. The first is positive. As part of a global tightening of belts and rolling up of sleeves, there emerged several outreaches designed to provide security training and certification to folks in all walks of life, from the consumer being alerted about identity theft, to the soldier and sailor and weapons scientists taking greater precautions with items of national security, to the common person on the street gaining a heightened awareness of hackers and crackers and cyber attackers. Gradually this new emphasis on computer and network safety has percolated down to the ordinary user’s computer in the den or living room. And because it really is a small Internet, and what affects one usually affects all, the safer individual users are, the safer the Net is for everybody.
Unfortunately, in return for a perception of security, both physical and on the Internet, some computer users have begun to accept unprecedented compromises in privacy as being part of the price to be paid to counter an envisioned terrorist threat associated with computer usage. In return for a feeling of "protection" with vague ties to national defense, more and more of what used to be private data and folks’ own business is now available for inspection by corporate and legal observers. Giving up the proven checks and balances that are the underpinnings of a free society may do more harm than good. Recent reports, such as a summer 2003 incident in which one or more airlines turned over to a contract firm working for the Department of Defense the transaction records of a half million passengers for use in an experiment on database profiling, have demonstrated that relaxed restraints against law enforcement agencies can lead to egregious actions. Numerous press reports have indicated that the expanded powers granted to law enforcement agencies in the name of homeland defense have resulted in those powers being used increasingly to investigate and prosecute crimes under laws not related to homeland defense at all. This, in turn, has resulted in a mini-backlash designed to rein in the security promoters, heightening the debate.
Possibly in response to a perceived decrease in privacy, a large number of new laws have come into play that attempt to protect individuals against widespread dissemination of personal information and regulate the creation and exchange of financial information regarding corporations. These new laws have long names, such as the Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley, and the Family Educational Rights and Privacy Act (FERPA). These laws make it a crime to reveal personal information gathered in the course of doing business, and often require the reporting of computer crimes that were formerly swept under the carpet to avoid embarrassing the agency or company allowing such a lapse.
The ordinary user, such as the salesperson or secretary who logs on in the morning and shuts down at night, would rather not think twice about security. In fact, she might not think of it at all until a worm or some other attack affects the machine on which she has to work.
Some of the most invasive computer attacks against individuals may not involve infecting a computer, but merely listening to one. With machine patience, sniffers and database programs can accumulate data about people, lots of people, over as long a time as is needed to gather enough information to make an attack. Usually, the attack takes the form of making credit card purchases, or applying for credit in the name of the victims whose details have been pieced together. Such crimes, often called identity theft, can be devastating. It is not that the victim is always left liable for the fraudulent purchases; consumer protection laws and the rapid closing of accounts help a great deal to prevent that. It is that the victim may be left unable to exercise his own credit, or establish more because vendors can’t easily be sure if any new transactions after the ID theft is reported are being made by the customer or by the thief. And it is highly likely that the victim will be unaware of any of these activities until the damage has been done.
Now that it increasingly impacts the average user, public awareness of computer security has risen dramatically. Computer security has hit the newsstands, with more and more articles warning the public about viruses and other perils. The media also describes an increasing array of preventatives, ranging from changing network habits to adding firewalls and intrusion protection systems. Mix in the specter of terrorism, and the stakes get even higher.
Source: Computer Security Basics, 2nd Edition