Recently, I read an article that began “We don’t know how many dot-com companies will survive, but we do know which ones they will be.” The author went on to give his views of the critical success factors for e-commerce, many of which I agree with. But if I made my own list it would read simply: security, privacy, security.
Face it. Nobody wants to take unnecessary risks. And people are waking up to the incredible potential for privacy invasion as we bank, trade stocks, read books, and maybe even consult medical experts on-line.
As we get more and more reliant on on-line services, we really don’t know what’s going on in the minds of hackers. But here’s a clue: a press photo from the DefCon hacker convention in Las Vegas shows a smiling young fellow wearing a T-shirt that says “My Only Crime is Outsmarting You.” There’s no doubt that he and his friends will be there every step of the way, looking for the holes in every new on-line service and e-commerce site.
Given that there are folks like this running around, it’s kind of entertaining to read the “Is Internet Shopping Safe?” blurb on the homepage of www.cduniverse.com. It includes the following reassuring promise: “We use Netscape’s Secure Commerce Server technology, which encrypts your order information, keeping it private and protected…It is actually safer to transmit your credit card info over the Internet than it is to use your credit card around town.”
They also note that the security system used is the same one employed by the Wall Street Journal and other fine companies. Of course, anybody who reads the Wall Street Journal might recall an article last January that began: “NEW HAVEN, Conn. (AP) — A computer hacker stole credit-card numbers from an Internet music retailer and posted them on a Web site after the retailer refused to pay a $100,000 ransom…”
Yes, the very same CDUniverse on-line shopping service fell victim to a 19-year-old Russian hacker named “Maxim” (at least that’s who he says he is) and inadvertently compromised the credit card numbers of its customers. Now, I’m not saying that you shouldn’t give your credit card number to CDUniverse, or that they should be eternally penalized for this one security breach. But we do need to do some serious thinking about computer security, and how we’re going to earn and maintain public confidence.
Earlier this year, I had the privilege of chairing the International Summit on Cybercrime, sponsored by the National Institute for Government Innovation (www.nigi.org) in Washington, D.C. It brought together law enforcement experts from the FBI, U.S. Customs Service and many local police agencies. I was tremendously impressed by the progress they’ve made in learning about computers, but also by the wide range of security sophistication. So while the “top guns” are picking apart hard disks bit by bit looking for obscure bits of evidence, some state and city police departments are just “thinking about” establishing a cybercrime unit. They also report that, although they’re spending most of their time now on issues like child pornography and Internet harassment, they fully expect “economic crime” to be the next big challenge in on-line policing.
This growing awareness of information security issues is a very positive development. But I do see a problem looming. Some of the most advanced and creative thinking about security is happening within the walls of academia, while the real world problems are being tackled on an “ad hoc” basis by law enforcement officers, corporate security folks and consultants. If only there was a way to bring these resources and problems together. I’m happy to announce that this is actually happening, through an exciting new venture called the eSecurity Innovation Center. The founding partners are the University of Calgary (my own employer) and Jaws Technologies Inc. The Center is planning a very active program of research, education, training and product testing, all focussed around computer security. And we’re looking for partners who share our interests.
Here’s our vision for the eSecurity Innovation Center, and a brief status report. It will include:
A physical facility for security research and education. We’ve leased 2,400 square feet in the brand new Calgary Innovation Centre, just across the street from the University of Calgary’s soon-to-be-opened Information and Communications Technology building. This strategic location will allow the Center to straddle the worlds of academia and business. We’re outfitting it now with the latest computer and communication security gear and we’re eager to talk to partners who want to see their products represented in the Center. We see it as a high-tech battleground where the best computer security defences are pitted against the nastiest computer invasion techniques. It will be a place to try out the latest security tools, in an environment where you’re not jeopardizing your corporate resources. We’ve designed the facility to be flexible, attractive and “bulletproof.”
The Center’s academic program will provide top-notch courses and seminars as well as security-related certifications that have previously not been available in Canada. This will allow Canadian companies and organizations to carry out this training without expensive out-of-country travel.
The Center will be home to a world class publication, the International Journal on CyberCrime. We’ve already published our first quarterly issue, and it contains articles ranging from “The Reliability of the MD5 Hash Algorithm” to “Be Aware…Laptop Theft.” It’s a highly readable yet technically accurate journal and free sample copies are available from the Center (see contact information below).
We’ve also designed a virtual presence. We know there are already many excellent security sites, such as www.securityfocus.com and www.sans.org. Rather than compete with them, the eSecurity Innovation Center will create new value especially in the areas of computer forensics, cybercrime prevention and security policies.
Would you or your organization like to be involved on the ground floor? If so, the person to contact is Caroline Baynes at Jaws Technologies Inc. She can be reached at firstname.lastname@example.org or 1-888-301-5297. We’re proud and excited about this venture and sincerely believe it will advance computer security practice in Canada. But we can’t do it alone, so please let us know how to make it a success.
Dr. Keenan, ISP, is Dean of the Faculty of Continuing Education at the University of Calgary and teaches a course called Hot Issues in Computer Security.