News

I received a bit of a shock recently. The company I help run launched a new online market for stocks, called Omega, and on opening day, one of our technical consultants, Norman Bates, was watching attempts to hack into the system from around the world. "Here they come!" he yelled. "Got any clients in Russia?" Bates is a scraggly IT veteran who looks a little like Willie Nelson. He's seen it all, having worked at NASA and the CIA. Along with his almost-cloned engineer son, he provides super-high-end telecommunications security consulting services.

By 10 a.m., just half an hour after we opened, we'd already had 30 unsuccessful attempts to corrupt our system. The denial-of-service attacks came from Spain, Latvia and a lot of other countries where we don't do business. Fortunately, none of our clients saw any impact from those assaults. Our chief technology officer just shrugged. It's par for the course for virtually any new Internet address.

Four years ago, I went on TV and debated Norman Inkster, the former head of the RCMP, about the safety of the Internet for financial transactions. I pooh-poohed when he said he was very cautious about using the Web for anything to do with money. Now, I'm in his camp. Yes, the Internet is useful, but it gets more complex every day, and the scam artists are getting more ingenious. So how long can the good guys stay ahead of them?

Financial institutions are tight-lipped about how much money they are losing, but a friend who consults to the U.S. government on online security, says fraudsters steal about $40 million (U.S.) a day worldwide by misappropriating personal information from bank clients. If Canada is 2% of the world economy, you figure about $1 million a day is leaking out of

accounts here. The banks won't talk about specifics, except to say that any client who has lost money has been fully reim­bursed. And each bank is likely spending tens of millions of dollars a year to protect client data.

Fraudsters siphoning money out of accounts is just one danger. Businesses that don't protect their websites with decent firewalls and regular security patch updates can easily lose all their data. My company backs up files with several secure off-site providers, and we only do business with partners who are as serious about this as we are.

Yet even the most security-conscious firms, such as Q9 Networks, a leading Canadian data and online services outsourcing company, have had their operations slowed on occasion by denial-of-service attacks. Part of the problem is that the narrowest of breaches can create huge headaches so quickly.

Early in my company's business life, an employee opened our file transfer protocol link to send some files to his home. A hacker wormed his way through as well, and our site started resending spam to thousands of other computers. We noticed the surge in traffic and closed the loophole almost immediately, but it took hours for a robotic search of our system to reveal the details of the compromise. And that was only after many of our clients' systems had designated our web address as unsafe and blocked all communication, including e-mail.

You think that kind of hacking is hard to do? Just type "hacking a server" into any search engine and follow one of the many idiot's guides on how to do it, including finding network passwords and trolling for credit card numbers. If you find the computer commands too complicated, just about any high school student could probably help you.

There is also the troublesome question of legitimate tracking of your online activity. Your Internet service provider knows how much surfing, social networking and downloading you do. New companies such as Phorm and NebuAd sell software that allows ISPs to analyze that traffic and route behavioural advertising to you. Porn lovers get porn ads, motorcycle enthusiasts get bike ads (and porn ads), and so on. Your ISP probably has a very good estimate of your age, even if you haven't told them. Think how often you log onto Facebook, compared with a typical 15- to 22-year-old.

The bottom line is that you'll have to decide what's private and what's not. And if you think all your business and personal behaviour should be confidential, then don't use the Internet.

Bates & Son are still on the job, by the way, but they don't need my company or any other putting them on the payroll as employees. The online flashlight sweeps and lock checking they do require the equivalent of a new master's degree in network engineering every year. That's all the job security they'll ever need.

E-mail Doug Steiner about his column