Post by Roland PerryPost by Jethro_ukI grew up amongst policemen, and heard a lot of tales. They had a
formative impact on my upbringing in that I firmly believe that
criminals, by choosing to be criminals haver demonstrated a less than
average intelligence (which the police generally seemed to believe).
Have you told that to the tinfoil hat brigade who insist that criminals
will instantly circumvent any technical measure measures to track/
intercept their online communications; and the other criminals busy
hacking the comms data warehouses (which I have no reason to suspect
they've been successful at, the last 15yrs since RIPA brought them into
prominence).
Probably the most pernicious myth is that "criminals" form a
homogenous group.
Jethro's comment is generally true of what might be described as
common or garden criminals - the sort who burgle houses, ramraid shops
and steal cars. The people committing these crimes are often doing so
because they lack the nous to get a decent job. That's why
technological measures to combat them are, on the whole, very
effective - both burglary and vehicle crime have been significantly
reduced by better domestic and vehicle security.
However, it's generally not true of what's often termed "white collar"
crime. These are people who are intelligent enough to get a decent
job, and intelligent enough to modify their criminal behaviour in
order to combat detection and prevention techniques. A classic example
of this is illegal imagery (eg, child porn) - there's little evidence
that law enforcement is succesfully reducing the incidence of this
kind of crime. Far from it, in fact, the media headlines are all about
how it's getting worse.
Hacking, too, is a much misunderstood crime. The belief that "we
haven't been hacked yet, so we're safe" is one of the most dangerous
to hold. In reality, most major data breaches have not come from
highly targetted attacks from the outside, but from scattergun attacks
that just happen to trigger an unpatched vulnerability or from an
insider with legitimate access (or, at least, relatively easy
illegitimate access) to the material. The TalkTalk and TK Maxx
breaches were both in the former category, most of the stuff published
by Wikileaks is in the latter.
TalkTalk is actually a very good example of how a good security record
can lead to complacency. At the start of 2015, TalkTalk could have
boasted that it had been in operation for at least 15 years without a
data breach. By the end of that year, that reputation had been well
and truly trashed. And one of the key reasons it had been trashed was
that TalkTalk was still relying on systems that, by then, were well
out of date. Which, in turn, was because TalkTalk had a good record on
security, and was under the misapprehension that its defences were
tried and tested.
As the IRA used to put it, the hackers only have to be lucky once. The
defenders have to be lucky every time. I can't predict which
organisation will be the next major victim of a hack, or when it will
happen. But I know that it will. And I know that the organisation
which suffers it will almost certainly be one which is currently
telling people that it has a good track record of data security.
Mark