Wednesday, June 22, 2011

Having fun is a serious matter

He that's secure is not safe - Benjamin Franklin

LulzSec is a group of hackers who have been causing mayhem throughout the internet recently. Ask Sony, Fox, the FBI, the CIA, SOCA and you'll know. LulzSec has an anthem, a logo and an official website where all the data hacked so far (or so we know) is available for download. They are also being referred to as gray hat hackers since they do not hack for personal gain but to disclose vulnerabilities.
They have come out in the open, and after every successful attack they claim responsibility and share their sarcastic comments. It's their way of having fun. The name says it all: "Laughs @ security". LulzSec says that they do these things because they find it entertaining. Their idea of having fun might sound weird or downright unacceptable to some, but then they aren't the ones who vouch for internet security protocols being followed; they refer to the people making such protocols as clowns, to the victims as peons and to themselves as lizards.

I won't be judgmental here, endorsing or opposing what they do, how they do it and why they do it, but what concerns me as an internet user is how trustworthy the security claims made by the organizations asking for my confidential information really are.

And I'm talking of some big names here!

Is our online data safe? Are all the internet security claims made phony? Do I even know if my personal data has already been compromised? Do you think every hacker announces everything they've hacked? LulzSec claims not to. What this effectively means is that it's highly probable that your Facebook, Twitter or Google Mail account has already been hacked and someone is eavesdropping on your data, waiting for the right moment to strike. Techies call it a man-in-the-middle attack.

Needless to say, we need to exercise more caution. But how? We already follow the instructions given to us during registration/login/signup. What can we do if someone hacks the server itself? Are there any laws under which I can sue the company with which I had an account that got hacked? Maybe there are. But you see, the companies cleverly wash their hands of any such mishaps by inserting some clause in their "Terms of service and user agreement".
There is one such warranty disclaimer clause in the Sony PlayStation end-user agreement as well, which states that Sony accepts no responsibility for "unauthorized access to or use of our secure servers or any and all Personal Information that is not submitted using a secured transmission".

I'm positive that most of the gamers registered with the website must have simply pressed the accept button without bothering to read this agreement. At the same time, making such clauses part of the agreement simply implies that the companies themselves don't have faith in the security measures being followed. End-users need to be more careful as well and make sure they read an agreement before accepting it. But still, I feel that some of these documents are ridiculously large, with such important clauses embedded deep inside them in some twisted (sometimes cryptic) language.

I feel that companies need to be more responsible towards end-users, and there should be some standards body which regulates and monitors the types of clauses being put into such agreements. This standardization body must come up with standard, templatized agreements for gaming websites, bank account websites, social networking websites etc., having some inherent clauses which all these websites should abide by. Further, the agreements could be of varied security levels, such as class I, class II, class III and so on. Class I would be the most secure type of agreement, whereby the organization adheres to all the inherent clauses laid down by the standards body, and class III the least secure, whereby the organization declares that it doesn't adhere to any standard clause and has its own conditions in the agreement, as is done currently. Also, when these software agreements open up in our browser, all classes should follow some standard colour coding scheme. For instance, class I might be green and class III red, so that we immediately know the level of confidence we can have in that website.

This won't prevent such cyber attacks but surely will make end-users more aware of what they are getting into and make the organizations more liable.

Uncertainty is the only certainty there is, and knowing how to live with insecurity is the only security - John Allen Paulos
