Top>Education>Security of the Internet Society Discussed from the Viewpoint of Information Education and Literacy
Nobuo Chikuda [profile]
Nobuo Chikuda
Associate Professor of Information Engineering and Systems Science, Faculty of Commerce, Chuo University
From this year, Tama Campus of Chuo University offers the class titled Internet & Information Security as an elective subject that can be studied by students of any courses. (Elective subjects are non-credit ones that can be attended regardless of credit limits.)
Since I am a lecturer of this class, I would like to talk about the Internet and its security.
One of the reasons why Chuo University adopted a subject about the Internet and its security as an interdisciplinary class is that modern people use the Internet and cloud computing systems for accessing information on a daily basis, and a variety of troubles have been reported.
Such troubles occur to not only students, but also other individuals and various organizations, including governmental offices and private firms, before they notice, and some of them are covered by the mass media.
Examples of these troubles include:
Such troubles are frequent like traffic accidents, causing some people to lose their jobs, be expelled from their schools, incur damages to their assets, and harm them mentally.
In order to avoid them, guidance and education are considered necessary.
Every time these troubles occur, intellectuals mention the importance of information literacy (in a broad sense), including Internet literacy, in the mass media, etc.
Information literacy is interpreted variously, but its general definition is the ability to research, collect, select, edit, utilize, and transmit information. In a nutshell, it is the ability to process information.
Modern people live in the information society, which is not limited to computers and the Internet, and are required to have the ability to process information appropriately in order to survive. Accordingly, this ability is considered to be the same as reading, writing, and arithmetic in Japan, and so the word literacy, which means the ability to read and write, is used.
As mentioned above, this ability is indispensable for living in the modern society, and so its importance is significant. However, if the level of information literacy is elementary, it is difficult to avoid troubles with that skill in the real world.
Like daily traffic accidents cannot be prevented by elementary-level skills for reading, writing, and arithmetic, Internet-related troubles in the present age are difficult to avoid with information literacy.
Let me discuss some troubles that have occurred recently.
The officials of the Ministry of the Environment, etc. used Google Groups, the service of Google, at the time of negotiations for international treaties, etc. because they cannot use governmental systems outside Japan for security, but they mistakenly set their information to be accessible by anyone, and then their notes including the contents of negotiations, etc. were disclosed to the world.
There have been many troubles similar to this case.
Assuming that the officials did not know the basic settings for accessibility and this caused this trouble, what they required was information literacy.
This is true from one aspect.
However, the essence of this problem is that the Japanese governmental systems cannot handle confidential information outside Japan, although it is necessary to use it overseas, and so the private open information service was used.
In principle, officials should not share highly confidential information through such a private information service.
Google, which is a U.S. company, cannot reject any requests from the U.S. government, and the U.S. government will call for the cooperation of Google, if necessary, for the sake of its national interests during negotiations for treaties, etc.
Once they upload the documents for negotiations to the Google service, the information becomes accessible by the government of a foreign country. This is a blunder in information management.
Regardless of the settings for accessibility, the Japanese government failed to manage the information properly. Unless we correct it, the instructions for setting accessibility do not prevent the disclosure of documents.
According to news reports, etc., the systems of each ministry prohibit any access from the outside for security. Overseas government officials need to consult with their superiors and bureaus, etc. in Japan about negotiation contents, assuming that the contents are kept confidential. If there are no functions to deal with this situation, this problem is not caused by individuals, but the specifications of ministerial systems, and so it is meaningless to blame the officials, who cannot share confidential information due to the poor governmental systems.
Furthermore, it is true that accessibility should always be specified properly, but we need to be aware that currently available online services may be modified by the companies that offer these services anytime, changing their contents and settings, etc.
Actually, Google has revised the rules for offering services unilaterally to a significant degree.
When rules are revised, it is not easy to change currently used email addresses. In the case where users use the function to share data in the networks, etc., when rules or settings are changed unilaterally, most users cannot adjust them easily.
Basically, leading Internet companies, such as Google, Amazon, and Facebook, first attract people with charge-free services, and earn an income by showing advertisements to them, etc. These companies allow users to access a broad range of data produced and inputted by other users for free, analyze and retrieve such data on a large scale, and provide other firms with the data in desirable formats, to earn money. Because of this business model, Internet enterprises hope that users provide data that can be analyzed and retrieved, and so they basically disclose the data of users in the default form. If the information of users is not disclosed, the businesses of Internet companies are faced with serious problems.
Accordingly, when using the services of these firms, it is necessary to discuss whether or not to use them while understanding this background.
The understanding of the background and the discussion on latent problems with the services seem to be outside the scope of information literacy, but information managers in charge need to be familiar with them.
Kanagawa Prefectural Police arrested a student on suspicion of forcible obstruction of business by posting a message that the student would attack a school in the webpage of Yokohama City. Since the student inputted about 300 characters in 2 seconds, false accusation was considered from the beginning, but the student was put on probation, and expelled from his college.
This crime was committed with cross-site request forgeries (CSRF). This method and its system are causing an enormous amount of troubles.
In simple terms, a third party, who is unrelated, is led to a specific URL and post a message or conduct a specific process.
Some people may conclude that “we should not click on an unfamiliar URL,” but the problem is not so simple.
The CSRF system functions through two or three stages.
First stage: Processes to be executed are put together in a URL.
Second stage: The URL is placed so that an unrelated third party can click on or access it.
Third stage: A system for accessing the URL is installed in an irrelevant webpage.
Let me describe each stage. The following descriptions are detailed ones about information technologies, but the system varies broadly and leads to a wide range of problems. I would appreciate your understanding.
First stage: Processes to be executed are put together in a URL.
This is actually the essential problem.
The exchange of data among servers, PCs, smartphones, and other mobile phones, etc. can be expressed by a URL in most cases.
For example, when you search xyz with Yahoo, the search word and the retrieving command are simply expressed by the URL http://search.yahoo.co.jp/search?p=xyz. When you access this URL, the search starts.
In other words, once a third party accesses this URL, the search page of Yahoo appears on the screen of the third party.
When the web system was first invented, developers produced the POST command for transmitting data from PCs and mobile phones, etc. to servers and the GET command for transmitting data and files from servers to PCs and mobile phones, etc.
As large-scale Internet services were offered, the capacity of a single server became insufficient, and groups of servers started to be used. Then, the method of sending data to servers with the POST command was replaced by the method of uploading data and process contents to URLs, because the processes can be carried out via any servers.
For instance, it is considered that the following URL was produced: http://www.(school office).jp/cgi.bin?(inquiry)=”*****”&(body text)=”*******”&(name) =”****,” and then the PC of the student accessed this URL, posting the illegal message, which became forcible obstruction of business. The duration of 2 seconds is enough for accessing this URL.
The problem is that this URL is a mere string of letters and so it can easily be put into an online bulletin board (second stage) and each viewer can be led to this URL when the viewer accesses an unrelated website, which is a vulnerable and has been loaded with a trap (third stage).
Probably, that student accessed a safe website he often used or another person browsed, and got trapped, posting the message that caused forcible obstruction of business.
If traps are set like this, it is impossible to avoid accessing the URL just by being careful. The functions of the browser or security software may prevent it, but their effects would be minor.
In the above case, what we should know is that unintentional operation may be conducted in the Internet and that the above described posting of the message does not mean that the student intentionally did so.
In this case, the officers of Kanagawa Prefectural Police had a misunderstanding.
Of course, some websites did not undergo the third stage, and so Internet browsers should consider what would happen when clicking on a certain URL.
However, users and administrators should be aware that some traps are unavoidable.
The present society sees advanced informatization, but this does not mean that the recognition of each individual and social system is advanced accordingly.
In addition, as shown in Case 2, the Internet technology is extremely vulnerable from the viewpoint of security, and so it is not easy to avoid troubles in the Internet.
Many people think that it is possible to avoid troubles by remembering information literacy, that is, easy rules, and using the Internet carefully, but in reality, what individuals can do is limited, and a safe environment cannot be actualized without legal and institutional protection and support.
Nevertheless, many people need to live in the present Internet society, which has some flaws, and to do so, they have to acquire more advanced knowledge than information literacy.
I would like to recommend you, who have read this, to attend the class, the Internet & Information Security.