FEEDBACK: Expert: Online extortion growing more common

[InfoSec News <isn () c4i org>]

Forwarded from: Harlan Carvey <keydet89 () yahoo com>
To: mailroomuk () zdnet com

> :  "Six or seven thousand organizations are paying online extortion 
> :  demands," Alan Paller said at the SANS Institute's Top 20 
> :  Vulnerabilities conference in London. "The epidemic of cybercrime 
> :  is growing. You don't hear much about it because it's extortion, 
> :  and people feel embarrassed to talk about it."
>
> If they don't like to talk about it, where does the figure of 6 to
> 7000 come from?

Agreed.  And I have to wonder, as well...why isn't the media asking
this question?  It's not a biased question at all, to ask where the
numbers come from.  In fact, by not asking the question *and* by
referring to Mr. Paller as an expert, isn't that demonstrating bias?
 
> : "Every online gambling site is paying extortion," Paller asserted.

Note: "asserted".  This makes you wonder...how accurate is this
assertion?  Does Mr. Paller have inside information?

Look at it this way...if Mr. Paller has some sort of relationship w/
online gambling sites, might they then feel somewhat betrayed (and
exposed) by his making this statement?  Wouldn't his professional
reputation with them suffer?  Therefore, one should expect that his
assertion is just that...an assertion.

> And if these sites aren't doing that, and they aren't reporting the
> crime then they deserve what they get. Paying off the DDoS crews is
> only encouraging them.

Exactly.  One would expect that since $40K greatly exceeds the
Attorney General-mandated threshold of $5K, such things would be
reported.

> If it is that fullproof[sic] of a money making scheme for them, why
> are they going to stop?

True.  Excellent question.  I have to wonder why the author doesn't
seem to have asked that question.

> : Paller called for tech companies to do better.

Do better at what??  I think it's a fairly pretty belief that most
companies need to do a better job of securing their (information)
assets, but when an "expert" calls for companies to do better,
wouldn't it be a good idea to be a little bit more explicit?

> : He said that security vulnerabilities are vendors'
> : responsibility to fix and that their products should reflect the
> : suggestions associated with the SANS top 20 vulnerabilities 
> : list.

I'm not sure that I agree with Mr. Paller...I think that his comment
feeds off of the atmosphere of tranferring responsibility, rather than
accepting it.  Security vulnerabilities in products may be the
responsibility of the vendor to fix, but shouldn't those who use the
products understand their strengths and weaknesses, and design their
infrastructure to mitigate the weaknesses as much as possible?

> Uh.. how do the SANS Top 20 vulnerabilities affect or mitigate DDoS
> attacks? The 10 windows and 10 unix are fairly specific, and none of
> them cover protecting against a DDoS attack. This 'news' piece
> quickly becomes a glorified product pitch.

No kidding!



=====
------------------------------------------
Harlan Carvey, CISSP
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://groups.yahoo.com/group/windowsir/

"Meddle not in the affairs of dragons, for
you are crunchy, and good with ketchup."

"The simplicity of this game amuses me. 
Bring me your finest meats and cheeses."
------------------------------------------




_________________________________________
Open Source Vulnerability Database (OSVDB) Everything is Vulnerable - http://www.osvdb.org/