Information Security News mailing list archives
FEEDBACK: Expert: Online extortion growing more common
From: InfoSec News <isn () c4i org>
Date: Tue, 19 Oct 2004 21:39:48 -0500 (CDT)
Forwarded from: Harlan Carvey <keydet89 () yahoo com> To: mailroomuk () zdnet com
: "Six or seven thousand organizations are paying online extortion : demands," Alan Paller said at the SANS Institute's Top 20 : Vulnerabilities conference in London. "The epidemic of cybercrime : is growing. You don't hear much about it because it's extortion, : and people feel embarrassed to talk about it." If they don't like to talk about it, where does the figure of 6 to 7000 come from?
Agreed. And I have to wonder, as well...why isn't the media asking this question? It's not a biased question at all, to ask where the numbers come from. In fact, by not asking the question *and* by referring to Mr. Paller as an expert, isn't that demonstrating bias?
: "Every online gambling site is paying extortion," Paller asserted.
Note: "asserted". This makes you wonder...how accurate is this assertion? Does Mr. Paller have inside information? Look at it this way...if Mr. Paller has some sort of relationship w/ online gambling sites, might they then feel somewhat betrayed (and exposed) by his making this statement? Wouldn't his professional reputation with them suffer? Therefore, one should expect that his assertion is just that...an assertion.
And if these sites aren't doing that, and they aren't reporting the crime then they deserve what they get. Paying off the DDoS crews is only encouraging them.
Exactly. One would expect that since $40K greatly exceeds the Attorney General-mandated threshold of $5K, such things would be reported.
If it is that fullproof[sic] of a money making scheme for them, why are they going to stop?
True. Excellent question. I have to wonder why the author doesn't seem to have asked that question.
: Paller called for tech companies to do better.
Do better at what?? I think it's a fairly pretty belief that most companies need to do a better job of securing their (information) assets, but when an "expert" calls for companies to do better, wouldn't it be a good idea to be a little bit more explicit?
: He said that security vulnerabilities are vendors' : responsibility to fix and that their products should reflect the : suggestions associated with the SANS top 20 vulnerabilities : list.
I'm not sure that I agree with Mr. Paller...I think that his comment feeds off of the atmosphere of tranferring responsibility, rather than accepting it. Security vulnerabilities in products may be the responsibility of the vendor to fix, but shouldn't those who use the products understand their strengths and weaknesses, and design their infrastructure to mitigate the weaknesses as much as possible?
Uh.. how do the SANS Top 20 vulnerabilities affect or mitigate DDoS attacks? The 10 windows and 10 unix are fairly specific, and none of them cover protecting against a DDoS attack. This 'news' piece quickly becomes a glorified product pitch.
No kidding! ===== ------------------------------------------ Harlan Carvey, CISSP "Windows Forensics and Incident Recovery" http://www.windows-ir.com http://groups.yahoo.com/group/windowsir/ "Meddle not in the affairs of dragons, for you are crunchy, and good with ketchup." "The simplicity of this game amuses me. Bring me your finest meats and cheeses." ------------------------------------------ _________________________________________ Open Source Vulnerability Database (OSVDB) Everything is Vulnerable - http://www.osvdb.org/
Current thread:
- FEEDBACK: Expert: Online extortion growing more common InfoSec News (Oct 20)