Re: [ISN] Expert: Online extortion growing more common

Subject: Re: [ISN] Expert: Online extortion growing more common
Date: Mon, 18 Oct 2004 01:23:40 -0500 (CDT)
Forwarded from: "security curmudgeon" <jericho@attrition.org>

: http://news.com.com/Expert+Online+extortion+growing+more+common/2100-7349_3-5403162.html
:
: By Dan Ilett
: Special to CNET News.com
: October 8, 2004
:
: "Six or seven thousand organizations are paying online extortion
: demands," Alan Paller said at the SANS Institute's Top 20
: Vulnerabilities conference in London. "The epidemic of cybercrime is
: growing. You don't hear much about it because it's extortion, and 
: people feel embarrassed to talk about it."

If they don't like to talk about it, where does the figure of 6,000 to
7,000 come from? Is there any real basis for this number, or is it a
complete ballpark guess based on a few news articles mentioning it?

: "Every online gambling site is paying extortion," Paller asserted.
: "Hackers use DDoS (distributed denial-of-service) attacks, using 
: botnets to do it. Then they say, 'Pay us $40,000, or we'll do it again.'"

Seems like that kind of money could buy you a pretty fat pipe to sit
on and would potentially mitigate all but the hardcore attacks? Or let
you hire someone that is familiar with such attacks to help you better
prepare for them? Or encourage your ISP to buy more bandwidth or hire
someone that can help address the problems?

And if these sites aren't doing that, and they aren't reporting the
crime, then they deserve what they get. Paying off the DDoS crews is
only encouraging them. If it is that foolproof of a money-making
scheme for them, why are they going to stop? If law enforcement is
involved in the case, it seems like they will have a significant chance
of determining who is involved the first time they monitor a company
paying off the attackers.

: Paller called for tech companies to do better. He said that security
: vulnerabilities are vendors' responsibility to fix and that their
: products should reflect the suggestions associated with the SANS top 20
: vulnerabilities list.

Uh.. how do the SANS Top 20 vulnerabilities affect or mitigate DDoS
attacks? The 10 Windows and 10 Unix entries are fairly specific, and none of
them cover protecting against a DDoS attack. This 'news' piece quickly
becomes a glorified product pitch.

: "Applications breaking after patching is the operating system vendor's
: fault," he said. "They tell developers to build applications on
: unprotected systems. But the other half of the game is that application
: vendors should have to test their products on safer systems. You do 
: that with procurement."

Yes, get more money and then spend it on an organization such as SANS,
I'm guessing.

*yawn*



_________________________________________
Open Source Vulnerability Database (OSVDB) Everything is Vulnerable - 
http://www.osvdb.org/