companies have been disturbingly silent about cyberattacks on their
computer systems — apparently in fear that this disclosure
will unnerve customers and shareholders and invite lawsuits and
unwanted scrutiny from the government.
In some cases, such silence might violate the legal obligations of
publicly traded companies to share material information about their
businesses. Most companies would tell investors if an important
factory burned to the ground or thieves made off with hundreds of
millions of dollars in cash.
Maybe it’s better to have a prescribed burn of released breach information
than to have a factory fire of unprescribed released information.
As more companies come out of the closet about their Internet security
being compromised, still more start to admit it.
But many (perhaps most) don’t even know.
Fortunately, there is a way the public can get a clue
even about those companies.
Most treat online attacks as a dirty secret best kept from customers,
shareholders and competitors, lest the disclosure sink their stock price
and tarnish them as hapless.
However, as some companies come out of the closet about this (Twitter,
Facebook, Apple, etc.) and such
revelations become more common, the threat of looking foolish fades
and more companies are seizing the opportunity to take the leap in a
“There is a ‘hide in the noise’ effect right now,”
said Alan Paller, director of research at the SANS Institute, a
nonprofit security research and education organization. “This
is a particularly good time to get out the fact that you got hacked,
because if you are one of many, it discounts the starkness of the
Containing the Global Cybercrime Threat is Focus of Counter eCrime Operations Summit (CeCOS VI) in Prague, April 25-27
CeCOS VI, in Prague, Czech Republic, to focus on harmonizing operational issues, cybercrime data exchange, and industrial policies to strengthen and unify the global counter-ecrime effort.
CAMBRIDGE, Mass.—(BUSINESS WIRE)—The 6th annual Counter eCrime Operations Summit (CeCOS VI) will convene in Prague, Czech Republic, April 25-27, 2012, as the APWG gathers global leaders from the financial services, technology, government, law enforcement, communications sectors, and research centers to define common goals and harmonize resources to strengthen the global counter-cybercrime effort.
CeCOS VI Prague will review the development of response systems and resources available to counter-cybercrime managers and forensic professionals from around the world.
Specific goals of this high-level, multi-national conference are to identify common forensic needs, in terms of the data, tools, and communications protocols required to harmonize cybercrime response across borders and between private sector financial and industrial sector responders and public sector policy professionals and law enforcement.
Earlier this week, the SEC announced new rules that require mining
companies to start reporting any fatalities and all major health and
safety violations, mine by mine, in their quarterly and annual financial
reports. The filings are mandated in the wide-ranging Dodd-Frank Wall
Street Reform and Consumer Protection Act, which Congress passed to try
to increase corporate accountability.
The rules take effect 30 days after publication in the Federal
Register. They require companies to report within four days any
“significant and substantial” violations, citations, flagrant
violations and imminent-danger orders issued by the federal Mine Safety
and Health Administration.
Coal operators must also include the dollar value of proposed fines,
whether the company has been or may be designated a pattern violator
by MSHA, and any pending cases with the Federal Mine Safety and Health
Stop-eCrime aims to reduce electronic crime by increasing transparency
of information and communications technologies.
Born out of 2010 meetings organized by the Anti-Phishing Working Group
and the IEEE Standards Association,
Stop-eCrime has already been
working on ecrime event data exchange standards and protocols, as well
as operational protocols for dealing with computers compromised by ecrime.
Now Stop-eCrime wants you to help tie these technical and operational
levels together into an ecrime detection and response system
coordinated among the public, business, academia, and government.
There’s plenty of work to be done on technical standards and
operational protocols (such as glossaries, metrics, and monetary
effects), plus Stop-eCrime needs educational materials and marketing
to explain incentives for everyone to participate in reducing ecrime.
RIPE-NCC is the oldest of the Regional Internet Registries (RIRs),
and RIPE is the deliberately unorganized association of interested parties
that meets twice a year and holds discussions online in between.
It’s a mix of operations, research,
Topics range from obscure details of deploying IPv6 to organizational
proposals such as what I was talking about.
430 people attended the meeting in Rome, which was quite a few more
than the dozen or two of the first RIPE meeting I went to many years ago.
Interesting questions were asked.
I may blog some of them.
Such experiments can draw on fifty years of social science research
and literature, first crystalized as Social Comparison Theory
by Leon Festinger in 1954,
that indicate that making personal reputation transparent changes personal behavior.
More recent research indicates that the same applies to organizations.
Using anti-spam blocklist data, it is possible to make E-Mail Service Provider
(ESP) behavior (banks, stores, universities, etc., not just ISPs)
in preventing or stopping outbound spam transparent,
and this paper is about experiments to see how the resulting reputation
actually changes ESP behavior.
In RIPE Labs, here’s a paper on
Internet Cloud Layers for Economic Incentives for Internet Security
by the IIAR Project (I’m the lead author).
Anti-spam blocklists and law enforcement are some Internet organizational
layers attempting to deal with the plague of spam, so far reaching
a standoff where most users don’t see most spam, yet service providers
spend large amounts of computing and people resources blocking it.
The root of the ecrime problem is not technology: it is money.
On April 25, 1997, millions of people in North America lost access to all of the Internet for about an hour. The hijacking was caused by an employee misprogramming a router, a computer that directs data traffic, at a small Internet service provider.
A similar incident happened elsewhere the next year, and the one after that. Routing errors also blocked Internet access in different parts of the world, often for millions of people, in 2001, 2004, 2005, 2006, 2008 and 2009. Last month a Chinese Internet service provider halted access from around the world to a vast number of sites, including Dell.com and CNN.com, for about 20 minutes.
In 2008, Pakistan Telecom tried to comply with a government order to prevent access to YouTube from the country and intentionally “black-holed” requests for YouTube videos from Pakistani Internet users. But it also accidentally told the international carrier upstream from it that “I’m the best route to YouTube, so send all YouTube traffic to me.” The upstream carrier accepted the routing message, and passed it along to other carriers across the world, which started sending all requests for YouTube videos to Pakistan Telecom. Soon, even Internet users in the U.S. were deprived of videos of singing cats and skateboarding dogs for a few hours.
In 2004, the flaw was put to malicious use when someone got a computer in Malaysia to tell Internet service providers that it was part of Yahoo Inc. A flood of spam was sent out, appearing to come from Yahoo.