Adam Shostack, whose group blog Emergent Chaos
I quote frequently in this blog, has a new book coming out with
co-author Andrew Stewart:
New School of Information Security
We think there’s an emerging way of approaching the world, which we call
the New School.
We start with a look at some persistent issues like spam and identity
theft. From there, we look at why the information security industry
hasn’t just fixed them, and some of the data sources which we rely on
and how poor they are. We then look at some new sources of data, and new
ways of interpreting them, and close with some very practical steps that
any individual or organization can take to make things better.
The New School of Information Security,
10 March 2008
I haven’t read the book yet, since it’s not published yet, but if it’s like the
material he posts in his blog, it’s a good thing.
One of his commenters doesn’t get it:
a 30-year-old book about computer security and
notes that the IRS then and now doesn’t adequately protect taxpayers’
information and promises to do better.
His quote that I like best, though, is:
Top management people in large corporations fear that publicity about internal fraud could well affect their companies’ trading positions on the stock market, hold the corporation up to public ridicule, and cause all sorts of turmoil… (Computer Capers, page 72)
Computer Capers: Tales of electronic thievery, embezzlement, and fraud,
by Thomas Whiteside, Ty Crowell Co., 1978
That’s why corporations fear a breach reporting reputation system.
That’s also why we need one.
Or is it really phishing when the victim first broadcasts his bank
Top Gear presenter Jeremy Clarkson has admitted he was wrong to brand the
scandal of lost CDs containing the personal data of millions of Britons a
“storm in a teacup” after falling victim to an internet scam.
The outspoken star printed his bank details in a newspaper to try and
make the point that his money would be safe and that the spectre of
identity theft was a sham.
He also gave instructions on how to find his address on the electoral
roll and details about the car he drives.
However, in a rare moment of humility Clarkson has now revealed the
stunt backfired and his details were used to set up a £500 direct debit
payable from his account to the British Diabetic Association.
The charity is one of many organisations that do not need a signature to set up a direct debit.
Clarkson stung by fraud stunt,
Monday January 7 2008
He admits he was wrong, but nonetheless tries to pin the blame partly
on a privacy law:
“The bank cannot find out who did this because of the Data Protection
Act and they cannot stop it from happening again,” he said. “I was wrong
and I have been punished for my mistake.”
At least he doesn’t call for revoking that Act; he does call for
going after the perpetrators.
PS: Seen on
The U.K. Revenue ministry has been leaking massive amounts
of personal information, and now it’s affected the ruling party:
The Government will face fresh questions over the loss of millions of
voters’ personal data amid evidence the debacle has helped fuel a massive
slump in public confidence.
One poll showed those backing Labour’s ability to handle economic
problems had been more than halved to 28%, with just a quarter deeming
Gordon Brown’s administration “competent and capable”.
And another gave the Tories a nine-point overall lead, its strongest
position for 15 years, just weeks after Labour enjoyed an 11-point
advantage in the same poll.
Confidence in Labour ‘plummets’,
Friday November 23, 2007 7:03 AM
A government at risk of falling due to lack of breach security
and perceived lack of technical competence might be what it takes
to get governments and industry to take breach security seriously,
for example by requiring breach reporting.
How to get rich quick through ecrime:
This paper studies an active underground economy which specializes in the commoditization of activities such as credit card fraud, identity theft, spamming, phishing, online credential theft, and the sale of compromised hosts. Using a seven month trace of logs collected from an active underground market operating on public Internet chat networks, we measure how the shift from "hacking for fun" to "hacking for profit" has given birth to a societal substrate mature enough to steal wealth into the millions of dollars in less than one year.
An Inquiry into the Nature and Causes of the Wealth of Internet Miscreants
Vern Paxson, Adrian Perrig, and Stefan Savage.
Proc. ACM CCS, October 2007.
How to stop it?
Law enforcement is good, but insufficient.
Ditto traditional technological Internet security methods.
We already knew that.
Real progress will be made by disrupting the criminal economy
by poisoning trust.
Read the paper for the authors’ suggestions of Sybil attacks
and slander attacks.
Make the criminals’ identities unreliable and poison their reputations.
This is considered the paper of the year by some prominent computer
security professionals, and for good reason.
APWG eCrime Researchers Summit
has released its papers by linking them to its agenda.
Lots of interesting stuff there about phishing and website takedown,
capture and recapture, password reuse, behavioral reaction, etc.
There were also sessions on getting technology solutions adopted
and user education, but those appeared to be panels, and don’t
have papers posted.
Anti-Phishing Working Group
is having one of its periodic member meetings,
this time in Pittsburgh.
Probably I shouldn’t report too much detail,
but I’ll say that interesting things are going on worldwide
that may spread to other countries.
For example, in Japan it seems that fake programming sites
are more popular than phishing.
Also, if I heard correctly, most phishing in the Japanese
language originates from phishers in Japan.
This would make sense, since it’s very hard for foreigners
to write well enough to pretend to be Japanese.
So that one probably won’t spread too widely,
but the fake programming scam could.
My favorite is the history attack.
World War II ended on 15 August 1945 in Japan, so
a timeline of that war can get a lot of hits on a war’s end
link in August of any year.
Who would have known history could be so popular?
Meanwhile, during Carnival in Brazil, nobody reports malware,
so there’s a dip in measurements…
Then, and during the rest of the year, sophisticated personalized
social engineering attacks seem to be popular in Brazil.
Iang reminds me that it was on his blog, Financial Cryptography,
that I saw
the rough estimate of how much an identity theft costs, that is,
He follows up on my post of yesterday about LifeLock, discussing
a company called Integrity which insures identities in Second Life.
Or, actually, insures any lawsuits resulting from "inappropriate content",
whatever that is.
Then he gets to the real question:
How viable is this model? The first thing would be to ask: can’t we fix
the underlying problem? For identity theft, apparently not, Americans
want their identity system because it gives them their credit system,
and there aren’t too many Americans out there that would give up the
right to drive their latest SUV out of the forecourt.
On the other hand, a potential liability issue within a game would seem
to be something that could be solved. After all, the game operator has
all the control, and all the players are within their reach. Tonight’s
pop-quiz: Any suggestions on how to solve the potential for
large/class-action suits circling around dodgy characters and identity?
If Insurance is the Answer to Identity, what’s the Question?,
September 11, 2007
This wraps right around to the original reaction of the person from
whom I heard it (hi, Anne Marie) on a list that is silent.
I have several thoughts about this:
Since identity thieves are making many people worried
about losing control of their identities, of course
somebody has found a way to cash in on all that free publicity:
By now you’ve heard the stories about Americans whose identities have
been stolen. They’re not pretty…people working for hundreds of hours
over many years to get their lives back in order, kids not getting student loans because someone has already ruined their credit, people losing homes because thieves placed mortgages they never knew existed,
even innocent individuals ending up in jail.
LifeLock can keep this from happening to you and we guarantee our service up to $1,000,000.
I seem to recall reading that the typical identity theft is only
worth $1,000, but never mind that.
Look who recommends it:
You’ve heard Rush Limbaugh, Paul Harvey, Dr. Laura, Sean Hannity, Howard Stern, Dr. Joy and others endorse us.
Well! None of those people would ever sell pure fear, would they?
I have to give them credit for honesty, though: LifeLock admits right out
that the main four preventive things they do you could do for yourself.
Beyond that, the main substance they seem to offer is essentially
an insurance package:
If your Identity is stolen while you are our client, we’re going to
do whatever it takes to recover your good name. If you need lawyers,
we’re going to hire the best we can find. If you need investigators,
accountants, case managers, whatever, they’re yours. If you lose money
as a result of the theft, we’re going to give it back to you.
For $110/year or $10/month, is such an insurance policy overpriced,
underpriced, or what?
What do you do with
the world’s fastest supercomputer?
Use it to follow football, of course!
Today we started seeing new Storm mails and the web pages changed layouts completely. Now the theme is National Football League (NFL) which is timely considering the 2007 NFL season started on the 6th of September. The website even has the correct score, statistics, and schedule information.
Storm and NFL,
Sunday, September 9, 2007
It’s sort of like gambling on the game;
gambling that some suckers will think the site is legit.
PS: Seen on Fergie’s Tech Blog.