[ISN] Expert: Online extortion growing more common
isn at c4i.org
Sat Oct 9 05:02:14 EDT 2004
By Dan Ilett
Special to CNET News.com
October 8, 2004
"Six or seven thousand organizations are paying online extortion
demands," Alan Paller said at the SANS Institute's Top 20
Vulnerabilities conference in London. "The epidemic of cybercrime is
growing. You don't hear much about it because it's extortion, and
people feel embarrassed to talk about it."
The SANS Institute, based in Bethesda, Md., offers training and
resources related to information security.
"Every online gambling site is paying extortion," Paller asserted.
"Hackers use DDoS (distributed denial-of-service) attacks, using
botnets to do it. Then they say, 'Pay us $40,000, or we'll do it
Paller added he was concerned that the same techniques used for
extortion--that is, DDoS attacks--could easily be used to target
organizations in the critical national infrastructure.
Roger Cumming, the director of the U.K.-based National Infrastructure
Security Co-ordination Centre, shares Paller's concern.
"There's an enormous amount of extortion," Cumming said. "We are
concerned...(that) the technologies of extracting money could be used
to endanger the (critical national infrastructure). One of the things
we are talking about is how to mitigate that threat."
Paller called for tech companies to do better. He said that security
vulnerabilities are vendors' responsibility to fix and that their
products should reflect the suggestions associated with the SANS top
20 vulnerabilities list.
"Applications breaking after patching is the operating system vendor's
fault," he said. "They tell developers to build applications on
unprotected systems. But the other half of the game is that
application vendors should have to test their products on safer
systems. You do that with procurement."
A representative for at least one prominent British gambling site said
that he would rather not comment on the whole issue.
Dan Ilett of ZDNet UK reported from London.
More information about the ISN