[ISN] Expert: Online extortion growing more common

[InfoSec News]

Forwarded from: "security curmudgeon" <jericho at attrition.org>

: http://news.com.com/Expert+Online+extortion+growing+more+common/2100-7349_3-5403162.html
:
: By Dan Ilett
: Special to CNET News.com
: October 8, 2004
:
: "Six or seven thousand organizations are paying online extortion
: demands," Alan Paller said at the SANS Institute's Top 20
: Vulnerabilities conference in London. "The epidemic of cybercrime is
: growing. You don't hear much about it because it's extortion, and 
: people feel embarrassed to talk about it."

If they don't like to talk about it, where does the figure of 6 to
7000 come from? Is there any real basis for this number or is this a
complete ballpark guess based on a few news articles mentioning it?

: "Every online gambling site is paying extortion," Paller asserted.
: "Hackers use DDoS (distributed denial-of-service) attacks, using 
: botnets to do it. Then they say, 'Pay us $40,000, or we'll do it again.'"

Seems like that kind of money could buy you a pretty fat pipe to sit
on and would potentially mitigate all but the hardcore attacks? Or let
you hire someone that is familiar with such attacks to help you better
prepare for them? Or encourage your ISP to buy more bandwidth or hire
someone that can help address the problems?

And if these sites aren't doing that, and they aren't reporting the
crime then they deserve what they get. Paying off the DDoS crews is
only encouraging them. If it is that fullproof of a money making
scheme for them, why are they going to stop? If law enforcement is
involved in the case it seems like they will have a significant chance
of determining who is involved the first time they monitor a company
paying off the attackers.

: Paller called for tech companies to do better. He said that security
: vulnerabilities are vendors' responsibility to fix and that their
: products should reflect the suggestions associated with the SANS top 20
: vulnerabilities list.

Uh.. how do the SANS Top 20 vulnerabilities affect or mitigate DDoS
attacks? The 10 windows and 10 unix are fairly specific, and none of
them cover protecting against a DDoS attack. This 'news' piece quickly
becomes a glorified product pitch.

: "Applications breaking after patching is the operating system vendor's
: fault," he said. "They tell developers to build applications on
: unprotected systems. But the other half of the game is that application
: vendors should have to test their products on safer systems. You do 
: that with procurement."

Yes, get more money and then spend it on an organization such as SANS
i'm guessing. 

*yawn*