Re: [ISN] Feds pursue secrecy for corporate victims of hacking

From: InfoSec News (isnat_private)
Date: Thu Nov 07 2002 - 02:47:20 PST

    Forwarded from: Mark Randall <markusat_private>
    
    On Sunday, November 3, 2002, at 10:30  PM, InfoSec News wrote:
    
    > Forwarded from: hugginsat_private
    >
    > Let me see if I get this right.
    >
    > I'm xyz bank. I haven't taken the initiative to hire a security
    > manager, or have hired one but pay them minimum; they tell me I need
    > to fix security holes, I say nah, too expensive.  I get hacked, my user
    > database and credit card information is stolen.  Numerous account
    > users' identities are stolen but, because I report it to the FBI, I
    > don't need to disclose it to my stakeholders, or customers at will.
    > Hmmm! Sounds great, rob me again.
    
    Aww, c'mon now.  It's at least a step in the right direction.
    
    I remember a couple of years ago, hearing about some eastern bank
    (Taiwan?  Bangkok?) that was hacked and lost $50 million.  It wasn't
    noticed right away, but when they DID find out, all they could tell
    was that $50 million had been transferred to a Swiss account, but
    within 24 hours, the funds had been further transferred elsewhere.
    The bank decided not to investigate further, for fear that widespread
    news of the hack would shake their customers' confidence and end up
    being more damaging.
    
    I still find it hard to grasp that something as intangible as
    professional reputation can tip the scales enough to let somebody walk
    with $50M.
    
    Anyway, my point is simply that many businesses are not going to tell
    their investors and/or customers anyway...and this tight-lipped stance
    of not reporting usually goes on to prosecutorial or investigative
    agencies as well.  So, if they can work out an anonymous system
    whereby the company can at least disclose details to an investigative
    agency or one that can help with preservation of forensic evidence for
    prosecution, etc...then at least that's a step in the right direction.
    
    Sure, they're not likely to disclose such details to their customers
    and/or investors, but hey....what can you expect?
    
    ---
       Mark Randall
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    