Forwarded from: Mark Randall <markusat_private>

On Sunday, November 3, 2002, at 10:30 PM, InfoSec News wrote:

> Forwarded from: hugginsat_private
>
> Let me see if I get this right
>
> I'm xyz bank I haven't taken the initiative to hire a security
> manager or have hired one but, pay them minimum, they tell me I need
> to fix security holes I say nah, too expensive. I get hacked, my user
> database and credit card information is stolen. Numerous account
> users' identities are stolen but, because I report it to the FBI I
> don't need to disclose it to my stakeholders, or customers at will.
> Hmmm! sounds great rob me again.

Aww, c'mon now. It's at least a step in the right direction.

I remember a couple of years ago, hearing about some eastern bank (Taiwan? Bangkok?) that was hacked and lost $50 million. It wasn't noticed right away, but when they DID find out, all they could tell was that $50 million had been transferred to a Swiss account, but within 24 hours, the funds had been further transferred elsewhere. The bank decided not to investigate further, for fear that widespread news of the hack would shake their customers' confidence and end up being more damaging. I still find it hard to grasp that something as intangible as professional reputation can tip the scales enough to let somebody walk with $50M.

Anyway, my point is simply that many businesses are not going to tell their investors and/or customers anyway...and this tight-lipped stance of not reporting usually goes on to prosecutorial or investigative agencies as well.

So, if they can work out an anonymous system whereby the company can at least disclose details to an investigative agency or one that can help with preservation of forensic evidence for prosecution, etc...then at least that's a step in the right direction. Sure, they're not likely to disclose such details to their customers and/or investors, but hey....what can you expect?

---
Mark Randall

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.

This archive was generated by hypermail 2b30 : Thu Nov 07 2002 - 05:04:10 PST