Forwarded from: Harlan Carvey <keydet89@private> To: mailroomuk@private > : "Six or seven thousand organizations are paying online extortion > : demands," Alan Paller said at the SANS Institute's Top 20 > : Vulnerabilities conference in London. "The epidemic of cybercrime > : is growing. You don't hear much about it because it's extortion, > : and people feel embarrassed to talk about it." > > If they don't like to talk about it, where does the figure of 6 to > 7000 come from? Agreed. And I have to wonder, as well...why isn't the media asking this question? It's not a biased question at all, to ask where the numbers come from. In fact, by not asking the question *and* by referring to Mr. Paller as an expert, isn't that demonstrating bias? > : "Every online gambling site is paying extortion," Paller asserted. Note: "asserted". This makes you wonder...how accurate is this assertion? Does Mr. Paller have inside information? Look at it this way...if Mr. Paller has some sort of relationship w/ online gambling sites, might they then feel somewhat betrayed (and exposed) by his making this statement? Wouldn't his professional reputation with them suffer? Therefore, one should expect that his assertion is just that...an assertion. > And if these sites aren't doing that, and they aren't reporting the > crime then they deserve what they get. Paying off the DDoS crews is > only encouraging them. Exactly. One would expect that since $40K greatly exceeds the Attorney General-mandated threshold of $5K, such things would be reported. > If it is that fullproof[sic] of a money making scheme for them, why > are they going to stop? True. Excellent question. I have to wonder why the author doesn't seem to have asked that question. > : Paller called for tech companies to do better. Do better at what?? I think it's a fairly pretty belief that most companies need to do a better job of securing their (information) assets, but when an "expert" calls for companies to do better, wouldn't it be a good idea to be a little bit more explicit? > : He said that security vulnerabilities are vendors' > : responsibility to fix and that their products should reflect the > : suggestions associated with the SANS top 20 vulnerabilities > : list. I'm not sure that I agree with Mr. Paller...I think that his comment feeds off of the atmosphere of tranferring responsibility, rather than accepting it. Security vulnerabilities in products may be the responsibility of the vendor to fix, but shouldn't those who use the products understand their strengths and weaknesses, and design their infrastructure to mitigate the weaknesses as much as possible? > Uh.. how do the SANS Top 20 vulnerabilities affect or mitigate DDoS > attacks? The 10 windows and 10 unix are fairly specific, and none of > them cover protecting against a DDoS attack. This 'news' piece > quickly becomes a glorified product pitch. No kidding! ===== ------------------------------------------ Harlan Carvey, CISSP "Windows Forensics and Incident Recovery" http://www.windows-ir.com http://groups.yahoo.com/group/windowsir/ "Meddle not in the affairs of dragons, for you are crunchy, and good with ketchup." "The simplicity of this game amuses me. Bring me your finest meats and cheeses." ------------------------------------------ _________________________________________ Open Source Vulnerability Database (OSVDB) Everything is Vulnerable - http://www.osvdb.org/
This archive was generated by hypermail 2.1.3 : Wed Oct 20 2004 - 01:05:04 PDT