Domain: econinfosec.org
Stories and comments across the archive that link to econinfosec.org.
Stories · 3
-
Business Is Booming In the 'Zero-Day' Game
HonorPoncaCityDotCom writes "Nicole Perlroth and David E. Sanger write in the NY Times that all over the world, from South Africa to South Korea, business is booming in zero days. The average attack persists for almost a year before it is detected, according to Symantec, the maker of antivirus software. Until then it can be exploited or 'weaponized' by both criminals and governments to spy on, steal from, or attack their targets. Ten years ago, hackers would hand knowledge of such flaws to Microsoft and Google free in exchange for a T-shirt, but increasingly the market for 0-day exploits has begun to migrate into the commercial space (PDF) as the market for information about computer vulnerabilities has turned into a gold rush. Companies like Vupen charge customers an annual $100,000 subscription fee to shop through its catalog, and then charges per sale to countries who want to use the flaws in pursuit of the kind of success that the United States and Israel achieved three summers ago when they attacked Iran's nuclear enrichment program with a computer worm that became known as 'Stuxnet.' Israel, Britain, Russia, India and Brazil are some of the biggest spenders but North Korea is also in the market, as are some Middle Eastern intelligence services." -
ID Theft In US Continues Apace Despite Data Breach Laws
4roddas points out an article at Techworld about the continued scourge of identify theft in the US, which begins: "Over the past five years, 43 US states have adopted data breach notification laws, but has all of this legislation actually cut down on identity theft? Not according to researchers at Carnegie Mellon University who have published (PDF) a state-by-state analysis of data supplied by the US Federal Trade Commission (FTC). 'There doesn't seem to be any evidence that the laws actually reduce identity theft,' said Sasha Romanosky, a Ph.D student at Carnegie Mellon who is one of the paper's authors. Since 1999 the FTC has invited identity theft victims to log information about their cases on its Web site. The data are then made accessible to law enforcement, which uses the information to help analyze crime trends." -
Schneier on Economic Insights to IT Security
Scyld_Scefing writes "In his June 29, 2006 Wired News article, 'It's the Economy, Stupid,' Bruce Schneier covers the content of the 2006 Workshop on the Economics of Information Security. Schneier says that economic analysis of IT security issues is relatively new, and links to one of the significant earlier papers from 1991, 'Why Information Security Is Hard -- An Economic Perspective' (.pdf). This article states: 'According to one common view, information security comes down to technical measures. Given better access control policy models, formal proofs of cryptographic protocols, approved firewalls, better ways of detecting intrusions and malicious code, and better tools for system evaluation and assurance, the problems can be solved. In this note, I put forward a contrary view: information insecurity is at least as much due to perverse incentives. Many of the problems can be explained more clearly and convincingly using the language of microeconomics: network externalities, asymmetric information, moral hazard, adverse selection, liability dumping and the tragedy of the commons.'"