2005 a Bad Year For Security
Greyfox writes "According to CNN, 2005 was a record year for security breaches, with cybercrime netting an estimated $105 billion and the Department of Homeland Security getting its cybersecurity budget cut 7%, to $16 Million. Apparently the government, just like private industry, doesn't pay attention to security until something bad happens to it."
2005 also saw the largest use of computers on the network... so as a result the crime rate on the internet went up too.
So what do these guys actually do? Hunt eOsama bin Laden on the intarwebs, along with other famous cyberterrorists?
Well really... It's not their job to secure our computers, is it?
Governments, not paying attention to things until something bad happens; see also September 11, 2001.
And of course, for developers with proven records in secure systems design and implementation.
$105 billion is more than the trade deficit between the US and Japan, in other words a VERY significant chunk of change. How much of this damage was "real" as opposed to existing in name only? How did they manage to calculate such a number, and what is the overall effect on the economy? Who are the real winners and losers in this battle?
2006 - record year for security ...
2007 - record year for security
2008 - record year for security
2009 - record year for security
2010 - record year for security
Do you get the point?
When will programmers start writing secure code? When will we stop hearing "security is hard" or even worse "security is impossible"? When will people start demanding that programmers write secure code?
Local mathematician here to update. We're still working on it. Sorry about the delay! We'll have security soon.
Who said "SONY ROOTKIT" ?
is a record year for security incidents. I don't foresee this changing next year, either.
Agents acting on behalf of the very highest level of the United States Government creating such problems to distract citizens from other problems, and to soften them up for fear-induced manipulation.
Perhaps dollarwise, yes. Dangerwise, no. I don't think any Federal agents ever had to face off with any Colombian coderunners in some remote jungle on the ass end of the world. Illegal drugs aren't going to fall off the top of the charts anytime soon just because some douche in the Treasury Department says so.
Furthermore, nine times out of ten, companies and individuals who fall for scams or suffer identity theft had it coming for total lack of judgement in how they used their personal information online or how high of a priority properly implementing security measures were for them.
Apparently the government, just like private industry, doesn't pay attention to security until something bad happens to it. What do you expect? The way Congress works, nobody gets credit for *preventing* a problem. They only get attention for a fast response after everything all goes to hell.
I'm not surprised. From what I hear, viruses/trojans/cyber attacks are increasingly done for profit only and not fame. And boy, money does talk... in this case, it's 105 billion doing the talking. And t3h h4x0rz are listening.
Meanwhile, a 7% drop in budget for cybersecurity under the Dept. of Homeland Security! To how much? A billion, you say? Nope... 16 million. Ouch. I don't think that's nearly enough money... not by a longshot. And what about terrorist attacks on our nation's internet infrastructure? I'm sure that's been considered by the terrorists.
Doesn't sound like a good situation to me, not at all...
-PlxBlu
1. Enron: investigations into Bush admin involvement looming.
2. Image: Puppet-Prez viewed as embarrassment and liability by own nation.
3. Oil: 'nuff said about that.
4. "New Pearl Harbor": Military-Industrial-Security complex losing ground, needs new bogeyman.
As for the department of Homeland Security getting a budget cut. Well is it even its task? Isn't credit card fraud something for the FBI to tackle? And social security number fraud would probably fall under either your social security agency or the IRS.
The securing of military IT would be a task for the military and I think the NSA does something with it as well. The US seems to have so many agencies to keep it secure that I cannot remember them all.
So is that 16 million perhaps the budget for the Department of Homeland Security's OWN security? Do they really have to keep the entire US of A safe with that money, or just their own network?
I like a panic story as much as the next guy, but at least give me some basis and do not just throw some random numbers around.
What exactly is lumped into that 105 billion dollar figure? Every bad check? Counterfeit credit cards? Stolen Half-Life keys? And whose job is it to keep us safe? Army? NSA? CIA? FBI? Local police? Department of Homeland Security? Or more likely, all of them for different parts of it?
We've still got overall internet usage increasing quite a bit every year, so just like everyone else, more criminals are getting online. There are so many aspects of the internet which have yet to be discovered by organized crime factions that find flaws in social systems to make money all the time, and it would be natural to assume that they will be discovering new criminal ways to make money on the internet over the next 5-6 years at least.
Not until we reach some sort of plateau in internet usage growth can we even start expecting cybercrime figures to start going down, but at the moment it's a growing market, and one which is largely untouched by organized crime and thus probably still rather ripe.
"How did they manage to calculate such a number"
It's actually fairly easy to calculate this number.
First, pick a LARGE random number. This number should be roughly equivalent to the biggest number you can think of. Next, multiply this number by 4. Finally, divide by a suitable power of 10 so that the number doesn't seem too impossible.
More seriously...
I recommend people to check out attrition.org's Statistics section ( http://attrition.org/errata/statistics/introduction.html )
One section I feel obligated to quote is:
"One of the largest things media outlets use to back their claims are statistics. It is absolutely incredible how many times a media outlet will quote a statistic and not credit where it came from. Further, they are fond of taking creative liberty with how they quote the article to suit their needs.
These stats cover damage to systems, percentage of intrusions, and everything else. There are simply too many instances of suspect statistics as they relate to the computer security industry to read, match and provide analysis of them all." (from http://attrition.org/errata/stats.html )
Crime involving computers has been a combination of hype and low budgets for many years - "The Hacker Crackdown" by Bruce Sterling (free online and dead tree versions available) shows what it was like some time ago and little has changed. Back then one of the high profile computer law enforcement people really wanted the budget to buy an Amiga - but I don't think that was ever approved.
My information got compromised twice. The first incident was with eCheck (used at the time by Scottrade), which got hacked into. The other incident was with Colorado Technical University, in which an employee inadvertently mailed out an attachment with a roster of students. This roster included my whole life, basically. Perhaps until there is some general law of accountability, e.g. SOX, GLBA, or HIPAA, companies and institutions won't take protecting information more seriously? Perhaps when the cost of security is less than the legal suits that will follow the incident, they will be more proactive? The hacking incident might have been more difficult to guard against, but the email incident could have easily been prevented with something like Entrust.
I've seen first hand an increase in phishing attempts this year because I've had to fix - mostly clean - more relatives' computers. More spyware too. I'd say that most of us would agree. It's a shame, really. But I'll also be the first to admit that I've earned some cash on the side because of it. It's not something I'm proud of, but it was offered. It shouldn't have to come to that. Ah well. We'll manage. More threats arise with each year. I think that has something to do with the passage of time though, no?
For Christ's sake, this kind of bitching is the exact reason you guys have ended up with that Patriot Act mess. For a start, rejoice that they've scaled Homeland Security back. It means that they're actually admitting that there's less terrorist threat than before, and that they're not trying to maintain the police state indefinitely.
As for the government not taking security seriously until something bad happens to it... all I can say to that is a big loud fart, since for the last five years of my life, which is a good 25%, not to mention the most recent 25%, all I've known is government obsession with security. It leaks down too. Businesses stop you taking photos of their buildings by means of scary guards, "because of terrorism".
The real reasons it was a bad year for security are things like the first collisions found for heavily-relied-on encryption methods. You won't find that kind of stuff on CNN though.
Funny that you compare it to a "trade deficit", an even more meaningless number.
http://news.yahoo.com/s/ap/20051230/ap_on_hi_te/white_house_bug:
"Cookies from the White House site are not generated simply by visiting it, according to analyses by the AP and by Richard M. Smith, a security consultant in Cambridge, Mass., who first noticed the Web bug this week.
Rather, WebTrends cookies are sometimes created when visiting other WebTrends clients. Smith said his analysis of network traffic shows such preexisting cookies have then been used when visiting the White House site."
Hmmm... Seems they were using web bugs, cookies/etc to track "something". Now, THEY'RE being investigated.
Just the other day, in my:
http://slashdot.org/comments.pl?sid=172431&cid=14
I commented that it's not just the CIA and other spook shops that track and do things, but I hadn't considered a rogue contractor doing things on its own. Then again, this could be yet another smokescreen to make "contractors" look worse than the government and deflect public attention.
Wow! Just under 45 hours 'til the end of the year; I wonder what OTHER stories we'll see before the fireworks light up...
>> "How did they manage to calculate such a number"
They did it in the same way that the press calculates any other number. Take the actual number, and then multiply by four to six orders of magnitude.
These are your leaders, folks. This is how they protect ya. Broadly spying on the communications of American citizens without constitutional authority? Sure! Securing the national computing infrastructure, or at least funding the incident response guys? Nahhhh, why bother.
It's hard to think of any other industry that costs society $105 billion a year but which goes unscathed, largely unregulated, the darling of the stock market and haven for some of the finest minds around, etc., etc. No the least of the difficulties with cybersecurity is that it's a world of smoke and mirrors in which nearly all the statistics are bogus and all the players claim it's the next guy's problem, not theirs.
A good example of this is the British guy who recently won a court case against a spammer, thereby setting a legal precedent (as reported on Slashdot yesterday). He managed what platoons of highly paid IT experts and IT lawyers totally failed to do. No one seemed to have asked why the finest minds of our time, blah blah, were unable to find $20 to fund a suit in the UK small claims court.
Even if the true cost is a fraction of that quoted, this is still a serious matter since it is replicated in every country where there is a worthwhile IT presence. Since the IT industry seems unwilling or unable to reform itself, perhaps governments should step in with a special tax on large IT outfits in order to fund the fighting of computer crime and a severe crackdown on ISPs who happily tolerate bot farms or software houses who knock out software full of holes. Bot/zombie farms, in particular, are the oxygen of online criminals since without them their job is a lot harder. It is almost incredible that so little has been done to choke them off.
Why do you blame this one on Congress?
From what I see, just about everyone works that way, especially corporations. I wouldn't single out Congress on this one.
Why do you say that? Just curious. I'm not an economist or anything like that.
The Garden of Ahhah (hahahahahahahaha) "It was a pretty big year for crashin' A lousy year for Cisco and vole The people gave their paychecks to crimes of phishin' It was a dark, dark night for the collection bowl."
I'm an admin-type who has to deal with the aftermath of these security problems, but I've always wondered who actually has the time on their hands to discover them. This is especially true for some of the incredibly obscure holes that have popped up in Windows recently.
Half-jokingly, do malevolent organizations pay a legion of nerds full-time salaries and all the Jolt they can drink to hack on code all day? Or is it lone crackers who just want to be first with a new exploit?
Even if I wasn't married or had a house to help take care of, I don't think I could invest the time required to find some of the crazy exploits that are coming to light now.
Apparently the government, just like private industry, doesn't pay attention to security until something bad happens to it.
Sure, they pay attention. They make sure they've got plenty of meaningless but showy actions and PR releases in place to convince the public that they're doing something. Just like private industry, if you think about it.
Then, when something bad happens, it's more of the same.
Meanwhile, if someone points out a real, specific problem that could be fixed, the usual response of both public and private organizations is to attack the messenger rather than the problem. And to increase secrecy, so that other problems can't be found easily and we can pretend that they don't exist.
It may still go without saying, but the problems are still to be found with one particular vendor's defects at the epicenter.
Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
If cybercrime got the money and attention some pot did, geeks would be in Abu Ghraib getting tortured by mannish-looking women.
They're talking about tech (data) security overall, not just the net. The losses result from a variety of problems. Identity theft is high on the list, I'm sure. While the online side of this is the first thing we tend to think of, it is also occurring at the retail/mailbox/trashcan/employee level. I read a recent article which pointed out that law enforcement was only fairly recently catching on to the motivation behind one large segment of identity theft. An increasing number of meth addicts are turning to identity theft in addition to more traditional crime to finance drug purchases. A deep understanding of what is happening is essential to dealing with our problems. While efforts to go after criminals after the fact are very important, we need to go beyond that and work at many types of prevention. Education of the public, data handlers, and other areas of law enforcement is essential. Some businesses need some major changes to improve security, and they have been too slow in coming. When companies focus on profits while neglecting the public good, regulation has failed. It's partly the fault of laws limiting liability that Windows continues to be so insecure. Credit card companies seem to be too busy ripping off their customers through obscenely high interest rates and fees generated through unethical behaviours including unethical promotions, contract terms, and business practices. If the credit industry were properly regulated and having to function on more reasonable rates, they'd have more incentive to protect those profits by improving the security of the system. As it is, as long as we're healthy enough for them to feed on, they're happy. (Sounds like the Wraith??)
It is very misleading to measure what's going on here by the amount of funding to one agency. The roots of our problems go far deeper than that. What we're needing is increased insight, reform, caring, and honesty in all levels of government and throughout society. Much of what government has done through improper regulation, especially at the federal level, has permitted us to be ripped off from all directions.
The banking deregulation act of 1980 let banks profit while the public was ripped off. It cost us over $1300 PER HOUSEHOLD. The picture grows larger. Some of the bad regulation and enforcement is from political corruption. Still other regulations encourage that. The F.C.C., who has left us ripe for feeding the cable/ISP/cellular/phone companies, has also undermined a core part of our society by changing regulations in a way where commercial broadcasters have strayed far from being responsible trustees of the public interest. We ought to have locally owned licensees (living in the coverage area of stations they own). Instead we've got the broadcast counterpart of Wal-Mart. They're masking much news that matters, and pushing many bad products and behaviours. As a start, if broadcasters had to provide fair and equal political information for free (NO PAID POLITICAL ADS), we'd have far less trouble with politicians needing to sell their souls to fund their campaigns. The media is also more directly connected to some of the lower-tech scams. Has anyone else noticed all of the scammers on info-mercials? Most are not high-tech, although some hide behind satellite phones.
Changing the rules relating to advertising brought us infomercials, drug ads, and attorney ads. If station ownership were far more diverse, we'd have fewer bad regulations sneaking through while the media acts like one giant eye focusing on one thing excessively while something much worse is happening.
I think many of our problems, including financial security, are more effectively tackled through good policy than brute-force spending.
That number is derived from a study in which they wrote down figures until one of them looked about right.
As a republican I feel it my responsibility to manufacture criminals. People need punished!
Stats... 50% of the time they are bogus, 50% of the time they are made up.
"And whose job is it to keep us safe? Army? NSA? CIA? FBI? Local police? Department of Homeland Security?"
It's YOUR job. Not the government's.
Commercial software sellers/leasers are in a very unique position in industry where they can call their IP a "product", treat it like that in terms of profit, yet be treated differently from a legal perspective from tangible product manufacturers. They can get patents, etc, yet are under no obligation to provide any normal consumer warranty.
I think a rather interesting case could be made by some class action involving tangible manufacturers against some software company if they have been affected because of a software exploit, etc., and had to eat the "get out of any responsibility" free card that the software manufacturers enjoy and foist upon the other companies with their protected "product". I am amazed it hasn't happened yet, actually. Equal protection under the law might be an avenue to explore there. If not that, then perhaps an actual change to the law might be in order to force the issue. If that becomes too scary for the intangible IP peddlers, maybe they might rethink gathering up patents and calling their offerings products. Perhaps, anyway. It would be interesting to watch. ACME hardware widgets vs. ACME software widgets, in other words. Paraphrased and slangified: "Judge, I have to provide a warranty for my widgets, why doesn't this guy? He calls it a product, it's got patents connected to it, money changed hands, we got pwned because of this patented product, so WTF is up with that 'no warranty' action?"
There is no incentive for any government policing agency to lobby and work towards totally secure code for "the public". They are just as much in the rooting business as any other black hatter out there. Having well-secured code in the general public's hands is counterproductive for the total information surveillance society from their POV. For themselves, yes; for everyone else, nope. And the different agencies spy on each other as well, so there ya go, a situation that enforces the status quo of insecure software in general terms.
Where the hell is Tom Clancy and his NetForce when you need this shit? along with Team RAINBOW and Jack Ryan....
I'm sure most of that figure is made up by the **AA in terms of 'pirated intellectual property' and has nothing directly to do with security at all.
I call shenanigans on this article.
Those numbers appear to be made of PURE foo foo dust.
. . . how do they know how much money drug lords make? Are they somehow monitoring ALL the drug deals and not making a move to stop drug deals that they KNOW ABOUT?
How do they know how many drugs are sold - surely not every drug user or dealer gets busted. . .
Simple. They ask insurance companies. If you thought insurance companies only controlled access to the law, healthcare and retirement income, you'd be much mistaken. Their marketing departments don't just churn out statistics to scare folk - they're an essential part of any developed country's economic planning.
The winners are people who run insurance companies. You can guess who the losers are.
The Bushies and NSA/CIA et al really would love to have prevented 9/11 but you know, they lacked resources.
All these sweeping new powers and the dismemberment of the Constitution is unfortunate but necessary to protect the chiiiiiiiildren.
Right.
It has been noted more than once that should the software companies writing code become obliged to pay for the damages caused, the price of such software would skyrocket, as the development times will. And this won't be implemented in any one single country, since the developers there would be put at a great disadvantage. The chances of such an idea becoming law universally, of course, are infinitesimal.
On a somewhat unrelated note, free software seems to be naturally exempted from this, and is thus allowed to be all buggy and exploitable, thus losing somewhat of an edge against commercial software... so I'm not all that sure it's the direction where the wind blows right now.
Personally I am far from defending the poor programming practices and irresponsible coding; in fact, when I actually worked as a programmer, way back in the early '90s (and there weren't many of us in post-Soviet Russia then), I used to be very keen on code quality and beta-testing. In fact, the hardest thing I get to do in my projects is persuading people to actually use some beta-testing in them. (You don't really want to know how the money is earned in the IT business here these days...)
The problem that I am referring to has nothing to do with defending the bad coders and incompetent designers. It is about the inertia that the first-to-market and vendor lock-in concepts developed in the IT world. You cannot just stop a car by pressing a button, no matter how good your brakes are. And with the whole sector's business models built around faulty in this way models, I'd say it's not going to happen.
The instant the law that makes corporations liable for damages caused by malfunctioning of their software passes, everybody just plain stops selling software -- or gets sued to bankruptcy. And that means lots of people lose jobs, NASDAQ crashes, economies get another kick in the head they need so much right now, etc. Nobody in their right mind would want to do that.
That's why I don't expect a revolution anytime soon, and there doesn't seem much to be done about it.
I don't know about all states, but California requires companies to admit any case where personal information may have been leaked, as opposed to being somewhat optional before. And since large companies tend to do business in California (along with the other states), we've had more disclosures.
And of course, there are the other common sense reasons too -- more computers, etc..
When the US has a "trade deficit" with Japan, Japanese companies or individuals have to be doing something with the extra money -- either investing in US companies (creating a "capital surplus") or allowing another country to import from the US (creating a "trade surplus" with a country other than Japan). The latter is sometimes called a trade triangle.
I'm not an economist either, but that's the explanation I remember from an econ class I took a few years ago.