2005 a Bad Year For Security

Greyfox writes "According to CNN, 2005 was a record year for security breaches, with cybercrime netting an estimated $105 billion and the Department of Homeland Security getting its cybersecurity budget cut 7%, to $16 Million. Apparently the government, just like private industry, doesn't pay attention to security until something bad happens to it."

24 of 91 comments

  1. Whats the point.... by majjj · · Score: 5, Insightful

    2005 also saw the largest use of computers on the network... so as a result the crime rate on the internet went up too.

    1. Re:Whats the point.... by oztiks · · Score: 2, Insightful

      This is true, but this also breeds two things which are apparent these days: cybercrime is now a profitable business, and the kids these days are getting smarter at a much younger age (contact with PCs is just so prominent).

      I don't know about whether or not cybercrime has become worse or better, and I'm satisfied believing it could be directly proportional to the increase of use of the internet in 05, but one thing I do know is that we aren't teaching safe programming methods to freshly trained developers, and as a direct result compromising a system has stayed pretty much the same for the last decade.

      The bar in system compromise hasn't really been lifted as much as it should, and getting people to develop stricter programming practices is definitely an important issue that needs to be raised, but again this all comes down to cost.

  2. Repost by NBarnes · · Score: 2, Interesting

    Governments, Not paying attention to things until something bad happens; See also September 11, 2001

    1. Re:Repost by jc42 · · Score: 3, Insightful

      Not paying attention to things until something bad happens; See also September 11, 2001

      Then taking fast, effective action, e.g. banning nail clippers on airplanes.

      Then, when it turns out that you had lots of information beforehand, but didn't have enough translators to handle it, you respond by harassing the competent translators and forcing them out of government service. See also Sibel Edmonds.

      --
      Those who do study history are doomed to stand helplessly by while everyone else repeats it.

    2. Re:Repost by Thuktun · · Score: 2, Insightful

      Governments, Not paying attention to things until something bad happens; See also September 11, 2001

      This is not just security, this is everything. People tend to ignore possibilities that reason tells them can happen, but don't seem real because they haven't happened yet. Once something happens, then they react to it and take it seriously, at least until the urgency fades.

      This is basic human nature and shouldn't surprise anyone.

  3. I'm interested in how they calculated this number by antifoidulus · · Score: 4, Interesting

    $105 billion is more than the trade deficit between the US and Japan, in other words a VERY significant chunk of change. How much of this damage was "real" as opposed to existing in name only? How did they manage to calculate such a number, and what is the overall effect on the economy? Who are the real winners and losers in this battle?

  4. Re:DHS Cybersecurity? by hankdmoose · · Score: 4, Funny

    They have XxOsama69xX on their buddy lists... what more do you want?

    --

    All my base are belong to them.
    - 11011

  5. Define "outgrown." by Phariom · · Score: 2, Insightful

    "The Treasury Department says that cyber crime has now outgrown illegal drug sales in annual proceeds, netting an estimated $105 billion in 2004, the report said."

    Perhaps dollarwise, yes. Dangerwise, no. I don't think any Federal agents ever had to face off with any Colombian coderunners in some remote jungle on the ass end of the world. Illegal drugs aren't going to fall off the top of the charts anytime soon just because some douche in the Treasury Department says so.

    Furthermore, nine times out of ten, companies and individuals who fall for scams or suffer identity theft had it coming for a total lack of judgement in how they used their personal information online or how high a priority properly implementing security measures was for them.

    1. Re:Define "outgrown." by hankdmoose · · Score: 2, Insightful

      Or, they could just be a bit more specific. For example, they could say something like, "... in annual proceeds..." to make it more clear what they mean.

      --

      All my base are belong to them.
      - 11011

  6. They forgot the biggest cyberthreat of all! by Anonymous Coward · · Score: 2, Funny

    The SLASHDOT effect!

  7. what are you expecting by User+956 · · Score: 2, Insightful

    Apparently the government, just like private industry, doesn't pay attention to security until something bad happens to it. What do you expect? the way Congress works, nobody gets credit for *preventing* a problem. They only get attention for a fast response after everything all goes to hell.

    --
    The theory of relativity doesn't work right in Arkansas.

  8. Frustrating but not surprising, really. by Parallax+Blue · · Score: 3, Interesting

    I'm not surprised. From what I hear, viruses/trojans/cyber attacks are increasingly done for profit only and not fame. And boy, money does talk... in this case, it's 105 billion doing the talking. And t3h h4x0rz are listening.

    Meanwhile, a 7% drop in budget for cybersecurity under the Dept. of Homeland Security! To how much? A billion, you say? Nope... 16 million. Ouch. I don't think that's nearly enough money... not by a long shot. And what about terrorist attacks on our nation's internet infrastructure? I'm sure that's been considered by the terrorists.

    Doesn't sound like a good situation to me, not at all.

    -PlxBlu

  9. The Twelfth Step in TrustABLE IT by NZheretic · · Score: 2, Interesting

    From Twelve Step TrustABLE IT : VLSBs in VDNZs From TBAs

    [12] Governments, organizations and individuals are becoming increasingly concerned about software compatibility, conflicts and the possible existence of spyware in the software applications they use. If you have access to the source code, then you can check it and compile it for yourself. This is not an option for closed source proprietary applications, and not everyone has the resources to check each line of source code. One solution for these issues is to employ a trusted third party, separate from the application developer, who is tasked with maintaining a trusted build environment, to build the binaries from source code. The Trusted Build Agent (TBA) would hold the source to each build in escrow, releasing the source code for only open source licensed code. Competing businesses providing a TBA service in a free market would compete with each other in not only price and level of certification, but also on the ability to detect hostile, vulnerable, incompatible or just plain buggy source code. You could request a trusted build from multiple TBAs to test the ability to detect defects. Defects would be reported back to the application developers, along with any patches and suggestions that provide a fix. To a lesser extent, most Linux distributions and other operating system vendors that build and redistribute open source licensed code already provide this role.
  10. Lol eh what by SmallFurryCreature · · Score: 4, Insightful

    Even for a CNN article this is kinda, ehm, short? They quote figures but with absolutely no basis. 105 billion? WOW, that is a huge wad of cash. But globally? Restricted to the US? 55 million Americans affected, that is what, like 1 in 5? Again WOW.

    As for the department of Homeland Security getting a budget cut. Well is it even its task? Isn't credit card fraud something for the FBI to tackle? And social security number fraud would probably fall under either your social security agency or the IRS.

    The securing of military IT would be a task for the military and I think the NSA does something with it as well. The US seems to have so many agencies to keep it secure that I cannot remember them all.

    So is that 16 million perhaps the budget for the Department of Homeland Security's OWN security? Do they really have to keep the entire US of A safe with that money, or just their own network?

    I like a panic story as much as the next guy, but at least give me some basis and do not just throw some random numbers around.

    What exactly is lumped into that 105 billion dollar figure? Every bad check? Counterfeit credit cards? Stolen Half-Life keys? And whose job is it to keep us safe? Army? NSA? CIA? FBI? Local police? Department of Homeland Security? Or more likely, all of them for different parts of it?

    --

    MMO Quests are like orgasms:

    You may solo them, I prefer them in a group.

    1. Re:Lol eh what by kesuki · · Score: 2, Insightful

      clearly to come to that number they're calculating $1 for every mp3 traded over Kazaa, eMule etc... and $20 for every movie over said p2p services...

      i can't imagine a better way to 'inflate' the dollar value of 'cybercrime' than to include the 'data sharing' crimes, which steal only 'potential' earnings, mostly from people who would have sacrificed on other manufactured goods etc if they had bought said material.

      you might as well take netflix profit, inflate it by 20, and say that's what netflix has cost the movie studios by making it super easy to watch dvds at home.

  11. This is not likely to change soon by steinnes · · Score: 2, Insightful

    We've still got overall internet usage increasing quite a bit every year, so just like everyone else, more criminals are getting online. There are so many aspects of the internet which have yet to be discovered by organized crime factions that find flaws in social systems to make money all the time, and it would be natural to assume that they will be discovering new criminal ways to make money on the internet over the next 5-6 years at least.

    Not until we reach some sort of plateau in internet usage growth can we even start expecting cybercrime figures to start going down, but at the moment it's a growing market, and one which is largely untouched by organized crime and thus probably still rather ripe.

  12. Re:my prediction by TallMatthew · · Score: 2, Insightful

    When will programmers start writing secure code? When will we stop hearing "security is hard" or even worse "security is impossible"? When will people start demanding that programmers write secure code?

    Phishing, fraudulent Ebay auctions and Nigerian lottery scams have nothing to do with poorly-written code. They have to do with poorly-thinking brains. The Internet makes a great place for fraud because you don't know who you're communicating with. Some people haven't grasped that concept yet. I guess they don't give sermons about that stuff.

    In a related story, cybersex has increased as well.

  13. Re:I'm interested in how they calculated this numb by gbobeck · · Score: 4, Interesting

    "How did they manage to calculate such a number"

    It's actually fairly easy to calculate this number.

    First, pick a LARGE random number. This number should be roughly equivalent to the biggest number you can think of. Next, multiply this number by 4. Finally, divide by a suitable power of 10 so that the number doesn't seem too impossible.

    More seriously...

    I recommend people to check out attrition.org's Statistics section ( http://attrition.org/errata/statistics/introduction.html )

    One section I feel obligated to quote is:

    "One of the largest things media outlets use to back their claims are statistics. It is absolutely incredible how many times a media outlet will quote a statistic and not credit where it came from. Further, they are fond of taking creative liberty with how they quote the article to suit their needs.

    These stats cover damage to systems, percentage of intrusions, and everything else. There are simply too many instances of suspect statistics as they relate to the computer security industry to read, match and provide analysis of them all." (from http://attrition.org/errata/stats.html )

    --
    Navicula hydraulica plena anguilarum est. Omnes castelli tuus nostri sunt. Ed elli avea del cul fatto trombetta.

  14. My information got compromised twice by cyberkahn · · Score: 2, Interesting

    My information got compromised twice. The first incident was with eCheck (used at the time by Scottrade), which got hacked into. The other incident was with Colorado Technical University, in which an employee inadvertently mailed out an attachment with a roster of students. This roster included my whole life basically. Perhaps until there is some general law of accountability e.g. SOX, GLBA, or HIPAA companies and institutions will take protecting information more seriously? Perhaps when the cost of security is less than the legal suits that will follow the incident, they will be more proactive? The hacking incident might have been more difficult to guard against, but the email incident could have easily been prevented with something like Entrust.

  15. This explains a lot by Anonymous Coward · · Score: 2, Insightful

    For Christ's sake, this kind of bitching is the exact reason you guys have ended up with that Patriot Act mess. For a start, rejoice that they've scaled Homeland Security back. It means that they're actually admitting that there's less terrorist threat than before, and that they're not trying to maintain the police state indefinitely.

    As for the government not taking security seriously until something bad happens to it... all I can say to that is a big loud fart, since for the last five years of my life, which is a good 25%, not to mention the most recent 25%, all I've known is government obsession with security. It leaks down too. Businesses stop you taking photos of their buildings by means of scary guards, "because of terrorism".

    The real reasons it was a bad year for security are things like the first collisions found for heavily-relied-on encryption methods. You won't find that kind of stuff on CNN though.

  16. Re:my prediction by jesser · · Score: 2, Insightful

    Phishing, fraudulent Ebay auctions and Nigerian lottery scams have nothing to do with poorly-written code. They have to do with poorly-thinking brains.

    Phishing may not have anything to do with poorly-written code, but it does have a lot to do with poorly-designed protocols and user interfaces. Phishing is as successful as it is because

    (1) Most email systems do not authenticate senders (even by hostname), so it's trivial to spoof email messages.

    (2) Most web browsers expect users to parse URLs in their heads in order to determine what site they're on, and then parse hostnames (which happen to be written "backwards" compared to the rest of the URL) to determine whether to trust the site.

    If protocols and software were better designed, phishing would only work on extremely gullible people.

    --
    The shareholder is always right.
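
    The hostname point in the comment above, as an added example that is not part of the thread: a small Python checker that reads a URL's hostname right to left, the way the DNS delegates it, and flags links where a trusted domain name appears in the hostname but is not the part that actually names the owner. The public-suffix set is a deliberately simplified stand-in for the real Public Suffix List, and the sample URLs are constructed under RFC 2606 reserved example domains.

```python
import ipaddress
from urllib.parse import urlsplit

# Simplified stand-in for the Public Suffix List (assumption: production
# code would load the real list; these entries suffice for the samples).
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def hostname_of(url: str) -> str:
    """Return the lowercase hostname of a URL with scheme, port, path and
    query stripped away; that hostname alone decides which site you are on."""
    host = urlsplit(url).hostname
    if host is None:
        raise ValueError(f"no hostname in {url!r}")
    return host.lower().rstrip(".")


def owning_domain(hostname: str) -> str:
    """Read the labels right to left, the way the DNS delegates them: first
    the public suffix, then the one label that names the registrant. Every
    label further left is chosen freely by that registrant, so it says
    nothing about who owns the site even when it spells a trusted name."""
    try:
        ipaddress.ip_address(hostname)
        return hostname  # a literal IP address has no registrant label
    except ValueError:
        pass
    labels = hostname.split(".")
    # Try the longest candidate suffix first so "co.uk" wins over "uk".
    for n in range(len(labels) - 1, 0, -1):
        if ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return ".".join(labels[-2:])  # unknown suffix: fall back to two labels


def misleading_for(url: str, trusted_owner: str) -> bool:
    """Detection check: the trusted domain appears inside the hostname, yet
    the right-to-left reading shows the site belongs to someone else."""
    host = hostname_of(url)
    return trusted_owner in host and owning_domain(host) != trusted_owner


if __name__ == "__main__":
    # Constructed sample links, all under RFC 2606 reserved example domains.
    samples = [
        "https://secure.example.com/login",
        "https://www.example.com.account-verify.example.net/login?acct=1",
        "http://EXAMPLE.CO.UK:8443/statement",
    ]
    for url in samples:
        host = hostname_of(url)
        print(f"{url}\n  host={host} owner={owning_domain(host)} "
              f"misleading={misleading_for(url, 'example.com')}")
```
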
  17. Imaginary figures, real problem by FishandChips · · Score: 2, Insightful

    It's hard to think of any other industry that costs society $105 billion a year but which goes unscathed, largely unregulated, the darling of the stock market and haven for some of the finest minds around, etc., etc. Not the least of the difficulties with cybersecurity is that it's a world of smoke and mirrors in which nearly all the statistics are bogus and all the players claim it's the next guy's problem, not theirs.

    A good example of this is the British guy who recently won a court case against a spammer, thereby setting a legal precedent (as reported on Slashdot yesterday). He managed what platoons of highly paid IT experts and IT lawyers totally failed to do. No one seemed to have asked why the finest minds of our time, blah blah, were unable to find $20 to fund a suit in the UK small claims court.

    Even if the true cost is a fraction of that quoted, this is still a serious matter since it is replicated in every country where there is a worthwhile IT presence. Since the IT industry seems unwilling or unable to reform itself, perhaps governments should step in with a special tax on large IT outfits in order to fund the fighting of computer crime and a severe crackdown on ISPs who happily tolerate bot farms or software houses who knock out software full of holes. Bot/zombie farms, in particular, are the oxygen of online criminals since without them their job is a lot harder. It is almost incredible that so little has been done to choke them off.

    --
    Las qué passoun
    tournoun pas maï

  18. Re:my prediction by dc29A · · Score: 2, Insightful

    When will programmers start writing secure code? When will we stop hearing "security is hard" or even worse "security is impossible"? When will people start demanding that programmers write secure code?

    - When software makers are held liable for security holes in their products. Managers and marketing will wake up then and stop demanding ridiculously tight schedules that pretty much eliminate the time a programmer could take for code review and security measures. As long as there is no $$ involved in punishing the culprit (corporation), there won't be any security improvements.

  19. It Is NOT Just The Net by camperslo · · Score: 2, Interesting

    They're talking about tech (data) security overall, not just the net. The losses result from a variety of problems. Identity theft is high on the list, I'm sure. While the online side of this is the first thing we tend to think of, it is also occurring at the retail/mailbox/trashcan/employee level. I read a recent article which pointed out that law enforcement was only fairly recently catching on to the motivation behind one large segment of identity theft. An increasing number of meth addicts are turning to identity theft in addition to more traditional crime to finance drug purchases. A deep understanding of what is happening is essential to dealing with our problems. While efforts to go after criminals after the fact are very important, we need to go beyond that and work at many types of prevention. Education of the public, data handlers, and other areas of law enforcement is essential.

    Some businesses need some major changes to improve security, and they have been too slow in coming. When companies focus on profits while neglecting the public good, regulation has failed. It's partly the fault of laws limiting liability that Windows continues to be so insecure. Credit card companies seem to be too busy ripping off their customers through obscenely high interest rates and fees generated through unethical behaviours including unethical promotions, contract terms, and business practices. If the credit industry were properly regulated and had to function on more reasonable rates, they'd have more incentive to protect those profits by improving the security of the system. As it is, as long as we're healthy enough for them to feed on, they're happy. (Sounds like the Wraith??)

    It is very misleading to measure what's going on here by the amount of funding to one agency. The roots of our problems go far deeper than that. What we need is increased insight, reform, caring, and honesty in all levels of government and throughout society. Much of what government has done through improper regulation, especially at the federal level, has permitted us to be ripped off from all directions.

    The banking deregulation act of 1980 let banks profit while the public was ripped off. It cost us over $1300 PER HOUSEHOLD. The picture grows larger. Some of the bad regulation and enforcement is from political corruption. Still other regulations encourage that. The F.C.C., who has left us ripe for feeding the cable/ISP/cellular/phone companies, has also undermined a core part of our society by changing regulations in a way where commercial broadcasters have strayed far from being responsible trustees of the public interest. We ought to have locally owned licensees (living in the coverage area of stations they own). Instead we've got the broadcast counterpart of Wal-Mart. They're masking much news that matters, and pushing many bad products and behaviours. As a start, if broadcasters had to provide fair and equal political information for free (NO PAID POLITICAL ADS), we'd have far less trouble with politicians needing to sell their souls to fund their campaigns. The media is also more directly connected to some of the lower-tech scams. Has anyone else noticed all of the scammers on infomercials? Most are not high-tech, although some hide behind satellite phones.

    Changing the rules relating to advertising brought us infomercials, drug ads, and attorney ads. If station ownership were far more diverse, we'd have fewer bad regulations sneaking through while the media acts like one giant eye focusing on one thing excessively while something much worse is happening.

    I think many of our problems, including financial security, are more effectively tackled through good policy than brute-force spending.

    "Good God Katie! This is supposed to be a news show!" - Jim Carrey on the Today Show, as Katie goes into the usual fluff in spite of the people of New York struggling with freezing temperatures outside while having no public transportation.