The Year of 2008 In Cybercrime
BobB-nw writes "Underground botnet markets and high-profile spam cases headlined the year in tech crime. One of the most disturbing cybercrime trends in 2008, many security analysts say, has been the emergence of a full-blown underground economy where credit card information, identity theft information, and spam and phishing software are all available for relatively low prices. 2008 also saw major developments in the cases against three major spammers in the United States."
Worse. ANOTHER stupid, mindless Networkworld slide show.
Can someone please rustle up a good old Scientology bashing article, please?
Faster! Faster! Faster would be better!
It's 2008, not 1998; aren't we done with "cyber" yet?
Quidquid latine dictum sit, altum sonatur.
Hasn't there always been an underground crime racket in things like check fraud, ID fraud, ID forging, financial fraud, theft etc.? It isn't that this is an emerging market, more than it is where the old market has moved into. In the same way as Walmart moved from the real to the virtual, so are the criminals.
Sure it's slightly different in that you don't get mugged and it can be better automated and scaled, but fake or duplicate passports have been around for years as has the ID theft problem. Hell, in a world where Illinois can elect 4 out of 8 corrupt governors it's hardly surprising that there is a problem with fraud and extortion.
This isn't news about a market that is new, it's news about how existing crime organisations are going into new markets, just like the Mafia et al shifting from alcohol and protection into drugs. There has always been a problem with organised crime and there has always been an underground market for illegal information and products (after all these are just different illegal shipments).
This reads a bit like the .com stories of 1999 which said that there was a new magic economy that would replace the old one, then it turned out that mainly it was the boring old economy that worked in the new world. I'd imagine that the same is pretty true for the cybercrime world, same bosses, different henchmen who have more brains than muscles.
An Eye for an Eye will make the whole world blind - Gandhi
20 years ago, we didn't have the term "brick and mortar" to differentiate between a vendor and an e-vendor. Is it REALLY that much of a shock that the Black Market, which has been around for hundreds of years, now has an online shopping cart?
I'm not a 1337 hacker, I'm not a computer expert, and I'm certainly not savvy to the cutting edge of crime but I'm sure this isn't remotely new. Is anyone else reading this and thinking that this was the case at least as far back as 2006?
And not a word about Gary McKinnon and the US's ongoing struggle to try and extradite him.
Build a Man a Fire, and He'll Be Warm for a Day. Set a Man on Fire, and He'll Be Warm for the Rest of His Life.
Yes, it does.
No operating system is perfectly secure. Even Linux, with its non-root mentality, has exploits for it. I've got 74 updates waiting for download right now, many of which are security updates. (Let's just say 1/4 for the sake of argument.)
Windows was wiiiide open for years, which is why there are so many exploits for it. We've all read the "Surviving the First Day of Windows XP" guide; we know how open that OS was. That's not to say it's the only shaky OS. It's just the most famous and the most available.
The folks who break into our computers spend and make fortunes on security. I've spent about $100 in the last 10 years securing my computer. The only things that keep me from getting cracked are my obscurity and my neural network. In other words, I don't have anything valuable or desirable, and I'm not dumb enough to open random attachments.
Any online system is crackable, given enough time and resources. These cybercriminals have more of both than we do.
Thinking for even one second that you're fully secure because you're using Linux makes you part of the problem.
---
ECHELON is a government program to find words like bomb, jihad, plutonium, assassinate, and anarchy.
A biggest black eye for IT is the ease with which criminals can use zappers to dupe accounting packages.
This message was not sent from an iPhone because Peter Sellers really was a deviated prevert without a dime for the call
No, I think I'm fully secure because I:
* Run a hardware firewall between my cablemodem and my Linux box, AND an iptables firewall on my Linux box,
* Drop packets that aren't part of an established or related session (instead of rejecting them), so to most scans I'm a black hole,
* Always clear all my data when exiting Firefox, including cookies and everything else, and periodically clobber my .firefox directory with a clean version I keep handy,
* Have no open ports or services that someone could latch onto (i.e. my network-facing Linux box is strictly a workstation),
* And (important!) I always -- ALWAYS -- turn off my computer AND disconnect my cablemodem whenever I'm not actively using them. In fact, my cablemodem is rather nice; it has a button on top that disconnects it, so I don't even have to pull the cable. To hack ME, you've got to know my random DHCP IP address, AND you've got to know whether I'm even online, which only happens for a couple of hours a day.
Before you get all proud of yourself for being wiser than the rest of us Linux guys, realize that using Linux or *BSD actually DOES make you more secure, because the tools available to you to secure your box are top-notch, and with a little effort, you CAN be completely secure.
Get over yourself. Do you think you're adding anything to the conversation?
"The only things that keep me from getting cracked are my obscurity"
Security through obscurity will never work!
What OS does the vast majority of this 'identity theft', spam and phishing run on?
davecb5620@gmail.com
The solution is to stop relying on Credit Card numbers for online verification. Using something like a smartcard, for each transaction, use a card-reader to generate a unique one time session-code. The transaction from the card-reader to the server is encrypted by this one-time session code. No CVC2 number, no PIN or card number need be entered or sent over the connection. To verify card present, the card generates a one-time four digit passcode that is synchronized with the server and this is typed in by the user, only then is the transaction completed. At worst all a key logger would record is a defunct four digit code and session key.
davecb5620@gmail.com
Which is easier, trying to stem the phishing epidemic or putting away a UFO nut ..
..
"The Americans have a secret spaceship?" I ask
".. What were the ship names?"
"I can't remember," says Gary.
"I was smoking a lot of dope at the time. Not good for the intellect."
davecb5620@gmail.com
"It goes back WAY further than 2006 .. It was much easier to get away with back then it would seem as it was before the invention of that CV2 number"
..
CV2 numbers are already hacked through the use of 'bugging' devices that record card wipes and key presses, usually with the collusion of the staff.
"but essentially it's the same today as it was back then"
Correct, a total failure of the so-called security experts to devise a secure online commercial transaction system.
davecb5620@gmail.com
"Windows was wiiiide open for years, which is why there are so many exploits for it"
How do you explain the current phishing infestation?
'We've all read the "Surviving the First Day of Windows XP" guide; we know how open that OS was'
It's news to me that it was considered so open. I can't find a link to the original but this says that to secure XP you enabled the XP firewall. Not much of an improvement then.
"Thinking for even one second that you're fully secure because you're using Linux makes you part of the problem"
It's not my Linux getting hacked that's a worry, but the server getting hacked and my identity stolen.
davecb5620@gmail.com
While taking precautions carefully helps, nothing is completely secure. Just like careful use of a condom reduces your chances of disease and fatherhood, they are not a guarantee. What you're discussing is basically the same, you're putting condoms on your computer and trying to be careful with what other computers you connect to, but even that is not absolute prevention. Still, if you're going to do it, then it is safer with the precautions.
XP didn't always have that security center.
Before the firewall was put on by default in SP2, a fresh install of XP had - at best - 5 minutes between the time you connected it to the Internet and the time someone else had full control of your machine. It was unbelievable.
Phishing is nothing new. It's the same ancient techniques used by snake oil salesmen and corrupt businesses since we started using money as a trade medium.
You're right about hacked servers. It's a problem that won't go away until they make banks financially responsible for the security breaches.
---
ECHELON is a government program to find words like bomb, jihad, plutonium, assassinate, and anarchy.
ECHELON? Isn't that where the government searches for words like bomb, plutonium, assassinate, and anarchy?
Also, awesome game on the C64. Wireframe 3d like Elite! but still awesome.
Basically you're just saying that you're as secure as the next guy using Windows XP with sufficient knowledge.
Nothing new there, move along.
The problem is that the majority of people having a computer connected to the Internet lack the skills to secure it no matter what OS they are running.
And before they have learned how to secure it they have already made holes in the default security in order to make, for example, a torrent client work.
...lb
...Lorenzo / I'm into kinky crustaceans. I just discovered internet praWn.
That still isn't fully secure. Not all attack vectors are covered in the 'connections incoming from the cloud' category.
Before you get all proud of yourself for being wiser than the rest of us Linux guys, realize that using Linux or *BSD actually DOES make you more secure, because the tools available to you to secure your box are top-notch, and with a little effort, you CAN be completely secure.
Get over yourself. Do you think you're adding anything to the conversation?
this is you.
Ah, but Windows XP has many mysterious services turned on all the time. A home user cannot be expected to understand what any of those services are, or why ports are open, or indeed what ports ARE.
Linux, on the other hand, tends not to behave that way. By default, the only thing Ubuntu has open is the printer port. Use Firestarter to set up a firewall and even that won't be available to the outside world.
Safer by DEFAULT.
If you want to be even safer, use OpenBSD. Those guys are just plain paranoid. I believe it's the only operating system available in which ALL the code has been audited -- and continues to be, on a regular basis.
If you think I'm doing the fanboy boogie, I'd like you to try a short experiment. Your assignment, should you choose to accept it, is to cleanly install three operating systems one at a time on a wiped, empty laptop. For each, you will connect the laptop directly to the internet (no hardware firewall -- don't cheat!), and retrieve a full set of O/S updates WITHOUT YOUR MACHINE BEING COMPROMISED. Try the O/Ses in this order: OpenBSD, Ubuntu Linux, and Windows XP.
I'm taking a shot in the dark here, but I'm guessing you won't see anything remarkable for BSD or Linux, but you'll be lucky if your XP install is even usable by the time you're done.
Let's find out! If I'm wrong, PROVE IT. Show me how tough Windows is. Tip: The average lifespan of an unprotected network-connected Windows XP box is fourteen minutes.