[SecurityRatty] tag: takes

Stolen Credit Cards account for 59% of online criminal activity

Fri, 28 Nov 2008 13:09:24 +0000

Please dont become a statistic in this area.
Be careful online, make sure the site is safe and make sure your computer security products are up to date and functioning properly.

clipped from www.crime-research.org

Symantec takes cybercrime snapshot with ‘Underground Economy’ report

The “Underground Economy” report contains a snapshot of online criminal activity observed from July 2007 to June 2008 by a Symantec team monitoring activities in Internet Relay Chat (IRC) and Web-based forums where stolen goods are advertised. Symantec estimates the total value of the goods advertised on what it calls “underground servers” was about $276 million, with credit-card information accounting for 59% of the total.

Forensic genomics

Thu, 27 Nov 2008 12:58:58 +0000

I recently presented a paper on Forensic genomics: kin privacy, driftnets and other open questions (co-authored with Lucia Bianchi, Pietro Liò and Douwe Korff) at WPES 2008, the Workshop for Privacy in the Electronic Society of ACM CCS, the ACM Computer and Communication Security conference. Pietro and I also gave a related talk here at the Computer Laboratory in Cambridge.

While genetics is concerned with the observation of specific sections of DNA, genomics is about studying the entire genome of an organism, something that has only become practically possible in recent years. In forensic genetics, which is the technology behind the large national DNA databases being built in several countries including notably UK and USA (Wallace’s outstanding article lucidly exposes many significant issues), investigators compare scene-of-crime samples with database samples by checking if they match, but only on a very small number of specific locations in the genome (e.g. 13 locations according to the CODIS rules). In our paper we explore what might change when forensic analysis moves from genetics to genomics over the next few decades. This is a problem that can only be meaningfully approached from a multi-disciplinary viewpoint and indeed our combined backgrounds cover computer security, bioinformatics and law.

(Image from Wikimedia commons, in turn from NIST.)

Sequencing the first human genome (2003) cost 2.7 billion dollars and took 13 years. The US’s National Human Genome Research Institute has offered over 20 M$ worth of grants towards the goal of driving the cost of whole-genome sequencing down to a thousand dollars. This will enable personalized genomic medicine (e.g. predicting genetic risk of contracting specific diseases) but will also open up a number of ethical and privacy-related problems. Eugenetic abortions, genomic pre-screening as precondition for healthcare (or even just dating…), (mis)use of genomic data for purposes other than that for which it was collected and so forth. In various jurisdictions there exists legislation (such as the recent GINA in the US) that attempts to protect citizens from some of the possible abuses; but how strongly is it enforced? And is it enough? In the forensic context, is the DNA analysis procedure as infallible as we are led to believe? There are many subtleties associated with the interpretation of statistical results; when even professional statisticians disagree, how are the poor jurors expected to reach a fair verdict? Another subtle issue is kin privacy: if the scene-of-crime sample, compared with everyone in the database, partially matches Alice, this may be used as a hint to investigate all her relatives, who aren’t even in the database; indeed, some 1980s murders were recently solved in this way. “This raises compelling policy questions about the balance between collective security and individual privacy” [Bieber, Brenner, Lazer, 2006]. Should a democracy allow such a “driftnet” approach of suspecting and investigating all the innocents in order to catch the guilty?

This is a paper of questions rather than one of solutions. We believe an informed public debate is needed before the expected transition from genetics to genomics takes place. We want to stimulate discussion and therefore we invite you to read the paper, make up your mind and support what you believe are the right answers.

Zermatt is now Geneva Framework

Wed, 26 Nov 2008 11:41:00 +0000

For those who didn't attend PDC, the Zermatt identity framework has been re-code-named Geneva Framework so that it fits in with the Geneva family of products:

Geneva Framework: a .NET class library called Microsoft.IdentityModel (basically it's an updated Zermatt)

Geneva Server: This is essentially ADFS v2, built on top of the Geneva Framework

Geneva CardSpace: This is CardSpace v2.

This link takes you to the "Geneva" landing page at Microsoft, where you'll find links to all of the bits, as well as the whitepaper v2. The new version of the whitepaper was co-authored by myself and a PM on the Geneva Framework team, Sesha Mani, who added a bunch of new details based on the PDC version of the framework.

Localizing Cybercrime - Cultural Diversity on Demand Part Two

Tue, 25 Nov 2008 05:55:21 +0000

It's where you advertise your services, and how you position yourself that speak for your intentions, of course, "between the lines". There's a common misunderstanding that in order for a malware campaigner or scammer to launch a localized attack speaking the native language of their potential victims, they need to speak the local language. This misconception is largely based on the fact that a huge number of people remain unaware on how core strategic business practices have been in operation across the cybercrime underground for the last couple of years.

Outsourcing the localization process (translation services for spam/phishing/malware campaigns) has been happening for a while, courtsy of DIY servics ensuring complete anonymity of their customers. Interestingly, the translators may in fact be unaware that the advertising channels the service is using is directly attracting everyone from the bottom to the top of the cybercriminal food chain as a customer. Sometimes, it's services like this that open a new market segment covering an untapped opportunity, with this particular service already pointing out that it's charging cheaper than their competitors.

"We offer our services in translation. We are only competent translators profile higher education. Service is working with all types of texts. Languages available at this time of Russian, English, German. Average translation of the text takes up to 10 hours (usually much faster) through the full automation of the order and payment. Just want to note that we do not keep any logs on IP and does not require registration. In addition you can remove your order from the database after his execution. In addition to running more than 1000 translations already, we can use all the lessons learned to be more effective in our services. Prices vary depending on the complexity of the topic covered.

Prices and deadlines:
* Standard - the deadline is not more than 24 hours. Prices depend on the direction and guidance from the 'Order'.
* Term - work on your translation begins precedence. The price of the 50% more than the standard translation. Prices also depend on the direction and guidance from the 'Order'.

The cost of the transfer depends on the amount of work. The workload is measured in symbols. In calculating the characters are shown letters and numbers. Punctuation do not count. Minimum order 100 characters."

I'm particularly curious how is a contractor(translator) going to react to a situation when a large scale malware campaign speaking several different languages tell a fake story that the contractor might have recently translated for them. With the employer positioning itself as a fully legitimate company, whereas its customers requesting localized version of texts for the spam/phishing/malware campaigns are the "usual suspects", the contractors would continue allowing cybercriminals the opportunity to build more authenticity within their campaigns.

Related posts:
E-crime and Socioeconomic Factors
MPack and IcePack Localized to Chinese
The Icepack Exploitation Kit Localized to French
The FirePack Exploitation Kit Localized to Chinese
Localizing Open Source Malware
Localized Fake Security Software
A Localized Bankers Malware Campaign
Lonely Polina's Secret (Localized malware campaign)

Symantec takes cybercrime snapshot with 'Underground Economy' report

Sun, 23 Nov 2008 21:00:00 +0000

The criminal market online for buying and selling stolen credit cards, pirated software and information about financial accounts is thriving, according to a Symantec report published Monday.

Opinion: Obama's Blackberry Is No Security Threat

Thu, 20 Nov 2008 02:00:00 +0000

A lot of the stories about President-Elect Barack Obama possibly having to relinquish his BlackBerry when he takes office Jan. 20 are, for a variety of reasons, just plain dumb.

Presented By:

Expedition Week Continues Tonight

Seven nights of one great discovery after another continues tonight at 9P e/p only on National Geographic Channel. From the ancient pyramids to the ocean depths, from lost cities to outer space, travel with the latest generation of intrepid explorers as they make one great discovery after another. Expedition Week, only on National Geographic Channel.
www.natgeotv.com/expedition

Ads by Pheedo

CISSPs Lend me your ears

Tue, 18 Nov 2008 01:15:31 +0000

Art of Information Security endorses Dan Houser for (ISC)² Board of Directors

The CISSP is undoubtably one of the most, if not the most, important professional certifications in Information Security. Many organizations and practitioners rely on it as evidence of a solid foundation and track record in Information Security. But the CISSP is only one of the many ways that the (ISC)² attempts to fulfill its mission of developing the Information Security profession.

Board membership is a role of governance, guidance, and passion. Let’s briefly explore how Dan’s track record and past contributions demonstrate his qualification for this post, and possibly your vote.

Passion

Dan is someone who has a passion for promoting and developing the talent needed to continue to grow and mature our profession. Anyone who has seen Dan speak at conferences, local chapter meetings, or in one of his classes knows how passionate Dan is! But anyone who takes the time to approach him knows that he is no ideologue or zealot; Dan is always interested in improving his own understanding, and then sharing that knowledge with others.

Dan has a long track record as a contributor - as a “giver” - to the profession. In addition to teaching over a dozen CISSP review courses, he has also served on multiple (ISC)² committees, is one of the authors of the ISSAP Body of Knowledge (cryptography), and has published primary research on professional certifications. He is also the founder of the monthly Columbus, Ohio Information Security MBA (Masters of Beer Appreciation) meeting - a professional roundtable that attracts practitioners from across the state.

Governance and Guidance

In addition to past experience serving on (ISC)² committees, which I assume led to the current board’s nomination, Dan has served on numerous Boards of Directors including local and regional community organizations, ISSA chapters,and several Toastmasters clubs.

Personal Experiences

I have known Dan for almost three yeas. Dan and I have collaborated on a number or projects, including a half-day Cryptographic Controls Seminar and a full-day Identity Management Architecture class. It is my feeling that when you collaborate, work closely, and travel with someone, you really get to know them. You get to do more than hear about their College Sweethearts (which, for Dan, is Rebecca, his wife of 21 years), but you also get to understand their ethics, how they really conduct themselves, how they deal with stress, etc.

Given the entire picture, the understanding that I have of Dan Houser, I can think of no one better suited to representing, guiding and developing the (ISC)². I have voted for Dan, and I hope that you will consider doing the same.

Here is the voting link for (ISC)²: https://webportal.isc2.org/custom/votenow.aspx

Cheers, Erik

CISSPs… Lend me your ears…

It's all about getting the job done, unfortunately

Mon, 17 Nov 2008 10:09:00 +0000

Managers expect users to meet certain performance levels. Users, being human, do whatever it takes to meet management's expectations. So why, when we don't provide an alternative, do we bemoan continued bad behavior.

Attacks On Banks

Mon, 17 Nov 2008 03:15:09 +0000

This article provides an overview of the methods currently used by cyber criminals to attack financial institutions and banks in particular. It reviews general trends and takes how malicious programs ...

Events per Second the difference between a target and an assurance

Sun, 16 Nov 2008 21:00:00 +0000

We’ve been getting a good few questions recently about how many Events Per Second a SIEM product support. Well, that depends on a few factors:

The transport – processing Syslog events takes up a heck of a lot less processing power than collecting from a Windows box. Same with collecting data over an ODBC connection.