- "In less than 15 years, cybercrime has moved from obscurity to the spotlight of consumer, corporate and national security concerns. Popular accounts suggest that cybercrime is large, rapidly growing, profitable and highly evolved; annual loss estimates range from billions to nearly $1 trillion. While other industries stagger under the weight of recession, in cybercrime, business is apparently booming. Yet in terms of economics, there’s something very wrong with this picture. Generally the demand for easy money outstrips supply. Is cybercrime an exception? If getting rich were as simple as downloading and running software, wouldn’t more people do it, and thus drive down returns? We have examined cybercrime from an economics standpoint and found a story at odds with the conventional wisdom. A few criminals do well, but cybercrime is a relentless, low-profit struggle for the majority. Spamming, stealing passwords or pillaging bank accounts might appear a perfect business. Cybercriminals can be thousands of miles from the scene of the crime, they can download everything they need online, and there’s little training or capital outlay required. Almost anyone can do it. Well, not really. Structurally, the economics of cybercrimes like spam and password-stealing are the same as those of fishing. Economics long ago established that common-access resources make for bad business opportunities. No matter how large the original opportunity, new entrants continue to arrive, driving the average return ever downward. Just as unregulated fish stocks are driven to exhaustion, there is never enough “easy money” to go around. How do we reconcile this view with stories that cybercrime rivals the global drug trade in size? One recent estimate placed annual direct consumer losses at $114 billion worldwide. It turns out, however, that such widely circulated cybercrime estimates are generated using absurdly bad statistical methods, making them wholly unreliable."
Monday, April 16, 2012
My Ethical Hacker students thank you for pointing out a major bank vulnerability! (Postcards from Brazil to follow...) Let's not encourage improved security here, at least until we offer to return all their bank accounts in exchange for an end to weapons development...
Computer specialist who had warned Iranian banks about vulnerability, hacks and dumps 3 million accounts to make his point
April 16, 2012 by admin
Is it just me, or have these folks missed the point? From The Tehran Times:
A computer specialist, who used to work for a PSP (payment service provider) company which offers a number of Iranian banks services for accepting electronic payments, has hacked accounts of three million bank customers to show the vulnerability of the banks to computer security threats, the Persian service of the Fars News Agency reported on Sunday.
According to the report, the hacker had provided the managing directors of the targeted banks with information about the bank accounts of 1000 customers in the previous Iranian calendar year (ended on March 19) to warn them about the susceptibility of their computer systems and networks to cyber threats.
The Central Bank of Iran issued a statement on Saturday advising the bank customers to change the passwords of their bank cards to prevent possible credit card fraud.
An official at the Central Bank of Iran also told the Persian service of IRNA on Sunday that no one has illegally accessed people’s bank accounts.
“It is possible that certain individuals have some information… but they cannot use this information until the bank cards are not in their possession,” Nasser Hakimi said.
The deputy chief of Iran’s cyber police, Mohsen Mirbahresi, also said on Sunday that there is no cause for concern because the hacker has not acquired important financial information, such as bank account numbers.
No statement about improving security? Changing passwords isn’t going to do it if the security problems aren’t addressed.
Radio Free Europe and Kabir News identify the hacker as Khosrow Zare Farid, a former manager at Eniak, the operator of the Shetab payment network in Iran. According to Kabir News, Farid had previously warned the banks of the problem but got no response and decided to publish the data of 3 million accounts from ten Iranian banks.
I suspect he’s got their attention now. [Run! Bob]
The Iran Independent News Service reports that ATMs in the country are no longer dispensing cash and that the only function working is the mode for changing the passwords.
I have a friend whose life goal is to “invent a new sin!” This, he assures me, is a way to guaranteed riches... Cybercrime isn't “a new sin.”
April 15, 2012
Commentary - Experts question validity of cybercrime statistics
New York Times: The Cybercrime Wave That Wasn’t, by Dinei Florêncio, researcher and Cormac Herley, principal researcher at Microsoft Research
This is news? You probably teach torts in the torts class. By the time you reach Privacy Law, you should recognize a tort when you trip over one. You don't teach Class Actions in that class either.
How irrelevant are privacy torts to today’s biggest privacy concerns?
April 16, 2012 by Dissent
Over on Concurring Opinions, Peter Swire explains why he doesn’t teach the privacy torts in his privacy law class. He writes, in part:
Privacy torts aren’t about the data. They usually are individualized revelations in a one-of-a-kind setting. Importantly, the reasonableness test in tort is a lousy match for whether an IT system is well designed. Torts have not done well at building privacy into IT systems, nor have they been of much use in other IT system issues, such as deciding whether an IT system is unreasonably insecure or suing software manufacturers under products liability law. IT systems are complex and evolve rapidly, and are a terrible match with the common sense of a jury trying to decide if the defendant did some particular thing wrong. [That assumes juries would not understand “here is how we protected customer privacy.” Bob]
That certainly helps answer questions I’ve raised repeatedly on this blog, as to which privacy tort might apply in a particular situation that I find disturbing or egregious. It also helps explain why I find myself turning to the FTC more to go after businesses under their authority to address unfair business practices that can harm consumers.
Read more on Concurring Opinions.
Think of this as a 'rant' in graphic form, sort of a rant-o-graphic...
April 15, 2012
LLRX: SOPA’s Evil Twin Sister – CISPA
Via LLRX.com - SOPA’s Evil Twin Sister – CISPA: Well known graphic artists Jake O'Neil and Spencer Belkofer created this infographic out of a sense of urgency to visualize the salient information with as many communities as possible. This bill, the Cyber Intelligence Sharing and Protection Act of 2011, has not garnered the media coverage of the Stop Online Piracy Act (SOPA), but its high impact implications target key legal issues involving privacy and intellectual property.
This is not about reading individual emails. The software described looks at the overall semantic shifts. Are employees whose emails once contained invites to local fast food joints now talking about going to the union meeting? This is like Google scanning your emails to deliver targeted ads, only here employers are looking to see if they are the target.
"In an effort to protect sensitive data from internal security threats, some organizations are 'using new technology to look at the language of their IT staff's emails to determine whether their behavior or mind-set has changed,' the Wall Street Journal reports. Is secretly spying on and linguistically interpreting employee emails going too far in the name of security? from the article: 'I understand the need to be aware of the attitudes of workers with high-level access to data and networks, but this strikes me as creepy. What if an IT employee suddenly has relationship problems or family issues? Will they then be flagged by HR as potentially troublesome or even a data security risk? [and will HR be correct? Bob] And all without them even knowing there's a dossier being created of them and their "suspect" behavior?'"
Think of “Mom” as a codeword for “old fuddy-duddy”
So I'm not actually trying to teach my mom to use Twitter, but it makes for a nice title to this post. Mom, This Is How Twitter Works is an excellent explanation with visuals and text of how Twitter works. The post, written by Jessica Hische, explains everything you need to know about Twitter. Want to know what a reTweet is? That's covered. Do you want to know which things on your timeline can or can't be seen by others? That's explained. And just how does Twitter compare to Facebook? Jessica has that covered too.
Applications for Education
If you have ever tried Twitter, but just didn't "get it," Mom, This Is How Twitter Works is for you. If you're trying to get your colleagues to try Twitter to build their own personal learning networks online, Mom, This Is How Twitter Works could be a good primer to have them read and/or reference.
For my future e-book-using students. (In Beta, less than 800 books so far...)
April 15, 2012
Directory of Open Access Books - DOAB
"The primary aim of DOAB is to increase discoverability of Open Access books. Academic publishers are invited to provide metadata of their Open Access books to DOAB. Metadata will be harvestable in order to maximize dissemination, visibility and impact. Aggregators can integrate the records in their commercial services and libraries can integrate the directory into their online catalogues, helping scholars and students to discover the books. The directory will be open to all publishers who publish academic, peer reviewed books in Open Access and should contain as many books as possible, provided that these publications are in Open Access and meet academic standards."
Geeky: So simple, no one thought to try this before? (Axiom: The best is rarely the most heavily advertised.)
Measuring Battery Capacity With an Arduino
Denis Hennessy recently encountered a problem we’ve all faced: he needed some AAs for a battery-eating gizmo, and he was overwhelmed by the choices available. Ignoring the shiny packaging and its marketing jargon, the core question was: which brand offered the best bang-for-the-buck?
Hennessy knew that the cheapest price did not necessarily mean the best value, so he did the only logical thing: pull on his Mad Science labcoat, buy samples of all the batteries, build an Arduino-controlled testing rig, and start generating data.
… Over on his blog, Hennessy has published the results of his tests of 10 different brands of battery. Most of the batteries perform about the same from 1.5V down to about 1.2V, but below that, the results diverge wildly, with about a 9x difference between the best and the worst.
[From the blog: There’s a difference of over 9X between the best value (RS Power Ultra) and the worst value (Panasonic Evolta).]
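An added example (not Hennessy's code or data) showing the arithmetic behind such a rig: a cell is discharged through a known resistor while the Arduino logs its voltage, and delivered capacity is the integral of V/R over time down to the cutoff voltage the gizmo can tolerate. The two discharge curves, the 10 ohm load and the 10-minute sample interval are constructed; they illustrate why brands that look identical down to 1.2 V can rank very differently once the cutoff drops below it.

```c
/* Added example, not from the blog: capacity and value from a
 * constant-resistance discharge log such as an Arduino rig would record.
 * All sample voltages below are constructed, not measured. */
#include <stddef.h>
#include <stdio.h>

/* Integrate I = V/R over each sampling interval until the cell first reads
 * below cutoff_v; returns milliamp-hours delivered above that cutoff. */
double capacity_mah(const double *volts, size_t n, double dt_s,
                    double load_ohm, double cutoff_v)
{
    double coulombs = 0.0;
    for (size_t i = 0; i < n; i++) {
        if (volts[i] < cutoff_v)
            break;                        /* the device would have quit here */
        coulombs += volts[i] / load_ohm * dt_s;   /* amps * seconds */
    }
    return coulombs * 1000.0 / 3600.0;    /* coulombs -> mAh */
}

/* The value metric the blog ranks cells by: capacity per unit of money. */
double mah_per_dollar(double mah, double price_per_cell)
{
    return price_per_cell > 0.0 ? mah / price_per_cell : 0.0;
}

/* Tolerance compare for the floating-point results. */
static int near(double a, double b, double tol)
{
    double d = a - b;
    return (d < 0 ? -d : d) < tol;
}

/* Constructed 10-minute samples across a 10 ohm load for two hypothetical
 * cells: A collapses right after 1.2 V, B keeps delivering well below it. */
static const double CELL_A[] = {1.50, 1.45, 1.40, 1.30, 1.25, 1.21,
                                1.05, 0.90, 0.80};
static const double CELL_B[] = {1.50, 1.45, 1.40, 1.30, 1.25, 1.21, 1.18,
                                1.15, 1.12, 1.10, 1.05, 1.00, 0.95, 0.90, 0.80};
#define DT_S     600.0
#define LOAD_OHM 10.0
#define LEN(a)   (sizeof(a) / sizeof((a)[0]))

int main(void)
{
    const double cutoffs[] = {1.2, 0.9};
    for (size_t c = 0; c < LEN(cutoffs); c++) {
        double a = capacity_mah(CELL_A, LEN(CELL_A), DT_S, LOAD_OHM, cutoffs[c]);
        double b = capacity_mah(CELL_B, LEN(CELL_B), DT_S, LOAD_OHM, cutoffs[c]);
        printf("cutoff %.1f V: A=%.1f mAh  B=%.1f mAh  B/A=%.2f\n",
               cutoffs[c], a, b, b / a);
    }
    return 0;
}
```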