[fc-discuss] Financial Cryptography Update: Killing for Pennies, and is AOL, the "gateway drug", cause or cure?

iang@iang.org
Mon, 13 Jun 2005 10:21:59 +0100 (BST)



                             June 13, 2005


------------------------------------------------------------------------

https://www.financialcryptography.com/mt/archives/000497.html



------------------------------------------------------------------------

News in virtual gaming property continues to madly echo real life, as a
man in China was sentenced for killing a friend after the latter sold
his sword for a knight's ransom - 7,200 Yuan (£473).
http://news.bbc.co.uk/1/hi/technology/4072704.stm

As readers will know, this follows on news of a single island being
sold for a fortune and the outrage of cyberspace rape in games.

A paper at the Economics & Security conference on stock market effects
from vulnerability announcements got some press.  When I read that
they'd measured a 0.2% drop in Microsoft shares after a vulnerability
announcement, I immediately thought this was suspicious.  How can the
market respond to known news so stupidly?

http://infosecon.net/workshop/pdf/17.pdf
http://www.emergentchaos.com/archives/001388.html
http://www.sockpuppet.org/tqbf/log/2005/06/1-short-csco-2-publish-ios-remotes-3.html

Bad news affecting stock prices is a well-studied phenomenon; there are
some other studies on vulnerability and hack announcements.

Rumour of "security isn't working" continues to circulate.  Here's a
post by Marcus Ranum that tries to draw some conclusions on why
security expenditure is sky-rocketing and security is getting worse.

http://www.derkeiler.com/Mailing-Lists/Firewall-Wizards/2005-06/0032.html
Pointed to by Tao.
http://taosecurity.blogspot.com/2005/06/profound-words-from-past-and-present-i.html

Of course, the conclusions will be easy to disagree with - Marcus
assumes binary security values not risk values - but the logic he uses
to get to his conclusions is good.

http://www.internetperils.com/risk.php

And more on security - if you ever wanted to understand hackers as your
threat, have a read of the Wired article on the LexisNexis hack (this
is the one where a cop's laptop was breached and this led to getting
access to celebrity files and so forth...).

http://www.wired.com/news/business/0,1367,67629,00.html

For those who already know what hacking is about, I'll leave you with
these choice snippets which address lousy security.  The big question -
what do we do about lousy security?  Is it a fact of life or something
we must eradicate?  Cause or cure?


===================================================
Database Hackers Reveal Tactics
By Kim Zetter

Hacking began with AOL

Cam0 is also a suspect in the recent security breach of socialite Paris
Hilton's T-Mobile account and was investigated last summer after
admitting to Wired News that he hacked America Online and stole AOL
Instant Messaging screen names, among other exploits. He has yet to be
charged for the AOL breaches but told Wired News on Monday that the AOL
activity, which he began in 1997, was the "gateway drug" that
emboldened him and other members of Defonic Crew to graduate to other
hacking projects.

"If there was a security breach (at AOL), we were all a part of
them.... That's how we all started," he said. "We all met up on AOL
breaking into their crap. If it wasn't for AOL none of this (LexisNexis
stuff) would have happened."

"Shasta," a hacker who knows Defonic Crew but isn't a suspect in the
LexisNexis breach, said the success of the AOL breaches made Defonic
Crew careless about not covering its tracks in LexisNexis.

"It made them feel invincible," he said. "And they weren't worried
about getting caught."

They naturally are circumspect in the face of possible consequences.

"I really wish that I hadn't been able to get access to (the LexisNexis
database)," said the 20-year-old, who lives in Rhode Island and goes by
the name "Krazed." "Curiosity gets you in trouble."

....

"You start looking at an account that's been logged into 500 times and
generated 9,000 reports, for example, that's a lot of information (to
examine)," Sibley said. "I'm just saying it's not one group that's
compromised LexisNexis. Their security is really bad. This isn't a
situation where you're talking about needing an uberhacker to
compromise (the system). Their passwords weren't as secure as your
average porn site. I think it didn't take a genius to break them.
Although I think the way the hackers did it was creative. We'll give
them style points."

© Copyright 2005, Lycos, Inc. All Rights Reserved.
http://www.wired.com/news/business/0,1367,67629,00.html
=======================================================
