The InfoSec Blog

“Cybercrime” is still Crime and “Cyberfraud” is still Fraud

Posted by Anton Aylward

http://www.techsecuritytoday.com/index.php/our-contributors/michael-vizard/entry/lifting-the-veil-on-cybercrime

This says it all:

At the end of the day, cybercriminal activity is not all that different
from more traditional forms of organized crime. Obviously, the way the
crime is perpetrated is new, but the ways in which cybercriminals
operate is not all that different from anything that has gone on before.

Heck, once upon a time there was no telegraph, no "Royal Mail" (or whatever the equivalent in your state/nation). But when those came along they offered new opportunities for fraud. Most places have laws in place again fraud perpetrated by mail or telegraph and telegraph
includes the telephone.

And this is where I get to wonder at how our politicians work, the knee-jerk "something must be done NOW" attitude.

Here in Canada we have a criminal code. It covers fraud. We don't need new laws to deal with cybercrime because the ways our laws are written they are general and not reductionist. They specify the crime, not the technology used.

I get the impression that in the USA (and possibly other places) its the other way round. That's why they need lots of new laws to address every fine-grained detail as the technology advances. Personally I don't think this is a good way of working since it piles laws upon laws.

In science we was that in astronomy before Newton. The classical "Ptolemaic" system piled epicycles upon epicycles as corrections because the underlying model based on a geocentric approach and the idea of 'perfect spheres' was fundamentally flawed. Piling human laws upon human laws to deal with special cases of what is really a general
situation is no less flawed in approach.

Cover of "Paper Moon"

Fraud is fraud is fraud. It doesn't matter if its perpetrated by a hustler in person as in the scenes in "Paper Moon", by mail, over the phone or using the Internet. Fraud is fraud is fraud.

We don't need new laws; we just need a better understanding of how criminals use technology. We perhaps we security droids don't, perhaps the public, the police, the legislators and the managers of the firms and organizations impacted by such criminals need that understanding.

But that's not what detailed, reductionist legislation is going to achieve, is it?

 

Enhanced by Zemanta

Small firms are taking fraud protection too lightly, says Visa Canada

Posted by antonaylward

 

Forty-one percent of small businesses surveyed by Visa Canada said they
don't believe data thieves and hackers will target them because of their
size.

Where have we heard that before?
Isn't there some security adage about the hackers (aka criminals) going or "the low hanging fruit" - the easy to get at stuff - first?

 

Going Rogue

Posted by Anton Aylward

In this article at TechRepublic, Tom Olzak tries to address the issue of insider threat by talking about why your employees might 'go rogue'.  I think he completely misses the point by discussing the motivation for spies and convicted traitors. This is a different class of people from toss that commit financial fraud and take revenge on employers who they think have wronged them.


Lets be fair, how many of these characteristics would have applied to people like Nick Leason, Jerome Kerviel, the rogue traders such as Yasuo Hamanaka at Sumitomo Corporation of Japan in 1998 and John Rusnak at the Allied Irish Bank in 2002, Toshihide Iguchi at Daiwa Bank, John Rusnak was a former currency trader at Allfirst bank, Matt Piper of Morgan Stanley, Anthony Elgindy, Thom Calandra and Brian Hunter - never mind the rogue executives as WorldCom, Enron and Parmalat and many other corporate and accounting scandals that were motivated by greed.

The list on the blackboard in the cartoon doesn't, I think, apply to the 'rogue traders'. It applies only somewhat to the rogue executives but it does apply more comprehensively to the spies and traitors like Ames & Early.

However Donn Parker's point that (many) white-collar criminals are led into crime by "intense personal problems" makes more sense and also applies to people such as Brian Molony at the CIBC. So I don't think this is a very good article. Donn's observation si more geenral and more useful than Tom's.

More to the point, since Tom's article fails to address issues such as senior management ignoring the business controls that are in place because the people concerned were making a profit (aka greed in high places) and because it doesn't address the issue of having internal resources where staff can come to get advice about pressing personal problems, and finally because it doesn't deal with the possible channels for ethics complaints and whistle-blowing, it fails to address its title; there is nothing here about prevention - only detection, and very limited form of detection at that.

http://news.hereisthecity.com/news/business_news/6786.cntns

Reblog this post [with Zemanta]

2006: The Year of the laptop … stolen that is

Posted by Anton Aylward

When did you last secure your laptop?

The last year seems to have been a bumper one for stolen laptops, especially ones stolen from high profile companies and which contian plenty of personal information.

Many of the companies concerned seem to think that having passowrd proetction is adequate. Others think that because the laptop was stolen "for the hardware" and not for the information on it, all is OK. A couple think that firing the person who was using the laptop makes everythng OK.

"If thieves read the newspaper, they can readily figure out that they have got more than just a piece of hardware."

Well, I don't think so.

Will things change?

At the very least, the publicity has made it clear to theives that tTell me about when you saved the company a million dollars. Or when you successfully managed the million dollar project to deployment, on schedule and on budget. The infomation on the laptop is more valuable than the hardware. This year, 2007, any thief with any sense will sell the data and throw away the laptop. Perhaps on a rubish tip - oh, I see one did that 🙂

Here is a summary of some news articles from 2006

Irony

Posted by Anton Aylward

Headline: FTC attorney's laptops stolen
http://www.presstelegram.com/business/ci_3969575

The government agency charged with fighting identity theft said Thursday it had lost two government laptops containing sensitive personal data, the latest in a series of breaches encompassing millions of people.

Can you spell "Irony"?
This goes a bit beyond the bare-faced incompetence that we've grown used to
and come to treat as the new security baseline at the government.

And here's another chunk of Irony:

Many of the people whose data were compromised were being investigated for possible fraud and
identity theft, said Joel Winston, associate director of the FTC's Division of Privacy and Identity Theft Protection.

But what caught my attention in this article was the following:

On Thursday, a House panel was cautioned that credit monitoring alone may not be enough to protect Americans whose names, birth dates and Social Security numbers were compromised at the hands of the government.

During the House hearing Thursday, Mike Cook, a co-founder of a company specializing in data breaches, said identity-theft victims typically don't become aware they've been hurt until six months after their data was stolen, when creditors come calling for money owed.

At that point, it's likely the thieves will have moved on having made just a few purchases so they don't attract notice and started using another victim's information.

As a result, a credit monitoring service would raise a red flag after it was too late, Cook said.

So what's the real use of this credit monitoring that the companies are handing out in the aftermath of privacy failures if its not going to protect you? "Oh, you've had your bank account emptied, your house sold, and your wife has received a divorce notice. And by the way, your credit is non existent but that may be due compute hackers...."

 

Enhanced by Zemanta