431 million adults, $388 bn, marijuana, cocaine, heroin – cybercrime adds up to just an EFSF per year according to the folks at Symantec:
For the first time a Norton study calculates the cost of global cybercrime: $114 billion annually. Based on the value victims surveyed placed on time lost due to their cybercrime experiences, an additional $274 billion was lost. With 431 million adult victims globally in the past year and at an annual price of $388 billion globally based on financial losses and time lost, cybercrime costs the world significantly more than the global black market in marijuana, cocaine and heroin combined ($288 billion).
The research methodology:
Findings are extrapolations based upon results from a survey conducted in 24 countries among adults 18-64. The financial cost of cybercrime in the last year ($114bn) is calculated as follows: Victims over past 12 months (per country) x average financial cost of cybercrime (per country in US currency).
Between February 6, 2011 and March 14, 2011, StrategyOne conducted interviews with 19,636 people and included 12,704 adults aged 18 and over, 4,553 children aged 8-17 years and 2,379 grade 1-11 teachers from 24 countries (Australia, Brazil, Canada, China, France, Germany, India, Italy, Japan, New Zealand, Spain, Sweden, United Kingdom, United States, Belgium, Denmark, Holland, Hong Kong, Mexico, South Africa, Singapore, Poland, Switzerland, United Arab Emirates).
20,000 interviews – interviews, not surveys – sounds impressive. With an interview lasting some 15 minutes, that’s 300,000 minutes, or 5,000 hrs, or 625 days at an 8-hour day. You’d need a team of some 15 persons making telephone interviews for two months. Doable, just a few hundred thousand bucks going from Symantec to StrategyOne. But does such firepower help to dig out the truth™?
StrategyOne – Evidence-based communications:
As the strategic research partner of Edelman, the world’s leading independent PR firm, our heritage is in communications research. We understand that useful research informs strategy that engages, persuades, and moves products, minds, and media alike.
As to the methodology of the report, which is by the way not available as a PDF:
- A list of questions asked is not attached.
- Definition of cybercrime I: Cybercrime is, among others, defined as: “Computer viruses or Malware appeared on my computer”. (Chapter 7) So a malware attachment in your inbox qualifies as a single incident of cybercrime. No indication about the percentage of such cybercrime incidents vs., say, credit card fraud.
- Definition of cybercrime II: Which kind of incidents have been reported as “another type of cybercrime on my computer”? What’s the percentage of this category?
- Calculation of costs I: No indication whether different price bases are used, e.g. for the U.S. versus countries with substantially lower price indices such as India or China.
- Calculation of costs II: How are non-monetary incidents such as “malware or virus appeared on my computer”, “responding to a smishing message”, “approached by a sexual predator”, “Online Harassment” etc. turned into monetary damages?
Can being exposed to such reports be subsumed under online harassment? We won’t have reliable, sound, unbiased figures on cybercrime and the costs associated with it until a major research endeavour with serious funding spanning institutes in different countries is set up.
In Germany, there appears to be a hidden, implicit, rarely outspoken two-track system:
- the show-off doctorate with little scientific value and
- the real scientific doctorate based on dissertations that actually contribute to scientific knowledge.
The show-off doctorate is the product of the high social value of a doctorate in Germany, incompetence, co-optation or naiveté (in dubio pro latter) of supervisors and university bodies conferring doctorates, combined with some trickery of eager climbers. […]
Here some of my notes on the ongoing ENISA debate in Brussels.
Currently, there are a bunch of proposals in the loop, thrown in by the European Commission. (The parliament itself still cannot issue initiatives of its own. Since Lisbon, it can at least alter existing paragraphs, though it can’t add new ones.)
In the loop:
[…]
Well, I shouldn’t make these all-encompassing headlines, after all, forcing me to write way too long texts. Anyhow. I’ve been in Belgium a couple of weeks ago, used the opportunity of proximity for a Brussels visit. The first glaring characteristic of Brussels is the scent of waffles all over Midi station. It is as if every station comes with a little surprise for its passengers. At Luxembourg station, the one which neighbours the European Parliament, the party in control of the facility equipment opted for an acoustic treatment: Abba’s “The winner takes it all.” For sure she does. (Which reminds me of “Mamma Mia”: Meryl Streep has quite a voice, by the way.)
The voices of the European citizens are represented by representatives sitting in offices matching in size those of elaborated knowledge workers in corporate headquarters. A nice quality surplus however […]
As Chris Marden puts it:
“So the governments of the West are at least rhetorically in favour of a free Internet…”
Rhetorically. The difference between the Council of Europe and the core of the European Council though is that only the latter is of substantial relevance for immediate political and legislative outcomes. Plus: the CoE is quite different from the “governments of the West.” […]
I guess when the average media consumer hears “cyber-defense centre”, she likely has Star-Wars-ish control rooms in mind. Now, starting today, Germany has its National Cyber Defense Centre. It is located in the offices of the Federal Office for Information Security (BSI), which reports to the Federal Minister of the Interior. Not much of a surprise, anyway. Quite some headlines in national media for a 10-person task force. (Sources: FAZ, Ministry of the Interior, both in German)
[…]
Yochai Benkler, A Free Irresponsible Press: Wikileaks And The Battle Over The Soul Of The Networked Fourth Estate, forthcoming Harvard Civil Rights-Civil Liberties Law Review, 66 pages (benkler.org)
It forces us to ask ourselves how comfortable we are with the actual shape of democratization created by the Internet. […]
“The threat is there to see and if the worst were to happen…” (Donald Rumsfeld, Feb 2003)
Looks like Stuxnet is the best of all electronic Pearl Harbours, so far. The signs on the walls of what could be. The “game changer” (DHS cyber director), the menace that seems to convince politicians, media and the public alike that there is something potentially very threatening. It has taken some fifteen years of fear mongering to achieve that.
Menaces, threats, risks, dangers require responses, yet which? […]
I couldn’t possibly comment:
We’re delighted to tell you that in late 2012 Netflix will be bringing to our members in the U.S. and Canada exclusively “House of Cards,” the much-anticipated television series and political thriller from Executive Producer David Fincher and starring Kevin Spacey. We’ve committed to at least 26 episodes of the serialized drama, which is based on a BBC mini-series from the 1990s that’s been a favorite of Netflix members. (Netflix)
Or, maybe: If you’ve ever wanted the essence of politics, the schemes, the manipulation, the games, the viciousness, condensed into a timeless, enthralling play, enjoy Ian Richardson’s performance as Francis Urquhart, a modern mix of the Shakespearean figures of Richard III and Macbeth, who succeeded Margaret Thatcher as Prime Minister. (IMDB)
Some of the political wisdoms the series conveys:
- Power and its volatileness: “fear that this might be the day we wake to find the magic gone” (youtube)
- Political loyalty: “a helping hand in these rather trying days” (youtube)
- Leaking: “beware of an old man in a hurry” (youtube)
- Social responsibility: “let’s give our young people a chance to learn self discipline, again” (youtube)
- Power, terrorism and leadership: “Deeper than honour, deeper than pride, deeper than lust, deeper than love is the getting of it all. The seizing and the holding on. The jaw is locked, biting into power and hanging on. Biting and hanging on.” (youtube)
- Trust and power: “But they all, all of them, betray us eventually. They love us, but not quite enough. They trust us, but not quite enough. And we trust them to be entirely human, meaning less than trustworthy. Which means we cannot entirely sleep. As the cat’s eyelids flicker, some part of us must stay awake, always, ready, as the coiled spring is ready.” (no link here, alas)
- Role of a parliamentary majority leader: putting a bit of stick about
In February, the Dutch Ministry of Security and Justice released its “National Cyber Security Strategy (NCSS) – Success through cooperation.” (govcert.nl) Section 5.4, “Response capacity for withstanding ICT disruptions and cyber attacks”, is particularly interesting and highlights the ongoing transformation of the organisational landscape. While the strategy’s brevity makes a refreshing change for lazy readers like us, it also raises a couple of questions.
[…]
The singleton entered the extrauterine sphere on a sunny Wednesday afternoon. She was coloured purple, emitting awe-inspiring screams with all of her body tensed, her arms raised, moving and shaking wildly and her fingers stiffly stretched. After half a minute or so, she quickly quieted down, ignored the blood, slime and whatever else her body was covered with, relaxed. She began to glance with great effort through the narrow cracks between her eyelids, aiming at grasping the situation and considering her options. Geworfenheit, thrownness, is Heidegger’s term to describe what every human being faces: “There you are, you haven’t been asked, no idea what ‘you’ is, let alone who you are and what ‘there’ is.” Naturally, she quickly went screaming again, coming up with all the strength shrouded in that 4.4 kg and 57 cm body. Positioning her on her mother’s upper body immediately freed her from those unsolvable existentialist contemplations and made her swing into the flow of life.
Some thirty-six hours later her skin was overwhelmed with the influx of new hormones, as is usual for babies her age. Unlike in some thirteen years’ time, she didn’t care about it. Her priorities were different. We were sitting in our bed. She was lying on my legs, her head on my flexed knees, her feet pressing against my underbelly. It was around 4 a.m. She was gazing at us with her steel-blue eyes. For long minutes. Endlessly. Constantly and without interruption. Highly awake. Evaluating her situation. Facing her parents with a piercing glance as if she was pondering the trustworthiness of those whose reproductive instincts had brought her into that situation. Hopefully the future will tell that she had not erred when she quietly fell asleep that night, after the first day after her birth.
The saga of disruptive publication platforms vs. the intelligence intelligentsia continues. And this latest HBGary chapter is stunning on so many dimensions: “security service” companies sitting on piles of 0-day exploits, the US CoC hiring security companies to investigate unions’ activities, a security service company compromised by social hacking, Anonymous creating a leak website ad hoc.
“Rarely in the history of the cybersecurity industry has a company become so toxic so quickly as HBGary Federal.” (Andy Greenberg, Forbes)
Nate Anderson, arstechnica, has the story. Spy games: Inside the convoluted plot to bring down WikiLeaks
“Barr was brought in from Northrop Grumman to launch the operation. … Less than a year into the job, HBGary Federal looked like it might go bust. … And then, unexpectedly, came the hope of salvation. … That law firm was DC-based powerhouse Hunton & Williams,… [They] had a client who wanted to do a little corporate investigative work”
“But it soon became clear what this was about: the US Chamber of Commerce wanted to know if certain groups attacking them were “astroturf” groups funded by the large unions.”
“Palantir would provide its expensive link analysis software running on a hosted server, while Berico would “prime the contract supplying the project management, development resources, and process/methodology development.” HBGary Federal would come alongside to provide “digital intelligence collection” and “social media exploitation”—Barr’s strengths.”
“HBGary had long publicized to clients its cache of 0-day exploits—attacks for which there is no existing patch”
“Ironically, when Anonymous later commandeered Greg Hoglund’s separate security site rootkit.com, it did so through a spear phishing e-mail attack on Hoglund’s site administrator—who promptly turned off the site’s defenses and issued a new password (“Changeme123”) for a user he believed was Hoglund. Minutes later, the site was compromised.”
HBGary’s Barr involuntarily shares details on his intelligence successes, “Final – for me. – Sun, 6 Feb 2011 00:40:11 -0500”
“What I did using some custom developed collection and analytic tools and our developed social media analysis methodology was tie those IRC nicknames to real names and addresses and develop a clearly defined hierarchy within the group. Of the apparent 30 or so administrators and operators that manage the Anonymous group on a day to day basis I have identified to a real name over 80% of them.”
Hackers Reveal Offers to Spy on Corporate Rivals – NYTimes.com
Forbes with an update Revenge Still Sweet As Anonymous Posts 27,000 More HBGary E-Mails – Parmy Olson
“Crowdleaks: HBGary wanted to suppress Stuxnet research”
“HBGary Email Viewer: Portal – AnonLeaks”
The Baltic Times reports:
Estonia’s defense minister has said he plans to create a volunteer “cyber defense league”… “We are thinking of introducing this conscript service, a cyber service,” Defense Minister Jaak Aaviksoo said in an interview with NPR. “[Our] league brings together specialists in cyberdefense who work in the private sector as well as in different government agencies.”
[…]
Commissioner Cecilia “Censilia” Malmström has launched the European Commission’s EU Internal Security Strategy, “The EU Internal Security Strategy in Action”. One of the five “strategic objectives for internal security” mentioned in the document: “Raise levels of security for citizens and businesses in cyberspace.”
According to her plans, Europe will have built the capabilities to respond smoothly to cyber attacks (contingency plans, sharing and alert systems) by 2013. […]
Mike Elgan compares the alleged openness of Google with the notoriously secretive Jobsian empire. The surprising discovery is that every company has its secret sauce, the recipe of which is stored in iron boxes or, in modern times, in encrypted databases:
The companies are different, and what they’re “open” about reflects that difference. For example, Trump is very secretive about pending real estate transactions, but would probably be happy to share the details of food served at one of his golf courses. McDonald’s on the other hand, isn’t all that secretive about real estate transactions but they’re very secretive or “closed” about their Secret Sauce.
In other words, companies are very closed, secretive, and controlling about the part of their business that makes the money. (via gruber)
Reminds me of the interesting question of who has or wants which secret sauce in the area of internet security?
The two securities of a brand:
RIM is negotiating with the governments and the press reports successes: RIM will, for instance, provide India with tools for monitoring communications, it is said. On the other hand, the company repeats like a mantra that Blackberry communication is secure and that nobody, not even RIM itself, has access to the data. But if RIM itself has no access to Blackberry users’ messages, how can the company comply with the demands? … This apparent contradiction can be resolved by distinguishing between the Blackberry services BES and BIS. BES is the product RIM offers to its enterprise customers, BIS the one for private customers.
As mentioned the other day, security provider Damballa released a study stating that some 11% of global botnet command & control servers were hosted by 1&1 Internet AG. Heise, presumably Germany’s most influential IT-related news portal, ran the story, mostly citing the findings of the study. 1&1 was not amused about the journalistic performance. The flaws (de) in Damballa’s study were quickly uncovered by Thorsten Kraft of 1&1‘s Anti-Abuse team, which is closely linked to the consumer-focussed German Anti-Botnet advisory centre. Heise released another article explaining the flaws in the Damballa report, and Damballa has rightly taken its analysis down. The underlying lapse, according to the reports linked above, was that Damballa had allegedly added both ordinary, non-infected infrastructure servers and sinkhole and honeypot machines to the list of C&C servers.
[…]
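To make the methodological point concrete, here is an added example (not code from the study or from 1&1) showing how a per-provider C&C share shifts once sinkhole, honeypot and non-infected infrastructure hosts are removed from the candidate list before attribution. All IP addresses, provider names and classifications are constructed; the point is the before/after comparison, not the figures.

```python
"""Constructed example: how unfiltered sinkhole/honeypot/infrastructure
hosts inflate a hosting provider's apparent share of botnet C&C servers."""
from collections import Counter

# Constructed candidate list: (ip, hosting provider, classification).
# Documentation-range addresses and invented provider names; the
# classification would normally come from sinkhole operators' allowlists,
# honeypot registries and the provider's own abuse-desk verification.
CANDIDATES = [
    ("198.51.100.10", "Provider A", "c2"),
    ("198.51.100.11", "Provider A", "c2"),
    ("198.51.100.12", "Provider A", "sinkhole"),        # researcher-run sink
    ("198.51.100.13", "Provider A", "honeypot"),        # decoy, never infected
    ("198.51.100.14", "Provider A", "infrastructure"),  # clean resolver/NTP host
    ("203.0.113.20", "Provider B", "c2"),
    ("203.0.113.21", "Provider B", "c2"),
    ("203.0.113.22", "Provider B", "c2"),
    ("192.0.2.30", "Provider C", "c2"),
    ("192.0.2.31", "Provider C", "sinkhole"),
]

# Classes that must never be counted as live C&C infrastructure.
NON_C2 = frozenset({"sinkhole", "honeypot", "infrastructure"})


def provider_share(candidates, exclude=frozenset()):
    """Return each provider's percentage of the remaining candidates,
    after dropping any host whose classification is in `exclude`."""
    counts = Counter(provider for _, provider, cls in candidates
                     if cls not in exclude)
    total = sum(counts.values())
    return {p: round(100.0 * n / total, 1) for p, n in sorted(counts.items())}


def inflation(candidates, provider, exclude=NON_C2):
    """How many percentage points the naive count overstates `provider`."""
    naive = provider_share(candidates).get(provider, 0.0)
    clean = provider_share(candidates, exclude).get(provider, 0.0)
    return round(naive - clean, 1)


if __name__ == "__main__":
    print("naive  :", provider_share(CANDIDATES))
    print("cleaned:", provider_share(CANDIDATES, NON_C2))
    print("Provider A overstated by", inflation(CANDIDATES, "Provider A"), "points")
```

In the constructed data Provider A goes from the apparent top C&C host (50%) to a third of the cleaned list, which is the kind of shift the 1&1 rebuttal describes.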
The High Tech Crime Team did the job against the unsophisticated Bredolab Botnet:
The Bredolab botnet has been busted. So said the High Tech Crime Team, part of the National Crime Squad in the Netherlands, on Monday.
According to Dutch authorities, “the botnet network used servers hired in the Netherlands from a reseller of LeaseWeb,” one of Europe’s largest hosting providers, which is working with investigators. All told, 143 servers were seized and disconnected. (informationweek.com)
Further information is provided by the Openbaar Ministerie, the Dutch top prosecution authority.
Global cooperation among police forces in cybercrime cases appears to work way better than two years ago.
The so-called Open Security Foundation has set up a publicly viewable and editable database to collect and share information about, well, data losses:
DataLossDB is a research project aimed at documenting known and reported data loss incidents world-wide. The effort is now a community one, and with the move to Open Security Foundation’s DataLossDB.org, asks for contributions of new incidents and new data for existing incidents.
May it help those virtual runaway bits to come back to their motherships. Such as:
New York breach notification: Bear Stearns – client information accidentally was viewable by 2 unauthorized firms. 442 NY residents potentially exposed. (Source)
If only Bear Stearns had exposed just those 442 New Yorkers. Anyhow. Data losses are a societal problem, especially when incidents climb up to the dimensions of the Heartland Payment Systems case with its 130,000,000 records or the T-Mobile Germany incident, which affected some 17,000,000 customers.
Cleaning my RSS-feeds inboxes, I found this little gem called “The Reign of Zeus”, written back in May, ages ago on the internet security time scale, by Anup Ghosh:
Zeus is a game changer virus for the financial services industry, and perhaps its most pernicious computer-related threat. It specifically targets banking information by users and will defeat strong multi-factor authentication (MFA) methods used by banks including hardware tokens with one-time random passwords. A recent breakthrough in spreading Zeus via PDF files threatens to further the spread of Zeus.
Zeus is an example of the sophisticated crimeware now available to crime syndicates that are focused on illicit financial gains by capturing banking credentials. The toolkit is available for sale in underground markets and the Zeus author has even implemented sophisticated hardware licensing schemes to prevent piracy.
Not sure whether the “DRM is bad for the customer” mantra applies here.
Threat Level has an update on spear-phishing, based on data issued in Symantec’s MessageLabs Intelligence reports.