June 13, 2005

Killing for Pennies, and is AOL, the "gateway drug", cause or cure?

News in virtual gaming property continues to madly echo real life, as a man in China was sentenced for killing a friend after the latter sold his sword for a knight's ransom - 7,200 Yuan (£473). As readers will know, this follows on news of a single island being sold for a fortune and the outrage of cyberspace imitating life (fraud, murder, rape, verbal abuse, hit & run driving discussed in To Kill an Avatar).

A paper at the Economics & Security conference on stock market effects from vulnerability announcements got some press.

(to follow: "security isn't working" and the LexisNexus hack...)

When I read that they'd measured a 0.2% drop in Microsoft shares after a vulnerability announcement, I immediately thought this was suspicious. How can the market respond to known news so stupidly? Commentary here is more incisive and critical, pointed to by Adam. Bad news affecting stock prices is a well-studied phenomenon; there are some other studies on vulnerability and hack announcements.

Rumour of "security isn't working" continues to circulate. Here's a post by Marcus Ranum that tries to draw some conclusions on why security expenditure is sky-rocketing and security is getting worse. Pointed to by Tao. Of course, the conclusions will be easy to disagree with - Marcus assumes binary security values not risk values - but the logic he uses to get to his conclusions is good.

And more on security - if you ever wanted to understand hackers as your threat, have a read of the Wired article on the LexisNexis hack (this is the one where a cop's laptop was breached and this led to getting access to celebrity files and so forth...).

For those who already know what hacking is about, I'll leave you with these choice snippets which address lousy security. The big question - what do we do about lousy security? Is it a fact of life or something we must eradicate? Cause or cure?

Database Hackers Reveal Tactics By Kim Zetter

...

Hacking began with AOL

Cam0 is also a suspect in the recent security breach of socialite Paris Hilton's T-Mobile account and was investigated last summer after admitting to Wired News that he hacked America Online and stole AOL Instant Messaging screen names, among other exploits. He has yet to be charged for the AOL breaches but told Wired News on Monday that the AOL activity, which he began in 1997, was the "gateway drug" that emboldened him and other members of Defonic Crew to graduate to other hacking projects.

"If there was a security breach (at AOL), we were all a part of them.... That's how we all started," he said. "We all met up on AOL breaking into their crap. If it wasn't for AOL none of this (LexisNexis stuff) would have happened."

"Shasta," a hacker who knows Defonic Crew but isn't a suspect in the LexisNexis breach, said the success of the AOL breaches made Defonic Crew careless about not covering its tracks in LexisNexis.

"It made them feel invincible," he said. "And they weren't worried about getting caught."

They naturally are circumspect in the face of possible consequences.

"I really wish that I hadn't been able to get access to (the LexisNexis database)," said the 20-year-old, who lives in Rhode Island and goes by the name "Krazed." "Curiosity gets you in trouble."

....

"You start looking at an account that's been logged into 500 times and generated 9,000 reports, for example, that's a lot of information (to examine)," Sibley said. "I'm just saying it's not one group that's compromised LexisNexis. Their security is really bad. This isn't a situation where you're talking about needing an uberhacker to compromise (the system). Their passwords weren't as secure as your average porn site. I think it didn't take a genius to break them. Although I think the way the hackers did it was creative. We'll give them style points."

© Copyright 2005, Lycos, Inc. All Rights Reserved.

Posted by iang at June 13, 2005 12:12 PM