[ISN] Expert: Online extortion growing more common
InfoSec News
isn at c4i.org
Sat Oct 9 05:02:14 EDT 2004
http://news.com.com/Expert+Online+extortion+growing+more+common/2100-7349_3-5403162.html

By Dan Ilett
Special to CNET News.com
October 8, 2004

"Six or seven thousand organizations are paying online extortion
demands," Alan Paller said at the SANS Institute's Top 20
Vulnerabilities conference in London. "The epidemic of cybercrime is
growing. You don't hear much about it because it's extortion, and
people feel embarrassed to talk about it."

The SANS Institute, based in Bethesda, Md., offers training and
resources related to information security.

"Every online gambling site is paying extortion," Paller asserted.
"Hackers use DDoS (distributed denial-of-service) attacks, using
botnets to do it. Then they say, 'Pay us $40,000, or we'll do it
again.'"

Paller added he was concerned that the same techniques used for
extortion--that is, DDoS attacks--could easily be used to target
organizations in the critical national infrastructure.

Roger Cumming, the director of the U.K.-based National Infrastructure
Security Co-ordination Centre, shares Paller's concern.

"There's an enormous amount of extortion," Cumming said. "We are
concerned...(that) the technologies of extracting money could be used
to endanger the (critical national infrastructure). One of the things
we are talking about is how to mitigate that threat."

Paller called for tech companies to do better. He said that security
vulnerabilities are vendors' responsibility to fix and that their
products should reflect the suggestions associated with the SANS top
20 vulnerabilities list.

"Applications breaking after patching is the operating system vendor's
fault," he said. "They tell developers to build applications on
unprotected systems. But the other half of the game is that
application vendors should have to test their products on safer
systems. You do that with procurement."

A representative for at least one prominent British gambling site said
that he would rather not comment on the whole issue.

Dan Ilett of ZDNet UK reported from London.