11 October 2004

Up to 7,000 companies worldwide are paying organised criminals ‘protection money’ to ensure their web sites are not compromised, an independent security expert claims.
Alan Paller, director of research at the SANS Institute, an independent vulnerability assessment organisation, also said these companies – including many online gambling sites – are paying an average of $40,000 to prevent hackers from revealing their customers’ personal information or bringing down their web site with a denial of service (DOS) attack.
DOS attacks work by using a network of thousands of remotely controlled computers – known as a “bot net” – that repeatedly request a web site until its bandwidth is exhausted.
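As an added illustration of the traffic pattern described above (example code, not from the article, SANS or NISCC): a small Python detector that flags minutes in a web access log during which many distinct hosts each hit the site repeatedly. The log lines and the thresholds are constructed assumptions, not real data.

```python
"""Flag minute-long windows in a web access log whose traffic looks like a
distributed flood: many distinct source addresses, each requesting the site
more than once. Sample data below is constructed, not taken from any incident."""
from collections import defaultdict
from datetime import datetime

# Constructed Common Log Format lines: a little ordinary traffic, then a burst
# in the 10:02 minute from 100 different hosts, each requesting "/" twice.
SAMPLE_LOG = (
    '10.0.0.5 - - [11/Oct/2004:10:00:12 +0000] "GET / HTTP/1.1" 200 512\n'
    '10.0.0.7 - - [11/Oct/2004:10:00:40 +0000] "GET /news HTTP/1.1" 200 2048\n'
    '10.0.0.5 - - [11/Oct/2004:10:01:03 +0000] "GET /about HTTP/1.1" 200 1024\n'
    + "".join(
        f'192.0.2.{i} - - [11/Oct/2004:10:02:{i % 60:02d} +0000] '
        f'"GET / HTTP/1.1" 200 512\n'
        for i in range(1, 101)
    )
    + "".join(
        f'192.0.2.{i} - - [11/Oct/2004:10:02:{(i + 30) % 60:02d} +0000] '
        f'"GET / HTTP/1.1" 200 512\n'
        for i in range(1, 101)
    )
)


def parse_line(line):
    """Return (source_ip, minute_bucket) for one Common Log Format line."""
    ip, rest = line.split(" ", 1)
    stamp = rest[rest.index("[") + 1 : rest.index("]")]
    ts = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
    return ip, ts.replace(second=0)


def flood_windows(log_text, min_sources=50, min_requests_per_source=1.5):
    """Return (minute, distinct_sources, requests) for each minute with at least
    `min_sources` distinct clients averaging `min_requests_per_source` or more
    requests each. The thresholds are illustrative; tune them to a real baseline."""
    per_window = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        if line.strip():
            ip, bucket = parse_line(line)
            per_window[bucket][ip] += 1
    flagged = []
    for bucket in sorted(per_window):
        hits = per_window[bucket]
        requests = sum(hits.values())
        if len(hits) >= min_sources and requests / len(hits) >= min_requests_per_source:
            flagged.append((bucket.isoformat(), len(hits), requests))
    return flagged
```

A single noisy client does not trip this check; the signal is the combination of source breadth and repetition, which is what distinguishes a bot net flood from one misbehaving host.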
“Most people pay because they don’t think law enforcement can stop it,” Paller told an audience of corporate security chiefs and industry experts, as the US-based SANS Institute launched its annual “Top 20” areas of IT systems’ vulnerability. He noted that the FBI had been unable to prevent three DOS attacks on its own web site and criticised vendors who claim their tools can prevent such strikes: “They only work until the attack gets bad.”
Paller lamented the absence of information in this area, with most victims understandably reluctant to discuss their own security failings. “Most people are ignoring an epidemic of crime,” he said. “You don’t hear much about extortion because the reason it is working is [that] people don’t want other people to hear about it.”
Paller presented the UK’s National Infrastructure Co-ordination Centre (NISCC) with a “security leadership award” for its work in confidential information sharing and collaboration between security vendors, public authorities and end users. Government-funded NISCC has a remit to co-ordinate the defence of the UK’s critical national infrastructure, liaising with public and private organisations to ward off the threat of electronic attack.
In accepting the award, NISCC director Roger Cumming said the organisation’s task was “never-ending” but said he would continue the programme of “outreach” by issuing security alerts, predicting vulnerabilities and helping with technical responses to threats.
Cumming added to Paller’s comments on extortion, noting that there was “an enormous amount” going on, and voiced concern that “some of the techniques just used to make money now could be used to attack critical national infrastructure”.
The Top 20 vulnerability list, which began three years ago and comprises two top 10s for Windows and Linux/Unix systems, is used by organisations to prioritise their efforts to close the most dangerous holes first. New entrants this year include flaws in instant messaging in Windows and version control systems in Linux.