Failures of Information Security: Observing the World and Asking Why

By Adam Shostack and Andrew Stewart, Addison-Wesley Professional

Although Y’nin and his gang were eventually caught, it is much harder to catch an electronic thief than a robber in the physical world. Investigating a burglary might take the police an hour or perhaps a day. An electronic break-in executed across international borders might require months or years of investigation. Only a few national police agencies take on cases that require such an investment of time and effort, whereas anyone connected to the internet can now attack computers around the world. In some countries, laws about electronic crimes might not be clear, or there may be no effective local law enforcement to make an arrest. Is it illegal to send email spam from China? What happens if an attacker launders his attack through a computer in Nigeria? Some large companies are dedicating resources to helping police forces investigate attacks that matter to them, but it is not clear whether this strategy is a good investment. Another challenge for law enforcement is that the skills required to investigate computer crime quickly go out of date because of the rapid advance of technology. If an officer learned to develop latent fingerprints thirty years ago, that knowledge is still valuable in investigating crimes. In contrast, the ability to perform a forensic investigation of a computer that runs Windows 95 is of little use today.

Because attackers can carry out attacks in a highly automated way and because they are unlikely ever to be caught, online crime is attractive to criminals not just in Turkey, but everywhere. American brokerage houses have found themselves losing millions of dollars to schemes in which criminals use other people’s money to “pump and dump” the stock market. The scheme starts when a thief buys some thinly traded penny stock. The thief then breaks into the victim’s bank account and uses the person’s money to buy up that stock. The stock rises in price, and the thief then sells his holdings in the now-inflated stock, leaving him much richer and the victim much poorer. (If the thief is clever, he might even set up automated sale orders. The link between the thief and the automated selling of the stock is hard to prove, as is the fact that someone gained illegal access to the victim’s account.)
