Archive for January, 2008

Today’s Cyber-crime – There are always two victims ….

Monday, January 28th, 2008

Victimizing one party in order to victimize another is an interesting characteristic that sets cyber-crime apart from physical-world crime. There is the victim of the crime (i.e. the one who lost the money) and the victim who unknowingly gets used to execute the crime. These unknowing victims range from home computers that have been botted, to service providers whose bandwidth is used, to company computers that are broken into, to people who get duped into being eMules. Brian Krebs of the Washington Post’s Security Fix blog (‘Money Mules’ Help Haul Cyber Criminals’ Loot) has a really nice write-up on eMules, how the crime operates and the consequences to the people who are used for the crime. What we’re seeing is a major characteristic of the cyber-criminal economy (i.e. the miscreant economy).

What is scary about this characteristic is that the victims used to execute the crime are being held liable. We’ve seen this where the industry blames the people who own the violated computers. We’ve seen it with eMules (read Slashdot’s commentary on Brian Krebs’ article). We’ve seen it with phishing. It seems that our law enforcement and liability practices are focusing on the tool of the crime vs. the perpetrator of the crime. So these tools of the criminals are dual victims – the criminals use them to perpetrate the crime – then law enforcement holds them liable for the crime. A shield for the criminal. Low-hanging fruit for law enforcement. 🙁

“‘Security’ is not a Big Bet, it is a fundamental technology ….”

Thursday, January 3rd, 2008

In other words, I feel no security pain. If I feel no pain, then security is not a top priority for me. But if I let my investors and customers know that I’m not putting security at the top of my list, they will think badly of me.

It is the essential security trap – if you are a security professional and do your job well, then your management asks you “what are you doing?” When they see no impact to their business – feeling no pain – management assumes that the security risk is minimal. Yet, when something does happen, management slams the security professionals, demanding “why didn’t they do something to prevent the pain!?!”

The consequence is that way too many organizations put the word “security” into their marketing literature – to do otherwise would garner criticism. Yet, if you dig to find out the “beef” behind the marketing, you find hype and redirection.

We are in for an interesting year. Lots of marketing hype. Lots of press hype. Yet the cyber criminals stay under the security pain threshold – making good money.

Tools to Stop BOTNETs – Whitepaper

Thursday, January 3rd, 2008

A new white paper is out – Botnets: The New Threat Landscape White Paper. While this is a vendor paper, Namit Arora (with help from Martin Pueblas and Roland Dobbins) did a good job of listing out one vendor’s anti-botnet tool kit.

It is worth the read so people know what tools are available.