Cyber Security Institute

Thursday, September 07, 2006

Stolen Data’s Black Market

The targeted attack—designed to make a buck for the hacker or insider who initiates it—is in, in, in.  The “black market” for stolen computer data is growing by leaps and bounds, according to experts who study computer crime and corporate espionage.  “Before 1998, about 90 to 95 percent of all intrusions were done by individuals hacking out of curiosity,” says Chris Pierson, founder of the cybersecurity and cyberliability practice at Lewis and Roca LLP, a Phoenix law firm.  “We’re seeing a rapid growth in cooperative attacks, where an insider works in concert with some sort of external source to make a financial gain,” says Brian Contos, chief security officer at ArcSight and author of the new book, Enemy at the Water Cooler, which outlines some of the recent trends and exploits in corporate computer crime.  “It’s not just hackers looking randomly for easy points of entry—these are attacks on specific companies.”

“We’ve seen criminals hack into hospital systems just to get the Social Security numbers of the newborns.  There’s no one, obvious group of organizations that hackers are targeting.”

There are still plenty of independent hackers out on the Web—just look at the recent Black Hat and Defcon conferences—who might sell vulnerabilities or stolen data by putting them up for auction.

Worms and viruses invented by independent hackers still make up a huge portion of the damage done to corporations each year, Pierson notes.

But the visibility of these individuals and their exploits sometimes belies the growing but largely unpublicized threat from organized criminals who buy data from hackers or insiders and sometimes contract with them to collect data from a specific corporation, experts agree.

Pierson gives the example of stolen customer credit card data, which is sometimes handled by multiple individuals in a joint effort.  While credit card information might be collected through the collaboration of phishers and spammers, that data might then be passed to “cashers” who forge credit cards that use the numbers.  Then those cards will be passed out to a network of “mules” who use the cards for small purchases—the kind that might not be immediately detected by the victim—and thrown away.  Then the syndicate of players might sell the account information to another buyer, just as the parts of a stolen car might be resold.  A similar sort of “syndicate” might be formed to fence stolen business secrets or customer lists to competitors, or to other nations or terrorist groups, he says.

External hackers may be paid off; insiders may be disciplined or dismissed; and in some cases, the crime is never detected.  Although there are cases in which external hackers break into an enterprise they find attractive, most targeted attacks involve some help from an insider, experts say.

Posted on 09/07