Much of the information we have on cyber-crime losses is derived from surveys. We examine some of the difficulties of forming an accurate estimate by survey. First, losses are extremely concentrated, so that representative sampling of the population does not give representative sampling of the losses. Second, losses are based on unverified self-reported numbers. Not only is it possible for a single outlier to distort the result, we find evidence that most surveys are dominated by a minority of responses in the upper tail (i.e., a majority of the estimate is coming from as few as one or two responses). Finally, the fact that losses are confined to a small segment of the population magnifies the difficulties of refusal rate and small sample sizes. Far from being broadly-based estimates of losses across the population, the cyber-crime estimates that we have appear to be largely the answers of a handful of people extrapolated to the whole population. A single individual who claims $50,000 losses, in an N=1000 person survey, is all it takes to generate a $10 billion loss over the population. One unverified claim of $7,500 in phishing losses translates into $1.5 billion.
Category Archives: Technical
Hackers reveal critical vulnerabilities in Huawei routers at Defcon
The vulnerabilities — a session hijack, a heap overflow and a stack overflow — were found in the firmware of Huawei AR18 and AR29 series routers and could be exploited to take control of the devices over the Internet, said Felix Lindner, the head of security firm Recurity Labs and one of the two researchers who found the flaws.
via Hackers reveal critical vulnerabilities in Huawei routers at Defcon – Computerworld.
According to the Huawei website, the AR series routers are used by enterprises, and the AR18 in particular is marketed as a product intended for small and home offices.
Black Hat hacker gains access to 4 million hotel rooms with Arduino microcontroller
Bad news: With less than $50 of off-the-shelf hardware and a little bit of programming, it’s possible for a hacker to gain instant, untraceable access to millions of key card-protected hotel rooms.
via Black Hat hacker gains access to 4 million hotel rooms with Arduino microcontroller | ExtremeTech.
Tatu Ylonen, father of SSH, says security is ‘getting worse’
I think it’s getting worse. Consumer privacy is disappearing totally. And SSL [Secure Sockets Layer] is being questioned and the problem isn’t the protocol itself but the key infrastructure. There have been several incidents where someone has stolen from the certificate authorities.
via http://www.networkworld.com/news/2012/072512-blackhat-ylonen-261134.html.
Poison Attacks Against Machine Learning
With AI systems becoming more common, we have to start worrying about security. A network intrusion may be all the more serious if it is a neural net that is affected. New results indicate that it may be easier than we thought to provide data to a learning program that causes it to learn the wrong things.
Multi-platform Backdoor Lurks in Colombian Transport Site
Multi-platform Backdoor Lurks in Colombian Transport Site – F-Secure Weblog : News from the Lab.
Note how this works. The bad guys need your confirmation in order to proceed.
Microsoft Revokes Trust in 28 of Its Own Certificates
Microsoft has not said exactly what the now-untrusted certificates were used for, but company officials said there were a total of 28 certificates affected by the move. Many of the affected certificates are listed simply as “Microsoft Online Svcs”. However, the company said that it was confident that none of them had been compromised or used maliciously. The move to revoke trust in these certificates is a direct result of the investigation into the Flame malware and how the attackers were able to forge a Microsoft certificate and then use it to impersonate a Windows Update server.
via Microsoft Revokes Trust in 28 of Its Own Certificates | threatpost.
Making calls has become fifth most frequent use for a Smartphone for newly-networked generation of users
How long we spend using our smartphones (by activity) each day
Activity                   Time/day (minutes)
Browsing the internet      24.81
Checking social networks   17.49
Playing games              14.44
Listening to music         15.64
Making calls               12.13
Checking/writing emails    11.1
Text messaging             10.2
Watching TV/films           9.39
Reading books               9.3
Taking photographs          3.42
Total                     128
via O2 News Centre.
Raspberry Pi Model A makes first appearance on camera
The board looks very similar to the Model B, but is obviously missing a few components. The good news is the board looks to have the same layout otherwise, so the same cases should work. They will just have a few unfilled holes in them.
Android app steals contactless credit card data
He told SC last month that while the weaknesses in the cards were concerning, it was not an effective means to harvest lots of credit card numbers.
However, it could be attractive for unskilled users for low-scale fraud.