Schneier on Security
A blog covering security and security technology.
« The Life Cycle of Cryptographic Hash Functions |
| My Next Book: Title and Cover »
June 21, 2011
The Problem with Cyber-crime Surveys
Good paper: "Sex, Lies and Cyber-crime Surveys," Dinei Florêncio and Cormac Herley, Microsoft Research.
Abstract: Much of the information we have on cyber-crime losses is derived from surveys. We examine some of the difficulties of forming an accurate estimate by survey. First, losses are extremely concentrated, so that representative sampling of the population does not give representative sampling of the losses. Second, losses are based on unverified self-reported numbers. Not only is it possible for a single outlier to distort the result, we find evidence that most surveys are dominated by a minority of responses in the upper tail (i.e., a majority of the estimate is coming from as few as one or two responses). Finally, the fact that losses are confined to a small segment of the population magnifies the difficulties of refusal rate and small sample sizes. Far from being broadly-based estimates of losses across the population, the cyber-crime estimates that we have appear to be largely the answers of a handful of people extrapolated to the whole population. A single individual who claims $50,000 losses, in an N=1000 person survey, is all it takes to generate a $10 billion loss over the population. One unverified claim of $7,500 in phishing losses translates into $1.5 billion.
I've been complaining about our reliance on self-reported statistics for cyber-crime.
Posted on June 21, 2011 at 5:58 AM
• 20 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
45 and two sevenths percent of statistics are made up including the ones about cyber-crime
In the UK 13:00 news it's been anounced that the UK's Scotland Yard (Met Police) E-Crime unit working with the US FBI has done a takedown on a supposadly senior LulzSec member.
The 19year old male was arrested in Essex UK this morning.
Oh it should be mentioned that the Met Police have been quite aware of many of the "Anonymous" associates in the UK since before the cerfuffal with the arest of the WikiLeaks founder...
With regards my above of the take down of a LulzSec/Anonymous hacker, he appears to be not very anonymous in that (if it is him) all his details have been posted at,
Which is going to make life very interesting for the authorities in many respects...
You must have made that up. "Real" statistics wouldn't mix fractions and percentages... they be displayed as decimals ;)
@Clive et al.,
A 19 year old master criminal eh - only just old enough to vote and drink (and not old enough to drink if he goes on holiday to the US... but he wont get in there ever again).
Sadly its a given that the police will claim he is the most important hacker ever, while the hackers will say "who is he?"
I notice, LulzSec are also saying they didnt hack the Census, despite reports claiming they did.
The only thing I can say in LulzSec's defence (if it is even that) is that they have lightened up the whole information security arena for a while. Police and journalists are showing themselves to be woefully behind the times, and the hacks themselves are generally based on 10 year old exploits....
Sad part is that governments and big businesses are missing a key point, I feel, being made by Lulzsec hacks: The way some (read: most) companies are handling the security of their user and customer data is criminal in and of itself. People trust their information with these companies and expect better security than what they have. I cannot condone the actions of Lulzsec but I do hope that information security, and lack there of, begins to get the publicity it deserves.
OT, re. Lulzsec:
The whole UK census thing is quite intriguing...
(for those who are unaware, there was a Pastebin press release purporting to be from Lulzsec, denials on Twitter & subsequent deletions of tweets, I think after the arrest mentioned above)
Not sure whether there even has been a hack, and if so whether Lulzsec are involved, but it's mightily interesting, especially in context of the recent Lockheed Martin attacks/breaches in the US.
Certainly makes me even more glad I refused to fill it in, anyway.
Apologies GreenSquirrel, didn't see you'd already mentioned the alleged census hack.
Personally I find Lulzsec pretty funny; I guess they appeal to my childish, anarchic side. They are drawing attention to serious issues (anyone remember infosec getting anywhere near this much mainstream press, *ever*?), and doing it in a humorous way.
More power to 'em, I say.
"... not old enough to enough to vote and drink (and not old enough to drink if he goes on holiday to the US... but he wont get in there ever again"
Err that's exactly where he is going (but not on holiday). It appears his name address and other details where released by other Anonymous goup members back in early May.
From what is comming out he is going to be shipped out to the US under the "terrorist clauses" of the extradition treaty that Tony Blair signed in without looking at. So the FBI just have to say "he's a criminal" and have him extradited from the UK irespective of if he has broken any laws in the UK or else where in the World.
So in effect this makes him the first "official cyber-terrorist".
However it's not as though he is unknown to Essex Police, they have raided the house before. If you search on one of the addresses you will find that his elder brother and mother have drugs related convictions. Both are also apparently "disabled" as they are claiming state benifit,
Interestingly there are other phots on the net showing them walking around in the open showing no sign of the claimed disability.
After having had time to have a dig through the Internet, it's almost as though Ryan Cleary is being set up.
All his details etc have been posted up on various sites, some even before he allegadly "outed" Anonymous.
I suspect we are going to hear quite a bit more in a few days as as "NASA Hacker" Garry Mckinnon has shown the only way to fight the US extradition is by using the press,
And to do that you need to get the press on your side.
Sometimes it seems like statistics has degenerated from an exact mathematical science into some braindead tool being abused by virtually anyone to try and prove whatsoever with. Sad evolution.
OT - @Clive et al
There's several other people that have recently been "doxed" as lulzsec members by th3j35t3r and some outfit called "Web Ninjas". See http://lulzsecexposed.blogspot.com/ and https://th3j35t3r.wordpress.com/2011/06/16/quick-n-dirty-just-for-clarification/ .
th3j35t3r alledgedly is a former military and lone wolf with massive amounts of bandwith (and some zero days) at his disposal which he regularly uses to DDoS jihadi and other religious fundamentalist websites (like WBC). Although he doesn't seem to have much of a problem with corporate hacks, he seems to turn on anyone messing with government infrastructure or that of outfits closely affiliated to it. Web Ninjas (duh !) equally profile themselves as cyber vigilantes.
For as far as Anonymous and its presumed spin-off Lulzsec are concerned, it is reasonably easy to get involved when hanging out on their IRC servers, preferably over a VPN since they block traffic from known Tor exit nodes. Most of the folks out there seem to be utter idiots indulging in all kinds of profanity and enjoying the delusion of elite status once they figure out how to use LOIC from their dads PC. I did however have some really intelligent conversations with a couple of channel operators when I DM'd them offering my services and explaining a bit of my IT background. Both tried to recruit me almost instantly to do some development work for them.
Personally, I believe that both Anonymous and Lulzsec are made up of a core of idealists on a mission with an army of unreliable goofy followers, while at the same time being heavily infiltrated, if not manipulated by groups and agencies with entirely different agendas. The same goes for these so-called cyber vigilantes. The shadow wars they both believe to be waging on their perceived enemies and each other are interesting to follow from a security angle as they so painfully expose many of the issues we have been warning about for ages, but ultimately may have the exact oposite effect of what they are trying to achieve.
We are already seeing numerous legislative initiatives everywhere to increase government control over the internet with as sole purpose the curtailing of free speech, free flow of information and right of assembly. To those behind them, Anonymous and Lulzsec are gifts from heaven as much as the ominous Chinese hackers we keep being told about.
@ Dirk Praet,
"We are already seeing numerous legislative initiatives everywhere to increase governmen control over the internet with as sole purpose the curtailing of free speech, free flow of information and right of assembly."
Sadly that appears to be the case. I've known for some years that the politicos were running scared of the Internet simply because it took away one of their most important tools, the ability to control / persuade the press to not bring up their previous comments and behaviour.
The result at they very least is that no politico actually says anything of any worth anylonger, and we the "prols" just get vacuous "spin" and "double speak" just as George Orwell so accuratly predicted back during WWII when working for the BBC and living in a bookshop on the corner of Pond Street just below Hampsted Heath.
George also made a series of other predictions in some of his books such as Animal Farm and 1984. Both have to a greater extent come true. Sadly he did not see just how far technology would take us in under 3/4 of a century and I suspect he would be a very sad man that "we the people" did not take his words on board.
Lulzsec and Anonymous supposedly have "joined forces" (whatever that might mean in actual practice) to gang up on government.
I got no problem with that!
Meanwhile, more importantly for one of my clients, Network Solutions got taken down twice by a DDoS. No one has claimed credit that I know of yet.
Oh, here we go!
TSA Takes Security Theater On The Road: Mobile Groping Teams Can Pop Up Anywhere
"Via Julian Sanchez, we learn that the TSA has apparently been taking its security theater on the road, with special mobile teams, as a part of its VIPR (Visible Intermodal Prevention and Response) program. These teams apparently show up unannounced, and start their usual groping and scanning procedures at bus stations, train and subway stations, and occasionally even on passenger cars."
Surprise! TSA Is Searching Your Car, Subway, Ferry, Bus, AND Plane
Actually a Google search shows this has been going on for the last two years or so.
In a severe crack that. hit gov in @ may 2006, then our pcs in nov 2006, FBI, state pc crimes
did not want my info cuz I was not cissp. Bid
security firms said they only worked w big corps. I had a small pc Corp when certs did not matter, but what u knew, could do.
as things changed I read books by u, skoudis etc. I saw things that many even cissps thought
impossible. when screen messages looked like
packs yet pc not connected, puzzling. If the geeks knew enuff to explain an intelligent reason like a illusion from a certain file set wrong, better
than calling me an idiot.
I met ladies in wmt who said pcs had viruses. perhaps the malware were trogan/ root kits, but
many knew. same story av software said nothing
wrong, store geeks same. how many mid to low mid folks knew? they knew not geekese. Not only us.
I knew the invader's code written someone w 20-30 yrs of coding and pc arch. I recognized pre 95
design, saw programs. Why they did not cut my pcs from their net? I had a flash in pc at time. It was not part of xp, the flash was mine. my opinion, I had the right to know contents.
I knew contents were hack files, opened them up in OO. The most dangerous person for hck is 1) I knew 2) I was insanely curious, would not give up. My gut screamed ' hope those top secret security folks know or it will be Global Econ collapse'.
number hit would be low cuz those regular fills
that know are ignored. Foe me, too much at stake. Not the FBI nor Cissps convinced me I did not see what I saw. Some answers in books for pros in assembler, C folks doing security compliance at big orgs, pc arch, etc.
I got clues from Linux geeks, engineers, one apple expert. Those were eth hackers in biz management who avoid the rate race of Corp
security. Many hide cuz they fear govt. The 'patriot. act' drove them underground. Careful to do nothing illegal, renounce it when asked
I know not how many hide, but I was left clues in odd places. I was posting, nor asked those on the sitesto fix my problem. Two yrs hcking my pcs, living in registry, still unable to get it out, one day it was gone.
Honestly, I was too close. no proof but knew locations, corps. before someone chased it out, My gut screamed danger. I was one, running too close. If I had figured out 2-3 more details, I feared perception as a threat, I quit. I used no
security tools cuz hcks made them.
Arrogant folks leave info. I was unpredictable, played head games like 'the art ofnwar'. from the
first, the crackers declared war. it was wAr. my
strategies were atypical war. I did not win, I quit. I learned a lot. After a year I was thinking like a hcker. My mind scared me. Now thinking of worse hack attacks, most think impossible, I went to an expert with, what if?
He looked like he had seen a ghost. Lived hoping
no one would think of such devious possibilities. To one not a programmer, hw expert, nor security xpert, he sadly said 'u better believe it'.
I cannot say the vulnerable cuz they are Ed Skoudis worst nightmare. Not the os, but the hw. None that make the components would fizz until
bad guys are doing it. Only apple. 2007, Jobs was hiring engineers to reverse every board chip.
Some of the flaws are obvious to a 'child's mind'.
Intel knows nada @ ram, USB engineers know that, those that make HD make that. I have no lofty position, nor certs. If I met Israel geeks, only they would listen. A More secure board is possible, but someone would have to make it. I doubt such boards would be expensive. After freaking, I thought,.,' how could it be fixed'. designs flooded my brain, wrote them down.
This society is not ready. A brilliant mathematician put this theorems, some explanations in a box. Found 300 yrs later, they groaned, 'why didn't he publish, we would be further'. They could barely grasp it. If the math guy had published 300 yrs before, he would have
been tormented dAily if not burned at then stake.
The oppression of science that goes against popular continues whether global war wing, Darwinism. The pc architecture has changed little since the 286, cept changes that made it less secure. Only an idiot would think a different one
would well received. In a greedy world, where profits are at stake, they might fight. The cracker
would think the impossible well before the denial
that preceded the righting ended.
The professor was right. He hoped no one would
think such thoughts. Now, if a novice thought them, how long? One hint. Hacking is getting something to exec it's programming or design. It is what it is capable or, not what it designed to do.
My son in security thinks ur the best.
Recently a few of my credit cards have been replaced by the my bank(s). They phoned me to ask me if I'd made certain purchases (did they authenticate themselves well? no), and I had. There was no fraudulent use of my card. So, why was my card being replaced (It's a pain due to recurring transactions), I asked?
Well, it was found as part of a database.
Okay. Whose database was compromised? I want to know, so that I can refuse to do further business with them.
They won't tell me. I'll never know it seems.
On-topic question: have I been the victim of a cybercrime? What was my loss? (At least two days of my time)
Who perpetrated this crime against me? As far as I can tell, it was the credit card company itself.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.