Vishing

We don't see a new computer-crime invented every day. Here's a new one: "vishing."

–Vishing – Criminals Exploit VOIP Phone Calls

(July 18 2006)

Criminals are sending emails asking people to call an 800 number where their personal information is taken through touch-tone dialing. The technique has been dubbed "Vishing" because it combines email requests with VOIP phone services that can appear to be in any city, regardless of where the criminals are located.

Another scam uses only telephones - bulk dialing, warning of fraudulent credit card use, and then requesting credit card and security code information. Again, the effectiveness of the attack relies on the VOIP capability allowing the call to appear to come from any city.

http://news.bbc.co.uk/2/hi/technology/5187518.stm

[Editor's Note (Northcutt): While it is certainly true that just about anyone can sign up for a VOIP account like Skype and that it is possible to spoof caller ID, this is not a technology-based scam; this is a lack-of-awareness scam. If someone calls you, or leaves you a number to call them, that is not a good reason to give them your personal details about your credit card and bank account. Further, if your bank issued your credit card, they certainly already know the security code on the back of the card. This would make a good awareness Tip of the Day: If anyone ever contacts you about your credit card, thank them, hang up, and call the number on the back of your credit card.]

(((Actually, at the rate things are going, we pretty well DO see a new computer-crime invented every day. For instance, the following activity isn't called a crime, because it's security guys doing it – selling news of new vulnerabilities on eBay. I think the good old term "protection racket" could be stretched to cover this. Imagine if someone came to your parked car and said: "I know what's wrong with your keys, and you don't. Can I have fifty bucks?")))

MISCELLANEOUS

–Vulnerability Auctions Killing Responsible Disclosure

(July 19 2006)

Selling vulnerability research to the highest bidder instead of disclosing it responsibly to the affected vendor is a rising trend. Observers believe that more researchers will sell their research as demand and pay rates increase. One person asked rhetorically, "If I have a choice between a nice mention from Microsoft for responsible disclosure, or paying off my mortgage, which one do I choose?"

http://zdnet.com.au/news/security/soa/Vulnerability_auctions_killing_responsible_disclosure/0,2000061744,39263952,00.htm

[Editor's Note (Northcutt): This has been going on for a very long time of course, but what is changing is that it is getting more organized and more visible. And it isn't just hackers; security companies are also bidding for these vulnerabilities. Here are a couple of interesting links, including a blog from 2005 and a story about an auction on eBay that was shut down:

http://www.zerodayinitiative.com/

http://www.securityfocus.com/news/11363

http://www.matasano.com/log/2005/12/phreakonomics.html ]

(Schultz): The trend of vulnerability information being for sale to the highest bidder will only get worse over time. Trying to suppress the public disclosure of new vulnerabilities through various methods has not proven very successful, and money is a powerful motivator. The only real solution is for vendors to eliminate bugs in their products in the first place through use of systematic software development methodologies.]