Intrusion Detection Systems mailing list archives

Re: Pricing intrusions


From: mjr () nfr net (Marcus J. Ranum)
Date: Wed, 13 Oct 1999 11:09:59 -0400



> I'm wondering if anyone has any data on what various kinds of data are worth
> if stolen.  (I'd like to be able to give a client some faintly quantitative
> information on what the economic value of their information is to a potential
> intruder).

I've given this topic a lot of thought in the last few years, and
it's a toughie. Most of the ideas for making money from stolen
information assume using the information to somehow do one of a
few things:
        - blackmail someone (high risk, potentially low profit)
        - try to beat someone to a patent (high risk of legal wrangling,
                potentially huge profit but risk of legal wrangling tied
                to the size of the "take")
        - try to steal someone's ideas for product designs (high risk of
                legal wrangling, potential for profit, but you also still
                have to do the _work_)
        - use stolen information to do insider stock trades (near zero
                risk, high potential for profit). In this crime, oddly,
                the "victim" isn't likely to suffer very much unless you
                make them suffer deliberately.

I figure that the last approach (stock market manipulation) is the
best one to use, since it's got the lowest risk of getting caught,
you can convert the information into hard cash faster, and it's
going to be even harder to assign a value to it. Imagine if you
could hack into the systems of an investment bank, and read their
mail to get a jump on merger and acquisition activity? Or if you
could get into the financial systems of a publicly traded company
and know what their quarterly financial results looked like well
before Wall St. did? (incidentally, I can think of ways to get some
of that information "legally" without "hacking" but I've got a day
job...)

> I don't even know the basics like what a credit-card number or calling card
> number is worth on the black market.

A phone calling card ## is worth a few $thousand, max. Credit cards,
probably not a lot more. The usual way of scamming a calling card ##
is to stand at a payphone someplace and sell phone calls for $25
apiece for as long as you want to talk, anyplace in the world. The
calling card companies' fraud detection systems catch that pretty
fast so you need a lot of ##s if you want to make a lot of money.

I don't particularly like those kinds of scams since you have to
hang on street corners associating with lowlifes or fencing stolen
goods. Sitting at home doing insider trades with an online account
in my bathrobe seems more pleasant (and it pays better).

> How about someone's medical records,
> communications with their lawyer, etc?

Medical records would be useful for blackmail, I guess. But I'd
be scared to get involved in that kinda stuff. I've watched enough
movies to know that the proper way to react to blackmail is to hunt
the blackmailer down and shoot them. :)

A person's communications with their lawyers wouldn't be that
interesting. A company's sure might be.

The recipe seems simple: I've just outlined a few places where
information can easily be turned into money and the kind of
information you need. Now, do some target analysis - ask yourself
"where does that information flow?" Then make yourself part of the
conduit. I figured if you had a 2-way pager that let you buy and
sell stocks you could make a _lot_ of money if you were the guy
who inked the printing presses at Barron's - on the average, the
companies that get big coverage will move slightly based on
the coverage - and a slight move is all you need.

mjr.

--
Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
work - http://www.nfr.net
home - http://www.clark.net/pub/mjr


