Intrusion Detection Systems mailing list archives

Re: Pricing intrusions


From: fernando () pedestalsoftware com (Fernando Trias)
Date: Wed, 13 Oct 1999 15:56:58 -0400



But the stock trading approach is risky too. The NY Stock Exchange claims 
that they monitor every single brokerage account for suspicious activity. 
If you make money most of the time just before earnings are announced for a 
handful of companies, they'll pick it up and cart you off to prison. But 
this is off topic and I digress.

I suppose the question of the value of stolen information is most important 
if you are an insurance company issuing a policy against information theft 
or loss. In that case, credit cards, phone cards and the like are valued at 
face value or the maximum liability (usually $50) and are trivial. Stock 
manipulation, blackmail, etc. involve third parties and are therefore of no 
concern.

The insurance company would value intellectual property at the full market 
potential (patents, products, etc) of the information adjusted by the 
probability of the detection of theft. But the probability of the detection 
of theft, and even the probability of theft, is currently incalculable 
because of a lack of data. Companies just won't admit that they lose 
information and no one keeps accurate tabs (if I am wrong, please correct me).

But, perhaps if a few brave cash-rich insurance companies started issuing 
policies and keeping track of claims we would finally know how much 
companies really lose to cybercrime.

At 11:09 AM 10/13/99 -0400, Marcus J. Ranum wrote:
I'm wondering if anyone has any data on what various kinds of data are worth
if stolen.  (I'd like to be able to give a client some faintly quantitative
information on what the economic value of their information is to a potential
intruder).

I've given this topic a lot of thought in the last few years, and
it's a toughie. Most of the ideas for making money from stolen
information assume using the information to somehow do one of a
few things:
        - blackmail someone (high risk, potentially low profit)
        - try to beat someone to a patent (high risk of legal wrangling,
                potentially huge profit but risk of legal wrangling tied
                to the size of the "take")
        - try to steal someone's ideas for product designs (high risk of
                legal wrangling, potential for profit, but you also still
                have to do the _work_)
        - use stolen information to do insider stock trades (near zero
                risk, high potential for profit) in this crime, oddly,
                the "victim" isn't likely to suffer very much unless you
                make them suffer deliberately.

I figure that the last approach (stock market manipulation) is the
best one to use, since it's got the lowest risk of getting caught,
you can convert the information into hard cash faster, and it's
going to be even harder to assign a value to it. Imagine if you
could hack into the systems of an investment bank, and read their
mail to get a jump on merger and acquisition activity? Or if you
could get into the financial systems of a publicly traded company
and know what their quarterly financial results looked like well
before Wall St. did? (incidentally, I can think of ways to get some
of that information "legally" without "hacking" but I've got a day
job...)

I don't even know the basics like what a credit-card number or calling card
number is worth on the black market.

A phone calling card ## is worth a few $thousand, max. Credit cards,
probably not a lot more. The usual way of scamming a calling card ##
is to stand at a payphone someplace and sell phone calls for $25
apiece for as long as you want to talk, anyplace in the world. The
calling card companies' fraud detection systems catch that pretty
fast so you need a lot of ##s if you want to make a lot of money.

I don't particularly like those kind of scams since you have to
hang on streetcorners associating with lowlives or fencing stolen
goods. Sitting at home doing insider trades with an online account
in my bathrobe seems more pleasant (and it pays better).

How about someone's medical records,
communications with their lawyer, etc?

Medical records would be useful for blackmail, I guess. But I'd
be scared to get involved in that kinda stuff. I've watched enough
movies to know that the proper way to react to blackmail is to hunt
the blackmailer down and shoot them. :)

A person's communications with their lawyers wouldn't be that
interesting. A company's sure might be.

The recipe seems simple: I've just outlined a few places where
information can easily be turned into money and the kind of
information you need. Now, do some target analysis - ask yourself
"where does that information flow?" Then make yourself part of the
conduit. I figured if you had a 2-way pager that let you buy and
sell stocks you could make a _lot_ of money if you were the guy
who inked the printing presses at Barrons' - on the average, the
companies that get big coverage will move slightly based on
the coverage - and a slight move is all you need.

mjr.
--
Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
work - http://www.nfr.net
home - http://www.clark.net/pub/mjr

----------------------------
Fernando Trias                     Pedestal Software, LLC
fernando () pedestalsoftware com    Phone: +1 (508) 520-8960
http://www.pedestalsoftware.com    Fax: +1 (508) 520-8638


