Intrusion Detection Systems mailing list archives

Re: Pricing intrusions

From: stuart () SiliconDefense com (Stuart Staniford-Chen)
Date: Wed, 13 Oct 1999 17:31:13 -0700




"Marcus J. Ranum" wrote:

<Marcus's other options for his career in crime deleted :-)>

I figure that the last approach (stock market manipulation) is the
best one to use, since it's got the lowest risk of getting caught,
you can convert the information into hard cash faster, and it's
going to be even harder to assign a value to it. Imagine if you
could hack into the systems of an investment bank, and read their
mail to get a jump on merger and acquisition activity? Or if you
could get into the financial systems of a publicly traded company
and know what their quarterly financial results looked like well
before Wall St. did? (incidentally, I can think of ways to get some
of that information "legally" without "hacking" but I've got a day
job...)


If you made too much profit, you would probably show up on the SECs radar
screen looking like an inside-trader.  Once their attention was attracted to
you, they might figure out the rest.

I don't even know the basics like what a credit-card number or calling card
number is worth on the black market.


A phone calling card ## is worth a few $thousand, max. Credit cards,
probably not a lot more. The usual way of scamming a calling card ##
is to stand at a payphone someplace and sell phone calls for $25
apiece for as long as you want to talk, anyplace in the world. The
calling card companies' fraud detection systems catch that pretty
fast so you need a lot of ##s if you want to make a lot of money.


I have heard anecdotally, that folks with a stolen credit card number
typically just stick a few small transactions (~$50) on it.  So that places a
rough upper bound on the value.  But this is crappy data (I heard it from a
bank security officer but I can't remember who) - I was hoping someone knew
something more authoritative.


A person's communications with their lawyers wouldn't be that
interesting.


The other side in the suit might not think so.  I know of someone who
successfully guessed her husband's answering machine password (it was their
son's name).  Every evening through their divorce, she would call up and
listen to all the messages his attorney left on his machine.  People involved
in suits sometimes get very angry and lose most of their restraint
(especially divorces).

Stuart.

-- 
Stuart Staniford-Chen --- President --- Silicon Defense
                   stuart () silicondefense com
(707) 822-4588                     (707) 826-7571 (FAX)

Current thread:

Anomaly detection [was Re: Assessment tools/Scanners], (continued)
- - - Anomaly detection [was Re: Assessment tools/Scanners] Stuart Staniford-Chen (Oct 11)
    - Re: Anomaly detection [was Re: Assessment tools/Scanners] Dug Song (Oct 12)
    - Re: Anomaly detection [was Re: Assessment tools/Scanners] Stuart Staniford-Chen (Oct 12)
    - Re: Anomaly detection [was Re: Assessment tools/Scanners] Dug Song (Oct 12)
    - Pricing intrusions Stuart Staniford-Chen (Oct 12)
    - Re: Pricing intrusions Marcus J. Ranum (Oct 13)
    - Re: Pricing intrusions Fernando Trias (Oct 13)
    - Fragmentation Question Greg Shipley (Oct 13)
    - Re: Fragmentation Question Dug Song (Oct 14)
    - Re: Pricing intrusions Ryan M. Ferris (Oct 14)
    - Re: Pricing intrusions Stuart Staniford-Chen (Oct 13)
  - Re: Assessment tools/Scanners Greg Shipley (Oct 11)
    - Re: Assessment tools/Scanners Martin Roesch (Oct 11)
    - Re: Assessment tools/Scanners Greg Shipley (Oct 12)
    - Re: Assessment tools/Scanners Martin Roesch (Oct 12)
    - Re: Assessment tools/Scanners Dug Song (Oct 12)
    - Re: Assessment tools/Scanners Martin Roesch (Oct 12)
    - Introduction mcondy (Oct 12)
    - Re: Assessment tools/Scanners Ryan M. Ferris (Oct 13)
    - Re: Assessment tools/Scanners Martin Roesch (Oct 13)
    - RE: Assessment tools/Scanners Bill Royds (Oct 11)

(Thread continues...)