• Hacking Incidents 2009 – Interesting Data

    There is a project called the Web Hacking Incident Database (WHID), which collects data and statistics on web-application-related security incidents. I was just looking into their report called The Web Hacking Incident Database 2009, which contains some pretty interesting statistics.

    In order to judge the results and statistics of this database, we have to make sure we understand the contributors and where they come from:
    [chart: WHID contributors by region]

    Therefore the output will definitely have some US-centricity but is nevertheless interesting.

    It is no secret that attackers go for money: cybercrime has moved from cool to cash. If you look at what the attackers did after a successful attack, this proves the statement once more:

    [chart: attacker actions after a successful attack]

    But how do they get in? How does a hacker actually attack a web application? Again, not many surprises here; more a confirmation of what we already know:

    [chart: attack methods used]

    I think having SQL injection on top should not surprise anybody working in this space.

    So, looking at it is definitely worthwhile in order to get a better picture from a security intelligence point of view.

    Roger



  • Why Today’s End-User Education Fails!

    I was reading a paper recently which I initially thought was a joke (it looked scientific, therefore I was not too scared). But as our research department wrote it, it is serious and really, really good – at least it definitely made me think. It is called So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users – you should read it!

    Basically it focuses on the cost/benefit of security advice to end users from an end-user perspective. Here are a few quotes from the paper (to tease you):

    • We argue that users' rejection of the security advice they receive is entirely rational from an economic perspective.
    • A study of password habits in 2007 [26] found that users still choose the weakest they can get away with, much as they did three decades earlier [45].
    • For example, it makes little sense to invest effort in password strength requirements if phishing and keylogging are the main threats. It does not pay to learn URL reading rules to recognize phishing sites when the direct losses borne by users average less than a dollar a year. It's hard to blame users for not being interested in SSL and certificates when (as far as we can determine) 100% of all certificate errors seen by users are false positives.

    If you think it through, they are right. They then draw a few conclusions:

    • Users Understand Risks better than We do
    • Worst Case Harm and Actual Harm are not the Same
    • User Effort is not Free
    • Designing Security Advice is not an Unconstrained Optimization
    • The Economic Harm of Security Advice

    And then, please, read their final chapter on What Can We Do? – otherwise you will stay frustrated :-)

    Roger



  • Council of Europe – Octopus Conference (Cooperation against Cybercrime) Day 2

    And the second day starts. I just met with Jeremy Kirk from IDG and it is great to see that the press is actually interested in such a conference as well.

    Today started with a long session on different initiatives against cybercrime. A lot of good information:

    • Interpol offers quite a few good services to police forces across the globe: a 24x7 center to bridge between the different police forces (sometimes just to overcome language barriers), a central database to share information on crimes, etc. Additionally, they train law enforcement officers on cybercrime and investigation all across the globe.
    • London Action Plan: The largest network of civil authorities, but it is open to participation by the industry. Even though it is called “London Action Plan”, it is a global public-private partnership, formed in 2004, and covers data protection agencies, consumer protection agencies, the private sector, etc. They want to strengthen the network, increase knowledge and share best practices and emerging threats. Basically it is about how the different parties can use their tools and knowledge in a cooperative way to conduct investigations.
    • GPEN (Global Prosecutor E-Crime Network): It is owned by the Association of International Prosecutors. Basically this is a big sharing initiative for prosecutors on cybercrime. One of the key areas is sharing training packs for capacity building. Additionally, they run a website with a forum where they share approaches to cases (no sensitive information) – a fairly interesting approach. Finally, they share material about how to present cases in front of a court (like how a botnet works, what a Trojan horse does…) such as videos, presentations, etc.
    • InHope: InHope is a network of hotlines against illegal content like child sexual abuse images (actually the core of their work), extreme violence, racism, etc. They want to work on standardization (or best practices) for how such reports are handled to make law enforcement more effective. They cover 31 countries today and are looking into growing into more developing countries.
    • Global Network Initiative: An initiative to support freedom of expression and privacy. The challenge they want to address is the conflict global companies face where local legislation conflicts with human rights on the Internet. So, the GNI developed a set of principles to advance human rights on the Internet.
    • Anti-Phishing Working Group: It is fairly obvious what they do. A few years back, they actually organized an event in Europe (I think it was in Berlin) on how to collaborate on phishing cases. One of the projects they are running at the moment is about sharing data with law enforcement. It is basically about automated processing of e-crime data and writing “the story” for the prosecutor and judge. So, it is about harmonizing databases and file formats. A good idea; I am just wondering whether the law enforcement agencies will pick it up and really share the data, as they do not share the data today – because they are often not allowed to share… Where they will definitely be successful is when it comes to data on phishing cases.
    • Messaging Anti-Abuse Working Group (MAAWG): This working group goes back to the time when e-mail use grew significantly and e-mail started to get abused. So, the working group mainly consists of ISPs as well as some security vendors and companies which legitimately use e-mail for marketing purposes. So, basically it is about collaborating to fight spam (which is often one of the roots of cybercrime attacks), and they have a lot of good guidelines like the use of port 25, etc.

    What I liked about this network-sharing workshop is that I never heard any of the networks say “we are the ones”, but much more “we want to collaborate and not duplicate efforts” – a great position that we need. If you want to get an overview of the different networks which exist, the Council of Europe has a good overview: Anti-cybercrime networks, organisations and initiatives

    The afternoon was about effective measures against sexual exploitation and abuse of children on the Internet. I was fairly new to this topic. So, there are a few key findings for me:

    • Just getting children access to law enforcement is a huge problem. But there are initiatives to address this, also for the children who are most exposed, like children without parents.
    • This is a very big social problem. It is not necessarily a legal challenge (which it is as well, but there are guidelines for it) but – again – how can a victim really exercise their rights?
    • There is a lot of interesting (and shocking) information available on the website of ECPAT International: http://www.ecpat.net/EI/EI_publications.asp

    So far it was – as always – a very interesting and valuable conference. I am not sure whether I can write about tomorrow, as I will be on a panel on the Cloud in the morning and then on the road.

    Roger



  • Data Protection Heat Map

    I was looking at some research done by Forrester which could be interesting for you as well. They try to lay out the landscape with regard to data protection, and it looks fairly compelling. So if you are interested in the situation of the different privacy laws across the globe and how Forrester sees them, the map you can access there is fairly good (even though I cannot judge whether the content is accurate).

    [image: Forrester data protection heat map]

    The real interactive map can be found here: Do You Know Where Your Data Is In The Cloud?

    Roger



  • Council of Europe – Octopus Conference (Cooperation against Cybercrime) Day 1

    A few years ago, the Budapest Convention on Cybercrime was signed within the Council of Europe. Since then it has been ratified by a lot of countries across the globe or at least used as the basis for legislation. For a few years now, the Council of Europe has also been organizing a conference on Cooperation against Cybercrime, called Octopus.

    We actually had a very good first day and there are a few conclusions I can draw after the first day:

    • Cloud Computing is mentioned very often by the government officials. Listening to the discussions so far (we did not specifically talk about the Cloud yet; this is to be done on Thursday morning), I am not clear whether all the involved parties have the same view on the Cloud and its impact on the legal and law enforcement landscape. This is a big problem, I guess, as this would be the basis for the development of joint activities. There is a lot of education and knowledge transfer to be done.
    • All across the board, there is a willingness to cooperate – at least on the working level. There are two challenges with that. If you talk to prosecutors and judges, there is still the challenge that they need to be neutral but on the other hand need to work with the private sector. A balance still needs to be figured out. Additionally, I am unclear how far the politicians really realize the need for international collaboration on such challenges. This is something we as citizens need to push – politicians are elected locally :-)
    • There are a lot of great police officers, judges and prosecutors in the countries – I am often amazed seeing what they do and with which passion they do their work. We – as the industry – have to make sure we do our best to help them get the right legislation in place and to help them get the right partnerships in place.
    • There was a remarkable discussion today: A country asked how they could work with international police forces. Somebody then answered: Your problem is that there is no cybercrime in your country. The answer: That’s not true, there is a lot. So basically the statement was that there is no law which makes it illegal to commit cybercrime – and therefore there is no cybercrime in this country. We need the countries to ratify (or at least follow the principles of) the Convention on Cybercrime as a basis to then train law enforcement and finally prosecutors and judges – to make cybercrime “a reality” in all the countries.
    • There are different organizations in countries which all play different roles, and sometimes different organizations claim to be “the single point of contact”, like police, CERT, etc. The roles of police, policy makers, CERT, critical infrastructure, private sector, etc. have to be clear.

    Probably the best thing I heard was that Microsoft was very often mentioned as a role model for collaboration between the public sector and private companies! It seems that our work is having more and more impact.

    If you want to look into this live, there is a live stream from room 1 at least: http://tv.coe.int/webcast/ (there are two). On Thursday from 10:00-12:15 (GMT+1) there will be presentations and then a panel on Cloud Computing that I am sitting on.

    Roger