Thursday, 20 May 2010

The True Cost of a Hack

Albert Gonzalez, the hacker who stole over 170 million credit card records from top retailers and credit card processors, was sentenced to 20 years in prison a few months ago. Preparing for a presentation recently, I was reminded of just how huge an impact this hacker, working with what appears to have been a small group of accomplices, had on the US economy. As part of the court proceedings the US Department of Justice applied multiple calculations with legal precedent for estimating the losses the hacker’s exploits caused. These estimates range from $400-$780 million USD. Heartland, one of the worst affected targets, claims losses of over $130 million USD already due to legal fees, settlements, and fines.

These calculations got me thinking: how should we measure the cost of a breach like this? Most mechanisms focus on the amount of money the hacker gets out of the stolen accounts, or could feasibly get out of the accounts, or in other ways try to measure direct monetary loss to the victim or gain to the hacker. But what about the tens of thousands of identities that could be stolen because of information gathered in the attacks? These soft costs seem to be the true risk of insecure software, and they are much, much greater than any direct financial loss. Until we place some legally-relevant value on them we won't truly be able to measure the impact of a breach and justify investments to counter the risk.

Posted by jwest at 5:02 PM in Fortify

Wednesday, 12 May 2010

BSIMM2

BSIMM2 has landed! We have excellent data on the inner workings of 30 major software security initiatives. Download the full PDF report here, or get the quick summary here. The 20 participants that have graciously allowed us to use their names are:
  • Adobe
  • Aon
  • Bank of America
  • Capital One
  • EMC
  • Google
  • Intel
  • Intuit
  • Microsoft
  • Nokia
  • QUALCOMM
  • Sallie Mae
  • Standard Life
  • SWIFT
  • Symantec
  • Telecom Italia
  • DTCC
  • Thomson Reuters
  • VMware
  • Wells Fargo
Posted by bchess at 3:16 PM in Fortify

Friday, 7 May 2010

Expansion of Domain Names to Include Non-Latin Characters

Recently, the Internet Corporation for Assigned Names and Numbers (ICANN) approved the addition of non-Latin domain names to the Internet’s master directory of domain names. As a result, Arabic users will soon be able to access websites with URLs written entirely in Arabic characters, and companies will be able to reach out to new audiences.

In the short term, there will be more opportunity for attackers to conduct phishing attacks against sites registered within these new domains. The domains are relatively new, with a lot of unregistered space, so attackers should be able to register plenty of unclaimed names for subsequent phishing attacks. With an expanded web audience and an expanded set of domains, the volume of phishing attacks should continue to rise.

In the long term, the security community will need to focus on finding better ways of detecting phishing sites than blacklisting. Blacklisting will be an increasingly unmaintainable way to prevent users from visiting an ever-increasing and diverse set of phishing sites. Many different solutions have been proposed; this article provides a good overview of them.
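As an added example (not from the original post, and not one of the solutions the linked article surveys), here is one detection heuristic that does not depend on a blacklist: decode a hostname's Punycode (xn--) labels to Unicode and flag any single label that mixes writing systems, which legitimate IDN registrations rarely do. It uses only the Python standard library; the sample hostnames are constructed for illustration.

```python
import unicodedata

# Constructed sample hostnames (not taken from the original post).
SAMPLE_HOSTS = [
    "example.com",               # plain ASCII
    "\u0645\u062b\u0627\u0644.com",  # an all-Arabic label under .com
    "\u0430pple.com",            # 'apple' with a Cyrillic 'a' in place of the Latin 'a'
]


def to_unicode(host: str) -> str:
    """Decode any Punycode (xn--) labels; Unicode input is simply normalised."""
    return host.encode("idna").decode("idna")


def script_of(ch: str) -> str:
    """Derive a script name ('LATIN', 'CYRILLIC', 'ARABIC', ...) from the character's
    Unicode name. Digits and hyphens are script-neutral and reported as 'Common'."""
    name = unicodedata.name(ch, "")
    if not name or ch == "-" or name.startswith("DIGIT"):
        return "Common"
    return name.split()[0]


def label_scripts(label: str) -> set:
    """Set of scripts used in one DNS label, ignoring script-neutral characters."""
    return {script_of(c) for c in label} - {"Common"}


def check_host(host: str):
    """Classify a hostname. Returns (verdict, per-label script lists) where verdict is
    'mixed-script' if any label combines scripts (a strong phishing signal),
    'single-script-non-latin' if every label is single-script but not all are Latin,
    and 'latin' otherwise. Whole-script confusables (e.g. an all-Cyrillic look-alike
    of a Latin name) are NOT caught by this check; they need UTS #39 confusable tables."""
    labels = to_unicode(host).split(".")
    per_label = [sorted(label_scripts(label)) for label in labels]
    if any(len(scripts) > 1 for scripts in per_label):
        return "mixed-script", per_label
    if any(scripts and scripts != ["LATIN"] for scripts in per_label):
        return "single-script-non-latin", per_label
    return "latin", per_label


if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        print(h.encode("idna").decode("ascii"), "->", check_host(h))
```

Running it shows the Cyrillic-for-Latin substitution flagged as mixed-script while the all-Arabic label is reported as an ordinary non-Latin name, which is the distinction a blacklist cannot make on its own.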

Here is the original article that inspired this blog post.

Posted by jcarter at 11:50 AM in Fortify