Posts Tagged ‘crime’
Monday, May 17th, 2010
I looked over the FBI’s Internet Crime Complaint Center’s annual report covering 2009. There wasn’t a whole lot that was interesting (electronic crime is on the rise), but one thing caught my eye. On page 6 there is a chart showing the number of cases divided up by the monetary loss associated with it. Only 7.5% of the cases involved damages of more than $10,000 and only 1% involved damages of over $100,000. Gone, I suppose, are the days of the million-dollar heists, replaced instead by the facilitation of many smaller crimes. The scammers are only making money because they steal in bulk.
Tags: crime, cybercrime | Posted in compliance, investigations, regulations, and legal
Thursday, April 15th, 2010
Bank of America recently discovered that one of its employees had planted malware on some ATMs and had stolen a little over $300,000. Two very obvious countermeasures come to mind – use embedded devices instead of COTS, and whitelisting. There is really no reason that arbitrary code should be run on an ATM, and therefore there’s no reason to allow it.
Tags: ATM, crime, embedded device | Posted in random thoughts
Thursday, November 19th, 2009
According to Symantec, cybercrime is now the number 1 crime in terms of profit, having recently passed illegal drug trafficking.
Tags: crime, cybercrime, drugs | Posted in compliance, investigations, regulations, and legal
Friday, February 13th, 2009
The Conficker worm author is the latest to have a bounty placed on his/her head. I’m not inherently opposed to rewarding people who turn in criminals (it certainly has been standard practice in the non-cyber world for centuries). However, I think that in this case the organization offering the bounty is simply trying to look “tough on crime” after suffering for decades due to their lax security posture.

Update: On a related topic, when doing some background research on Conficker, I stumbled across the following headline:

French navy surrenders to Conficker

The jokes just sort of write themselves….
Tags: bounty, crime, Microsoft, virus, worm | Posted in news
Tuesday, July 8th, 2008
The DoJ wants private corporations to more openly disclose cybercrime when it occurs. This is one of the major differences between the way government works and the way private industry works. (I’ve got information security experience in both, and it’s something I’d noticed a long time ago.) In government, there is a strict procedure and a chain of reporting for everything, and one of the main focuses is openness. Individuals in government are rarely accountable as long as they follow the correct procedures. (In other words, the “I was just following orders” argument has worked countless times inside the beltway.) In the private sector, the main focus is profit, and people are held accountable for what occurs, even if they feel they did nothing wrong. Reputation loss is a serious concern, and corporations are loath to report information breaches. This is one of the reasons data breach laws have been necessary – without them private entities would rarely disclose when something bad happened. Now the DoJ and FBI want corporations to disclose even more so that they can allocate their crime-fighting abilities correctly. While this is clearly a laudable goal (and crime fighting is one of the major responsibilities of a modern government), private entities will not comply unless they are either required to by law (like the breach notification laws), or have a compelling financial interest (as in the case where they believe the authorities can help recover lost assets).
Tags: crime, government, public v private, reporting | Posted in compliance, investigations, regulations, and legal
Thursday, April 17th, 2008
Why am I only finding out about this now (also reported by Wired)?
Oleksandr Dorozhko hacked a system containing information on IMS Health that would negatively affect their stock price. (Or, possibly, someone else hacked the system and gave him the information.) He invested in puts and netted himself about $300,000 in one day. The SEC noticed and tried to block it, but the court has ruled that a hacker is not an insider, and therefore insider trading does not apply. Mr. Dorozhko gets to keep every cent of his admittedly ill-gotten gains.
Tags: crime, money, sec | Posted in application security, news