"Six or seven thousand organizations are paying online extortion demands," Alan Paller said at the SANS Institute's Top 20 Vulnerabilities conference in London. "The epidemic of cybercrime is growing. You don't hear much about it because it's extortion, and people feel embarrassed to talk about it."
"Every online gambling site is paying extortion," Paller asserted. "Hackers use DDoS (distributed denial-of-service) attacks, using botnets to do it. Then they say, 'Pay us $40,000, or we'll do it again.'"
Paller added he was concerned that the same techniques used for extortion--that is, DDoS attacks--could easily be used to target organizations in the critical national infrastructure.
Roger Cumming, the director of the U.K.-based National Infrastructure Security Co-ordination Centre, shares Paller's concern.
"There's an enormous amount of extortion," Cumming said. "We are concerned...(that) the technologies of extracting money could be used to endanger the (critical national infrastructure). One of the things we are talking about is how to mitigate that threat."
Paller called for tech companies to do better. He said that security vulnerabilities are vendors' responsibility to fix and that their products should reflect the suggestions associated with the SANS top 20 vulnerabilities list.
"Applications breaking after patching is the operating system vendor's fault," he said. "They tell developers to build applications on unprotected systems. But the other half of the game is that application vendors should have to test their products on safer systems. You do that with procurement."
A representative for at least one prominent British gambling site said that he would rather not comment on the whole issue.
Dan Ilett of ZDNet UK reported from London.
