Saturday, February 17, 2007

Honeypots

A honeypot is a type of trap. Originally, it was a pot full of honey that was used to trap a bear because the bear couldn't get its paw out of the trap. There are two types of modern honeypots by definition. The first honeypot variant is a trap to catch malicious software or computer intruders. The other honeypot variant is a trap used to catch, kill, compromise, or create a spy using sex. I believe I've found a variation of the two. Everyone knows that a bit of fibbing goes on in dating web sites. A weight described as "average" either means average or "extra padding" depending upon the person. "Extra padding" translates to overweight, although I've had a date in which the lady was REALLY overweight. One can live with little white lies and such. It's part of the game. Unfortunately, there are two other elements creeping into dating sites. There are the con artists who are preying upon the lonely. These are generally easy to spot. They aren't who they say they are and a lot of them claim to be Americans, but sooner or later, you find that they live in Eastern Europe or Africa. The sites police these people rigorously since they are bad for business. However, there's another element that's trickier and perhaps even tolerated by the site owners. These people pose as the free subscribers. Generally free subscribers have few privileges and if one needs to interact with them, one has to do it through another means such as email or IM. And with IM, you generally use an email address as your irc account username. So, free subscriptions on dating sites give one almost instant access to people who will give away their email address for the possibility of a date.

Do you see where I'm going with this? Spammers, or people who sell email address lists to spammers, are using dating sites to gather legitimate email addresses. It's simple, it's free, and it's self-verifiable, and there's no way to get caught unless they monitor your usage. Chances are that they'll keep you on because they want to impress people with the number of subscribers to their dating site. I've seen the same woman's picture on three different profiles on one site, two in the U.S. (different states) and one in Europe.

Now, let's take it up a notch. What if the entire dating site is one big honeypot, completely illegitimate? I've pretty much found one that's based in Belgium. Google "sex personals and beyond" for the curious. It appears to be completely fraudulent. The ratio of men to women is greater than 5:1, and I'm guessing 90% of the paying women subscribers are phony and that's probably an overly generous assessment. It's the perfect online honeypot. It lures male subscribers with promises of romance and sex. They try to keep them hooked with one-liner email replies from fictional "paying" female subscribers. There are many, many more free subscribers than paying subscribers who are female. Most of them appear to be fictional constructs used for gathering email addresses.

The problem is that what I've just described isn't unusual behavior any more for any dating site. It probably comes down to degrees, from mostly legitimate to thoroughly illegitimate. No dating site is transparent due to privacy issues (stalkers) and they are all the perfect cover for scam artists and email address harvesters. The only people who could tell us have no economic or business incentive to disclose how many of their clients or subscribers are real people looking for romance or a date. So, you could describe any of the worst offending dating web sites as a third variant of honeypot, or as a money scam and email address trap at best.

Wednesday, February 14, 2007

Admiring Evil

I was watching Syriana the other night. I realized that I was upset by the implication of the movie, but it's true. American interests may not be in the best interests of another country, but are such evil actions ever justified? Our foreign policy works against us in the Middle East. Why enforce a shortsighted policy that will hurt us in the long run? In a village or small tribe, if the group prospers, so does the individual. The opposite is just as true as well. Does this scale? If the entire planet can be considered a village, is it true then? To prosper at the expense of all others is an offense in a village or small tribe. It used to be called antitrust and against the law in this country. It's just business if you are Microsoft. Why do we admire Microsoft for being despicable and criminal? Is there a difference between my country right or wrong, and my government right or wrong? Rome is admired and mourned, but Rome could never last because it was too ruthless, too brutal and too greedy. Will America be known as the latest Rome?

Saturday, February 10, 2007

Flags of Our Fathers

I bought Flags of Our Fathers the other day. It's an excellent film. Surprisingly, it's more an antiwar film than a war film. I urge people to rent or buy the DVD and watch it. It's a sad movie and it shows the hypocrisy of the wealthy and powerful, the guilt the survivors feel because they are alive and their closest friends are dead, and it shows what men have to do to survive under conditions no one should have to endure, but somehow they do. I really want to see Letters from Iwo Jima more than ever to see the other side of the story. I already know the ending. The past is dead and buried, but I wish to know their stories nonetheless, for they were once flesh-and-blood men with lives and passions and feelings. All of them, American and Japanese, deserve to be remembered.

Criminal Justice System is Broken

Child pornography law is designed to prevent the exploitation of children by malicious and perverted adults. But now, two children who were stupid enough to document their intimacy by taking a picture of it and transferring the picture from the cell phone to a computer were found guilty of violating the law designed to protect them. I concur with the dissenting judge's opinion. If the teen had tried to sell the image or some such, all bets would be off, but it appears that she made the mistake of saving the moment for posterity only. Parents, if your kids do something like this young girl, save yourself a lot of trouble and just destroy the evidence and find an appropriate punishment for the child. Otherwise, you might be paying a hefty legal bill and buying a new computer all because your teenager took a picture he or she shouldn't have and the State had nothing better to do than charge your kid with distributing child pornography even though they themselves produced it and no adults were involved.

Helpful Tips to Protect Yourself Online

I seldom give advice here. This blog is more for illumination and knowledge, but I am seeing trends which bother me. More and more, the security burden is being shouldered by the user and not the service provider. Also, a lot of the security measures we are seeing deployed are useless (TSA anyone?). You jump through hoops to enroll in online banking, or some such service, and all that "protection" gets undone when someone acquires your username and password and suddenly your hard-earned money has been wire transferred overseas. Your bank approved of the wire transfer without notifying you even though you never do business there. Their excuse is that it was the correct username and password for the account, but they never checked the IP address that transaction came from, no matter that it originated in Russia or Romania. They also didn't check your transaction history either. So, for those who care (and even those who don't such as Linux and Mac users), here are some tips to protect yourself online.
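As an added example (not the post's own code), here are the two checks the paragraph says the bank skipped: comparing a wire request's source country and size against the account's own transaction history before acting on a valid password. The transaction fields, the 3x threshold and the sample history are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date


@dataclass
class Transaction:
    when: date
    amount: float
    kind: str       # e.g. "pos", "bill_pay", "wire_domestic", "wire_international"
    country: str    # country the session that made it came from (constructed field)


def risk_reasons(history, amount, kind, login_country):
    """Compare a new request against the account's own history and return
    a list of reasons it looks unusual (an empty list means nothing unusual)."""
    reasons = []
    seen_countries = {t.country for t in history}
    if login_country not in seen_countries:
        reasons.append(f"session from {login_country}, never seen on this account")
    seen_kinds = {t.kind for t in history}
    if kind not in seen_kinds:
        reasons.append(f"transaction type {kind!r} never used before")
    largest = max((t.amount for t in history), default=0.0)
    if amount > 3 * largest:   # assumed threshold: 3x the largest prior amount
        reasons.append(f"amount {amount:.2f} is over 3x the largest prior {largest:.2f}")
    return reasons


def decide(history, amount, kind, login_country):
    """Policy: a valid username/password is necessary but not sufficient.
    Any wire transfer with an unusual factor is held for out-of-band
    confirmation with the customer instead of being executed silently."""
    reasons = risk_reasons(history, amount, kind, login_country)
    if kind.startswith("wire") and reasons:
        return "hold_for_confirmation", reasons
    return "allow", reasons


# Constructed history: a customer who only shops and pays bills from the US.
SAMPLE_HISTORY = [
    Transaction(date(2007, 1, 3), 62.10, "pos", "US"),
    Transaction(date(2007, 1, 15), 840.00, "bill_pay", "US"),
    Transaction(date(2007, 1, 28), 119.99, "pos", "US"),
]

if __name__ == "__main__":
    # Stolen credentials used from abroad for a large overseas wire: held, three reasons.
    print(decide(SAMPLE_HISTORY, 9500.00, "wire_international", "RO"))
    # The customer's normal activity: allowed, no reasons.
    print(decide(SAMPLE_HISTORY, 45.00, "pos", "US"))
```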

1. If you have a DSL or Cable Internet service, go buy a cable/DSL router like the Linksys BEFSR41 (I am not endorsing Linksys, though I like their products). Install it between your modem and your computer. Make sure that you know your modem's IP address (In MS Windows, open a command prompt and type ipconfig /all. The gateway address will likely be your cable modem's internal IP address.) Write or copy that information down before you install the router. My ex-wife's DSL modem had the same IP address by default as the Linksys DSL router I bought her. Whoever thought that up was not very bright. If your DSL/Cable modem comes with its own built-in firewall, then lucky you.

2. Use Firefox or another third party browser instead of Internet Destroyer, er Explorer, and keep it up-to-date.

3. If you are really paranoid, go to www.vmware.com and download VMware Server for free. Install it. Then go to www.knopper.net and download the Knoppix Live CD image. You can install Knoppix from the image file through the virtual CD-ROM drive. You will need to create a 3-4 GB virtual hard disk. Once you have Knoppix installed on the virtual machine, take a snapshot of it. After creating the snapshot, surf the Internet to your heart's content from the virtual machine. If the virtual machine gets compromised, roll back to the snapshot.

4. Only use your real browser for your online banking if they require a MS Windows browser version. If your bank is dumb enough to require a Microsoft-only solution and they use Microsoft web servers, then you might want to find another bank that uses a more Web neutral solution. I am not knocking Microsoft. They have been good to me in the past, but their products are the common and easy targets for crooks. A bank that is locked in with Microsoft is over-reliant on Microsoft's security for their protection, and it means that they haven't thought the online security issues through. Chances are that they went with convenience instead of security. There's a truism in IT circles, "No one ever gets fired for buying Microsoft."

5. Use a mail service like Gmail and download any suspect attachments in the virtual machine. Google is pretty good about catching viruses as attachments, but they use a passive scanner and I have captured viruses and emailed them to friends for analysis and Gmail missed the malicious code and let it through! You can submit any attachment to a service such as VirusTotal which will scan the file with multiple antivirus engines and let you know if it's suspicious. Just because it passes VirusTotal's metascan does not mean that it isn't malware. It just means that nothing suspicious was detected.

6. If you don't believe me, read this ComputerSweden article, or visit Arbor Network's ATLAS service to see how good your ISP's security really is.

Some of you will wonder why I didn't suggest buying a wireless cable/DSL router. The reason I didn't is because you trade security for convenience. Wireless devices give one freedom and convenience, but they are easily sniffed. Anyone can eavesdrop on a wireless transmission. If you have a wireless router, take the time to lock it down unless you want people to use your cable or DSL connection as a public access point. If you have a laptop and it has sensitive information on it, look into encrypting the whole hard drive, or keep the sensitive information on a USB key. Don't check sensitive financial accounts via a publicly available wireless connection unless you know what you are doing.

Friday, February 02, 2007

I Have Failed

"It is natural for the immature to harm others. Getting angry with them is like resenting a fire for burning." Shantideva

"Anger is the most impotent of passions. It effects nothing it goes about, and hurts the one who is possessed by it more than the one against whom it is directed." Carl Sandburg

A few weeks ago, I had a flicker of anger. I had received an email that said I had submitted a "weak" ticket where I had flagged at least two severely bad security practices. When I talked to my immediate supervisor about it several days later I lost it entirely when talking to him although the outburst wasn't directed at him, but at the more senior managers. I look upon my job as protecting my company from exploitation and theft. At its heart, security is about loss prevention, IT Security doubly so. But my company isn't interested in protecting systems and assets from online theft or protecting employees from themselves, it's interested in using IT Security to increase productivity by making an example of people not complying with the Acceptable Use Policy. It doesn't matter that some of the rules aren't really enforceable as they stand currently. Employees aren't allowed to shop, view porn, or use company computers to listen to music while at work, but the proxy servers which should be blocking access to these sites aren't. Then there's the question of buying a book related to your job at Amazon.com when you are at work. Is that within the AUP? As for porn, well, sex is hardwired into people's brains. You might as well ask people to stop breathing. If porn went away, Internet commerce would wither and practically die, it's that profitable an industry. And it doesn't have to be a porn site, dating sites with "Intimate" sections exist.

So, management has decreed that we monitor Internet usage throughout the company and submit "sexy" tickets, cases where the violator is doing something very bad, such as viewing adult material, shopping for firearms, etc. The problem here is that we will have a few false positives, especially with firearms. This is a hunting state. You can drive 50 miles in any direction and likely find a place to hunt. I was hoping that we'd be allowed to submit tickets showing weaknesses in our security, but that is not to be. It doesn't even matter that someone who's smart can circumvent our surveillance just by using Terminal Services and surf from his home system remotely from work provided the network lets him. The system we use can't decrypt encrypted traffic. It will only catch "low-hanging fruit". The people who will do the most harm it will not catch. Don't even ask about child porn. There's a Catch-22 there. If we see images of child porn while investigating a violator, technically we are violating the law as well and can be arrested. Our management is "working" on that procedure.

But I have failed - spiritually and in my duty to protect the company. I lost my temper when I discovered that even though I followed guidelines and procedure and did the right thing, it wasn't what management wanted. What really angered me is that they are changing what they want from us again. They want stories, a nice written analysis with pictures of what we find, kind of like an intelligence write-up or dossier, or the kind of research report a private investigator might write for a client. But we aren't given any useful training on discerning a real from a false case. We are supposed to "know" what management wants as vague as that is. They want dirt. They want scandal. They want sex. Meanwhile, you can steal our billing software code from our development group, steal trade secrets, and whatnot probably without anyone noticing because we are too busy looking at employees' surfing habits instead of doing what we were hired to do.
