Saturday, February 17, 2007
Do you see where I'm going with this? Spammers, or people who sell email address lists to spammers, are using dating sites to gather legitimate email addresses. It's simple, it's free, it's self-verifying, and there's no way to get caught unless they monitor your usage. Chances are they'll keep you on because they want to impress people with the number of subscribers to their dating site. I've seen the same woman's picture on three different profiles on one site, two in the U.S. (different states) and one in Europe.
Now, let's take it up a notch. What if the entire dating site is one big honeypot, completely illegitimate? I've pretty much found one that's based in Belgium. Google "sex personals and beyond" for the curious. It appears to be completely fraudulent. The ratio of men to women is greater than 5:1, and I'm guessing 90% of the paying women subscribers are phony, and that's probably an overly generous assessment. It's the perfect online honeypot. It lures male subscribers with promises of romance and sex. They try to keep them hooked with one-liner email replies from fictional "paying" female subscribers. There are many, many more free female subscribers than paying ones. Most of them appear to be fictional constructs used for gathering email addresses.
The problem is that what I've just described isn't unusual behavior any more for any dating site. It probably comes down to degrees, from mostly legitimate to thoroughly illegitimate. No dating site is transparent, due to privacy issues (stalkers), and they are all the perfect cover for scam artists and email address harvesters. The only people who could tell us have no economic or business incentive to disclose how many of their clients or subscribers are real people looking for romance or a date. So you could describe any of the worst-offending dating web sites as a third variant of honeypot, or as a money scam and email address trap at best.
Wednesday, February 14, 2007
Saturday, February 10, 2007
Helpful Tips to Protect Yourself Online
1. If you have DSL or cable Internet service, buy a cable/DSL router such as the Linksys BEFSR41 (I am not endorsing Linksys, though I like their products) and install it between your modem and your computer. Before you install it, find out your modem's IP address: in MS Windows, open a command prompt and type ipconfig /all. The "Default Gateway" shown will most likely be your cable modem's internal IP address. Write or copy that information down before you install the router. My ex-wife's DSL modem had the same default IP address as the Linksys DSL router I bought her. Whoever thought that up was not very bright. A router cannot route between its WAN and LAN sides when both sit on the same subnet, so if your modem and router share a default address, change the router's LAN address to a different private subnet (192.168.2.1 instead of 192.168.1.1, for example) before you plug it in. If your DSL/cable modem comes with its own built-in firewall, then lucky you.
2. Use Firefox or another third party browser instead of Internet Destroyer, er Explorer, and keep it up-to-date.
3. If you are really paranoid, go to www.vmware.com and download VMware Server for free. Install it. Then go to www.knopper.net and download the Knoppix Live CD image. You can install Knoppix from the image file through the virtual machine's virtual CD-ROM drive. You will need to create a 3-4 GB virtual hard disk. Once you have Knoppix installed on the virtual machine, take a snapshot of it. After creating the snapshot, surf the Internet to your heart's content from the virtual machine. If the virtual machine gets compromised, roll back to the snapshot. Keep in mind that rolling back only discards what happened inside the VM; any password you typed into a compromised VM is already in the attacker's hands and has to be changed.
4. Only use your real browser for your online banking if the bank requires an MS Windows browser version. If your bank is dumb enough to require a Microsoft-only solution and uses Microsoft web servers, then you might want to find another bank that uses a more Web-neutral solution. I am not knocking Microsoft. They have been good to me in the past, but their products are the common and easy targets for crooks. A bank that is locked in with Microsoft is over-reliant on Microsoft's security for its protection, which means it hasn't thought the online security issues through. Chances are it went with convenience instead of security. There's a truism in IT circles: "No one ever gets fired for buying Microsoft."
5. Use a mail service like Gmail and download any suspect attachments only in the virtual machine. Google is pretty good about catching viruses as attachments, but they use a passive scanner, and I have captured viruses and emailed them to friends for analysis and Gmail missed the malicious code and let it through! You can submit any attachment to a service such as VirusTotal, which scans the file with multiple antivirus engines and tells you whether any of them flagged it. A clean VirusTotal result does not mean the file isn't malware. It only means that none of the engines detected anything at the time you submitted it, which freshly written malware often manages.
6. If you don't believe me, read this ComputerSweden article, or visit Arbor Networks' ATLAS service to see how good your ISP's security really is.
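The gateway check in tip 1, worked through as an added example (my code, not the original post's): it parses a constructed copy of `ipconfig /all` output and tells you whether a router's default LAN subnet would collide with the subnet the modem already uses. The router default 192.168.1.1/24 and the alternative candidate subnets are assumptions for illustration; take the real defaults from your router's manual.

```python
"""Added example, not code from the original post.

Tip 1 says to run `ipconfig /all` and note the modem's gateway address before
putting a router in front of the PC.  This script parses a constructed copy
of that output and checks whether the router's default LAN subnet collides
with the subnet the modem already uses.  The router LAN address 192.168.1.1/24
and the alternative candidates below are assumptions for illustration; take
the real defaults from your router's manual.
"""
import ipaddress
import re

# Constructed sample of `ipconfig /all` output, taken on the PC while it is
# still plugged straight into the modem.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : home
   IP Address. . . . . . . . . . . . : 192.168.1.33
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
"""

# Matches the three lines we need; newer Windows versions print "IPv4 Address".
FIELD_RE = re.compile(
    r"^\s*(IP Address|IPv4 Address|Subnet Mask|Default Gateway)[ .]*:\s*([\d.]+)",
    re.MULTILINE,
)
FIELD_KEYS = {"IP Address": "ip", "IPv4 Address": "ip",
              "Subnet Mask": "mask", "Default Gateway": "gateway"}


def parse_ipconfig(text):
    """Return {'ip', 'mask', 'gateway'} for the first adapter that has them."""
    found = {}
    for name, value in FIELD_RE.findall(text):
        found.setdefault(FIELD_KEYS[name], value)
    return found


def modem_network(info):
    """The subnet the modem serves, derived from the PC's address and mask."""
    return ipaddress.IPv4Network(f"{info['ip']}/{info['mask']}", strict=False)


def router_conflict(info, router_lan="192.168.1.1/24"):
    """True when the router's LAN subnet overlaps the modem's subnet.

    The router's WAN port will be given an address from the modem's subnet;
    if its LAN side uses the same subnet, it has two interfaces on one network
    and cannot route between them.
    """
    lan = ipaddress.IPv4Network(router_lan, strict=False)
    return lan.overlaps(modem_network(info))


def suggest_router_lan(info, candidates=("192.168.1.1/24", "192.168.2.1/24", "10.0.0.1/24")):
    """First candidate LAN subnet that does not overlap the modem's subnet."""
    modem = modem_network(info)
    for cand in candidates:
        if not ipaddress.IPv4Network(cand, strict=False).overlaps(modem):
            return cand
    return None


if __name__ == "__main__":
    info = parse_ipconfig(SAMPLE_IPCONFIG)
    print(f"modem gateway {info['gateway']} on {modem_network(info)}")
    if router_conflict(info):
        print(f"conflict with router default; use {suggest_router_lan(info)} instead")
    else:
        print("no conflict; router default LAN subnet is fine")
```

On a real machine, replace `SAMPLE_IPCONFIG` with the saved output of `ipconfig /all`; the check is the same whether the modem hands out 192.168.1.x, 192.168.0.x or something else.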
Some of you will wonder why I didn't suggest buying a wireless cable/DSL router. The reason is that you trade security for convenience. Wireless devices give you freedom and convenience, but they are easily sniffed: anyone within range can eavesdrop on a wireless transmission. If you have a wireless router, take the time to lock it down (WPA2 with a strong passphrase; WEP is broken and is no better than leaving it open) unless you want people to use your cable or DSL connection as a public access point. If you have a laptop and it has sensitive information on it, look into encrypting the whole hard drive, or keep the sensitive information on a USB key. Don't check sensitive financial accounts via a publicly available wireless connection unless you know what you are doing.
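The attachment handling in tip 5, as an added example (my code, not the original post's): before a suspect attachment is opened, even in the VM, compute its SHA-256 so it can be searched for on VirusTotal without uploading it, and compare the claimed extension with the file's leading bytes, since a ".pdf" that begins with the Windows PE header "MZ" is a renamed program. The sample attachments are constructed here and are not real malware; the extension and magic-byte tables are deliberately short and are assumptions of this example, not anything from the post.

```python
"""Added example, not code from the original post.

Tip 5 says to detach suspect e-mail attachments only inside the throwaway VM
and to submit them to VirusTotal.  This script does the two checks a
practitioner runs before that: it computes the SHA-256 (VirusTotal can be
searched by hash, so a file already seen there need not be uploaded), and it
compares the claimed extension with the file's leading bytes, because a
".pdf" that begins with the PE header "MZ" is a renamed Windows program.  The
sample attachments are constructed here and are not real malware; the
extension and magic-byte tables are deliberately short.
"""
import hashlib

# Leading bytes of common attachment formats, checked in order.
MAGIC = [
    (b"MZ", "exe"),                 # Windows PE executable (.exe/.scr/.dll...)
    (b"%PDF", "pdf"),
    (b"PK\x03\x04", "zip"),         # also .docx/.xlsx/.jar containers
    (b"\xd0\xcf\x11\xe0", "ole"),   # legacy .doc/.xls
    (b"\xff\xd8\xff", "jpg"),
    (b"\x89PNG", "png"),
]
# What content each extension should carry.
EXT_KIND = {"exe": "exe", "scr": "exe", "pif": "exe", "com": "exe", "dll": "exe",
            "pdf": "pdf", "zip": "zip", "docx": "zip", "xlsx": "zip", "jar": "zip",
            "doc": "ole", "xls": "ole", "jpg": "jpg", "jpeg": "jpg", "png": "png"}
# Extensions Windows will execute directly when double-clicked.
EXEC_EXT = {"exe", "scr", "pif", "com", "dll", "bat", "cmd", "vbs", "js", "hta"}


def sha256_hex(data):
    """Hash to search for on VirusTotal before uploading anything."""
    return hashlib.sha256(data).hexdigest()


def detect_kind(data):
    """Classify content by its first bytes; 'unknown' if no table entry matches."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def triage(filename, data):
    """Return {'sha256', 'kind', 'reasons', 'suspect'} for one attachment."""
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    kind = detect_kind(data)
    reasons = []
    if ext in EXEC_EXT:
        reasons.append(f"directly executable extension .{ext}")
    # photo.jpg.exe: a harmless-looking extension hidden before an executable one
    if len(parts) > 2 and parts[-2] in EXT_KIND and ext in EXEC_EXT:
        reasons.append("double extension")
    expected = EXT_KIND.get(ext)
    if expected and kind != "unknown" and kind != expected:
        reasons.append(f"claims .{ext} but content looks like {kind}")
    return {"sha256": sha256_hex(data), "kind": kind,
            "reasons": reasons, "suspect": bool(reasons)}


# Constructed sample attachments (the PE one is just a header; it does nothing).
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00"
SAMPLES = {
    "invoice.pdf": FAKE_PE,                              # renamed executable
    "photo.jpg.exe": FAKE_PE,                            # double extension
    "report.docx": b"PK\x03\x04" + b"\x00" * 26,         # real zip container
    "statement.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",   # looks like a PDF
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        r = triage(name, data)
        flag = "SUSPECT" if r["suspect"] else "no red flags"
        print(f"{name:16} {r['sha256'][:16]}... {flag}: {'; '.join(r['reasons'])}")
```

"No red flags" here is a weak statement in the same way a clean VirusTotal scan is: a genuine PDF or Office document can still carry an exploit, so the hash still goes to VirusTotal and the file still gets opened only in the snapshotted VM.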
Friday, February 02, 2007
I Have Failed
"Anger is the most impotent of passions. It effects nothing it goes about, and hurts the one who is possessed by it more than the one against whom it is directed." Carl Sandburg
A few weeks ago, I had a flicker of anger. I had received an email that said I had submitted a "weak" ticket, one in which I had flagged at least two severely bad security practices. When I talked to my immediate supervisor about it several days later, I lost it entirely, although the outburst wasn't directed at him but at the more senior managers. I look upon my job as protecting my company from exploitation and theft. At its heart, security is about loss prevention, IT security doubly so. But my company isn't interested in protecting systems and assets from online theft or protecting employees from themselves; it's interested in using IT Security to increase productivity by making an example of people not complying with the Acceptable Use Policy. It doesn't matter that some of the rules aren't really enforceable as they stand currently. Employees aren't allowed to shop, view porn, or use company computers to listen to music while at work, but the proxy servers which should be blocking access to these sites aren't. Then there's the question of buying a book related to your job at Amazon.com when you are at work. Is that within the AUP? As for porn, well, sex is hardwired into people's brains. You might as well ask people to stop breathing. If porn went away, Internet commerce would wither and practically die; it's that profitable an industry. And it doesn't have to be a porn site: dating sites with "Intimate" sections exist.
So, management has decreed that we monitor Internet usage throughout the company and submit "sexy" tickets, cases where the violator is doing something very bad, such as viewing adult material, shopping for firearms, etc. The problem here is that we will have a few false positives, especially with firearms. This is a hunting state. You can drive 50 miles in any direction and likely find a place to hunt. I was hoping that we'd be allowed to submit tickets showing weaknesses in our security, but that is not to be. It doesn't even matter that someone who's smart can circumvent our surveillance just by using Terminal Services to surf from his home system remotely while at work, provided the network lets him. The system we use can't decrypt encrypted traffic. It will only catch "low-hanging fruit". The people who will do the most harm it will not catch. Don't even ask about child porn. There's a Catch-22 there. If we see images of child porn while investigating a violator, technically we are violating the law as well and can be arrested. Our management is "working" on that procedure.
But I have failed, spiritually and in my duty to protect the company. I lost my temper when I discovered that even though I followed guidelines and procedure and did the right thing, it wasn't what management wanted. What really angered me is that they are changing what they want from us again. They want stories: a nice written analysis with pictures of what we find, kind of like an intelligence write-up or dossier, or the kind of research report a private investigator might write for a client. But we aren't given any useful training on discerning a real case from a false one. We are supposed to "know" what management wants, as vague as that is. They want dirt. They want scandal. They want sex. Meanwhile, you can steal our billing software code from our development group, steal trade secrets, and whatnot, probably without anyone noticing, because we are too busy looking at employees' surfing habits instead of doing what we were hired to do.