Category Archives: Prevention

MySpace Anti-Phishing

Shing Yin Khor of Fox Interactive Media, which owns MySpace, gave an entertaining talk at APWG in which she gave a good case that MySpace has mostly eliminated phishing ads on MySpace and is busily suppressing other phishing.
Throwing money at the issue of phishing actually works.
MySpace’s anti-phishing forces include former law enforcement people, including a former federal and state prosecutor, a former L.A. D.A., and a former FBI agent. They have successfully sued spam king Scott “ringtones” Richter and his CPA empire.

MySpace does have an advantage in actually hosting all displays and messages. It’s good to be a many-hundred-million shopping mall. She didn’t say that; I did. She did say they use MySpace specific measures such as education via Tom’s profile. Tom was one of the founders of MySpace. Every new user gets Tom as a friend, so his online persona (pictured) has 240 million friends, so that’s a channel that reaches most of their users. She did say:

Education is just as important as technical measures.
What works on MySpace will work on other social network sites.

But Shing’s theme of pro-active measures against phishing and spam is one other organizations could take to heart. Don’t think you can do nothing: you can.

Of course, if you have fewer than 200 million users, you may want to band together with other organizations, for example by joining APWG. Even MySpace does.

Class Action Coming for Identity Theft?

zerodaythreat.jpg It wouldn’t be a moment too soon:
I painfully predicted a few years back that phishing and related identity theft would result in class action suits. I lost my bet as it didn’t happen fast enough, but a significant step has been taken (reported by Lynn) with the publication of a book that apparently blames the banks and the software manufacturers for identity theft.

Signs of Liability: ‘Zero Day Threat’ blames IT and Security industry, Ian Grigg, Financial Cryptography, April 14, 2008

The book review iang quotes gets it about online crime not being amateur anymore: it’s organized. And it gets it about perhaps a more important point: Continue reading

Phishing Verified

jeremy_clarkson.jpg Or is it really phishing when the victim first broadcasts his bank account details?
BTop Gear presenter Jeremy Clarkson has admitted he was wrong to brand the scandal of lost CDs containing the personal data of millions of Britons a “storm in a teacup” after falling victim to an internet scam.

The outspoken star printed his bank details in a newspaper to try and make the point that his money would be safe and that the spectre of identity theft was a sham.

He also gave instructions on how to find his address on the electoral roll and details about the car he drives.

However, in a rare moment of humility Clarkson has now revealed the stunt backfired and his details were used to set up a £500 direct debit payable from his account to the British Diabetic Association.

The charity is one of many organisations that do not need a signature to set up a direct debit.

Clarkson stung by fraud stunt, Guardian Unlimited, Monday January 7 2008

He admits he was wrong, but nonetheless tries to pin the blame partly on a privacy law:
“The bank cannot find out who did this because of the Data Protection Act and they cannot stop it from happening again,” he said. “I was wrong and I have been punished for my mistake.”
At least he doesn’t call for revoking that Act; he does call for going after the perpetrators.

-jsq

PS: Seen on BoingBoing.

The Flaming Black Swan of Hinckley

suicideexpress.jpg They didn’t see it coming, because they were looking the other way:

Speaking of wildfires, my book of the day is Under a Flaming Sky: The Great Hinckley Firestorm of 1894. It is the sharply written story of a how a Minnesota town of 1,200 was devastated by a catastrophic firestorm that came raging out of the nearby woods with tornado-class winds and a 300-foot wall of fire, killing 436 people.

Book du Jour: Under a Flaming Sky, Paul Kedrosky, Infectuous Greed, October 3, 2007

Wikipedia says it burned 200,000 acres and some sources say 800 people died. Some people who lived jumped into wells or ponds or the river, or caught one of two trains that made it out of town.

So what was it that burned?

Continue reading

APWG in Pittsburgh and Fraud in Japan

gm2007logo.jpg The Anti-Phishing Working Group is having one of its periodic member meetings, this time in Pittsburgh. Probably I shouldn’t report too much detail, but I’ll say that interesting things are going on worldwide that may spread to other countries. For example, in Japan it seems that fake programming sites are more popular than phishing. Also, if I heard correctly, most phishing in the Japanese language originates from phishers in Japan. This would make sense, since it’s very hard for foreigners to write well enough to pretend to be Japanese. So that one probably won’t spread too widely, but the fake programming scam could.

My favorite is the history attack. World War II ended on 15 August 1945 in Japan, so a timeline of that war can get a lot of hits on a war’s end link in August of any year. Who would have known history could be so popular?

Meanwhile, during Carnival in Brazil, nobody reports malware, so there’s a dip in measurements…. Then and the rest of the year, sophisticated personalized social engineering attacks seem to be popular in Brazil.

-jsq

Count ‘Em All By Hand

ButchHancock.gif I admire Matt Blaze, and I only hope he was being sarcastic in the entire post in which, after pointing out that California just decertified three major voting machine manufacturors due to massive security problems, he wrote:
How to build secure systems out of insecure components is a tough problem in general, but of huge practical importance here, since we can’t exactly stop holding elections until the technology is ready.

The best defense: Ad hominem security engineering. Matt Blaze, Exhaustive Search, 6 August 2007

Well, yes, yes we can. Continue reading

ROI v. NPV v. Risk Management

southwestcfo.jpg There’s been some comment discussion in about security ROI. Ken Belva’s point is that you can have a security ROI, to which I have agreed (twice). Iang says he’s already addressed this topic, in a blog entry in which he points out that
Calculating ROI is wrong, it should be NPV. If you are not using NPV then you’re out of court, because so much of security investment is future-oriented.

ROI: security people counting with fingers? Iang, Financial Cryptography, July 20, 2007

Iang’s entry also says that we can’t even really do Net Present Value (NPV) because we have no way to calculate or predict actual costs with any accuracy. He also says that security people need to learn about business, which I’ve also been harping on. I bet if many security people knew what NPV was, they’d be claiming they had it as much as they’re claiming they have ROI. Continue reading

Punching Hornets

napoleoninrussia.jpg What do science fiction writer William Gibson, global guerrilla theorist John Robb, libertarian Republican presidential candidate Ron Paul, and the late historian David Halberstam agree about?
Still, it is hard for me to believe that anyone who knew anything about Vietnam, or for that matter the Algerian war, which directly followed Indochina for the French, couldn’t see that going into Iraq was, in effect, punching our fist into the largest hornet’s nest in the world.

The Late Halberstam’s Final Verdict on Bush: “He’s No Truman”, by Adam Howard, alternet.org, 5:38 AM on July 5, 2007.

One could add Napoleon in Russia and the British in America. Funny how fighting in Russia in the winter wasn’t like Italy in the summer. Continue reading

Wildfire Myopia

smoke.gif It looks like technological security isn’t the only kind disorganized in government. The latest GAO report about wildfires seems like more smoke than fire:

This testimony summarizes several key actions that federal agencies need to complete or take to strengthen their management of the wildland fire program, including the need to (1) develop a long-term, cohesive strategy to reduce fuels and address wildland fire problems and (2) improve the management of their efforts to contain the costs of preparing for and responding to wildland fires.

For cost-containment efforts to be effective, the agencies need to integrate cost-containment goals with the other goals of the wildland fire program–such as protecting life, resources, and property–and to recognize that trade-offs will be needed to meet desired goals within the context of fiscal constraints.

Wildland Fire Management: A Cohesive Strategy and Clear Cost-Containment Goals Are Needed for Federal Agencies to Manage Wildland Fire Activities Effectively, GAO-07-1017T, U.S. General Accounting Office, June 19, 2007

How about a strategy for integrating wildfire planning into subdivision planning, or cost allocations from homeowner wildfire insurance?

Continue reading

Smashing Hornets

wasp nest on window Fox News discovers hammering wasps:

If you get stung by a hornet, it makes sense to see if there’s a hornets’ nest near your home and, if there is, to exterminate it. It doesn’t make sense to forge out looking for hornets’ nests anywhere you can find them, smacking them with sticks. You’re bound to get stung again.

Straight Talk: Paul Has a Point, By Radley Balko, FOXNEWS.COM, Monday, May 21, 2007

Well, in an online op-ed, at least.

Continue reading