PayPal phishing - again

PayPal is a great tool for many of us, and like all great tools it becomes a target for criminals. Since it is usually much easier to fool a person than a fully security-enabled tool, phishing attempts are everywhere.

And, unsurprisingly, I am not spared. This is the one I got today:

Dear Kai Roer ,

PayPal Resolution Center: Your account is limited.

Why is my account access limited?
As part of our security measures, we regularly screen activity in the PayPal system. During a recent screening, we noticed an issue regarding your account:
Our system detected unusual number of invalid logging attempts on you account from these Blacklist ip address. (Your case ID for this reason is PP-0041310.)

How can I restore my account access?
For your protection, we have limited access to your account until additional security measures can be completed. We apologize for any inconvenience this may cause. In order to assist us with this security measure, we ask that you send us a photocopy or scan of one document from each of the three categories listed below and return them via email to security@paypalfraudcheck.com

- A clear copy of your Passport, Photographic Drivers Licence or I.D. Card (both sides).
- A clear copy of both sides of the credit/debit card on your paypal profile.
- A clear copy of a recent bank statement or utility bill on which your name and address are clearly visible - less than 3 months old.

Completing all of the checklist items will automatically restore your account access

Thank you for using PayPal!
The PayPal an eBay Company

And as you can see, the e-mail is well written and seems quite believable. At least it does to me. Except when they want me to send a full copy of my passport, and a bank statement! Hello! Wait a second. There is no reason why PayPal would want - or even need - that.

So, I decide to visit PayPal just to make sure. I type (yes, type) the address into my browser, and log in. Sure enough, nothing is wrong.

Next, I visit PayPal's security center and forward them the e-mail I got. The good thing about PayPal is that they do take these things seriously: I received an answer only a few hours after I sent it (and this was during working hours in Europe!).

Their answer is:

Dear Kai Roer,
Thanks for taking an active role by reporting suspicious-looking emails.
The email you forwarded to us is a phishing email, and our security team is working to disable it.
**************************
What is a phishing email?
**************************
Phishing emails attempt to steal your identity and will often ask you to reveal your password or other personal or financial information. PayPal will never ask you for your password over the phone or in an email and will always address you by your first and last name.
Take our Fight Phishing Challenge at https://www.paypal.com/fightphishing to learn five things you should know about phishing. You'll also see what we're doing to help fight fraud every day.
***************************
You've made a difference
***************************
Every email counts. By forwarding a suspicious-looking email to spoof@paypal.com, you've helped keep yourself and others safe from identity theft.
Thanks,
The PayPal Team


I suggest you keep an eye out for phishing attempts against your PayPal account. Take the PayPal Fight Phishing Challenge. And stay alert at all times. These things get more realistic every day, and you need to check before you click on or answer such emails.
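The checks I went through by hand above (who the mail really wants you to reply to, whether it links anywhere outside the real domain, whether it asks for documents or passwords a provider never asks for, and whether it pressures you to act now) can be written down as simple heuristics. The script below is an added example, not code from this post or from PayPal: both sample messages are constructed (the first is my reconstruction of the mail quoted above; its headers were not shown, so the From line is made up), and the TRUSTED_DOMAINS set is an assumption for illustration.

```python
"""Heuristics for the phishing indicators discussed in the post (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAINS = {"paypal.com"}  # assumption: the domains a genuine mail would use

# A provider never asks for these by e-mail (the post's key observation).
SENSITIVE_REQUESTS = [
    r"\bpassword\b", r"\bpassport\b", r"\bdrivers? licen[cs]e\b",
    r"\b(?:credit|debit) card\b", r"\bbank statement\b", r"\butility bill\b",
]
URGENCY = [r"\blimited\b", r"\bsuspend\w*", r"\bimmediately\b", r"\bverify\b"]
GENERIC_GREETING = re.compile(r"^\s*dear\s+(?:customer|user|member|client)\b", re.I)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)


def registrable(domain: str) -> str:
    """Crude registrable-domain approximation: the last two labels."""
    return ".".join(domain.lower().strip(".").split(".")[-2:])


def is_trusted(domain: str) -> bool:
    return registrable(domain) in TRUSTED_DOMAINS


def host_of_url(url: str) -> str:
    return re.sub(r"^https?://", "", url, flags=re.I).split("/")[0].split(":")[0]


def analyse(raw: str) -> dict:
    """Return the indicators found in one RFC 822 text message plus a verdict."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    untrusted = []

    # 1. Header domains: From, Reply-To and Return-Path should all be trusted.
    for header in ("From", "Reply-To", "Return-Path"):
        addr = parseaddr(msg.get(header, ""))[1]
        if addr and not is_trusted(addr.rsplit("@", 1)[-1]):
            untrusted.append(f"{header}: {addr.rsplit('@', 1)[-1].lower()}")

    # 2. Where the body sends you: reply addresses and link hosts.
    for addr in sorted(set(EMAIL_RE.findall(body))):
        if not is_trusted(addr.rsplit("@", 1)[-1]):
            untrusted.append(f"body address: {addr.rsplit('@', 1)[-1].lower()}")
    for url in sorted(set(URL_RE.findall(body))):
        if not is_trusted(host_of_url(url)):
            untrusted.append(f"body link: {host_of_url(url).lower()}")

    # 3. Requests for documents or secrets, and pressure to act now.
    sensitive = [m.group(0).lower() for p in SENSITIVE_REQUESTS
                 if (m := re.search(p, body, re.I))]
    urgency = [m.group(0).lower() for p in URGENCY
               if (m := re.search(p, body, re.I))]

    # 4. A real notification addresses you by name, not "Dear Customer".
    generic_greeting = bool(GENERIC_GREETING.match(body.lstrip()))

    suspicious = bool(untrusted or sensitive or generic_greeting)
    return {
        "untrusted_domains": untrusted,
        "sensitive_requests": sensitive,
        "urgency": urgency,
        "generic_greeting": generic_greeting,
        "verdict": "suspicious" if suspicious else "no indicators found",
    }


# Constructed sample: reconstruction of the mail quoted in the post (From line made up).
PHISH = """\
From: "PayPal" <service@paypal.com>
Reply-To: security@paypalfraudcheck.com
Subject: Your account is limited

Dear Kai Roer ,

PayPal Resolution Center: Your account is limited.
Our system detected unusual number of invalid logging attempts on you account.
We ask that you send us a photocopy or scan of one document from each category:
- A clear copy of your Passport, Photographic Drivers Licence or I.D. Card.
- A clear copy of both sides of the credit/debit card on your paypal profile.
- A clear copy of a recent bank statement or utility bill.
Return them via email to security@paypalfraudcheck.com
"""

# Constructed sample: what a plausible genuine notification looks like.
LEGIT = """\
From: "PayPal" <service@paypal.com>
Subject: Your monthly statement is ready

Dear Kai Roer,

Your October statement is available. Log in at https://www.paypal.com/ to view it.
"""

if __name__ == "__main__":
    for name, sample in (("phish", PHISH), ("legit", LEGIT)):
        print(name, analyse(sample))
```

Note that a matching display name or a spoofed From address passes check 1 on its own; it is the Reply-To and the address in the body, the documents requested, and the "limited account" pressure that together give the mail away, which is exactly why no single indicator should be trusted alone.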


What are your experiences with phishing? What did you do? How did you discover it?


Security Bloggers Network - on the move!

I got this e-mail from Alan Shimel today, explaining changes to the Security Bloggers Network feed that I am part of:

Hi SBN Bloggers:

As most of you probably know, Feedburner has been transitioning their platform over to the Google platform for some time. As part of this transition, as of today, they are not going to be continuing the networks feature anymore. I have known this for some time, but as it was not public knowledge, I have been working on a solution. My friends at Feedburner will keep the spliced feed on a separate server for us, but adding new members and stats would not be possible.

I have been working on an alternative for this for some time now. I have another company that worked with Feedburner that can host and aggregate the feed for us, provide better stats, as well as some other cool stuff. Nothing would change with your feed -- you may only need to change your blog badge. I will have more info in a few days, as well as disclosing the name of the company we are speaking to. Will keep you all posted.

Rest assured that I will not let all of the great things we have done with the SBN go to waste.

I will be in touch!
 
Thanks,
alan


I have been a member of this blogging network for quite some time now, and I have met some other great bloggers out there. I have also reached new readers and created some stir from time to time.

I am very happy to see Alan putting in the time and effort to keep this network alive! I think it is a great resource for many people.

(Since the new location is not yet ready, there will be no link...)

Welcoming Stepstone IT CEO Blog

Yes, I admit it. I am addicted to myself. Or at least to my blogs, and to sites linking to me. So when someone links to me, I usually get a notice (using Snarfer), and I usually take a look (unless I know the source to be one of the harvesting sites out there).

No change this morning, so I head out into the blogosphere enjoying the attention I get. Yes, I like attention. You had not noticed, had you?

And sure enough, a link back to my blog showed up. This time the link comes from the Stepstone IT CEO Blog, which seems to be fairly new. Not only does Nauman Kuraishi link to my post on WiFi security in his first post - something I enjoy very much on its own.

He goes beyond that. He mentions my post in the same sentence as he links to Wired and the BBC. And he says these sites offer some:

"... interesting information on the state of wireless security ..."

I am bewildered. I am honored. And I am very happy.

On a sidenote, this happens the same week as I am introduced as the Information Security GURU (!!!!!) at the Norwegian school of Management (BI). What a week!

Cleaning out the closet

Yes, I am an Eminem fan. I will meet him someday, and tell him that I think he has done a great job!


My closet cleaning is not of that kind, however; I am working my way through my RSS feeds. And one of the things that is backlogged is the opportunity to give you - yes, YOU - a full pass to the CSI 2008 conference, taking place in DC (I guess that means Washington DC for us Other People).

But - to get the FREE pass, you need to help me clean the closet. I would like you to help me find the worst post on my blog. Bring it out into the light, and post your comment below. I will choose one of the posters (that is you) as the winner on Wednesday 12 November. Yes, it is short notice. But if you plan to go, or are in the area anyway, this is a great saving.

The rest of you will get a 25% discount.

So - bring out your vacuum cleaners and help me find the worst post on my blog!

Go on! I will not bite you!


Eugene Kaspersky explains cybercriminality

This post over at Secure Computing is a must-read if you want to understand more about how cyber criminals work and make money.

The article is very well written and easy to understand!

Be careful of the other people!

Joe Webster had a lovely post today! In his own words:

That’s right. The other people. But here’s the bad news, pilgrim. Frank Zappa had it exactly right - we are the other people and you’re the other people too.


I think you are spot on, Joe!

ALERT: Twitter makes it easy to impersonate

Impersonation has a long tradition - just look at comedians, actors, crooks and intelligence workers. Impersonation used to require special skills, sometimes even special looks, and the risk could be very high. Well, maybe not for the comedian, who would most likely only risk not getting the laughs, and some embarrassment.

Imagine a crook impersonating you. He enters the bank and tries to lift some cash from your account. Unless he is convincing, with the right looks and saying the right things, he will not succeed. What is more, he risks not being allowed to leave the bank, and being jailed.

Today things are different. New technologies always create new opportunities. Not only for you, but also for the opportunist. You can see that in social media today, as you could see it in every technology in the past. Consider these examples:

  • Using a car to run from a heist (a robbery to the rest of us) – imagine the opportunity cars gave crooks when the police only had horses. On the downside, only a few people had cars then, and you did need fuel and other supplies.
  • Phone line hacking (phreaking): using blue boxes to avoid getting a phone bill. With the growth of electronic switchboards came the tools to exploit them. Very low risk, easy to use (if you knew your way around electronics) and free.
  • Weapons technologies – just consider what happened when gunpowder was developed. It turned the world upside down.

Today (2008), social media is under attack. And Twitter is one of many tools used. Why? It requires very little skill – if you can turn on a computer and surf the net, you have the skills necessary to exploit social media.

Take this example with Sarah Silverman. Anyone could do that. All you need is an email address to sign up with, and as we know, email addresses are freely available.

And as before, we need to understand the technology from all sides in order to protect and manage it.


Take the cars above. When the police did not have cars, the crooks had the better position. Then the police started to use cars, and the crooks added stronger engines and better drivers. The police had to do the same. At some point they reach maturity, and the technology acts as an equalizer instead of the differentiator it was initially.

The same goes for the phreaking example above. The phone companies needed to replace the expensive and slow service that the manual switchboards were (I know, the operators usually were extremely quick… but they still were not able to compete with automatic switchboards). In came the automatic switchboards, using electronic switches. Sure enough, smart engineers understood the technology, and were able to exploit it simply by building a device that sends the right kind of signals to the switchboard, thus tricking it into setting up phone calls without charging the exploiter.

As the exploits grew in popularity, the phone companies engaged in a battle that is still taking place. In parallel, the commercialization of the Internet began. And the Internet created new possibilities to exploit.

Let’s get back to 2008.


I continue to see people advise others to take control of their internet presence by registering on this site and that site. I do not think that is the right strategy for protecting your online (and to some extent offline) ID and credibility.

If I were to register my name on every tool, website and social media site on the Internet, I would spend all my time doing so. That is just not feasible. And it would be plain stupid. Because by spending all my time registering and monitoring these options, I would not have time to do my job and live my life. And if I cannot live my life, why should I protect it?

Another point is that by registering on every site available – or even just a selected few – I would make myself so much more available to be exploited. Imagine this scenario: you get an invitation from someone you know to join a network/site/tool you have never heard about. You join, and by doing so you give away personal information to someone you do not yet know whether you can trust. And believe me, these invitations have been around for a while, and more will turn up.

Personally, I have selected a few sites I have registered on. And yes, I do consider a few others from time to time. I am considering Twitter, for one, at the moment. But one thing that has changed since I first experienced the Internet commercially in 1994 is that I no longer strive to be a first mover.

With the increased risk of getting harvested, I am now very careful with the tools and sites I adopt and use. Not only because I am worried about someone stealing my info, but also because I now maintain a profile that people trust. I do not want to ruin that if I can help it.

Thus, today I follow these rules:


  • Never be the first to register (unless it is for testing purposes, to help a few selected contacts).
  • Never invite others to join (unlike a few years ago, when I helped spread the word about Plaxo, LinkedIn, Xing and others).
  • Never accept the first invitation (if only one or a few of my contacts use it, it is unlikely to add value to me. When momentum is created – i.e. when more than only a few contacts use the tool – I will take a look and consider it for adoption. But not before).
  • Make up your own mind (as in not letting everyone else tell you where you need to have a profile, what you should do, and how you should do it).
  • Be responsible (as in accept the risk, and take your precautions).

What are your rules for using social media? Do you have any? Do you care? Which sites do you consider a must? Which sites do you avoid? Why?

I have been recognized as one of very few!!

The other day, I received an email claiming I had been selected for inclusion in a very exclusive directory called Emeralds Who’s Who. My immediate reaction was to send it to junk. Then my eyes caught a glimpse of Roer.com – the brand name of my company.

The company was established in Norway back in 1994, and I also brought it with me when I lived in France for several years during the dot-com period. Thus, the email was able to get under my guard simply by putting my company name and France into the body of the email. This was enough to catch my attention, and I started to read the full content of the email.

According to the email, I was a very accomplished businessman. And to be honest, I am tempted to agree. I have had a lot of fun, and true, I have accomplished big things. But I usually do not brag about it, so not many people know.

Reading on, I learned that the

“Emeralds Who’s Who is the authority for professional networking and recognition in virtually every industry across the globe.”

Who would not love to be part of that, huh?

They go on to tell me about how the members help each other, creating business opportunities worldwide. Being an entrepreneur, global networks are always of interest.

A few lines of further reading bring on the sales message. One of the most useful tricks in the world of sales is to create a reason for hurry. Create a short-term offer or an opening that will close within a few days or hours. And make sure your client realizes the hurry. Yes, I am a sales professional with more than 20 years of sales experience. Yes, I conduct sales training.

Yes, I can recognize when someone is trying to pull my leg. Thus, I dismissed the time frame – as in my experience, if you want to buy something, you will usually be able to negotiate the same deal anyway.

Reading on, I learn that there is no charge for being considered for the Emeralds Who’s Who. That is nice, but I get the feeling that after the consideration is over, there might be charges.

Now I can click on a link, or copy-paste it into a browser, and they will take me directly to the application. And sure enough, a reminder of the hurry I am in if I want to be in the next annual publication. Signed by Anthony Miller, Research Director.


Temptation

No matter how tempting it is to click the links, I am a paranoid son of a b*tch. That may be what makes me good at security. So I do not click the links. Nor do I feel like taking part in a Who’s Who I had never heard about before. On the other hand, there is a little voice inside saying:

“Kai, maybe, just maybe, has someone actually taken the time to research you. And maybe, just maybe, did you impress them enough for them to actually want you on their lists.”

I don’t know about you, but recognition is one of my main motivators. So I decided to spend a little time looking into this opportunity for fame. Perhaps it was true? Maybe finally someone had seen what I did in the past and wanted me to share it?

Another sales technique is to use the client's own motivation and need for recognition to make him feel good, and then want to buy from you. It is sometimes referred to as befriending, and is IMO a very important quality in a sales person. But, still IMO, the befriending should be honest and truthful. After all, you want to build a relationship based on trust. So overdoing your befriending is not that useful.

Sure enough, I felt good. I had done something, and a research team had deemed what I had done worth recognition in their publication.

Again, my paranoia forces me to do some research. I go to their website, which I find to be very pre-2000, a sure sign that they either do not know what they are doing, do not have enough money to do what they want, or do not care. None of which is good IMO, and I raise my guard.

I do find a physical address, some contact names and even a phone number. This is generally good, and as a result I lower my guard a bit.

Next step is to Google. I enter Emerald Who’s Who, and get an interesting list. Sure enough, the first couple of results point to their own website. Then there are several different sites and discussion boards claiming this is a scam. Many of those are years old, and the same scams are still taking place.

My guard is back up, and I start to read.

Pretty soon, I realize that the posts filled with poison against the Who’s Who are not the result of one or two people who are not satisfied with the services. I realize that my gut feeling was right all along. The Emerald Who’s Who is one of several Who’s Who directories that only serve to scam people.

What I read is not fun, nor shocking.

I would normally just have deleted this email and moved on with my life. But this time I feel like I almost fell victim to a scam. And I tend to look at myself as a professional. A security professional. I should not be even remotely tempted to fall for something like this. And still I felt like this was an opportunity to get some fame and recognition.

I can only imagine how many people are falling for such scams. On the Emerald Who’s Who there is a list of Premier members (sorry, I have no idea what they pay for this). You can browse the people on the list, and read about the merits of the victims. For example, you can read that a CEO (name not disclosed) enjoys golf and music, is married and has two children. And yes, full contact and website info is available. Go hustle!

Another one has a full list of accomplishments, image and contact info. Social engineering the people on these lists would be a dream!

And that is exactly what these Who’s Who directories are doing – they play you like a kid. They fool you into thinking that they care. They make you believe that what you have done means a lot to them, and that you are honored to be on their list. Most importantly, they use your own feelings and wish for recognition to charge your credit card ridiculous amounts of cash. They also put you out there on their lists to show the world how they fooled you.

So far, I have found several similar Who’s Who, and according to this great post over at Writer Beware (thanks Victoria), there are plenty of these sites. According to Victoria, these are other Who’s Who scams:

  • United Who's Who (which has an unsatisfactory record with the Florida BBB for failing to respond to complaints)
  • International Who's Who Historical Society (ditto)
  • American Who's Who Association, which has a number of different schemes
  • Premier Who's Who (formerly Prestige Who's Who, also d/b/a America's Who's Who)
  • Emerald Who's Who
  • Madison Who's Who (this one also has an unsatisfactory BBB record)
  • Global Register's Who's Who (formerly National Register's Who's Who)

From the comments to that post, you get the impression that only a few people run these scams, and that these people know each other, and compete. It seems like they all started in the same company, and then split up. To me it sounds like they are not happy with getting only a small piece of the cake; they all want it all.

I am not sure where they picked my name up, but it does not really matter. These days, it is extremely easy to find just about any name. And only a few minutes of research will be enough to make even the most careful ones lower their guards.

Did you fall for these tricks? How did you get out of it? What is your advice to others? When will such scams stop? How can we help each other to avoid such threats?

Hacking - The Corporate Cover-Up

Today, I bring you the Guest Author Rob Rachwald who is the Director of Product Marketing at Fortify Software. Please enjoy, and share your thoughts!
--
Not long ago, a senior executive from one of corporate America’s large bellwether stocks received a telephone call from law enforcement, explaining that the company had a major software vulnerability in its corporate web site. The agent described the vulnerability and its location in great detail and requested that it be fixed immediately. But he refused to disclose how he knew.

At the executive’s request, the organization’s chief information security officer (CISO) investigated the matter, confirmed the flaw and fixed it. Through forensics, the CISO discovered that a foreign government had penetrated the organisation’s applications infrastructure and was in a position to bring it down whenever the time was deemed right.

Cyber security is no longer just the job of IT.  As the true story above highlights, cyber crime today is a silent, invisible battlefield.  The anonymity and universal access of cyberspace makes cyber crime attractive and easy.  If customers, partners and employees can access sensitive systems from anywhere in the world, then the same pathway to the core infrastructure and priceless data exists for hackers as well.

Defending against cyber crime is costing billions of dollars.  According to Gartner, organisations worldwide spent $288 billion on information security products in 2007.  The US Government is allocating $7.9 billion in 2009 for cyber security, which is $103 out of every $1,000 requested for IT spending—up 75% from 2004.  US companies spent $79 billion in 2007.

But is all this investment making an impact?  Consider:
  • The Web Application Security Consortium project analysed 31,373 web applications and discovered that they contained 148,000 vulnerabilities. 
  • Between 2001 and 2007 180 million credit card records were stolen.
  • The Washington Post reported that by August 2008, the number of successful data breaches had surpassed all breaches from 2007.

What’s not working? Businesses build applications to store, process and transact money and data for the sake of efficiency—but they often fail to properly defend these applications. As business modernized, software security didn’t. And hackers have sniffed out the weaknesses. Traditional cyber defensive measures—including firewalls and anti-virus—don’t protect against data breaches.


Application Security:  A New Business Imperative

The days of hacking for fun are over.  The new face of cyber crime has evolved in two ways:
  • First, foreign governments are also after intellectual property, particularly in the military domain, and the internet is their portal into the applications and databases that hold these secrets.
Countries such as China, for example, have now become proficient in the art of cyber warfare and cyber espionage after setting up specific hacking centres to this end. North Korea, on the other hand, has invested in a hacking school, from which about 100 hackers graduate each year, while Russia fetes its cyber-savvy practitioners as national heroes. The rationale is, why invest vast sums in conventional weapons or risk international scandal if spies are discovered, when such operations can be conducted quietly online these days?

  • Second, the amount of money that can be made from online fraud and theft at relatively little risk compared to operations in the physical world inevitably makes such undertakings attractive. This means that both individuals on the make and organised crime are now becoming involved.

And a very sophisticated industry is also developing around the pursuit. Consider how the opponent has mobilized:
  • In recent years, a growing number of hacker match-making sites have sprung up. These act in a similar fashion to a brokerage firm and bring people with a range of different skills together to target organisations more effectively.
  • There are also various web sites that publish software vulnerabilities and make the hackers’ job all the easier.
  • Hackers develop and sell automated hacking tools.

Business Software Assurance

The Achilles’ heel that has allowed this evolution is that applications are only as good as the software developers that wrote them.  And most of those developers are not responsible for security.

So what can organizations do to protect themselves from the hacking threat more effectively?

The first thing is to adopt a Business Software Assurance approach for information security. BSA offers a good foundation to understand what threats and vulnerabilities could impact the business and what the likelihood is of problems occurring.

BSA involves introducing a formal methodology to help to determine what the real risks are. This enables businesses to focus on their true needs by formally documenting processes in order to ensure that issues do not end up falling through the cracks. 

As part of the BSA process, it is crucial to gain an understanding of just how exposed the organisation’s systems are. The aim is to remove any flaws from the code in order to make it impenetrable to attack. More importantly, it is about adopting an inside out strategy that tackles root causes as opposed to simply employing outside in tactics that involve putting a protective wall around the problem.

As the world has moved online, it has brought all of its vices with it. An entire economy has sprung up online to support and feed a cycle of fraud and theft that leeches untold strategic and monetary value from supposedly safe data warehouses, and costs further billions to defend against with limited effect. The only path out of this reckless cycle is a strategy that focuses not only on the criminals that are after your data, but on the vulnerabilities in your software infrastructure that they turn against you.

Website security - a quick primer!

Websites are a vital part of any serious business. As an entrepreneur, it is very easy to think you will save some bucks by buying a cheap website from some kid (your own, your neighbor's, and so on), and focus only on saving cash.

This approach is wrong.

Again, this approach is wrong. Let me tell you why.

You are running a serious business, and your website is an increasingly important window towards your potential and existing clients. No, do not argue, just accept that as a fact. And your website should present you in a manner that projects the best possible image of you to your visitors.

If you do not agree, then you will be much better off by NOT having a website at all. If you choose that path, you can stop reading now :)

With a website, you need to make sure that it projects the best possible image of you to your clients, prospects and any other visitor. (Yes, I just told you that above.) There are a number of factors that need to be considered with a website, and most of them are covered much better by other blogs. Some of the things include:

  • Look and feel - make sure you are using a design that enhances your image.
  • Content - you should focus on relevant content, focusing on what you think your visitors need or are looking for. Generally, information on a website is a very cost-efficient way to communicate with your clients and should be used to the maximum effect. As an example, consider making, printing and distributing a 50 page product catalog, versus just publishing the PDF on your website.
  • Platform & security - this is the purpose of this post. By not letting the kids (your own or others') make your website, you can make sure that you show the high standards you want. Use professionals, and make sure they also focus on the security of the website. Today, it has become way too easy to hijack websites and use them for bad purposes, and we all need to be responsible. After all, you would not want your customers to be attacked by someone using YOUR website, would you?

For the first two points, I suggest you go elsewhere (ask your website development partner for help), but the last one you can check right away by using this quick and easy assessment from Jason. His post is well written and easy to understand - even if you have no clue about technology or IT.

Go on! Check! And if it turns out your website is at risk, contact your supplier right away and make sure they do their job properly!

The blogger is Kai Roer, a European Information security professional.
