Facebook is creepy, according to Wired

According to Simon Dumenco over at Wired, Facebook is too creepy to offer business value. I certainly agree that there are aspects of Facebook that might be creepy, but I do not think that alone is the main reason to not use Facebook in a business environment.

A couple of his comments are good, though:

"The ease with which Facebook can be used to broadcast your whereabouts adds a particularly disturbing dimension for executives who would surround themselves with security in real life but are lulled into complacency by Facebook's tidy veneer. Last year, the British military sent a directive to its army units to avoid revealing their service connections online—"Be particularly careful if you are on Facebook, MySpace, or Friends Reunited"—fearing that, yes, Al Qaeda could use them to track prey. Your business competitors might not be terrorists per se, but Facebook can be useful for anyone trying to poach your M.V.P.’s."

I think this point applies to Twitter, Plaxo and LinkedIn too - they all love the Status update these days.

Another point, made by David Weinberger is particularly interesting:

"Younger people violate older people's idea of proper behavior when it comes to privacy,"

Now, is this a challenge for the younger people, or for the older ones? Who needs to adapt? The Young? The Old? The Wise? Or heaven forbid - me?


Root passwords to LiveCD Linux distros

If you are in need of the root password to the LiveCD *nix distro you just downloaded, this resource may be of help to you.

I know I need them from time to time, and usually when I do, I miss a "one-stop-shop" like this one :)

Thank you Benny!

NorSec - Linkedin group for Nordic Security Professionals

I have created a LinkedIn group called NorSec. The group targets security professionals in the Nordics, with particular focus on Norway.

The group is not publicly available. To be accepted you must meet the following criteria:

  • Located in Norway (or the Nordics)
  • Currently working within the security industry

The benefits of joining the group are:

  • Join and meet other security professionals
  • Develop a forum for discussions
  • Find job opportunities
  • Find candidates
  • Get answers

Please note - if you are not located in the area, or not in the security industry, you will not be accepted as a member of this group. There are other groups available for you!

To apply: http://www.linkedin.com/e/gis/111057/40E1791B6B9D

You may consider letting me know about your request using the contact form or my e-mail.

Hacking the CPU using Java

This just came into my Snarfer!

How can I not love the fact that hacking the CPU - the hardware - is the next big threat? I mean, how do you patch a CPU?

---

IT-manager: "Oh, it's patch day. Let me just shut down the boxes."
(Shuts down most boxes in the server room)
IT-slave: "Oh, so silent it suddenly became. It's almost as when I was a kid, and only had my Nintendo DS to play with!"
IT-manager: "Yea, well, lettus gedon widdit."
(They open each box, snap out the CPU, add a transistor or two to the CPU, stick it back in there, and put the lid back on. )
IT-manager: "Cross the fingers, and hit the POWER button."
IT-slave: "Please, please, pretty please, let the main server start again."
(The server spins up, lamps blinking red, green and blue. An ambient light comes out of the cup-holder and after a few seconds, the screen flickers blue, then black, and finally back to blue. A Log-On screen appears on the screen).
IT-manager: "Ah, it worked again. God, I miss the days with automatic updates from Microsoft."
IT-slave: "Yea, when do you think Intel will start with automatic updates?"

---

Deep Packet Capturing - the saviour of the day?

I have been asked to take a look at Deep Packet Capturing - a technology used to capture and store network packets. The keyword here is Capturing. The point is to capture and store networking traffic for (possible) later analysis and modeling.

One of the suppliers is Solera Networks, which offers appliances to capture and store information on your network at high speed - up to 10Gbit/s.


Why do you want this kind of tool?

So far, you have a Deep Packet Inspection tool, you save and analyze logs, and you also monitor your network. Then, one day, the police knock on your door (or heaven forbid - the Media). Your logs and day-to-day analysis will only take you and the police so far. You may pick up some irregularities from the past, but most likely you will not be able to rebuild and document the actual data stream. You end up with poorly documented speculations.

With a Deep Packet Capturing device, chances are that you would be able to not only figure out when, by whom and what was done - but you would also be able to replay the sequence, re-analyze it, and most importantly document the whole process. In addition, you would be able to develop and test new rules for finding irregularities - without having to risk your day-to-day network flow. When your new rules are designed and tested, you can implement them.
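
The replay-and-retest idea above, as an added example (not code from the original post or from Solera Networks): a minimal reader for the classic pcap file format that applies a rule written after the fact to stored traffic. The capture, the addresses and the cleartext Basic-auth rule are constructed for illustration.

```python
import socket
import struct

PCAP_GLOBAL = struct.Struct("<IHHiIII")  # magic, ver major/minor, zone, sigfigs, snaplen, linktype
PCAP_RECORD = struct.Struct("<IIII")     # ts_sec, ts_usec, incl_len, orig_len

def build_frame(src, dst, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame (checksums left at zero; sample data only)."""
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x02\x00\x00\x00\x00\x01\x02\x00\x00\x00\x00\x02\x08\x00" + ip + tcp

def build_capture(packets):
    """Serialize (ts_sec, frame) pairs as a classic little-endian pcap file."""
    out = PCAP_GLOBAL.pack(0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for ts, frame in packets:
        out += PCAP_RECORD.pack(ts, 0, len(frame), len(frame)) + frame
    return out

def read_capture(data):
    """Yield (ts_sec, frame) for every complete record in a classic pcap byte string."""
    if len(data) < PCAP_GLOBAL.size or struct.unpack_from("<I", data, 0)[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap")
    offset = PCAP_GLOBAL.size
    while offset + PCAP_RECORD.size <= len(data):
        ts, _usec, incl, _orig = PCAP_RECORD.unpack_from(data, offset)
        offset += PCAP_RECORD.size
        if offset + incl > len(data):
            break  # truncated final record: keep what was stored intact
        yield ts, data[offset:offset + incl]
        offset += incl

def parse_tcp(frame):
    """Return (src, dst, sport, dport, payload) for IPv4/TCP frames, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack_from("!H", frame, 16)[0]
    tcp_off = 14 + ihl
    if len(frame) < tcp_off + 20:
        return None
    sport, dport = struct.unpack_from("!HH", frame, tcp_off)
    data_off = (frame[tcp_off + 12] >> 4) * 4
    payload = frame[tcp_off + data_off:14 + total_len]
    return (socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34]),
            sport, dport, payload)

def cleartext_basic_auth(pkt):
    """Rule written after the capture: HTTP Basic credentials sent without TLS."""
    _src, _dst, _sport, dport, payload = pkt
    return dport != 443 and b"authorization: basic " in payload.lower()

def replay(data, rule):
    """Run a rule over stored traffic; return (timestamp, src, dst, dport) per hit."""
    hits = []
    for ts, frame in read_capture(data):
        pkt = parse_tcp(frame)
        if pkt is not None and rule(pkt):
            hits.append((ts, pkt[0], pkt[1], pkt[3]))
    return hits

# Constructed sample capture: three packets, one of which the new rule should flag.
CAPTURE = build_capture([
    (1214000000, build_frame("10.0.0.5", "192.0.2.10", 80, b"GET / HTTP/1.1\r\n\r\n")),
    (1214000060, build_frame("10.0.0.7", "192.0.2.10", 80,
     b"GET /admin HTTP/1.1\r\nAuthorization: Basic Y29uc3RydWN0ZWQ6c2FtcGxl\r\n\r\n")),
    (1214000120, build_frame("10.0.0.5", "192.0.2.20", 443, b"\x16\x03\x01\x00\x05hello")),
])

if __name__ == "__main__":
    for hit in replay(CAPTURE, cleartext_basic_auth):
        print(hit)
```

Because the rule runs over the stored bytes, each hit carries the original timestamp and endpoints, which is the documentation that logs alone do not give you.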


Compliance

Compliance is still an important buzzword around the security space. One of the compliance issues requires you to save quite large amounts of data - usually from solutions and technology not designed to give you easy access to the very same data. A Deep Packet Capturing device may be an easy and cheap way to comply with such regulations.

If you are an ISP or VoIP service provider in the US, you also need to comply with CALEA. To capture and monitor VoIP data may be a challenge, and Solera Networks claim their CALEA Appliance is a low cost solution tackling this very challenge.


Virtualization

Another buzzword these days is Virtualization. Now, virtualization itself is not without risk, but considering the upside of fewer physical devices, lower power consumption and easier (at least in theory) administration, I think virtualization is here to stay. It just makes business sense.

Thus, I like the fact that some of the Solera Networks devices are also available as VMware Virtual Appliances. This also means I can easily test run these devices in my lab, if I so desire.

I like new technology and new ideas. With the low cost of storage these days, a Deep Packet Capturing device makes perfect sense to me.

Sweden legalizes Internet surveillance

It is summer in my part of the world. Sun is shining for a few hours, then rain is cooling everything back down. And when the refreshment is over, sun warms and invites us all to go to the beach and enjoy.

It surely is hard to work under these conditions!

Late last week (I was away from the computer all week - only occasionally checking mail on my cellphone...puh, I am hot...), my ears picked up a heated discussion on the radio. IKT-Norge (the organization for ICT in Norway) was extremely concerned (sorry, Norwegian text) about the fact that the Swedish government decided to allow surveillance of all the internet traffic in the Swedish backbones.

IKT-Norway claimed that this would become an extreme security threat to Norway (almost all the backbones in Norway are connected through Sweden - thus most of the Internet traffic to and from Norway is routed through Sweden). And this guy Hallstein Bjerke at IKT-Norge said things like the Swedish surveillance team might pick up sensitive and secure data from the Norwegian DoD, as well as from Norwegian multinationals and oil companies.

I say: Duh - time to wake up. If you think your members are NOT evaluating risk, and taking the proper precautions when communicating over the Internet, I think you are in the wrong place.

One of the examples was that Sweden (one of two potential suppliers of new Jet-Fighters to the Norwegian Airforce) is now able to surveil and read all communications the Norwegian DoD has with the competitor Jet Fighter supplier - just by reading the emails.

HELLO!!! Do you REALLY think that the Norwegian DoD would email such information JUST LIKE THAT? Do you REALLY think that the DoD has NO CLUE WHATSOEVER about the e-mail communication protocol? And that they have taken NO precautions? The DoD in the US MADE the Internet back in the days. Norway was one of the very first countries OUTSIDE of the US to join the Internet in 1972.

What planet are you on, really?

 

Another example was the Oil company Statoil Hydro in Norway, and how the Swedes may now tap into all the e-mail communication they send and use.

I happen to know a fair bit of how such organizations think about security. Some think they are a bit too paranoid. Companies like this one are successful due to their ability to measure and counter risks. Further, they are technology driven, and have a very clear understanding of both their core business and values, and ICT - both from a maintenance and development point of view, AND from a security/Risk point of view.

These companies would not use the Internet to send and receive ANY (valuable) information unless they had previously weighed the risks involved, and put in place countermeasures (alternative communication tools like SatPhone, encryption, snail mail and personal delivery).

These companies ARE NOT STUPID.

 

The third example is about surveillance of the Norwegian Government's communication with the EC. I am the first to admit that I do not know much about professional politicians. But I do find it hard to believe that there is no training or common security awareness in the government. Yes, we do see that they post their traveling itineraries on public websites from time to time, but I am pretty sure that not even politicians would be using e-mail and other non-secure communication channels when they are discussing matters of national security. I may be wrong, of course - they are politicians after all.

 

The only good thing about the action taken from IKT-Norge is the fact that now more people know that:

1. Sweden has a legal manner to tap into ALL communication on the Internet (that passes through their network), thus they no longer need to hide their surveillance (the way most other countries do it),

2. regular people may (or may not) have gotten a better idea of how EASY it is to use the Internet to gather information.

 

Still, somehow I've got the gut feeling that the regular users do not see the relevancy of this. After all, most act like "I have nothing to hide!", and thus allow the legal AND the illegal surveillance teams to gather extremely attractive profiles.

For companies - yes, people in Norway are naïve (in a good way, always thinking the best of people), but most companies and business people do realize that the world is smaller, and that precautions are needed.

We may be naïve - but we are not stupid.

 

CCTV - the secret

Bruce offers a piece well worth reading on CCTV today.

A cuckoo in the nest - Apple plants itself in the network of the Telco

The iPhone has become one of the most wanted devices on the mobile phone market in 2008. No surprise there. With Apple's previous history of gadget success, this more or less had to happen.

And although Apple make money on these devices, Apple have decided to tap into the ongoing, continuous revenue stream of their Telco partners. According to the Register, if you want to provide iPhone to your clients, you are required to add an Apple networking device in your datacenter.

At first glance, this is only to provide the customers with the services required for the iPhone to function properly.

At next glance, you see that the device is able to capture and control the dataflow to and from any iPhones connected through that Telco.

So what?

By controlling the actual dataflow to and from the device, Apple may now gather information and habits, and control the way their users are actually using the iPhone. This also means that they may adapt content (advertisements) to the habits of the users - much like Google does on the web.

It may also enable services like pay-per-view and strict access control, as well as full monitoring of the content and communication.

According to the Register, this may become a threat to the Telco, as the Telcos themselves have been dreaming of such a tool for ages. Some have tried too - but due to too big differences on the device side, their attempts at identifying and controlling the content have not yet succeeded.

I think that Apple will share their technology with their Telco partners - the Telcos I know would never accept the technology partner controlling everything - unless they get revenue back.

I predict that Apple and the Telcos will walk this road hand-in-hand, all the way to the bank.

And the customers?

Nothing has really changed. You still get the bill. And you might perceive the new technology as a better service to you.

Which in my book means this is a typical Win-Win-Win situation.

And the security?

Well, you are already monitored and analyzed, so this makes no big change. The data quality is better, so the analyses will be of a higher value, which in turn will give you better ads!

---

Telco = TELeCOmmunication Company

HOW TO: Use Facebook for intelligence work, Part 2

In the previous part, we saw how you could use Facebook to collect e-mail addresses by offering something of perceived value to your victims. And you built a list of minimum 10 000 e-mails with only 5 minutes work.

This is part two of the How-to about collecting information of potential victims from sites like Facebook. This part is a Bonus – where I tell you how to collect more than only the e-mail and name of your victims – I tell you how you can build a full profile of your victim!

Warning: This work is tedious, and requires attention to detail and long-term persistency.

BONUS: Build a complete victim profile, not only e-mails and names!

1. Make people add themselves to your group

Now, go to your group setting page on the Facebook Group you added in Part 1 of this How-to. Make sure that you set it up to Group Type: Open group. This will ensure that everybody can join the group, and then invite their friends to do the same.

Image: Group type set to Open

 

Why do you want this? Simply to make your victims advertise the great offer you give, so more people will show up and give you their e-mails.

2. Start investigating your group members

This is easy. Just browse the list of members. When you see something pretty (as in potentially easily exploitable), take a look at the profile. If the profile is not available, take a look at their friends. Most people think that showing off their friends cannot give away anything about themselves, so it is safe. You know better, right? You will, read on!

Image: List of friends

 

Here we have a list of friends of a potential victim. We can see that this person is either very popular (618 friends), or is playing a game like yours – collecting!

Note the location of the friends, usually you will see that they tend to gather in one or only a few geographical areas. Also note the profile pictures, pictures can tell you a lot about the person. Look at dress code, location, styling and other clues as to who this person is.

3. Invite and collect

If you decide that you like the person (or you decide that he/she is a nice victim), you may invite him/her to be your friend. Say something like “Hi, I am the group manager of…I’d like to add you as a friend…” Most will say yes. Particularly if you hint that she/he is very close to get the prize, and you only need to confirm some info…Be creative!

Now you have full access to all the stuff this person shares with friends.

4. Harvest info

With full access, start to add to your database the following data:

  • interests
  • books read / enjoyed
  • favourite quotes
  • marriage status, birthday, age
  • friends, and particularly those who communicate using Wall and similar applications

If you follow your victim for some time, you will start to notice that you can get to know this person very well – only by viewing the information posted on the profile.

5. Use the info

You are still in there, are you?

Why would you want this kind of information about someone you do not know?

These are some of the reasons we know others use when they do this kind of exercise:

  • Looking for “easy” offers for sex or violence. Just read the newspapers.
  • Finding out when you leave your home (vacation, work hours), and pay you a visit when you are not there. This is not a house calling, but a house clearing.
  • Selling the information (spammers, criminals)
  • ID-theft – the more I know, the easier it is to learn more about you
  • Intelligence – companies, criminals and countries collect information that might be useful in the future
  • Research (my excuse) – see how much you can learn without warning the victim

One example, found on the Register today, is lax control in banks and financial institutions:

“Merchant Securities Group Limited also failed to verify the identities of customers that contacted the firm by telephone. Instead, the firm relied on being able to recognise customers' voices and talking with them informally about personal matters such as holidays or hobbies. Personal account numbers which could be used with a customer's name to access account information were included in routine letters.”

See where I am getting? The more I know, the more I get. Now I got your money too!

Warning: Keep in mind that in some countries, what you are doing may be considered illegal.

Note: You do know what YOU share on your profile, right?

HOW TO: Use Facebook for intelligence work, Part 1

This how-to describes in detail how to collect live, real email addresses from live, real people around the world. Most importantly, it will show you how you can collect 10 000 e-mails in less than 5 minutes work!

In addition, this How-to will help you collect additional information about your target: like photo; full name; list of friends; and potentially also mail address; phone numbers and list their favourite books.

So let’s get on with it!

 

1. Set up an email box on Yahoo, Google or similar tool

This is easy. Just pop on over to; Yahoo Mail; Google Mail; or any other free web based e-mail services out there. I know you are able to set up the account without my help.

Get back here and move to step two when you are done!

Set the e-mail to automatically forward all e-mails to a different account, preferably on a system you can control – either directly, or by POP/IMAP. You want to do this to save you some work later on!

You do not want to use your own name, though, but you knew that, right?

 

2. Get a Facebook (or pick any other social networking site) account

Just register with a plausible name (Jim Johnson, Donna James or similar). This is free, and typically available to anyone, and this is where you will meet your victims. Consider using the same name as in step one, this adds to credibility.

TIP: You may consider using a western name, preferably a woman's name, as it sounds less daunting and more secure.

Now, it is out of the scope of this How-to to discuss how to set up your account. So, I just skip on to the next part, and you do too as soon as your Facebook account is up and running!

 

3. Set up a group on Facebook

And yes, you guessed it; how to set up the group is out of the scope of this How-to. But believe you me, it is plenty easy!!

Give it a winning title - Free gift! Or: Free trip to Dubai!

Why you need it? This is where you will plant your seeds of seduction – where you will promote your give-away, and where your victims will understand why it is so important to give you their e-mail address for free – no strings attached!

So, now you got a group on Facebook. Time to use it!

 

4. Add a prize!

When you want something, you should always offer something. The bigger, and more realistic, the prize, the better it is! Here is one example:

Image: The teaser!

Yes, I noted more realistic above, I know…But – the purpose is to offer something that is realistic to your victims – and they are not as smart as you are, obviously. Thus, this one counts as realistic.

And, unless you really want to do so, there is no need to actually give away the prize. I would strongly suggest you do NOT give it away, and use it yourself instead. Or spend your cash on something else. Your victims will never know they did not win.

Period.

 

5. Ask for something simple/cheap compared to the prize

By asking for something that is perceived as not dangerous to give you – like an e-mail address – you are more likely to succeed. But we do know that most anyone will be happy to share their favourite password if you give them a chocolate, so do as you like. On the other side, when you get the e-mail, you get plenty of opportunity to ask for more later on too.

 

So go ahead and ask for it! Make sure you add your collecting e-mail box where they can send their request for the prize, giving away their name and e-mail. Put it out there – like this:

And voila – now you got a large amount of e-mail addresses available. Addresses you can use to send nice offers of pills, travels and other stuff your customers pay you to offer to your list!

 

6. Collect and use

Now that you have a large amount of e-mails on your account, it is time to download and put them to work. By installing any kind of e-mail harvesting tool on your e-mail client (many available, find your favourite), you are now able to take the e-mail addresses and their corresponding names from your in-box, and into a database tool.

And as e-mails keep coming in, your database grows. High quality e-mails with real people on the other side. A great value to spammers.

So start selling it to the highest bidder!

And if someone complains about getting spam? Well, that is not what you are doing, of course. You only provide your customers with fresh e-mail addresses with real people on the receiving side!

The emails are collected, and you may now use them to send out outrageous offers of pills, lottery winners and other nice-to-have stuff. But, why stop there?

Get back tomorrow to read about how to build a complete profile of your targets! That part is a Bonus – where I tell you how to collect more than only the e-mail and name of your victims – where I tell you how you can build a full profile of your victim!


Roer.Com Information Security is proudly protected by Akismet, 3704 spam caught since May 29, 2007.


The blogger is Kai Roer. He has dealt with communication and the Internet since 1994. Taking part in projects all over Europe, Mr. Roer is a renowned resource on information security, communication and security in general. As a management consultant, author and speaker, Mr. Roer has helped many a client.
