
October, 2008

Eugene Kaspersky explains cybercriminality

This post over at Secure Computing is a must-read if you want to understand more about how cyber criminals work and make money.

The article is very well written and easy to understand!

Be careful of the other people!

Joe Webster had a lovely post today! In his own words:

That’s right. The other people. But here’s the bad news, pilgrim. Frank Zappa had it exactly right - we are the other people and you’re the other people too.


I think you are spot on, Joe!

ALERT: Twitter makes it easy to impersonate

Impersonation has a long tradition - just look at comedians, actors, crooks and intelligence workers. Impersonation used to require special skills, sometimes even special looks, and the risk could be very high. Well, maybe not for the comedian, as he/she would most likely only risk not getting the laughs, and some embarrassment.

 

Imagine a crook impersonating you. He enters the bank and tries to lift some cash off your account. If he is not convincing, with the right looks and saying the right things, he will not succeed. What is more, he risks not being allowed to leave the bank, and being jailed.

 

Today things are different. New technologies always create new opportunities. Not only for you, but also for the opportunist. You can see that in social media today, as you could see it in every technology in the past. Consider these examples:

 

  • Using a car to run from a heist (robbery to the rest of us) – imagine the opportunity cars created for crooks when the police only had horses. On the downside, only a few people had cars then, and you did need fuel and other supplies.
  • Phone line hacking (phreaking): using blue boxes to avoid getting a phone bill. With the growth of electronic switchboards came the tools to exploit them. Very low risk, easy to use (if you knew your way around electronics) and free.
  • Weapons technologies – just consider what happened when gunpowder was developed. It turned the world upside down.

 

Today (2008), social media is under attack. And Twitter is one of many tools used. Why? It requires very few skills – if you can turn on a computer and surf the net, you have the skills necessary to exploit social media.

 

Take this example with Sarah Silverman. Anyone could do that. All you need is an email address to sign up with, and as we know, email addresses are freely available.

 

And as before, we need to understand the technology from all sides in order to protect and manage it.

 

Take the cars above. When the police did not have cars, the crooks had a better position. Then the police started to use cars, and the crooks added stronger engines and better drivers. The police had to do the same. At some point, they reach the maturity point, and the technology acts as an equalizer instead of being the differentiator it was initially.

 

The same goes for the phreaking example above. The phone companies needed to replace the expensive and slow service that the manual switchboards were (I know, the employees were usually extremely quick… but they were still not able to compete with automatic switchboards). In came the automatic switchboards, using electronic switches. Surely, smart engineers understood the technology, and were able to exploit it simply by building a device that sends the right kind of signals to the switchboard, thus tricking the switchboard into setting up phone calls without charging the exploiter.

 

As the exploits grew in popularity, the phone companies engaged in a battle that is still taking place. And in parallel, the commercialization of the Internet began. And the Internet created new possibilities to exploit.

 

Let’s get back to 2008.

 

I continue to see people advise others to take control of their internet presence by registering on this site and that site. I do not think that is the right strategy for protecting your online (and to some extent offline) ID and credibility.

 

If I were to register my name on every tool, website and social media site on the Internet, I would spend all my time doing so. That is just not feasible. And it would be plain stupid. Because by spending all my time registering and monitoring these options, I would not have time to do my job and live my life. And if I cannot live my life, why should I protect it?

 

Another point is that by registering on every site available – or even just a selected few – I would make myself so much more available to be exploited. Imagine this scenario: you get an invitation from someone you know to join a network/site/tool you have never heard of. You join, and by doing so, you give away personal information to someone you do not yet know whether you can trust. And believe me, these invitations have been around for a while, and more will turn up.

 

Personally, I have selected a few sites I have registered on. And yes, I do consider a few others from time to time. I am considering Twitter for one at the moment. But one thing that has changed since I first experienced the Internet commercially in 1994 is that I no longer strive to be a first mover.

 

With the increased risk of getting harvested, I am now very careful with the tools and sites I adopt and use. Not only because I am worried about someone stealing my info, but also because I now maintain a profile that people trust. I do not want to ruin that if I can help it.

 

Thus, today I follow these rules:

 

  • Never be the first to register (unless it is for testing purposes to help a few, selected contacts).
  • Never invite others to join (unlike a few years ago, when I helped spread the word about Plaxo, LinkedIn, Xing and others).
  • Never accept the first invitation (if one or only a few of my contacts use it, it is unlikely to add value to me. When momentum is created – i.e. when more than only a few contacts use the tool – I will take a look and consider it for adoption. But not before).
  • Make up your own mind (as in not letting everyone else tell you where you need to have a profile, what you should do, and how you should do it).
  • Be responsible (as in accept the risk, and take your precautions).

 

What are your rules of using the Social Media? Do you have any? Do you care? What are the sites you consider a must? Which sites do you avoid? Why?  

I have been recognized as one of very few!!

The other day, I received an email claiming I had been selected for inclusion in a very exclusive directory called Emerald Who’s Who. My immediate reaction was to send it to junk. Then my eyes caught a glimpse of Roer.com – the brand name of my company.

The company was established in Norway back in 1994, and I also brought it with me when I lived in France for several years during the dot-com period. Thus, the email was able to get under my guard simply by putting my company name and France into the body of the email. This was enough to catch my attention, and I started to read the full content of the email.

According to the email, I was a very accomplished businessman. And to be honest, I am tempted to agree. I have had a lot of fun, and true, I have accomplished big things. But I usually do not brag about it, so not many people know.

Reading on, I learned that the

“Emerald Who’s Who is the authority for professional networking and recognition in virtually every industry across the globe.”

Who would not love to be part of that, huh?

They go on telling me about how the members help each other, creating business opportunities worldwide. Being an entrepreneur, global networks are always of interest.

A few lines of further reading bring on the sales message. One of the most useful sales tricks in the world of sales is to create a reason to hurry. Create a short-term offer or an opening that will close within a few days or hours. And make sure your client realizes the hurry. Yes, I am a sales professional with more than 20 years of sales experience. Yes, I conduct sales training.

Yes, I can recognize when someone is trying to pull my leg. Thus, I dismissed the time frame – as in my experience, if you want to buy something, you will usually be able to negotiate the same deal anyway.

Reading on, I learn that there is no charge for being considered for the Emerald Who’s Who. That is nice, but I get the feeling that after the consideration is over, there might be charges.

Now I can click on a link, or copy-paste it into a browser, and they will take me directly to the application. And sure enough, a reminder of the hurry I am in if I want to be in the next annual publication. Signed by Anthony Miller, Research Director.

Temptation

No matter how tempting it is to click the links, I am a paranoid son of a b*tch. That may be what makes me good at security. So I do not click the links. Nor do I feel like taking part in a Who’s Who I had never heard of before. On the other hand, there is a little voice inside saying:

“Kai, maybe, just maybe, has someone actually taken the time to research you. And maybe, just maybe, you impressed them enough for them to actually want you on their lists.”

I don’t know about you, but recognition is one of my main motivators. So I decided to spend a little time to look into this opportunity of fame. Perhaps it was true? Maybe finally someone had seen what I did in the past and wanted me to share that?

Another sales technique is to use the client’s own motivation and need for recognition to make him feel good, and then want to buy from you. It is sometimes referred to as befriending, and is IMO a very important quality of a sales person. But, still IMO, the befriending should be honest and truthful. After all, you want to build a relationship based on trust. So overdoing your befriending is not that useful.

Sure enough, I felt good. I had done something, and a research team had deemed what I had done as worth recognition in their publication.

Again, my paranoia forces me to do some research. I go to their website, which I find to be very pre-2000, a sure sign that they either do not know what they are doing, do not have enough money to do what they want, or do not care. None of which are good IMO, and I raise my guard.

I do find a physical address, some contact names and even a phone number. This is generally good, and as a result I lower my guard a bit.

Next step is to Google. I enter Emerald Who’s Who, and get an interesting list. Sure enough, the first couple of results point to their own website. Then there are several different sites and discussion boards claiming this is a scam. Many of those are years old, and the same scams are still taking place.

My guard is back up, and I start to read.

Pretty soon, I realize that the posts that are filled with poison against the Who’s Who are not a result of one or two people that are not satisfied with the services. I realize that my gut feeling was right all the time. The Emerald Who’s Who is one of several Who’s Who directories that only serve to scam people.

What I read is not fun, nor shocking.

I would normally just have deleted this email and moved on with my life. But this time I feel like I almost fell victim to a scam. And I tend to look at myself as a professional. A security professional. I should not be even remotely tempted to fall for something like this. And still I felt like this was an opportunity to get some fame and recognition.

I can only imagine how many people are falling for such scams. On the Emerald Who’s Who there is a list of Premier members (sorry, I have no idea what they pay for this). You can browse people on the list, and read about the merits of the victims. For example, you can read that a CEO (name not disclosed) enjoys golf and music, is married and has two children. And yes, full contact and website info is available. Go hustle!

Another one has a full list of accomplishments, image and contact info. Social engineering the people on these lists would be a dream!

And that is exactly what these Who’s Who directories are doing – they play you like a kid. They fool you into thinking that they care. They make you believe that what you have done means a lot to them, and that you are honored to be on their list. Most importantly, they use your own feelings and wish for recognition to charge your credit card ridiculous amounts of cash, they also put you out there on their lists to show the world how they fooled you.

So far, I have found several similar Who’s Who, and according to this great post over at Writer Beware (thanks Victoria), there are plenty of these sites. According to Victoria, these are other Who’s Who scams:

  • United Who's Who (which has an unsatisfactory record with the Florida BBB for failing to respond to complaints)
  • International Who's Who Historical Society (ditto)
  • American Who's Who Association, which has a number of different schemes
  • Premier Who's Who (formerly Prestige Who's Who, also d/b/a America's Who's Who)
  • Emerald Who's Who
  • Madison Who's Who (this one also has an unsatisfactory BBB record)
  • Global Register's Who's Who (formerly National Register's Who's Who)

According to the comments to that post, you get the impression that there are only a few people who run these scams, and that these people know each other, and compete. It seems like they all started in the same company, and then split up. To me it sounds like they are not happy with getting only a small piece of the cake; they all want it all.

I am not sure where they picked my name up, but it does not really matter. These days, it is extremely easy to find just about any name. And only a few minutes of research will be enough to make even the most careful ones lower their guards.

Did you fall for these tricks? How did you get out of it? What is your advice to others? When will such scams stop? How can we help each other to avoid such threats?

SCAM alert - Who's Who catalogues!

The letter I received from Emerald Who's Who! Check out the blog post here and be sure to leave your comments!

I have removed the links in the post. No link-juice for Emerald!

 
954 Third Ave, Suite 817 , New York, NY, 10022

Kai Roer,                         

I am pleased to inform you that today, October 24, 2008 Emerald Who's Who for Executives and Professionals has selected you as potential candidate into our organization to represent  Jausiers, , France. Your professional experience with Roer.com as Manager has been recognized and has qualified you to possibly be included. Emerald Who's Who is the authority for professional networking and recognition in virtually every industry across the globe.


Based on the research our team and our affiliates were able to find, you are the type of professional we would like to include as part of our executive and professional organization.

Our members assist each other with business and career opportunities everyday. Emerald Who's Who is consistently helping our members increase existing business, develop new ventures and acquire new contacts, locally, nationally and internationally.

Should you be inducted into Emerald Who's Who, you will also be included in the 2008-2009 edition of Emerald Who's Who for Executives and Professionals. This is an annual edition of accomplished individuals across the world.

Your inclusion into our organization requires that further professional information about you is provided within the next 5 days.

Please note there is no charge to be considered into the Emerald Who's Who for Executives and Professionals.

We have provided the below links to help you submit your information quickly and easily. Both URL's are the same, however should you not be able to click, please copy and paste #2. Please note your information will be encrypted and transferred safely over the Internet as we use, the leading security service for security and protection. Your information will also be protected once stored on our secure servers.

1) URL removed!

Or manually enter the below link into your web browser

2) URL removed!


While our editorial department is continuously working on publishing timelines, I cannot assure that you will be included in our next annual publication featuring all executives and professionals like yourself. If we receive your information in the next 5 days, we can still consider your submission.

Kind regards, 

Anthony Miller 

Research Director

Emerald Who's Who for Executives and Professionals Inc.

954 3rd Ave, Suite 817, NY, New York, 10022

Emerald Who's Who for Executives and Professionals is not affiliated with Marquis Who's Who or any other Who's Who organization or publication.

Thank you for your time, should you wish to no longer receive any further e-mail from us at this address, please follow the directions below.

 

Hacking - The Corporate Cover-Up

Today, I bring you the Guest Author Rob Rachwald who is the Director of Product Marketing at Fortify Software. Please enjoy, and share your thoughts!
--
Not long ago, a senior executive from one of corporate America’s large bellwether stocks received a telephone call from law enforcement, explaining that the company had a major software vulnerability in its corporate web site. The agent described the vulnerability and its location in great detail and requested that it be fixed immediately. But he refused to disclose how he knew.

At the executive’s request, the organization’s chief information security officer (CISO) investigated the matter, confirmed the flaw and fixed it. Through forensics, the CISO discovered that a foreign government had penetrated the organisation’s applications infrastructure and was in a position to bring it down whenever the time was deemed right.

Cyber security is no longer just the job of IT. As the true story above highlights, cyber crime today is a silent, invisible battlefield. The anonymity and universal access of cyberspace make cyber crime attractive and easy. If customers, partners and employees can access sensitive systems from anywhere in the world, then the same pathway to the core infrastructure and priceless data exists for hackers as well.

Defending against cyber crime is costing billions of dollars.  According to Gartner, organisations worldwide spent $288 billion on information security products in 2007.  The US Government is allocating $7.9 billion in 2009 for cyber security, which is $103 out of every $1,000 requested for IT spending—up 75% from 2004.  US companies spent $79 billion in 2007.

But is all this investment making an impact?  Consider:
  • The Web Application Security Consortium project analysed 31,373 web applications and discovered that they contained 148,000 vulnerabilities. 
  • Between 2001 and 2007 180 million credit card records were stolen.
  • The Washington Post reported that by August 2008, the number of successful data breaches had surpassed all breaches from 2007.
What’s not working? Businesses build applications to store, process and transact money and data for the sake of efficiency, but they often fail to properly defend these applications. As business modernized, software security didn’t. And hackers have sniffed out the weaknesses. Traditional cyber defensive measures, including firewalls and anti-virus, don’t protect against data breaches.


Application Security:  A New Business Imperative

The days of hacking for fun are over.  The new face of cyber crime has evolved in two ways:
  • First, foreign governments are also after intellectual property, particularly in the military domain, and the internet is their portal into the applications and databases that hold these secrets.
Countries such as China, for example, have now become proficient in the art of cyber warfare and cyber espionage after setting up specific hacking centres to this end. North Korea, on the other hand, has invested in a hacking school, from which about 100 hackers graduate each year, while Russia fetes its cyber-savvy practitioners as national heroes. The rationale is, why invest vast sums in conventional weapons or risk international scandal if spies are discovered, when such operations can be conducted quietly online these days?

  • Second, the amount of money that can be made from online fraud and theft at relatively little risk compared to operations in the physical world inevitably makes such undertakings attractive. This means that both individuals on the make and organised crime are now becoming involved.

And a very sophisticated industry is also developing around the pursuit. Consider how the opponent has mobilized:
  • In recent years, a growing number of hacker match-making sites have sprung up. These act in a similar fashion to a brokerage firm and bring people with a range of different skills together to target organisations more effectively.
  • There are also various web sites that publish software vulnerabilities and make the hackers’ job all the easier.
  • Hackers develop and sell automated hacking tools.

Business Software Assurance

The Achilles’ heel that has allowed this evolution is that applications are only as good as the software developers that wrote them.  And most of those developers are not responsible for security.

So what can organizations do to protect themselves from the hacking threat more effectively?

The first thing is to adopt a Business Software Assurance approach for information security. BSA offers a good foundation to understand what threats and vulnerabilities could impact the business and what the likelihood is of problems occurring.

BSA involves introducing a formal methodology to help to determine what the real risks are. This enables businesses to focus on their true needs by formally documenting processes in order to ensure that issues do not end up falling through the cracks. 

As part of the BSA process, it is crucial to gain an understanding of just how exposed the organisation’s systems are. The aim is to remove any flaws from the code in order to make it impenetrable to attack. More importantly, it is about adopting an inside-out strategy that tackles root causes as opposed to simply employing outside-in tactics that involve putting a protective wall around the problem.

As the world has moved online, it has brought all of its vices with it. An entire economy has sprung up online to support and feed a cycle of fraud and theft that leeches untold strategic and monetary value from supposedly safe data warehouses, and costs further billions to defend against with limited effect. The only path out of this reckless cycle is a strategy that focuses not only on the criminals that are after your data, but on the vulnerabilities in your software infrastructure that they turn against you.



Website security - a quick primer!

Websites are a vital part of any serious business. As an entrepreneur, it is very easy to think you will save some bucks by buying a cheap website from some kid (your own, your neighbor’s, etc.), and focus only on saving cash.

This approach is wrong.

Again, this approach is wrong. Let me tell you why.

You are running a serious business, and your website is an increasingly important window towards your potential and existing clients. No, do not argue, just accept that as a fact. And your website should present you in a manner that will impose the best possible image of you towards the visitors.

If you do not agree, then you will be much better off by NOT having a website at all. If you choose that path, you can stop reading now :)

With a website, you need to make sure that it projects the best possible image of you towards your clients, prospects and any other visitor. (Yes, I just told you above.) There are a number of factors that need to be considered with a website, and most of them are covered much better by other blogs. Some of the things include:

  • Look and feel - make sure you are using a design that enhances your image.
  • Content - you should focus on relevant content, focusing on what you think your visitors need or are looking for. Generally, information on a website is a very cost-efficient way to communicate with your clients and should be used to the maximum effect. As an example, consider making, printing and distributing a 50 page product catalog, versus just publishing the PDF on your website.
  • Platform & security - this is the purpose of this post. By not letting the kids (your own or others) make your website, you can make sure that you show the high level of standards you want. Use professionals, and make sure they also focus on the security of the website. Today, it has become way too easy to hijack websites and use them for bad purposes, and we all need to be responsible. After all, you would not want your customers to be attacked by someone using YOUR website, would you?

For the first two points, I suggest you go elsewhere (ask your website development partner for help), but the last one you can check right away by using this quick and easy assessment from Jason. His post is well written, and easy to understand - even if you have no clue about technology or IT.

Go on! Check! And if it turns out your website is at risk, contact your supplier right away and make sure they do their job well!

Schneier demonstrates poor airport security to The Atlantic

I just love this story!

Not at all certain I would dare to try it myself. Reading how Schneier uses fake boarding passes, and brings 24oz of unidentified liquid through airport security, is like reading a Ken Follett novel!

And you all know what I think of airport security!

Playing / messing around with the template again

I am reshaping the blog template again, and unlike what I preach, I do the testing directly on the production website.

When I was involved in website development and production back in the 1990s, I always had three copies of every site we managed - the production site, a full mirror of the production site for final testing and backup purposes, and a testing site for development. This enabled us to avoid what I am experiencing right now - where some simple and small changes change the full look and feel of the website.

So my advice to you when you mess about with your blog, website, application or network - make sure you have a separate testing environment where you can make and test the changes before you apply them to the production system!

Learn by my mistakes!

Application logging - How it's not supposed to be

Anton is on a plane to California. Thanks to modern technology - scheduled posting - he just posted his take on how not to do application logging.

If you are into software development, you might find his insights to be very useful.
