security

Facebook is creepy, according to Wired

According to Simon Dumenco over at Wired, Facebook is too creepy to offer business value. I certainly agree that there are aspects of Facebook that might be creepy, but I do not think that alone is the main reason to not use Facebook in a business environment.

A couple of his comments are good, though:

"The ease with which Facebook can be used to broadcast your whereabouts adds a particularly disturbing dimension for executives who would surround themselves with security in real life but are lulled into complacency by Facebook's tidy veneer. Last year, the British military sent a directive to its army units to avoid revealing their service connections online—"Be particularly careful if you are on Facebook, MySpace, or Friends Reunited"—fearing that, yes, Al Qaeda could use them to track prey. Your business competitors might not be terrorists per se, but Facebook can be useful for anyone trying to poach your M.V.P.’s."

I think this point is valuable to Twitter, Plaxo and LinkedIn too - they all love the Status update these days.

Another point, made by David Weinberger, is particularly interesting:

"Younger people violate older people's idea of proper behavior when it comes to privacy,"

Now, is this a challenge for the younger people, or for the older ones? Who needs to adapt? The Young? The Old? The Wise? Or heaven forbid - me?

----

More on Facebook:

 

Root passwords to LiveCD Linux distros

If you need the root password for the LiveCD *nix distro you just downloaded, this resource may be of help to you.

I know I need them from time to time, and usually when I do, I miss a "one-stop-shop" like this one :)

Thank you Benny!

CCTV - the secret

Bruce offers a piece on CCTV today that is well worth reading.

HOW TO: Use Facebook for intelligence work, Part 1

This how-to describes in detail how to collect live, real email addresses from live, real people around the world. Most importantly, it will show you how you can collect 10 000 e-mails in less than 5 minutes' work!

In addition, this How-to will help you collect additional information about your target, such as a photo, full name and list of friends, and potentially also a postal address, phone numbers and a list of their favourite books.

So let’s get on with it!

 

1. Set up an email box on Yahoo, Google or similar tool

This is easy. Just pop on over to Yahoo Mail, Google Mail, or any other free web-based e-mail service out there. I know you are able to set up the account without my help.

Get back here and move to step two when you are done!

Set the e-mail to automatically forward all e-mails to a different account, preferably on a system you can control – either directly, or by POP/IMAP. You want to do this to save you some work later on!

You do not want to use your own name, though, but you knew that, right?

 

2. Get a Facebook (or pick any other social networking site) account

Just register with a plausible name (Jim Johnson, Donna James or similar). This is free, and typically available to anyone, and this is where you will meet your victims. Consider using the same name as in step one; this adds to credibility.

TIP: You may consider using a western name, preferably a woman's name, as it sounds less daunting and more secure.

Now, it is out of the scope of this How-to to discuss how to set up your account. So, I just skip on to the next part, and you do too as soon as your Facebook account is up and running!

 

3. Set up a group on Facebook

And yes, you guessed it; how to set up the group is out of the scope of this How-to. But believe you me, it is plenty easy!!

Give it a winning title - Free gift! Or: Free trip to Dubai!

Why do you need it? This is where you will plant your seeds of seduction – where you will promote your give-away, and where your victims will understand why it is so important to give you their e-mail address for free – no strings attached!

So, now you got a group on Facebook. Time to use it!

 

4. Add a prize!

When you want something, you should always offer something. The bigger, and more realistic, the prize, the better it is! Here is one example:

Image: The teaser!

Yes, I noted "more realistic" above, I know… But – the purpose is to offer something that is realistic to your victims – and they are not as smart as you are, obviously. Thus, this one counts as realistic.

And, unless you really want to do so, there is no need to actually give away the prize. I would strongly suggest you do NOT give it away, and use it yourself instead. Or spend your cash on something else. Your victims will never know they did not win.

Period.

 

5. Ask for something simple/cheap compared to the prize

By asking for something that is perceived as not dangerous to give you – like an e-mail address – you are more likely to succeed. But we do know that almost anyone will be happy to share their favourite password if you give them a chocolate, so do as you like. On the other hand, once you have the e-mail address, you have plenty of opportunity to ask for more later on too.

 

So go ahead and ask for it! Make sure you add your collecting e-mail box where they can send their request for the prize, giving away their name and e-mail. Put it out there – like this:

And voilà – now you have a large number of e-mail addresses available. Addresses you can use to send nice offers of pills, travel and other stuff your customers pay you to offer to your list!

 

6. Collect and use

Now that you have a large number of e-mails in your account, it is time to download them and put them to work. By installing any kind of e-mail harvesting tool on your e-mail client (many are available, find your favourite), you are able to take the e-mail addresses and their corresponding names from your inbox into a database tool.

And as e-mails keep coming in, your database grows. High quality e-mails with real people on the other side. A great value to spammers.

So start selling it to the highest bidder!

And if someone complains about getting spam? Well, that is not what you are doing, of course. You only provide your customers with fresh e-mail addresses with real people on the receiving side!

The emails are collected, and you may now use them to send out outrageous offers of pills, lottery winnings and other nice-to-have stuff. But, why stop there?

Get back tomorrow to read about how to build a complete profile of your targets! That part is a Bonus – where I tell you how to collect more than only the e-mail and name of your victims – where I tell you how you can build a full profile of your victim!

Live skin fingerprint scanner

Image: Live skin scanner

This new thumbdrive/memory stick/flash pen (choose or add your preferred name) offers a fingerprint scanner. A scanner that looks for live skin, something that is claimed to increase accuracy, and allows you to use dirty fingers and still get access.

The only downside is that now I can no longer cut off your fingers to gain access to your data. I need you alive and kicking at my side...

Facebook open to ID-theft

Facebook (and a number of other platforms in the Social Networking revolution) enables great minds to do great things. Many of us use these services on a regular basis (daily, hourly, or even every moment of the waking hours).

I for one am a huge fan of networking, and using networking sites enables me to communicate and stay in touch with old and new contacts easily. On the other hand, I recognize the security challenges - namely the ID-theft and the social engineering (SE) possibilities that are enabled through such services.

One of the messages I try to convey in speeches and trainings is the threat that Facebook Apps may pose. Granting an application access to your profile automatically enables that application to harvest a huge amount of data about you and your friends. Now, most applications are "for real" - thus doing only the thing they claim to do. Still, imagine a business manager sitting on tens of thousands of users and their data, in need of money. It would be extremely easy to use the data already harvested, as well as rewrite the application to be more aggressive in its harvesting.

The other scenario is malicious apps appearing cool and fun and a "must have". These apps would offer you a service (chocolate) as a killer app - something you just have to have. And you would invite all your friends to use it too. By offering the coolest, it will become popular, and thus the road is open to harvest and use information. Information that you would normally share only with friends.

---

Enter the Social Engineer. He uses the information about you, collates it with other info shared on other sites, creating a complete profile of you, your interests, your family, friends, co-workers, neighbors and so forth.

Perhaps one day he bumps into you at the local mall. Or calls you because "someone said that you could be interested in ..."

Having a complete profile of you, he (she) would know all the answers, and thrill you into doing anything. Given enough time, and a valuable target, there are no limits to what can be achieved. 

---

Given this outlook - perhaps it is best to continue as before - in ignorance. Hoping that "it will never happen to me".  

---

I gotta run.

Just got this incredible, almost unbelievable, opportunity! This complete stranger called me out of nowhere!

See you in a bit!  

---

Ka-zing. 

---

(Thanks to Liquidmatrix / Dave Lewis. And man, do I love that cartoon!)

The probability of risk

Following this Security Mindset post by Bruce Schneier, Alex Hutton adds some very insightful thoughts.

Where Bruce focuses on "is it possible" and "how can I do that", Alex adds probability to the equation. "Yes, it is possible, but how probable is it?"

I am a great fan of Alex, and reading this post and his replies to the comments reminds me why!  

House of hackers - a new community

Gnucitizen established a new community project called House of Hackers. The purpose is to create an area that will

"...support the hacker culture, mindset, way of life, ideologies, political views, vision, etc."

If you are into hacking, and interested in keeping up with the community, I suggest you pop over and take a look.

Airport evacuated!! Hand grenade found in luggage!

Just a few hours ago, the Tromsø airport in Norway was evacuated due to a hand grenade found in the luggage (Norwegian link).

The hand grenade was found in the hand luggage of a passenger moving through security. I can only imagine the eyes of the security clerk who discovered it.

Eyes Wide Open comes to mind. Certainly, the Big Red Button was very close indeed.

ALARM!

The whole airport was evacuated, secured and shut down.

Only to be reopened 25 minutes later, when the grenade was discovered to be a belt buckle!

I have a feeling that the security clerk would wish to move forward and dismiss this event as an error. I for one will go on and order a couple of belts. Imagine the disorder to be created if these buckles keep trying to enter airports around the world!

Obviously, when it becomes customary to wear and carry grenade look-alikes as belt buckles, it will be much easier to bring actual grenades hidden as a buckle. So, sometime soon, I predict the politicians will enforce a

"No Grenade look-a-like Belt Buckles allowed on Airports!"

 

---

Edit: Just read about the complete opposite experience at the Digital Soapbox! Thanks, Rafal! 

Low-tech subway sabotage

Yesterday, the subway system in Oslo was put out of order by way of a low-tech sabotage.

Tens of thousands of commuters were delayed for hours - all due to a person throwing a bicycle directly onto the electrical power tracks at Majorstua station.

What makes this interesting?

Two things IMO.

  • It does not take high-tech attacks to bring high-tech to a halt. From this we can learn that you also need to consider low-level, low-tech incidents when you do your risk assessment and planning.
  • The crisis response team acted quickly and efficiently - using a well prepared contingency plan - reducing the impact on business, and reducing the delays for the travelers. From this we learn that having a crisis team and a contingency plan is key to success.


The blogger is Kai Roer. He has dealt with communication and the Internet since 1994. Taking part in projects all over Europe, Mr. Roer is a renowned resource on information security, communication and security in general. As a management consultant, author and speaker, Mr. Roer has helped many a client.
