exploit

ID theft – Facebook and MSN exploited

Earlier this week, I received a new wall post on my Facebook profile. Now, I do not use Facebook a lot – I mainly maintain a small network to test and research this trend – so receiving a wall post was kinda fun.

Except – this particular post was written in English, by a Norwegian. Further, the message pointed to a service I had a very hard time imagining that my contact would be promoting.

The spam message

Yes, yes, I know, I am a bit too paranoid!

Anyway, I contacted my friend, and as I suspected, she had not posted this – or the 150 other messages posted to her contacts. I started to poke around a bit, and pretty soon she admitted that she had experienced other strange episodes lately.

One of the other signs was that when she was on MSN, MSN would disconnect her, stating that she was being logged on using a different computer. Unlike some of us, she only had one computer she used for this.

I started to suspect that a key logger or other spyware had infected her computer, and made sure that she changed her log on details (username and passwords) on all the services she uses – and that she did so from a different computer.

The next step now is to reformat and reinstall the OS and applications – just to make sure that any software that may have been hidden is gone for good. Did I mention I am paranoid?

I also told her to go to the police – not because I think they can do anything about this event – but to make sure the event ends up in the statistics.

She may have picked up the key logger while browsing the net. She might have got it through a download – or by an email from a friend. Or by a large number of other means available to hackers. She might also have left her credentials while using her friend's computer.

It does not really matter in this case. What does matter is her statement when I started to ask about the spam message on Facebook:

“I received reactions from my other contacts too – and I told them I had not done it. I thought it was just a system error, and wasted no more time considering it”.

(Emphasized by me)

And here we have the base of the challenge – normal users are not able to tell a threat from an error. Heck, sometimes us pros have problems with the very same challenge! And as threats evolve and get better at hiding, the harder it gets to know for sure.

I remember reading about this a while back – how all the errors in IT-systems have taught users that when unexpected things happen, it is just an error. Just restart and get on with it. (Please provide link if you know the story – I am unable to find it…).

And the result today is that when you do not understand what is going on with the computer, you just write it off as a “system error”, and get back to what you were doing.

We spend a large amount of time teaching users how to deal with security. But if we are not able to teach them the difference between a system error and a plain security threat – how can we ever expect to succeed?

Setting up your security lab

Many of my readers are curious about hacking, testing and the ins and outs of setting up a security testing facility.

So here goes a nice white paper authored by Harry Bulbrook at the Durham Technical Community College, explaining how to set up a secure lab for testing and learning. It is a year old, but it is still a great resource that enables you to easily set up and maintain your lab without interfering with your production network.

14 year old girl stripping on webcam

I have strong feelings against abuse. And when I see young people falling for simple tricks and ending up as victims, I have to speak up.

The Internet has revolutionized the way we communicate and how we network between people. I should know, I use tools like LinkedIn, Xing and Facebook actively. In a market there will always be companies that push the line. In Norway, one such site is Camfight / Penest.no, which I have covered in the past.

Last week, a girl was featured on national TV. Her story is as follows:

When she was 14, she met a guy on the Internet. The boy was a couple of years older, and convinced her to strip for him on webcam. The girl was in love, and believed him to be too. She obeyed his request.

As soon as the stripping was done, the boy ended all contact. Some time later, the video with the girl stripping showed up on the Internet. Without her consent.

Her friend turned their back to her, and she ended up having to relocate and change her name.

As tragic as this is, these kinds of stories are only starting to surface. When you are young, you do not have the experience, knowledge and understanding necessary to safely use the technology. He*k, many adults lack the very same requirements.

To add to the experience, "Line" got no support from her school nor from the police.

I believe that this serves to show how vulnerable young people are, and how wrong things can end up. It never pays to be naive. And when in doubt, say NO!

Make security a priority when making a new website!

The Gen-Y has taken over the Internet. They are moving on to Web 2.0. Interaction, sharing and taking part is more important than quality control and security considerations.

The latest addition is Reddit - the link-sharing website where you can promote your own content, and have potentially millions of readers value it. If you are lucky, your story makes it to the top.


The blogger is Kai Roer, a European Information security professional.
