Social Engineering

Cyberbullying, anonymity, and censorship

Michael Den Tandt’s recent column in the Vancouver Sun is rather a melange, and deserves to have a number of points addressed separately.

First, it is true that the behaviours the “cyberbullying” bill address, those of spreading malicious and false information widely, generally using anonymous or misleading identities, do sound suspiciously close to those behaviours in which politicians engage themselves.  It might be ironic if the politicians got charged under the act.

Secondly, whether bill C-13 is just a thinly veiled re-introduction of the reviled C-30 is an open question.  (As one who works with forensic linguistics, I’d tend to side with those who say that the changes in the bill are primarily cosmetic: minimal changes intended to address the most vociferous objections, without seriously modifying the underlying intent.)

However, Den Tandt closes with an insistence that we need to address the issue of online anonymity.  Removing anonymity from the net has both good points and bad, and it may be that the evil consequences would outweigh the benefits.  (I would have thought that a journalist would have been aware of the importance of anonymous sources of reporting.)

More importantly, this appeal for the banning of anonymity betrays an ignorance of the inherent nature of networked communitcation.  The Internet, and related technologies, have so great an influence on our lives that it is important to know what can, and can’t, be done with it.

The Internet is not a telephone company, where the central office installs all the wires and knows at least where (and therefore likely who) a call came from.  The net is based on technology whish is designed, from the ground up, in such a way that anyone, with any device, can connect to the nearest available source, and have the network, automatically, pass information to or from the relevant person or site.

The fundamental technology that connects the Internet, the Web, social media, and pretty much everything else that is seen as “digital” these days, is not a simple lookup table at a central office.  It is a complex interrelationship of prototcols, servers, and programs that are built to allow anyone to communicate with anyone, without needing to prove your identity or authorization.  Therefore, nobody has the ability to prevent any communication.

There are, currently, a number of proposals to “require” all communications to be identified, or all users to have an identity, or prevent anyone without an authenticated identity from using the Internet.  Any such proposals will ultimately fail, since they ignore the inherent foundational nature of the net.  People can voluntarily participate in such programs–but those people probably wouldn’t have engaged in cyberbullying in any case.

John Gilmore, one of the people who built the basics of the Internet, famously stated that “the Internet interprets censorship as damage and routes around it.”  This fact allows those under oppressive regimes to communicate with the rest of the world–but it also means that pornography and hate speech can’t be prevented.  The price of reasonable commuincations is constant vigilance and taking the time to build awareness.  A wish for a technical or legal shortcut that will be a magic pill and “fix” everything is doomed to fail.

CyberSec Tips: Email – Spam – Phishing – example 3 – credit checks

A lot of online security and anti-fraud checklists will tell you to check your credit rating with the credit rating reporting companies.  This is a good idea, and, under certain conditions, you can often get such reports free of charge from the ratings companies.

However, you should never get involved with the promises of credit reports that come via spam.

Oddly, these credit report spam messages have very little content, other than a URL, or possibly a URL and some extra text (which usually doesn’t display) meant only to confuse the matter and get by spam filters.  There are lots of these messages: today I got five in only one of my accounts.

I checked one out, very carefully.  The reason to be careful is that you have no idea what is at the end of that URL.  It could be a sales pitch.  It could be an attempt to defraud you.  It could be “drive-by” malware.  In the case I tested, it redirected through four different sites before finally displaying something.  Those four different sites could simply be there to make it harder to trace the spammers and fraudsters, but more likely they were each trying something: registering the fact that my email address was valid (and that there was a live “sucker” attached to it, worth attempting to defraud), installing malware, checking the software and services installed on my computer, and so forth.

It ended up at a site listing a number of financial services.  The domain was “simply-finances.com.”  One indication that this is fraudulent is that the ownership of this domain name is deeply buried.  It appears to be registered through GoDaddy, which makes it hard to check out with a normal “whois” request: you have to go to GoDaddy themselves to get any information.  Once there you find that it is registered through another company called Domains By Proxy, who exist solely to hide the ownership of domains.  Highly suspicious, and no reputable financial company would operate in such a fashion.

The credit rating link sent me to a domain called “transunion.ca.”  The .ca would indicate that this was for credit reporting in Canada, which makes sense, as that is where I live.  (One of the redirection sites probably figured that out, and passed the information along.)  However, that domain is registered to someone in Chicago.  Therefore, it’s probably fraud: why would someone in Chicago have any insight on contacts for credit reporting for Canadians?

It’s probably fraudulent in any case.  What I landed on was an offer to set me up for a service which, for $17 per month, would generate credit ratings reports.  And, of course, it’s asking for lots of information about me, definitely enough to start identity theft.  There is no way I am signing up for this service.

Again, checking out your own credit rating is probably a good idea, although it has to be done regularly, and it only really detects fraud after the fact.  But going through offers via spam is an incredibly bad idea.

CyberSec Tips: Follow the rules – and advice

A recent story (actually based on one from several years ago) has pointed out that, for years, the launch codes for nuclear missiles were all set to 00000000.  (Not quite true: a safety lock was set that way.)

Besides the thrill value of the headline, there is an important point buried in the story.  Security policies, rules, and procedures are usually developed for a reason.  In this case, given the importance of nuclear weapons, there is a very real risk from a disgruntled insider, or even simple error.  The safety lock was added to the system in order to reduce that risk.  And immediately circumvented by people who didn’t think it necessary.

I used to get asked, a lot, for help with malware infestations, by friends and family.  I don’t get asked much anymore.  I’ve given them simple advice on how to reduce the risk.  Some have taken that advice, and don;t get hit.  A large number of others don’t ask because they know I will ask if they’ve followed the advice, and they haven’t.

Security rules are usually developed for a reason, after a fair amount of thought.  This means you don’t have to know about security, you just have to follow the rules.  You may not know the reason, but the rules are actually there to keep you safe.  It’s a good idea to follow them.

 

(There is a second point to make here, addressed not to the general public but to the professional security crowd.  Put the thought in when you make the rules.  Don’t make stupid rules just for the sake of rules.  That encourages people to break the stupid rules.  And the necessity of breaking the stupid rules encourages people to break all the rules …)

CyberSec Tips: Email – Spam – Fraud – example 4

Sometimes it’s pretty easy to tell a fraud.  Some of these guys are just lazy:

> From:               “PINILLA, KARINA” <pinillak@friscoisd.org>
> Subject:
> Date sent:          Mon, 2 Dec 2013 22:05:05 +0000

> Do you want your X-mas money and bonus for gift,if Yes contact me at this email:
> david.loanfinancialcomany12@gmail.com

You don’t know this person.  No subject for the message.  No explanation of why they are going to give you money.  (Although the name chosen for the email would seem to indicate that they want to emulate a pay-day loan company–which are pretty much rip-offs anyway.)  Poor grammar and spelling.

A while back someone seriously theorized that this lack of care might be deliberate.  Only stupid people would fall for a “come-on” like this, and it would be easier to defraud stupid people.  Unfortunately, as the song says, the world is full of stupid people …