Bit.ly Fantasizes of Combating Twitter Scams

Copyright © What The Hell? Security

If you believe that Bit.ly is going to solve their shortened URL problem the way they intend to, have I got a story for you.

[Sidebar:  It's completely safe to click on those links in the previous paragraph.  If you don't believe me, click on "View -> Page Source" in your browser's menu bar and read the HTML for yourself.  Line 237, give or take.  Where it says <A HREF= ... well, never mind.  It's complicated.]

So I had this great money-making idea the other day.  It required an accomplice, so I recruited my good friend Felonious Link. You may have heard of him — the heir apparent of the Anchor Tag fortune.  He obviously doesn’t need the money, but what the hell, he owed me a favor.

Link and I make a good team.  Whereas I’m a pathological liar, Link is one crafty sonofabitch.  First off, he’s a real mealymouth.  Ask him a complicated question and he’ll usually do something lame like point here.  And while you can usually count on him to tell enough of the truth that it qualifies, from time to time he’ll slip you a real mickey.  The kind, by the time he’s done, that makes canceling your 30% APR Visa seem more compelling than it already is.

The scam was absurdly simple.  Like shooting phish over at barrel.com.  All I did was have Link draw up a bunch of signs and hang them on busy street corners.  They read “Brand new shortcut to your bank!  Follow this arrow!”

Here’s where it gets tricky.  The arrows <snigger> all pointed to the drive-up window at the abandoned Fraudburger restaurant, which I’d tricked out to look just like a real bank’s drive-up window.  I’m talking complete with lollipops and dog biscuits.  The cars lined up for blocks to do business with me.

Wait — if you think that’s funny, wait until you hear how the banks responded.  Instead of hiring companies to hang truthful signs around town, they hired ones that go around scribbling “We warn against following this arrow!” on top of mine!  Can you believe it?  Yeah, so can I.  Those sign-scribbling companies have freaking amazing marketing departments.

But lucky for me nobody has caught on yet.  I mean, think about it.  Each day they focus on my bad directions is a day they don’t focus on their good directions.  I’m pretty sure I can keep them distracted for years.  Hell, if the sign scribblers keep at it, I just might pull off another fifteen!   Gawd forbid they ever figure out that the Web needs a way to publish truthful links…

Blocking Dirty Bits Not As Good As Identifying Good Bits

Copyright © LJH

John Pescatore makes a point about warning vs. blocking bad links.  But here’s the thing about links:  We’re thinking about them all wrong.

Now, of course there are bad links.  They end up on blacklists.  Let’s pretend they’re more than marginally useful.  (If you take issue with that statement, go make friends with somebody in the blacklist business and ask them.)  Bad links aren’t the problem.  Not the one I’m addressing here, I mean.

The problem is the way we think about all the other links.  You know, the complement to the bad links.  Not all of which are good.  Only we treat them all as good by virtue of keeping them off blacklists.  Get it?

What’s missing is a whitelist.  But not the kind of whitelist we’re used to thinking about, like the one that confines your kid to age appropriate sites.  The kind that:

  • confines itself to the links that matter.  Meaning, by and large, those pertaining to commerce
  • brokers facts, not supposition.  Blacklists are chock full of URLs that have been deduced as dangerous.  For anything new that surfaces, we’re never quite sure unless an expert trained in the art proclaims it so
  • is sanctioned by a trustworthy entity whose business it is to sanction

Said another way, what we need is a certified whitelist for commerce. One that complements, not unseats, blacklists.  In thinking about it this way, we end up with a trifecta classification system:  the bad, the good, and the fraud neutral.

Now that would be useful.
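One way to turn that trifecta into code, as an added example that is not from the original post: a small Python classifier that checks a link against a blacklist (a listed domain and everything under it) and a certified whitelist (one exact scheme and host, nothing looser), and puts everything else in the fraud-neutral bucket.  The list contents and the URLs it is run on are constructed for illustration, not real listings.

```python
from urllib.parse import urlsplit

# Constructed sample lists for this example; hypothetical names, not real
# entries from any blacklist or certification service.
BLACKLIST = {"fraudburger.example", "login-secure-bank.example.net"}

# A certified whitelist is a statement about one exact destination, so it is
# keyed by (scheme, host).  Certifying https on www.bank.example says nothing
# about http on the same host, nor about any other host that merely contains it.
WHITELIST = {("https", "www.bank.example"), ("https", "shop.example")}


def scheme_and_host(url):
    """Return the lowercased scheme and host of a URL ("" if it has no host)."""
    parts = urlsplit(url)
    # .hostname drops userinfo and port, so "https://www.bank.example@evil.test/"
    # yields "evil.test", not the bank.  A trailing dot is the same host.
    host = (parts.hostname or "").lower().rstrip(".")
    return parts.scheme.lower(), host


def classify(url):
    """Classify a link as 'bad', 'good', or 'neutral' (the fraud-neutral bucket)."""
    scheme, host = scheme_and_host(url)
    if not host:
        return "neutral"  # mailto:, javascript:, relative links: nothing to vouch for

    # Blacklist first: a listed domain taints every subdomain under it, and a
    # certified site that later lands on a blacklist should lose its green light.
    for bad in BLACKLIST:
        if host == bad or host.endswith("." + bad):
            return "bad"

    # Whitelist is exact: no suffix, substring, or scheme-insensitive matching.
    # Anything looser lets www.bank.example.evil.test, an http downgrade, or a
    # lookalike host with a non-ASCII letter borrow the bank's certification.
    if (scheme, host) in WHITELIST:
        return "good"

    return "neutral"


if __name__ == "__main__":
    # Constructed sample links.
    samples = [
        "https://www.bank.example/login",
        "http://www.bank.example/login",
        "https://www.bank.example.evil.test/",
        "https://www.bank.example@evil.test/",
        "https://drive-up.fraudburger.example/",
        "https://fraudburger.example.com/",
        "mailto:someone@shop.example",
    ]
    for link in samples:
        print(f"{classify(link):8} {link}")
```

Note that only one of the seven sample links comes out "good"; every other non-blacklisted link is merely neutral, which is exactly the distinction the post says we are missing.  A real certified list would also need to be signed by the sanctioning entity and carry an expiry, so the "good" answer is about now and not about the last time somebody looked.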

Where The Hell Is The What The Hell?

Copyright © What The Hell? Security

Where the hell is the What The Hell?  Meaning the What The Hell? that used to lead the headline of each post.

Anyway, that’s where it is.  And I hope you get what I mean, because there’s no way in hell I’m going to redundantly explain my erstwhile titular redundance.

What The Hell? Phishing & Malware Misdiagnosis P2

Copyright © LJH

Referring to my previous post, here is the skinny on my Anti-Fraudulent Hot Dog Vendor Detector.

Well, hold on. I’m up to Version 2.0. Before I describe that, I really should explain Version 1.0. Here’s a theoretical average day in its life.  Bear with me, there’s actually something to be learned.

  • 100 people walk past the fraudulent vendor’s hot dog cart
  • 42 buy the bait
  • 4 have their card numbers pilfered
  • 0.2 notice strange charges on their next bill
  • 0.06 bother to report it to their fraudulent hot dog vendor detective (me)
  • After 33.3 business days I discern a solid pattern of 2 reports from my clientele, so I mention it to the neighborhood beat cop
  • After 66.6 business days, the beat cop discerns a solid pattern of 2 reports from me, so he starts warning hungry-looking pedestrians

Believe it or not, this service was so effective that unimaginative copycats started coming out of the woodwork.  What the hell?  This left me no choice but to release Version 2.0, which has the following benefits over Version 1.0:

  • this space intentionally left blank

See, a Fraudulent Hot Dog Vendor Detector can only get so good.  No matter how fast it gets at detecting bad guys, they always win by definition.   You can’t detect something that hasn’t happened.  At least as it pertains to hot dogs, as one of Heisenberg’s sadly overlooked corollaries makes clear.

What hot dog eating pedestrians would really benefit from is a drop-dead simple way to identify which hot dog vendors are legitimate before they take the bait.  And what online pedestrians would really benefit from is a drop-dead simple way to identify which links and forms have legitimate destinations before they click.

Yeah, I know what you’re thinking.  SiteAdvisor does that, right?  Let’s just say that their green checkmarks are not what they appear to be.  They’re derived from — get this — a blacklist they compile from scouring Web content.  Blackish-green they are.  They don’t tell you what’s without a doubt legitimate at this very moment.  They tell you with plenty of doubt what they surmised was not bad the last time they looked.

Is it time to blacklist blacklists?  Not really.  But it is time to knock them off their pedestal and let gravity do what gravity does.

What The Hell? Spike in Phishing & Malware Misdiagnosis

Copyright © LJH

What the hell? We have it all wrong again.

Listen up everybody. This isn’t about Facebook.

It’s like this. Consider the crime of stealing a credit card number in two scenarios, one offline and one online:

 

                  Offline                          Online
  Victim          Street Pedestrian                Online Pedestrian
  Perpetrator     Fraudulent Hot Dog Vendor*       Fraudulent HTML Author
  Scene           Street Corner                    Any Website
  Bait            Hot Dog                          Link or Form
  Innocent Act    Handing Over Card                Clicking
  Criminal Act    e.g. Sell copies of charge       e.g. Install keylogger and
                  slips to buddy                   capture card number
  Heartburn Type  Gastric, Financial               Financial
                  (order can vary)

*Fraudulent vendor who sells legitimate hot dogs.  Not to be confused with legitimate vendor who sells fraudulent hot dogs.  That’s a whole different crime.

In the sequence of events, the only place to really solve this problem is between smelling the bait and performing the innocent act. Right? Right?

So allow me to announce my shiny new patent-pending Anti-Fraudulent Hot Dog Vendor Detector Method and Apparatus.  The features of which I describe in my next entry.

Where the hell is Ron Popeil when you need him?

What The Hell? Web Security Is(n’t) About The Web…Not!

Copyright © 2009 LJH

It’s easy to jump to conclusions.  I illustrated this to my youngest, who are twins, when they were five.

[Sidebar:  I wanted to do this when they were four.  But that being the year they learned that racehorses used to end their careers in glue bottles, I figured it was in everybody's best interest to hold off a year.]

    Me (high energy): Hey kids – what’s corn oil made of?
    Them (suddenly interested): Corn!
    Me: Good!  And what’s peanut oil made of?
    Them: Peanuts!
    Me: Right!  And what’s baby oil made of?
    Them: Babies…hey Mom, Dad is teasing us again!

But they got the point.  Knowing that good dadhood equals good managerhood, I figured I’d try my luck at work the next day.

    Me (high energy): Hey staff – what’s operating system security made of?
    Them (suddenly interested): Operating systems!
    Me: Good!  And what’s network security made of?
    Them: Networks!
    Me: Right!  And what’s Web security made of?
    Them: Web…hey CEO, Boss is teasing us again!

Silly me.  I mean, we all know that Web security is made up of SQL injections and cross-site scripting and hostile JavaScript and stuff like that.  Not of Web.  Right?  Right?

Not so fast.  OWASP rightly calls out those problems as Web Application Security issues.  Not Web Platform Security issues.  Web Platform Security issues, if we admitted they existed, would pertain to…well…the Web platform.  The cornerstone of which is hypertext.  The security of which is non-existent.

Hypertext Sand

See where I’m going with this?   Here:  Hypertext Sand cannot support the weight of Trillion-Pound Savings & Mall.

Which leaves us with three options:

  1. Shore up the sand, or
  2. Try a different building, or
  3. Abandon the marketplace altogether

Number three is a dumb idea of course; that would be throwing the shopping cart out with the bankwater.  Number two is nearly as dumb; non-Internet consumer services like AOL and MSN had to jump on the Internet bandwagon in the mid 90’s just to survive, and those that didn’t will be unearthed in sixty million years as fossil fuel.

That leaves number one: shoring up the sand.   Security-enhanced hypertext: the wave of the Web future.

What The Hell? Give ‘Em the Security ROI Finger

Copyright © 2009 LJH

My previous entry likened security to an opposable thumb on the hand of reliability.

This metaphor is also helpful when somebody asks you the dreaded “So, what’s the ROI on security?”  Just hold up your palm and say “20% of this.”

And if it’s your CFO asking, be sure to point out which finger you don’t mean.

What The Hell? Security is All Thumbs!

Copyright © 2009 LJH

Here’s a perspective on security that always nets the biggest win:  Don’t objectify it. If you’re looking for five digits, odds are you really want a hand.

Security, forever the opposable thumb, is indeed separable from the hand of reliability.  (It’s also what distinguishes our software from that of non-primates…but I digress.)  Separable from its neighboring four fingers of availability, scalability, performability and resilience.

Naturally, a grafted thumb forever impairs the hand.

What The Hell? The Web Isn’t Supposed To Be Secure!

Copyright © 2009 LJH

There’s a really good reason that Web security is such a pain. It’s not supposed to be secure.

Sorry to break it to you, but hypertext was thirty years old before we decided to use the Web as a platform for commerce.  That’s, what, three years longer than the span between the launches of MS-DOS 1.0 and Windows 7.

Plenty of time to work out a few security kinks, if there were any.  But there aren’t, because security was out of scope when hypertext was designed.  As it remained when the Web was designed.  As it remains today.

So what happens when you run a multi-trillion dollar marketplace atop an insecure platform?  Phishing is what happens.  Drive-by malware.  Fraud.

When you think about it, if there’s anything remarkable about Web fraud, it’s that we experience as little of it as we do.

What The Hell? 8 Skills of the Hellacious CISO

Copyright © 2009 LJH

CISOs, let’s face it, are a dry breed.  But some really know how to raise hell.  In a good way.  Here are eight skills to, ahem, emulate.

1. Abate – The bad rep security has among people who like to deliver projects on time.

2. Automate – In-house.  Because some problems, vendors just can’t solve.

3. Delineate – Isn’t afraid to say “Improving the security of  _____, while desirable, is admittedly beyond the scope of this project.”

4. Disappropriate – Surrenders a slice of the security budget for the greater good.

5. Elucidate – Pick a policy.  Any policy.  Unhesitatingly rattles off the business driver behind it — without uttering the word security.

6. Pollinate – Exports a security engineer to the networking team.  Imports a database engineer to the security team.  Antonym of Isolate.

7. Resonate – Promotes the flavor of security that blends with the established grain of the business.  Antonym of Intimidate.

8. Violate – Occasionally does this to a security policy when it just makes sense to.