Haiti Relief Scams

February 5th, 2010

It’s been a while since I talked about Haiti.

First of all, I’m delighted to report that Jeff’s father turned up very much alive.

Less happily, Tom Kelchner of Sunbelt has flagged a story in USA Today that claims that more than 170 complaints have been received by federal law enforcement agencies relating to earthquake relief scams. Scams specifically mentioned include:

  • SEO poisoning directing search-engine users towards sites laced with rogue anti-malware
  • Door-to-door collectors for fake charities
  • 419-type emails from alleged victims or officials
  • SMS scams where text messages invite potential victims to ring a number to get more misinformation
  • Similar scams using social networking sites such as Twitter and Facebook
  • Fraudulent charity web sites

One fake charity I found particularly galling, as a Brit, was the one that claimed to be a British affiliate of the American Red Cross. Come on, guys, we’ve had our very own Red Cross since 1870 (some years before the foundation of the American Red Cross), though it wasn’t called the British Red Cross Society until 1905. Of course, there’s no particular reason why most Americans should know about the British Red Cross as a matter of general knowledge, but this does illustrate the importance of checking the validity of a charitable organization before you contribute to it. And even where the charity is real, you also need to be sure that the collection mechanism is genuine!

USA Today recommends Charity Navigator (http://www.charitynavigator.org/) and the American Institute of Philanthropy (http://www.charitywatch.org) as a means of checking the charitable status of an organization.

David Harley FBCS CITP CISSP
Security Author/Consultant at Small Blue-Green World
Chief Operations Officer, AVIEN
ESET Research Fellow & Director of Malware Intelligence

Also blogging at:
http://www.eset.com/threat-center/blog
http://smallbluegreenblog.wordpress.com/
http://blogs.securiteam.com
http://blog.isc2.org/
http://dharley.wordpress.com
http://macviruscom.wordpress.com

Happy Birthday Dear Mikko…

January 30th, 2010

Actually, I don’t know when Mikko Hypponen’s own birthday is, but the F-Secure blog is six years old today (the first AV vendor blog onto the scene).

Makes me feel like a raw beginner. ;-) Though in fact, I was publishing alerts and advisories on an NHS (internal) web site in a blog-like format a year or two earlier, I think. This was before I joined the AV industry, of course (the NHS is the UK’s National Health Service). However, even the earliest F-Secure blogs (http://bit.ly/cOvLLL) look a lot more professional than those. In my first couple of years at the NHS, I had to generate an advisory in an approved format, generate a PDF, then pass it on to someone else to post it onto a web server. That, of course, was hardly real-time. If there was no-one around to do it or they were really busy, it might take days or even a week or two. Which was a bit of a problem at a time when fast-burning mass-mailers and virus hoaxes could come out of nowhere and pass through the mail systems like wildfire.

In my previous job, I used to generate text files that people could access via a shell script calling lynx from the Unix command line, accessed from PCs and Macs using telnet or kermit for terminal emulation. Happily, technology has moved on.

Sandbox? We used to dream of living in a sandbox.

David Harley FBCS CITP CISSP
Security Author/Consultant at Small Blue-Green World
Chief Operations Officer, AVIEN
ESET Research Fellow & Director of Malware Intelligence

Educating the CIO

January 27th, 2010

Useful and lengthy comment from Rob Rosenberger added to my blog at http://avien.net/blog/?p=368.

Also a pointer to a Vmyths article from 2005 that may bring back some unhappy memories for some of us…

David Harley FBCS CITP CISSP
Chief Operations Officer, AVIEN
Director of Malware Intelligence, ESET

Unnamed App Facebook Hoax/Scam

January 27th, 2010

Flagged by Peter Kruse on a specialist list.

A hoax is circulating on Facebook, warning about a virus that is supposed to add an “Unnamed App” to the FB tabs.

Black-hat SEO, though, actually drives the incautious Googler who searches for the term towards fake AV.

I blogged this at some length at ESET, so I won’t repeat it all here.

http://www.eset.com/threat-center/blog/2010/01/27/unnamed-app-facebook-hoax

David Harley FBCS CITP CISSP
Chief Operations Officer, AVIEN
Director of Malware Intelligence, ESET

2nd Security Blogger Summit

January 25th, 2010

This is an interesting event (of which I only became aware yesterday – thanks, Julio!) taking place in Madrid on 4th February. See:

http://www.securitybloggersummit.com/ 

(It’s in Spanish, but there are plenty of translation tools around nowadays to help with that for non-Spanish speakers.)

Although Panda is organizing the event, the company is being scrupulous about keeping it vendor neutral, so I won’t be attending this one, unfortunately (it looks really interesting).

The thought did occur to me, though, that a forum where independent security bloggers, industry bloggers and the media could discuss issues and approaches would be a Good Thing: a sort of AMTSO for bloggers.

Randy Abrams and I put together a paper for AVAR last year on “practical, strategic and ethical issues that arise when the security industry augments its marketing role by taking civic responsibility for the education of the community as a whole” that seems quite relevant to that thought.

http://preview.tinyurl.com/ylfu3e6

Maybe I need to revisit it.

David Harley FBCS CITP CISSP
Chief Operations Officer, AVIEN
Director of Malware Intelligence, ESET

Win32/Zimuse

January 22nd, 2010

Not a Conficker-sized issue, but interesting:

http://www.eset.com/threat-center/blog/2010/01/22/bemused-by-zimuse-dis-is-not-one-half

http://www.eset.eu/press-computer-worldwide-targetted-by-MBR-Worm

David Harley FBCS CITP CISSP
Chief Operations Officer, AVIEN
Director of Malware Intelligence, ESET

Who Will Educate the Educators?

January 22nd, 2010

@vmyths, otherwise known as Rob Rosenberger, notes on Twitter that

“3doz firms THAT EMPLOY COMPUTER SECURITY EXPERTS got whacked in a zero-day attack. How about some “education” for THEM, eh?”

Well, “computer security experts” is a somewhat fuzzy term, and a little pejorative: when the media use it, they usually mean themselves, or the company that supplied the press release they’re recycling. When they actually mean computer security professionals, it’s usually in the sense of “so-called security experts who can’t see what is absolutely clear to any right-thinking journalists.” A somewhat similar mindset, perhaps, to those denizens of Security-Basics who believe that anyone who has letters after his name has to be a blithering idiot with no actual security experience. No, I’m not getting into that argument again…

But let’s assume that Rob means the same group that I probably would, if I couldn’t avoid using the term: information security professionals not necessarily working within the security industry. (I know there sometimes seem to be far too many of us who are in the industry, but most of us are OK, honestly.)

A group, in fact, rather like the subscribers to the first incarnation of AVIEN: people with a wide range of job titles, skill sets and responsibilities, from independent researchers to experienced managers and system administrators to people who suddenly found themselves landed with (some) security responsibility for their company. (Yeah, me too…)

Well, it’s true: if you’re going to make people responsible for security, you do need to ensure that they already have some experience and training, or that they at least receive some training to jumpstart them into the role. Especially if, like me, you believe that part of the security professional role is to take some responsibility for the education of others. (Yes, I know that there’s a sizeable section of the security community that believes there’s no mileage in trying to educate the end-user - http://www.eset.com/download/whitepapers/People_Patching.pdf - but I’m not getting into that argument right now, either.)

Before we start blaming everything (yet again) on lazy, incompetent, uneducated security experts though (and hopefully that isn’t what Rob meant), let’s remind ourselves of a few pertinent facts.

  • As my colleague Aryeh Goretsky has pointed out, banks with security guards are not immune to bank robberies. “Mitigation of risk != elimination in its entirety.”
  • When a company hires security professionals, it doesn’t necessarily mean it listens to those professionals. Especially when listening to their advice entails spending significant sums that could be better spent on upgrading the catering on the Executive floor.
  • The corollary to assuming that employing security professionals (even competent individuals with exemplary support from the Boardroom) is enough to eliminate risk, is that if some malicious actor does get through, someone has “failed” and needs to be fired. That’s just lazy thinking: not so different to giving the bank janitor a uniform, a revolver and six shells, and saying “Hey, you’re promoted: now our asses are covered.”

Let’s not forget Spaf’s first principle of security administration:

If you have responsibility for security, but have no authority to set rules or punish violators, your own role in the organization is to take the blame when something big goes wrong.

That observation by Professor Eugene Spafford is as accurate now as it was when I first read it nearly twenty years ago…

David Harley FBCS CITP CISSP
Chief Operations Officer, AVIEN
Director of Malware Intelligence, ESET

Haiti: a more personal view

January 16th, 2010

Further to Thursday’s blog on the Haiti situation at http://avien.net/blog/?p=349, Jeff Debrosse, ESET’s Snr. Research Director, has put up a blog at http://jeffdebrosse.wordpress.com/2010/01/15/haiti-info-and-update/ that includes some additional resources, as regards both help resources and security information resources relevant to the disaster.

On behalf of AVIEN I’d like to express our sympathy to Jeff, whose father is currently missing in Haiti, and our hope that he’ll turn up, safe and sound, very soon.

Can I also point out that while I’m pleased to include pointers to other resources, as I mentioned in a previous blog here, I do need to be able to verify them? Sorry!

David Harley FBCS CITP CISSP
Chief Operations Officer, AVIEN
Director of Malware Intelligence, ESET

Haiti-Related Resources

January 14th, 2010

Help resources, mostly: blogged at http://www.eset.com/threat-center/blog/2010/01/14/haiti-help-resources because there was an issue re security blogging in general to which I wanted to add my 2 cents.

If you have additional resources you’d like to see added, mail me at dharley [at] eset.com. Here are the resources listed in the blog above right now (I’ve been updating them as I’ve seen them come in.)

That first resource includes a long list of contact information for legitimate organizations working in or for Haiti. It also includes some recommendations from the FBI via MSNBC for avoiding being scammed or worse by bad actors.

Update: Tom Kelchner includes some resources for self-protection in the modestly entitled blog at http://sunbeltblog.blogspot.com/2010/01/best-advice-on-avoiding-haitian-relief.html.

The ESET blog has also been updated to include those and other resources.

David Harley FBCS CITP CISSP
Chief Operations Officer, AVIEN
Director of Malware Intelligence, ESET

Blackberry Flavour: Old Whine in a New Bottle

January 12th, 2010

Connoisseurs of hoaxes will be pleased that an old friend has turned up in a new dress for a new platform.

Oliver Devane has reported on the Avertlabs blog (wow! that’s a long URL!) that he’s received an example of the type of message that reads something like “if you get a message from [whoever] don’t open it: he’s a hacker and will bring down your system”.

I’ve seen a heck of a lot of these over the years, but this one is different in one or two respects. Most significantly, it’s tailored for the Blackberry and sent out via Blackberry Messenger. I rather like the fact that the alleged hacker is apparently female. Somehow, this seems appropriate at a time when over 50% of the US workforce is, apparently, now also female. I guess the glass ceiling is cracking: maybe it’s the cold weather.

Interestingly, Oliver suggests that the explosion of social networks may be contributing to a rise in hoaxes, chain letters and other spam, because it’s getting easier all the time to add contacts across platforms.

David Harley FBCS CITP CISSP
Chief Operations Officer, AVIEN
Director of Malware Intelligence, ESET