When I was little, I remember seeing an interview on television of a Chicago con man who made his living by scheming people out of their money. Back when the term was in vogue, the con man was asked to define what a ‘Hustle’ was. His reply was “Get get as much as you can, as fast as you can for as little as you can”. December is the month when the hustlers come to my neighborhood.
I live in a remote area where most of the roads are dirt, and the houses are far apart, so we never see foot traffic unless it is December. And every year at this time the con men, hucksters, and thieves come around, claiming they are selling some item or collecting for some charity. Today was an example, but our con man was collecting for a dubious sounding college fund dressed as a Mormon missionary, which was not a recipe for success. Rich had a visitor this week claiming to be a student from ASU, going door to door for bogus charity efforts. Last year’s prize winner at my place was a guy with a greasy old spray bottle, half-filled with water and Pinesol, claiming he was selling a new miracle cleaning product. He was more interested in looking into the windows of the houses, and we guess he was casing places to rob during Christmas as he neither had order forms nor actual product to sell. Kind of a tip off, one which gets my neighbors riled enough to point firearms.
The good hustlers know all the angles, have a solid cover story & reasonable fake credentials, and dress for the part. And they are successful as there are plenty of trusting people out there, and hustlers work hard at finding ways to exploit your trust. If you read this blog, you know most of the good hustlers are not walking door to door, they work the Internet, extending their reach, reducing their risk, and raising their payday. All they need are a few programming skills and a little creativity.
I was not surprised by the McDonald’s phish scam this week, for no other reason than that I expect it this time of year. The implied legitimacy of a URL coupled with a logo is a powerful way to leverage recognition and trust. Sprinkle in the lure of an easy $75, and you have enough to convince some to enter their credit card numbers for no good reason. This type of scam is not hard to do, as this mini How-To discussion on GNUCitizen shows how simple psychological sleight-of-hand , when combined with a surfjacking attack, is an effective method of distracting even educated users from noticing what is going on. If you want to give your non-technical relatives an inexpensive gift this holiday season, help them stay safe online.
On a positive note I have finally created a Twitter account this month. Yeah, yeah, keep the Luddite jokes to yourself. Never really interested in talking about what I am doing at any given moment, but I confess I am actually enjoying it; both for meeting people and as an outlet to share some of the bizarre %!$@ I see on any given week.
Here is the week’s security summary:
Webcasts, Podcasts, Outside Writing, and Conferences:
- On the Network Security Podcast this week, with Martin in absentia, Rich and Chris Hoff discuss CheckFree, Microsoft, and EMC, plus a few other topics of interest. Chris makes some great points about outbound proxies and security about halfway through, and how it would be great to have bookmarks into these podcasts so we can fast forward when he goes off on some subject no one is interested in. Worth a listen!
Favorite Securosis Posts:
- Rich: Is it too narcissistic to pick my own post? How the Cloud Destroys Everything I Love (About Web Application Security).
- Adrian: As it encapsulates the program we are working on and I am happy with the content overall, Part 4: The Web Application Lifecycle.
Favorite Outside Posts:
- Adrian: And not because the title was one of my favorite Monty Python skits, this discussion was a very interesting give and take on Pen Testing on RiskAnalys.is.
- Rich: A two parter from me. First, Amrit on Amazon AWS security. Then, Hoff on virtualized network security in the cloud.
Top News and Posts:
- A 50 BILLION dollar Ponzi scheme? How does this go unnoticed?
- The Automaker bail-out dies in the Senate.
- Hack A Day provided nice coverage on the WordPress update.
- Koobface worm targets MySpace and other social networking sites. This is the future of malware, folks.
- An Internet Explorer 7 0day on Windows XP is being exploited in the wild.
- Anton has a must read short post on HIPAA.
- HP and Symantec lose unencrypted laptops. Both companies are in the process of deploying encryption, but too late for these incidents.
Blog Comment of the Week:
Skott on our Building a Web Application Security Program series (too long for the entire comment, here’s the best bit):
Tools and plain old testing are going to run into the same void without risk analysis (showing what’s valuable) and policy (defining what needs to be done for everything that’s valuable). Without them, you’re just locking the front door and leaving the windows, and oh, by the way, you probably forgot to put on the roof.