Entries Tagged as 'Security'

Ethical “White Hat” SEO Spam

An email box folder of spam messages.
Image via Wikipedia

Sometimes, I find spam absolutely hilarious.

I mean, check this one out that came through our small business accounting software site. What really got me was the fact that it was sent from a gmail address and the reply to: field was the same gmail address. What’s even more interesting is that the actual address has always been a gmail if you do a search for this fellow, and the addresses just change. Seems rather “phishy” to me. Here’s the actual content of the spam email:

We would like to get your website on first page of Google.
All of our processes use the most ethical “white hat” Search Engine Optimization techniques that will not get your website banned or penalized.
Please reply and I would be happy to send you a proposal.

By now, if you haven’t junked it or laughed at it and then junked it, you would need to realize a couple things. First is that while white hat SEO is a great term, it doesn’t really fly in the face of those that have no inkling of what it is. The second is that spamming someone’s forms really isn’t considered “ethical” by any means so it doesn’t give credence to your SEO tactics. Last of all? Really. If you expect people to take you seriously for SEO, then you need to get a real website, with a real company name and be able to show up on the first page of Google for “best SEO company“. Let’s face it. If you’re truly good at what you do, you’d be there wouldn’t you?

Reblog this post [with Zemanta]

Be Wary in Job Searches

Maximizing Your Job Search Workshop
Image by danieljohnsonjr via Flickr

If you’re one of the many that are searching for positions on the Internet and probably sending your resume along on those job sites, be wary. One of the latest scams that has been broadcast in the past six months through security firms has been an increase in identity theft through job postings.

Think about it. You’re desperate to become employed again, you hand over your social security number, name, address, and all sorts of other identification materials to a “potential” employer just to realize that they don’t exist. My suggestion? Do your homework.

While you might not stop every sort of theft, providing due diligence will greatly decrease the risk of being taken for a ride. See if that person actually represents the company that they claim they are. Are they overseas and using a local number to contact you? Do they represent a placement agency? Perhaps you’ve never even heard of this business that they claim is several miles from your house and it’s not in the phone book. There are always signs to these sorts of scams.

If you don’t, you take a great risk. If you do, you minimize that risk. And best of luck on your search.

Reblog this post [with Zemanta]

Why Isn’t Direct Mail Regulated Like Spam?

Junk Mail
Image by >fiasco via Flickr

I never did understand why direct mail never came under as much scrutiny as spam. Everyone has an issue with spammers, but most actually just suck it in and deal with direct mailers.

Now let’s be honest, if you look at both sides, they operate under the same concept but just in different mediums. Direct mail uses the postal service, while spammers use the Internet. You have no say in either thing on whether or not you get it, and both are trying to sell you something. And just like having an inbox, if you have a mailing address, you will get some regardless of how hard you try to keep it completely hidden.

So my question is… why isn’t direct mailing under similar rules as the CAN-SPAM Act? Why is it that we have to suck it up and deal with this type of marketing tactic and not the other? It seems like they would fall under similar regulation rules since the difference really only being that one being electronic and the other is physical. In fact, now that I think about it, I’ve even taught the concept of emailing with the analogies of home addresses.

I suppose it’ll never be changed, but one can always wonder since both are annoyances in most people’s lives.

Reblog this post [with Zemanta]

Thank You Microsoft for Spam

microsoft-live-spam I love it when companies send you spam in the form of “no, it’s not really spam, and we really know that you had clicked this, but we want you to click it off so we can send you more spam” type of spam.

I mean, seriously. Do they think that you opt-out of the marketing and promotional materials because you’ll want to be reminded that you had opted out? Uhh. No. Sorry, Microsoft. That’s definitely a spam-fail on your end. Reminding me, that I opted out of your spam, means that you basically did not abide by my preferences of not bothering me with promotional offerings. And yes, I consider the fact that administrative type emails of promotional offerings to be under promotional offerings and not under critical administrative messages.

I wonder what brilliant person came up with that one. Hey! Let’s spam all the people that don’t really want spam with a message that says… hey, we wanna send you spam, but we can’t because of your preference! To add insult to injury, they add on a note that talks about how they respect your privacy and have a link to their privacy statement.

Sometimes, it definitely makes you shake your head and wonder what goes on in those ivory towers.

Use of Proxy Servers Could Increase Jail Time

Eternal privacy
Image by Nano Taboada via Flickr

The United States Sentencing Commission has voted but I haven’t found anything on what they’ve actually decided.

Basically, there was legislation put out there that was written in too broad of a format where it said that any sort of proxy server use could increase jail time up to 25%. Now, in essence, the way it’s worded would mean that proxy server use seems to be a secondary offense if you use it for means of hiding yourself to do illegal deeds. And knowing that there are things such as bouncers, and darknets, there’s definitely a reason for this from a law enforcement perspective. But on the flip side, if you strictly say that there is jail time in direct relationship with proxy server use, then that’s completely incorrect and then you render the that argument invalid since there are many uses of proxy servers including those of privacy concerns.

From my perspective, I believe that there’s more to it than meets the eye. It’s not just privacy that I would worry about for your average Net surfer but the fact that translation servers like the one used by Google, is technically a proxy server since it can translate websites and redirect. This means that as a proxy, the host website sees Google instead of your IP address and thus is in a “proxied” fashion. Would you jail those that use translations? What about other means of redirection that are legitimate? Thus, I believe that using the terminology as proxy servers by itself would be too broad. There has to be some sort of offense tied to the use to cover illegal means.

That being said, there are darknets and hosted vpns that you can use for privacy use. TOR is just one of the many. But I think that both sides have to be weighed and find the correct wording choice that doesn’t interfere with privacy, or legal use versus prevention of law enforcement to chase down those that use proxies for unethical behavior.

Reblog this post [with Zemanta]

Sniffing Out Conversations

CanSecWest banner and Dragos

Image by ggee via Flickr

At this year’s CanSecWest, researchers were demonstrating with eight dollars of equipment, they could basically read your keystrokes through the vibrations through different keystrokes and that through the same electrical grid, you could actually detect keystrokes through a D/A converter and oscilloscope.
What’s interesting is that the article talks about the NSA project coined TEMPEST, which is something that I learned about back in the 1980s. There’s a lot of different stories about how this is supposedly come to be but the point of the story was that with sensitive enough equipment, you could actually sniff out conversation pieces coming from the distortions from monitors and other types of displays. Now, from a physics perspective this actually does make some sort of sense since there are fields that would be slightly distorted from sound waves. This does change with the shift in display technologies from CRT to LCDs and plasmas. But I digress.
Now what would definitely be interesting is actually using the minute magnetic fields generated by electrical grids to track movement. That’s actually a lot easier in my opinion since the distortion pattern would be a wave running against a field as it displaces it like in water. If there is enough motion, then you could technically seek out individuals based on their electrical wiring. Theoretically anyways.
What can I say, the real information gathering stuff has always been a close second to my heart.

Reblog this post [with Zemanta]

Gaming Industry Beats Online Banking in Security

squareenix_authenticator.jpg You can’t help but be thoroughly amused at this fact.
Seriously now. All payment type things from a security perspective should be a two-factor authentication. Now, if I’m not mistaken, Bank of America does have a few different types of things going on right now that allows this, but there aren’t many banks out there that actually even look into security tokens. And definitely not quite in this regard.
So when you get to the point where the gaming industry is annoyed at the entire concept of accounts being compromised and they shift to a two-factor authentication? You just have to smile and wonder when the rest of the banking industry is going to actually care enough about their clients to protect them with more secure methods.
So when will it happen? Perhaps we’ll start seeing some actual IT security that is beyond the usual 128 bit encryption by SSL certificates. Not that it’s terrible, bad, or otherwise, but it’s always the extra mile that provides the peace of mind. And two-factor authentication pretty much always provides that factor along with the enormous mathematical pains of trying to brute force these types of entry points.
Now, surely I assume that at some point someone will figure out an algorithm to create collisions that will eventually break our current two-factor entries. But you have to look at it from a perspective of the attack being algorithmic rather than brute force since the key rotates every thirty to sixty seconds.
Kudos to the gaming industry for finally saying enough is enough. And banking people? Will we continue to hear crickets chirping away?

Pirate Bay does accounting on Twitter

It’s pretty amusing when I’m sitting here working that I happened to check one of my screens and lo and behold, I see the infamous Pirate Bay.
Wait. They’re on Twitter? Apparently. And not only that, but they’re touting the piracy of an application that everyone seems to be trying to get in the last few weeks in this field. Wow. Who knew that pirates also did accounting. Eh? Totally unethical, but it still does prove a point on why many things are going towards SaaS and free MMORPGs. It’s just behavior that you don’t have to deal with anymore.

Reblog this post [with Zemanta]

Macrumorslive.com gets hacked (NSFW)

macrumor_hack.png It seems that one of the largest rumor sites has been hacked during the keynote. At 9:24AMPST, the site gets hit with a “STEVE JOBS HAS DIED.” Then a string of profanity and spam links and other such nonsense for a good fifteen or twenty minutes before the site was taken down.
The screenshot was provided by John Brown, whom was watching it happen in real-time and happened to get a snap before the site went down.

Reblog this post [with Zemanta]

Why legal prosecution of computer crimes require superior computer forensics

It’s really unfortunate when you read stories like this. Julie Amero, a substitute teacher in the Connecticut area, has been battling the state on a porn pop-up case that landed her four felony pornography convictions in early 2007.
A team of pro-bono computer forensic experts examined a ghost image of the hard drive and found numerous errors in the prosecution’s case which lead to overturning of the trial and it went to a new trial last June. Amero plead guilty to a misdemeanor of disorderly conduct, paid a fine and is moving on with her life.
Unfortunately for this particular situation, I think that Threat Level reported on the spot. The prosecution’s technical expertise was flawed in many cases and the testimonial didn’t jive with the evidence given by what the forensic evidence provided by the hard drive. Even giving up her state teaching credentials is asking too much of someone that didn’t actually click the pop-up links from malware judging by the analysis report of the ghost image given by the defense’s technical experts.
I assume that the prosecution wouldn’t let the charges drop even due to this overwhelming evidence due to the fact that four years down the line, they had already committed to many resources that it a dropped case would have looked bad. While I’m no legal expert, I believe that the misdemeanor was a justification of internal politics that happens in all stages of corporate and government alike.
A copy of the report by the forensics team can be found here.