Friday, April 29, 2011

The Subtle Art of Phishing

Hello,
I am Mr. Engmabork from the United Falscharsch bank in Switzerland. We recently found that you are the recipient of funds left in inheritance by an ancestor. We owe you (with principle and interest) a sum of $5,230,193.02.
To claim your right to these funds, please send us your current address, maiden name, checking account number, and social security number so we can verify your identity and wire the money to your account.
Thank You, Mr. Engmabork



Scams like this have been around for a while, and the vast majority of folk are smart enough to ignore these illicit attempts at information retrieval. Though they have worked in the past, common sense often comes into play and inhibitions prevent us from revealing data that can compromise identities.
Even phishing emails are usually identified by most as fraudulent; in fact, most email filters now automatically move these scams to a special folder. But not all phishing is as black and white as one might think.

I'm going to attempt to classify a few types of phishing from obvious to convincing. I'm only going to look at the voluntary distribution of personal data, so I'll be ignoring those that are a breach of physical security (unlocked computer) or malware/virus retrieval of data.

Chain Mail
There was once a time when you had to ask whether or not a person had an email address. Now you just assume they do. A staggering majority of Americans have at least one email account, but back in yesteryear (antiquity, some might call it), phishing was still fairly common. At one point, email would circulate asking you to add some information to the letter or some poor girl with a disease would not survive. Why wouldn't you? It would be heartless not to; what harm could it do? You're then supposed to send that email to everyone you know, including the person who sent it to you. That information, no matter how small, is now distributed to a broad range of strangers. All it takes is six degrees to reach everyone in the world.

Rating: obvious and relatively harmless. Oftentimes, you won't be putting your email password in the chain mail to circulate.


Business Impersonation
Another phishing scam is where an email is sent to you as if it were from a reputable company to which you subscribe. Oftentimes, like the email to the right, it will describe some action required from a user in order to prevent charges/closing/reprimand of the account. Of course, the email will provide links so you have easy access to the website. Once there, you sign in... only you haven't noticed that the link was to a private website built to resemble that company's website, and you just entered your credentials into a phisher's trap.

Rating: fairly convincing. If you passed on your credentials to a bank website, serious damage could be done.
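
The lookalike-link trick described above can be checked mechanically. The following is an added example, not part of the original post: it compares each link's real destination with the domain the email claims to come from, and with any domain shown in the link text. The function names, the sample email and both domains are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)

class _Anchors(HTMLParser):  # collects (href, visible text) for each <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(value):  # host of a URL or bare domain, lower-cased, "www." dropped
    try:
        host = urlsplit(value if "://" in value else "//" + value).hostname
    except ValueError:  # malformed URL, e.g. unbalanced IPv6 brackets
        return ""
    return re.sub(r"^www\.", "", (host or "").lower())

def _belongs_to(host, domain):
    return host == domain or host.endswith("." + domain)

def suspicious_links(html_body, claimed_domain):
    """Return [(href, reasons)] for links that do not lead where they claim."""
    parser, findings = _Anchors(), []
    parser.feed(html_body)
    for href, text in parser.links:
        target, reasons = _host(href), []
        if not target:
            continue  # relative or unparsable link: no host to compare
        if not _belongs_to(target, claimed_domain):
            reasons.append("off-domain")  # leaves the claimed sender's domain
        shown = DOMAIN_IN_TEXT.search(text)
        if shown and not _belongs_to(target, _host(shown.group(0))):
            reasons.append("text-mismatch")  # text names a different site
        findings.append((href, reasons))
    return [(href, reasons) for href, reasons in findings if reasons]

# Constructed sample email body; both domains are made up (reserved TLDs).
SAMPLE = ('<a href="http://examplebank.example.account-verify.test/login">www.examplebank.example</a>'
          ' or <a href="https://www.examplebank.example/help">help page</a>')
print(suspicious_links(SAMPLE, "examplebank.example"))
```

The first link is flagged because its host only begins with the bank's name; the registered domain is whatever sits at the right-hand end of the host.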


Social Phishing
My third example includes two ingenious phishing attempts. Even I almost fell for one. Both of these statuses came from Facebook and ask for interaction with friends that you know. It's fun!
The first status had fill-in-the-blanks that asked friends to show how much they know about you. Details included age, favorite color, pets, parents, etc. I figure any friend can get at least half correct in any attempt.
The second, and more grievous of the two, is a reference to the royal wedding in England. Oh, how quaint. In this game, you're supposed to post your royal name: something along the lines of Lord Michael Rufus-Denis. The first name is supposed to be the name of a grandparent. The surname is supposed to be your first pet hyphenated with the street you grew up on.
Do any of these "blanks" or "names" sound familiar? You guessed it. In fact, these are security questions from FACEBOOK ITSELF! (see below)

Rating: very convincing. Because there is an element of fun and nonchalance, it's quite easy to elicit this compromising information from a Facebook user. Here, common sense doesn't go as far because of the disarming nature of the prompt.


More and more, I see evidence showing that schools must educate their students on internet etiquette and security. A lot of these phishing scams are now targeting teenagers who now have some access to a parent's credit card information since cards are so easy to use online. We all have to be proactive when it comes to limiting the information we publicize on the internet, and we will have to continually adapt the methods with which we protect ourselves from voluntarily divulging information.

Stay sharp, and be on the lookout.

Monday, April 25, 2011

Manic Monday

The technology world is staying quite busy indeed!
In news:
In products:

For the next few days, I will be obsessed with my upcoming piano exam, so I won't be thinking too much about blog posts.

Friday, April 22, 2011

The Chiptune

For those who aren't familiar with my tastes in music, I typically listen to music somewhere in between (and including) classical and electronic. I've purposefully left this really vague. My preference for music is eclectic to say the least. I've been introduced to a great collection of music over the past few years, compliments of my friends, and artists like Armin Van Buuren, Kaskade, Deadmau5, Daft Punk, Imogen Heap (& Frou Frou), Inna, (et le contraire) Massenet, Vivaldi, Holst, Fauré, etc.

Today, I discovered the classification of this genre of music, and I've become increasingly interested in this music: Chiptune. Summed up, it's video game music for the sake of the music, not the game. It started with Pixel Vision. I actually thought there was a game to go along with it (alas there isn't). The album is available for free (his own doing) here.
Another artist (to whom I credit my 'discovery') is Demoscene Time Machine. The third song on the soundcloud list actually has a video game!

I will definitely be exploring more of what's available in this genre, and I suggest you do too. They even have variants like Chipstep, the logical combination of dubstep and chiptune.

Wednesday, April 20, 2011

Into the Cloud

It's been buzzing around for a while, but how applicable is it to the masses?
Thanks to a friend and peer, I've learned a little about the Amazon Cloud. Since I've had limited experience with the cloud services offered by various companies, I'll just be sticking with Amazon.

In my experience, the cloud is quite easy to work with. I used to think the cloud was only for big companies, for heaps of data processing, or hours of video rendering. While it can certainly be used for that, it can also be scaled down so that I can use an instance in the cloud for even the most mundane tasks. While I don't profess to know much, I know enough to make great headway when I have the time. Did I mention that there's a free option?

(From here on, I'll be getting technical. You can smile and nod if it's not your thing)

What skill set do I need to continue?
IMHO, you'll need to know a little something about Linux boxes: ssh, package managers, public and private keys, and other things that go along with whichever Linux flavor you choose.

What does the cloud offer me? It's just some huge omniscient computer, right?
There are myriad things the cloud has to offer you. First, a Linux box of this accessibility (anywhere from the web) with such control (root access) is usually not too cheap. Amazon charges a cheap hourly rate (right now 2.5¢/hour micro instance in US-West). Second, even if we're not comparing prices, no other service gives you the ability to change your mind, shut down your virtual machine, or start a new one on a whim. Finally, the cloud community offers a series of pre-configured images for a good quick start.

Here's an example:
VPNs are a precious commodity. You'll pay anywhere from $5 to $8 per month for a subscription to have your traffic tunneled to an endpoint. From security over networks (keep people from spying on you) to content filtering bypass, a VPN has many uses. In less than an hour, I was able to launch an Ubuntu instance, log in, install the correct dependencies, configure PPTP, and sign up for and configure DynDNS. Within that time, I was logged in and browsing the web securely (at least more than before).
A shout out to Peter Dikant for his guide on his personal blog. Thanks!

I think the cloud and I are going to get along quite nicely. There are so many more things to explore.

Getting Started

It's time for a new beginning. As I look toward the future, I realize that I want to document my engineering and programming feats for me to share and for others to enjoy. Hopefully, the content on this blog will hover in between casual and semi-professional.

Advise me on any content you like and want to see more of by clicking one of the feedback options on any post you read. Thanks!