PR Newswire
Virtual-Strategy Magazine (press release)
SANS offers a myriad of free resources to the InfoSec community including consensus projects, research reports, and newsletters; and it operates the Internet's early warning system - the Internet Storm Center. At the heart of SANS are the many security ...

and more »
Aurich Lawson

Let's say you work for a government agency and it becomes apparent that many computers on your network may be infected with some malware. What do you do? Well, if you're the Economic Development Administration, you cut your network off from the rest of the world, hire an outside security contractor, and then physically destroy $170,500 worth of equipment.

Peter Bright brought us the whole story in US agency baffled by modern technology, destroys mice to get rid of viruses. Naturally, this kind of knee-jerk reaction baffled and astounded many of our readers. "Dammit. I'm searching for an appropriate facepalm pic, but there are so many and none are adequate for this," Caedus wrote. LigerRed also sought to forcefully apply face to object in an expression of frustration. "I literally just facedesked," Red wrote.

Other readers were mostly astonished by reports that the EDA's path of destruction extended to the mice that the administration's employees used. "Ah, the scorched earth mouse pad policy. There's just no telling where an infected mouse might point, you know" ColinABQ wrote. maxp0wer was concerned about the EDA's outside security contractor, who seemed to know little about pest removal. "Despite spending all this money, the mouse infestation persists!" p0wer riffed.

Read 14 remaining paragraphs | Comments



IOActive Expands by Opening New Office in South Africa
IT Business Net
Tweet this: #IOActive expands its operations and opens new office in South Africa. http://bit.ly/1abIjBR #infosec. Supporting Quotes. Jennifer Steffens, chief executive officer for IOActive. Our move into South Africa helps us to better service our ...


What if online scammers weren't sure whether the user account they are targeting is really yours, or whether the information they compiled about you is real? It's worth considering whether decoy online personas might help in the quest to safeguard our digital identities and data.

I believe deception tactics, such as selective and careful use of honeypots, holds promise for defending enterprise IT resources. Some forms of deception could also protect individuals against online scammers and other attackers. This approach might not be quite practical today for most people, but in the future we might find it both necessary and achievable.

Human attackers and malicious software pursue user accounts and data on-line through harvesting, phishing, password-guessing, software vulnerabilities, and various other means. How might we use decoys to confuse, misdirect, slow down and detect adversaries engaged in such activities?

Black-Ops Reputation Management

One example of using deception to control what information is visible about a person online is described the article Scrubbed, written by Graeme Wood. It details the shady practice of "black-ops reputation management." The article discusses one firm's services to drown out negative news about their wealthy clients by publishing flattering, but often misleading or untrue information. The firm builds "white-noise websites, engineered to drown out an ugly signal and designed perhaps less for discerning human readers than for search-engine robots, which organize and curate all the information users discover via search."

These practices are often aimed at bumping negative stories about the client off the first page of search engine results, since few people look beyond the first page when casually looking for information about the person. Reportedly, this "black-ops" service costs $10,000 per month and involves "mining the client's history of publication and philanthropy, then pumping up the volume to drown out all else."

Such services sometimes include the creation of positive, but fake online personas that use the client's name. This way, one could never be certain whether the flattering information referred to the doppelgänger or the real person whose reputation needed a boost.

The article's author "imagined a future in which rich people create dozens of scapegoats for themselves, like Saddam Hussein with his body doubles." I am wondering whether similar techniques could be used for good—to help protect people against online scams and attacks—without being expensive.

Honeypot Email Addresses for Catching Spammers and Misdirecting Attackers

One example of a basic deception practice employed by some individuals today involves using a unique email address for every service with which the person signs up. If the person starts receiving spam on one of those email addresses, he or she can easily determine which service leaked or misused the address.

A more technical variation of this technique, called spamtrap, employs honeypot email addresses that are created for the sole purpose of luring spammers. As the Wikipedia article explains, this address is typically only published in a manner that's not directly visible to humans, so that "an automated e-mail address harvester (used by spammers) can find the email address, but no sender would be encouraged to send messages to the email address for any legitimate purpose."

Given the popularity of email as an initial attack vector, individuals could safeguard themselves by using different email addresses for different online services. Moreover, they could purposefully expose some email addresses that are not used for important, personal communications. Any correspondence sent to these addresses can be assumed to be malicious. An extra step might involve setting up fake social networking profiles for these addresses.

Decoy Social Network Profiles

The wealth of personal details available on social networking sites allows attackers to target individuals using social engineering, secret question-guessing and other techniques. For some examples of such approaches, see The Use of Fake or Fraudulent LinkedIn Profiles and Data Mining Resumes for Computer Attack Reconnaissance.

Setting up one or more fake social network profiles (e.g., on Facebook) that use the person's real name can help the individual deflect the attack or can act as an early warning of an impending attack. A decoy profile could purposefully expose some inaccurate information, while the person's real profile would be more carefully concealed using the site's privacy settings. Decoy profiles would be associated with spamtrap email addresses.

Similarly, the person could expose decoy profiles on other sites, for instance those reveal shopping habits (e.g., Amazon), musings (e.g., Twitter), skills (e.g., GitHub), travel (e.g., TripIt), affections (e.g., Pinterest), music taste (e.g., Pandora) and so on. The person's decoy identities could also have fake resumes available on sites such as Indeed and Monster.com.

Realism of Decoy Online Personas

If decoy online personas become popular, attackers will become more careful about profiling victims to flag fake data. This in itself might be a good thing, because such activities would increase attacker's cost, which some consider a worthy accomplishment for any defender.

With time, the defenders will need to ensure that their doppelgängers appear realistic, for example by demonstrating a steady stream of updates on decoy profiles and activity streams. This could be accomplished and automated with specialized tools. Such tools would build upon the capabilities of social media management utilities like HootSuite. A honepot online persona might even have a phone number and an inbox, provided by tools such as Google Voice. The tools might further add realism to the decoy by automatically responding to the attacker's calls, emails and chat messages.

Using decoys to protect online identities might be an overkill for most people at the moment. However, as attack tactics evolve, employing deception in this manner could be beneficial. As technology matures, so will our ability to establish realistic online personas that deceive our adversaries.

-- Lenny Zeltser

Lenny Zeltser focuses on safeguarding customers' IT operations at NCR Corp. He also teaches how to analyze malware at SANS Institute. Lenny is active on Twitter and . He also writes a security blog.

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Microsoft has completed its purchase of InCycle's InRelease business unit, announced in June, and is now deploying the software to offer DevOps capabilities to its Visual Studio and Team Foundation Server users.
AT&T plans to acquire Leap Wireless, operator of the Cricket prepaid mobile service, in what would be the latest consolidation of the U.S. mobile industry.

SANS Has Added Online Training Event to Support Training Budgets without ...
IT Business Net
SANS offers a myriad of free resources to the InfoSec community including consensus projects, research reports, and newsletters; and it operates the Internet's early warning system - the Internet Storm Center. At the heart of SANS are the many security ...

In the week ending 13 July - Hardware destruction, OS switcharound, Open Source laptops, Android code-signing holes, shiny new Chrome, vulnerability custody fights, language surveys and zombie backdoors

These phones have features that radically exceed not only those of other phones but also those of other consumer devices. That's why Mike Elgan calls them 'superphones.'
Internet Storm Center Infocon Status