So, we all know about the security scammer now, and the different ways he is working to defraud innocent users and steal their data and money. It has been quite an experience tracking this scam down and getting all the facts right (from the technical aspect of inspecting the keylogger and binaries used to sniff your data, to actually communicating with the scammer and getting his take on things).

Nevertheless, I must say that I appreciate the consistency in which our scammer (I’ll call him Fadzil Mahfodh as that’s his real name) has been trying to mask his wrongdoings. From trying to go around the facts and divert us to other software:

To “bragging” about his skills and the fact that his scripts are “leet” enough to get past some people:

And finally to the obvious – throwing a fit and trolling – initially by threatning to post my picture and CV on adult websites (what would my CV be good for on an adult site anyway??? must be a Malaysian thing ):

All of which has been accompanied by adding my picture to his website (wow! I’m famous now!):

Getting it removed by the Google Blogger DMCA team, opening up a new blog site to accompany the specific “hack wpa without a dic” post along with my picture, and making some cosmetic changes to the site, removing the FBI log (which has been replaced with a larger DHS logo), and adding a disclaimer at his website stating that this is all a mistake, that I have been trying to pressure him into criminal actions, and that he has all our communications logged and will be happy to use it to prosecute. Too bad this has been removed from his site before I had a chance to document it – but trust me it was there! Pure epicness!

Now, I know – it’s not really fair to pick on these guys that hard. That’s why I’m leaving this to the Malaysia CERT (as you may have noticed, 1337 Fadzil forgot to proxy his connections to this blog and his IP has been logged on all comments and relevant hits on the site), to figure out how to handle. I truly hope that his suggestion to use the details provided on his paypal account and bank account will actually yield some results, and wish our friend the best of luck in his endeavors in the security business (although I highly doubt he’ll be at DefCon later this week).

Below are attached some of the additional supporting materials for the sake of fully disclosing all the communications with Fadzil.

Apache-access-log_FILTERED, Fadzil-chat, karma-decoded.sh, bg2-decoded.sh

Related posts:

1. How [not to] scam security people
2. The Turkish hack and another case for IL-CERT
3. Identity crisis

The question is usually presented by someone who’s in charge of “Security” in an organization. Now, I wouldn’t have had a problem with this if this was a technician, or a pen-tester of sorts, but I get really nervous when the CISO/CIO/Security manager is the one asking.

I think that this question is highly inappropriate for two reasons:

1. You should not be looking for “technology”. Buying a product is not going to make you more secure or less secure.
2. You should not be trying to protect a technology. Your servers, networks, routers, PCs, etc… are not the focus of information security. The information is…

Having been working with senior management – sometimes as an advisor/consultant, and sometimes as a “virtual CISO”, I know that this is not what we expect the CISO or security manager to ask. We expect business savvy, we expect an understanding of what the information assets are, what are the information critical paths, who owns the information and what is the impact of every asset on the business. We expect that the understanding of how each assets fits into the grand scheme of things would be clear to whoever is in charge of securing it, and we expect them to take into account what is the potential damage related to each of these assets (in terms of losing it, having it fall into the wrong hands, etc…).
For me (or us when talking as management) this is the only way to approach security. Funny how things get a little unclear when all you thought you needed to know was which vendor/product fits where in your topology, huh?

What strikes me as most peculiar is the fact that a lot of these security “professionals” find themselves in a self proclaimed identity crisis, having to deal with business requirements and financial understanding of how the business operates. and the weirdest thing is that they often choose to get back to what then “know” best – the technology side of things. Definitely not the way to make a move…

I’m really hoping that all this preaching of “know thyself before you know your enemy” would help somehow, because right now unfortunately the situation at hand only brings us more business (not that I’m complaining). But seriously now – technology is fine and cool, but having the aptitude to know where it fits, not on an architectural level, but from a business perspective is the key to what we do. Get back to the drawing board, erase the network topology and start drawing the business one!

Related posts:

1. Practical vs. Regulatory – the votes are in!
2. Who owns your online identity? Facebook squatters on the rise
3. Being in the middle (or: things we didn’t manage to learn in a decade)

I have just read a couple of excellent posts (on SquaredPeg, and InsideFacebook) that talk about something I have been preaching for a while – your online identity and how easily it can be manipulated (or falsely created). The posts talk about Facebook groups and accounts that have been created for the class of 2013 for quite a few colleges in the US. While in fact none appeared to be legitimately affiliated with the incoming class at any of the colleges

Motive? In this incident, it’s mostly marketing – getting ahead start on the right audience can go a long way nowadays.

This is not the last of it. In what may have been the first more publicly exposed online identity “squatting” (remember the domain name cyber squatters of the 90s…) I do expect a lot more to come on that front. So , if you haven’t got a Facebook/LinkedIn/MySpace/ Bebo account yet,  you probably want to make sure you get one soon enough. You’d never know who may be creating an online persona of yourself now. The implications are grave; just thinking of what kind of damage someone could do if he was to create an account for me, connect to my friends and business partners, and start communicating on my behalf is mind-boggling.

So don’t just be safe out there. Be out there!, that is to say, knowing what’s out there under your name is the first step in protecting your online identity.

Update (12/24/08): As noted to me by my colleague Andrew Lindell, this is also true for your real identity as it is manifested online in other means. For example – online banking, bill payments, and online credit card management. If you do not have an account for these – get one now! It’s overly simple to obtain a bank statement or a bill, and use it to set up online banking on your behalf. Even if you don’t plan to use online banking – get an account, put a decent passowrd on it and tuck it away. That way you can be sure that noone can create that account for you using some old banking statement!

Related posts:

1. Christmas shopping online – make sure you get what you PAY for
2. Identity crisis
3. Blocking Facebook? Not popular, and not effective