‘Security code’ window dressing

[Disclaimer: you’ll probably see ads under and possibly incorporated into articles on this blog. I don’t choose them and I don’t approve them: that’s the price I pay for not being able to afford to pay for all my blogs…]

Fake security codes are one of the many ways in which scammers try to persuade potential victims that they genuinely represent such organizations as financial institutions and retailers who are (or should be) genuinely concerned about the security of their customers.

An instance that caught my attention today was described on ‘Scam Interceptors’ as “window dressing”, which struck me as rather a good term for it. The scam described seemed to be (I didn’t catch the whole segment) one of those where a scammer rings the victim to tell them that their bank account has been compromised, and that they’ll need to transfer it to a safe account, or in this case withdraw their money and send it for safe keeping in another account. As described here, the scam involves at least two telephone calls, the second to reinforce the scam arrangement by having a ‘security investigator’ call immediately after the initial contact.

The security code ploy in this instance comes when the first scammer makes up a ‘security code’ – in this case the victim’s choice of a favourite colour followed by a short numeric value – which the victim can use to confirm the bona fides of the second caller. Of course, the code does no such thing: it simply confirms that the first and second caller are working for the same malicious call centre, and the ‘window dressing’ only works if the victim already believes that the caller who gives them the code is genuine. My guess is that the code may have two purposes. One, of course, is to give the victim the impression that a real security protocol is in place, to give them a false sense of security. It may also be an attempt to block an intervention by an ethical hacker by requiring them to give a security code they may not know. That wouldn’t have worked in this case, though, since the ‘Scam Interceptors’ team had been able to monitor the conversation in which the ‘security code’ was created.

As I said before, this is only one example of window dressing. The real question potential scam victims need to ask themselves is this: does the caller’s attempt to prove their own good faith really prove anything of the sort? Does it merely consist of citing easily-found information like the victim’s surname? Does it actually prove anything at all or is it just classic misdirection? The trouble is, victims are often confused by the scammer’s attempts to convince them of the need for speedy action and their fake concern (sometimes alternated with bullying).

David Harley

Scam Interceptors (again)

I’ve just noticed that the BBC is screening another series of this programme. On the whole, I think it does more good than harm, but I’m a little concerned that Rav Wilding, when talking to a victim or potential victim, tends to ring off and promise to ring back a little later. Granted, the programme does encourage people to use a known-safe contact number for banks etc., such as the helpline number on the back of a bank card. And it might not be safe to expect that some of the more confused victims they contact will call the programme back. But there doesn’t seem to be a published direct number for the victim to call the programme back on.

I can see why publishing a number for the programme on its web page might be inviting trouble, but promising a call back is one of the things that scammers do: after all, they may not want to risk a victim not calling back either, though for less laudable reasons. It seems to me that if you’re going to set yourself up as a go-to source of help, you have to accept that you might get some hassle from the ungodly by phone, email etc. In the security industry, it goes with the territory for reputable vendors and service providers, and perhaps the programme owes that risk to those it intends to help.

On the bright side, it was good to hear a victim wanting proof of Wilding’s identity and the programme’s bona fides, even if that was due to the prompting by their bank.

Facebook – abysmal algorithms and customer disservice

Facecrooks nails Facebook/Meta on (at least) two of its less attractive attributes.

Firstly, its reliance on artificial intelligence, in this case using a faulty algorithm to correct a faulty algorithm. Presumably because AI works out cheaper than human eyes for fact-checking.

Secondly, its lack of commitment to customer service. Its refusal to consider issues where it’s at fault after an arbitrary period of time is not news to me: I was previously alerted to it by a friend who cannot regain her account from the hands of a scammer because she didn’t report it quickly enough. (In both these cases, the victim simply hadn’t been aware of the problem in time to make the arbitrary cutoff date.)

I can see that there’s a difficulty in that Facebook apparently doesn’t keep data after 180 days, so the cutoff date reflects the fact that there is ‘no evidence’ on which to re-examine the case. But this doesn’t excuse inaction on FB’s part because ‘nothing can be done’. In the case of an account takeover, surely the ongoing use of the hijacked account to send scam messages is sufficiently clear to justify remedial action. In the case of the algorithmic confusion – the victim teaches the programming language Python and the related programming library Pandas, so the fact-checking algorithm assumed him to be trading exotic fauna – the original page data may be lost, but surely the lifetime ban on his using Meta for advertising could have been corrected?

Reuven M. Lerner’s article, as cited by Facecrooks, is here: I’m banned for life from advertising on Meta. Because I teach Python.

David Harley

That Paul Ducklin site…

My areas of interest – let alone expertise – are infinitely narrower since I’m now only loosely attached to the security industry, so I won’t be slavishly following any particular site, let alone trying to track every current security issue.

I can, however, heartily recommend this one: Paul Ducklin combines good security writing with impressive technical knowledge.

David Harley

Crypto-Gram Ruminations

I’m not Bruce Schneier’s biggest fan. (Some would say that would be him…) He does, I think, suffer from the speech defect that most of us in the security community fall prey to from time to time – an inability to say “I’m not qualified to comment on that.” Well, that’s obviously not a condition unique to the security and journalistic communities. Still, he certainly knows much more than I ever did about many areas of security (not least cryptology, which has always been one of my weaker areas), and he is, in my not-always-humble opinion, particularly good on the social implications of technological issues. Which is probably why I’ve never got around to unsubscribing from his Crypto-Gram newsletter, even though I long ago stopped describing myself as any sort of security expert. (Long before I left the industry, I realized that the more I learned, the less capable I became of filling the gaps in my knowledge.) Anyway…

The latest issue of the newsletter to hit my mailbox addresses – and doesn’t claim to resolve – several issues that should concern us all.

Detecting AI-Generated Text highlights the fact that there is no reliable way to automate the distinguishing of human text from AI-generated text. Though it occurs to me that those commentators who regard AI as the death knell of mankind might wonder whether The Algorithms would allow us awareness of such an automated ability if it did exist. As it happens, I’ve been doing a little informal – not to say flippant – research into that area myself, though in areas of creativity in which I’m more comfortable these days. Here’s an article that may yet be expanded into something larger and possibly more academic: AI, creativity and music. A brief snapshot

But back to Bruce Almighty…

Political Disinformation and AI addresses critical issues in a world that is, perhaps, politically even less stable than at any previous time in my lifetime (the official Cold War included). The assertion that “Disinformation campaigns in the AI era are likely to be much more sophisticated than they were in 2016” seems particularly apposite (not to mention frightening) in juxtaposition with the next item, Deepfake Election Interference in Slovakia, suggesting that deepfake audio recordings likely to influence voting patterns were a tryout for interference in future elections – particularly next year’s presidential election in the US. There’s much more about the implications of the Slovakian deepfakery in the Wired article Slovakia’s Election Deepfakes Show AI Is a Danger to Democracy, not least as regards the difficulties faced by fact-checkers for Meta (and therefore Facebook et al.) in detecting and countering such fakery.

After these chilling discussions, the summary of various viewpoints on AI Risks comes almost as light relief, but the subject is not one to be taken lightly. In fact, none of us can afford to ignore these issues, though most of us will. Not least those of us most vulnerable to media and social media manipulation.

David Harley

Maybe I should be certified… (revisited)

…or at least put in a home for retired security pundits where someone can make sure I take my medication on time, so that I stop pontificating about security issues even though no one is paying me to any more and I have lots of other writing projects demanding my attention. Still, after writing about Robert Slade’s work on preparing CISSP candidates for the exam they have to take as part of the qualification process, I found myself needing to revisit an article I wrote when I originally abandoned my subscriptions to the two organizations that enabled me to add three extra initialisms to my signature.

The article noted the official end of an era, though it was a very minor ripple on the surface of the Sea of Security. As of the end of August 2014, I was no longer entitled to put the initialisms CISSP, FBCS, or CITP in my signature. (In fact, I hadn’t been using those manifestations of alphabetti for quite a while before, in anticipation of that day. Or, more precisely, the 31st August.)

There’s nothing sinister about this: I hadn’t been drummed out of (ISC)2 or the BCS Institute for conduct unbefitting a computer security guru: I was simply dropping my annual subscriptions to those organizations. I was and still am in sympathy with the general aims and ethics of both organizations. There are many otherwise rational people in the security business who are dismissive of any form of certification that results in an artificially lengthened signature, but I’m not one of them. These particular initialisms acknowledge many years of working to improve the security of the organizations for which I’ve worked since 1986 and the community as a whole: I’m honoured by that recognition of whatever I may have achieved in that time, and refuse to be ashamed of having been entitled to use them. So why was I letting them go?

First, let me save you anxiously searching the web for an explanation of all those initialisms:

  • CISSP = Certified Information Systems Security Professional: a certification awarded by (ISC)2 (formerly the International Information Systems Security Certification Consortium) to security professionals who meet the required criteria in terms of knowledge (as tested by a lengthy exam), relevant experience (at least 5 years), compliance with the (ISC)2 code of ethics, endorsement by a member in good standing, and maintenance of your own good standing by earning at least 20 CPE (Continuing Professional Education) credits each year and keeping up to date with the subscription fee.
  • FBCS = Fellow of the BCS Institute (formerly the British Computing Society): to quote the Institute’s own criteria, Fellows “demonstrate leadership in the profession by influencing significant numbers of professionals and/or others to achieve common goals, understanding or views within the IT profession.” So maybe all those books do count for something, even if they didn’t benefit my bank balance much.
  • CITP = Chartered IT Professional: I was actually grandfathered into this certification, also awarded by the BCS Institute, because I met the requirements for acceptance as a Fellow. I’m not sure if BCS still does that: the normal CITP process is quite stringent, and has in fact been made more demanding in recent years.

So, to answer the question “why was I dropping my subscriptions?”, I first have to make a confession. I didn’t maintain those subscriptions out of some purely altruistic desire to further the aims of (ISC)2 and the BCS, though of course I’m happy that my money went towards the attainment of goals that I’m generally in sympathy with. But – shock! horror! – my primary aim was to demonstrate that I had certifiable skills and acknowledged achievements that gave me credibility in the eyes of my peers and enhanced value in the job market. Like most people, even the good people who run (ISC)2 and the BCS (not to mention other organizations like ISACA and SANS), I had to make a living, though I’m fortunate in that I was able to do so by doing work that I enjoyed and (I like to think) for which I have – or at least had – some ability. Over the last year of my subscription, I made a cost/benefit analysis (as all CISSPs are taught to do!), and while the cost of those subscriptions wasn’t high, the benefits (to me personally) were not what they were:

  • I was already past the age where I could, if I chose, have been drawing my state pension. When either ESET – where I still held the title Senior Research Fellow – or I chose to terminate our current arrangement, it was unlikely that I’d look for another job. (I didn’t!) If I had, it probably wouldn’t have been in security. And if it had been in security, it certainly wouldn’t be the sort of managerial role where being a CISSP is often sine qua non.
  • I hadn’t been seriously engaging with BCS for some time, at any rate not at the level where being a Fellow mattered. And I didn’t see myself as a candidate for the sort of academic milieu where being FBCS might carry weight.
  • I no longer found it amusing to flaunt my alphabetti on those lists where it’s assumed that anyone with the letters CISSP after their name must be either a cheat or an idiot with delusions of grandeur and competence. Or, according to one person who commented on one of my articles for ESET, as compensation for underdeveloped genitalia. I can’t imagine how he knew. 😉
  • I actually have certifications that don’t entitle me to a string of acronyms or initialisms. Not that I was ever likely to look for work as a security auditor (for instance) at this stage, but it was time to relegate all this stuff to my c.v., which I haven’t needed for a long time now and don’t anticipate needing much in the future. And wikipedia, maybe. 🙂

So from then on, I had to stand or fall by the quality (or lack of it) of my published work. But then, most of the time, I always did. And if I feel the need to expand my signature, I’ll have to fall back on my humble BA. (Now that’s a qualification I am proud of, having completed it under stressful circumstances: that is, as a new parent with a full-time job.)

I probably won’t return to the topic of certifications, though I addressed it at some length in a chapter in the AVIEN Guide.

Robert Slade – help with studying for CISSP

[This was originally posted to the Geekpeninsula blog, but since this is rediscovering its identity as a security blog, I’m putting it up here too.]

I dropped my subscriptions to (ISC)2 and the BCS Institute some years before I retired from the security industry. Not because I have the traditional hacker’s hatred of formal qualifications, but because I knew that when ESET and I parted company I wouldn’t be looking for work in security again, and if I did, I wouldn’t be interested in the sort of administrative role where certifications like CISSP (Certified Information Systems Security Professional) are often sine qua non.

Nonetheless, I still feel that (ISC)2 does a darn good job of giving IT security professionals the opportunity to demonstrate their competence by meeting the strict criteria necessary to put the letters CISSP (among others) after their name, and I haven’t forgotten how demanding the exam was!

I actually went that route for two main reasons: one was the fact that when I was in the later stages of my security work for the UK’s National Health Service, I was given the opportunity to be sponsored for CISSP certification*, and I knew that it was likely to help me find another job in the same area. (As it happens, I eventually found myself working in the much more specialized antimalware industry as a consultant for ESET, but I certainly don’t regret taking the opportunity to refresh and extend my knowledge far beyond the borders of malware, which had already become one of my specialities.) (I don’t think that it did ESET any harm that I was able to write on their behalf with some pretence of authority about a wide range of issues, either.)

The other factor was that I was already well acquainted with the work of Robert Slade, my longtime friend and sometime co-author on Viruses Revealed, who has done a great deal of work for (ISC)2 and had certainly made me aware of the advantages of qualifying as a CISSP.

While Rob is, as he puts it, “ostensibly retired” (after nearly four years, I too still find myself unable to stop writing about security altogether!), he’s in the process of making available some vital information that any CISSP candidate will surely appreciate in the form of bitesize videos. As well as providing links for all that information (and other sources), he’s also summarized the reasons why a security professional should consider CISSP certification in a hugely useful blog article here: CISSP seminar (free!)

Highly recommended.

David Harley

*As it happens, I also got the opportunity to qualify as a BS7799 auditor, but I never actually made use of that qualification. Still, I used to be able to sound as if I knew something about it. 🙂