Monday, 24 October 2016

Referer Spam

So I noticed some interesting referral URLs in my access stats that are serving malicious redirects. It seems that legitimate sites have been found to be vulnerable to open redirects, and that some bot or other is simply visiting websites while setting the HTTP Referer header to the vulnerable redirect URL on the legitimate site, with the spammer's own site as the redirect target. The legitimate domain is the bait: a webmaster who would never click a link to some random .xyz domain will happily click one that appears to come from a respectable site. Then, when the unsuspecting webmaster clicks through to see why their page is linked to from said site, the open redirect bounces them straight on to some delightful porn, or maybe even some tasty malware. Example URL:

http:// www dot dolcifirme dot com dot au/scripts/redir dot asp?link=http:// dkmhab dot xyz
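As an added example (not code from this post; the hosts and log lines are constructed, modelled on the referer above): a Python script that pulls the Referer out of combined-format access logs, flags any referer whose query string bounces to a different host, and alongside it the allowlist check that a redirect handler like the redir.asp above needed in the first place.

```python
"""Added example (not the post's own code): flag open-redirect referer spam in
web-server access logs, and show the allowlist check the redirecting site
should have applied. Hosts and log lines are constructed for the example."""
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines in Apache/nginx "combined" format, modelled on
# the referer in the post: a legitimate site's redir.asp bouncing to a spam host.
SAMPLE_LOG = """\
203.0.113.10 - - [24/Oct/2016:10:01:02 +0000] "GET / HTTP/1.1" 200 5123 "http://legit.example/scripts/redir.asp?link=http://spam.example/" "Mozilla/5.0"
198.51.100.7 - - [24/Oct/2016:10:02:15 +0000] "GET /about HTTP/1.1" 200 2210 "https://www.google.com/" "Mozilla/5.0"
192.0.2.33 - - [24/Oct/2016:10:03:44 +0000] "GET /post/1 HTTP/1.1" 200 9981 "http://example.com/out?url=/local/page" "Mozilla/5.0"
192.0.2.34 - - [24/Oct/2016:10:04:01 +0000] "GET /post/2 HTTP/1.1" 200 9981 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def redirect_target(referer: str) -> Optional[str]:
    """Return the off-site URL a referer's query string redirects to, if any.

    Heuristic: a query parameter whose value is an absolute (or protocol-
    relative, "//host") URL on a host other than the referer's own host.
    A real redirect parameter may also hide in a path segment or be encoded;
    this covers the common ?link=http://... shape seen in the post.
    """
    if referer in ("", "-"):
        return None
    ref = urlsplit(referer)
    if ref.scheme not in ("http", "https") or not ref.hostname:
        return None
    for values in parse_qs(ref.query, keep_blank_values=True).values():
        for value in values:
            target = urlsplit(value)
            if target.netloc and target.hostname != ref.hostname:
                return value
    return None


def find_referer_spam(log_text: str) -> List[Dict[str, str]]:
    """Scan combined-format log lines; return hits with ip, referer and target."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        target = redirect_target(m["referer"])
        if target:
            hits.append({"ip": m["ip"], "referer": m["referer"], "target": target})
    return hits


# What the vulnerable redir.asp should have done: only follow a link that is a
# same-site path or an absolute URL to an explicitly allowed host.
ALLOWED_HOSTS = frozenset({"legit.example", "www.legit.example"})


def is_safe_redirect(link: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    parts = urlsplit(link)
    if not parts.scheme and not parts.netloc:
        # Relative path: must be a single leading slash. "//host" (caught by
        # netloc above) and "/\host" (browsers treat the backslash as a slash)
        # would both escape to another origin.
        return link.startswith("/") and not link.startswith("//") and "\\" not in link
    return parts.scheme in ("http", "https") and (parts.hostname or "") in allowed_hosts


if __name__ == "__main__":
    for hit in find_referer_spam(SAMPLE_LOG):
        print(f"{hit['ip']} referer {hit['referer']} -> redirects off-site to {hit['target']}")
    for candidate in ("/account", "//spam.example", "http://spam.example/", "https://legit.example/home"):
        print(f"{candidate!r}: {'allowed' if is_safe_redirect(candidate) else 'blocked'}")
```

The Referer is attacker-supplied, so a hit from the scanner is a triage hint rather than proof; check the flagged URL with something that does not follow redirects (for example `curl -sI` on the referer, looking at the Location header) rather than clicking it in a browser. On the redirecting site's side, the allowlist in `is_safe_redirect` is the whole fix: a redirect parameter that accepts any absolute URL is exactly what turns a respectable domain into a spammer's launderer.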

Nice one, spammer scum, and thanks for giving me something to write about, not to mention a great example to talk about next time someone asks why open redirects are such a big deal.

I owe you one!

Saturday, 22 October 2016

Tao of Cyber Part I

Into a soul absolutely free
From thought and emotion
Even the tiger finds no room
To insert his fierce claws

Interpretation: The tiger in this case is the cyber criminal. Your personality is your vulnerability. Your likes, dislikes, interests, pet hates, your emotional response to events, emails, phone calls, physical interactions, incidents, and conversations. Even the people you know and care about, work with, or love, expose you to a potential for social engineering, either directly or by association.

Unless you are a recluse, hermit, self-loathing, bipolar, split-personality schizophrenic, or psychotic, drug addicted social reject, you will not be able to free yourself from this vulnerability. Even then no one is immune.

Taoism might be able to help, but true dedication to the path to enlightenment is incompatible and irreconcilable with modern day life. So how do you go about protecting yourself from social engineering while still having a "life", in the 21st century sense? For me, this is not always straightforward.

From my experience, there are likely several stages to a career in Cyber. These stages can be visualised as a diminishing sine wave, with time along the X axis and "paranoia" on the Y axis.

To begin with, you will no doubt see things in your line of work that open your eyes to the techniques that cyber criminals use. This will make you paranoid for a while.

Later, you will see how careless and dismissive the general population are in their online habits, without any negative repercussions. This will make you relax somewhat, perhaps too much. Perhaps you will rationalise the reduced security as operating appropriately within the current threat landscape, or level of risk.

Inevitably, you will see some bad shit go down, affecting real people, maybe some people that you know, maybe even you. This will send your sine wave back up to a heightened level of security again.

Over time, you might realise that actually, the repercussions of that last incident didn't really affect people too badly. Within a few months, everyone stopped talking about it. And no one died. This will help you to relax again.

Eventually, you will find a baseline of secure practices that are not so difficult to live with, that you can get used to and make part of your daily operations. This might include the use of multi-factor authentication wherever possible, a password manager with unique passwords on all sites, using pseudonyms on Facebook, sticking camera lens covers on your devices, using Tor for sensitive browsing or security research, regularly checking your credit report, signing up for breach notifications at haveibeenpwned, etc.

You will still be wondering if you are doing enough... should you also be using a VPN with Tor? Should you configure a VPN gateway at home for streaming video sources? Should you encrypt your disks at the expense of performance? Do you establish and regularly test an emergency secure data destruction procedure?

If you're not buying or selling drugs, viewing or distributing illegal porn, offering DDoS or hitman services, then the extra effort of such measures is probably unnecessary.

But you must still be aware of these procedures, because you might find that you do need them one day and, of course, they are also the methods that your adversaries will be using.

To conclude with a real life rationalisation of the opening poem excerpt: we are only human. Very few of us go to the extremes necessary in the pursuit of enlightenment, thus sacrificing what makes us human. You must do what you feel is right to protect yourself in your world. Not everyone becomes celibate, carries a gun, or studies martial arts to extreme levels in order to defend themselves against a gang of drug dealers, or a state-sponsored hitman. Likewise, not everyone implements secure online practices to a level that would protect them from a determined cyber attacker or opportunistic cyber thief.

You only need to be secure to the extent that makes you feel comfortable, and that is the end of the matter. When you, or someone you know, suffers a cyber attack, you might decide to up your game a little bit. And so your sine wave of paranoia propagates.

Of course, working and researching in cyber leads to an increased risk profile, and increased baseline level of paranoia. You really should practice what you preach, because it doesn't look great for a security professional to suffer a security breach.

Sweet dreams!