Nigerians Just Don't Know When to Quit

This is an interesting piece of phishing here. My wife and I are looking for a new place to hang out hats as our lease is up for our apt. and we aren't too pleased with our current place. We look at a variety of places, including craigslist. Here's one that is really kind of strange.

I won't reveal the posting, but basically it was a house for rent in a city near us. It looked like a great deal (too great honestly), but I thought "why not, if it is on the up and up then we win". So I sent an email to the person without giving too much info:
Hello Nannette,

My wife and I are interested in the apartment that you have advertised on Craigslist (PostingID: xxx). We would like to view the house, hopefully soon (maybe this weekend). If you have time or need information from us, please reply, I'd be happy to provide anything necessary.

Looking forward to hearing from you,

Needless to say, I was hoping that revealing my email address wasn't too much. Hoping to hear from a nice old lady or something, here is the response that I got:

Hello Dear,

Thanks for the email. I own the house and also want you to know that it was due to my transfer to ( West Africa , Nigeria ) that makes us to leave the house and also want to give it out for rent and looking for a responsible person and God fearing person who can take very good care of the house in my absence.we are not after the money for the rent but want it to be clean all the time and the person that will rent it to take it as if it were its own.

So for now, I am here in West Africa and will be staying here for the next 3years in our new house and also with the keys of the house for rent, we try to look for an agent that we can give this documents and the keys before we left but could not find, and we as well do not want our house to be used any how in our absence that is why we took it along with
us.

We came over to Africa for a missionary work, so i hope you will promise us that you will take very good care of the house. So get back to me if you know you could take care of our house or perhaps experience you have in renting home.Hope you are okay with the price of $900 per month and the security Deposit is $500 and the first month rent will be $1,400.Get back to me with the rental application. You can go ahead and view the house but note that you will not ba able to view the inside of it because of security reason here is the address bellow:([redacted]).Please if you are ready now to occupy the house kindly provide the information below for record purpose

PLEASE TELL US ABOUT YOURSELF
Full Name_______________________________
Home Phone ( ) ________________________
Cell Phone ( ) ___________________
Date of Birth_____________________________
Current Address________________________
City____________State______ Zip______
Reasons for Leaving____________________________Rent $________
Are you married____________________________
How many people will be living in the house___________
Do you have a pet____________________________
Do you have a car____________________________
Occupation____________________________
Move In Date____________________________
Are you moving in with your furniture_______________
A picture of occupant _______________
How soon can you make the payment_____________
How soon do you want to receive the keys and the document______

pets allowed.

Thanks and Remain Blessed.

At least they made it sound like a nice old lady... [delete].

Now I'm regretting sending the message from my actual email address. Oh well, such is life. Here's the thing that I just don't get. Is someone really living there? Are they going to see a bunch of strangers peeking in their house? Is the house unoccupied? Does it even exist? My curiosity is making me want to go house hunting.
Posted on 2:46 PM by Tim Cronin and filed under , | 104 Comments »

Blogging and twittering

Hi All,

Although it may seem like I've been gone a while, I have actually been blogging elsewhere. I have been contributing regularly to blog.astaro.com. I haven't been posting here, well, because I simply don't have time for both ;o) I will see if I can repost to my blog here. Most articles are written as general commentary and tips for tech generalists that don't focus on security all day, but need to be mindful of basic security issues.

Also, I am now on twitter. Follow me @tccroninv

On a personal note, Ben is growing up way too fast. He is talking up a storm, potty training, getting really really tall and just simply being the average 20-month-old. He is the best thing ever. In the history of ever.
Posted on 1:10 PM by Tim Cronin and filed under | 15 Comments »

Going Around In Circles

Let's not start that again...

As of late there has been a heated debate among the community that various forms of standards and compliance are effective/ineffective at actually securing systems and networks. Just a quick note:

First post I read today is from Ascension Risk Management. There was a point/counterpoint that was detailed that, suffice to say, leaned towards the fact that standards and compliance are not effective. In order for something resembling standards to be effective, it must be made too narrow or not actionable. This is a good argument, but it doesn't tell the whole story.

The next blog post I read is from Emergent Chaos. This post was about the fact that after Former/embattled/kind-of/not Senator Norm Coleman's campaign's infrastructure was broken into, and there may possibly have been a breach, donors found out via Wikileaks, rather than the campaign. One quote sticks out:
We need public, documented and debated standards of how such decisions should be made. With such standards, organizations could better make decisions about risk. Additionaly, both regulators and the public could be more comfortable that those piping up about risk were not allowing the payers to call the tune.
So within the same day, there is one school saying that standards are ineffective and there is another stating that we need more standards in order to shuffle through the varied methods people use in regards to security related tasks. What a vicious circle.

I am on the fence. I think that without standards, there are a good amount of small and medium sized businesses that would have no security or extremely lax security. Standards do help to push these organizations into doing more to protect data. On the other hand, with a competent security practitioner, these standards are simply "fill in the box" tests that people adhere to. That security practitioner is likely doing things to secure the infrastructure more than the standard accounts for.

I think standards are simply not scalable. If there must be policy, it should reflect the end result, not the means. It is better to say "you are liable for any breach that occurs" than "you are not allowed to have SSLv2 on your hosts". In this way, it should create an incentive to have network owners and operators think about how to go about security. If there's a breach, they are liable, after all.
Posted on 5:09 PM by Tim Cronin and filed under | 1 Comments »

Thoughts on Conficker


well, if you can call them thoughts

Long time since my last post. There has been a lot going on in the personal aspects of my life. One of the things that I am happy about, though, is that Red Sox baseball is now in full swing. Today is the first of the infamous Red Sox/Yankees games.

So, speaking of Conficker...

Today's game is turning out to be as hyped up with no results as Conficker. Even the blogosphere is less active about Conficker Since April 1st. Admittedly, this worm is the first really widely spread worm since my intro to the technology industry. I was expecting to hear of/see infections first or secondhand, but I have not. While I'm happy the Conficker was contained in my area of the planet, It was hyped up quite a lot.

Today's game is not going so well for the hype either. Joba Chamberlain's outing was uneventful. This is similar to the April Fools Day event. Lots of hype, but no substance. In fact, Youk was walked twice - not beaned.

All of that being said, today's game will have a winner and there will be some events that are worth cheering or booing. This is like Conficker - there is substance, but it is not in the exciting, ratings grabbing manner. Daily attendants of either will find something interesting and there will be something new to learn.

Edit: This game (and the series as a whole) was actually quite exciting. Maybe the best is yet to come from Conficker...
Posted on 9:11 PM by Tim Cronin and filed under , | 2 Comments »

Happy April Fools' day!

Quick Update: Conficker did not display "Happy Birthday Vovo!" like I had hoped. (nor did it do much at all - but that doesn't mean it is any less troublesome).

My favorite new April Fool, the funny RFC, actually make a little bit of sense this year. In the past, it told you how to send IP in the most efficient manner to how to monitor your network properly. This year it is a way to teach IPv6 and get more IP addresses out there. It is a joke, because these addresses are not "real" but it's an interesting thought. I think I will use the analogy to explain IPv6 from now on... (I'll always give credit to rfc 5514). They actually made a facebook app :o)

Google introduced an automated you for gmail, but I liked the printed and mailed emails idea better (from a previous year).

And in case you want squeeze bacon, see ThinkGeek
Posted on 10:46 PM by Tim Cronin and filed under | 2 Comments »

My Conficker Note

Sorry for not posting for a bit, my personal life has been busy lately (we moved, hopefully the last time for a long, long time.).

There has been a lot said about the Conficker (downadup, kido, april fools day worm, etc...). I can't really add anything new that hasn't already been said on the Security Bloggers Network. What I would like to say is that I hope that what it does is simply make all the infected computers say "Happy Birthday, Vovo!" because the now infamous April 1st target is my Vovo's birthday and I always for get to call. (If it does do this, I swear, I didn't make it happen...).

(Yes this is my sense of humor, and if you like it then I am your friend for life - nobody gets me :o)
Posted on 12:34 PM by Tim Cronin and filed under | 9 Comments »

"Google Hacking" made easy

sort of...

A lot of people use Google to find information on a "target" or "mark". A lot of times this is either a person, organization or machine. If your mark is a person, there is now a web service that can do this easily, www.pipl.com. The New York Times outlines this with the article When Googling a Person (or Yourself) Isn't Enough.

Okay, so these services have been around and the end of the world didn't show up. This is a typical kind of piece that is important to know about, but not to lose sleep over. The information that Pipl finds is not generated by searching databases that are normally off-limits. It does dig a bit deeper than google does by default, but all the info is still public. The bigger question when you find something about yourself that you didn't expect is how did the original recipient of this information make it public and why did I not know.

I think Pipl is a good thing because it allows average people find information that nefarious people may have found anyways. Thoughts?
Posted on 2:37 PM by Tim Cronin and filed under | 1 Comments »