Such a good-looking example of phishing

Take a look at the phish below. In fact, take a look at the source. Anything trigger an alarm?

You can run dig and whois against careerbuilders.com, and do the same against icbdr.com, which supplies many of the images used. Apparently this arrangement is legit, with icbdr.com providing image hosting for Careerbuilders.

But there it is, right in the open: mailto:MarquitaSilvermangh7472we@yahoo.com. Why in the world would anyone working for a company (strangely undefined) with a “high performance business strategy” (I’ll bet) be using Yahoo mail? And notice that the real instructions are to “send us [your personal info] via email.”

We are fortunate, in this case, to see some truly terrible Engfish give away the game. We can’t always count on that. So be aware of the other give-aways that might appear on phishing expeditions like this.

What is the real Control you should be using? Restrict communications to one direction. Sure, let Careerbuilder keep sending you notes and such. Just *never reply to them*. Instead, initiate contact from *your* end for any true conversation, **always**.

Here’s what I got:

This popped into my email today. It is so poorly written I am almost tempted to respond…

X

From: Ann Lauren [mailto:MarquitaSilvermangh7472we@yahoo.com]
Sent: Tuesday, January 11, 2011 9:37 AM
To: X
Subject: CareerBuilder \ For X. Job Offer

Message from Job Poster

CareerBuilder: Assistant Manager Position

Dear X.

Our company is cheerful to propose you our new vacancy. Our team is making a search for Assistant Manager in your city. Hereby we are all excited about the contribution that you could fetch up to our firm.

To begin with, we would like you to discover in summary about our activity. Our enterprise is concerned in a global management consulting, outsourcing and providing IT service.

Combining wide-world experience, total possibilities across all industries and business functions, and extensive research on the world’s most successful companies, we cooperate with the customers to promote them as high-performance businesses. Our “high performance business” strategy implies our expertise in consulting, technology and outsourcing to make clients perform at the perfect level so they can create stable value for their customers and shareholders. Using our industry knowledge, service-offering expertise and technology capabilities, we identify new business and technology trends and develop solutions to assist the customers all around the world. It`s significant that we have many clients located in the USA.

Your base compensation package comprises a monthly salary of $4500 payable biweekly, full medical and dental coverage through our company’s employee benefit plan. At the beginning you will have to cover the 2-week training period, at the end of which you would get paid $1800.

Here is the description of the suggested position:

  • Keeping up correspondence with the local customers
  • Announcement of information to partners
  • Carrying out administration work
  • Conference calls arrangement between the company and clients
  • Analysis, systemization and exploration of complex data
  • Organization of payments straight from clients to our free-lancers by means of international money transfer systems
  • Reckoning up expenses of the company
  • Drawing up tax reports and reports of internal use

Our Assistant Manager should be a gifted diplomatist and an adept in the following fields:

  • Computer skills
  • Usage of Microsoft office programs

Working timetable: from 9 a.m. to 3 p.m. including 1 hour of a break Monday through Friday.
To accept this position please fill out the following facts and send to us via email:
1. Your complete name
2. Your cell #
3. Landline #
4. Your e-mail

We would be glad if you choose our outstanding team to be with and we are induced that you would play a key role in our company’s growth and prosperity. We are waiting for your response,

HR Dept.

You are receiving this employment opportunity email because you uploaded your resume on CareerBuilder.

If your employment status has changed or you no longer wish to receive these emails, you can update your privacy and communication preferences from your resume by logging onto CareerBuilder.com:
http://www.careerbuilder.com/jobseeker/emails/emailsubcenter.aspx

Or you can Block this employer from viewing your resume and sending you candidate emails.

This email was sent from Account ID NKCMAKTRAGJ335R9Y5G and by this logged in User 9A8JZUB1YZLI9EOFULY

DISCLAIMER
Please be aware that the content of this email has not been reviewed or approved by CareerBuilder and is in no way endorsed by CareerBuilder. You are solely responsible for any response you choose to provide to this email and you do so at your own risk. If you have questions regarding the legitimacy of the position being offered please contact the CareerBuilder Trust and Site Security Team by submitting your inquiry to: TSST@careerbuilder.com Please also review common scams and tips for protecting yourself on CareerBuilder’s Fraud Page. If you have questions or comments for and CareerBuilder, please use our feedback form.

So close, and yet so far.
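The checks the post walks through (look at the source, compare the mailto: address against the brand the message claims to come from, and treat “send us your details via email” as the real instruction) can be automated. The script below is an added example, not part of the original post or of anything CareerBuilder ships: it parses a raw message and reports those red flags. The freemail list, the solicitation phrases and the two sample messages are constructed for this example; the yahoo.com address in the first sample is the one the post calls out.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Freemail providers a company recruiter would not normally use as the contact
# address for a job offer (assumed list for this example).
FREEMAIL_DOMAINS = {"yahoo.com", "gmail.com", "hotmail.com", "aol.com"}

# Phrases that ask the reader to hand over personal details by return mail
# (assumed patterns, modelled on the wording of the quoted phish).
SOLICIT_PATTERNS = [
    r"send (?:to )?us via e-?mail",
    r"fill out the following facts",
    r"your (?:complete|full) name",
    r"your cell #",
]

MAILTO_RE = re.compile(r"mailto:([\w.+-]+@[\w.-]+)", re.IGNORECASE)


def domain_of(addr):
    """Lower-cased domain part of an address, or '' if it has none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def in_brand(domain, brand_domain):
    """True if domain is the brand's domain or a subdomain of it."""
    return domain == brand_domain or domain.endswith("." + brand_domain)


def analyze(raw_message, brand="CareerBuilder", brand_domain="careerbuilder.com"):
    """Return a list of (code, detail) red flags found in one raw RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    from_addr = parseaddr(msg.get("From", ""))[1]
    from_domain = domain_of(from_addr)
    subject = msg.get("Subject", "")
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""

    # 1. The subject trades on a brand, but the sender is not on that brand's domain.
    if brand.lower() in subject.lower() and not in_brand(from_domain, brand_domain):
        findings.append(("brand_sender_mismatch", f"subject names {brand}, sender is {from_domain}"))

    # 2. Sender or Reply-To lives on a freemail provider.
    if from_domain in FREEMAIL_DOMAINS:
        findings.append(("freemail_sender", from_addr))
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and domain_of(reply_to) in FREEMAIL_DOMAINS:
        findings.append(("freemail_reply_to", reply_to))

    # 3. mailto: links in the body that point outside the brand's domain:
    #    this is where the real reply path hides, exactly as in the post.
    for target in MAILTO_RE.findall(body):
        if not in_brand(domain_of(target), brand_domain):
            findings.append(("foreign_mailto", target))

    # 4. The body asks for personal details to be sent back by email.
    for pattern in SOLICIT_PATTERNS:
        if re.search(pattern, body, re.IGNORECASE):
            findings.append(("solicits_personal_data", pattern))

    return findings


def classify(raw_message, **kwargs):
    """Return ('suspicious', findings) or ('ok', []) for one raw message."""
    findings = analyze(raw_message, **kwargs)
    return ("suspicious" if findings else "ok", findings)


# Constructed sample modelled on the phish quoted in this post.
PHISH_SAMPLE = """\
From: Ann Lauren <MarquitaSilvermangh7472we@yahoo.com>
To: x@example.com
Subject: CareerBuilder Job Offer
Content-Type: text/plain; charset="utf-8"

Dear X.
Our company is cheerful to propose you our new vacancy.
To accept this position please fill out the following facts and send to us via email:
1. Your complete name
2. Your cell #
Contact us: mailto:MarquitaSilvermangh7472we@yahoo.com
"""

# Constructed sample of a notification that stays on the brand's own domain
# and asks for nothing by return mail.
LEGIT_SAMPLE = """\
From: CareerBuilder <jobs@careerbuilder.com>
To: x@example.com
Subject: CareerBuilder: new jobs matching your resume
Content-Type: text/plain; charset="utf-8"

New positions match your resume. Log in at careerbuilder.com to review them.
"""

if __name__ == "__main__":
    for name, sample in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        verdict, findings = classify(sample)
        print(f"{name}: {verdict}")
        for code, detail in findings:
            print(f"  {code}: {detail}")
```

Run it as-is to see both samples scored, or pass the contents of a saved .eml file to `classify()`. None of these flags is proof on its own; the point of the script is to surface the same mismatch the post found by reading the source, so you can apply the control it recommends: don’t reply, go to the site yourself.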

Gartner: Leaks of confidential information “almost inevitable” for every organization

I work on a lot of Policy and Procedure projects, and lately I’ve been thinking about how often I run into phrases like “threat of virus attacks.” Viruses are clearly a front-line worry for organizations, and certainly they haven’t gone away. But remember your careful Greek parsing of causality: anti-virus is necessary for security (at least arguably), but it is not sufficient all by itself.

Personally, I’m much more worried about data loss. That’s especially true with the research firm Gartner’s proclamation that these leaks are “almost inevitable.” See the ComputerWorld article, “Wikileaks incidents stoke IT security angst” at:

http://www.computerworld.com/s/article/353209/WikiLeaks_Triggers_IT_Security_Angst

Anyone who has studied the workings of penetration-testing toolkits like BackTrack knows how even trivial information can be used to find a weakness. Sensitive business information poses an even greater threat. Perhaps the best line in the piece:

a Gartner Inc. bulletin said that leaks of confidential information — either by insiders or hackers — are “almost inevitable,” so organizations should expect that any memo they create could be disclosed.

Did you get that? Any paper or digital document can and likely will be used against you, in court or surreptitiously. Don’t ask me how I know this.

Mac OSX Hints

Yes, I do love Unix. And I feel the same about Linux, or maybe better. I like Mac a whole lot for many reasons, and I’m a little put off for a few reasons. I even like some features of newer Windows, though it’s not a favorite platform of mine.

What this ends up meaning is I never run into some of the cool features of my Mac. Contributor subnetD dropped me a link to MacWorld’s great Mac hints site:

http://hints.macworld.com/

Very cool site; Control>Shift>Eject, anyone?

If you know of a good spot on the web (relevant to IT and/or Security and/or working in New Mexico), please feel free to submit a link either through the member “submit a link” menu or by email. Thanks!

I am accepting contributions

From time to time I’ve had colleagues give me some great articles they’ve written, many of which I’ve posted to the site, like Kirk’s great RAM Page in the A+ area. I’m opening up this space to contributions from a couple of interested parties, with of course my editorial review. Look at the grey bar at the top of this note: you’ll see the author’s name (in my case Glenn).

Some discussion is, necessarily, best kept anonymous. It may never make any difference if people know you use Barracuda appliances, but then again it may. So unless otherwise noted, these contributors will be known simply by their login names.

If you’re interested in a one-time submission, or ongoing submissions, drop me a line. This page is primarily devoted to the business of IT and working in New Mexico, but also devotes space to the interests of my IT and programming students. And occasionally mine, like my ongoing obsession with security.

Now this is a terrific idea: APC’s proximity card access control for server racks

One of my contributors, subnetD, brought this to my attention:

APC, yes the guys you know for backup power, has an access control system for racks that uses proximity cards for access. The controller itself, on the rack, offers web browser access – meaning you could find out remotely that your server room had been penetrated. You can set up access by user, card and time, for granular controls, and the logging features let you look at exactly who, exactly when.

If I were investing in one of these I’d add a web camera, because I don’t want to have to make a frantic drive to see who just tore my rack open. Read more: http://www.apc.com/products/family/index.cfm?id=347.

CompTIA Security+ Practice Question

In 2010, I passed 4 CompTIA certification exams. In preparing for the exams, I encountered countless practice questions. This one, however, takes the cake:

AAA is an acronym for which of these?

  • Rules for recovering substance abusers
  • An organization that aids travelers
  • A model for scripted internet attacks
  • None of these

-subnetD

And here goes Intel: Outsourcing chipset production to Taiwan

It may be a great investment opportunity. For months the fog has been swirling around a first-time-ever agreement for an outside company to produce Intel’s chipsets. I’ve been pretty sure it was going to be Taiwan Semiconductor. Now the website Electronista is solidifying the rumors with the article, “Intel to outsource Panther Point chipsets to Taiwan?” Read more: http://www.electronista.com/articles/10/12/31/intel.rumored.to.partner.with.tsmc/#ixzz19zjcApRq.

No big deal? No news there? Yes it is. Intel has never done this. It’s opened its own fabs overseas, but it’s never allowed outside companies actually to manufacture its products. And here the floodgates open. Because frankly, it’s much cheaper to produce product overseas. I can understand that; I just hope all these corporations understand that Americans don’t make very good consumers when they’re out of work, losing their homes or working so cheaply it takes two jobs to survive.

So hey, I might be glad to see processors and chipsets become really, really cheap. But the future might not look so rosy if I were working at Intel in Rio Rancho.

Here’s hoping New Mexico’s new governor understands IT

I’m thinking a lot about an article penned by guest editor Mary Kurkjian, published in the Albuquerque Journal (http://www.abqjournal.com/opinion/guest_columns/052250582652opinionguestcolumns11-05-10.htm), titled “New Governor Needs New Management Principles.”

Kurkjian has worked in state management and has been a consultant in 38 states, including NM, so I’m willing to grant points for her authority to speak on the matter. She works her way through several very good points, including the need to appoint people qualified to manage the area of their appointment (something we’ve seen both governors and presidents fail to do), the need to establish and enforce strict professional standards (obviously NM has been aching for this for generations), and the critical need for transparency (which our new governor Susana Martinez has already addressed by her second day in office).

The one that caught my eye was this: Kurkjian suggests reviewing the state’s IT projects, and bringing down the accountability hammer on the agency heads responsible for making them work. She mentions NM’s notoriety for failed IT projects, and the catastrophically failed SHARE initiative. But I’m fascinated by the reasons she sees: under-resourcing of the projects themselves, and under-training of staff users. Why am I interested? Because that’s exactly what I’ve seen in some cases.

Yes, I’ve learned, you can indeed build your own software. If you’ve got a talented team, and management that understands that defining needs clearly and conducting frequent usability tests are critical, this is a great path. But if users aren’t involved, if people can’t understand the software on their screen, ANY project is doomed.

Since a clear understanding of what it takes to develop software in-house is not usually part of an organizational manager’s repertoire of skills, agencies are likely to be more successful at contracting software development to businesses that specialize in it. This brings other problems: some organizations can’t clearly spell out what they need, in some cases not even with crayons. They learn the hard way, by getting software that doesn’t even resemble what they really need, but nicely fits the specifications they themselves wrote.

And yes, you can buy some great software too, though that brings its own risks. Either it can’t be modified, so users have to change their business practices to fit the software, or it has to be modified, creating a long and buggy process that locks you into a single aging version of a product. Ask anyone who has implemented Indus Passport or Banner how painful this is. But it can be done.

What all this means is that NM needs more involvement from state IT departments in clearly defining needs and requirements, performing constant user testing, deciding on change orders if they are (inevitably) necessary, and managing the features and security of the software long before it’s deployed to users.

At least when it comes to the importance of this process, Kurkjian gets it:

“IT is no longer an appendage to government management; it is at the core of it.” – Mary Kurkjian