Sorin Mihailovici is making a movie about the Nigerian scammers.
419: the Nigerian Scam is about the scam e-mails that people receive daily. The Internet is flooded with e-mails promising money-making business proposals, lottery win notifications, and fabulous inheritances. This is the story of how one man’s involvement with such an Internet scam ruined his life. Before I started shooting, I myself exchanged a few e-mails with real scammers from Nigeria and Ivory Coast. They even sent me “documents” certifying all kinds of positions and deals that they have. The inclusion of this real correspondence with the scammers gave an added level of realism to my film.
— Heckle Spray
I hope the movie goes viral and makes it onto CNN and all the major news outlets, so that people will be cautious about the traps set in the web’s ruthless anarchy, the price of the true freedom that is available only in the newly discovered digital landscape.
While I don’t think an ‘eye for an eye’ type justice will come to all of the third world country online scavengers, I do believe there is hope for potential victims. My hope is in the spark of awareness that can be ignited by media like Sorin Mihailovici’s movie or this little blog. If I can help even one person NOT send a penny to an online liar, then I feel like these words I publish are worth it.
*O.k. This one is pretty funny. Number one, “Congratulations” is spelled wrong. But the funniest part is that the IRS does not give money for surveys. They do not care that much about what we think. BTW, if you have this email, the links and surveys in it are phishing sites.*
Subject: IRS Online Survey ID :
Date: Tue, 21 Oct 2008 17:07:34 -0400
You’ve been selected to take part in our quick and easy 9 questions survey
In return we will credit $90.00 to your account – Just for your time!
Please spare two minutes of your time and take part in our online survey
so we can improve our services.
Don’t miss this chance to change something.
To participate in this survey Click Here
This notification has been sent by the Internal Revenue Service,a bureau of the Department of the Treasury.
© Copyright 2008, Internal Revenue Service U.S.A.
▪ If you received this message in your SPAM/BULK folder, that is because of the restrictions implemented by your ISP
▪ For security reasons, we will record your ip address, the date and time.
▪ Deliberate wrong imputs are criminally pursued and indicted.
Survey ID :
HA! They almost got me! I had a $150.00 USD check ready made out to “Corporate Compliance”. The envelope was wet with my spit and just about to be sealed until I read the print in bold at the bottom:
Requirement code 3001. This is a Solicitation for the order of goods or services, or both, and not a bill, invoice, or statement of account due. You are under no obligation to make any payment on account of the offer unless you accept the offer. Requirement B&P Code 17533.6 This Product or service has not been approved or endorsed by any government agency, and this offer is not being made by an agency of the government.
Translation: You don’t HAVE to send us money.. we are not affiliated with the government.. we just want your money.. our service is that we are asking for money. *SCAM*
Annually, I have to file documents to keep my corporation compliant with state & federal law. Although I know this is something that can be done online with my state (Colorado), I usually procrastinate until I completely forget about it. So it is convenient to get the occasional mail reminding me to file. The state usually sends a postcard with a reminder and a link to their .gov site. The “Office of Corporate Compliance” sends a message telling you the importance of filing your “Annual Corporate Minutes”. They offer to do it for $175 (check or money order). The only problem is that states don’t require minutes to be filed with them. You are supposed to keep minutes and other corporate records, but they are not submitted anywhere. My state requires a re-statement of my Articles of Incorporation (annually, over the ‘Net).
I’ll hand it to them, the “Office of Corporate Compliance” seal looks authentic at a glance. Once I found out that this was indeed a scam, I realized that they could be doing this in EVERY single state and making a small fortune. If you Google it, you’ll see that they really are doing it all over the nation. They’ve probably been doing it for years.
My question is, how and why has this been allowed to flourish? Each state puts out some sort of canned response about it:
Recently, an entity calling itself “[STATE] Corporate Compliance” mailed solicitations entitled “Annual Corporate Minutes Compliance Filing” to numerous [state] corporations. This solicitation offers to complete corporate meeting minutes on behalf of the corporation for a fee. Despite the implications contained in the solicitation, [state] corporations are not required by law to file corporate minutes with the Secretary of State.
Why can’t the state governments come down on this 50-state scam? Perhaps the “Corporate Compliance” wording is such that neither the states nor any other government body can do anything about it.
Here’s how I think their scam works:
1) They set up a P.O. Box in each state with the corresponding state header on envelopes and letters.
2) They search each state’s corporate database for corporations with the status delinquent or non-compliant (this means the corporation in question did not restate their annual articles of incorporation).
3) They send the appropriate state letter to the delinquent corporations.
4) The corporation pays and sends the check to the P.O. Box that is already typed on the self-addressed envelope inside.
5) The P.O. Box forwards to the real address of the creators of this system (or franchisers).
Reverse PO Box Lookup
US Post Offices will disclose the forwarding location of a corporate entity’s PO Box. So I think I will do one and advertise them right here on this site. I think that there is only one company (or group) behind this mail fraud.
Who is Corporate Compliance Filings, Inc?
I did a Google search for the company and came up with only one organization named Corporate Compliance, the name The Office of Corporate Compliance asked to be put on the checks. The only way they can cash the check is to have an actual corporate entity. Here it is: http://www.corporatecompliance.com/ –> Although there should be a crime against having a terribly shitty 90’s site, I can’t yet pin the scam to these guys… I simply don’t have any evidence at all pointing to this particular site.
When I did a search on the New York business database (where this 90’s Internet Corporate Compliance is from) I noticed that there were two entities with that name: CORPORATE COMPLIANCE FILINGS INC. (foreign entity) & CORPORATE COMPLIANCE LTD (domestic). But then I noticed that Corporate Compliance Filings Inc. is also in the California business database, Colorado business database and all the others. Each one lists other entities or a foreign entity as the registered agent, in an attempt to avoid naming individuals.
If you search the databases you’ll see that they use: CORPORATE COMPLIANCE FILINGS INC., Corporation Compliance Recorder, CORPORATE COMPLIANCE CENTER
Colorado Corporate Compliance
The Colorado Secretary of State’s office has recently become aware that an additional entity, “California Corporate Services”, has mailed solicitations titled “Annual Minutes Disclosure Statement” to businesses in Colorado. These solicitations are similar to those mailed to businesses by “Colorado Corporate Compliance” and “Board of Business Compliance” titled “Annual Minutes Disclosure Statement” or “Disclosure Statement”. These solicitations offer to process corporate meeting minutes on behalf of the corporation for a fee. Despite the implications contained in the solicitations, Colorado corporations are not required by law to file corporate minutes with the Colorado Secretary of State’s Office.
California Corporate Compliance
In very fine print, the document usually has a disclaimer, such as:
“CA Business & Professions Code Sec 17533.6 This service has
not been approved or endorsed by any government agency, and
this offer is not being made by an agency of the government.”
California Corporate Headquarters, Compliance Division
CALIFORNIA CORPORATE COMPLIANCE
3053 Freeport Blvd #310
Sacramento, CA 94518
State Corporate Compliance
916 J Street
Sacramento, CA 95814-2703
form was 4780C
Corporate Compliance Filings
9175 Keifer Blvd # 336
Sacramento, CA 95826
California Corporate Headquarters
2443 Fair Oaks Boulevard #539
Sacramento, CA 95825
Massachusetts Corporate Compliance
Recently, an entity calling itself “Massachusetts Corporate Compliance” mailed solicitations entitled “Annual Corporate Minutes Compliance Filing” to numerous Massachusetts corporations. This solicitation offers to complete corporate meeting minutes on behalf of the corporation for a fee. Despite the implications contained in the solicitation, Massachusetts corporations are not required by law to file corporate minutes with the Secretary of State.
Georgia Corporate Compliance
Secretary of State Handel Alerts Corporations to Potential Scam
Atlanta, GA—Recently, an entity calling itself “Georgia Corporate Compliance” mailed solicitations entitled “Annual Minutes Disclosure Statement” to numerous Georgia corporations. This solicitation offers to complete corporate meeting minutes on behalf of the Georgia corporation for a fee. Despite the implications contained in the solicitation, Georgia corporations are not required by law to file corporate minutes with the Secretary of State.
New York Corporate Compliance
Texas Corporate Compliance
Recently, an entity calling itself “State Corporate Compliance” mailed solicitations entitled “Annual Corporate Minutes Compliance Filing” to numerous Texas business entities. This solicitation offers to complete corporate meeting minutes on behalf of the Texas business entities for a fee. Despite the implications contained in the solicitation, Texas business entities are not required by law to file corporate minutes with the Secretary of State.
Oregon Corporate Compliance
Better Business Bureau takes a look at Corporate Compliance
Privacy is dead and getting deader. So who killed it? We did. We killed it with our nature. We like our tools & technology. We can’t go without our GPS and SIM-card-loaded cell phones. We don’t really think about how cell phones can be easily tracked and tell so many intimate details about where you are and who you’re talking to.
We love convenience, so how can we go without our Google, Yahoo, MSN searches and our access to the Internet? Never mind the fact that all of these entities track or even record (and send to the government) everything we do online.
Our nature places privacy last on the list, and convenience and comfort in the top five. I’m not looking down my nose at you. I’m guilty of all of the above privacy sins. I’m not judging your search engine usage or saying you should switch to anonymizers and clusty.com or go buy a phone using an untraceable credit card. I’ve got my tin foil hat in storage next to my year’s supply of MREs and shotguns.
I’m just pointing out the facts. We give our privacy away, to companies, the government and other organizations.
What is a bit bothersome to me are laws that allow the abuse of what we are willing to give in trust. The data we entrust to companies and to federal, state and local government should not be allowed to be misused, whether by violations of the 4th Amendment (use of your online history without probable cause) or by criminal hackers and/or companies selling your information to the highest bidder.
Fair laws that are in favor of the buyer, and adherence to the 4th Amendment. I don’t think this is a reasonable request. I think the CIOs who implement opt-out letters sent to clients expect some amount of respect for the information they put out.
Would be pissed if his financial information was stolen.
I’ve been reading Ray Kurzweil’s The Singularity is Near. It’s been blowing my mind. It’s a detailed account of how, when and why artificial intelligence will outdo humanity (as it is now) in every way in about 20-30 years.
The book is the real deal. It’s over 600 pages with 100 pages of notes. It’s a college course and a 10-course meal.
The first thing you have to realize about Ray is that he is not some kook with a sci-fi idea. His ideas are NOT some sci-fi “original movie” trash cooked up by a team of ex-dungeon-master, fanboy geeks. Kurzweil is a world-class inventor who created the first omni-font optical character recognition system. He is the brains behind text-to-speech and the next generation of music synthesizers (the ones that are able to sound like any instrument).
He is the father of the Law of Accelerating Returns, which describes the exponential growth of technological progress and change.
So far, the most startling idea I’ve read in his book is something I read in a Vernor Vinge article a few years back. Eventually, computers will be sentient and a trillion times smarter than us. I’m not just being sarcastic and throwing out ridiculous numbers (bajillion kajillion) to get an over-inflated point across, I mean LITERALLY they will be a trillion times smarter. If you subscribe to Howard Gardner’s theory of Multiple Intelligences, computers will be able to outdo us on every one of them (plus a plethora of some we don’t yet have the capacity to conceive of). If that doesn’t stir you, how about this? They will eventually build systems (AI) smarter than themselves. That is when they will be so far beyond us that we (in our current capacity) will not be able to comprehend them fully.
Kurzweil is definitely not gloom and doom. He does not predict (for example) that the machines will send Arnold Schwarzenegger back to 1984 to kill Sarah Connors (Linda Hamilton is still safe). In fact, the book is about “when humans transcend biology”.
Now just think about that… “transcend biology”. It gets me thinking of some sort of “Ghost in the Shell” type world where most people are cybernetically enhanced in a hundred ways. Ghost in the Shell is among my favorite anime franchises because it goes to great lengths to describe its cybernetic world. The singularity is a reality in the world of Ghost in the Shell.
It’s a world in which an AI can hack and/or possess anyone or anything with a cybernetic central nervous system. A world where the line between physical and virtual is blurred by visual enhancements and the definition of humanity must be expanded to allow people who are now 90% robotic.
What do I think the Singularity will mean to security? That is a bit of a ridiculous question. It’s like asking: if the sun explodes, what will happen to all the plants? The answer is the same thing that will happen to all of humanity. Perhaps the sun exploding is a bad analogy, because I don’t think the Singularity will feel the sudden need to enslave all humanity, turn us into batteries and lock us in a Matrix-like virtual world. I think it will be more of a collaboration between supercomputer and abacus, rancher and cattle, shepherd and sheep, but not at all like master and slave (well, at least not a BAD master). Those of us unwilling and/or unable to change will be like a novelty item, neo-Amish. The Singularity will hack us and herd us like the consumer, technology-dependent sheeple we have become. And we will do nothing but smile and enjoy our everyday prices.
Speaking of novelty, I can’t help but think of Terence McKenna’s mention of an acceleration of everything in his Timewave Zero theory.
The graph shows at what times, but never at what locations, novelty is increasing or decreasing. According to the timewave graph, great periods of novelty occurred about 4 billion years ago when Earth was formed, 65 million years ago when dinosaurs went extinct and mammals expanded, about 10,000 years ago after the end of the ice age, around the late 18th century when social and scientific revolutions progressed, during the sixties, around the time of 9/11, and with coming novelty periods in November 2008, October 2010, with the novelty progressing towards infinity on 21st December 2012 – wiki
The rate of change is both inevitable and necessary to our nature.
Once again, security is a pissant in relation to the upcoming changes predicted by these modern mathematical prophets, but I will say this: lately things in the Certification & Accreditation world have been changing drastically every 6 months, with each change bringing in a wave of rumors of yet MORE change. The current rate of change is keeping me very employed.
The primary challenges of Internet security have everything to do with balancing accessibility and functionality with the three pillars of information security: confidentiality, integrity and availability.
The Internet has become an indispensable tool for research, commerce, art, education and virtually every part of modern life. It was the inquisitive, intelligent, intuitive and creative nature of humanity that created the Internet, and it’s those same qualities that put individual systems linked directly to the Internet in peril. The three pillars of information security are at stake for all systems with connectivity to the Internet. The challenge is in the implementation of the necessary security controls to achieve those three pillars.
Confidentiality pertains to protecting sensitive information. Sensitive information can be anything from private user information to classified defense data. Many organizations live and die by the protection of proprietary information from competitors. During wartime, the armed services literally LIVE or DIE based on how well certain sensitive information is guarded. In the US Department of Defense this is called Operational Security. Since the Internet is a critical part of the DoD (and defense organizations around the world), confidentiality is a HUGE challenge for their information systems exposed to the Internet. Some of the threats to their systems include: social engineering, leaks of information and accidental release of sensitive data. All of these threats can be enabled via the Internet.
Organizations must educate their users who have access to sensitive information. I’ve heard some security professionals say that educating users is bad.
But if your users have access to sensitive information (and need to have that access to do their jobs) it is imperative that they not only know WHAT is sensitive, but WHO it can be given to, WHEN it can be shared, HOW it can be shared and WHY it can be shared.
Data integrity is very important to all systems passing data on the Internet. Integrity has to do with whether or not the message on the other end of your connection is the same one you actually sent. Whether it’s your passwords being passed to your bank or the DoD passing data over the Internet, the integrity of the data is imperative. It’s often taken for granted until we send an email and the receiver says they got it but the message can’t be read. Sometimes if a message is garbled or malformed it simply won’t reach its destination. If the integrity of a message cannot be protected in some way, or verified and checked, it is possible for someone to intercept your message, alter it, and send it on its way. Integrity is especially critical in banking and financial transactions, which is why encryption and authentication take on such an important role for sensitive transactions such as ATM withdrawals and online banking.
The challenge to maintaining Internet integrity is to ensure that link is encrypted when necessary.
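As an added illustration of the integrity point above (example code written for this page, not from the original post), the Python below compares an unkeyed hash with a keyed HMAC as an integrity check on a constructed bank transfer message. The message text, the shared key and every function name are assumptions made for the example.

```python
import hashlib
import hmac

# Constructed sample message (not from the original page): a transfer request
# as it might be sent from a customer to a bank, plus an altered version.
ORIGINAL = b"transfer amount=100.00 to=ACCT-1234"
TAMPERED = b"transfer amount=9000.0 to=ACCT-9999"

# Shared secret known only to sender and bank (constructed placeholder value).
SHARED_KEY = b"demo-shared-secret-key"


def unkeyed_digest(message: bytes) -> str:
    """Plain SHA-256 over the message: catches accidental corruption only,
    because anyone who can change the message can recompute the digest."""
    return hashlib.sha256(message).hexdigest()


def keyed_tag(key: bytes, message: bytes) -> str:
    """HMAC-SHA256 over the message: catches corruption AND deliberate
    alteration, because producing a valid tag requires the shared key."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_unkeyed(message: bytes, digest: str) -> bool:
    """Receiver-side check for the unkeyed scheme."""
    return hmac.compare_digest(unkeyed_digest(message), digest)


def verify_keyed(key: bytes, message: bytes, tag: str) -> bool:
    """Receiver-side check for the keyed scheme; compare_digest avoids
    leaking information about the tag through comparison timing."""
    return hmac.compare_digest(keyed_tag(key, message), tag)


def accidental_corruption_caught() -> bool:
    """A single bit flipped in transit: even the unkeyed digest notices."""
    digest = unkeyed_digest(ORIGINAL)
    corrupted = bytearray(ORIGINAL)
    corrupted[0] ^= 0x01  # simulate a one-bit error on the wire
    return not verify_unkeyed(bytes(corrupted), digest)


def deliberate_alteration_passes_unkeyed_check() -> bool:
    """Why a plain hash is not enough: an intermediary who rewrites the
    message can also rewrite the digest, so the receiver's check passes."""
    forged_digest = unkeyed_digest(TAMPERED)  # no secret needed
    return verify_unkeyed(TAMPERED, forged_digest)


def deliberate_alteration_caught_by_hmac() -> bool:
    """With HMAC the intermediary lacks the key, so the best it can do is
    forward the original tag with the altered message; the check fails."""
    tag = keyed_tag(SHARED_KEY, ORIGINAL)  # attached by the sender
    return not verify_keyed(SHARED_KEY, TAMPERED, tag)


if __name__ == "__main__":
    print("accidental corruption caught:", accidental_corruption_caught())
    print("alteration slips past plain hash:", deliberate_alteration_passes_unkeyed_check())
    print("alteration caught by HMAC:", deliberate_alteration_caught_by_hmac())
```

The same split applies to the banking traffic the post mentions: encryption keeps the transfer confidential, but only an authenticated check like the HMAC here tells the bank the amount it received is the amount you sent.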
If there is no availability there is no mission, no business, no functionality. One of the major challenges of Internet security has been Denial of Service attacks. A Denial of Service attack is when your system on the Internet (or within a network) is flooded with useless traffic such that no one else (not even you) can use it. With a misconfiguration, a denial of service can happen by accident. It’s important to test the availability of an online system. It’s also a good practice to see what kind of availability and access you are giving. After all, too much availability can compromise the security of your system.
Most challenges of Internet security can tie into one or more of the big three: confidentiality, integrity or availability. With those in mind most challenges can be overcome. But the double-edged sword of security is that its very nature on the Internet is to constantly change and evolve with the Internet. The constant change of threats to those three aspects of security is perhaps the biggest overarching challenge.
I just wanted to share my eHarmony experience with the world so that unsuspecting single women can be alert to this kind of dating scam. This scam was pretty smooth…to an extent. It didn’t work on me but I don’t want anyone to fall for it.
Here’s the story. I was a member of eHarmony and was matched to a nice man with similar interests, etc. We went through the eHarmony process and eventually started open communication on our own. We communicated through email, yahoo messenger, and later by phone. This process took months. He said he lived in Tampa and had a little boy. His wife had died tragically during childbirth. This man claimed to be a vet who worked as an independent contractor for the World Animal Health Organisation. He had just recently moved to Tampa he said. He said he was Greek but went to college in England. I live on a farm and know a lot about animal health, plus I am a scientist currently working in the health care industry. I am educated and somewhat bright.
He was a very sweet guy…sent some nice pictures of himself and his son, said all the right things, wrote a lot–he played his part well. I was skeptical though for the following reasons: he began most of his correspondence when he was “out of the country on assignments”. The first “job” he spoke of was in England. I asked about his son and school and he said that he hired tutors wherever he went to educate his child during these trips because he couldn’t stand to be without him. I thought this odd since that would be extremely expensive and a difficult way to raise a child. How would this child receive credit for his education from multiple countries? hmmmm; next for a person with an advanced education it seemed his English, spelling, writing, etc. were quite poor. Now we all get sloppy during instant messaging and emailing but this was worse than expected; when asked about his job specifics he was vague–the connection would be lost, he didn’t answer or his answers were kind of “off”. I have a farm with horses, chickens, cats and dogs, I know a lot about animal health and had some questions for him and his answers were not as expected. I also received vague information on the organization he worked for; he said he had his main residence in London, England…was still in the process of getting set up in Tampa Florida.
Suddenly, he had a job in Nigeria– vaccinating an endangered species of peacock? The “reserve” was just outside of Lagos…scam city. He was charming and very attentive. Talked a good game. Claimed to be in love with me (how you can be in love with someone you never met over the internet, I’ll never know). Wanted to give me the world. Too good to be true. He even started to call. Once from England and then from Nigeria. He had somewhat of an English accent mixed with something else…the connections were always bad and he was difficult to understand. It was hard to hold a conversation. That and the time difference… we mostly stuck to email and chatting. He did make it more realistic by having a child talking and laughing in the background during one of his calls (his “son”). I wasn’t entirely convinced he was real but he had me going to an extent. I wanted very much for him to be real. He asked me to send him something personal so he “could feel closer to me”. He wanted my iPod filled with all my favorite music or a digital camera so he could share his experiences with me (he can afford tutors but not a digital camera???). He gave me the hotel “address” to send the package to. It was a PO Box. I sent a package. It contained a little gift I had made (nothing of value) and a handwritten letter. He kept asking me what I had sent and I said it was a surprise–surprise sucker, nothing of value here.
The Nigerian thing bothered me. I started surfing the net and read about all the scams. His project seemed to take weeks. He had every excuse. He never gave much detail. I waited for the “big emergency” to come up that would lead him to ask me for money. I hoped it wasn’t true but I knew it was going to happen.
After nearly a month it happened. He claimed to have made a medical mistake administering the vaccine to the rare birds. He said he made a dosage error. I asked him the specifics and sadly he didn’t know enough to answer my questions correctly. I know a lot about vaccines and birds. He claimed about 150 birds became ill because of his error and he was panicked because his career was at stake. He said he talked the reserve workers into staying quiet about this while he “contacted someone in China to request a medication that would make them better.” At this point, it was a huge joke but I kept up my side to see where it went. So sure enough, he kept quiet for a few days to make me worry a little, then told me he had sent almost all his cash to China for this medication–which much to our relief saved all of the fictional birds! Amazing! Now, however, he was broke. He had almost no money. He saved his career and reputation but he was in trouble. Couldn’t pay his hotel bills, food, transportation…what a mess. He at first claimed there were no banks (Lagos is a huge city–the commercial/industrial hub of Nigeria, EVEN my bank has a branch there!) I pointed out that that couldn’t be true and then he broke down and “confessed” to me that he didn’t have any freed up cash in his London account…all of his money was in stocks and bonds! REALLY? I WAS SHOCKED! Even his credit card was no good…he had it canceled because of illegal activity (probably his). He said he didn’t have time to get a new one and besides he said “I’m in a third world country, no one takes credit cards here”. Wow, in a city of that size? Horrible. BTW, the hotel he gave me didn’t check out right. The address he gave didn’t match the address on the internet and it wasn’t in the right area of Nigeria. What could I do? He then asked for a “loan”. I told him at first I couldn’t pay but later decided I wanted to get as much info as I could from him so I could post it on every web site I could find.
So I wrote a sweet letter saying I was so worried for him that I asked to borrow the money from a family member and wanted to get it to him as soon as possible. What did I need to do? He wrote back and asked for $1000 to be wired via Western Union (sound familiar?). I claimed I was worried about that (gee, no banks but we have Western Union, hmmm) and would feel more comfortable sending the money directly to the hotel– what was that address and phone number? A phony address was given but not a phone number. He “couldn’t find it and would have to give it to me later.” I insisted that I needed it to properly send the package. Then he said “he was going to be too busy with lectures and meetings to keep a watch for it at the hotel and that I maybe should just send it to his driver (a man he has known only for a month?)” I argued that was unwise but then later asked for that name and address. I’m waiting for that to be emailed. He wanted to know when the money would be sent. I said in a few days. Then connection was lost again and I couldn’t finish my conversation. I’m not sure I’ll hear back from him now. I think he knew I was on to him. Anyway, here is what he has given me so far. I’ll bet he has 10 other women going on this same story as we speak!
Damon A. Basinas
Age: 41 birth date 08/12/67
Son: Milo birth date 08/10/2000
Cell Phone: 234-803-347-4079
136 Gilbourne Road
Plumstead, London SE18 7NX
Nigerian PO Box 3537
Apapa, Lago Nigeria
WhiteLeaf Hotel & Suites
14 Devon Drive
Ikeja, Engu Lagos Nigeria
(this isn’t the hotel address)
Western Union site:
I have pictures too of some good looking man with a cute kid. Says he was educated at Yorke (should be spelled York) University, England. Says he has three dogs and a place in Tampa Florida. Wife died in childbirth. Mother raised him on her own in Greece. Mother died of breast cancer in 1995. He moved to England for school in 1985. It just goes on.
So everyone, be careful! Don’t EVER send money. I will post an update if he gets back to me with any more info, but I doubt I’ll hear from him. I was duped to an extent but don’t feel bad because I didn’t fall for it or lose any money. He was a great actor but just not good enough. The only thing I lost was a little time and energy. I know others weren’t so lucky. I’m off now to post this EVERYWHERE I can LOL.
If you are looking for real relationships online, here are some good resources on how to make it happen!
This is a follow-up to my post Why is Internet Safety Important.
Dangers of the Internet are relative to the perspective of those accessing it. That is to say, on the Internet “dangers” are completely dependent on who is accessing what data from where and what their intentions are for accessing it. For example, researching a list of poisons could be considered a “danger of the Internet” if a seriously disturbed person intends to kill his or her spouse. On the other hand, if a parent is just wondering what household products are poisonous with the intention of protecting her children, can that be considered a danger?
So protection from dangers on the Internet should be proactive and involve human judgment at some level. Policies must be written, planned and implemented in advance or ad hoc to suit the environment and the users accessing the Internet. Children at a school with access from the classroom will more than likely be different from employees at a skating rink.
Even the items commonly considered dangers on the Internet relate directly to how much access individuals and organizations allow to and from the web. Common “dangers” may include (but should not be limited to) the following:
Accessibility to personal information – applies to educating users on the dangers of putting personal information on the Internet and protecting organizational databases
Sensitive data – For a school, sensitive data is likely linked to the grades and personal information of staff and students, but for a business sensitive information could include proprietary information that would hurt the bottom line if it were leaked to competition.
Financial fraud & criminal hackers/scammers – This applies to educating users about criminal hacker techniques such as malware, social engineering, email and website phishing
The access of impressionable and/or psychologically disturbed individuals to potentially harmful and destructive information – This is rather subjective; however, it should be a concern to schools from elementary through college, rehabilitation facilities and mental institutions. There are ways to block certain obvious material with web-blocker type applications, but no one can stop them all. Monitoring is a must if this danger is to be handled seriously.
The risks and damage of these dangers are dependent on the environment & the users involved. It is up to the system owners to ensure that the policies are properly planned, implemented and maintained as exposure to any Internet danger can disrupt the safety, mission and/or values of an organization or individual.
That which does not kill us makes us stronger.
In the November 2002 Information Security Magazine article “Infosec’s Worst Nightmares,” Ed Skoudis lists the Top 5 Worst Attacks of 1998 – 2002. Mr. Skoudis is one of the founders of Intelguardians Network Intelligence, LLC and is a handler at the very popular Internet Storm Center.
Mr. Skoudis mentions that the top five major destructive attacks of 1998 – 2002 made many industries “battle-tested” and more likely to be proactive rather than reactive. Skoudis’ five-year worst list is based on exploits that shook our very faith in the Internet and the security of e-commerce.
1. Code Red (2001). On July 13, 2001, the worm attacked Microsoft IIS systems. By July 19, 2001, the worm had affected over 350,000 systems. SANS and the Honeynet Project set up honeypots to capture the worm, but eEye Digital Security programmers did the most intense research on the worm and also named it. The worm exploited a vulnerability in the indexing software distributed with IIS, described in Microsoft’s MS01-033 patch. It was a buffer overflow attack. Some of the lessons learned: keep systems patched, use honeypots to capture malware, and coordinate response to help contain worms.
2. Nimda (2001). Shortly after 9/11, the Nimda worm was unleashed. It caused more financial damage than Code Red. There were rumors that China released it to hurt the US further, but this is unlikely given the nature of Nimda.
While it was bad, it had the appearance of being written by a determined amateur, not a nation-state that spends $1 Billion annually on cyberwarfare capabilities. – Skoudis.
Nimda affected Windows 95, 98, Me, NT and 2000 clients and servers running Windows NT and 2000. It was so effective because it attacked IIS, e-mail, browsers and network shares. This multi-dimensional attack method could mark a trend in future cyberwarfare.
Lessons Learned: The importance of an incident response capability, disabling arbitrary scripts in e-mail and browsers.
3. Melissa (1999) & LoveLetter (2000). Both spread their malware through e-mail propagation. Melissa was a Microsoft Word macro virus and LoveLetter was the “I Love You” virus. Each harvested the victim’s address book to forward itself to more victims, which killed a lot of e-mail servers. Lessons Learned: many companies got serious about implementing anti-virus applications throughout the network.
4. Distributed Denial-of-Service (DDoS) attacks (2000). After all the panic of pre-Y2K, a completely new and unexpected storm hit major sites: Yahoo!, Amazon, CNN, E*Trade, ZDNet and eBay, all by a single child hacker nicknamed Mafiaboy. He had spread zombie flooding agents to hundreds of machines around the world and used them to attack sites with billions of useless packets. Lessons Learned: employ anti-spoofing filters.
5. Remote Control Trojan Horse Backdoors (1998 – 2000). In 1998, the Cult of the Dead Cow hacker group created the Trojan Back Orifice, which initially targeted Windows NT/9x. The tool allowed unskilled attackers to attack any vulnerable system. It also marked the rise of the “script kiddies” and produced a bunch of spin-offs such as SubSeven, NetBus and Hack-a-Tack.
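The lesson attached to the Mafiaboy DDoS item, “employ anti-spoofing filters,” is worth seeing in concrete form. The example below is added here and is not from Skoudis’ article or the blog; it models ingress filtering in the style of BCP 38 on a hypothetical router with two customer interfaces (eth0, eth1) and one uplink (eth2), all constructed for the demonstration. A packet arriving on a customer interface must carry a source address from that customer’s own prefix; a packet arriving from the uplink must not carry a bogon source or claim one of our own prefixes. Zombie flooding agents that forge source addresses are dropped at the edge before they reach the victim.

```python
import ipaddress
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample topology (hypothetical, not from the article): the prefixes
# legitimately found behind each customer-facing interface, plus one uplink.
INSIDE_PREFIXES: Dict[str, List[ipaddress.IPv4Network]] = {
    "eth0": [ipaddress.ip_network("192.0.2.0/24")],
    "eth1": [ipaddress.ip_network("198.51.100.0/24")],
}
UPLINK = "eth2"

# Source ranges that are never valid on the uplink: "this" network, RFC 1918,
# loopback, link-local, multicast and the reserved 240/4 block.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def ingress_verdict(iface: str, src: str) -> str:
    """Return 'accept' or a drop reason for a packet arriving on iface from src."""
    addr = ipaddress.ip_address(src)
    if iface in INSIDE_PREFIXES:
        # Customer-facing interface: only that customer's own prefixes may appear.
        if any(addr in net for net in INSIDE_PREFIXES[iface]):
            return "accept"
        return "drop:spoofed-inside"
    if iface == UPLINK:
        if any(addr in net for net in BOGONS):
            return "drop:bogon"
        # Traffic from the Internet can never legitimately claim our own prefixes.
        if any(addr in net for nets in INSIDE_PREFIXES.values() for net in nets):
            return "drop:spoofed-own-prefix"
        return "accept"
    return "drop:unknown-interface"


def filter_packets(packets: List[Tuple[str, str]]) -> Dict[str, int]:
    """Apply ingress_verdict to (iface, src) pairs and tally the verdicts."""
    return dict(Counter(ingress_verdict(iface, src) for iface, src in packets))


# Constructed sample traffic: legitimate customer packets mixed with a zombie on
# eth1 forging outside sources and an Internet host forging a customer address.
SAMPLE_PACKETS = [
    ("eth0", "192.0.2.10"),      # legitimate customer traffic
    ("eth1", "198.51.100.7"),    # legitimate customer traffic
    ("eth1", "203.0.113.44"),    # zombie on eth1 forging an outside source
    ("eth1", "203.0.113.77"),    # same zombie, another forged source
    ("eth2", "203.0.113.9"),     # ordinary inbound Internet packet
    ("eth2", "10.1.2.3"),        # bogon source arriving on the uplink
    ("eth2", "192.0.2.99"),      # outsider claiming to be our own customer
]

if __name__ == "__main__":
    for verdict, count in sorted(filter_packets(SAMPLE_PACKETS).items()):
        print(f"{verdict:26s} {count}")
```

The filter says nothing about the destination or the packet rate; its only job is to make forged sources impossible to emit from the networks it guards, which is what makes the flooding agents traceable and the reflected traffic attributable.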
Phlashing allows an attacker to damage hardware over the Internet. This is something new and consists of flashing, as in changing the firmware, or the computer code in chips on your motherboard, controller cards or other hardware. Since more modern systems allow flashing firmware over a network for quick updates, this is now an exploitable vulnerability. Previously, you had to “flash” those computer chips from the machine that contained them.
There are security features in hardware to prevent this kind of vandalism, but unfortunately some flaws enable hackers to flash destructively. Phlashing code has already been developed by security researchers and hackers. Phlashing attacks are not easy and will likely not be common; however, it’s a possible glimpse of the coming storm of weapons of cyber destruction.
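The “security features” that should stand between a network update and the flash chip are, at bottom, checks on the image before it is written. The example below is added here and is not from the article or from any vendor’s update code; it models a minimal update acceptor for a constructed image format (a `FWIM` header carrying version and length, the payload, and an authentication tag). HMAC-SHA256 with a shared key stands in for the vendor signature a real device would verify with a public key; that substitution, the format and the key are all assumptions for the demonstration. A tampered payload, a wrong key, a truncated or padded image, or an attempt to reinstall an older version is rejected before anything touches the firmware.

```python
import hashlib
import hmac
import struct
from typing import Tuple

MAGIC = b"FWIM"                     # constructed image format, not a real vendor format
HEADER = struct.Struct(">4sII")     # magic, version, payload length (big-endian)
TAG_LEN = hashlib.sha256().digest_size

# Constructed demo key; in a real device this role is played by the vendor's
# public key held in ROM, not by a shared secret baked into the updater.
DEMO_KEY = b"constructed-demo-key"


def build_image(version: int, payload: bytes, key: bytes) -> bytes:
    """Produce header || payload || HMAC-SHA256(key, header || payload)."""
    body = HEADER.pack(MAGIC, version, len(payload)) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


def check_image(image: bytes, key: bytes, installed_version: int) -> Tuple[bool, str]:
    """Decide whether an update image may be flashed; returns (ok, reason)."""
    if len(image) < HEADER.size + TAG_LEN:
        return False, "truncated"
    magic, version, length = HEADER.unpack_from(image, 0)
    if magic != MAGIC:
        return False, "bad-magic"
    body_len = HEADER.size + length
    # The declared length must account for exactly the bytes received.
    if len(image) != body_len + TAG_LEN:
        return False, "length-mismatch"
    body, tag = image[:body_len], image[body_len:]
    # Authenticate header and payload together, in constant time, before
    # trusting any field in the header.
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return False, "bad-signature"
    # Anti-rollback: a genuine but older image must not replace a newer one.
    if version <= installed_version:
        return False, "rollback"
    return True, "ok"


def flash_if_valid(image: bytes, key: bytes, installed_version: int) -> str:
    """Simulated update path: only an accepted image reaches the flash step."""
    ok, reason = check_image(image, key, installed_version)
    if not ok:
        return f"rejected ({reason})"
    # In a real device the write to the flash chip would happen here.
    return f"flashed version {HEADER.unpack_from(image, 0)[1]}"


if __name__ == "__main__":
    good = build_image(2, b"constructed firmware blob", DEMO_KEY)
    tampered = bytearray(good)
    tampered[HEADER.size] ^= 0xFF          # flip one payload byte
    print(flash_if_valid(good, DEMO_KEY, installed_version=1))
    print(flash_if_valid(bytes(tampered), DEMO_KEY, installed_version=1))
    print(flash_if_valid(good, DEMO_KEY, installed_version=2))
```

The ordering matters: the image is authenticated as a whole before the version field is believed, so an attacker cannot craft a header that passes the rollback check without also holding the key.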
“Phlashing” attacks could render network hardware useless
Most computer security coverage focuses on the PC realm, but Rich Smith, head of HP’s Systems Security Lab, has identified a potential security flaw within a network’s physical hardware rather than a typical desktop or server system. Smith’s report focuses on a class of devices he refers to as Network Enabled Embedded Devices (NEEDS for short), and how such systems could be attacked at the firmware level through a process he refers to as “phlashing.” – more at Ars Technica