Palo Alto and Unifi

I.e. Adventures in Networking

I don’t have a lot to say right now, other than I spent *hours* trying to get my new Palo Alto to work with the Unifi Suite.

Little did I realize that Unifi’s concept of a “Native VLAN” means it strips the 802.1Q tag off frames belonging to that VLAN before they leave the port, while the Palo Alto has no concept of a “Native VLAN”: when it receives an untagged frame it delivers it to the parent interface, not to any of the sub-interfaces.

The fix:
– Create a Network Profile that has no native VLAN and tag the VLAN specifically destined for the Palo Interface.

I’m dropping this note here because I could not find ANYWHERE on the internet that explained this; I had to piece it together from lots of different documents about how Unifi, Cisco, Palo, etc. work.

Plus, I’ll probably forget this next week when I go to try and configure my next interface.

09/24/2023 – Also found out the hard way that the IP addresses set on the interfaces themselves have to have a netmask added, or apparently they consider themselves to be in a network all to themselves and won’t route traffic. After troubleshooting, I think this is because the address is acting both as the IP of the interface and as the gateway address for the interface.

At least I can happily say …. it wasn’t DNS!
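To make the two failure modes above concrete, here is an added example in Python (not code from Ubiquiti or Palo Alto, and not part of the original post). It models a switch port that strips the tag of its native VLAN, a router that only maps tagged frames to sub-interfaces, and an interface address with and without a prefix length. The frame bytes, VLAN ids and interface names are constructed for the example.

```python
"""Added example, not from the original post or either vendor: a toy model of
how a switch port's native VLAN interacts with a router that only matches
tagged frames to sub-interfaces, plus the netmask gotcha from the 09/24 note.
All frames, VLAN ids and interface names below are constructed."""
import ipaddress
import struct
from typing import Dict, Optional

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst: bytes, src: bytes, vid: Optional[int], payload: bytes) -> bytes:
    """Build an Ethernet II frame, inserting an 802.1Q tag when vid is given."""
    header = dst + src
    if vid is not None:
        # TCI = 3-bit priority (0), DEI (0), 12-bit VLAN id
        header += struct.pack("!HH", ETHERTYPE_8021Q, vid & 0x0FFF)
    header += struct.pack("!H", ETHERTYPE_IPV4)
    return header + payload


def vlan_id(frame: bytes) -> Optional[int]:
    """Return the VLAN id from the frame's 802.1Q tag, or None if untagged."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_8021Q:
        return None
    tci = struct.unpack("!H", frame[14:16])[0]
    return tci & 0x0FFF


def switch_egress(frame: bytes, native_vid: Optional[int]) -> bytes:
    """Model the Unifi port: a frame on the native VLAN leaves with its tag
    stripped; every other frame keeps its tag."""
    if native_vid is not None and vlan_id(frame) == native_vid:
        return frame[:12] + frame[16:]  # drop the 4-byte TPID + TCI
    return frame


def router_ingress(frame: bytes, subinterfaces: Dict[int, str], parent: str) -> str:
    """Model the Palo Alto side: tagged frames go to the sub-interface for
    their VLAN id, untagged frames land on the parent interface."""
    vid = vlan_id(frame)
    if vid is None:
        return parent
    return subinterfaces.get(vid, "dropped (no sub-interface for VLAN %d)" % vid)


def deliver(vid: int, native_vid: Optional[int], subinterfaces: Dict[int, str],
            parent: str = "ethernet1/1") -> str:
    """Send one frame on VLAN `vid` across a port with the given native VLAN
    and report which router interface receives it."""
    frame = build_frame(b"\xaa" * 6, b"\xbb" * 6, vid, b"constructed payload")
    return router_ingress(switch_egress(frame, native_vid), subinterfaces, parent)


def on_link(interface_addr: str, host: str) -> bool:
    """The 09/24 note: an interface address given without a prefix length is
    a /32, a network of one, so no neighbour is ever on-link."""
    return ipaddress.ip_address(host) in ipaddress.ip_interface(interface_addr).network


if __name__ == "__main__":
    subifs = {10: "ethernet1/1.10", 20: "ethernet1/1.20"}
    print("native VLAN 10, traffic for VLAN 10 ->", deliver(10, 10, subifs))
    print("no native VLAN, traffic for VLAN 10 ->", deliver(10, None, subifs))
    print("10.0.10.1 without mask, peer on-link? ", on_link("10.0.10.1", "10.0.10.50"))
```

Running it shows VLAN 10 traffic landing on the parent interface whenever VLAN 10 is the port's native VLAN, and on the intended sub-interface once the profile has no native VLAN; the last line shows why an address without a mask cannot reach anything.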


Building GnuDisassembler for Ghidra on Kali 2020.3

Let me save you all an hour+ of your life. 

Grab the latest version of Ghidra: https://ghidra-sre.org/

Use the Ghidra GUI to install the GnuDisassembler and the SleighDevTools.

Install the following dependencies on Kali:

– flex
– bison
– texinfo
– zlib1g-dev
– gradle

Download the latest binutils source into your ~/.ghidra/ghidra_<version>/ directory. The link for the right version can be found in the build.gradle file in that directory.

Set your GHIDRA_INSTALL_DIR to the location of your Ghidra install (mine was /opt/ghidra/ghidra_<version>).

Check your version of gradle:

gradle --version

Compare the version of gradle Kali installed to the required version listed in the /Ghidra/application.properties file from the source for the version of Ghidra you installed.

Kali installed version 4.4.1 for me, but the minimum gradle for Ghidra 10 is 6!!

If there is a version difference, download the binary for the right version of gradle and use that to run your build command.

Sad to say, I spent over an hour trying to debug completely ambiguous errors from gradle (e.g. Could not find method get() for arguments [] on platform ‘linux64’ of type org.gradle.platform.internal.DefaultNativePlatform).

gradle build
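Since the ambiguous gradle errors above came down to a version mismatch, here is an added Python script (not part of Ghidra or the original post) that does the comparison before you run the build. It assumes the minimum is recorded in Ghidra/application.properties under the key application.gradle.min (check the key name in your copy) and reads GHIDRA_INSTALL_DIR from the environment; the sample properties text and gradle banner are constructed.

```python
"""Added example, not part of the Ghidra project or the original post: check
the installed gradle against the minimum Ghidra records before building the
GnuDisassembler extension. Assumes the key application.gradle.min in
Ghidra/application.properties (verify in your copy)."""
import os
import re
import subprocess
import sys
from typing import Optional, Tuple

# Constructed samples so the functions can be exercised without Ghidra or gradle.
CONSTRUCTED_PROPS = "application.name=Ghidra\napplication.gradle.min=6.8\n"
CONSTRUCTED_GRADLE_OUTPUT = (
    "\n------------------------------------------------------------\n"
    "Gradle 4.4.1\n"
    "------------------------------------------------------------\n"
)


def parse_version(text: str) -> Tuple[int, ...]:
    """'6.8.3' -> (6, 8, 3). Suffixes such as '-rc1' are ignored and trailing
    zero components dropped so that '6' and '6.0' compare equal."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def version_satisfies(installed: str, minimum: str) -> bool:
    """True when the installed version meets or exceeds the minimum."""
    return parse_version(installed) >= parse_version(minimum)


def required_gradle_min(properties_text: str) -> Optional[str]:
    """Extract application.gradle.min from the properties file contents."""
    for line in properties_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "application.gradle.min":
            return value.strip()
    return None


def installed_gradle_version(gradle_output: str) -> Optional[str]:
    """Pull the version out of the banner printed by `gradle --version`."""
    m = re.search(r"^Gradle\s+(\d[\w.\-]*)", gradle_output, re.MULTILINE)
    return m.group(1) if m else None


def check(properties_text: str, gradle_output: str) -> Tuple[bool, str]:
    """Compare the two and return (ok, human-readable verdict)."""
    minimum = required_gradle_min(properties_text)
    installed = installed_gradle_version(gradle_output)
    if minimum is None or installed is None:
        return False, "could not determine versions (min=%s, installed=%s)" % (minimum, installed)
    if version_satisfies(installed, minimum):
        return True, "gradle %s satisfies minimum %s" % (installed, minimum)
    return False, "gradle %s is older than required %s; fetch a newer gradle binary" % (installed, minimum)


if __name__ == "__main__":
    ghidra_dir = os.environ.get("GHIDRA_INSTALL_DIR")
    if not ghidra_dir:
        sys.exit("set GHIDRA_INSTALL_DIR first")
    with open(os.path.join(ghidra_dir, "Ghidra", "application.properties")) as f:
        props = f.read()
    out = subprocess.run(["gradle", "--version"], capture_output=True, text=True).stdout
    ok, message = check(props, out)
    print(message)
    sys.exit(0 if ok else 1)
```

Run it with GHIDRA_INSTALL_DIR exported; a non-zero exit means the gradle on your PATH is the one that will produce the confusing DefaultNativePlatform errors, so point at the downloaded binary instead.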

Enjoy!

General thoughts on OpenSource Software

While having conversations with a couple friends the last few weeks, I came to the conclusion that there might be value in writing down some of the ideas I have floating around in the big tin-can on my shoulders, as it relates to opensource software (oss).

Or, then again maybe not.

Regardless, I took a few minutes to jot down some thoughts. This list is by no means exhaustive, it’s just a quick brain dump around what comes to mind when I think about using oss in the enterprise.

Talent implications:

There are some definite and perhaps obvious implications to attracting talent when it comes to participating in the oss community.  First and foremost, it is an easy way for an organization to market itself, its culture, its people and its technology capabilities. Secondarily, in my mind, developers that engage with the oss community show an increased dedication and passion for ongoing learning and development outside of the 9×5. So participatory individuals definitely represent a type of individual I want to have in my organization.

Technology practices:

OSS can be fickle, as it involves many people with diverse backgrounds and perspectives agreeing to agree. 😊

When using oss, I would suggest setting up a company repository where oss and dependencies are curated and maintained as approved for corporate use. In addition, I would also recommend blocking teams from using external repositories, in order to manage and mitigate various risks based on company appetite.  JFrog Artifactory is one such example of a solution that can be used for a corporate repository.  

The link below gives a brief example of what can happen if you aren’t careful in how you manage the repository in the oss world.  😳

https://arstechnica.com/information-technology/2016/03/rage-quit-coder-unpublished-17-lines-of-javascript-and-broke-the-internet/

In addition, in order to maintain bench strength, autonomy, ensure continuity, and enforce corporate quality gates, it is also important to not become reliant on compiled binaries; as such, I would ensure the company has the toolchains and configurations to compile source code into binaries in a CI/CD type of model.

Security of open source:

On the upside, oss allows for easier identification and crowdsourced remediation of vulnerabilities; however, on the flip-side, it is easier for hackers to identify vulnerabilities, fingerprint companies using the oss, and subsequently exploit vulnerabilities, without disclosing them.

Thus, it is important to have a solid program in place for monitoring for emergent vulnerabilities and patching in a timely manner, especially for externally facing solutions. This also drives back to the discussion of having a centralized repository for curating approved oss.

Licensing models:

I’m not a legal expert by any means, but I know enough to state that careful consideration needs to be given to the usage and mixing of different license models in the oss and proprietary world.

As an example, some license models cannot be combined with others and some licenses like “copyleft” licenses are viral (to a greater or lesser degree) and may require disclosure of source even for derivative or combined works.

In addition, there are nuances and interpretations related to words like “propagate” or “distribute” when modifying oss.  As an example, using it on your internal corporate network may have different implications compared to embedding it into a website and having people remotely access it, which may also be viewed differently than using it in the mobile app and putting it in an app store.

Cost factors:

OSS has many cost factors, but I saved cost for last because it is tied to all the previous discussions. While the initial investment is often lower for an individual package, taking on maintenance and support for more complex oss packages will likely increase the TCO and have a negative impact on opportunity cost over time, as you will have teams that need to continue to maintain and provide upkeep for what is likely to be a commodity for the organization – rather than focusing that same time slice on things that are a competitive advantage.

Summary

A quick wrap up. I am a huge proponent of both the concepts and implementations of oss; however, I often see companies going down the route of oss because it is perceived to be “cheaper”. In some cases that may be true, especially for smaller companies with a very limited IT budget and a high tolerance for risk.

My advice is to think through the risk and exposure around the use of OSS for the company, and then compare what it would take for investments to make oss elevate to the same first class citizen as internally developed software. That’ll give you a head start on understanding the TCO and opportunity costs of using oss in the overall aggregate of your technology economy.

Finally – while I admit, I really haven’t read much of it, this looks like a great resource. https://opensource.org/faq

My hope is that you will find ways to manage the corporate risk, and still commit to engaging with, and supporting the OSS community!

As always, I am happy to learn from others, so if you have a perspective you’d like to share on oss – feel free to reach out to me and engage.

Meeting a legend! Kevin Mitnick.

23 years ago, on Feb 15th, the world’s most famous hacker, Kevin Mitnick, was apprehended in NC after years on the run from the FBI, prompting many, many young hackers and computer enthusiasts (including yours truly) to take up the mantra “Free Kevin”.

A little over 28 years ago, I started my own journey into information security (thankfully never pursued by the FBI), and much like Loyd Blankenship (Hackers Manifesto), Kevin had a profound impact on my young security career.

Today, not only did I get to see Kevin in action (POC exploits), but I got to say hello and shake his hand. I didn’t even think about taking a picture, I just wanted to shake his hand; but I’m thankful someone there said “would you like a picture”.

Thank you anonymous picture taker!

Layer 8 security: hacked by email.

Last week I received a letter in the mail claiming to be from the city of Suffolk.  They want me to pay a tax on my cars.  The tax is less than $100, but you know what; I already paid a fee to register my cars.  Perhaps the request is legit, but it seems just a little bit suspicious.  What if that letter came through email with a link to click for me to make a PayPal payment?  Is email any more secure than the US Postal Service?  How do you know the letter, or the email, that claims to have come from a certain person actually came from that person?  The postal system, like the internet, is kind of the wild, wild west.

There are plenty of technologies that can help solve this issue – if someone expresses interest, I would be happy to dig into those technologies in the near future.  However, as a quick way to raise your awareness of the dangers of trusting email (or snail mail) without a discerning eye, pop over to the New York Times and read the post about the Magazine Publisher that just lost 1.5 Million dollars due to an email scam.

The short story:

Someone hacked into the email of the CEO and sent an email to the Accounts Payable department to wire 1.5 million dollars to an offshore Chinese bank account.

The dutiful employee complied.

The problem here is not that someone hacked the CEO’s email; this type of stuff happens every single day in the real world.  The problem is that the receiver on the other end didn’t apply any type of analysis or intelligence to the request (e.g. is this risky, is this unusual?).  It is interesting to note that the “CEO” sent a second email to Accounts Payable.  This second employee thought “Hey, this seems odd, maybe I should double check with the CEO”.

Result: 1.5 Million dollars saved.

Who knows, perhaps a 1.5 million dollar transfer request through email was a normal day in the Accounts Payable office of Bonnier Publications.  If so, shame on them (see the opening paragraph).

Summary:  Enterprise organizations need to eliminate email from their business processes, both from an efficiency and a security perspective.  As an individual, you need to approach email with a certain amount of discernment, even if it appears to come from a trusted individual (see the opening paragraph).

I promise not to send you email from your boss asking you to buy lunch for the office: but I can’t speak for everyone.

Asking a few additional questions might just save your company 1.5 million dollars.

Remember: Security is everyone’s responsibility.

Is security your responsibility? The case of the insecure security system.

I have recently contracted with a local security company to install a fairly extensive security system into my home. The system cost thousands upon thousands of dollars, and is made by one of the top brands in home security systems. This system provides full automation, including video monitoring and recording with coverage both outside and inside my home. I have large screen TVs that display every angle at the touch of a button, I have programming interfaces which allow me to extend the capabilities of the system limited only by what I am able to cook up in today’s Z-wave enabled IoT platforms. I can monitor my home from my bedroom or 2,500 miles away – it makes no difference. This is the ultimate enabler for the security conscious home owner.

There is however, one big problem about my home security system… the system is not secure.

Wait, what? I am saying that one of the top brands of home security companies is putting security systems onto the market that are not secure? Yes, that is what I am saying: my home security system has not been designed by the manufacturer nor configured by the installer in a secure fashion. In essence, the moat around my castle has multiple unprotected drawbridges by which a minimally savvy technical person could enter and plunder booty. My booty.

Interestingly, the installer has taken a fairly disinterested stance stating that technology changes so fast and they can’t be expected to understand how to secure computerized and network devices. I feel their pain. The manufacturer will (once I contact them) undoubtedly take the position that there are WAYS to secure the system, so the problem is due to the lack of knowledge and understanding of the installer. The homeowner is a consumer and expects that the security system they have contracted out for, will allow them to secure their homes. Everyone has been fooled.

Unfortunately, they are all right and all wrong at the same time. There are technologies and architectures that could be layered on the home security system that would ALLOW the installer to install and configure the security system in a secure fashion, and the homeowner should be savvy enough about their own personal security that they should spend some time asking questions and understanding the technology they are using. And yet, there is a significant lack of knowledge that intersects between understanding how information security and physical security need to coexist.

This has got to change.

This past week, I spent the week at Gartner’s 2015 Risk Management Summit. Gartner has decided it is now time to stress the fact that Physical Security and Information Security need to work together for the health and safety of the world. This is exacerbated by computerized healthcare devices, and computerized cars; and it is only going to get more and more challenging and risky as the physical and digital worlds amalgamate.

So, here is the question: when someone exploits the weaknesses of my home security system and breaks into my home and destroys or plunders whatever it is that I hold dear… who is responsible? Is it the manufacturer that has created a system that can easily be poorly installed and configured, is it the installer who trusts the manufacturer and knows only how to crimp the wires and program the interface, or perhaps it is the homeowner who has put their trust in the installer and only knows how to click a few buttons?

The answer is “yes”: the security of the home system is the responsibility of the installer, the manufacturer and the home owner.  It comes down to this:  trust, but verify.

Security is everyone’s responsibility.

Check back in a few weeks; once I have an opportunity to secure the vulnerabilities introduced by the manufacturer and the installer; I plan on documenting what the issues were, and if you have this security system, what you can do to protect your home, and more specifically, the types of questions you should continue to ask yourself as your digital lines continue to blur.

It is all about education.

 

 

No it is not ok to email me my Credit Card Number…

This is a copy of an actual email I had to send today…  I guess there are still a lot of people out there that do not understand the perils of the internet.

[Name removed] –

Good evening.  Thank you for emailing the rental confirmation; however, I am surprised and disappointed that the image attached to the confirmation email contained the credit card number we used to book the rental property.  By trade, I am an information security technologist – I protect computer systems and data assets from digital theft.

Your email to my wife provided everything necessary for a digital thief to not only commit fraud against my credit card company, in my name, but it also encourages identity theft, as you included personally identifiable information and financial information within the attached image.

Unless very specific precautions are taken, email is an insecure medium and it should be assumed that the contents of email are made publicly available on the internet.

As a secondary example to underline the importance of discouraging the emailing of sensitive information, you accidentally misaddressed the email (sent to *******@******.com rather than ******@*****.com).  While the email was still redirected to a domain I have ownership in, because of my specific configuration, the email could have just as easily, sans my configuration, resulted in a scenario where my credit card was sent to some random person somewhere out on the internet.

As a necessary precaution, I now have to cancel my credit card, get a new card reissued, and go through the long and time consuming process of updating all my billing relationships – a set of tasks I had not planned on spending my evening completing.

I would recommend, in the future, that the practice of emailing sensitive information (such as credit card numbers) be eliminated from HOA procedures.

Thank you.

[Signed]

Principles of Authentication

 

Recently, I have been surprised at how little some of the application architects I interact with seem to know about the principles of authentication, and I mean, these are smart people too! When I went out on the internet to find some white papers I could send their way, I really found nothing of value. So, while this is an initial draft document, and I haven’t obtained any feedback from my fellow Security Architects, I am providing it here for the interested to get a better understanding of my views, as a security architect, on some of the basic principles of Authentication that I have always taken for granted.

 

 

 

Principles of Authentication

Defining a secure method of participant identification

Contents

Terms & Definitions
    Participant
    Identification
    Authentication
    Authorization
    Accountability
    Security Domain / Boundary
    Claims
General Guiding Principles
Authentication of Participants
    Three principles of Authentication
        Shared Secret (Something you know)
        Token (Something you have)
        Unique characteristics (Something you are)
Authorization
Accountability

 

 

 

Terms & Definitions

 

Participant

A participant is an identity taking part in a business communication transaction. A participant may be represented by an end user, a target system, or even an entity facilitating the transmission of communication between two unique identities. A participant may have multiple identities within multiple security domains, but should be uniquely identified with a single identity within a single security domain. An example of participants may be a business user, a database, or a web service.

Identification

Identification is the method by which a participant asserts their unique identity within a security domain to another participant within that security domain.

Authentication

Authentication is the act of validating a participant based on the participant’s asserted claims or identity attributes. Authentication requires a shared secret between participants or attestation from a trusted source that asserts the integrity of the participant’s claims.

Authorization

Authorization is the act of approving access for an identity to a resource based on a successful authentication.

Accountability

The purpose of Identification, Authentication and Authorization is to maintain accountability tied to a unique identity within a single security domain, to ensure the integrity, confidentiality and availability of a system and its associated data.

Security Domain / Boundary

A security domain represents a functional environment that maintains a governed trust between participants either through shared secrets or through the use of another participant acting as an arbitrator to attest to the authenticity of participant’s claims.

Claims

A claim is a statement of fact about a participant used to assert an identity for authentication. A claim is usually a data artifact that is questionable in nature (e.g. I am who I say I am).

General Guiding Principles

 

  1. A participant may have multiple identities, but an identity must be unique within a single security domain.

  2. Identification, Authentication, Authorization and Accountability requirements should be dictated by the level of assurance within the system and the associated data classification.

  3. Identities must be authenticated and appropriately authorized before obtaining access to non-public data.

  4. Identities must be re-authenticated when crossing security boundaries.

Authentication of Participants

In order to ensure the confidentiality and integrity of business communications that contain non-public classified data, all participants within a business transaction must be authenticated before being allowed to participate within that business transaction. The foundation of authentication is based on three primary principles, where a participant asserts their claim of identity through something they know, something they have, or something they are.

Take for example a person (participant) who may walk up to the security guard of an organization (participant) and say (claim), “Hello, my name is Jack, please let me in”. While Jack has identified himself, no assertion has been made proving his claim. The security guard may now ask Jack to enter his personal identification number (PIN) (something he knows), may ask him to swipe an RFID badge or present a driver’s license (something he has), or may ask him to have his retina scanned (something he is), in order to provide Jack access to the building.

After authenticating Jack, the security guard provides him with a badge that will attest to Jack’s authorization to be inside of the building. Jack has now crossed the security boundary from the outside world into the organization’s world. Jack, as a participant, now has two identities: his identity associated with his license, and his identity associated with the badge he was provided.

In this scenario, we have identified the three principal foundations of Authentication: 1) something you know, 2) something you have, and/or 3) something you are. Additionally we have identified both direct and indirect forms of authentication, and have illustrated the principal necessity of a security boundary for appropriate authentication and authorization.

All three authentication principles, as well as the concepts of direct and indirect authentication and security boundaries are discussed within the remainder of this document.

Three principles of Authentication

Shared Secret (Something you know)

A Shared Secret is one of the foundational principles that often drives authentication. The secret represents information maintained between two participants that can be used to uniquely identify one or both of the participants within a security domain.

Within the example above, a shared secret was previously configured between the organization and Jack, such that, if Jack was able to provide that shared secret back to the organization, the organization could be reasonably sure that Jack was indeed who he claimed to be. In this scenario, as the organization was able to verify Jack’s claim directly, this was a form of direct authentication.

Token (Something you have)

A token is another form of authentication that represents a claim or a collection of claims that can be used to attest to a participant’s unique identity within a security domain. Tokenized authentication is based on a predefined trust between participants or security domains.

Within the example above, we identified multiple types of tokens that Jack may use. The first type of token was an RFID badge issued by the organization. Because the organization has a direct means to authenticate Jack based on a previously established relationship, this is another example of a direct authentication.

The second type of token discussed was Jack’s license. If the guard chose to authenticate Jack on the license he presented, the guard would be confirming Jack’s identity based on the attestation provided by a trusted third party (another participant). As the guard’s knowledge of Jack relies on the attestation of a third party, this is referred to as indirect authentication.

Within the context of our example, the security guard can use the indirect authentication method to verify Jack’s identity. As there are no current trusts established between the building security system and the license issuing authority, Jack will cross a security boundary, and this indirect authentication cannot be used to grant authorization for Jack to enter the building.

Thus, the security guard must, based on his indirect authentication, provide Jack with a set of claims that are understood within the organization itself, so Jack can be directly authenticated within the building complex. This repackaging of claims from one authentication participant to another authentication participant is often referred to as Federated Authentication.

The organization may also implement another security framework in which a trust could be established between the security domains of the organization and the license issuing authority, such that Jack could authenticate to the organization’s security system directly using his license. This authentication framework is a form of pass-through authentication.

Unique characteristics (Something you are)

A unique characteristic of a participant is another form in which a participant may be identified. Unique characteristics of a user might include facial recognition, fingerprinting, voice recognition or retina scanning. Note that this form of authentication is typically used to authenticate user participants as it is arguably easier to replicate the “unique” characteristics of a non-biological entity.

 

Authorization

Once a participant has been uniquely identified within a security domain, the participant that is facilitating the business communication must make a decision as to whether or not an authenticated identity has been approved to operate on a secured resource. The discussion of detailed authorization requirements is outside of the scope of this document; however, future documents may be written to address authorization specifics in more detail.

Accountability

The primary goal in providing identification, authentication and authorization is to ensure accountability throughout a business system or organization. Thus, it is incumbent upon a system that has first identified, authenticated and authorized a participant to access a business resource to keep proper records of what the participant has done with their granted access. Detailed accountability requirements are outside of the scope of this document; however, further documents may be written to address accountability specifics in more detail.
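To tie the Jack-and-the-guard walk-through together (shared secret, token, direct versus indirect authentication, the federated re-issue of claims at the security boundary, and the authorization and accountability sections above), here is an added example in Python. It is not part of the original document: HMAC-SHA256 over the claims stands in for the attestation mechanism, which the document does not specify, and the domain names, PIN, keys and area names are constructed.

```python
"""Added example, not part of the original document: a toy model of the
Jack-and-the-guard walk-through. HMAC-SHA256 over the claims stands in for
the attestation mechanism (the document does not specify one); names, PINs
and keys are constructed."""
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Optional


def sign_claims(key: bytes, claims: dict) -> str:
    """HMAC-SHA256 over a canonical JSON encoding of the claims."""
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


@dataclass(frozen=True)
class Token:
    """A collection of claims attested by an issuer (something you have)."""
    issuer: str
    claims: dict
    signature: str


class SecurityDomain:
    """Holds its own identities' shared secrets, the keys of the third-party
    issuers it trusts, and an audit log of every decision (accountability)."""

    def __init__(self, name: str, signing_key: bytes) -> None:
        self.name = name
        self._signing_key = signing_key
        self._pins = {}             # identity -> PIN (something you know)
        self._trusted_issuers = {}  # issuer name -> verification key
        self.audit_log = []

    def enroll(self, identity: str, pin: str) -> None:
        self._pins[identity] = pin

    def trust_issuer(self, issuer: str, key: bytes) -> None:
        self._trusted_issuers[issuer] = key

    def issue_token(self, claims: dict) -> Token:
        """Attest to claims: the licensing authority issuing a licence, or the
        guard issuing a visitor badge once Jack is authenticated."""
        return Token(self.name, dict(claims), sign_claims(self._signing_key, claims))

    def authenticate_pin(self, identity: str, pin: str) -> bool:
        """Direct authentication against the secret shared at enrolment."""
        expected = self._pins.get(identity)
        ok = expected is not None and hmac.compare_digest(expected, pin)
        self._record("direct/pin", identity, ok)
        return ok

    def authenticate_token(self, token: Token) -> Optional[dict]:
        """Direct if this domain issued the token, indirect if a trusted third
        party did; None when the issuer is unknown or the signature fails."""
        if token.issuer == self.name:
            key, method = self._signing_key, "direct/token"
        else:
            key, method = self._trusted_issuers.get(token.issuer), "indirect/token"
        ok = key is not None and hmac.compare_digest(
            sign_claims(key, token.claims), token.signature)
        self._record(method, token.claims.get("subject", "?"), ok)
        return dict(token.claims) if ok else None

    def authorize(self, claims: dict, area: str) -> bool:
        """Authorization follows authentication: is this identity approved
        for the requested resource?"""
        ok = area in claims.get("areas", [])
        self._record("authorize:" + area, claims.get("subject", "?"), ok)
        return ok

    def _record(self, method: str, identity: str, ok: bool) -> None:
        self.audit_log.append({"domain": self.name, "method": method,
                               "identity": identity, "ok": ok})


def guard_admits(org: SecurityDomain, presented: Token, area: str) -> Optional[Token]:
    """The guard: authenticate what Jack presents and, if accepted, re-package
    the identity as a badge the organization's own systems understand
    (federated authentication across the security boundary)."""
    claims = org.authenticate_token(presented)
    if claims is None:
        return None
    return org.issue_token({"subject": claims["subject"], "areas": [area]})


def scenario() -> dict:
    """Run the walk-through and return the outcomes (all values constructed)."""
    dmv = SecurityDomain("dmv", b"constructed-dmv-key")
    org = SecurityDomain("org", b"constructed-org-key")
    org.enroll("jack", "4242")
    org.trust_issuer("dmv", b"constructed-dmv-key")
    licence = dmv.issue_token({"subject": "jack", "licence": "X-000"})
    forged = Token("dmv", {"subject": "jack", "licence": "X-001"}, licence.signature)
    foreign = SecurityDomain("other-dmv", b"constructed-other-key")
    badge = guard_admits(org, licence, "lobby")
    return {
        "pin_ok": org.authenticate_pin("jack", "4242"),
        "pin_wrong": org.authenticate_pin("jack", "0000"),
        "badge_issued": badge is not None,
        "forged_rejected": guard_admits(org, forged, "lobby") is None,
        "untrusted_rejected": guard_admits(
            org, foreign.issue_token({"subject": "jack"}), "lobby") is None,
        "badge_direct": org.authenticate_token(badge) is not None,
        "lobby_allowed": org.authorize(badge.claims, "lobby"),
        "server_room_allowed": org.authorize(badge.claims, "server_room"),
        "audit_entries": len(org.audit_log),
    }
```

Running scenario() shows the licence accepted only because the organization explicitly trusts the issuing authority, a licence from an issuer it does not trust rejected at the boundary, the badge then verified directly by the organization's own key, and every decision recorded in the audit log, which is the accountability requirement in practice.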

Someone is always watching the watchers

[Short Snippet from this weeks course paper]

With the continued increase in the connectedness of humanity through the internet, coupled with the increased opportunity to facilitate and hide malicious digital actions, the perpetration of digital crimes is on the rise. However, given that we are in a war against the criminals, and one in which we are rapidly losing ground, it seems all too appropriate to relinquish our reticent nature as the good guys and look to examine ways in which we can fight fire with fire. Online Digital Forensic capabilities provide one of the means to increase our effectiveness, by extending the reach of individuals with specialized skills, providing technological capabilities to analyze data in real time, and increasing the speed of data acquisition.

[However, this weeks course work reminded me eerily of] some of the central themes espoused by George Orwell in 1948 when he wrote his exceptional work titled 1984. Through this monumental work, Orwell describes a dystopian type world where there is physiological, psychological, and sociological paralysis brought on by the persistent concern that Big Brother is watching. I could not help but reminisce over the fears held by protagonist Winston that the Party would discover his thought crimes.

On-the-other-hand, as an individual who has been involved in some fashion or another, for over 15 years in the field of information security, I understand, full well, the importance of investigatory needs to protect the innocent from the guilty. These needs often require searching and viewing personal information that suspects believe to be private.

Yet, those of us involved in the societal war surrounding information security, those in a position of authority, and those whose responsibilities involve writing the laws that protect and serve, must not forget the adage attributed to Benjamin Franklin stating that those who give up their fundamental freedoms to obtain temporal safety deserve neither freedom, nor safety (Franklin & Franklin, 1818). And so we must remember that we are also consumers, and reside within the same economy of human existence as our suspects, and therefore, it is prudent to remember that someone is always watching the watchers.

References

Franklin, B., & Franklin, W. (1818). Memoirs of the life and writings of Benjamin Franklin. London: Henry Coulburn.

Internet beware – it all started with the letter E

I started using the internet almost 20 years ago; and while I was a minor, with no job, I gained internet access in sometimes nefarious ways.  I spent my time on the internet staying out of trouble (or not getting caught), but let’s just say that I was no Angel, and my purpose for being on the internet was to learn as much as I could. 

As a result of the last 20 years of active involvement in security, I have learned to think like the criminals, and know how to attack and protect against their wily ways.  As a result, you would have a very hard time finding someone as paranoid and cautious as I am on the internet. However, this afternoon, I was a victim of Internet fraud.  Take a few minutes to listen to how I fell victim, and how I responded. 

Hopefully, the information presented here will help make you even more cautious as you fire up your browsers and go strolling down the streets of the ghetto at the midnight hour, in the pitch black.

Victims of Internet fraud often fall into two categories: those who are not paying attention (inattentive), and those who are uninformed (ignorant).  In my case, it was a combination of both.

When working on the Internet, my fingers and I have this agreement:  I think, and they type.  There really isn’t a lot of surface level communication that goes on between my fingers and brain.  I can be talking to someone about one thing, thinking about something else, and typing a third, and completely unrelated thing. 

The Inattentive phase

Sometime this afternoon while trying to deal with some online marketing things I have been doing, yelling at my boys to stop yelling at each other, and thinking through issues of regulations around export controls, I opened up my internet browser and typed in Facebook.com.  The only problem is, My fingers rebelled, ever-so-slightly, and they misplaced the E.

At the same time, as my fingers are misbehaving, somewhere out on the internet an attacker is sitting and patiently waiting with a domain registered to a very slight variation on the name of Facebook.  This server domain name (it’s like the computer’s postal address) is registered in Tijuana, Mexico, but the traffic is forwarded to another domain registered in Panama City.  That domain is hosted on a server in the Bahamas. 

As I’m flipping through different browser windows, I come back to my “Facebook” page, and see that it is displaying a "survey" which purports (although never directly states) that it is from Facebook.  The survey, a three question survey, was filled with questions like "what do you think about social networking, do you think it brings you closer to friends, do you have any suggestions for us to make it better".  After 30 seconds, I was complete, and ready to be directed back to Facebook (or so I thought), and then the site showed a screen that said "put in your phone number to register for a giveaway".

“Eh, I suppose if Facebook wants to spend $300 out of its billions of dollars to give away an iPhone, my 3GS could be upgraded. Besides, what’s sensitive about my phone number? It’s on the do not call registry, and I could change it at any time for $30.”  This is what is going through my mind, as I’m continuing to yell at my boys who are yelling at each other, and at this point almost coming to blows; while I work on some marketing material and skip back from the BIS page on export controls.  After putting in the phone number, I got a text message saying "this is the code you need", and subsequently the web page prompted me to enter the code.

“Yeah, sure, I guess”, – that’s what went through my mind.  I mean, really, what harm can come from putting in a code they just sent to my phone – there is nothing personally identifiable about that…

The Ignorance Phase

What I didn’t realize is that the cell phone carriers run a whole billing infrastructure for third-party content (premium SMS).  A provider texts you a code; when you type that code back into their page, the provider presents it to the carrier as your electronic signature, and the carrier then assumes you have agreed to be billed a specified amount (or a recurring specified amount) on your phone bill.

So here I am, I have this “digital signature” in my hand, and on the next page there is a big spot to put in your code and some tiny itty bitty print – that no one ever pays attention to, right?  I typed in the code and hit submit; and the page came back and said “I’m sorry, this offer is full, would you like to see another one?”  At this point I was like “WTF?!”.

I skimmed the page and saw the “very fine print” that said, “by entering this code you are registering for a monthly service plan for free ringtones”.  No big deal though, right?  The page said that I couldn’t be entered because the deal was already full, and I should try signing up for another one.

The Response

So, I wasn’t paying attention, and I didn’t know how cell phone companies support billing services through text messaging.  But at this point, I already knew I had fallen for a scam.  So what did I do?

The first thing I did was get right on the phone to AT&T.  To hell with this company that just told me they couldn’t sign me up because their register was full (and I do not mean that euphemistically either) – I knew I couldn’t trust that as far as I could throw it.

I immediately got on the phone with AT&T and had them reverse the charges and cancel the recurring charges.  I have an appointment with their fraud department tomorrow (they were closed today), so that I can give them as much information as possible so that they can prevent this from happening to other people.  Which leads me to my second step – I told everyone I know about it.  Sure, in the end, there might be someone who is going to say “Haha, you gots pWned” – but my response would be STFU (that’s more euphemistic).

You see, these people prey on the lack of communication; they prey on the fact that by jumping through multiple international boundaries they are all but assured they will never be pursued.  They prey on the fact that the cell phone company can just write off a couple million dollars in fraudulent charges.  And yet, the worst thing I could do is not tell everyone I know to keep an eye out, so that they too, are not victimized.

Which comes to the third and final thing I did.  I went to the Internet Crime Complaint Center (http://www.ic3.gov/default.aspx) and the FTC Complaint Center (https://www.ftccomplaintassistant.gov/) and filled out their complaint forms.  Sure, as small as this fraud attempt was, they couldn’t care less; however, perhaps these people have been defrauding individuals out of millions of dollars, and perhaps every little bit of evidence they collect increases the chance that they’ll go after these guys.  But in reality, it just gave me a great feeling to tell on them!  LoL

So Remember

In the end, as a consumer surfing the internet (as you likely do – if you are reading this), keep the following in mind:

  • Suspect everyone;
  • Trust no one;
  • Verify, verify, and verify;
  • Pay attention;
  • Educate yourself on the technology you use;
  • Decrease the possibility that the crime lords will collect any more money: tell everyone;
  • If you think you were the victim of internet crime, act immediately!

You know, these guys are smart; they’re never going to catch them, even if they go after them.  So in the end, I just tell myself that somewhere in the world, there is an internet crime lord who is having a beer on me.  Drink it up buddy, because it’s going to be awfully hot in hell!  ;)