Men, Bicycles, Russian Girls, and Spam

Adventure into the male psyche that helps spammers make money.

By Eh’den Biber

This is the story of the spam email, the vulnerabilities it exploits, and the remediation actions it requires.


How did we get here?

As has been written many times in the past, the internet was never designed to be an internet; from a trust perspective it was an intranet, and the protocol RFCs developed on top of it never imagined it would one day run on dog collars. I kid you not.

Modern email systems can be configured pretty effectively to block most spam. You want to do this not only because spam is a great way to get employees to click on links that might lead them to bad places, but also because of the sheer amount of storage these annoying things require. So technically we can and should talk about the long list of controls you could and should implement in order to stop a major amount of shit from hitting your fan. We can talk about how to configure bastioned email gateways another time; on the way there, you want to listen to some good advice, so I hereby give you Wolfgang Goerlich:

When Spammy met Harry

For this section, I will focus on the human element. Assuming a spam email was caught by the spam filter, you would assume that no person in his right mind will go to the spam folder and open the emails in it, right? Well, if we did our work correctly, they shouldn’t. However, spam filters are not bulletproof, they do fail from time to time, and many people, including yours truly, had to learn this the hard way. My CISA certification got lost because I didn’t receive the notification to report CPEs on time, and when I tried to contact ISACA and ask them to update it I had to fight for months, ask for a favour from a friend who sat on the ISACA board (yes!), and even after all of that they still refused to accept my CPEs. It was not nice, and if anyone who is a member of ISACA can help me here, I will be happy to hear about it! (Dream on, baby!)

The truth is that most people will go and check their spam folder from time to time. Actually, as spam filters get better and the amount of spam that passes them drops, why shouldn’t you? If you see one message sitting in your spam folder, it is worth a chance to check it. The behaviour pattern spammers are exploiting is our “Dopamine Slot Machine”, the same mechanism that drives our addiction to our social media feeds. People go to their spam mailboxes. It’s an evolutionary fact, because if it weren’t true, spammers wouldn’t reach the critical mass they need to operate from a financial standpoint.

And in any case, we always need to remember the statistics: idiots outnumber the Neil deGrasse Tysons of the population by a long stretch.


With that said, the scene is ready for the spam message itself.

Junk email - dating site

Why does it work?

The email subject is:

How does it feel to be a loved one? I wish to feel it someday.

First, a comment, and a very important one.

We assume that to feel “being loved” someone else must do it (to us), rather than us loving others. The truth is that you truly feel loved only when you love someone else unconditionally. It’s a strange thing, totally counterintuitive. As Justin from “Smarter Every Day” said about the backwards brain bicycle: “Once you have a rigid way of thinking in your head, sometimes you cannot change that, even if you want to” – it’s true of bicycles, and it’s true of our perception of love.


Back to our story: when we open the email, we see we got a message from “a girl” named Tatyana, from Russia. Not a woman – a girl. Are you adopting a child? No, and we are not in Japan (at least up to 2014), so stop looking for girls!

You learn it is a smart “girl”, middle class, a doctor from Russia. A doctor of what? We have no idea. How old? We don’t know, and we don’t mind that she doesn’t tell. A hint for the Casanova: if a woman is trying to hit on you, tells you about herself and does not mention her age, it’s most likely not a woman. A real woman will always tell you her real age – minus a decade or two.

She mentions that she’s from Bryansk. You have never heard of Bryansk, which makes sense because many Russians don’t even know where it is. Who cares, she’s a girl, right? And she is lonely!

Then she tells you she was dreaming of meeting a stranger from another country because she saw it in films.

OK – summary: a woman who refuses to admit how old she is, who calls herself “a girl” (which means she has severe maturity problems), who is dreaming of meeting someone from another culture and thinks it is going to work because, as we all know, Hollywood makes ONLY documentaries. Right? And still not a single alarm bell rings for you? Don’t you even think “how the heck did she find me?”, or question the fact that the email comes from Poland? But how could you tell, if you never took the time to learn what domain suffixes mean?
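As an added illustration of the “where does the email actually come from?” check (example code written for this page, not the author’s): it parses a constructed message modelled on the lure above, reads the country suggested by the sender address’s country-code domain suffix, compares it with the country the text claims, and also notes a Reply-To domain that differs from the From domain. The sample addresses and the small ccTLD table are assumptions.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample modelled on the lure above (not a real capture); addresses are placeholders.
SAMPLE_SPAM = """From: Tatyana <tatyana@example.pl>
Reply-To: contact@example.ru
Subject: How does it feel to be a loved one? I wish to feel it someday.
Content-Type: text/plain; charset=utf-8

Hello, I am a girl from Bryansk, Russia. I am a doctor and I dream of meeting
a man from another country. I found a website where thousands of young women
like me had registered. Just click below and find me there.
"""

# Small ccTLD table, enough for this example (assumption: extend it for real use).
CCTLD_COUNTRY = {"pl": "Poland", "ru": "Russia", "ua": "Ukraine", "de": "Germany"}
# Words a self-description might use, mapped to the country they claim.
CLAIM_WORDS = {"russia": "Russia", "russian": "Russia", "ukraine": "Ukraine", "poland": "Poland"}

def address_domain(header_value):
    """Domain of the address in a From/Reply-To header, ignoring the display name."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()

def sender_country(header_value):
    """Country suggested by the ccTLD of the sending address, or None if unknown."""
    return CCTLD_COUNTRY.get(address_domain(header_value).rpartition(".")[2])

def claimed_country(body):
    """First country the message text claims for its sender, or None."""
    for word in body.lower().replace(",", " ").replace(".", " ").split():
        if word in CLAIM_WORDS:
            return CLAIM_WORDS[word]
    return None

def origin_red_flags(raw):
    """Mismatches between where the mail says it is from and where it actually comes from."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",)).get_content()
    flags = []
    from_country, claim = sender_country(msg["From"]), claimed_country(body)
    if from_country and claim and from_country != claim:
        flags.append(f"sender domain suggests {from_country} but the text claims {claim}")
    if msg["Reply-To"] and address_domain(msg["Reply-To"]) != address_domain(msg["From"]):
        flags.append("Reply-To domain differs from From domain")
    return flags
```

Run on the sample, `origin_red_flags` reports both the Poland/Russia mismatch and the differing Reply-To domain; a mail whose suffix and story agree returns an empty list.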

Great, let’s continue! Then she tells you she found a website “where thousands of young women like me had registered and found the love of their life”.

HOLD ON.

So, she tells you that there is this website on which you might find even MORE desperate women, who might even be able to ignore the behaviour patterns that destroyed all your previous pathetic attempts to establish a connection with a female partner? Someone who could live with your inability to show your emotions because she is a strong Russian woman who never smiles, exactly like your mother? Could it be that her city is near a nuclear and chemical waste facility, which makes her immune to the smell of your farts, and able to cherish the dirt in your apartment that manages to scare away even the cockroaches?

You’re getting excited! “Could it be that you found a woman as desperate as you are to feel a human touch? Could it be true?”, you ask yourself. Then she tells you: just click below, go to the website and find me there.

“The force is with me!” you say to yourself, out loud, waving your imaginary light sword.

STOP.

Sonny boy, let me give you a small piece of advice about women, a subject I see you might have little if any experience with. Women don’t share their man, and will shut down competition faster than you can blink. If there were a first-person shooter in which a woman hero goes on a journey to eliminate all the threats from other women who might steal her man, women would be dominating the game. If there ever is such a game, any woman, even fully drunk, will be able to kick your ass. Women would butcher every bitch that came within a mile of their man if they felt there was a danger to their relationship.


The fact that you believe a single woman would just share a website with thousands of other women who could compete with her for your heart is simply sad, brother, so sad.

Please don’t click… please… ohh too late.


Afterthought

So yes, this is how men fall for such spam emails. And before my beloved sisters feel they are better – oh, you’re just as much at risk. I personally know enough women who will click on a link to a fake sales site faster than men will click on links to porn sites.

Spam works because most human beings are lost in their minds. To different degrees, in different ways – but lost. Our unwillingness to admit it is at the heart of our information security problems.

And because we are all so tired of being alone.


Remember – security is a perception. The bigger the gap between perception and reality, the bigger the risk you are in. The solution is simpler than most people think, and it brings us back to the beginning of the story: until you practise giving unconditional love, you are vulnerable.

Namaste

Eh’den


The Revolution

How I became part of an invisible hacking revolution.

By Eh’den Biber

Remark – Unlike my other writings (e.g. “Making Privacy Great Again”), this is going to be an evolving story. It means that I will be continuously updating it. Also, I plan to record it as a podcast so you can listen to it rather than read it.

[Changelog]

2017-05-14 – V01 – Long Drive + The Revolution
2017-05-15 – V02 – Stealing Fire + The Guinee Pig
2017-05-15 – V03 – Ecstasis + Lost in the Rain + The Sacred Four
2017-05-21 – V04 – Frederick + Mad Intelligence

Prologue – Long drive

13 years ago, when my youngest son Rephael was three and a half years old, my ex-wife and I arrived at a Belgian hospital to hear the diagnosis of his condition. After months of observations and tests the result came in, and even though I remember everything that was said, looking back I realise that at that time I had no ability to grasp its meaning: “Your son has severe autism. It will never go away, it will not improve. You will never be able to communicate with him, you will never be able to send him to a normal school. Your son will never be able to be independent, your son will need to be in a mental institute when he grows up.


Making Privacy Great Again (?) – The Blackphone Story – Part 4 – There’s a Snake in My Boot

Blackphone as an allegory to why the bad guys are winning, a step-by-step guide to unlocking your device, and to whom you should say “you’re welcome!”.

By Eh’den Biber

First of all, my apologies for the delay in writing. It was totally unintended, but life, as you all know, has a comic view of our perception that we are in control of it. We are funny.

So, back to the Blackphone. I must admit that I’m surprised by what I learned. It’s so true that until we experience something personally, knowing facts related to that experience is meaningless. A total colour-blindness, an inability to grasp the vast spectrum of radiation most of us can perceive naturally.

But before we begin with the boot story, let me just highlight a surprising point – if you wanted proof that no one cares about security, INCLUDING security people, take a look at the vast number of security reviews performed so far on the phone. I know, nothing out there.


Making Privacy Great Again (?) – The Blackphone Story – Part 3 – Being Matt Damon

The Awareness lessons Matt Damon Had Taught Me.

By Eh’den Biber


(This is part 3 in a series of articles I’m publishing about my investigation into the security of the Silent Circle Blackphone 2. In case you missed them, I invite you to read part 1 and part 2.)

Now that I had received the Blackphone 2 I was facing a dilemma – what would be the best way to investigate it? To answer that, I decided to ask myself what Matt Damon would do if he were me.
