Browsing articles from "April, 2012"

That Time Someone Tried to Scam Me on Ebay

For years I have avoided the frenzy of selling items on eBay, but after purchasing a new iPad, I decided it was time to give it a shot. Thus, I posted my earlier generation iPad for a relatively high price and hoped for the best. I have posted the item three times now, it has sold all three times and all three times it has been a scam. The last scam attempt nearly got me, this is the story of what happened.

A few short days after posting my old iPad I got the good news that someone skipped the entire bidding process and used the “Buy it now” feature on eBay to immediately purchase my iPad. This was the first clue that something was up. My item was not by any means the cheapest iPad that could be purchased with the “Buy it now” feature. In addition, one could almost certainly have bid on an iPad and spent $50 less. Being an optimist though, I decided that my iPad had just sold and I’d move forward with the process. I immediately received a message asking for my E-mail address so the buyer could make a payment, thus I gave it (this was a mistake).

The next clue I received that something was wrong came in the form of an E-mail. Due to the fact that this was an international purchase, I had the opportunity to add an additional shipping cost. Since I was happy I sold my iPad for such I high cost, I decided to add on the relatively modest cost of $20. After I sent that to the buyer I received an E-mail letting me know that they had also looked up the cost of international shipping not to the UK where they were located but rather to Ghana West Africa, where the buyers wife was. My iPad would of course be a birthday present and the faster I could send my iPad the better. Clearly this was a scam and I had already come to terms that my iPad did not actually sell when something odd happened…I received a note notifying me that I had received a PayPal payment.

To be fair, I got this message while I was rushing to an airport for a four day trip so my immediate thought was, “Crap, there is no way I’m going to be able to get this out in a timely manner.” It wasn’t until I got home from that trip that I took a closer look at the message I was supposedly receiving from PayPal.

A few things stuck out. First, the buyer paid more than the extra $20 I had asked for, second some of the grammer was a little off, e.g. “You have ‘gotten’ funds.” I therefore went directly to my PayPal account to check to see if I received the money…I did not receive any payment. I took another look at the message telling me I had received a payment and low and behold, the message came from a ymail.com account. That’s right, a Yahoo account posing as a PayPal one. As one last piece of review I took a look to see if the user had any positive reviews. Not only did they not have any reviews, their account was created the day of purchase. Clearly a scam.

The moral of the story is this, cover all your bases when selling items online and be certain you have the money before you send anything…Anyone want to buy an iPad?

Intelligence Is Not Knowing an IP Address

Intelligence is not an IP address. Let me say that again, intelligence is not an IP address. As of late there seems to be a fad for big data analytics and intelligence gathering, unfortunately as of currently the output of most of these activities seems to be simply finding IP addresses. Creating the capability to build a blacklist is not the equivalent of gathering intelligence.

Intelligence has been defined as the “capacity for learning, reasoning, understanding, and similar forms of mental activity; aptitude in grasping truths, relationships, facts, meanings, etc” (dictionary.com). the key focus in this definition is the capacity for understanding, in terms of information security, the capacity for understanding stems primarily from the knowledge of malicious actors within the threat environment in combination with knowledge of one’s own internal environment. The combination of knowledge and understanding in these two disparate environments is an understanding of what is commonly referred to as threat.

An understanding of threat is a key component of the risk equation, yet unfortunately for many years developing that understanding has been very difficult as intelligence processes were typically truncated if not altogether immature. Thus, most organizations were not creating a full “understanding” of the threat that their organization faced. Instead most organizations were operating with a minor level of knowledge based on a precursorsy amount of information.

Last year in 2011, or year that is commonly referred to as the year of the security breach, enterprises and small to medium businesses began to realize exactly what the value of intelligence really is. As a direct result many vendors began developing solutions for delivering “intelligence.” unfortunately, the vast majority of these vendors are utilizing processes that similarly to enterprises, are truncated in nature.