Who will shave the barber, is the answer that surfaced when someone asked me a question about the source and solutions related to Cyber Crime.

Note – The findings are a result of my personal research. They are in no way directly or indirectly connected to employment terms with any of my current/previous employers. The tools/products are the properties of respective companies and the names are deliberately masked. References available on request. Thanks to Amit Yadava (QA Manager EMC), Vivek Sharma (Test Manager TCS), for their reviews. My special thanks to Sangeetha Rai (Director IQNavigator), who played the biggest part to bring this piece to life.


Uncensored Version | Who will shave the barber

 


Note – This piece was originally written for LinkedIn. A lot of content had to be shaved off. The current article is uncensored.

The Past

Contrary to the notion that many carry, viruses were initially discovered in the telecom domain sometime in the 1960s. The work was driven more by passion and intellectual challenge than by evil intentions. Phone hackers (also known as phreakers) would break into phone networks to make free international calls.

Computers, at least initially, were never meant to be used in daily life. They were mostly targeted at “elite organizations”. Creative minds would struggle to gain access to computers, which were mostly a shared resource. MIT had a similar hacking group, which used it as an information-sharing platform. In Feb ’76, Bill Gates became aware that a pre-market copy of the software was being circulated. He wrote an open letter to the group, noting that they could no longer continue to produce and/or distribute the software without making a payment. The same year, Steve Jobs also introduced an Apple computer with similar terms.

Categories – broadly, there were two categories with loosely defined boundaries –

  1. Hacker Community – The hacker community had many elite geeks, who always took pride in making or breaking computer programs. They would research and experiment to do things in different ways, and successes were shared on a common platform. It was a hacking community for good. One of the serious after-effects of the License Raj was the fallout of hacking groups.
  2. Activists/Anonymous – This was an activist group with a core objective of exposing wrongdoing. Julian Assange, founder of WikiLeaks, is a celebrated personality and a role model for many. The targets, at least initially, were random or wherever there was a suspicion. This particular community faced the sledgehammer. A few recent events prove that a lot of rogue elements have entered this area, and the number of controversies has been on the rise.

As the seriousness and the intellectual challenges that hackers took pride in declined, others, including some with evil intentions and business objectives, chipped in.

Hacking was once limited to viruses, Trojan horses, and spam, which is no longer the case.

Transitioning Snapshot

  1. Early Era – primarily driven by challenge, fun, experimentation, and research
  2. Current Era – mostly driven by malicious and/or criminal intentions

Current State –

The domain is not limited to viruses alone and has migrated to a variety of other areas, including malware, identity theft, spam, credit card fraud, web server hacking (targeting government, military, corporate networks etc.), and phishing, to name a few.

Why are we Here –

  1. Rat Race Called IT – Various vendors, with an intention to stay ahead of the competition, continue to release software that is not market ready and/or not thoroughly tested.
  2. Microsoft Windows – The most popular operating system is also the most vulnerable. No one seems to have taken serious note of what Charles Petzold, once the most popular Windows expert, wrote – “Windows is a complex system; putting a programming layer on top of the API doesn’t eliminate the complexity it merely hides it. Sooner or later that complexity is going to jump out and bite you in the leg.” A little Google research would reveal everything.
  3. Whistleblowers are severely punished and the benefit of doubt goes to the mightier.
  4. The Judicial Laws in and around the Cyber Space are either not there, or still in the process of evolution.
  5. Engineering Standards – In the standard engineering lifecycle, a software application is typically tested in the final phase (before the release). That said, even if someone points out a showstopper bug, it is either going to get discarded/deferred or, in the worst case, the reporter will face the razor. Even if the organization intends to address/fix the issue, production costs will multiply, which will shave off the profits.
  6. Cellphone – Customers buy one and, before they realize it, it consumes significant bandwidth/airtime performing various updates (without permission), and makes the customers pay for it. Tracking the activities and selling the data to third-party vendors etc. are only some of the activities that follow.
  7. Virus creators were initially driven by intellectual challenges and solutions, which did not last long. In recent times, it is rare (but certainly reproducible) to see the security products start propagating infections, in case a subscription is not extended. Pretty much everyone (myself included) knows what goes inside a virus, and has the capacity to detect it in seconds, but doesn’t report it due to the fear of corporate bullying. On the other hand, no one knows where to report, which Government, which Cyber/Crime Law etc.
  8. Evaluation Software Licenses also have a truth attached. There are some (not all), which start infecting the computer in case the subscription is not purchased after the expiration of evaluation period.
  9. Pre-Installed Anti-Virus Software – Computers and laptops come pre-installed with anti-virus software with a limited subscription period. What happens after the subscription period is over? Ever tried un-installing after the subscription period?
  10. Skill Sets – Most of the hackers, as of today, are half skilled and typically referred to as script kiddies. Unfortunately, they are the most brutal. You know the famous saying – half knowledge can be fatal.
  11. The Wireless Transition – Before one could realise, the world had already transitioned to wireless. The early days were alarming, as one would see access points in open mode all over the place, including airports and shopping malls, to name a few. Fortunately, not many knew about the technology, and an awareness drive seems to have saved enormous potential losses. We are still nowhere close to where it should be. Wireless security standards are based on deep dive specifications of IEEE. There are design issues and then there are implementation issues. The biggest lapse is process, which is reactive.
  12. Terrorist Groups – deliberately left blank
  13. Deep Web – deliberately left blank

A few References and Proofs

Here is a list of 4 incidents (worth mentioning), that I experienced as an end user –

1. I once ran into some issues and requested a friend for help. He purchased software (accompanied by a boot disk) and could successfully clean the system. Later, while handing over the software to me, he cautioned me to either –

  • Uninstall the software before the expiration date or
  • Extend the subscription well before the expiration date

The events that followed were astonishing. Yes! I neither un-installed nor extended the subscription. The result, “the software started propagating/releasing viruses”. That was my first shock and now I am acclimated to it.

2. Security Company XYZ (name masked) – XYZ is one of the world’s largest security engineering companies. It has some real geeks and, at one point, was the most celebrated and respected brand. A few recent incidents include –

Un-installation Challenges – application comes bundled with laptops/computers with a limited subscription period. If the end user is not interested in renewing the subscription, he is not allowed to un-install the application. In case the end user somehow manages to remove the application, there will be surprises waiting –

It will start infecting the system by releasing viruses. To validate the findings, perform the following actions:

  • Go to Windows Explorer and change the settings to show all files (which is by default, disabled).
  • Install an alternate AV scanner. Update to the latest definitions, and run the scanner. Ensure that the scanner is not set to delete the infected files by default.
  • When the infections are detected, navigate to the location and see the publisher.
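
An added example (not part of the original article) of the last step above: for files an alternate scanner has flagged, it lists the verified Authenticode signer beside the "company" field shown in file properties, because that field is unsigned metadata and only a valid signature ties a file to a publisher. The paths are constructed placeholders and `Get-PublisherReport` is a hypothetical helper name.

```powershell
# Added example: show who actually signed each file that a scanner flagged.
# The default paths are constructed placeholders; pass the paths from your own scan report.
param(
    [string[]]$FlaggedPaths = @('C:\Example\flagged1.exe', 'C:\Example\flagged2.dll')
)

function Get-PublisherReport {
    param([string[]]$Path)

    foreach ($p in $Path) {
        # -Force makes Get-Item return hidden and system files as well
        $item = Get-Item -LiteralPath $p -Force -ErrorAction SilentlyContinue
        if (-not $item) {
            [pscustomobject]@{ Path = $p; SignatureStatus = 'FileNotFound' }
            continue
        }

        $sig = Get-AuthenticodeSignature -LiteralPath $item.FullName
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

        [pscustomobject]@{
            Path              = $item.FullName
            Hidden            = [bool]($item.Attributes -band [IO.FileAttributes]::Hidden)
            # Valid, NotSigned, HashMismatch, NotTrusted, ...
            SignatureStatus   = $sig.Status
            # Certificate subject; meaningful only when the status is Valid
            Signer            = $signer
            # Version-resource string set by whoever built the file; not verified
            ClaimedCompany    = $item.VersionInfo.CompanyName
            PublisherVerified = ($sig.Status -eq 'Valid')
            # Hash to quote when reporting the file or comparing scans
            SHA256            = (Get-FileHash -LiteralPath $item.FullName -Algorithm SHA256).Hash
        }
    }
}

Get-PublisherReport -Path $FlaggedPaths | Format-List
```

A file whose `ClaimedCompany` names a vendor while `SignatureStatus` is `NotSigned` or `HashMismatch` has not been shown to come from that vendor.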

3. Software Plagiarism Detection Application (name masked) – With the current technology trends and web content being the king, determining the originality of content is a challenge. XYZ is one of the most popular tools that checks for plagiarism. Here are the two facts that I had to learn the hard way –

  • Using the online version of XYZ produced results that rated the originality of the piece. In the background, the application had stored the content in its own database. At a later point, the original technical content was tampered with, even if it was original. Sometime later, before giving a go-ahead for the Technical Conference (where it was supposed to be presented), I ran a final check on a different tool (grammarly.com). Grammarly, being the most reputed tool, flagged it as a dupe/plagiarised. Conducting some research revealed that the content was posted to a commercial site, with deep links to the 1st tool, which was originally used.
  • Out of curiosity, I made a second attempt using a relatively safer approach. I downloaded the evaluation version of XYZ from the official site and did not upgrade to a paid version. My suspicion was confirmed – The Application started releasing Trojans.

4. Mobile Phones Micromax Doodle 2 – One of the most hyped and celebrated smartphones was released with 5 Star Reviews, with the following facts –

  • The wireless functionality was broken
  • The Security License App claimed that it should be either un-installed or purchased, but did not give an option to un-install. The result – any user who is not familiar with Android OS would not have been able to un-install the app and could be sued anytime by the vendor.
  • The vendor’s support portal did not have a contact number.
  • There was an SMS number listed, which did not work.
  • There was a contact Support Department functionality, which was broken.
  • Emails sent to their Support Department were answered with pre-configured templates. So regardless of the question asked, the answer would always be the same.
  • The electronic publishers, who had given the 5 Star Ratings were contacted but no one responded.

voice of the customer


LinkedIn

Reference to Linkedin – Where entire content could not be published

bill gates


Source: bill gates who will shave the barber

era of blue boxes and phreaking


Source: Wikipedia

Steve Jobs and era of blue boxes


Source: earliest secrets behind the blue boxes

How to Un-install by John McAfee

Awareness of Security Practices

Recommendations –

If I really knew the answer, the current post would not have been written. Regardless, there are a few recommendations from me and I am hoping to hear some from the readers.

  1. Awareness drive – drive awareness through forums, media channels, or whatever means of communication available.
  2. Research – Ask questions and perform research; whenever in doubt, check out government and/or other enforcement policies that deal with cyber crime.
  3. Don’t Go There – nothing is hidden in the world of web. Anything and everything that you do over the web is public. In case you are not informed about what you are doing, don’t do it. Some examples include sharing your mail id/contact details over the sites or sharing your pictures on Facebook.
  4. Engineering Processes – there is one process improvement area that might be worth considering. Security Testing, as a standard practice, is performed at the final gate (before the production release). This, by any means is of no use except to acknowledge the level of risk involved before releasing the Product. This process, by all means should be moved to early stages of Product Engineering.
  5. General Precautions
  • Keep the virus scanners patched with the latest security definitions. ‘On Access mode’ should always be enabled.
  • Use higher levels of encryption modes in security settings.
  • Keep the Bluetooth services hidden by default (especially if you are in a public place).
  • Online Transactions – double check the URL before conducting online transactions.
  • Don’t open emails that look suspicious, for example job offers.
  • Don’t keep the computer camera on when not using it.
  • Enable the safe mode in all browser settings.
  • The most expensive anti-virus might not be the most dependable, nor the open-source companies the least dependable. Always do some research before arriving at a conclusion.
  • To ensure online privacy, use alternate browsers like Tor and alternative search engines like DuckDuckGo.
  • Pre-Configured Computers and Laptops – most laptops and computers come with a pre-installed version of anti-virus. Check the validity of the scanner and the terms after the subscription has expired.

  6. Reporting – check the judicial laws in and around cyber space. I was pleasantly surprised to see existing laws with well-defined hierarchies. A few notable ones include – www.ic3.gov, www.bbb.org, www.consumerreports.org, www.ripoffreport.com, www.complaintsboard.com, and www.complaints.com