Hacking, Security, and Privacy Concerns on Facebook
It's not hacking if users' profiles are set to be searchable, right? It depends on who you ask. Current Facebook privacy settings come with a recommendation that urges users to leave their pages searchable to everyone.
The logic behind this is as follows: “If you’re visible to fewer people, it may prevent you from connecting with your real world friends.”
But staying searchable has led to the harvesting and publication of information that includes names and profile URLs for over 100 million Facebook users.
Skull Security and Information Distribution
Ron Bowes of Skull Security did some simple reconnaissance on Facebook to get hard data for his research on how people choose passwords. Ron is working to figure out how many usernames are based on people's given names (jsmith is a popular choice). By showing how easily usernames, and the password guesses built from them, can be derived from basic public information, Ron hopes to teach people how to make their accounts more secure.
In the Facebook incident, he collected only names (which could be actual names or usernames) and URLs of all searchable profiles (about 1/5 of Facebook users), then posted the information as a 3GB file that could be downloaded by anyone with Internet access.
Facebook spokesman Andrew Noyes has said that this information could be collected from any phone book, but the URLs collected couldn’t be extracted from the White Pages. Finding these URLs could be a frustrating trial-and-error process based only on names from a phone book, but thanks to Ron, they’re now accessible to anyone who’d like a neatly packaged list of searchable Facebook users.
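The kind of check Ron's research rests on, as an added example that is not part of the original post or of the Skull Security work: given a list of real names and a list of usernames (both constructed here, not taken from the published file), generate the common name-derived username patterns and measure what share of the usernames match one of them. The pattern set and the normalisation rules are this example's own assumptions.

```python
import re

# Constructed sample data (not from the Skull Security dataset): a few
# "real names" and a few usernames to classify against them.
SAMPLE_NAMES = [
    ("John", "Smith"),
    ("Maria", "Garcia"),
    ("Wei", "Zhang"),
]
SAMPLE_USERNAMES = [
    "jsmith", "john.smith", "smithj", "mgarcia2010", "zhang_wei",
    "dragonslayer", "xX_shadow_Xx", "mariag",
]

_TRAILING_DIGITS = re.compile(r"\d+$")


def normalise(username):
    """Lower-case, drop trailing digits (jsmith99 -> jsmith) and then any
    remaining non-letters (john.smith -> johnsmith)."""
    u = _TRAILING_DIGITS.sub("", username.lower())
    return re.sub(r"[^a-z]", "", u)


def candidate_usernames(first, last):
    """The common name-derived username patterns for one person (assumed set)."""
    fn, ln = first.lower(), last.lower()
    fi, li = fn[0], ln[0]
    return {
        fn + ln,   # johnsmith
        fi + ln,   # jsmith
        fn + li,   # johns
        ln + fi,   # smithj
        ln + fn,   # smithjohn
        li + fn,   # sjohn
        fn,        # john
        ln,        # smith
    }


def classify_usernames(names, usernames):
    """Split usernames into (name_based, other): a username is name-based when
    its normalised form equals a pattern generated for any supplied name."""
    patterns = set()
    for first, last in names:
        patterns |= candidate_usernames(first, last)
    name_based, other = [], []
    for u in usernames:
        (name_based if normalise(u) in patterns else other).append(u)
    return name_based, other


def name_based_fraction(names, usernames):
    """Share of usernames that are derived from a real name (0.0 when empty)."""
    if not usernames:
        return 0.0
    name_based, _ = classify_usernames(names, usernames)
    return len(name_based) / len(usernames)


if __name__ == "__main__":
    based, other = classify_usernames(SAMPLE_NAMES, SAMPLE_USERNAMES)
    print("name-based:", based)
    print("other     :", other)
    print("fraction  :", name_based_fraction(SAMPLE_NAMES, SAMPLE_USERNAMES))
```

The same generator, fed with a harvested name list, is exactly what an attacker would use to turn a phone-book style directory into a username wordlist for password guessing, which is why a public list of names and profile URLs is more than "phone book" information.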
The Problem with Being Searchable
Contrary to Facebook's recommendations, users might consider changing their privacy settings to "unsearchable." Here is the minimum amount of information that can be gathered from any profile: name, profile picture, gender, and networks.
Facebook reserves the right to keep this information visible on every account, and access to it can only be limited through the "searchable/unsearchable" setting. So with a URL from the Skull Security list, anyone can now view this information for every listed account unless its owner makes the account unsearchable.
The problem with this is that advertisers are extremely interested in what seems like basic information because they can make surprising inferences based on the simplest data.
The best-case scenario, then, is more targeted advertising. The degree of potential damage depends on searchable accounts’ other privacy settings.
For example, if you can be searched and you've made your list of friends accessible to anyone, your friends' names and profile URLs are now accessible through your profile even if they have made their own accounts unsearchable.
Deciding on Your Privacy Settings
If you’re on Facebook, go to “Account” and “Privacy Settings” to edit your preferences. If you click on “View settings” under “Basic Directory Information,” you can preview your profile to see how it looks to someone who isn’t on your friends list. You might be surprised at the amount of information that’s accessible.
Change your “Basic Directory Information” to control how searchable you are, who can send you friend requests and messages, and who can see your friend list, education, work, current city, hometown, interests, and other pages (choices are Everyone, Friends and Networks, Friends of Friends, or Friends Only).
Under “Sharing on Facebook,” you can customize the rest of your settings, which are organized under the topics “Things I share,” “Things others share,” and “Contact information.”
Even if you're not concerned about your own information, it's courteous to protect friends and family by selecting "Friends Only" for access to your friends list, family, relationships, and everything under "Things others share." At the very least, accept Facebook's loose minimum recommendation for privacy settings by selecting "Recommended" under "Sharing on Facebook."
This is a guest post by Alexis Bonari. She is a freelance writer and blog junkie. She is a passionate blogger on the topic of education and free college scholarships. In her spare time, she enjoys square-foot gardening, swimming, and avoiding her laptop.
Talkback and comments are most welcome
Related posts
Keeping unneeded sensitive data off your computer
Personal data - Publish only what you can afford to get leaked
Privacy Ignorance - Was Eric Schmidt thinking?
Keeping unneeded sensitive data off your computer
During everyday work our computers collect all kinds of information: e-mail is received, browser history is recorded, files are created. In all this exchange, a significant amount of sensitive data can accumulate, even without any action by the user (for example, being put in CC on an e-mail).
Most of this data is of little daily use to the user and is in fact a liability. It is a very good practice to check what information the computer has gathered over the course of daily work, and to clean out the unnecessary sensitive data.
The definition
First, let's define sensitive data. University of California defines sensitive data as
Information for which access or disclosure may be assigned some degree of sensitivity, and therefore, for which some degree of protection or access restriction may be warranted. Unauthorized access to or disclosure of information in this category could result in a serious adverse effect, cause financial loss, cause damage to the reputation, constitute an unwarranted invasion of privacy
The test
Everyone's first reaction is: 'This can't happen to me!' Yet it is well known that a lot of computers get sold with huge amounts of sensitive data still on them. So we performed a simple test: we ran the tools on the laptop of a university assistant professor. These are the results:
- 3 of his credit card numbers were saved in the browser history
- 7 e-mails containing lists of students' social security numbers were discovered; they came from Student Services, the user was only in CC, and they had only briefly been read
- 4 files with home addresses of project team members and partners were discovered, from a project that ended 2 years ago
Anyone making the check will be very unpleasantly surprised at the amount of sensitive data on their computer.
The tools
The definition makes a great point: if you don't work with it, remove it! To ensure that your computer is free of sensitive data you can use several tools to locate possible sensitive data. Bear in mind that no tool can determine conclusively what is or is not sensitive data, but automated tools are great at sifting through gigabytes of information to locate patterns that resemble sensitive data (credit card numbers, social security numbers, password strings).
Identity Finder
- Commercial application that can be used to find sensitive data, as well as providing other functions such as protection of identified files.
- Pro: Apart from standard credit card numbers or SSNs, it also searches for the string password: and thus can find a lot of cleartext stored passwords. It is quite efficient in its search and offers quick remedies, like destruction of identified files with sensitive data, or protecting the data. It is also capable of searching Outlook PST files. The enterprise version apparently works with web sites, but Shortinfosec was not able to test this functionality.
- Con: It is a commercial application, so you need to pay for it :)
senf
- A simple search tool from the University of Texas designed to look for Social Security Numbers and Credit Card Numbers.
- Pro: Nearly no configuration effort, just start it and send it searching.
- Con: Not useful for anything except SSN and Credit Card Numbers.
Spider
- A very good open source tool for finding sensitive data.
- Pro: Allows great flexibility of searches and is quite near the range of a commercial application. Although not as easy to use as a commercial counterpart, since it supports regular expressions you can search for nearly anything. It is capable of searching Outlook PST files. It is also capable of searching web sites, which works quite well.
- Con: you need to know regular expressions to make the most of it, and the presentation of results is not very clear, especially in Outlook PST files
Conclusion
The sensitive data scanners are a very useful set of tools. Although they are all plagued with huge numbers of false positives (any 16-digit run looks like a credit card number to a naive pattern), they also find the really nasty forgotten sets of data which everyone will be better off without.
So a periodic scan for leftover sensitive data is a very good practice for maintaining the security of your computer. This is even more true for enterprises, where this check-up should become part of the regular security awareness program and of the security check of corporate computers. A home user can achieve excellent results with open source tools, but for enterprises which require centralized management and reporting, a commercial solution may be an option.
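What such a scanner does under the hood, as an added example that is not taken from Identity Finder, senf or Spider: regular expressions for credit card numbers, US social security numbers and the password: string, run over every line of a file tree, with a Luhn checksum applied to card candidates so that order numbers and similar digit runs are not reported. The patterns, the file extensions scanned and the sample e-mail are this example's own assumptions (the card number is the well-known 4111 1111 1111 1111 test number, not a real card).

```python
import os
import re

# Patterns comparable to those the tools above use. Each is an assumption of
# this example, not a pattern taken from Identity Finder, senf or Spider.
PATTERNS = {
    # 13-19 digit runs, optionally separated by single spaces or dashes
    "credit_card": re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),
    # US SSN: AAA-GG-SSSS with the well-known invalid areas (000, 666, 9xx) excluded
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    # the "password:" string Identity Finder is described as searching for
    "password": re.compile(r"(?i)\bpass(?:word|wd)?\s*[:=]\s*\S+"),
}


def luhn_valid(digits):
    """Luhn checksum (ISO/IEC 7812) to separate real card numbers from
    arbitrary digit runs such as order or phone numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_text(text, source="<text>"):
    """Return a list of (source, line_no, kind, match) hits; credit-card
    candidates that fail Luhn are dropped to cut false positives."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(line):
                value = m.group(0)
                if kind == "credit_card" and not luhn_valid(re.sub(r"\D", "", value)):
                    continue
                hits.append((source, line_no, kind, value))
    return hits


def scan_tree(root, extensions=(".txt", ".csv", ".eml", ".log")):
    """Walk a directory and scan every text-like file. PST or Office files
    would need a format-specific extractor first, as the tools above provide."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(extensions):
                path = os.path.join(dirpath, name)
                with open(path, "r", errors="replace") as fh:
                    hits.extend(scan_text(fh.read(), path))
    return hits


# Constructed sample: one fake e-mail with a Luhn-valid test card number,
# a Luhn-invalid digit run, a sample SSN and a cleartext password.
SAMPLE_EMAIL = """From: student-services@example.edu
Subject: FW: enrolment list (you are in CC)
Card on file: 4111 1111 1111 1111
Order ref: 1234 5678 9012 3456
SSN: 078-05-1120
Portal password: Summer2010!
"""

if __name__ == "__main__":
    for hit in scan_text(SAMPLE_EMAIL, "sample.eml"):
        print(hit)
```

Run against a home directory with `scan_tree(os.path.expanduser("~"))`. The Luhn filter is the single cheapest cut in false positives; the remaining noise (phone numbers that happen to pass Luhn, SSN-shaped part numbers) is why the tools above still need a human to review each hit before deleting anything.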
Personal data - Publish only what you can afford to get leaked
The security and privacy risks of social networks have been the hot topic of many forums and experts for years. And it appears that the worst fears are now materializing - not only can someone trawl for your personal data, they can now purchase it!
Myspace is selling data through the reseller InfoChimps. The data that InfoChimps has listed includes 'user playlists, mood updates, mobile updates, photos, vents, reviews, blog posts, names and zipcodes.'
So, for everyone that still has some illusions: on the Internet, you should only post data about yourself that you want distributed, or at least data that won't hurt you in any way if it gets leaked.
A Simplified Analysis - Can you Forge a Biometric ID?
Security of biometric IDs like biometric passports is a very frequent topic of discussion and we all know there are issues. But most of those issues are related to encryption, materials and generally anything that requires a lot of technical knowledge.
Here is an example of how a fake biometric ID might be produced with very little technical knowledge. In order to understand this possibility, we need to discuss the 2 biometric elements within the ID:
1. Facial information
Each biometric ID contains a very clear and accurate photo of the owner of the ID. And facial recognition is used in a lot of systems, most frequently in organizations which require non-intrusive identification - like casinos and some border controls. So facial recognition systems are quite common and commercially available.
But facial recognition has an inherent weakness - it cannot be calibrated to 100% accuracy. This is simply because some features of your face can change on a daily basis: facial bloating, skin discoloration, acne, minor injuries. So the facial recognition system needs to be tolerant - most facial recognition systems are set up to accept a match at around 70-80% similarity.
2. Fingerprints
Fingerprints are also stored in the biometric ID, with most IDs storing only one or two fingerprints - the index finger of the right hand or the fingerprints of both index fingers. It is common knowledge that fingerprint readers can be easily fooled with very simple and readily available methods.
One simply lifts the fingerprints and creates a copy using Photoshop, a laser printer and gelatin or wood glue. Here is an example of a simple fingerprint lifting method - the first step in recreating a fingerprint.
So far, these two elements may be fooled, but how can we create a fake biometric ID with such information?
Technically, it is very difficult to modify an already manufactured biometric ID into a fake one, which was the initial idea.
But what if you can alter the input data to the process of creating a new, legal biometric ID? The process is quite simple:
- The seller of the fake ID must create it for a buyer that has facial features similar to his/her own, so the facial recognition software reaches the expected 70-80% similarity. To match a seller and a buyer with sufficient similarity, you can use a public web site: http://celebrity.myheritage.com/FP/Company/try-face-recognition.php
- The seller prepares fake fingerprint covers carrying the buyer's fingerprints and attaches them to his/her own fingers.
- The seller simply enters the appropriate authority and applies for the biometric ID. He/she gets photographed and the fingerprints get scanned on a scanner placed on the applicant's side of the bulletproof glass (which also isolates the staff from the flu). These authorities are staffed by overworked people and there is usually a lot of commotion, so very few people will ever notice the fake fingerprint covers. Oh, and the application software rarely compares previously filed fingerprints with the currently scanned ones.
- If all goes well, the seller receives a genuine ID which contains the seller's face and personal information, but the fingerprints of another person - the buyer. The buyer can now take that ID and actually pass most control checks.
- For all practical purposes such an ID is very much a fake, and yet there is no way to prove that the seller faked his/her information - even if the fake fingerprints are found on file, how will you prove that the seller faked his fingerprints?
What's your opinion? Can this method actually work?
Privacy Ignorance - Was Eric Schmidt thinking?
Eric Schmidt said in a CNBC special recently that “If you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place!”
And yet this flagrant ignorance of basic privacy has been met with mixed reactions. Some are criticizing, others are agreeing. Garett Rogers at ZDNet is even brown-nosing Google's CEO for some reason with the statement "I couldn't agree with him more!"
It would have been easy to just start ranting about the generic ignorance of Eric Schmidt for anything private. But I wanted to see what the Google engine would do with something that I don't want anyone to know, and yet couldn't prevent from happening - ILLNESS.
I created a series of e-mails which I exchanged between two Gmail accounts. It took 3 e-mails for Gmail to suddenly start offering me anti-allergy bracelets and referring me to doctors in its AdSense ads. Now, Google's engines know that I have an allergy. Here are the transcripts of those e-mails, word for word:
I apologize for not being on time, but I had to visit a doctor.
Apparently, I have developed some form of allergy. I will need to be treated with anti-allergy drugs for some time.
They are still investigating which medicine is the best
See you around
---------------------------------------------------------------
Bozidar
I am very sorry about your situation. I have had some rash issues myself some time ago, and I got prescribed Singulair and Alavert. Maybe you should mention those to your doctor as possibilities
Be safe
---------------------------------------------------------------
Alavert is for allergies. So I'll be mentioning it to my doctor.
Thanks
All it takes is 3 very short texts for Google's engines to know that you are ill. And those may be e-mails you exchanged with your physician. It is quite obvious that the automated engines use this information - I got relevant commercials.
So I would ask Mr Schmidt:
- Nobody chooses to be ill, and information about health is exchanged via e-mail, so now Google knows it. So, please answer - what won't Google do with this information?
- Do you stand behind the statement, made by the CEO of your company, that it's our fault that Google knows something that is very private and confidential?
Interview with GenApple founder
After the first article on the GenApple site - which promotes itself as the first information brokerage, Shortinfosec secured an interview with the founder of GenApple - Mr. Mark Hanson.
In summary, the service will need polishing, and GenApple will need to tweak procedures and operating rules as they go along.
There may be security and privacy concerns - we are sure that the law enforcement agencies will be very interested to peek into the information being traded, as well as who is trading it. Also, on the other side of the coin - the information brokerage may be a place where illegal information is traded, so GenApple will have to be very careful to walk the thin line between trading of illegal material and the pressure of law enforcement to know everything.
Read the full interview with Mark Hanson - GenApple's founder. For Shortinfosec, the interview was done by Bozidar Spirovski
Bozidar: Let's start with the person behind the idea - As I saw from your linkedin profile, you are just 4 years out of university. Is this your first venture?
Mark John Hanson: Yes. This is my first start-up venture. But I had the idea for this site about a year and a half ago, and have been developing it since then. We're very excited about it: The team has been working very hard and we hope to deliver a quality service that people can use, enjoy and learn.
Bozidar: Could you describe the concept a bit more, of course in layman's terms - at first glance it sounds like e-bay but for bits and bytes
Mark John Hanson: Sure: what we aspire to be is a place where people simply can buy and sell information and knowledge. At first glance, why would people pay for information or knowledge? The Internet is filled with free information, from search engines, to answer portals, to e-learning portals. However, something is missing - every person throughout their years acquires a lot of knowledge, some of it has little to no value. But every person has knowledge that they possess that another person may want---in real life to gain this knowledge there might have to be a personal relation. But with our site, we seek to create a marketplace where people for the first time can sell knowledge and information that another party may want and pay for.
Bozidar: So what you are promoting is compensation for knowledge that someone has and others require?
Mark John Hanson: Exactly---right now there's lots of knowledge that is not being disclosed on the Internet because people feel it has value. For instance, there are things you are willing to blog about for free---you write about security issues. However, you're a businessman and there are many other things that you have acquired over the course of your life that have real value. We seek a place where you can sell such knowledge, both privately, if you want, and securely.
Yes, there are many answer sites, forums, etc. and for many, many questions a free answer forum is good enough. However, we're not just an answer forum, we hope to be a place where a broad amount of knowledge is shared.
Bozidar: You touch an excellent subject with the forums - There are commercial forums that offer some form of expert knowledge when you subscribe. These are usually quite technical and with specific target groups in mind. What is your target group?
Mark John Hanson: at the end---we hope to be the destination for any or all type of knowledge; however, starting out, we'll focus on three verticals and expand from there
- (1) stock tips and financial knowledge, we want to have a monetary focus when we start so people who have knowledge or advice about investment strategies can share. Because of US securities regulation, we'll actively monitor these listings to make sure that inside information is not disclosed or sold
- (2) news freelance --- because of the nature of journalism in the US there are many reporters who are currently unemployed or underemployed. What we want is for people who are journalists, citizen journalists and so on to have a place where they can sell news stories that they'll write and the news organ
- (3) celebrity gossip and information---we wanted to have a fun and interesting vertical so people will check our site out and follow what is being disclosed on our launch.
Bozidar: The exchange of information will go through GenApple. I'll try to summarize the process as I understood it:
- The seller offers a commodity (information) on the exchange
- The seller deposits the commodity in the information vault
- The buyer and seller agree on a price and transfer funds
- The buyer pulls the commodity out of the vault
- The buyer receives the funds after a cool down period for disputes
Mark John Hanson: Exactly: there's obviously more detail and I'll be happy to provide you with our animation intro that explains this; users can also view our "how it works" area. You are concerned with security, and this is utterly important for a business like this. Thus our website has been developed so that each information vault is protected from hackers and people with bad intent. We are certified by McAfee---we also use an SSL certificate from Verisign, so immediately when people are on our site, all transactions, from a simple search on, are secure.
We feel that as an "information brokerage" we should treat our customers as if they're dealing with a bank or financial institution---information and knowledge is valuable. Moreover, when people sell information, they want to keep their identity private because of the nature of the transaction---to us privacy is a form of security. We want people to know that if they use this site, their identity is kept safe and will not be disclosed to anyone, period.
Bozidar: You use a very strong statement there "protected from hackers". In the world in which I live, something hasn't been hacked only because a hacker still hasn't found the vulnerability to exploit or the interest in exploiting it. So for argument's sake, let's say that a hacker manages to break in and he/she/they steal information or redirect funds. Do you accept any responsibility for the damages caused to the parties involved?
Mark John Hanson: I do have confidence in our site's security and McAfee Secure---we will do our utmost to protect the information that people have disclosed to us---as to your question, our user agreement discloses precisely what responsibilities each party undertakes.
Bozidar: So on this particular site it is very wise to read the agreement, not just click the I Agree button?
Mark John Hanson: What we want is for every user to read the user agreement and privacy policy before they sign up---we have links to these agreements in the registration page. The reason for this is that the user knows what to expect from us and also what we expect from every user. This marketplace depends on GenApple to create a safe, easy, secure place to do a transaction.
Bozidar: In your first target group vertical you mention US regulation. On my attempt to register I saw that the registration address can only be a US address. Does this mean that every user of GenApple needs to be under US jurisdiction?
Mark John Hanson: For right now we're limiting it to the United States; however, probably very soon we'll open it up to many different countries---this is partly based on how we pay - we have two payment methods to pay sellers: (1) PayPal and (2) a bank check mailed directly to a user's home. PayPal is not available in every country and a bank check is limited to North America.
Bozidar: Not quite - google mails checks all over the planet
Mark John Hanson: Google as a business does this---I'm not aware of a payment service that they have; however we prefer to use a Bank so our users are confident that the check they receive will be cashed. In the future---we could mail checks to users around the globe---if we reach that point, we'll be happy to provide that service
Bozidar: Let's talk a bit about the actual commodity - information what type of physical information can be stored in the data vault - text files, excel spreadsheets, images, encrypted files etc..is there a limitation? and of course, to what size?
Mark John Hanson: No limitation as to the type of files---we are looking at limitation right now---we also provide a textual entry area for people to disclose their information if it's just a short sentence. So we're still trying to set a balance and when we launch, we'll note file size limitation within the information vault.
Bozidar: Well, since basically the actual information can be any type of file, you may be faced with a very unpleasant situation - the buyer agrees with the seller, transfers the funds and receives nothing useful, so he disputes - or a far worse scenario: the buyer got what he requested, but he/she still wants to cheat and disputes nevertheless. How are you planning on coping with 'fraudsters' on both the selling and the buying side?
Mark John Hanson: Very good point---hence our business model: as we note up front, we are an "information brokerage" --- we are dealing with the intangible, unlike eBay or many sites that sell tangible products---it's much harder to police fraud when dealing with the intangible. The buyer wants to know that he or she is getting what he or she is paying for and the seller wants to know they're getting paid. Hence as a brokerage, we assist in every transaction; as the user agreement says, we are not a party to a transaction, but we do the following:
- (1) in every listing, potential buyers can ask the seller questions directly before they buy
- (2) the buyer can look at the seller's feedback rating and take that into consideration--with more positive feedback being good
- (3) besides the summary, there is the veracity statement, which is where the seller can state how he or she came to acquire such information or knowledge
Mark John Hanson: So up front, we want to give the buyer as many opportunities as possible to make an informed purchase. However, to go to your point--what if the seller's information is bad or the buyer unfairly disputes a transaction? Hence our dispute system, which is noted in our user agreement---we take a look at the positions of the buyer and seller---and we make the final decision for them. This is a high standard, which we use to discourage buyers who unfairly file disputes. We want to protect our buyers as much as possible, and if it seems that fraud exists, then we'll issue a full refund. Each dispute is handled on a case by case basis---but each party agrees not to appeal GenApple's final decision.
Bozidar: A bit more on the content of information - if it is encrypted, then you may be facilitating transactions involving exchange of illegal information: like access passwords, or industrial secrets, plans to make bombs.
Mark John Hanson: Yes---all valid points---this goes into our privacy policy. You certainly know the concept of a safety deposit box. We treat every information vault as a safety deposit box. If we as a service look into those vaults, then sellers may feel insecure from the get go; when people deposit into a safety deposit box, they want privacy. To combat possible illegal activities our best course of action is thus to be diligent---any listing that we see that's suspicious will be deleted. We have on every listing page a report listing function, with which any user can immediately file a report if such a listing looks bad. If there is a dispute or an illegal transaction, as per the user agreement, we'll comply with governmental authorities.
Bozidar: So I'll speak the lingering question on every body's mind on your launch: Will the law enforcement and intelligence agencies get full access to all information vaults? I know that your policy states that you'll supply law enforcement with information in case of investigation; But what about the broad view?
Mark John Hanson: What we're trying to do is strike a balance, which could change as the site matures. As per our user agreement, all vaults are secure from us and the public unless there is a dispute or a request from a law enforcement agency. We will not under any circumstance turn over private information or an information vault unless forced to do so---we can only promise to take each instance as a case, and that's all I can say at this point that's not already disclosed in our user agreement, but you have a balance: sellers must be confident in the privacy of a transaction.
Bozidar: You gave a good argument that you as an information broker actually cannot know what all transactions are - thus you are not responsible for any wrongdoing of the users. But still, the similar argument applied to Napster and the Pirate Bay - and yet, they got sued for facilitating illegal exchange of information.
Mark John Hanson: Well, in our user agreement, if someone does do something illegal, they are liable for our defence costs. But you are correct, there might be people who do illegal things. We'll do our very best to create the best marketplace possible.
Bozidar: Are you actually worried that it may come to GenApple being sued for situations similar to Pirate Bay? They did claim plausible deniability but are now in prison.
Mark John Hanson: All I can say is that we drafted our user agreement with your question(s) in mind, but I cannot speculate what'll happen in the future---no one knows
Bozidar: Mark, i want to thank you for all the information we got on this interview. One last question - what does GenApple stand for?
Mark John Hanson: Yes--hehe--every Internet company needs a name that's short and memorable--the root "Apple" comes from the fruit of the tree of knowledge of good and evil. I was looking for adjectives because obviously Apple is taken. I did find the "gen" is British slang for information, hence the word genapple.
Do you like this product? What security concerns might you have on GenApple? Please add your 2 cents in the comments.
Google Voice - No Privacy Remains?
Google is announcing a new service - Google Voice. Apart from the automatic transcripts of voicemail, call filtering and other user benefits, the service will give Google access to enormous amounts of information about your life - including recordings of your voice mail.
Of course, the Google creed is - Don't be evil! But let's dig deeper into what Google will get their hands on:
- Records of voice mail calls, with automatic transcription - Google will have the voice AND a searchable text of your messages, possibly even of your calls at some point
- Voice imprints of all the people who called you - and they can match those imprints to a source phone number.
- A FULL listing of your incoming calls - since Google Voice is integrated with GrandCentral (Google Number), which gives you one single number; when a caller rings that number, up to 6 of your phones can ring simultaneously, so every incoming call passes through Google.
I have no objection to the efforts of Google to make a profit - especially since they offer a free service for this.
But the amount of information that is going to be collected in this way will soon rival a system popularly known as ECHELON - a highly secretive grid of US and UK government datacenters and communication hubs used to intercept, process and analyze electronic communications.
So instead of having to spend billions of dollars to set up and operate huge datacenters with hundreds of employees, the NSA, FBI, CIA and all the other 3-4 letter agencies will just use the USA PATRIOT Act or something similar to 'ask' Google for access to everything recorded.
And it's not only the government that will try to get their hands on such info. I suspect that Google Voice will become a target of all kinds of hacker groups, intelligence agencies and generally anyone trying to extract possibly useful info from the archived data.
So next time you are phoning someone, first thing you do is ask the person on the other side - are you on Google?
Email security - leaks in corporate e-mails
During business e-mail communication a lot of people tend to include non-business related information. Such unrelated information is usually generic info about the sender's company, but it can expose the company to unwanted risks of social engineering attacks or a reduction of competitive advantage.
Here is one of the less disastrous e-mails that dropped into my mailbox. It is anonymized, so it will be recognizable only to the author - should he choose to read this post.
Analysis
Let's analyze the information and its relevance to a possible attacker:
- The confidential content of the message can be fake - the sender dropped entirely fake information to create the appearance of great importance. While such information cannot be used in creating an attack, it is a great weapon for discrediting the company. All the attacker needs to do is continue the communication and draw out more such e-mails. Then, it's just a matter of 'leaking' such e-mails to the public with appropriate commentary and reference to any commercial promise of their product.
- The confidential content of the message is true (partially or fully) - the sender dropped true information, trying to increase the importance of his company or trying to build confidence with the recipient of the e-mail. In any case, this leaves a great foothold for a social engineering attack:
- The attacker can continue the communication, even returning fabricated confidential information in order to gain further trust and extract more information
- With just the information about a trip to Spain, it would be easy to craft a message from an apparently Spanish sender, referencing a meeting with the owner at such and such a time. In such a message the attacker can try to obtain more confidential information or build a trust relationship with the sender or others in the company.
- Information about travel of a company executive can be used to research the possible partners in Spain, and launch a social engineering attack on them.
Whatever the reason for communication, always stick to the matter at hand, and under no circumstances volunteer or drop additional facts which are not relevant to the subject matter.
For companies, the above sentence should be a part of the internal security policy and e-mail usage policy.
Tutorial - Secure Web Based Job Application
In the effort to minimize costs, a lot of companies create web based forms for job application. But web hosting is mostly outsourced to hosting providers, which host hundreds of sites on the same server, thus potentially exposing the personal data of applicants to hacker attack.
Here is a blueprint design for making a web based employment application with minimal risk of unnecessary exposure of the personal data of the applicants.
The process
The corporate concept of the web based job application uses the following process:
- The applicant fills in a web form, and the information is stored in a database.
- The corporate HR operator accesses the database and applies appropriate filters to applicants to generate an automatic shortlist from competencies and education filters
- Applicant data within the database can have automatic retention setting to delete old records.
Summary Risk Analysis
The risk analysis of the design has the following assumptions:
- Web hosting is outsourced
- There is no direct link from the hosted web site to the corporate network
- The site is hosted on shared hosting, with the generic security provisions provided by the hosting provider for all hosted sites
- HTTPS is available for any web page on the outsourced hosting
Solution design
To mitigate the identified risk, the design separates the location of application form from the actual database of personal information. The entire design is presented on the diagram below, with each numbered step described in detail:

- The applicant web form is hosted on the web hosting server. The web form is accessed via HTTPS. The applicant fills in the web form
- The web form packages the information into an XML file, which is sent as an attachment of a signed and encrypted e-mail message to the corporate e-mail server
- The signed and encrypted e-mail message is read by an automated process; the signature is verified and the message is decrypted
- The XML file is extracted and parsed by a process on the internal application server
- The parsed information of the job applicant is sent to the HR database, located within the security zones of the corporate network - no access from the outside
- The HR operator uses a web interface to access the stored information via the internal application server
- The internal application server accesses the applicant data stored in the HR database
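The sign-then-verify-then-parse path of steps 2 to 5, as an added Python example (not the post's own code). A shared HMAC-SHA256 key stands in for the S/MIME or PGP signature of the design, the encryption layer is omitted, and all addresses and the key are constructed; the point it shows is that the internal process verifies the signature before it parses anything, and still refuses DTDs because the shared host remains untrusted even when the signature checks out.

```python
"""Sign on the hosted side, verify and safely parse on the internal side.
Added example for the job application design; HMAC stands in for the real
signature and encryption is omitted."""
import hashlib
import hmac
import xml.etree.ElementTree as ET
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

SHARED_KEY = b"constructed-demo-key-not-a-real-secret"   # constructed value
REQUIRED_FIELDS = ("name", "email", "experience_years", "education")


class RejectedApplication(Exception):
    """Raised by the internal process when a message must not reach HR."""


# --- hosted web server side ---------------------------------------------
def build_xml(fields: dict) -> bytes:
    """Serialize the form fields; ElementTree escapes <, > and & for us."""
    root = ET.Element("application")
    for name in REQUIRED_FIELDS:
        ET.SubElement(root, name).text = str(fields[name])
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


def sign(xml_bytes: bytes) -> str:
    """Stand-in for the S/MIME or PGP signature of the design."""
    return hmac.new(SHARED_KEY, xml_bytes, hashlib.sha256).hexdigest()


def build_message(xml_bytes: bytes, signature: str) -> bytes:
    """Wrap the XML as an attachment of the e-mail sent to the corporate MTA."""
    msg = EmailMessage()
    msg["From"] = "jobs@hosted-form.example"      # constructed addresses
    msg["To"] = "hr-intake@corp.example"
    msg["Subject"] = "Job application"
    msg["X-Application-Signature"] = signature    # stand-in for a MIME signature
    msg.set_content("Application attached.")
    msg.add_attachment(xml_bytes, maintype="application", subtype="xml",
                       filename="application.xml")
    return msg.as_bytes()


def package_application(fields: dict) -> bytes:
    xml_bytes = build_xml(fields)
    return build_message(xml_bytes, sign(xml_bytes))


# --- internal application server side ------------------------------------
def ingest_application(raw_message: bytes) -> dict:
    """Verify the signature first, refuse DTDs, then parse the known fields."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    xml_bytes = None
    for part in msg.iter_attachments():
        if part.get_filename() == "application.xml":
            xml_bytes = part.get_payload(decode=True)
    if xml_bytes is None:
        raise RejectedApplication("no application.xml attachment")
    claimed = str(msg.get("X-Application-Signature", "")).strip()
    if not hmac.compare_digest(sign(xml_bytes), claimed):  # constant time
        raise RejectedApplication("signature mismatch: forged or tampered")
    # The host is shared and therefore distrusted even when the signature
    # checks out, so DTDs (entity expansion, external entities) are refused.
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise RejectedApplication("DOCTYPE/ENTITY declarations not allowed")
    root = ET.fromstring(xml_bytes)
    if root.tag != "application":
        raise RejectedApplication("unexpected root element %r" % root.tag)
    record = {}
    for name in REQUIRED_FIELDS:
        node = root.find(name)
        if node is None or not (node.text or "").strip():
            raise RejectedApplication("missing field: " + name)
        record[name] = node.text.strip()
    try:
        record["experience_years"] = int(record["experience_years"])
    except ValueError:
        raise RejectedApplication("experience_years is not a number") from None
    return record  # what the internal process hands to the HR database


if __name__ == "__main__":
    raw = package_application({"name": "Ana Demo", "email": "ana@example.org",
                               "experience_years": "7", "education": "BSc"})
    print(ingest_application(raw))
```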
Conclusion
The proposed design can be used as a prototype for a job application portal which minimizes the risks of data theft. There can be several modifications or variants of the design to target specific requirements and expectations.
Of course, this design will be disputed by most ISPs, since they claim that their sites are safe.
But in a corporate environment, the corporation is responsible for protecting the personal information of the registered persons. And should a security breach occur, no amount of penalties to the ISP will reduce the responsibility of the corporation.
Dissecting Social Engineering - Free Product Scam
Free stuff is being used as a marketing or brand awareness tool, but it can be used for a much more sinister goal: It can be the tool to collect a significant amount of money via simple social engineering.
The scenario
I get offers for many products by e-mail, which I mostly delete or let the spam filter take care of. But in the past week I got bombarded from several different sources regarding one apparently free product. The sheer amount of e-mails made me read through one of them. It was an announcement for a free distribution of some SEO program.
Just for fun, I clicked on the included link, and got to a page with a style of a typical social engineering 'easy money' page. Here is the analysis of such pages.
At the end of the (very long) page I got to the real deal. They need my credit card in order to send me the free program on a DVD:
- I will be charged just shipping and handling costs for the program, which are $7 for the US and $10 internationally, and I get free access to the service for a month.
- I will be billed $100 per month for the SERVICE, after the first month. I understand that I can cancel at any time right from within the site or by just logging a ticket at www.SOMEADDRESS.TLD
Why would they bother with all this shipping? Here is why:
The cost of one DVD, with replication, e-mail advertising (spamming), web site setup and credit card processor charges comes up to
- $2.76 per DVD for delivery in the US
- $4.54 per DVD for delivery outside the US
So, based on the 'shipping and handling' charges, there is a profit margin on each DVD of
- $4.24 per DVD for delivery in the US
- $5.46 per DVD for delivery outside US
The DVD needs to have something useful - the advertised PROGRAM. It is some program that should improve your Search Engine Optimization and can be whipped up by a programmer within 2 weeks, following certain logic rules presented in SEO books all over the Internet.
- Cost for the software - a maximum of $1000 - on rentacoder you get that done for even less.
If 1000 people out of 50,000 e-mails bite the bait, and 1000 DVD's are distributed in US (low margin scenario), there is a profit of $3240 before taxes.
But wait, there is more!
All those 1000 people left their credit card info online in order to be charged the 'shipping and handling'. However, the agreement is that by taking this free item, these 1000 people have opted in to a monthly fee of $100 for some online service which is never really explained and can be as simple as a mailing list for 'Valuable SEO Info'. Of course, the user can opt out at any time, but for the moment he is opted in!
So, just as there are people who forget to send in their rebate vouchers, there will be people who forget to opt-out of the online service, thus getting billed the $100. I would set the percentage of forgetful people at 20%, with 25% of them having a debit card with no funds to be taken. So, out of the original 1000 people who got their wonderful DVD, we arrive at 150 credit cards that will be billed after one month.
So, apart from the initial $3240 before taxes, we get additional $14925 before taxes.
Conclusion
The analyzed model is not a direct scam for all legal purposes, since it delivers a product which is free, and you have been informed of the additional charges that will be incurred after 1 month of usage of the 'service'.
On the other hand, the product is promising a MONSTROUS income from Internet sites, which in 99.999% of cases WILL NEVER HAPPEN.
At any rate, be very careful. THERE IS NO SUCH THING AS A FREE LUNCH.
Whisperbot analysis - Revisited
I got a response from Matt at Whisperbot regarding my post Whisperbot - No thanks, I'll use e-mail.
You can read the reply here, it's the third reply on the post
Regarding the previous post, I would like to clarify that I have no interest to attack the Whisperbot service, and I hope that their team will use my analysis to improve on the service.
Here is a deeper analysis of my points with references from the Whisperbot reply
1. Message transport in cleartext
Actually, there is an https secure version at https://www.whisperbot.com
- Although there is an HTTPS site, the default service is on a cleartext HTTP site, and most users will always use the default service without even bothering to look for the HTTPS variant. Whisperbot is offering confidentiality, so a default encrypted channel is a must.
2. Message is stored on Whisperbot servers with unspecified and not very reliable security measures
Yes, it's in a database, of course. But, I rebut that it's not secure - I'll happily share with you the database content and I'll let you see if you can decrypt it. Everything - from message to email address is encrypted - and we're not talking md5 here ;-)
- First, MD5 is a hashing algorithm, not an encryption algorithm, and since it is practically non-reversible for long messages (the rainbow tables would be enormous) you can't use it for storing messages. The Whisperbot service obviously uses reversible encryption, and I have no intention of disputing the strength of the encryption (although they won't publish the algorithm). What I am disputing is the fact that the Whisperbot servers also hold the encryption/decryption keys, since the servers present the message in cleartext to the recipient. So, the first risk is disgruntled administrators who can leak or steal the key database. Also, as an attacker, I would direct my efforts at tapping/stealing the key database. Just publishing the key database, without any actual stolen message, would be devastating for the Whisperbot service, since it is based on the trust of its users.
3. Security is based on obscurity
There is an option to use a passphrase - so, even if someone else gets the link, they can't read the message without the passphrase.
- I stand corrected as long as Whisperbot MANDATES a passphrase on every message. As long as the service maintains the current solution, it's still just using security by obscurity.
4. Message retention cannot be controlled
Agreed with the need for a delete button of sorts - right now, we just trim the message after it's been read and stored for a period of time.
- Instead of a delete button, I would suggest an automatic erase after the presentation of the message; this will reduce the database capacity requirement but will increase the I/O load on the database. Whisperbot will probably go with the 'pruning' option first, at times when the servers are at minimum load. While this option is good for the servers, it's not as secure as an auto-destruct method.
Whisperbot - No thanks, I'll use e-mail
Whisperbot is a new free service that claims it delivers confidential messages to your friends without e-mail.
According to their own site, they say: Stop using e-mail for your confidential messages!
While this is a nice slogan to have on a site, we say, stick to e-mail and add encryption.
Here is why Whisperbot should be avoided for any confidential messages:
- Message transport in cleartext - the submitter and the reader are accessing the 'confidential' messages via HTTP protocol by default - thus any typed and read content is open to sniffing and archiving via proxies
- Message is stored on Whisperbot servers with unspecified and not very reliable security measures - supposedly, Whisperbot stores the messages in encrypted format. This cannot be confirmed, but even if it can, since the message is presented to the recipient in the original form, the message is stored in reversible encryption. Thus, the security of the message is the same as a safe full of money with the key left in the lock.
- Security is based on obscurity - the main point of the security measures of Whisperbot is that the path to the message is unique and not known to anyone except the recipient. But the path to the message is sent to the recipient via cleartext e-mail, which can be captured and read at any number of places on the path of the e-mail message.
- Message retention cannot be controlled - the message is kept on the Whisperbot servers for an undisclosed amount of time, thus opening it up to the possibility of a later access by someone else.
Instead, for confidential messages you should rely on e-mail, with the added security of GNU Privacy Guard (GPG).
No Privacy - Saw You Cheating on Image Search
What is the next big privacy issue? Image Search. But not the current image search, which actually searches through the file names and meta data, but actual, pattern matching image search.
The issue of pattern matching between images regardless of perspective and color has been an academic issue for a long time, and has found application in OCR systems, fingerprint identification and some high cost expert systems. For the enthusiasts, here is a good article on the math behind image search: Bayesian geometric hashing and pose clustering.
While the technology has been in research for more than 20 years, the current trend is turning towards image and video search, not for academic reasons but for profit. Paul Murphy did a critique on the current state of search and the golden opportunities.
Yes, matching an uploaded image to a database of images and videos and returning similar items is a very valuable and profitable technology - just imagine the amount of commercials that can be targeted in such a way!
So it is safe to say that with the current advances in processing power, storage and network bandwidth, image search will happen, and quite fast. Apart from profits for the search engines, it will probably deliver a lot of uses, beneficial and otherwise, like:
- Pattern matching for obscure symbols or painting styles across many publications and museums
- Searching for your lost brother on the Internet by uploading his child image
- Even in kidnapping cases, for searching across the vast data sets of video surveillance in hotels, train and bus stations, airports, etc.
- Jealous girlfriend/boyfriend may use the search to sift through MySpace and YouTube videos of parties looking for possible indiscretions of the partner
- Sexual deviants may use the online video and image archives to search for their preferred type of targets
- Criminals will be able to look for a multitude of photos and blueprints of a possible target (a local bank building) by having only several photos and a sketched schematic of the publicly accessible part of the building
- Identity theft attackers to find actual persons the target is working with or being familiar with, to prepare a better attack
So just be prepared to tell the truth to your wife when you come home from work, because soon she'll be able to Google you at the local bar with friends instead of a late night at the office
Internet Social Engineering - Avoid Con Tricks
Most Internet Marketing and Sales content is a very dubious selling scheme. While not directly a security issue, all these sites have the characteristics of confidence tricks, a subset of social engineering, and merit analysis so they can be identified and avoided.
Let's use the same sequence of actions to help the visitor protect himself and tell real deals from scams:
- Analyze the content.
- Identify their goals.
- Question their promises.
1. Analyze the content:
The common characteristics of immediately visible dubious sites are:
- No site structure or organization - everything is blasted on the title page. These sites don't have a meaningful structure, menus, links or sub levels, nor any real readable content. They instantly remind of a commercial, where everything needs to be communicated within a time frame of 10 seconds.
- Large and contrasting font, delivering a message sounding like "You can do this too" - The actual message varies, but always boils down to "I have done it, you can do it too"
- Messages appealing to laziness and promise of easy money - These sites always stress that all achievements will be made from the comfort of your home, or in your free time, or while you sleep.
- Frequent use of key words that make the reader imagine a better future - money, saving, earning, improve, change...
- Success or Character References from unknown sources - John Doe from Down Under, SomeCounty, OtherState is thanking the author for the great success he achieved using this miraculous system. This statement is usually accompanied by an obvious clipping from a family or wedding photo of some unknown person.
- References to "actual" weekly or daily income that should look like a real sum - The sites drop numbers which are not rounded, since rounded sound too fake. Instead, you'll see a lot of $7,431.51 a week or something similar
- Actual Images of Success - Images of the site author leaning on a brand new BMW or Mercedes parked on a street or driveway in front of a mansion. Similar to this, images of large office with the author sitting at a huge desk, or an image of a beach with the author suntanning while supposedly money is pouring in.
- Invitation to action on every second paragraph so you can start your success - Frequent occurrence of a statement like: "Just buy this for a small price of $79.99 and you'll earn within a week"
2. Identify the goal of the site:
There are 2 major goals that the authors of such sites are attempting to achieve:
- Sell some unknown product or service (CD/DVD/Book/Pamphlet/Training)
- Collect valid email data for spamming purposes or sale of targeted leads (mostly used for offers of credit by loan sharks or for real estate scams)
3. Question the promises in the offers:
As in all education about social engineering, the solution to avoid these "attacks" is to avoid implicit trust and question everything :
- If you see an image presenting a pyramid structure of people or objects, RUN LIKE HELL - pyramid schemes don't work for you. Don't even hope they will work for you! You have much better odds at blackjack than in a pyramid scheme!
- Are these references actually real? - Who are these people, and did they actually write the reference? Simply disregard such claims, it takes too much time to verify them and they are too easy to be faked (Photoshop).
- Do these pictures have any merit? - Last time you checked, once you lean on a parked car and take a photo of yourself, the car instantly becomes yours. Using this method, I became a proud owner of a Bentley Continental, 2 Carreras, Lamborghini Diablo and several BMW's. Yeah, right!
- Who actually makes $7,431.51 a week? - Very, very, very few people in the world. A person earning $19,000 per year is in the top 11% of the world population. So, no: it is NOT possible to sit on your ass and earn that amount per week, no matter what they tell you.
- If this product can make my car achieve 100 mpg, why isn't it on the cover of TIME magazine? - There is a process by which a real idea gets used - first you patent it, then you offer it to the big manufacturers and present it at innovation conferences. Pretty soon, SCIENCE, NATIONAL GEOGRAPHIC and a lot of others write articles about it, and the big manufacturers negotiate the purchase of the patent. If instead you find the product just on the Internet, the author is either unbelievably stupid, or he just hopes you are unbelievably stupid.
Nobody's safe - Google's personal data stolen
Here is another example that even the largest companies cannot be safe from information security breaches, especially when using partner companies with lesser security:
According to a report by ZDNet Australia, an undisclosed number of personal data records were stolen from Colt Express Outsourcing Services.
The company provided HR services for Google, CNET and other large companies - the stolen records are of employees of these companies. The breach was actually a physical burglary, but obviously targeting data instead of funds.
Actually, according to a statement made by the CEO of Colt Express Outsourcing Services, they are in financial difficulty, so the MOST VALUABLE ASSET they had was the personal records of employees of large companies.
While measures are being taken to protect the employees from identity theft and fraud, it becomes apparent that companies need to strongly address not only their security, but the security of their partners.
The Citibank incident, where the PINs were most probably stolen from a partner company, also underlines the same requirement.
To reiterate the measures of protection which, although not foolproof, actually minimize the risk towards your business and personnel:
- Always agree on security levels for infrastructures and processes of your business partners.
- Make periodic audits that the agreed levels are respected and enforced.
- Maintain vigilance on your information in the wild - the faster you identify that some information is in the wild, the less impact it will have on your business.
Citibank PIN Heist - Sources of Security Breach
Citibank ATMs became the target of fraudulent withdrawals by at least two men this February. Allegedly, the entire incident was related to a computer security breach of Citibank's servers that process ATM transactions.
This is the first time that an actual major financial fraud is related to a computer security incident. However, Citibank denied that any of their systems were compromised.
The Threat Level Blog of Wired magazine is following the story with a new development, in which new frauds are appearing and Citibank is replacing ATM cards to a number of their customers. In the letters sent to customers, Citibank is explaining the replacement with an "identified data compromise involving the credit and debit card payment system used by a third party ATM network"
Naturally, both Citibank and the authorities will not reveal details of the problem until it has been rectified, and even then certain elements may not be disclosed to the public. This series of events sheds a light on a different and largely omitted aspect of data security:
- Another organization's lapse in security can cause you a lot of grief and negative exposure
- Security breach of your information can easily be caused by a business partner whose security is not up to expectations
- The attackers will not always approach you, in order to steal from you
In today's networked business, there is no foolproof protection for your information. But in order to minimize the risk towards your business, exercise the following simple rules:
- Always agree on security levels for infrastructures and processes of your business partners.
- Make periodic audits that the agreed levels are respected and enforced
- Maintain vigilance on your information in the wild - the faster you identify that some information is in the wild, the less impact it will have on your business
Another Bad D.M.C.A. - Canadian Bill C-61
Last week Bill C-61 was introduced in the Canadian parliament. Supposedly it protects digital media from copyright infringement. The danger is that the law will not only serve to protect the copyright of music and video files, but will possibly hamper the usage of legally purchased material.
Here is a flagrant example. The Bill C-61 grants the copyright holders the right to demand damages from anyone who bypassed any sort of encryption, with a few exceptions regarding interoperability, encryption research and security.
- 3v3n v3ry l4m3 3ncrypt1on.
If this bill is passed into law and you managed to read the above sentence, the author can claim that you breached an encryption algorithm and sue you for $500 per infringement.
While the Dmitry Sklyarov incident should not be repeated, we can expect a lot of confusing and debatable infringements, like
- Transferring your legally purchased music from a CD to your iPod
- Playing a region 2/3/4/5/6 DVD that a visitor/tourist/student purchased legally and brought with him for his personal use
- Using copy/paste from electronic books for quoting within research papers
So, if this bill is passed into law, here are several scenarios which can happen
- Within the borders of Canada, any company having a product with a ridiculously stupid or vulnerable encryption algorithm will be able to sue the user who bypassed the vulnerability for his own use.
- Even if such a vulnerability is identified by a security expert, it may not be treated or corrected by the manufacturer, since they will deem themselves protected by the letter of the law.
- Even with the exceptions regarding interoperability, encryption research and security, ethical security experts may be wary of analyzing and publishing vulnerabilities, since if they are challenged, they will need to prove their intent and that they didn't use the vulnerability for ANY infringement.
Creating secure CD/DVD media for transport using TrueCrypt
Continuing the discussion about securing your backup media in transit, here is a tutorial on how to create a very secure media for public transport.
The target is to create a CD/DVD medium that will contain highly protected sensitive information. For this example, the sensitive information is a System State Backup of a Domain Controller, as per the example in http://www.shortinfosec.net/2008/06/6-steps-to-securing-your-backup-media.html
The process is as follows
- Create a TrueCrypt encrypted volume. Use dual encryption with different algorithms; the example uses the Twofish-AES cascade.
- Name the volume file using a non-descript name, and protect the volume using a strong password.
- Repeat steps 1 and 2 two more times, creating volumes of similar or same size as the first one, with similar file names.
- The process in the example creates the files aws.ade, asq.dew and awd.adss
- Mount one of the volumes (the example uses aws.ade volume) and save the sensitive file inside the volume.
- Dismount the volume and burn all three files aws.ade, asq.dew and awd.adss to a CD
- Place the CD inside a tamper-evident envelope with non-repeatable serial number and record the serial number.
- Send the CD by courier. Call the recipient via a cell phone call and dictate the decrypting password and the file name containing the encrypted data.
Labels: encryption, information security, information strategy, privacy, Solution building
Example - SMTP message spoofing
I got reactions from readers regarding my Spear Phishing post, that creating a perfect spoofed e-mail representing the manager is impossible. Although I agree with this opinion, I must stress that the attacker can create a near perfect spoofed message.
Here is how:
All he needs is an open relay mail server - a mail server that will accept and relay e-mail messages regardless of sender and recipient parameters.
Then, he needs to telnet to port 25 of this server (the SMTP port) and send the following set of commands:
helo server
mail from: sender@frauddomain.com
rcpt to: recipient@targetdomain.com
data
This is a customised fraud message
Regards
Fraudster
.
After each command, the server will reply with the appropriate acceptance code. The . on the last row is not an error; it is the message end delimiter.
Using this method, the ONLY thing the attacker will not be able to spoof is the IP address of the SMTP server that relayed the message. Although this information is contained in the message header, very few people are trained to read it, and it is quite difficult to train non-technical personnel to read the header.
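The header reading that few people are trained to do can be automated; here is an added Python example (not the post's own code) that pulls the relay IP and HELO name out of the Received headers and compares them with the relays known to send mail for the claimed From: domain. The two sample messages, the domain and the relay list are constructed for the demo; in practice the relay list would come from the domain's SPF record or its known outbound MTAs.

```python
"""Received-header origin check for spoofed mail (added example)."""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from typing import Optional

# Constructed: relays that are allowed to send mail for each domain.
KNOWN_RELAYS = {"targetdomain.example": {"198.51.100.10"}}
LOOPBACK_PREFIXES = ("127.", "::1")

RECEIVED_RE = re.compile(r"\bfrom\s+(?P<helo>\S+)(?:\s+\((?P<info>[^)]*)\))?", re.I)
IP_RE = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]")


def parse_received(value: str) -> Optional[dict]:
    """Pull the HELO name and the relay IP out of one Received header."""
    value = " ".join(value.split())           # normalize folded whitespace
    match = RECEIVED_RE.search(value)
    if match is None:
        return None
    ip_match = IP_RE.search(match.group("info") or "") or IP_RE.search(value)
    return {"helo": match.group("helo"),
            "ip": ip_match.group(1) if ip_match else None}


def analyze_origin(raw_message: bytes) -> dict:
    """Find the hop where the message entered the mail system and compare it
    with what a message from the claimed From: domain should look like."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    _, address = parseaddr(str(msg.get("From", "")))
    domain = address.rpartition("@")[2].lower()
    hops = [h for h in (parse_received(str(v))
                        for v in msg.get_all("Received", [])) if h]
    hops.reverse()   # each MTA prepends its header, so the last is the first hop
    origin = next((h for h in hops
                   if h["ip"] and not h["ip"].startswith(LOOPBACK_PREFIXES)), None)
    reasons = []
    if origin is None:
        reasons.append("no Received header carries a relay IP")
    else:
        if origin["ip"] not in KNOWN_RELAYS.get(domain, set()):
            reasons.append(f"relay {origin['ip']} is not a known sender for {domain}")
        helo = origin["helo"].lower()
        if not (helo == domain or helo.endswith("." + domain)):
            reasons.append(f"HELO name {origin['helo']!r} does not belong to {domain}")
    return {"from_domain": domain, "origin": origin,
            "suspicious": bool(reasons), "reasons": reasons}


# Constructed sample: the open-relay scenario from the post (HELO 'server'),
# relayed from an address that does not belong to the claimed domain.
SPOOFED = (
    b"Received: from server (unknown [203.0.113.45])\r\n"
    b"\tby mx.targetdomain.example with SMTP id abc123;\r\n"
    b"\tTue, 10 Jun 2008 10:15:02 +0000\r\n"
    b"From: \"The Manager\" <manager@targetdomain.example>\r\n"
    b"To: employee@targetdomain.example\r\n"
    b"Subject: Urgent request\r\n\r\n"
    b"This is a customised fraud message\r\n"
)

# Constructed sample: the same sender relayed by the domain's real MTA.
LEGITIMATE = (
    b"Received: from mx.targetdomain.example (localhost [127.0.0.1])\r\n"
    b"\tby mx.targetdomain.example with ESMTP id abc001;\r\n"
    b"\tTue, 10 Jun 2008 10:20:00 +0000\r\n"
    b"Received: from mail.targetdomain.example"
    b" (mail.targetdomain.example [198.51.100.10])\r\n"
    b"\tby mx.targetdomain.example with ESMTPS id abc000;\r\n"
    b"\tTue, 10 Jun 2008 10:19:59 +0000\r\n"
    b"From: \"The Manager\" <manager@targetdomain.example>\r\n"
    b"To: employee@targetdomain.example\r\n"
    b"Subject: Real request\r\n\r\n"
    b"Please see the attached agenda.\r\n"
)

if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED), ("legitimate", LEGITIMATE)):
        print(label, analyze_origin(sample))
```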
Here is a video clip demonstrating the spoofing process
Labels: How To, information security, penetration testing, privacy
8 Steps to Better Securing Your Job Application
The average resume of any person contains a significant amount of personal data that is submitted in good faith to persons and companies that we rarely know. This is especially true when applying for a position through a recruiting agency. While most agencies have strictly legal business goals, there can be some malicious or alternate motives involved. Therefore, a certain amount of due diligence must be exercised before submitting your resume.
Example Scenario
A subsidiary of Shortinfosec Democorp - Shortinfosec Human Capital publishes the following ad in the papers, on Monster.com and Linkedin.com
Shortinfosec Human Capital is evaluating applications for the position of
The Manager of Information Technology for a reputable Telco company.
The successful applicant must have at least 7 years' experience in Information Technology, specifically in telco IT ops infrastructure with a BSS system on Oracle Databases and IBM Storage Systems, with a minimum of 3 years' experience in a position in which he/she was responsible for team management.
We offer a very competitive compensation package.
Analysis
This is an opportunity that a very large number of applicants will jump at. The ad contains a filtering factor which targets the position to a specific group: a telco company whose billing system database is Oracle and whose storage system is IBM.
Within 2 weeks of the post, Shortinfosec Human Capital has the names, addresses, emails, phone numbers and entire CVs of employees of several companies that have the described infrastructure.
If Shortinfosec Human Capital is on the level, it will select a candidate and destroy all other records.
If Shortinfosec Human Capital is just a front, here are the grim options:
- The ad is a front for identifying employees who are ready to jump ship or move to a competitor. In that case, the company that hired Shortinfosec Human Capital receives a list of its own employees, who may then be subject to unfair treatment. In another scenario, Shortinfosec Human Capital may sell information to several companies about their respective employees who are preparing to leave.
- The ad is a front for a well-planned security attack. With the collected information, the attacker has a list of people who know the infrastructure, hold administrative privileges and are generally trusted by the organization. They can be further targeted for blackmail or resource theft (a laptop with corporate data), or can be named in a social engineering attack.
- The ad is a front for an attack on specific infrastructure: it reveals which companies run a particular infrastructure with known flaws, which can then be targeted with a specific attack.
Recommendations
Before applying for a job, especially one advertised on the Internet, take a couple of hours to investigate the publisher. There is no silver bullet for total protection, but the following steps will help you weed out most malicious ad publishers:
- Analyze the domain name of the publishing agency: is the registered company the same as the name in the ad?
- Check when the domain was registered, and use the Wayback Machine to check that the web site has been consistent with their advertised line of business for at least 2 years. Be very wary of brand new companies, or of companies that have no web site.
- Check that they have a physical address, and that it has been consistent over a longer period (again, via the Wayback Machine).
- Check the job boards to see whether the same company has published other ads before.
- If you were contacted directly, try to find out how they reached you or heard about you.
- Look for a privacy statement on their web site, and even in the ad. Print out these pages and save them; if all else fails, they may be usable in legal action.
- Use LinkedIn connections to get referrals about the publisher's work.
- Be careful of PO Box addresses. If one is given, take extra care to confirm it in the above 6 steps, and also contact the publisher by phone to confirm the PO Box number again.
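Several of the checks above (domain age, registrant versus advertised company, contact domain, PO Box address) can be applied mechanically to the publisher's WHOIS record. The following is an added example, not code from the original post; the WHOIS text, domain and company names are constructed, and the field labels are assumed to follow the common registrar "Name: value" layout.

```python
import re
from datetime import date

# Constructed WHOIS record (not real registry data) for the fictitious agency
# from the scenario above; field names follow the usual registrar layout.
SAMPLE_WHOIS = """Domain Name: SHORTINFOSEC-HC.EXAMPLE
Creation Date: 2024-03-02T14:05:11Z
Registrant Organization: Quick Placements Ltd
Registrant Street: P.O. Box 4411
"""

def whois_field(text, name):
    """First value of a 'Name: value' line in WHOIS output, or None."""
    m = re.search(rf"^{re.escape(name)}:\s*(.+)$", text, re.M)
    return m.group(1).strip() if m else None

def domain_age_years(whois_text, today_iso):
    """Age of the domain in years on the given ISO date, or None if unknown."""
    created = whois_field(whois_text, "Creation Date")
    if not created:
        return None
    y, mo, d = map(int, created[:10].split("-"))
    return (date.fromisoformat(today_iso) - date(y, mo, d)).days / 365.25

def normalise(name):
    """Company names compared without case, punctuation or spacing."""
    return re.sub(r"[^a-z0-9]", "", name.lower())

def vet_publisher(ad_company, ad_email, whois_text, today_iso):
    """Red flags for the agency behind a job ad; an empty list means none raised."""
    flags = []
    age = domain_age_years(whois_text, today_iso)
    if age is None or age < 2:
        flags.append("domain is less than 2 years old or has no creation date")
    org = normalise(whois_field(whois_text, "Registrant Organization") or "")
    company = normalise(ad_company)
    if not org or (company not in org and org not in company):
        flags.append("registrant organisation does not match the company in the ad")
    mail_dom = ad_email.rpartition("@")[2].lower()
    if mail_dom != (whois_field(whois_text, "Domain Name") or "").lower():
        flags.append("contact e-mail domain differs from the registered domain")
    street = whois_field(whois_text, "Registrant Street") or ""
    if re.search(r"\bp\.?\s*o\.?\s*box\b", street, re.I):
        flags.append("registered address is a PO Box; confirm it by phone")
    return flags
```

The remaining steps (job-board history, how they found you, the privacy statement and LinkedIn referrals) still need a human judgement and are not automated here.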