Tuesday, February 23, 2016

The time Thousand Foot Krutch taught me a cyber lesson

The end is where we begin
I'm a monster if that means I'm misunderstood
Cuz it's alive and I can't hide it
The energy is rising
and I'm a traitor if that means I've turned on myself

"The End is Where We Begin," by Thousand Foot Krutch

It's not often that I find a security lesson by way of a rock band. In this case, the lesson was that events don't occur in a vacuum. If we overlook context, we tend to begin at the end, with preconceived assumptions and a misunderstanding of what really happened.

I use several security controls around my home, with varying settings depending on the age and the maturity of the user. For my older children, one of the controls is a proxy that warns (but does not block) when they browse to potentially risky sites. I figure by age 16 they are capable of making an informed decision, but the proxy interrupts "impulse clicks" (and serves as a reminder that Dad Still Knows).

Most of the proxy warnings are ad networks (which tends to eliminate popover and popunder malvertising), but occasionally something more interesting comes up. Something such as multiple click-throughs one evening to something.ru - a Russian website.

Just because a domain is hosted in Russia does not make it malicious. In fact, a not insignificant number of my readers are in Russia and its neighboring countries. Still, as Brian Krebs' recent book Spam Nation documents, there is an active criminal element operating out of that part of the world. I don't normally expect my children to be browsing Russian domains, so it piqued my curiosity.

Whether you are a father or a business owner, context plays an important role in cyber security. If your business comes entirely from North America, Great Britain, or Australia, traffic to or from Russia, China, or Brazil should at least catch your attention. It may even be appropriate to block it entirely (while still recognizing that with TOR or a VPN, someone may well appear to be somewhere they are not). Why leave yourself open to an attack from a part of the world you never do business with?

Conversely, if your business primarily centers on Asia, then Internet traffic to and from the Americas might be suspect, and might be worth blocking. The lesson isn't that ".ru" is evil and ".com" is good - it's just as likely that ".ru" could be a legitimate domain while ".com" is malicious. The lesson is to understand the context.
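One way to put that lesson into practice, as an added example that is not code from the original post: a small Python review of constructed proxy log lines that flags hosts whose country-code TLD falls outside the region you expect, warns rather than blocks by default, and lets you record the context once you understand it. The log format, the ccTLD table and the domains are assumptions made for the example.

```python
import re
from collections import namedtuple

# Constructed proxy log lines for the example (not real traffic): timestamp, user, action, URL.
SAMPLE_LOG = """\
2016-02-22T19:02:11 user=teen action=ALLOW url=https://www.example.com/news
2016-02-22T19:05:40 user=teen action=ALLOW url=http://forum.something.ru/thread/123
2016-02-22T19:06:02 user=teen action=ALLOW url=http://forum.something.ru/thread/124
2016-02-22T19:09:17 user=teen action=ALLOW url=https://shop.example.co.uk/cart
2016-02-22T19:11:50 user=teen action=ALLOW url=https://cdn.adnetwork.example.net/ad.js
"""

# Hypothetical ccTLD -> country table. A ccTLD is only a rough hint of where a site
# is hosted; a production control would use a GeoIP lookup on the resolved address.
CCTLD_COUNTRY = {"ru": "RU", "ua": "UA", "by": "BY", "uk": "GB", "cn": "CN",
                 "br": "BR", "us": "US", "ca": "CA", "au": "AU"}

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) url=(?P<url>\S+)$")

Finding = namedtuple("Finding", "ts user host country verdict")

def host_of(url):
    """Return the lower-cased host part of a URL, or None if it has no scheme."""
    m = re.match(r"^[a-z]+://([^/:]+)", url)
    return m.group(1).lower() if m else None

def country_of(host):
    """Map the host's last label to a country; None for generic TLDs such as .com."""
    return CCTLD_COUNTRY.get(host.rsplit(".", 1)[-1])

def review(log_text, expected_countries, known_context, mode="warn"):
    """Flag hosts whose ccTLD lies outside expected_countries.
    known_context maps host -> reason (e.g. the band forum once the visit is explained),
    so an understood event is recorded as allowed instead of re-raised every time.
    mode is 'warn' (interrupt but allow, as for an older child) or 'block'."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        host = host_of(m["url"]) if m else None
        if host is None:
            continue
        country = country_of(host)
        if country is None or country in expected_countries:
            continue  # generic TLD or expected geography: nothing to raise
        verdict = "allow:" + known_context[host] if host in known_context else mode
        findings.append(Finding(m["ts"], m["user"], host, country, verdict))
    return findings

if __name__ == "__main__":
    for f in review(SAMPLE_LOG, {"US", "CA", "GB", "AU"}, {}):
        print(f)
```

Swapping the expected set for Asian country codes flags the .co.uk host as well, which is the mirror-image case described above.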

That is what I discovered when I asked my son about this unexpected event. It turns out that one of his favorite rock bands, Thousand Foot Krutch, is about to embark on a concert tour covering Russia, Ukraine, and Belarus; my son was (with the help of Google Translate) reading a Russian forum dedicated to the band. With this context, a visit to a Russian web site was entirely understandable.

Ah, if only the story ended there. He was perusing the forum, yes ... but the reason was a rumor that the band had released their new single to the Russian market first, two weeks before it would begin radio play elsewhere. I can't say whether or not that was in fact the case; either way, it opened the door to another conversation about the forms of bait criminals will use to lure in a victim. Oh well - that's what parenting is all about.

Do you have something to add? A question you'd like answered? Think I'm out of my mind? Join the conversation below, reach out by email at david (at) securityforrealpeople.com, or hit me up on Twitter at @dnlongen