Monday, January 30, 2006

IM Creepies

About twice a week for the last month, I've been getting aimless "hello?"'s from an AOL IM user named daringandbold4u. Never heard of him, no idea who it is, so naturally, I presume it's an IM Worm that's pinging its hitlist before sending its payload. Turns out, it's just a creepy guy. Below is the log for the curious and/or law-enforcement types Googling his name in the event that he really is a pedophile.

Session Start (todbxxxx:daringandbold4u): Mon Jan 30 14:43:04 2006
[14:43] daringandbold4u: hey there
[14:43] daringandbold4u: asl?
[14:43] todbxxxx: hi
[14:43] daringandbold4u: aha
[14:43] daringandbold4u: you are alive.....
[14:43] todbxxxx: yes
[14:43] daringandbold4u: last time i saw you were on you wouldnct respond
[14:43] daringandbold4u: *wouldnt
[14:43] daringandbold4u: asl?
[14:44] todbxxxx: i dunno what asl means
[14:44] daringandbold4u: age?
[14:44] daringandbold4u: sex?
[14:44] daringandbold4u: Location?
[14:44] todbxxxx: um, if you don't know that, why are you talking to me
[14:44] daringandbold4u: i dont know i like to make friends
[14:44] daringandbold4u: you wanna know my asl?
[14:45] todbxxxx: by randomly IMing people?
[14:45] daringandbold4u: yea
[14:45] daringandbold4u: you dont?
[14:45] todbxxxx: that's pretty weird
[14:45] daringandbold4u: im a weird person
[14:45] todbxxxx: obviously
[14:45] daringandbold4u: lol
[14:45] daringandbold4u: so you dont want to talk?
[14:45] todbxxxx: not really
[14:45] daringandbold4u: ill leave you alone now
[14:45] daringandbold4u: bye
[14:46] todbxxxx: i was kind of hoping you were a worm
[14:46] daringandbold4u: why?"
[14:46] todbxxxx: because i'm a security researcher.
[14:46] todbxxxx: and i thought it was weird a ame would pop up on my IM at strange times of day
[14:46] daringandbold4u: oh
[14:46] daringandbold4u: what do you research?
[14:46] daringandbold4u: the internet?
[14:46] daringandbold4u: im confused
[14:47] todbxxxx: internet crime and fraud, mainly
[14:47] daringandbold4u: thats cool
[14:47] todbxxxx: i don't cover pedophiles, so don't worry.
[14:47] daringandbold4u: i want to be a forensic pathologist
[14:47] todbxxxx: that's adorable.
[14:47] daringandbold4u: so i want to work in thce crime field
[14:47] daringandbold4u: cool?
[14:47] daringandbold4u: whats adorable?
[14:48] todbxxxx: that you want to be just like on CSI
[14:48] daringandbold4u: yea
[14:48] todbxxxx: it's darling
[14:48] daringandbold4u: my dream career
[14:48] daringandbold4u: so...asl?
[14:48] daringandbold4u: :-D
[14:48] todbxxxx: 12/m/chicago
[14:48] daringandbold4u: 12?
[14:48] todbxxxx: yep
[14:49] daringandbold4u: yer kidding
[14:49] todbxxxx: nope. i'm a prodigy.
[14:49] daringandbold4u: im 17
[14:49] todbxxxx: that's great
[14:49] daringandbold4u: you dont sound like a 12 ycear old
[14:49] daringandbold4u: at all....
[14:50] todbxxxx: yeah i get that alot
[14:50] daringandbold4u: thats weird
[14:50] daringandbold4u: your not bullshitting?
[14:50] todbxxxx: negative
[14:50] daringandbold4u: holy shit
[14:50] daringandbold4u: wow!
[14:50] daringandbold4u: ttyl
[14:50] daringandbold4u: i gucess
[14:50] daringandbold4u: *guess
[14:50] todbxxxx: fab
[14:50] daringandbold4u: i gotta go for now
[14:50] *** "daringandbold4u" signed off at Mon Jan 30 14:50:53 2006.
Session Close (daringandbold4u): Mon Jan 30 14:50:56 2006

So there's my Turing test. He passed. The conversation ends with him getting blocked.

Thursday, January 26, 2006

That's what I call targeted advertising

Occasionally, maybe once a week, my wife forwards me a story about something involving computer security. She likes to keep up with the issues, mostly because I talk about this stuff a lot.

Today, she sent me The Growing Threat of Cybercrime hosted at Capitol Hill Blue (click that link if you love popup ads!). The story is mostly about the fact that your more significant Internet crime is quiet and secretive.

The criminals use programs that insert themselves into people's computers, then search for sensitive financial data or do other tasks like recording keystrokes as computer users log on to their personal accounts.

What's being talked about here is spyware, and the article seems pretty much standard fare, with the message, "Don't install stuff."

The funny part of the story, though, is that the banner ads on the right side of the article are, themselves, advertising for spyware. I count at least two being offered. I don't know their real names (I'm too lazy to look them up at Sunbelt), but they're the "Get All the Smiley Faces You'll Ever Want" one and the "Warning Your Computer is Already Infected" one.

Oh, and there's a popup generator in there I can't figure out -- I use Firefox's standard popup blocker and FlashBlock (which is awesome), yet I still manage to get it. I think there's a window.onFocus() event handler in there somewhere.

Thursday, January 19, 2006

IM Worms

I've been reading up on IM Worms, and came across a really good, concise primer on the subject: On Instant Messaging Worms, Analysis and Countermeasures by Mannan and van Oorschot. There's of course plenty of material on Wormblog, but this is probably the best written I've seen yet.

I got interested in the topic after seeing some PR from a company called IMLogic. They talk about IM worms pretty much exclusively and are full of doom and gloom -- yet I'm on about fifty zillion IM networks and I've only seen (maybe) three instances, and I have plenty of contacts, both security-wise and not-so-much. So, I was curious why I (and my customer sites) weren't seeing more.

Today, it seems like there's a ton of potential for the vector -- especially the OSCAR networks. But, I guess e-mail is still doing the job for the worm writer's ultimate goals.

Plus, I really don't see many people falling for IM phishing quite yet -- people don't tend to communicate with their banks over IM, so the transaction would feel inherently strange to the victim.

But, it sure does seem like a great way to install keystroke loggers in a jiffy, until the IM networks get some intelligence built in to halt this sort of thing.

Tuesday, January 10, 2006

College is for Chumps

Skimming over the SANS Salary Survey, it turns out that for 2005, a Bachelor's Degree ever-so-slightly depresses one's salary in the IT security field; statistically, degrees have no impact on salary.

This is pretty interesting, if completely expected. Over the last year, I went through roughly three interview cycles here at TippingPoint, and from that experience, I can say that having a degree didn't make a lick of difference when applying for entry/middle-position engineering work. Maybe it did for the HR screeners, but actually knowing what's going on in today's Internet security strata is far more useful to day-to-day performance than coursework and labs.

Also expected is the finding that IT certifications have a huge impact on starting salary. Somewhat frustrating is the continued dominance of the CISSP.