Phishing Alert – Secret Army Gold

Two phun phishing emails in two days. Both from the same domain, nac.net, which you might want to add to your block list. Yesterday it was a fake FBI email, today it’s the Army.

This is another that falls into the ridiculous category, and maybe the get-rich-quick category as well. How come this army general decided to include me in his $26,000,000.00 windfall of “secret army gold”? (Sound like Three Kings anyone?) And if he really trusts me, why doesn’t he know my name? That alone should be enough reason to ignore such emails automatically.

[Screenshot of the email: phishing-army]

In review, here’s a few of the things that are wrong with this email:

  • The “From:” email address is clearly not from any valid domain, either military or a normal social channel. In fact, it’s known for phishing scams.
  • Addressed to “Friend” – he trusts me with millions, but doesn’t know my name
  • Random people don’t send you email offering you millions of dollars – not happening
  • Official email address at the bottom doesn’t match the from address. Everything on the left side of the @ sign is the same, but the domain is nac.net at the top, and outlook.com at the bottom. Normal people don’t usually send email like that, with obvious reasonable exceptions.
  • Why is the story a plot from a 90s movie?

FYI nac.net has been registered through Godaddy.com since 1995 to a US company called “Net Access Corporation”, so I’m wondering whether they are purveyors of scams or just a crappy email provider. The registrant is in New Jersey, the server is in Colorado, and the domain name redirects to cologix, so who knows.

Stay on the alert – best not to click anything in emails from unknown senders, and anyone who really has millions of dollars for you will figure out how to reach you. That kind of money makes it easy to find out.


Phishing Alert – FBI Offering Millions

Just a quick reminder to keep yourself safe in your email. Some of the phishing scams are incredibly good – they imitate the actual emails that a bank or company will send with the same icons and layout. It’s usually the email address and URL they’re trying to redirect you to that gives it away.

Remember, don’t just check URLs in your email before clicking them. Don’t click them at all; instead, if you’re concerned, go to the site by typing in its name, like mybank.com, rather than clicking a link. That way you’ll be safe even from the really good fakes.

Also watch out for scams that are just too ridiculous. They come in email, text messages, and voice mails. I constantly get warnings from the “IRS” that marshals are on the way. How do people think that’s accurate? I mean you can hate the IRS but that’s still not how they operate. And why do you think they’d come after you? I guess if you haven’t actually paid your taxes maybe it’s easier to get fooled by this. I had fun the other day when I was bored and answered one of these calls. Then I told the person I was onto their scam, and calling the police, and marshals were indeed on the way, but to them, not me. They hung up quickly. A waste of my time, I know, but I enjoyed it anyway.

Finally, watch out for the get-rich-quick scams – there is no simple investment that the industry is trying to hide from you and that will make you a fortune. Add to this the foreign money laundering schemes, Nigerian prince emails, rich dead uncles, and the like. Let me make it simple – there is no one out there who’s just waiting to hand you millions of dollars, or even thousands, or even hundreds. Delete the email/text/voicemail and just move on.

For your entertainment, here’s an email I got today, purportedly from the director of the FBI, who somehow knows my email address but not my name. He’s reminding me that I have $10 million due to me and he’s thoroughly checked it out and for sure it’s legit! Note the ridiculous email address they refer to, and it came from andrewmcjr.fbioffice2017@nac.net because somehow the director didn’t get an official work email address. Poor guy – guess they’re really struggling these days.

[Screenshot of the email: phishing-fbi-citibank-2017-10]

As an exercise, here’s a few of the things that are wrong with this email:

  • The “From:” email address is clearly not the FBI
  • Addressed to “dear beneficiary” – they don’t know my name
  • The director of the FBI isn’t sending me any email – not happening
  • The supposed Citibank email address – again not a Citibank email domain
  • The supposed FBI address at the bottom – still not the official FBI.gov domain, and different from the sender email, even though the email warns me explicitly not to trust such things
  • Why do I think this is my money?
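Several of the red flags in both lists above (the “official” address in the body using a different domain from the “From:” address, a generic greeting instead of a name, a huge unsolicited sum) can be checked mechanically. The following is an added example, not code from the original post: a small triage script built on Python’s standard `email` module. The sample message, the sender name and the addresses in it are constructed for illustration; only the two domains, nac.net and outlook.com, are taken from the post.

```python
"""Heuristic red-flag triage for a suspicious email (added example).

The SAMPLE message below is constructed: the names and local parts are
made up, and the domains nac.net / outlook.com come from the blog post.
"""
import re
from email import message_from_string
from email.utils import parseaddr

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# Matches "$26,000,000.00" style amounts; group 1 is the digits.
MONEY_RE = re.compile(r"\$\s?(\d{1,3}(?:,\d{3})+|\d+)(?:\.\d{2})?")
GENERIC_GREETINGS = {"friend", "dear friend", "dear beneficiary",
                     "dear sir/madam", "dear customer", "hello"}

# Constructed sample: same local part, different domain in the body,
# generic greeting, and a multi-million dollar "windfall".
SAMPLE = """\
From: "General J. Doe" <general.doe@nac.net>
To: undisclosed-recipients:;
Subject: Secret army gold - urgent

Friend,

I have decided to trust you with my share of $26,000,000.00 recovered
during the war. Reply to my official address general.doe@outlook.com
so we can proceed.
"""


def analyse(raw):
    """Return a list of (flag, detail) tuples found in raw RFC 822 text."""
    msg = message_from_string(raw)
    body = msg.get_payload() if not msg.is_multipart() else ""
    flags = []

    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    from_local, _, from_domain = from_addr.rpartition("@")

    # 1. Addresses in the body whose domain differs from the From domain.
    #    The same local part on a different domain is the post's exact case.
    for found in sorted(set(EMAIL_RE.findall(body))):
        local, _, dom = found.lower().rpartition("@")
        if dom == from_domain:
            continue
        if local == from_local:
            flags.append(("domain-mismatch-same-local", found))
        else:
            flags.append(("domain-mismatch", found))

    # 2. Generic greeting on the first non-blank line instead of a name.
    first_line = next((ln.strip() for ln in body.splitlines() if ln.strip()), "")
    if first_line.rstrip(",:!").lower() in GENERIC_GREETINGS:
        flags.append(("generic-greeting", first_line))

    # 3. Large unsolicited sums of money.
    for m in MONEY_RE.finditer(body):
        amount = float(m.group(1).replace(",", ""))
        if amount >= 1_000_000:
            flags.append(("windfall", m.group(0)))

    return flags


def is_suspicious(raw, threshold=2):
    """Require more than one signal, since a lone domain mismatch has
    legitimate exceptions (people do forward to a personal address)."""
    return len(analyse(raw)) >= threshold


if __name__ == "__main__":
    for flag, detail in analyse(SAMPLE):
        print(f"{flag}: {detail}")
    print("suspicious:", is_suspicious(SAMPLE))
```

The threshold exists because of the exception the post itself notes: one signal alone (a personal reply address, say) is not damning, but a generic greeting plus a cross-domain “official” address plus a windfall amount is the full pattern.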

Stay safe out there – phishing schemes and identity theft are rampant. By the way, if you need to report a scam to the FBI here’s the FBI E-scams and safety page.


Software Terms Without Definitions

I’m often bemused by words in the software industry aka computer science. It’s generally OK when industries just make up new words for something new, but in software we re-use words that have (or at least had) a real definition, and then use them completely differently. Or worse still, twist the definition just enough to make it not obvious that the meaning has changed. Sometimes even the words had a good software meaning, but it’s been killed over time – like artificial intelligence or AI.

With that in mind, and without a lot of blather, I just wanted to vent and list a bunch of them here. I’m not going to define them properly, because how could I? If I’ve missed your favorite, let me know in the comments, twitter, etc. If you disagree let me know and we can argue. 😉

The list is alphabetical, because I’m a human and think that way. If I was ordering it by capability to annoy, it’d be AI, Software engineer, and everything else beneath. Enjoy!

Agile – you’d think this had a good definition but ask around and see what happens.

API – used to have a good meaning but no longer. h/t to @keith_wilson.

Artificial Intelligence or “AI” – this term has lost all meaning. I have come to agree with Musk and others that real AI will be real dangerous, but nothing we currently call AI is “artificial intelligence” in that sense. I’ve seen a working definition that it means a computer doing something that would normally require human intelligence. I can agree with that, but if the software is essentially doing a big data lookup to get an answer, that wasn’t intelligence, it was data processing.

Computer science – You could argue this one is real as long as you apply it to hardware, but software? Forget about it. Software development hasn’t progressed to the science state yet. Blogs and rants on this are in the queue.

Cybersecurity – is it antivirus? firewall? software? coding?

DevOps – I thought this had a definition, but many, like my friend Theresa, disagree, so it must not.

Engine – this one is now just a noise word used to give something a fancier sounding name.

False positive – developers throw this word around in a way that usually means one of the following: 1) the tool output was actually wrong; 2) I don’t like this finding or don’t think it’s important; 3) I don’t understand this finding or why it’s important (usually a type of #2). It REALLY only means the first one, but the most common definition includes all of the above.

Framework – should be a great word. Was a great word. Now a marketing word.

Memory leak – you think this has a definition, but try to look it up. In my world we think of it as memory you can no longer access or control, including freeing it. Others think it means memory you never freed. (Note – they’re wrong.)

Mock – seems simple enough, but it’s surprisingly broad. Some even think it includes service virtualization.

Platform – again a term that had a meaning once upon a time, now it just means “some package of software we sell”.

Shift left – in short it kind of means “have developers start testing”. But depending on whom you ask, you might be surprised at the answer you get if you ask someone what this means specifically. Like “where IS left” and “what are you shifting”?

Service virtualization – this is a fair call. The original meaning of the term has been overloaded and extended and the “new” meaning has become more common in the software testing world, while the “old” meaning still holds true for hardware, deployment, and networking people.

Software engineering – please, this is one of the worst. Most people who call themselves software engineers don’t even begin to behave like engineers. If they are, what particular standards were they taught that all others with the same title were also taught? I thought so.

Standards – You think this one has a meaning, don’t you? In “engineering” standards means something. If you’re an engineer, you already know what I’m saying. If you don’t get this, you’re not an engineer.

How did this happen? Is marketing to blame? Or is it just that there is no “software science” even if there is “computer science”?

Again, if you have a favorite let me know and I’ll add it to the list. If you disagree I’m always up for a good twitter argument. If we get enough I might add it as a new Hall-of-shame permanent list. I feel like I’ll come up with a bunch more myself as soon as I hit publish.

[Update – suggestions coming in already. I’m putting them in proper alphabetical place, but will reference the source.]

[Update 2017-09-19 – added “memory leak”. Should have realized that was needed, it’s an obvious one. Also “false positive”.]

[Update 2017-12-11 – added “shift left” because last week I was meeting with some people and discovered we didn’t have the same definition at all. Essentially their “shift left” was entirely to the left of my left. Also expanded a few other non-definitions that were already here.]

Hardening Your Software Webinar

I’ve long been an advocate for turning software development into software engineering. By this I mean that we need to start following known best practices and using the tools and processes that have been proven to help produce better code. It’s amazing how software developers often ignore standard things that everyone knows makes for better code.

As an effort to promote understanding I’m doing a two-part webinar series with Parasoft on this topic this Thursday the 22nd and next Thursday the 29th. Come join us and learn how getting back to the basics is a great way to harden your software and improve security, safety, and reliability.

Overview

The best way to fundamentally improve software is simply to get back to software engineering fundamentals. But reaping benefits from these fundamentals (such as static code analysis, runtime analysis, and unit testing) requires using these practices effectively, and ineffective practices persist at organizations around the world: unit test suites that are noisy are often ignored and hide real issues that will happen after deployment; static analysis that focuses on simple bug-finding instead of real defect-prevention represents a real missed opportunity and forces us to react to software issues rather than take a proactive stance.

In this two-part webinar series, we’ll go into detail on how to reap maximum benefits from fundamental software development practices, showing you how to use them effectively by leveraging Parasoft’s automated testing tools.

In the first session, we’ll concentrate on process, setup, and configuration, to provide you with actionable takeaways around:

  • How to harden your code with static code analysis to increase safety and prevent cyber attacks, including which coding standards are the best place to start
  • How to add runtime error detection to your testing process to find bugs early and avoid reliability issues in the field
  • How unit test automation reduces your effort of creating and maintaining test suites

In the second session, we’ll show you how to integrate automated testing tools into your existing software development process. You will learn how these tools can run as part of continuous integration, inside your favorite development environment. We’ll focus on:

  • How to create tests more quickly for C, C++, Java, and .NET by building on ready-made frameworks
  • How to win at continuous testing by leveraging automation and analysis
  • How to streamline compliance efforts that are normally tedious, with efficiency provided by static code analysis and unit testing

Join us June 22nd and June 29th to see for yourself how easy the fundamentals can be, and how they can help you perfect your software.
