SmartPhone Robocalls – A Tangled Web (CYBR650, Week 3)

In Krebs on Security, Brian Krebs covered an interesting case of a robocall that a reader decided to investigate further.  Most of us have received robocalls on our home phones, and now on our smartphones.  It even seems that the frequency of these calls has been increasing.

Many of these calls actually sound like a real person looking for someone, but the caller is really a clever AVR, or automated voice response system.  When I receive a robocall, I typically assume that there is just that one entity or company involved in annoying me in an attempt to sell some dubious service.

As Krebs on Security reports, behind that singular call might be a tangled web of connected organizations.  This reader who received the call had become increasingly irritated at getting these calls and decided to stay on the line to play along.

The reader ended up being connected to a representative at creditfix.com.  Later, the reader tried calling back the phone number that had called him and found it disconnected, “suggesting it had been spoofed to make it look like it was coming from his local area” (Krebs, 2017).

He then looked up the domain creditfix.com and found it registered to someone named Michael LaSalla with a mail drop in Las Vegas.  The IP address used by creditfix.com is registered to a company called System Admin, LLC in Florida, which lists LaSalla as a manager.  A search for the company’s physical address turned up a filing with the FCC that showed the CEO of System Admin, LLC to be an entrepreneur associated with founding voip.com, an internet telephone service.

When creditfix.com was reached by email, its compliance department said that creditfix.com was likely scammed by a lead generation company called Little Brook Media, a “marketing firm in New York City.”  Krebs reports that multiple attempts to contact Little Brook Media were unsuccessful.

As this tangled web points out, the company placing the robocall might not be the company one gets connected to.

Reference:

Krebs, B. (2017, June 25). Krebs on Security. Retrieved June 25, 2017, from https://krebsonsecurity.com/2017/06/got-robocalled-dont-get-mad-get-busy/

Credible Sources of Information on Cybersecurity (CYBR650, Week 2)

There is a lot of information available these days on information security (which is often called cybersecurity), threats, vulnerabilities, data breaches, and cybersecurity news in general.  Where does one go, and importantly, how do people know if they are getting good, trustworthy information?

I often use the CARS Checklist for Evaluating Sources (Bellevue University, n.d.):

  • Credibility: trustworthy source, author’s credentials, evidence of quality control, known or respected authority, organizational support. Goal: an authoritative source, a source that supplies some good evidence that allows you to trust it.

  • Accuracy: up to date, factual, detailed, exact, comprehensive, audience and purpose reflect intentions of completeness and accuracy. Goal: a source that is correct today (not yesterday), a source that gives the whole truth.

  • Reasonableness: fair, balanced, objective, reasoned, no conflict of interest, absence of fallacies or slanted tone. Goal: a source that engages the subject thoughtfully and reasonably, concerned with the truth.

  • Support: listed sources, contact information, available corroboration, claims supported, documentation supplied. Goal: a source that provides convincing evidence for the claims made, a source you can triangulate (find at least two other sources that support it).

Below, I list some sites that I check regularly and find useful for cybersecurity information.  This is not a comprehensive list by far, but this would give most people a good starting place.

The Security Bloggers Network:  http://securitybloggersnetwork.com/

Krebs on Security.  Brian Krebs’ excellent security news and investigative site.  Well-written blog on current cybersecurity events:  https://krebsonsecurity.com/

Blogs at the SANS Institute.  The SANS Institute hosts various blogs on different cybersecurity topics.  Some very good work here:  https://www.sans.org/security-resources/blogs

Security Magazine:  http://www.securitymagazine.com/topics/2236-cyber-security-news

US-CERT.  The United States Computer Emergency Readiness Team:  https://www.us-cert.gov/

References:

CARS Checklist (n.d.).  CIS 629, Managing Emerging Technologies, Bellevue University.

Harris, R. (2015, January). Evaluating Internet Research Sources. Retrieved June 18, 2017, from http://www.virtualsalt.com/evalu8it.htm

C.A.R.S. Checklist (n.d.).  CLRC Writing Center. Santa Barbara City College.  Retrieved from https://www.sbcc.edu/…/CARS%20Checklist%20for%20Evaluating%20Sources.pdf