Defending Our Privacy—A True Story 

 


By Claudio Cilli, Ph.D., CISA, CRISC, CISM, CGEIT, CIA, CISSLP, CSSP, HCISPP, M.Inst.ISP

The Nexus  |  9 January 2017


George speaks aloud on a mobile phone on the train from Turin to Rome, Italy. He states his name, and his initials are also on his luggage tag. He speaks of money, houses, restructuring. He seems to be handling a lot of money with aplomb. Very likely, it is not his own money.

He calls his mother to greet her and it seems that he is asking for money. An observer surmises he is obviously an ambitious young man, but perhaps also a rascal? He talks to friends and to his mother of pending contracts that would put a considerable amount of money at his disposal and advises his mother that, in the meantime, she should wait with anticipation.

The observer assumes that he deals with finances; more precisely, in speculative investments—perhaps for wealthy investors who want to leverage their assets or something related to money laundering. It makes one think of the Italian Parioli Madoff: a man who tried to emulate the “original” Bernie Madoff and is now spending the rest of his life in jail. It is an automatic comparison.



He states in his phone call that he is going to Milan, his home city. The observer now has enough information to begin intelligence work via the Internet. For added security, the observer waits until George gets off the train.

One can find almost anything on the Internet; it takes only a little searching. And everything that is on the Internet remains there forever without any chance of eradication.

The observer continues his investigation. The research is not simple. There are many people named George on LinkedIn, but no one seems to be this man. If what the observer suspects is true, he is not listed on professional networks as an individual, but perhaps his company is listed. The observer needs to find the name of George’s company.

Facebook is another viable option, as many people are very evident on Facebook. George appears to be young and single; he likely wants an easy way to connect with friends and family. However, there are many Georges on Facebook. So the observer refines the search to “George, Milan.”

There are many, but, surprisingly, there is also a “George Scam.” He is not a real user. Perhaps, though, this is someone who knows George or has had something to do with him (and lost money) and is trying to exact revenge. However, the profile says that George Scam is from Turin and he lives in Milan (which fits the details the observer has). In fact, George boarded the train in Turin; perhaps he went to his mother to grab some money, and travelled to Milan, where he left the train.

Continuing to look for George with the available evidence (the George Scam allowed the observer to trace the correct profile of this man on Facebook), the observer stumbles onto h2biz, which says:

  • Makemoney Inc.
  • Brand: (Moneymaker Inc.) MMI
  • Sector: Credit and finance
  • City: Prague (Czech Republic)
  • Manager name: George Xxxx
  • Website: www.makemoneyinc.com

Bingo! The enterprise exists. This information was confirmed by searching various Czech Republic websites, and analyzing the company website reveals the following:

  • George Xxxxx
  • (…) (TO), Via (…)
  • Italska republika
  • Vklad: 200 000,- Kč
  • Splaceno: 100%
  • Obchodni podil: 100%

Now, the observer also knows where George lives.

The capital stock of the company in Prague is 200,000 Czech crowns, corresponding to a little more than 7,000 Euro.

The enterprise’s registered office corresponds to a business center in a fairly central location in Prague. The websites http://rejstrik.penize.cz/adresa-firmy/praha-1-nove-mesto-revolucni-10828-psc-110-00 and http://regiony.kurzy.cz/praha/revolucni/1082-8/ show that there is a large list of organizations that have their registered office in Prague.

The observer now has a great deal of information, but it remains to be seen if George is hiding something. The observer studies the website a little more. Whois indicates the website is Italian, and registered in Aruba. The Internet Service Provider (ISP) indicates its headquarters is in Tuscany, and the website has been created from a standard WordPress template (the owner is US Tucows Domains Inc.). The email of the legal representative is m.xxx@yyyconsult.com.

The site www.yyyconsult.com is registered, but does not exist. Continuing the search on Whois, the observer discovers that the owner used contactprivacy, a service that allows domain owners to hide their identity in Whois records. The home page states:

Welcome to contactprivacy.com. Use this site to contact the owner of a domain name protected by the WHOIS Privacy Service. This service protects the privacy of domain name holders in the WHOIS system. Please note that domain name owners are not obligated to respond to requests. Enter the domain you would like to contact the owner of. Please do not enter 'www' in your query: ___________________.1

The observer’s further discoveries include:

  • A closer look at the WordPress site (It takes 10 minutes to create a site of this type.)
  • Descriptions of the various services offered, which are generic and do not describe what exactly Makemoney Inc. does
  • Other locations based in other countries, without addresses
  • No individuals listed as employees (e.g., managers, directors, executives, shareholders)
  • Only two methods of contact: a letter to the Czech Republic and the email address: info@makemoneyinc.com

One thing is certain: It is not through the website that Makemoney Inc. seeks its customers. The observer now knows enough. The observer could try to discover the other locations and check if they really exist, but the train has arrived in Rome and he must get off. The observer hopes that his assumptions are incorrect and that Makemoney Inc. is a legitimate company.

Privacy is threatened every day, not only when users are online, but in real life. Everything a person does can be used to gather private information about him/her, and the wide usage of mobile phones makes the situation even worse.

Organizations can help fight privacy invaders by teaching their employees how to protect themselves when talking about their job and when online, but the first line of defense remains the individual. Individuals must always consider that everything they say is heard by others, and perhaps those “others” are not all friendly. The Internet accelerates information retrieval and correlation. The best advice is to keep silent and follow these rules for self-protection:

  • Use a virtual private network (VPN), which passes Internet traffic through different servers around the world.
  • Alternatively—or together with a VPN—use Tor. Tor encrypts and bounces Internet traffic through different servers, making it difficult, but not impossible, to track.
  • Use an encrypted message application. Although the content of a person’s chats in Facebook Messenger or WhatsApp can be accessed only by hacking that person’s phone, it might be advisable to start using a more secure messaging app to ensure that what is stored on the various servers is not accessible.
  • Think about why it is desirable to stay private. It is important that people think about what data they have, what data they want to protect, how likely it is that that data could get into the wrong hands and how serious that would be if it happened.
  • Protect passwords. Change them often and do not use the same password for all accounts.
  • And stop playing with global positioning systems (GPS) and other devices that let the entire world know where you are and with whom.

Claudio Cilli, Ph.D., CISA, CRISC, CISM, CGEIT, CIA, CISSLP, CSSP, HCISPP, M.Inst.ISP, is a university professor, researcher and professional information security consultant. His areas of expertise include computer science, software compliance, lexical and semantic analysis, and information systems analysis and development. He is a member of a number of scientific and advisory boards and teaches post-graduate courses in computer security and IT governance. Cilli is also a consultant at the Office of Internal Oversight Services at the United Nations. He is president of the ISACA Rome (Italy) Chapter and has authored and published several specialized books and magazine articles. He is a frequent speaker at many international conferences and seminars.

Endnotes

1 Contactprivacy.com home page

 


 
