Volunteering to help other people comes naturally to me. At a point, I had been researching Volunteerism and came upon this quote: I am only one, but still I am one. I cannot do everything, but still I can do something. And because I cannot do everything, I will not refuse to do something that I can do. Edward Everett Hale, Ten Times One is Ten (1870) The funny (ironically speaking) part of it was that it was a 13-year old boy, Trevor Ferrell of Philadelphia, Pennsylvania that repeated that quote to President Regan as he received a Presidential certificate for Volunteerism. He started out by taking blankets to the homeless on a cold winter’s day and that spark grew into Trevor’s Place. The point is that anyone can make a difference in the life of others and when you volunteer for something, it is better if it is for something you are interested in. This is even true when you apply that interest to learning or work.
Back in 2006 when the PIRT initiative was announced, I knew that it was something that I wanted to contribute my time to. The first reason was that it was in my opinion a great idea: to send out take-down notices for phishing and keep a public repository of the reports. Private citizens could submit email that is only normally deleted, erasing valuable evidence of a crime. Secondly, it was the military MyPay phishes that hit home for me. To target these Soldiers who give up so many things just to serve our country is like a slap in the face. Last but not least, I had the desire and willingness to learn. What I learned from the experience is that even the little guy (a figure of speech - small business owner, forums, personal websites, etc.) needs help from time to time and no one reached out to them in this aspect for free (at that time).
This PC World article highlights Gary Warner’s career up to 2007. It also backs up my claim that even one private citizen can make a difference.
Digital Vigilantes: The White Knight of Phish-Busting
PC World, 24 Dec 2007
Warner is now focusing on fighting cyber-crime full-time and on training a new generation of network forensics investigators. "You wouldn't believe the looks on their eyes the first time they got an email back from a Webmaster saying, 'Thanks for letting me know. I just shut that down.'"
When he spoke with IDG News, it was five days after final exams at the University of Alabama at Birmingham and though it would have no effect on their marks, four students were still coming into the labs to help shut down phishers.
"That idea that as a private citizen, you can help, that's the kind of thing we're trying to inspire," he said.
More………
I am a member at PhishTank and Digital PhishNet (DPN). I do support the Anti‐Phishing Working Group (APWG), just not as member because I do not belong to any of the member organizations or have the required email address. I wish that they would allow independent security researchers that are not a non-profit organization. The APWG does provide expert advice to the little guy.
What to Do if Your Web Site Has Been Hacked by Phishers
APWG, January 2009
You may receive a notice by phone or email from an individual or organization that claims knowledge of an attack. Obtain as much information from the third party as possible, including:
a) The person’s name
b) Name of their organization
c) Return contact information (phone, email, postal address, organization’s web site)
d) Web page(s), including the URL (link) the party alleges to be a phish web site
e) Nature of attack (attempt to steal personal information, to complete a bogus credit card transaction, to obtain user account credentials, etc.)
f) A description of any malicious content that appears to be downloadable from your web site (e.g., spyware)
and……
APWG encourages you to report the phishing site URL to the APWG via the email address reportphishing@antiphishing.org. Reporting to this address will cause most anti‐phishing organizations to receive a notification of the phishing web site. Security products, e.g., anti‐phishing toolbars, will be updated with the offending URL, thus offering protection to thousands, if not millions of potential victims.
and…..
The APWG provides a standard “you've been phished!” redirection page and instructions for its use at http://education.apwg.org/r/about.html. This strategy will prevent further use of the phishing site, keep your customers informed, keep your web site online for real time analysis, and afford you additional time to perform containment actions.
More………..
Even with CastleCops and PIRT gone, there are still ways to fight phishing on a daily basis. The volunteer opportunities do exist as long as the volunteer is interested and willing to learn. If ten people send a take-down request to the ISP for ten different phish, ten fraudulent websites will be able to remove that content, investigate the crime, and update their servers. If a modest estimate that each phish could have led to twelve cases of ID Theft, 120 people could be spared this. Ten Times One is Ten.
Thanks, Faith, for posting that. You put into much better words similar thoughts that I have. I really miss Castlecops, but things to change for good or worse all the time in our lives and online. I got to know great people like you and the other members on PIRT, so when I think of it that way, I tend to think about the good things, each of us making a little difference. I believe many times we don't know exactly what good we have done as law enforcement cannot reveal much about their own investigations.
ReplyDelete