How to Detect Fraud In-Person

Unfortunately this Infographic called “How to Spot a Liar” would not be very useful against online scams like 419 fraud. Its references suggest that technology was left out of focus: do people really lie more often on the telephone than over email or IM?

Spoiler alert, this is their list:

  1. Listen to how they say what they say
  2. Watch their body language
  3. Detect irregular emotional patterns
  4. Recognize awkward interactions
  5. Study subtle facial expressions
  6. Understand eye movements

First, although this Infographic says it will help you spot a liar, the list is nearly impossible to use against online fraud, as I pointed out above. That seems to me a strange oversight, and it is why I titled this post “how to detect fraud in-person”. In that regard it still seems useful.

Second, however, it appears to fail to bridge cultural differences, the very foundation of 419 fraud — attackers can use differences to exploit victims through social engineering. If you expect an African to have funny body language because you don’t know much about Africa or Africans, then you will be unable to use their #2 recommendation. In fact, you might be more likely to become a victim: you believe #2 is a good test, yet you set it aside because you are already convinced that Africans have funny body language.

Third, the list gives examples from a baseline that may not fit your situation. It comes from a particular point of view that may not suit every environment. It suggests watching for people who repeat what you say, for example. Yet I have found this to be common in some rural communities. As an outsider from the city I may find it unusual, but I am not about to suggest that rural inhabitants should be trusted less because they behave differently from me. I see a tendency in the Infographic to assume that time in a zone is the same thing as time.

Overall it’s a good presentation on specific fraud vectors and specific detection methods. It would be easy to add the above points to the Infographic and make it more flexible, as we have described in our paper and presentations.

Attacks by scammers appear to make sophisticated use of language ideology to abuse trust relationships. Language that indexes Africans allows perceived ‘authenticity’ to be constructed in a way that breaks down a victim’s defenses — a variety of linguistic devices are used as attack tools.

In the meantime it serves as a good illustration of how a fraud detection system could backfire or fail under a simple change of environment.

Confidentiality Versus Availability

Calculating availability is a fairly well-worn path. It is a matter of dividing up time and then applying cost values.

Percent Uptime   Downtime/day    Downtime/month   Downtime/year
95               72.00 minutes   36 hours         18.26 days
99               14.40 minutes   7 hours          3.65 days
99.9             86.40 seconds   43 minutes       8.77 hours
99.99            8.64 seconds    4 minutes        52.60 minutes
99.999           0.86 seconds    26 seconds       5.26 minutes

I often hear large enterprise architects arguing that building to three nines (99.9% Uptime) is a necessity to avoid the high cost of outages. However, the cost of building a highly available infrastructure must also be weighed against the risk of confidentiality loss. In other words, how much will they increase the risk of sensitive data exposure in order to get from 99.5% to 99.9%? Regulations should help companies more clearly weigh the options (e.g. a $250,000 minimum fine for each incident in California is higher than a $100,000 outage).

This is not to suggest that confidentiality is more valuable than availability but rather, confidentiality should not be sacrificed for a particular architecture to achieve availability. The best solution is one that provides high confidentiality and availability, but it is likely to cost more than a solution that sacrifices one to achieve the other.
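The arithmetic behind the table above, plus the trade-off the section argues for, as an added example that is not part of the original post. It reproduces the downtime figures from an uptime percentage and then puts an expected confidentiality loss beside the outage cost so the two architectures can be compared on one number. The per-hour outage cost, the expected breach incidents per year and the two architecture definitions are constructed assumptions; only the $250,000 per-incident fine comes from the post.

```python
"""Availability arithmetic and an outage-cost versus breach-cost comparison.

Added example, not from the original post. Costs and incident rates below are
constructed placeholders, not figures from any real deployment.
"""
from dataclasses import dataclass

SECONDS_PER_DAY = 24 * 60 * 60
DAYS_PER_MONTH = 30        # the post's table uses a 30-day month
DAYS_PER_YEAR = 365.25


def downtime_seconds(uptime_pct: float, days: float) -> float:
    """Seconds of downtime permitted in `days` at a given uptime percentage."""
    if not 0 <= uptime_pct <= 100:
        raise ValueError("uptime must be a percentage between 0 and 100")
    return (100 - uptime_pct) / 100 * days * SECONDS_PER_DAY


def downtime_table(levels=(95, 99, 99.9, 99.99, 99.999)) -> dict:
    """Reproduce the post's table: downtime per day, month and year."""
    return {
        pct: {
            "day_minutes": downtime_seconds(pct, 1) / 60,
            "month_hours": downtime_seconds(pct, DAYS_PER_MONTH) / 3600,
            "year_hours": downtime_seconds(pct, DAYS_PER_YEAR) / 3600,
        }
        for pct in levels
    }


@dataclass
class Architecture:
    name: str
    uptime_pct: float
    outage_cost_per_hour: float       # assumed: what each hour of downtime costs
    breach_incidents_per_year: float  # assumed: exposure added by the extra moving parts
    breach_cost: float                # per-incident cost, e.g. a regulatory fine


def expected_annual_loss(arch: Architecture) -> float:
    """Expected yearly loss = outage cost + expected confidentiality loss."""
    outage_hours = downtime_seconds(arch.uptime_pct, DAYS_PER_YEAR) / 3600
    availability_loss = outage_hours * arch.outage_cost_per_hour
    confidentiality_loss = arch.breach_incidents_per_year * arch.breach_cost
    return availability_loss + confidentiality_loss


def cheaper(a: Architecture, b: Architecture) -> str:
    """Name of the architecture with the lower expected annual loss."""
    return a.name if expected_annual_loss(a) <= expected_annual_loss(b) else b.name


# Constructed scenario: a simpler 99.5% design versus a three-nines design that
# needs more replicas, more credentials and more data copies to keep in sync.
FINE_PER_INCIDENT = 250_000  # the California figure quoted in the post
SIMPLE = Architecture("two-and-a-half nines", 99.5, 2_000, 0.1, FINE_PER_INCIDENT)
COMPLEX = Architecture("three nines", 99.9, 2_000, 0.5, FINE_PER_INCIDENT)

if __name__ == "__main__":
    for pct, row in downtime_table().items():
        print(f"{pct:>7}%  {row['day_minutes']:8.2f} min/day  "
              f"{row['month_hours']:7.2f} h/month  {row['year_hours']:8.2f} h/year")
    for arch in (SIMPLE, COMPLEX):
        print(f"{arch.name}: expected annual loss ${expected_annual_loss(arch):,.0f}")
    print("cheaper overall:", cheaper(SIMPLE, COMPLEX))
```

With these assumed numbers the three-nines design saves about $70,000 a year in outages but adds $100,000 in expected breach cost, so the simpler design wins; change the incident rates and the answer flips. The point is that the comparison only exists once the confidentiality side is given a number at all.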

Recovery Funds Speed Nuclear Cleanup

The Department of Energy reports that the cleanup of nuclear waste in South Carolina is moving ahead and creating hundreds of jobs with the help of Federal Recovery Funds. It is a little more than half complete today.

Recovery funds are accelerating the cleanup of contaminated facilities, soil, and ground water at one of the nation’s key nuclear weapons sites.

During the early 1950s, the Savannah River Site (SRS) produced tritium and plutonium-239 to be used in the manufacture of nuclear weapons.

[…]

Since the 1990s, the Department of Energy (DOE) has been working to clean up contamination on the 310-square-mile site in South Carolina. Recovery funds totaling $1.6 billion are allowing DOE to accelerate these clean-up efforts. DOE says the Recovery funds — from six separate awards — will reduce the SRS footprint by 75 percent by 2012, seven years earlier than previously planned.

It is amazing how large of an area is contaminated or otherwise impacted by these nuclear facilities — 310-square-miles!

Just one segment of the project, which already is completed, had 23 buildings spread over 40-square-miles. Quick trivia check: 40-square-miles is the same as 25,000 acres and…

  1. Twice the area of Manhattan, NY
  2. The same area targeted in the 2003 hunt for Osama bin Laden
  3. The same area as Walt Disney World Resort
  4. The same area as the vacant, abandoned lots in Detroit, MI
  5. All of the above

Imagine if $1.6 billion was earmarked by the federal government for the same 310-square-miles to fund innovation and production instead of just reclamation (making the area usable again). Although innovation and jobs for reclamation are notable, this is a good example of the back-end costs that are sunk into fixing pollution.

MS stops Renocide worm, spreading since 2008

Microsoft’s Threat Research and Response Blog says a recent update to their Malicious Software Removal Tool (MSRT) can now detect Renocide, a worm from 2008. The new MSRT in one week already has Renocide at #4 on the top ten infections list.

A description, with some signs of infection, was provided with the update.

Win32/Renocide is a family of worms that spread via local, removable, and network drives and also by means of file sharing applications.

It infects the network by scanning the local network using the subnet mask 255.255.0.0 and looking for writeable shares where it can copy itself and an autorun.inf file. It also uses the NETBIOS protocol to look for machines in the local network where it can plant copies of itself.

To infect computers beyond the local network, it plants copies of itself in the shared folders of popular file sharing applications. This step also involves social engineering techniques to maximize infection success.
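The two spreading behaviours Microsoft describes (copying autorun.inf onto every writable share it finds, and sweeping a /16 for hosts) leave a recognisable footprint in SMB file-write audit logs. The following is an added detection example, not code from Microsoft's blog or from the MSRT: it parses a constructed log format and flags any source host that drops autorun.inf on several distinct shares or fans out to many hosts within one /16. The log layout, the sample lines and the thresholds are assumptions; a real audit source will need its own parser.

```python
"""Flag hosts behaving like a share-spreading worm from SMB file-write audit logs.

Added example, not Microsoft's code. The log format and the sample lines are
constructed for illustration; adapt `parse` to the real audit source.
"""
from collections import defaultdict
import ipaddress

# Constructed audit lines: "<time> <src_ip> <dst_ip> <share> <path>"
SAMPLE_LOG = r"""
09:00:01 10.1.4.20 10.1.7.5 \\10.1.7.5\public \autorun.inf
09:00:01 10.1.4.20 10.1.7.5 \\10.1.7.5\public \update.exe
09:00:02 10.1.4.20 10.1.9.14 \\10.1.9.14\share \autorun.inf
09:00:02 10.1.4.20 10.1.9.14 \\10.1.9.14\share \update.exe
09:00:03 10.1.4.20 10.1.200.3 \\10.1.200.3\data \autorun.inf
09:00:03 10.1.4.20 10.1.44.9 \\10.1.44.9\docs \autorun.inf
09:00:10 10.1.4.31 10.1.7.5 \\10.1.7.5\public \report-q3.xlsx
09:00:12 10.1.4.31 10.1.7.5 \\10.1.7.5\public \report-q3.xlsx
"""


def parse(log_text: str) -> list:
    """Turn the constructed log lines into event dicts; blank lines are skipped."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, share, path = line.split()
        events.append({"ts": ts, "src": src, "dst": dst, "share": share, "path": path})
    return events


def find_spreaders(events, autorun_share_threshold=3, distinct_host_threshold=3) -> dict:
    """Return {src_ip: [reasons]} for sources matching either worm-like pattern.

    Pattern 1: autorun.inf written to >= autorun_share_threshold distinct shares.
    Pattern 2: writes to >= distinct_host_threshold hosts inside one /16, which is
    what a scan with mask 255.255.0.0 looks like from the file server's side.
    """
    autorun_shares = defaultdict(set)                       # src -> {share}
    hosts_per_slash16 = defaultdict(lambda: defaultdict(set))  # src -> net -> {host}
    for ev in events:
        if ev["path"].lower().endswith("autorun.inf"):
            autorun_shares[ev["src"]].add(ev["share"].lower())
        net = ipaddress.ip_network(f"{ev['dst']}/16", strict=False)
        hosts_per_slash16[ev["src"]][net].add(ev["dst"])

    findings = {}
    for src in set(autorun_shares) | set(hosts_per_slash16):
        reasons = []
        share_count = len(autorun_shares.get(src, ()))
        if share_count >= autorun_share_threshold:
            reasons.append(f"autorun.inf written to {share_count} distinct shares")
        for net, hosts in hosts_per_slash16.get(src, {}).items():
            if len(hosts) >= distinct_host_threshold:
                reasons.append(f"wrote to {len(hosts)} distinct hosts in {net}")
        if reasons:
            findings[src] = reasons
    return findings


if __name__ == "__main__":
    for src, reasons in find_spreaders(parse(SAMPLE_LOG)).items():
        print(src)
        for reason in reasons:
            print("  -", reason)
```

On the sample data only 10.1.4.20 is reported, for both reasons; 10.1.4.31 writes the same spreadsheet twice to one share and stays quiet. Software deployment tools and imaging scripts can legitimately write autorun.inf, so the share threshold is a tuning knob rather than a hard rule, and the /16 fan-out check is the stronger of the two signals because ordinary users rarely touch files on dozens of different hosts in a few seconds.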