Update: more resources I picked up on a security list just now (I'm drowning in email here!) Apologies for any duplication.

Update 2: more additions below.

@imaguid pointed out in a microblog that there's a pattern to the use of social engineering around disasters like the Haiti earthquake: "first comes the tragedy, then malware purveyors exploiting the tragedy as a lure, and finally security bloggers exploiting that for content": in fact, it's not uncommon for the security community to post "We expect to see..." articles even before the first social engineering attacks are flagged. In another microblog, Kurt also asks: "how do you make people want to learn how to be more secure without using scare tactics that say in essence "you're in danger!"?"

I'm not going to try to answer that last question now, except to say that motivations for enhancing one's security probably run in this order of descending importance for many people:

  • Reaction to a bad experience
  • Fear of a potential bad experience
  • More altruistic desire to be a good employee/friend/netizen

(I think I may come back to that question elsewhere at some point, though, after I've given it more thought.)

It would be naive to contend that the security industry is entirely altruistic when it points to potential problems: we make our living from making people safer, or trying to. However, I'm not about to apologise for that any more than I expect my doctor to apologise for making his living out of accidents and diseases.

You can be as cynical as you like about how successful we are, but most of the people I know in the industry aren't in it purely for the money. And the warnings I've been seeing about SEO poisoning, scams, malware, rogue AV and so on may increase sales directly or indirectly, but if they do encourage people to help themselves by whatever means, surely that's a good thing?

However, I've noticed several people in the industry or somehow connected to it taking what you might consider a more positive approach to evading some of these issues, by pointing to legitimate aid resources. As with other kinds of phishing, scamming and so on, you'll be much safer going to known legitimate resources than responding to unsolicited requests for help from unverified sources.

Caution: I haven't checked all these resources personally, at least, not in depth. They do, however, come from people I know to be not only honest and well-meaning, but also more than competent in security matters. That said, I nevertheless recommend that you take what steps you can to verify any resource before you contribute to it.

That first resource includes a long list of contact information for legitimate organizations working in or for Haiti. It also includes some recommendations from the FBI via MSNBC for avoiding being scammed or worse by bad actors.

More links on self-protection and threat information (tip of the hat to Tom Kelchner and Alex Eckleberry for flagging these):

ESET Latin America have posted a blog about Blackhat SEO exploitation of the Haiti disaster in order to push rogue security software, at http://blogs.eset-la.com/laboratorio/2010/01/14/terremoto-haiti-motivo-rogue/. The threats described in that blog are detected by ESET products as Win32/Kryptik and Win32/TrojanDownloader.FakeAlert, and use Search Engine Optimization poisoning to put malicious links at the head of the queue when people search for terms like "Haiti Earthquake Donation". As Cristian Borghello, ESET Latin America's Director of Education, so rightly suggests, this attack will be with us for days (even weeks) while this event is such a major topic of concern worldwide.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter: http://twitter.com/esetresearch (or @ESETblog)
ESET White Papers Page: http://www.eset.com/download/whitepapers.php

Securing Our eCity community initiative: http://www.securingourecity.org/

Also blogging at:
http://smallbluegreenblog.wordpress.com/
http://avien.net/blog
http://blogs.securiteam.com
http://blog.isc2.org/