Security Advancements at the Monastery » Phishing
http://blog.securitymonks.com
Information about developments at the Monastery
Fri, 03 Sep 2010 05:41:44 +0000

Unclear and Present Danger
http://blog.securitymonks.com/2008/05/28/unclear-and-present-danger/
Thu, 29 May 2008 05:08:15 +0000, John Gerber

Col. Charles W. Williamson III, in his post “Carpet bombing in cyberspace: Why America needs a military botnet,” ran into trouble with the security community when he stated, “America needs a network that can project power by building an af.mil robot network (botnet) that can direct such massive amounts of traffic to target computers that they can no longer communicate and become no more useful to our adversaries than hunks of metal and plastic.” Richard Bejtlich’s post “Mutually Assured DDoS” points out several of the problems with an af.mil robot network. Sean Sullivan from F-Secure also wrote a thoughtful response titled “US Air Force Colonel Proposes Skynet.” I will leave it to the reader to head over to Williamson’s, Bejtlich’s, and Sullivan’s blogs and form their own opinions.

In the end, an effective Distributed Denial of Service (DDoS) attack will likely be carried out in a manner that makes it difficult to block the involved IPs without cutting off service to the victim’s customers. In cyberspace, attackers do not wear uniforms, nor do they necessarily come from a particular domain. It is not so easy to identify the enemy. The intelligent attacker makes every effort to blend into the population.

With that in mind, I wanted to post some sites that can help identify from where attacks might originate. Please do remember that IPs used in an attack do not necessarily identify who is behind the attacks.

Overview

I agree with Col. Charles W. Williamson III that cyberspace is a dangerous place. The idea of going on the offensive and striking back is appealing. Since early childhood, I can remember my dad always saying, “The best defense is a good offense.” The problem with an offensive military botnet is that it will run into trouble when it comes to locating the base of the enemy. To understand why this is the case, we will start by defining some of the favorite cyberspace weapons used by the bad guys. We will then examine the countries where attacks are occurring. Sources of published information will be examined, which should help the reader continuously monitor activities in their network. We will end by discussing Carnegie Mellon’s attempt to establish international communication and coordination.

Definitions

Let us define a few of the favorite tools being used to carry out attacks in cyberspace.

Malware

Malware is short for malicious software. It is any software written for malicious reasons that infiltrates or damages a computer without authorization. Some common malware types are trojans, worms, viruses, bots, rootkits, and spyware/adware. Below are definitions taken from the links above.

  • Trojan – a package disguised as something useful or popular, but actually carrying a malicious payload that will damage the victim machine, threaten data integrity, or impair the functioning of the victim machine. Trojans can be classified according to the actions which they carry out on victim machines: backdoors, PSW trojans, trojan clickers, trojan downloaders, trojan droppers, trojan proxies, trojan spies, trojan notifiers, and arcbombs.
  • Virus – attaches itself to a program or file so it can spread from one computer to another, leaving infections as it travels. Viruses can be classified according to their environment and infection methods, such as file viruses, boot sector viruses, macro viruses, and script viruses.
  • Worm – considered a subclass of virus; worms take advantage of file or information transport features on systems, allowing them to travel unaided. Worms include programs that propagate via LANs or the Internet with the objective of penetrating remote machines, launching copies on victim machines, and spreading further to new machines. The key difference from a trojan is that worms can propagate on their own. They self-copy and infect other machines purely through vulnerabilities that are inherent to the system itself. No human intervention is required.
  • Rootkit – a program (or combination of several programs) designed to take fundamental control (in Unix terms “root” access, in Windows terms “Administrator” access) of a computer system, without authorization by the system’s owners and legitimate managers.
  • Spyware – computer software that is installed surreptitiously on a personal computer to intercept or take partial control over the user’s interaction with the computer, without the user’s informed consent.
  • Adware – advertising-supported software is any software package which automatically plays, displays, or downloads advertising material to a computer after the software is installed on it or while the application is being used. Generally, adware is classified as privacy-invasive software.

Botnet

A botnet is a collection of Internet-connected computers running autonomously and automatically in order to accomplish some distributed task. Distributed computing can be used for useful and constructive applications, while the term botnet typically refers to a system designed and used for illegal purposes. The individual compromised machines (drones or zombies) run malicious software (a bot) and are assimilated and used without the owner’s knowledge. The machines operate under the Command and Control (C&C) of the botnet owner (herder). Botnets are used for (definitions taken from the accompanying links):

  • Click Fraud – click fraud is a type of internet crime that occurs in pay per click online advertising when a person, automated script, or computer program imitates a legitimate user of a web browser clicking on an ad, for the purpose of generating a charge per click without having actual interest in the target of the ad’s link.
  • DDoS – one in which a multitude of compromised systems attack a single target, thereby causing denial of service for users of the targeted system. The flood of incoming messages to the target system essentially forces it to shut down, thereby denying service to the system to legitimate users.
  • Keylogging – a method of capturing and recording user keystrokes.
  • Warez – refers primarily to copyrighted works traded in violation of copyright law.
  • Spam – is the abuse of electronic messaging systems to indiscriminately send unsolicited bulk messages.

Phishing

Phishing is the practice of sending out fake emails, or spam, for the purpose of gathering personal information and/or identity theft.

Source Countries

Now that we know a few of the weapons used in cyberspace, we are ready to examine countries where these various attacks are occurring. Once more, please remember that those behind the attacks might not be at the same location as the machines that are launching the attacks.

The Shadowserver Foundation (see below) collects and provides some very interesting statistics. The below map shows the locations of infected machines (drones) that Shadowserver has observed in the past 24 hours. Please note that this information is not complete. It cannot be. If we knew all infected computers and C&C machines, we could shut them down easily. The challenge is in the ever changing landscape. The Shadowserver Foundation does a commendable job continuously monitoring this dynamic landscape.

Drones

The below map shows the last 24 hours’ worth of tracked C&C servers.

CC IPs

The below graph shows the count of all the network scans into routed CIDR blocks originating from the botnets that Shadowserver is aware of:

Scans for Year

The below map shows the last 24 hours’ worth of tracked C&C servers and the targets of their scans.

Scans Past 24hrs

The below graph shows the count of all the DDoS attacks that occurred from the botnets that Shadowserver is aware of:

DDoS

The below map, covering the most recent 24-hour period, shows the C&C servers and the targets of the DDoS attacks.

DDoS Past 24hrs

The below map shows the machines suffering DDoS attacks and the C&C sources in 2007.

C&C 2007

PhishTank (see below) publishes verified phishing attempts daily. Below is a map of the countries generating the most reported verified phishing attempts for April 2008.

Phishing 2008

Sources for Information

As previously mentioned, the Shadowserver Foundation gathers, tracks, and reports on malware, botnet activity, and electronic fraud. It is a great source of information concerning cybercrime. Richard Perlotto, the gentleman who runs the technology and operational side of the Shadowserver Foundation, presented last week at the Asia Pacific Information Security conference (AusCERT2008).

PhishTank provides information on phishing attacks. While OpenDNS created and operates the site, PhishTank is a community effort, with the information being provided by companies and people submitting phishing e-mails and Web sites. The data is totally open and a free API exists. The API documentation is available for developers wanting to use PhishTank’s community data to integrate anti-phishing elements into their applications.

If you have anything in your security arsenal that is monitoring for certain IPs or domains, the DNS-DB Malware Domain Blocklist and the Global Watchlist provide invaluable up-to-date information. The DNS-DB Malware Domain Blocklist site maintains a list of domains, pulled from various sources, that are known to be used to propagate malware and spyware. The Global Watchlist was created after a discussion between C.S. Lee and Spoonfork. C.S. Lee describes the purpose of this list in his posting “The Harimau Watchlist.” What they have done, in their own words, is to “pull the list of suspected malicious IPs/Net ranges from different sources such as Sans dshield, Arbor atlas and so forth, then putting all of them in one place.” You can search through a web interface or set up processes to search automatically via URL. They have also made all the IPs and data available in one file. The Emerging Threats site helps detect, and possibly prevent, access from these IPs and domains through Snort, Dragon, and other IDS/IPS signatures.

The Spamhaus Project attempts to “track the Internet’s Spam Gangs, to provide dependable realtime anti-spam protection for Internet networks, to work with Law Enforcement Agencies to identify and pursue spammers worldwide, and to lobby governments for effective anti-spam legislation.” The project offers a realtime database of IP addresses consisting of a combination of the Spamhaus Block List (SBL), the Exploits Block List (XBL) and the Policy Block List (PBL). If you want a data feed, the service is not free, though you can try it out free for 30 days. They do operate DNSBL servers spread across 18 countries, and you may qualify for free access via DNS queries.

The SANS Internet Storm Center (ISC) provides a free analysis and warning service to fight back against malicious attackers. The ISC gathers millions of intrusion detection log entries every day, from sensors covering over 500,000 IP addresses in over 50 countries. It is a free service to the Internet community. After removing identifying information, the ISC sends intrusion detection and firewall logs to the DShield distributed intrusion detection system.

The National Vulnerability Database (NVD) is a fantastic source of free information enabling automation of vulnerability management, security measurement, and compliance. While it might not help with filtering of IPs, the data can be used in combination when automating your security. To quote the site, “NVD includes databases of security checklists, security related software flaws, misconfigurations, product names, and impact metrics.” NVD is the repository for Information Security Automation Program (ISAP) and the Security Content Automation Protocol (SCAP). Here are a few of the major sources of information NVD provides:

  1. CVE Vulnerabilities – a dictionary of publicly known information security vulnerabilities and exposures. Allows you to download the entire CVE List in various formats.
  2. Checklists – repository of publicly available security checklists (or benchmarks) that provide detailed low level guidance on setting the security configuration of operating systems and applications.
  3. US-CERT Alerts – provide timely information about current security issues, vulnerabilities, and exploits.
  4. US-CERT Vuln Notes – include technical descriptions of the vulnerability, as well as the impact, solutions and workarounds, and lists of affected vendors.
  5. OVAL Queries – an international information security community standard to promote open and publicly available security content, and to standardize the transfer of this information across the entire spectrum of security tools and services. OVAL Repository downloads include data files of all vulnerability, compliance, inventory, and patch definitions for supported platforms.

There are a few good sources for security statistics in the form of reports. The Anti-Phishing Working Group (APWG) is a global pan-industrial association with over 3000 members in over 1700 companies and agencies worldwide. The group’s purpose is eliminating the fraud and identity theft that result from phishing, pharming and email spoofing of all types. They produce an interesting Phishing Activity Trends report, which was last updated in January 2008.

WhiteHat produces a Security Statistics Report. The report presents a statistical picture of current website vulnerabilities, focused solely on previously unknown vulnerabilities on public websites. The report also contains expert analysis and recommendations. Jeremiah Grossman, founder and CTO, maintains a very informative blog where additional information can be found. You can hear Jeremiah on a recent episode of Risky Business, where he discussed Cross Site Request Forgery attacks with host Patrick Gray.

Microsoft produces a “Security Intelligence Report.” Currently the fourth volume is available covering July through December 2007. You can also watch the video cast of Bret Arsenault, GM US National Security Team and Vinny Gullotto, GM Microsoft Malware Protection Center, discuss the trends and findings in the latest SIR.

There are a few final sources of information that I have found useful when trying to understand security trends. Dan Geer gave a presentation, “A Quant Look at the Future: Extrapolation via Trend Analysis.” The state-of-the-art report (SOAR) published by the Information Assurance Technology Analysis Center (IATAC) provides observations about noteworthy trends in software security assurance as a discipline. The Computer Crime and Security Survey is conducted by CSI annually. The aim of this effort is to raise the level of security awareness, as well as help determine the scope of computer crime in the United States. They used to issue the report with the FBI. Registration is required.

Blogs can also be a valuable source of information, and may occasionally post IPs to be concerned about. SunBelt Software just did a posting titled “Fresh new rogue antispyware programs.” Dancho Danchev recently posted “Malware Domains Used in the SQL Injection Attacks.” The F-Secure folks maintain a very informative site concerning the latest news from their labs. There are many excellent sites for information on malware, botnets, and phishing. For example, Kaspersky Lab maintains the blog VirusList and the AVDefender. SANS ISC has the Handler’s Diary.

International Incident Coordination

Security on international projects is complicated. Take a look at my previous post, “Information Security and the Law.” Different countries have different laws impacting what can and cannot be done. Many CEOs may not know a great deal about information technology, but they know they have no desire to break the laws of other countries. This can pressure managers into implementing light security: heavy on the data protection, but light on the detection. We have established that cyberspace can be a dangerous place, especially when you are playing in international waters. Defenses will fail. An organization that cannot detect nefarious activities in a high-risk environment is a bad combination. Even when you have fully supportive management, it is easy to run into a road block when dealing with other countries.

Carnegie Mellon University’s Software Engineering Institute (SEI) is trying to help establish some coordination between the white hats working in international security. First, a little history in order to understand the players involved. SEI was charged by the Defense Advanced Research Projects Agency (DARPA) with setting up a center to “coordinate communication among experts during security emergencies and to help prevent future incidents.” This center was named the CERT Coordination Center (CERT/CC) and is an amazing source for cutting edge security research and information.

With the establishment of incident response teams both within the United States and internationally, difficulties soon developed due to differences in language, time zone, and international standards or conventions. It became apparent that better communication and coordination between teams was needed. The Forum of Incident Response and Security Teams (FIRST) was established. Membership consists of teams from a wide variety of organizations including educational, commercial, vendor, government and military.

CERT/CC also began a program to help Computer Security Incident Response Team (CSIRT) development and establish CSIRTs around the world. National CSIRTs deal with security at the macro level. Large-scale incidents can affect the economy, critical infrastructure, government operations, and/or national security. If the incident ends up being a worldwide event, National CSIRTs can coordinate with CSIRTs in other countries to establish communications and cooperation among those countries.

To hear more about CSIRT, in August Jeff Carpenter talked with Julia Allen on the CERT podcast titled, “Tackling Security at the National Level: A Resource for Leaders.” Jeffrey J. Carpenter is the technical manager of the CERT/CC and has assisted with the formation and development of CSIRTs. Julia Allen is a senior researcher within the CERT Program and is engaged in developing and transitioning executive outreach programs in enterprise security and governance, and works extensively with the IT operations and audit communities. She is one of my favorite sources for enterprise security information.

Below is an interactive map to locate CSIRTs with national responsibility around the world. From the map, additional information can be pulled up on the individual sites.

map

Final Words

I understand the frustration Col. Charles W. Williamson III feels. The problem is that in cyberspace, the enemy is all around us. It is within us. If we lash out, our first target must be ourselves. In the end, we are fighting blind. Edmund Burke once said, “All that is necessary for evil to succeed is that good men do nothing.” I do not think good men attacking each other was what Edmund had in mind. That is what will occur if we fight blind. We can’t even withdraw into the safety of our own silos, for the perimeters are being continuously breached. Retreat is not an option. The delusion that isolationism will bring safety has been shattered. The only solution is for the good guys to band together. There is strength in unity. Only when working together will we be strong enough to take on those who bring destruction.

Confusion is a Phisher’s Best Friend
http://blog.securitymonks.com/2007/11/13/confusion-is-a-phishers-best-friend/
Wed, 14 Nov 2007 01:02:53 +0000, John Gerber

“If you’re not confused, you’re not paying attention.” — Tom Peters

Perception is not reality. Figuring out what is real can be very confusing. Phishers prey on confusing and scaring people enough that they can be led to click on a link, enter personal information, or even call a phone number. Initially I was going to use a riddle at the top of this post to try and confound the reader. Unfortunately, I ended up the one confused. I was unable to find the original source for the classic riddle I have heard so many times. Worse yet, there are several variations. I decided to go with the Tom Peters quote, create my own version of the riddle, and use the new variation in the body of the post. Now bear with me, though no bears were used in the making of this post (only a dog and some fish). We will go through the riddle to get in the proper mindset for phishing, step through a few examples, and finish strong with a little clarity.

Imagine if you will that last night, after too little sleep, and too much Red Bull, you finally crashed. When you woke up this morning, you find Cerberus before you. Unfortunately, in this case, Cerberus is not the network authentication protocol but the actual three headed hound that guards the gate to Hades. Being one who is always prepared, you fortunately went to sleep with your square headed girlfriend. The good news is, being so close to Hades (a definite hot spot) you are able to access the Internet. With a little googling, you discover a few little known facts about Cerberus.

First, each of Cerberus’ heads can speak English, along with Greek. If a talking bilingual hound is not amazing enough, one head will always tell the truth, one head will always lie, and one head may lie or tell the truth depending on its mood. Cerberus, like any other dog, enjoys playing. Still, Cerberus is a little different from other dogs. He will only play a special game fashioned after “Let’s Make a Deal.” Here are the rules. Before you, there are two doors. You may ask two questions, but you have to direct each question to only one of Cerberus’ heads at a time. Once you have asked one head a question, you cannot ask the same head a second question. Of course, you have no idea which head lies, tells the truth, or does whatever it feels like.

As for what’s behind the doors? One door, once open, will immediately suck you down into Hades. The other door, when opened, teleports you to Google where there is free Red Bull, 10G Internet access, masseuses, and free lunches and dinners in the cafeteria. Do not worry, Rod Serling is not hiding anywhere. There are no “Twilight Zone” plot twists where Google turns out to be the real evil in this tale. Being a true IT professional, you burn easily, so you will want to avoid Hades. What two questions do you ask?

Confused? That is the theme of this post. Life can be very confusing. Unfortunately there are many black hatters that will take advantage of people’s confusion. In order to avoid the whole hacker versus cracker debate, I am calling evil doers black hatters. Black hatters will build on mistakes, creating some fairly sophisticated deception. For the who, what, and when on phishing, see the Anti-Phishing Working Group (APWG) July 2007 report. As for a recent personal example, last week I received some emails appearing to come from a local credit union. The first email came through with the subject “Notice!”

Dear Customer,

The Hades Post Office Credit Union temporarily suspended your account. Reason: Billing failure.

To start the update process click here.

Once you have completed the update, we will send you an email notifying that your account is available again. After that you can access your account at any time.

The information provided will be treated in confidence and stored in our secure database. If you fail to provide information about your account you’ll discover that your
account has been automatically deleted from HPOCU database.

Copyright © The Hades Post Office Credit Union, All Rights Reserved

I do appreciate the copyright notice at the end. It is a nice touch. Not to add to anyone’s confusion, I don’t really live in Hades. I am just protecting the credit union. Also, the original “click here” link went off to a phishing site, so I have changed that link. Also, the Goliath Corporation, while ethically challenged, was not behind the attack. For those less battle hardened, what are the giveaways in this email? Here is what I noticed:

  1. The use of “Customer” instead of my name. This indicates they had no personal information. Maybe it was purely by luck, but this email did appear to come from a local credit union. It seems they may have known roughly where I lived. Or maybe this email went out to so many people that I just happened to live in the same area as the credit union. Let’s assume it was not by chance. If not, this is known as spear phishing. Spear phishing describes any highly targeted phishing attack where the black hatters gather personal or organizational information to make the emails appear more genuine.
  2. The link in the email does not go to the Hades Post Office Credit Union. On the positive side, the black hatters failed to compromise the credit union web server. To add to the customer’s confusion, I have seen many credit unions outsource their banking web site, so when doing bank business you go to a non-credit-union web site.

Right after the first email, a second email came through. I am not going to reproduce it here because it seems to be from a second black hatter. It is more sloppily done. The sharks are circling. A third email arrives a little later with the subject “Urgent Notice!”

Dear Customer,

We regret to inform you that we have received numerous fraudulent emails which ask for personal account information. The emails contained links to fraudulent pages that looked legit. Please remember that we will never ask for personal account information via email or web pages.

Because of this we are launching a new security system to make accounts more secure and safe. To take advatage of our new consumer Identity Theft Protection Program we had to deactivate access to your card account.

To activate it please call us immediately at 253-397-2068

Activation is free of charge and will take place as soon as you finish the activation process.

If you think your identity has been stolen, here’s what to do now:

1) Contact the fraud departments of any one of the three major credit bureaus to place a fraud alert on your credit file. The fraud alert requests creditors to contact you before opening any new accounts or making any changes to your existing accounts. As soon as the credit bureau confirms your fraud alert, the other two credit bureaus will be automatically notified, and all three credit reports will be sent to you free of charge.

2) Close accounts that you know or believe have been tampered with or opened fraudulently. Use the ID Theft Affidavit (PDF) when disputing new unauthorized accounts.

3) File a police report. Get a copy of the report to submit to your creditors and others that may require proof of the crime.

4) File your complaint with the Federal Trade Commission (FTC). The FTC maintains a database of identity theft cases used by law enforcement agencies for investigations. Filing a complaint also helps the FTC gather more information about identity theft and the problems victims are having.

For more information, go to: http://www.consumer.gov/idtheft/.

Please do not reply to this message. For any inquiries, contact Customer Service.
Hades Post Office Credit Union – Copyright © 2007

Now one might believe this email was legit. The cavalry to the rescue. There are a few problems.

  1. Once more, they never identify who they are sending this email to. There is no indication the credit union knows this customer.
  2. “advatage” is misspelled. Black hatters are getting much better at proper grammar and spelling. I would hope a credit union, after being caught up in a phishing attack on its members, would not make spelling errors in the email informing people of this fact.
  3. I do not have an account with the Hades Post Office Credit Union. The credit union does not know me and should not be sending me email.
  4. The phone number is not local to Hades. It is not even an 800 number, though there are reasons not to trust 800 numbers. The phone number does not match the numbers listed on the “contact us” page. I cannot find the number via the Internet. This looks like it could be a VoIP Phishing attack. With VoIP phishing attacks, the black hatters will pose as the bank, email people trying to get them to dial a number and then have them enter or provide personal information. In this case, customers call to get IDTheft protection and end up giving the black hatter all their personal information.

You have to give the black hatters credit. If the first email did not fool you, with “billing failure,” they are going to scare you into trying to get IDTheft protection. Going to the Hades Post Office Credit Union website revealed a notice that fraudulent emails were sent out. That notice, unlike the above email, does not provide a special contact phone number.

Now, one could look at the full header of the email and see that the email did not originate from the Hades Credit Union. For IT professionals, this is a wise course of action. Most people are not IT professionals and looking at email headers is confusing. For demonstration purposes, let me show the non IT professional a valid email header from nist.gov. IT professionals you can skip ahead.

From Patrick O’Reilly Tue Nov 13 14:44:40 2007
Return-Path:
Authentication-Results: mta207.mail.re4.yahoo.com from=nist.gov; domainkeys=neutral (no sig)
Received: from 129.6.16.226 (EHLO smtp.nist.gov) (129.6.16.226)
by mta207.mail.re4.yahoo.com with SMTP; Tue, 13 Nov 2007 14:45:46 -0800
Received: from imp.nist.gov (imp.nist.gov [129.6.16.10])
by smtp.nist.gov (8.13.1/8.13.1) with ESMTP id lADMjAUC014099;
Tue, 13 Nov 2007 17:45:13 -0500
Received: from imp.nist.gov (localhost [127.0.0.1])
by imp.nist.gov (8.13.7/8.13.7) with SMTP id lADMieSw013254;
Tue, 13 Nov 2007 17:44:40 -0500 (EST)
Date: Tue, 13 Nov 2007 17:44:40 -0500 (EST)
Message-Id: <7.0.1.0.2.20071113172800.0277b3e0@email.nist.gov>
Errors-To: patrick.oreilly@nist.gov
Reply-To: poreilly@email.nist.gov
Originator: compsecpubs@nist.gov
Sender: compsecpubs@nist.gov
Precedence: bulk
From: “Patrick O’Reilly”
To: Multiple recipients of list
Subject: NIST Announces the Release of 3 Special Publications

Notice the occurrences of nist.gov in the header. The IPs in the header could be looked up and they would belong to nist.gov. Below is the black hatter’s email header. Pay attention to the bold text.

From Hades Post Office Credit Union Mon Nov 12 03:54:05 2007
Return-Path:
Authentication-Results: mta327.mail.re4.yahoo.com from=hpocu.org; domainkeys=neutral (no sig)
Received: from 64.202.189.57 (HELO k2smtpout05-02.prod.mesa1.secureserver.net) (64.202.189.57)
by mta327.mail.re4.yahoo.com with SMTP; Mon, 12 Nov 2007 03:54:15 -0800
Received: (qmail 13872 invoked from network); 12 Nov 2007 11:54:05 -0000
Received: from unknown (HELO DZVS01.prod.phx1.secureserver.net) (68.178.147.168)
by k2smtpout05-02.prod.mesa1.secureserver.net (64.202.189.57) with ESMTP; 12 Nov 2007 11:54:05 -0000
Received: (qmail 24335 invoked from network); 12 Nov 2007 11:54:04 -0000
Received: from tx-65-40-99-101.sta.embarqhsd.net (HELO User) (65.40.99.101)
by digizoneusa.net with SMTP; 12 Nov 2007 11:54:04 -0000
Reply-To:
From: “Hades Post Office Credit Union”
Subject: Notice !

The email did not originate from hpocu.org. You can go to SpamCop and look up the IPs to see if an IP is a known spammer. On local spear phishing attacks, there is a good chance the IP will not be listed. Another point: each of the emails from the black hatter originated from different IPs and domains, which is another indication that even if the credit union outsourced their work, something is not right with these emails. I understand that for many people looking at full headers is not an option. If you are aware of what to look for in the body of the email, that will go a long way in helping protect you against phishing attacks. To help those not in the IT profession learn what to look for, there is Anti-Phishing Phil.
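The header reading done by eye above can also be done in code. As an added example (mine, not part of the original post), the Python script below walks the Received chain of the two headers above from the latest hop to the earliest visible one and reports whether any hop lies in the From: domain and which IP the earliest hop came from. The sample headers are constructed from the ones quoted in the post, re-folded so Python’s email parser accepts them; the From: addresses (patrick.oreilly@nist.gov, notice@hpocu.org) are assumed placeholders, since the post does not show the originals.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample input: the two headers quoted in the post, re-folded with
# indented continuation lines so the email parser accepts them. The From:
# addresses are placeholders (the post does not show the originals).
NIST_HEADERS = """\
Authentication-Results: mta207.mail.re4.yahoo.com from=nist.gov; domainkeys=neutral (no sig)
Received: from 129.6.16.226 (EHLO smtp.nist.gov) (129.6.16.226)
  by mta207.mail.re4.yahoo.com with SMTP; Tue, 13 Nov 2007 14:45:46 -0800
Received: from imp.nist.gov (imp.nist.gov [129.6.16.10])
  by smtp.nist.gov (8.13.1/8.13.1) with ESMTP id lADMjAUC014099;
  Tue, 13 Nov 2007 17:45:13 -0500
Received: from imp.nist.gov (localhost [127.0.0.1])
  by imp.nist.gov (8.13.7/8.13.7) with SMTP id lADMieSw013254;
  Tue, 13 Nov 2007 17:44:40 -0500 (EST)
From: "Patrick O'Reilly" <patrick.oreilly@nist.gov>
Subject: NIST Announces the Release of 3 Special Publications
"""

PHISH_HEADERS = """\
Authentication-Results: mta327.mail.re4.yahoo.com from=hpocu.org; domainkeys=neutral (no sig)
Received: from 64.202.189.57 (HELO k2smtpout05-02.prod.mesa1.secureserver.net) (64.202.189.57)
  by mta327.mail.re4.yahoo.com with SMTP; Mon, 12 Nov 2007 03:54:15 -0800
Received: (qmail 13872 invoked from network); 12 Nov 2007 11:54:05 -0000
Received: from unknown (HELO DZVS01.prod.phx1.secureserver.net) (68.178.147.168)
  by k2smtpout05-02.prod.mesa1.secureserver.net (64.202.189.57) with ESMTP; 12 Nov 2007 11:54:05 -0000
Received: (qmail 24335 invoked from network); 12 Nov 2007 11:54:04 -0000
Received: from tx-65-40-99-101.sta.embarqhsd.net (HELO User) (65.40.99.101)
  by digizoneusa.net with SMTP; 12 Nov 2007 11:54:04 -0000
From: "Hades Post Office Credit Union" <notice@hpocu.org>
Subject: Notice !
"""

IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def parse_received(value):
    """Extract source host, HELO name, connecting IP and receiving host from one
    Received: header. Returns None for hops with no 'from ... by ...' pair, such
    as qmail's '(qmail NNN invoked from network)' lines, which name no host."""
    text = " ".join(value.split())  # unfold continuation lines
    m = re.match(r"from (?P<src>\S+)(?P<extra>.*?) by (?P<by>\S+)", text)
    if not m:
        return None
    extra = m.group("extra")
    helo = re.search(r"\((?:HELO|EHLO) (\S+)\)", extra)
    ip = IPV4.search(m.group("src") + extra)
    return {
        "src": m.group("src"),                    # name the receiver recorded ('unknown' or an IP is common)
        "helo": helo.group(1) if helo else None,  # name the sender claimed; trivially forgeable
        "ip": ip.group(0) if ip else None,        # connecting IP as seen by the receiver
        "by": m.group("by"),                      # the relay that wrote this hop
    }


def in_domain(host, domain):
    """True if host equals domain or is a sub-domain of it (case-insensitive)."""
    if not host or not domain:
        return False
    host, domain = host.lower().rstrip("."), domain.lower()
    return host == domain or host.endswith("." + domain)


def trace(raw_headers):
    """Walk the Received chain and check whether it ever touches the From: domain.

    Each relay prepends its own Received: line, so the first one is the final
    hop (the recipient's MTA) and the last one is the earliest hop visible to us.
    Only hops written by relays we trust are reliable; anything below a relay
    the attacker controlled could be forged, so the earliest hop is a lead for
    a blocklist lookup, not proof of the true origin."""
    msg = message_from_string(raw_headers)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    hops = [h for h in map(parse_received, msg.get_all("Received", [])) if h]
    origin = hops[-1] if hops else {}
    touched = any(in_domain(h[k], from_domain) for h in hops for k in ("src", "helo", "by"))
    return {
        "from_domain": from_domain,
        "hops": len(hops),
        "origin_host": origin.get("src"),
        "origin_helo": origin.get("helo"),
        "origin_ip": origin.get("ip"),
        "relays": sorted({h["by"] for h in hops}),
        "touches_from_domain": touched,
    }


if __name__ == "__main__":
    for label, hdrs in (("nist.gov list mail", NIST_HEADERS), ("credit union phish", PHISH_HEADERS)):
        t = trace(hdrs)
        verdict = "consistent" if t["touches_from_domain"] else "SUSPICIOUS: no hop in the From: domain"
        print(f"{label}: From={t['from_domain']} earliest hop={t['origin_host']} "
              f"(HELO {t['origin_helo']}, {t['origin_ip']}) relays={t['relays']} -> {verdict}")
```

The earliest hop’s IP is the one you would look up on SpamCop, bearing in mind that hops below a relay the attacker controls can be forged.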

Anti-Phishing Phil

Carnegie Mellon University has created Anti-Phishing Phil as an “interactive game that teaches users how to identify phishing URLs, where to look for cues in web browsers, and how to use search engines to find legitimate sites.” To continue to quote the site, “Our user studies have found that user education can help prevent people from falling for phishing attacks. However, it is hard to get users to read security tutorials, and many of the available online training materials make users aware of the phishing threat but do not provide them with enough information to protect themselves. Our studies demonstrate that Anti-Phishing Phil is an effective approach to user education.” I applaud Carnegie Mellon. I found Anti-Phishing Phil to be a fun way to teach users about identifying phishing attempts.

In the end, security often does not have a simple solution. Once a solution is found, it seems the black hatters build upon yesterday’s exploits, requiring security professionals to derive more complicated solutions. It is an arms race. Fortunately, some problems do have final solutions. I might not have the final answer to preventing all phishing attacks, but I do have the answer to the riddle. As with many problems, the answer can be found by first simplifying the problem. Imagine if there were only two question-answerers: a truth-teller and a liar. The liar might even wear a black hat, but probably does not. That would make it too easy. In this problem, you must determine which is the correct door using only one question. The solution is well known: pick one of the two answerers and ask the following question, “Which door would the OTHER answerer say leads to Google?” If the response is “Door A,” go through Door B, and vice versa.

The riddle is made more difficult because of the third head that can either lie or tell the truth. Now suppose that using only one question we can ensure that our second question will be asked of the head that tells only the truth or only lies. Then we can solve the problem just as we did above. So, we choose one head and ask the following question: “Of the other two, which one is most likely to give me a truthful answer when I ask them a question?” Now apply the lessons learned from above in case we are asking of the truth-teller or liar. Our second question we ask of whoever was NOT the answer to the first question, “Of the other two heads, what answer would the head that has to lie or tell the truth give when asked which door leads to Google?” Then you know which door leads to Google.

Let’s confirm this. We will start off by giving names to each of the heads: Adam, Bert, and Carl. Adam is the head that tells only the truth. Bert always lies. And Carl does what he feels like. The first question, Q1, is “Of the other two, which one is most likely to give me a truthful answer when I ask them a question?” The second question, Q2, is “Of the other two heads, what answer would the head that has to lie or tell the truth give when asked which door leads to Google?” If the head we ask Q1 of is Carl, then he will answer Adam or Bert. The important point is that Q2 will not be asked of Carl. If the head we ask Q1 of is Bert, he will tell us Carl is more likely to tell the truth. Bert is a stinker. No wonder Homer is always choking him. Again, the important point is that for Q2 we choose whoever is not the answer to Q1. So, Adam will be asked Q2. If the head we ask Q1 of is Adam, he will tell us Carl is more likely to tell the truth, in which case Q2 would be asked of Bert. In other words, our second question will end up being asked of Bert or Adam. If we ask Q2 of Adam, Adam will truthfully answer what Bert would say, and point to the door to Hades. If we ask Bert, he will take Adam’s response and then lie by choosing the door to Hades. Whatever the response to the second question, we choose the other door.
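The case analysis above, carried out by brute force as an added example that is not from the original post: a small Python model of the three heads that tries every role assignment, door, starting head and arbitrary answer from the fickle head, and confirms the two-question strategy always yields the Google door. The role labels, the head indexes (Adam, Bert, Carl as 0, 1, 2 in the checks) and the `whim` parameter standing in for Carl's mood are assumptions of this example.

```python
import itertools

DOORS = ("A", "B")
TRUTH_RANK = {"truth": 2, "random": 1, "liar": 0}   # who is likeliest to be truthful

def other(door):
    return "B" if door == "A" else "A"

def answer_q1(heads, asked, whim):
    """Q1: 'Of the other two, which one is most likely to give me a truthful answer?'
    `whim` is whatever the fickle head feels like saying (assumed: one of the other two)."""
    others = [h for h in range(3) if h != asked]
    if heads[asked] == "random":
        return whim
    honest = max(others, key=lambda h: TRUTH_RANK[heads[h]])
    # the truth-teller names the honest answer; the liar names the other head
    return honest if heads[asked] == "truth" else next(h for h in others if h != honest)

def answer_q2(heads, asked, google):
    """Q2: 'Of the other two heads, what answer would the head that has to lie or
    tell the truth give when asked which door leads to Google?'"""
    if heads[asked] == "random":
        raise ValueError("the strategy never puts Q2 to the fickle head")
    others = [h for h in range(3) if h != asked]
    fixed = next(h for h in others if heads[h] != "random")      # Adam or Bert
    fixed_says = google if heads[fixed] == "truth" else other(google)
    return fixed_says if heads[asked] == "truth" else other(fixed_says)

def choose_door(heads, first, google, whim):
    """Ask Q1 of `first`, Q2 of whoever was neither asked nor named, then take the other door."""
    named = answer_q1(heads, first, whim)
    second = next(h for h in range(3) if h not in (first, named))
    return other(answer_q2(heads, second, google))

def strategy_always_works():
    """Exhaust every role assignment, door, starting head and whim of the fickle head."""
    for heads in itertools.permutations(("truth", "liar", "random")):
        for google in DOORS:
            for first in range(3):
                for whim in (h for h in range(3) if h != first):
                    if choose_door(heads, first, google, whim) != google:
                        return False
    return True
```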

I hope this post has helped clear up some of the confusion over phishing. At the very least, if you ever find yourself a game show contestant with Cerberus filling in for Monty Hall, you will hopefully now know how to figure out which door to choose. See you at Google.

Copyright © SpecOps 2007, All worldwide rights reserved.
