• United States
Distinguished Systems Engineer

2009 Top Urban Legends in IT Security

Jun 08, 200911 mins
Cisco SystemsSecurity

There are lots of IT Security related urban legends floating around the Internet. Some have malicious intent and others are just for fun. Some have been with us for years but still refuse to die. Here is a list of my top IT Security Urban Legend picks for this year. 1) Department of Homeland Security mandates that all PC manufacturers install keyboard-logging devices in all PC keyboards.

This Urban Legend has been around for a while now but it just keeps popping up. The Legend goes something like this:

GOVERNMENT AND COMPUTER MANUFACTURERS CAUGHT INSTALLING HARD-WIRED KEYSTROKE LOGGERS INTO ALL NEW LAPTOP COMPUTERS! Devices capture everything you ever type, then can send it via your ethernet card to the Dept. of Homeland Security without your knowledge, consent or a search warrant each time you log onto the internet! The real life implications of this are plain: Computer manufacturers appear to be cooperating with the Department of Homeland Security to make every person who buys a new computer subject to immediate, unrestricted government recording of everything they do on those computers! EVERYTHING !

Most of the time this picture supposedly depicting the key-logger chip is shown

Read more here 2) Internet Spring Cleaning Another oldie but goodie, I bet we’d be surprised at the number of people who still believe stuff like this. The Legend goes something like this:

Subject: Internet Outage for Cleaning and Maintenance DO NOT CONNECT TO THE INTERNET FROM MARCH 31st 23:59 pm (GMT) UNTIL 12:01am (GMT) APRIL 1st. *** Attention *** It’s that time again! As many of you know, each year the Internet must be shut down for 24 hours in order to allow us to clean it. The cleaning process, which eliminates dead email and inactive ftp, www and gopher sites, allows for a better-working and faster Internet. This year, the cleaning process will take place from 23:59 pm (GMT) on March 31st until 00:01 am (GMT) on April 2nd. During that 24-hour period, five powerful Internet-crawling robots situated around the world will search the Internet and delete any data that they find. In order to protect your valuable data from deletion we ask that you do the following: * 1. Disconnect all terminals and local area networks from their Internet connections. * 2. Shut down all Internet servers, or disconnect them from the Internet. * 3. Disconnect all disks and hardrives from any connections to the Internet. * 4. Refrain from connecting any computer to the Internet in any way. We understand the inconvenience that this may cause some Internet users, and we apologize. However, we are certain that any inconveniences will be more than made up for by the increased speed and efficiency of the Internet, once it has been cleared of electronic flotsam and jetsam. We thank you for your cooperation. Interconnected Network Maintenance Staff Main Branch, Massachusetts Institute of Technology Sysops and others: Since the last Internet cleaning, the number of Internet users has grown dramatically. Please assist us in alerting the public of the upcoming Internet cleaning by posting this message where your users will be able to read it. Please pass this message on to other sysops and Internet users as well.

Read more here 3) Don’t Answer that Call Virus This legend is about a new cell phone virus that infects the phone when you answer a call from certain malicious numbers like “unavailable”. It was a big scare in certain circles in early 2000. The Legend goes something like this:

BEWARE!!! Dear all mobile phone’s owners, ATTENTION!!! NOW THERE IS A VIRUS ON MOBILE PHONE SYSTEM. All mobile phone in DIGITAL system can be infected by this virus. If you receive a phone call and your phone display “UNAVAILABLE” on the screen (for most of digital mobile phones with a function to display in-coming call telephone number), DON’T ANSWER THE CALL. END THE CALL IMMEDIATELY!!! BECAUSE IF YOU ANSWER THE CALL, YOUR PHONE WILL BE INFECTED BY THIS VIRUS. This virus will erase all IMIE and IMSI information from both your phone and your SIM card which will make your phone unable to connect with the telephone network. You will have to buy a new phone. This information has been confirmed by both Motorola and Nokia. For more information, please visit Motorola or Nokia web sites: or There are over 3 million mobile phone being infected by this virus in USA now. You can also check this news in CNN web site: Please forward this information to all your friends who have digital mobile phones.

For more gory details go here: 4) Hackers can legally break into web sites that lack “warning” notices. This urban legend is pretty self-explanatory, if you have a website that doesn’t post a proper “don’t hack me” warning notice then you will be unable to hold a hacker liable. It also works the other way to; a script kiddy might believe this legend and start hacking sites that don’t post the proper warnings thinking he is doing nothing illegal. 5) Protect your hotel room key like you would a credit card! Hotel door card keys secretly contain personal information like credit card info, name and address on the magnet strip. This is one of my favorite urban legends mostly because it almost seems plausible. Many resort hotels are treating your room key like a credit card while you’re on the resort right? So, it is not a giant leap for someone to believe this legend. The legend goes something like this:

Just received this and thought it was worth sending around — with so much identity theft going around, makes sense!! Remember this for the future: You know how when you check out of a hotel that uses the credit-card-type room key, the clerk often will ask if you have your key(s) to turn in…or there is a box or slot on the Reception counter in which to put them? It’s good for the hotel because they save money by re-using those cards. But, it’s not good for you, as revealed below. From the Colorado Bureau of Investigation: “Southern California law enforcement professionals assigned to Detect new threats to personal security issues, recently discovered what type of information is embedded in the credit card type hotel room keys used throughout the industry. Although room keys differ from hotel to hotel, a key obtained from the “Double Tree” chain that was being used for a regional Identity Theft Presentation was found to contain the following the information: a.. Customers (your) name b.. Customers partial home address c.. Hotel room number d.. Check in date and check out date e.. Customer’s (your) credit card number and expiration date! When you turn them in to the front desk your personal information is there for any employee to access by simply scanning the card in the hotel scanner. An employee can take a hand full of cards home and using a scanning device, access the information onto a laptop computer and go shopping at your expense. Simply put, hotels do not erase the information on these cards until an employee re-issues the card to the next hotel guest. At that time, the new guest’s information is electronically “overwritten” on the card and the previous guest’s information is erased in the overwriting process. But until the card is rewritten for the next guest, it usually is kept in a drawer at the front desk with YOUR INFORMATION ON IT!!!! The bottom line is: Keep the cards, take them home with you, or destroy them. NEVER leave them behind in the room or room wastebasket, and NEVER turn them in to the front desk when you check out of a room. They will not charge you for the card (it’s illegal) and you’ll be sure you are not leaving a lot of valuable personal information on it that could be easily lifted off with any simple scanning device card reader. For the same reason, if you arrive at the airport and discover you still have the card key in your pocket, do not toss it in an airport trash basket. Take it home and destroy it by cutting it up, especially through the electronic information strip!

6) Don’t wait! Add your name to the International Do Not Spam Registry Boy I wish this particular urban legend were true. This legend portends that an International Do Not Spam Registry exists where all you have to do is sign up and you will never receive any more spam email. Unlike the popular U.S. government “Do Not Call Registry,” there is no official “Do Not Spam” registry. This Legend goes something like this:

National Do Not Email Registry I know you are all tired of getting junk mail. The following link is a National Do Not Email Registry, if you elect to submit your email address they will remove you from junk mail. You can also file a complaint with them if junk emails persist:

The FTC has looked at creating a real one but concluded that it was not possible. For more info on this legend read here: 7) Work virus This one is not so much an urban legend, but rather a good joke. It usually goes something like this:

VIRUS WARNING This virus warning is genuine. There is a new virus going around, called “work.” If you receive any sort of “work” at all, whether via email, internet or simply handed to you by a colleague…DO NOT OPEN IT. This has been circulating around our building for months and those who have been tempted to open “work” or even look at “work” have found that their social life is deleted and their brain ceases to function properly. If you do encounter “work” via email or are faced with any “work” at all, then to purge the virus, send an email to your boss with the words “I’ve had enough of your crap… I’m off to the pub.” The “work” should automatically be forgotten by your brain. If you receive “work” in paper-document form, simply lift the document and drag the “work” to your garbage can. Put on your hat and coat and skip to the nearest bar with two friends and order three pints of beer (or rum punch). After repeating this action 14 times, you will find that “work” will no longer be of any relevance to you and that “Scooby Doo” was the greatest cartoon ever. Send this message to everyone in your address book. If you do NOT have anyone in your address book, then I’m afraid the “work” virus has already corrupted your life.

Read more here: 8) Free site to track anyone via cellphone gps signals Everyone knows that most phones today have a gps chip and can connect to the Internet so it is not much of a stretch to learn that anyone with their phone number can track them online. The legend goes something like this:

I received this email today from a “Peace Officer”. I live in Edmonton Alberta Canada. And I was just wondering if this is for real or a hoax. Check this out! Enter your phone number and watch it trace your exact location. Another example of Big Brother is watching and what you can do with satellites and GPS systems! Try out this mobile phone tracker, it’s great, using a satellite map to track any connected mobile phone with coverage anywhere in the world!!!! Go to the link below and type in a friends cell phone number or anyone that you want to track be sure and include the area code! I know where you have been!

Check out the fake site here: Do you have a favorite urban legend to share? If so, please post it. Now did you hear the legend that Cisco is supposedly just a front operation for the NSA and CIA to allow them to collect information on us all? I mean they do have 80% router and switch market share after all. Let’s see if that one makes its way back around to me. ☺

The opinions and information presented here are my PERSONAL views and not those of my employer. I am in no way an official spokesperson for my employer.

More from Jamey Heary: Credit Card Skimming: How thieves can steal your card info without you knowing it Cisco enters the crowded AV and DLP client marketCisco’s new ASA code allows you to securely take your Cisco IP Phone with you anywhereCisco targets Symantec, McAfee with its new antivirus client Google’s Chrome raises security concerns and tastes like chicken feet a>Go to Jamey’s Blog for more articles on security.






Distinguished Systems Engineer

Jamey Heary, CCIE #7680, is a Distinguished Systems Engineer at Cisco Systems. Jamey sits on the PCI Security Standards Council- Board of Advisors where he provides strategic and technical guidance for future PCI standards. Jamey has authored several security books, his latest is Cisco ISE for BYOD and Secure Unified Access. He also has a patent on a new DDoS mitigation and firewall IP reputation technique. Jamey leads numerous security advisory boards for Cisco Systems and is a founding member of the Colorado Healthcare InfoSec Users Group. He is also recognized as a Distinguished Speaker at Cisco Live. He has been working in the IT field for 19 years and in IT security for 15 years.

More from this author