
Some folks may remember the HBGary debacle a short while ago, when HBGary Federal (a wholly-owned subsidiary of HBGary, specializing in government contracts) got themselves cracked by Anonymous after specifically calling them out.  The parent company, HBGary, have published an open letter making certain claims, which Ars Technica has examined.

There’s little surprise in the letter–it’s mostly a reiteration of previous claims about the leaked emails having been ‘altered’ and about how HBGary Federal was a completely separate company with no actual connection to the parent organization other than ownership.  Ars does a good job in dissecting these claims and pointing out which ones hold water and which ones don’t.

Publishing this letter in the first place was likely a bad idea, though.  Anyone who has the least bit of knowledge about Anonymous–which the head of HBGary Federal claimed to have–knows that resurrecting attention to a controversy causes the phenomenon known as “lulz” to occur.  For those unfamiliar with the term, it’s a sort of measurement of attention-worthiness of a particular topic or entity, based on the quality and quantity of reaction to be gained from any interaction with them.  Leaking the HBGary Federal documents produced an extensive amount of this–it gained mainstream media attention and increased the visibility of Anonymous in the public eye.  The Scientology protests were the same–shedding light on the known-bad Scientology organization’s policies and procedures with public protests (and their characteristic purple prose) caused extreme consternation amongst the organization and brought public attention to Anonymous.

Now, HBGary has, essentially, done the same thing that HBGary Federal did–call out Anonymous’ activities, claim to be invulnerable to their attentions, and bring public attention to Anonymous’ interactions with them.  This is the sort of thing that tends to be deemed “lulzy” by Anonymous, and generally tends to bring certain actions.

Westboro Baptist attempted to take advantage of this phenomenon by releasing a fake press release (that claimed to be on behalf of Anonymous) declaring a war against them, followed by a press release under their own aegis calling out Anonymous.  The Anonymous collective rather quickly determined the illegitimacy of the first release–there may be no central organization, but there is a fairly distinct style, which Westboro did not emulate perfectly–and (correctly, as it turned out) determined that the servers named were likely honeypots, intended to trap any members of Anonymous who attempted to DDoS or otherwise infiltrate them.

As it happened, when Westboro pushed the issue, they were rather promptly taken down–just as HBGary is likely to be.  Westboro, like HBGary, made the key mistakes of assuming Anonymous is entirely disaffected teenagers with a modicum of computer skills and a coherent organization with limited membership.  These assumptions miss certain key points–Anonymous is, in essence, a nom de guerre that can be taken on by any person or entity, as is evidenced by th3j3st3r’s participation in the actions against Westboro following his specific attacks against Wikileaks; while not strictly an Anonymous action (as he did claim credit for it), the action against Westboro was compatible with Anonymous’ goals and views.

What HBGary fails to realize is that, by seeking to defend themselves against the ‘blog-o-sphere’, they’ve inadvertently invoked the Streisand effect and drawn specific attention to what they want to keep quiet.  Whether this release has produced enough ‘lulz’–that is, attention to the incident as a cause worthy of working on–remains to be seen, but if they do manage to get away with it without significant infiltration and exposure of more embarrassing secrets, they should count themselves lucky.

Anonymous’ actions cannot be predicted specifically, but it’s fairly obvious that calling them out is, as a comedian recently opined, tantamount to inserting one’s genitals into a hornet’s nest–a bad idea, and likely to cause embarrassing, painful problems.

On their “Naked Security” blog at Sophos (which, by the bye, tends to be blocked by the more paranoid sorts of web filter due to the presence of a keyword in the title that’s often used for other purposes), the authors recommend that Facebook implement three relatively simple practices in order to vastly increase the amount of security available to the users.

From a security standpoint, the recommendations are eminently reasonable: when changing privacy policies, allow the users to opt-in to the new expanded ‘sharing’ roles, rather than having to go in and opt out.  Vet app developers more carefully to ensure only legitimate and ethical developers are allowed access to user information.  Force secure connections, rather than making a ‘best effort’.

These recommendations would go miles towards protecting the userbase of facebook.  By ensuring secured connections to protect against eavesdroppers, non-savvy users connecting from corporate or public networks that might be sniffed wouldn’t end up giving away all their information.  Vetting app developers to ensure that they’re publishing legitimate applications would help to prevent the dozens of scam applications that serve only to spread malware and the like.  Keeping users at their previous privacy settings until such time as they opt in to broader sharing agreements is a standard common-sense approach to security.

And Facebook will do none of this on their own.

Facebook is, first and foremost, a money-making enterprise.  They have found a very effective and useful (for them) model to collect and publish users’ demographic information, and get people invested into ensuring that their information is as accurate and up-to-date as possible.  They make their revenue from selling this information, so it’s in their best interests to ensure that as much of that information is available to the people who provide them with their money as possible.

Forcing secure connections will interfere with their customer base connecting to them on certain networks–corporate networks that have badly-configured proxies, for instance.  This results in less availability of the site to the users, and less information shared–not good for their corporate model.  Facebook wants users to access their page regardless of security settings, meaning that they will never insist on a secured connection if that will interfere with access to the page.  

Vetting app developers, as well, is not likely to happen in any sort of serious manner.  There’s no incentive for Facebook to block their revenue stream by making the barriers to entry any higher than filters out the most blatant and obvious scam artists; that would be an interruption of their revenue stream.  If vetting happens, it will almost certainly be due to specific regulation insisting on it from an outside agency, and will be to either the absolute minimum level required or–if the marketing department wishes to use the opportunity to boost the brand–to a slightly higher level.  It almost certainly will not be to any level that would filter out a significant number of scam artists.

Finally, Zuckerberg’s opinions on privacy aside, privacy settings will almost certainly remain ‘opt-out’ unless there is a significant rewrite of the codebase and a complete revision of the development process.  As it stands, code is deployed on a segment of the live userbase for testing; changing this would require either the use of simulated traffic on a simulated development database or requesting users to opt-in to testing the new features specifically.  Further, maintaining multiple privacy systems simultaneously would impact performance of the codebase (given that any request to a user’s information would have to determine which privacy setting system to go through) and would not automatically bring over ‘stale’ profiles; this further impacts revenues as those paying for the demographic information are not going to be interested in inconsistent results.

While Sophos’ recommendations are eminently reasonable (and could be implemented without too much actual cost–changing the privacy settings to be more atomic and making further revisions depending on database timestamps or the like would not impact performance that much; allowing users to opt-in to beta testing would likely be met with enthusiastic response if it was presented properly; and vetting developers properly, while it would impact revenues in the short term, could be written off as a marketing campaign) they’re not likely to be implemented anytime soon.  Facebook’s current model works well for them (given the amount of money that they’ve been raking in) and they have no current incentive to change this, unless there is significant outcry and a tangible reduction in userbase–which, given the investment that many people have made in putting the bulk of their social life into the facebook domain, is not very likely to happen at all.

The Register has an excellent (if somewhat snarky, though that is the milieu of the publication) article on some of the recent breaks to SSL’s effectiveness as a platform for secure communications.

The basic problem behind this round of vulnerabilities is the reliability of the certifying organizations.  After the recent break-in at Comodo that resulted in the issuance of several fraudulent certificates, more attention has been paid to this particular flaw in the way in which traffic is secured.

SSL works by means of PKI: public key infrastructure.  This means that a large string of data, known as a ‘key’, is sent out into the public for use by anyone wishing to communicate with the server.  The key has a certain mathematical relationship with another key stored on the server (known as the private key); when data is encrypted with one, it can be decrypted with the other if the proper mathematical steps are taken.

These keys are used to negotiate a secured connection to a server, which serves two purposes–first, it assures the person connecting to the server that they are connecting to the genuine article; the fact that the connection can be made successfully proves that the server has the requisite private information associated with the key.  Secondly, it allows the entire connection to be encrypted so that people between the computer and the server will be unable to determine the content of the transaction.

This only works, however, if the key is trusted–if anyone has access to the private key other than the server in question, then there is no assurance that the connection is being made to the correct server, and no assurance that someone in the middle is unable to eavesdrop.

Certifying Authorities such as Comodo, VeriSign, and others are supposed to guarantee that they issue certificates only to the organizations that they identify.  However, this is not always the case; especially in the case of their licensees–companies that issue certificates under license from the CA houses, and whose certificates are intended to be just as trusted–the requisite identification of the certificate requester is not always accomplished properly, resulting in certificates being issued to the wrong persons.

One particular certificate that has been mentioned is one for ‘localhost’–that is, one’s own computer.  While most articles on this subject have noted that this is an essentially frivolous certificate and have paid much more attention to the ‘exchange’ domain certificates that could be used for intercepting corporate email, it’s worth noting that a live ‘localhost’ certificate along with a maliciously-installed local proxy could intercept all internet traffic that a user attempts, thus providing no overt sign (unless the user was very security-conscious and checked carefully the certificates of all the sites that they connected to) to the user that they were being compromised and, for instance, their bank account details were being stolen.
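As an added illustration of the trust argument in the preceding paragraphs (this is example code written for this page, not anything from the article, from Comodo, or from any browser vendor), the Go program below builds two throwaway roots, has the first issue a certificate for a constructed hostname and the second issue one for ‘localhost’, and then asks the standard library’s verifier what a client that trusts only the first root will accept. All names, keys and hostnames are constructed; nothing here touches a network.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCA builds a self-signed root; the name and key are constructed for the example.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key) // self-signed
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueLeaf has the CA vouch for one hostname. The server keeps the new private
// key (that is what the handshake proves possession of); the CA's key signs the name.
func issueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// accepted reports whether a client trusting exactly these roots would accept
// leaf for host: both the chain to a root and the hostname are checked.
func accepted(leaf *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

// TrustScenario: a trusted root issues a cert for one site, a rogue root issues
// one for "localhost"; the rogue cert is only accepted once the rogue root is trusted.
func TrustScenario() (legitOK, rogueRejected, rogueOKWhenTrusted bool, err error) {
	goodCA, goodKey, err := newCA("Example Trusted Root (constructed)")
	if err != nil {
		return
	}
	rogueCA, rogueKey, err := newCA("Rogue Root (constructed)")
	if err != nil {
		return
	}
	site, err := issueLeaf(goodCA, goodKey, "www.example.com")
	if err != nil {
		return
	}
	fakeLocalhost, err := issueLeaf(rogueCA, rogueKey, "localhost")
	if err != nil {
		return
	}
	roots := x509.NewCertPool()
	roots.AddCert(goodCA)
	legitOK = accepted(site, roots, "www.example.com")
	rogueRejected = !accepted(fakeLocalhost, roots, "localhost")
	roots.AddCert(rogueCA) // the client's trust store grows by one rogue root
	rogueOKWhenTrusted = accepted(fakeLocalhost, roots, "localhost")
	return
}

func main() {
	legit, rejected, trustedLater, err := TrustScenario()
	fmt.Println("legit accepted:", legit, "rogue rejected:", rejected, "rogue accepted once trusted:", trustedLater, err)
}
```

The rogue ‘localhost’ certificate is rejected as long as the client trusts only the legitimate root, and becomes acceptable the moment the rogue root is added to the trust store. That is the whole point: the handshake proves possession of a private key, but whether the name on the certificate means anything is entirely a question of which roots the client trusts and how carefully those roots checked identity before signing.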

Certain alternatives to the SSL system have been proposed, but as yet they all suffer from the difficulties of limited adoption.  Until a significant movement arises–or at least some of the ‘big players’ get involved–eCommerce and the like will likely continue to be only partly secured.

(On a side note, a service that actively tracks and validates certificates issued by all authorities–like the automated one run by Google on page 3 of the article linked–could be made very profitable.)

Chase has reported (amongst other companies) that the vendor who handled their email notifications, Epsilon, suffered a security compromise and customer email addresses had been leaked.

While this is unlikely to result in a disclosure of financial information (given that financial information is generally not sent out via email, at least not to unsecured addresses) it does throw into the spotlight the practice of outsourcing IT functions to other companies.

Outsourcing is the practice of contracting with another company for the implementation of some of a company’s business functions.  This allows the business to focus on its core competencies while still maintaining relevance in the marketplace; the company doing the business functions acts, in effect, like a subdepartment of the company.

At least, that’s the theory.

Common outsourcing targets tend to be business functions that the company feels that they can do without the headaches of trying to manage: marketing, for instance, can be contracted out to any number of professional marketing firms (hence the sometimes edgy ads that get retracted now and then).  Customer service is also frequently contracted out to any number of outfits that provide call centers and the requisite infrastructure to maintain the same.  IT is also a frequent target of outsourcing, especially given the usual lack of ability of business majors in the field–it is the confluence of IT and customer service that gave rise to the Indian call centers that have dogged Tier 1 technical services for the past decade or so.

(Note: IT technical support tiers are numbered from Tier 1 to Tier 3, with Tier 1 talking to most customers and Tier 3 being highly technical experts who focus on fixing specific subsets of hardware or software problems)

At the confluence of marketing and IT lies Epsilon and other companies of their sort, that send out notification and solicitation emails to customers.  They are generally provided with a list of names and contact information (email addresses in this case) and serve as a distribution point for status notifications and the like.  Theoretically, the contracted company can manage the large quantities of mail to be distributed without the contracting company needing to manage a datacenter of the magnitude required.

Unfortunately, this results in an increased attack surface for anyone interested in penetrating the security of the institution; especially for those institutions that deal with financial information.  Any information is good information, as far as attempting to penetrate the defenses of a bank, and commonly-checked email addresses provide two venues of attack.

The first venue is, naturally, phishing attacks.  With a list of known-good email addresses and a context for the attack, significant numbers of phishing emails can be sent to customers purporting to require their immediate intervention in order to ameliorate some problem.  This can result in significant compromise of the customers’ information, as incautious customers (who have not taken email security to heart) may end up providing more than enough information to successfully steal their identities to the persons or organizations who undertook the compromise.

The second venue will, in the case of this bank, require a bit more finesse; Chase requires pseudo-two-factor authentication, requiring any device without an identifying cookie set to re-register with the website to login and perform any financial transactions.  However, combined with any information gathered from a phishing attack and a knowledge of typical psychology, educated guesses can be made as to the credentials required to enter both the requisite email account and the bank credentials, in order for more profitable monetary gains to be made.  

Chase’s fraud department is likely to be very busy in the next few weeks.

No information seems to be immediately available on how the compromise at Epsilon was effected, but all the usual recommendations on avoiding phishing–link is above–apply, especially regarding not clicking on any links found in an email and independently checking any recommendations made by an email purporting to be from a financial institution, especially an unsolicited email.

Mobile devices offer a powerful platform for business and social applications.  The ubiquity of the handsets combined with the continually increasing power of mobile chipsets–today’s smartphones have at least as much computing oomph as the business desktop systems of ten years ago–has led to a vibrant marketplace of mobile apps for any conceivable purpose.  A significant amount of money has been invested in these platforms–and where there is money, there is crime.  Accordingly:

  • Make sure you understand what the app you’re installing requires.  The Android platform is particularly good here; each app lists what it has access to, so there are no unwelcome surprises.  If you should choose to go outside the official marketplaces (whether by unlocking your phone, in the case of the iPhone, or by enabling the “install third-party apps” setting for Android), you lose the ‘official’ vetting.  The creators of the OS have a very vested interest in ensuring that hostile software does not end up on users’ handsets; they want their markets to appear “safe.”  For the most part, this does work, although Apple’s app market has had some problem with:
  • Counterfeit apps.  You can generally identify these as being at a lower price point than the authorized app–possibly even offering the full functionality of the paid version of an app for free.  While most of the time these do not end up in the official app markets, it does pay to be careful in case one sneaks in.  Counterfeit applications have been known to play host to a variety of hostile software, some of which may end up costing you a significant amount of money.  
  • Even if the counterfeit app does not contain hostile software, it may contain a weakness through which others can extract your personal information.  The real versions, those that the developer is paid for, are generally kept fairly well updated; it’s in the developer’s best interest to fix bugs.  The same maintenance does not extend to the counterfeit versions.
  • Be careful with geolocation features.  Foursquare may give you a discount for being the ‘mayor’ of a location, but if you continually check in everywhere, then anyone can find out where you are.  Most people will likely not be too concerned, but those people in a law enforcement or military capacity may want to exercise extra care.
  • Likewise, turn off the geotagging feature in your handset’s camera, especially when sharing the pictures with others.  There may be no obvious danger in sharing a picture of a funky face you’re making with friends, but if the location is embedded into the picture’s properties and there’s something appealing in the background, burglars have been known to look for these sorts of things.
  • Handsets are small and valuable, and can potentially be stolen.  Most app markets have several apps that allow the handset to be tracked via GPS if it should be lost or stolen.  They can also lock down the handset and make it unusable.
  • Handsets are also relatively fragile.  Consider setting up a backup of your information, so that you can still access it if something happens to the handset. This is less a concern for Android OS phones than others; many of their applications synchronize your data with an online repository, if you allow them to do so.
  • Mobile antivirus products have begun to appear; consider installing and using one of those.  
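The geotagging bullet above can also be enforced after the fact: the Go program below is an added example (not code from the original post) that removes the Exif metadata segment, where camera GPS tags are stored, from a JPEG before it is shared. The tiny JPEG it operates on is constructed inline so the example runs offline; it is only a header skeleton with the right segment structure, not a viewable picture.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	markerPrefix = 0xFF
	markerSOI    = 0xD8 // start of image
	markerEOI    = 0xD9 // end of image
	markerSOS    = 0xDA // start of scan: compressed pixel data follows
	markerAPP1   = 0xE1 // application segment 1, where Exif (and its GPS tags) lives
)

var exifHeader = []byte("Exif\x00\x00")

// StripExif returns a copy of a JPEG with every APP1/Exif segment removed.
// It walks the marker segments that precede the image data: Exif segments are
// dropped, every other segment is copied unchanged, and once the start-of-scan
// marker is reached the rest of the file is copied verbatim. The pixels are
// never decoded, so the image itself is untouched.
func StripExif(in []byte) ([]byte, error) {
	if len(in) < 4 || in[0] != markerPrefix || in[1] != markerSOI {
		return nil, errors.New("not a JPEG: missing SOI marker")
	}
	out := append(make([]byte, 0, len(in)), in[:2]...)
	pos := 2
	for pos+2 <= len(in) {
		if in[pos] != markerPrefix {
			return nil, fmt.Errorf("expected marker at offset %d", pos)
		}
		marker := in[pos+1]
		switch marker {
		case markerSOS:
			return append(out, in[pos:]...), nil
		case markerEOI:
			return append(out, in[pos:pos+2]...), nil
		}
		if pos+4 > len(in) {
			return nil, fmt.Errorf("truncated segment header at offset %d", pos)
		}
		// The length field is big-endian and counts itself but not the marker.
		segLen := int(binary.BigEndian.Uint16(in[pos+2 : pos+4]))
		end := pos + 2 + segLen
		if segLen < 2 || end > len(in) {
			return nil, fmt.Errorf("bad segment length at offset %d", pos)
		}
		if marker == markerAPP1 && bytes.HasPrefix(in[pos+4:end], exifHeader) {
			pos = end // drop the Exif block, GPS tags and all
			continue
		}
		out = append(out, in[pos:end]...)
		pos = end
	}
	return nil, errors.New("truncated JPEG: no SOS or EOI marker")
}

// HasExif reports whether the file carries an Exif segment before its image data.
func HasExif(in []byte) bool {
	stripped, err := StripExif(in)
	return err == nil && len(stripped) != len(in)
}

// sampleJPEG builds a constructed JPEG header: a JFIF APP0, an Exif APP1 holding
// only a TIFF header, a start-of-scan and a few bytes of fake entropy-coded data.
func sampleJPEG() []byte {
	seg := func(marker byte, payload []byte) []byte {
		length := make([]byte, 2)
		binary.BigEndian.PutUint16(length, uint16(len(payload)+2))
		return append(append([]byte{markerPrefix, marker}, length...), payload...)
	}
	var b []byte
	b = append(b, markerPrefix, markerSOI)
	b = append(b, seg(0xE0, []byte("JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"))...)
	tiff := []byte{'M', 'M', 0x00, 0x2A, 0x00, 0x00, 0x00, 0x08} // big-endian TIFF header
	b = append(b, seg(markerAPP1, append(append([]byte{}, exifHeader...), tiff...))...)
	b = append(b, seg(markerSOS, []byte{0x01, 0x01, 0x00, 0x00, 0x3F, 0x00})...)
	b = append(b, 0x12, 0x34, 0x56) // constructed entropy-coded bytes
	b = append(b, markerPrefix, markerEOI)
	return b
}

func main() {
	in := sampleJPEG()
	out, err := StripExif(in)
	if err != nil {
		panic(err)
	}
	fmt.Printf("before: %d bytes, exif=%v; after: %d bytes, exif=%v\n", len(in), HasExif(in), len(out), HasExif(out))
}
```

Because the walker stops at the start-of-scan marker and copies the compressed image data untouched, the picture is not re-encoded. Only APP1 blocks that begin with the Exif header are removed; other metadata (XMP, for instance, which sits in an APP1 block with a different header) would need its own rule.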

Naturally, all of the general safety tips still apply.  Much of the hostile software thus far has been focused at either extracting personal information or causing the handset to spend money without your intervention–at least, so far.  A likely further avenue that the developers of this software will take is the ‘ransomware’ trick–encrypting your data, with the decryption key available only after payment; taking backups on a regular basis, as mentioned above, as well as being careful which software you install, makes you functionally immune to that trick beyond some mild inconvenience.

As Monday was about basic online safety and Tuesday was about safe Email use, today’s Security 101 will focus on web surfing specifically.  Web surfing is one of the more common uses of online time, as it’s the way to access much of the generally available information (rather than the special-purpose non-“web” internet archives–those are a special case).  Accordingly:

  • Make sure that you have applied all the updates available for your computer, your browser, and any antivirus program that you might run.  The vast majority of infections by hostile software come about as a result of unpatched security updates.
  • If you use Windows, do not use Internet Explorer.  IE is still tightly integrated into the operating system; as such, any vulnerability in IE that is not patched–either because Microsoft has not released a patch or because you ignored the previous bullet–is a vulnerability in Windows as a whole.  Using any other browser (such as Chrome, Firefox, or Opera) will introduce another layer for hostile software to have to go through before it can affect your computer.  Additionally, both Chrome and Firefox have numerous plugins (or add-ons or extensions or whatever the browsers are calling them these days) available specifically to make your browsing experience safer.  Some of those for Chrome have been discussed here; those available for Firefox are just as easy to find.
  • Consider blocking most advertisements.  There have been several cases where advertisement servers have been compromised and have ended up serving ads containing hostile software.  Text ads are, by their nature, immune to this–though it is still advisable to be very careful before considering clicking them, as many ads do point to sites of dubious provenance.
  • Hover before you click.  Especially on sites where users submit links, hover your pointer over the link and look at the address that appears at the bottom when you do so.  If you have any doubts about the domain that the link goes to, don’t follow it.
  • When in doubt, close the browser.  A website can’t hurt you if you don’t have a browser open to it.
  • If shopping, or any time that you might enter personal information, make sure that the form has SSL–a technology to keep your information encrypted in transmission–enabled.  Most modern browsers have a specific, clear indicator that the page has been encrypted with SSL; for instance, the Chrome browser will turn the address bar green.  SSL addresses always start with “https” rather than “http”–double-check to make sure, and don’t put in any personal information unless that’s there.
  • Do not give out any personal information other than the bare minimum required.  If a site wants more information from you than you feel comfortable providing–especially if, like the Gawker family, they have poor security–consider alternatives instead.
  • Avoid downloading any files unless you are sure of the source.  Anything more complicated than a basic text file can contain hostile software that can harm your computer, and this risk goes up with the complexity of the file.  
  • If a website suddenly looks different than what you’re used to–especially if it’s one where you manage your financial information–doublecheck the spelling of the address.  There have been many instances of what is referred to as “typosquatting,” where an address only a couple letters off from the official one is bought by someone unrelated to the official website and used for fraudulent purposes.  If in doubt, close the browser window or tab and try again.
  • If some kind of web content “requires” a plugin to view, do not follow the link from the page.  Instead, check to see if you have the plugin installed, and if not, look for the manufacturer’s webpage to find it.  Flash, for instance, comes from Adobe; any other source cannot be trusted.
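The three bullets on hovering before you click, checking for https, and watching for typosquatted addresses can be turned into one mechanical check. The Go program below is an added example written for this page, not a tool from the original post; the allowlist of known sites and the sample links are constructed.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Verdict is what the checker concludes about a link before it is followed.
type Verdict string

const (
	VerdictOK        Verdict = "ok"               // known site over https
	VerdictNoTLS     Verdict = "no-tls"           // known site, but plain http
	VerdictLookalike Verdict = "lookalike-domain" // within two edits of a known site
	VerdictUnknown   Verdict = "unknown-domain"   // nothing known about it either way
	VerdictBad       Verdict = "unparseable"      // not an absolute URL at all
)

// knownHosts is a constructed allowlist standing in for the sites a reader
// actually banks and shops with; a real list would come from the user.
var knownHosts = []string{"www.example-bank.com", "shop.example.com"}

// levenshtein is the classic edit distance: insertions, deletions and
// substitutions each cost one. Two edits turn "example" into "exarnple",
// which is exactly the kind of near-miss typosquatting relies on.
func levenshtein(a, b string) int {
	ra, rb := []rune(a), []rune(b)
	prev := make([]int, len(rb)+1)
	cur := make([]int, len(rb)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(ra); i++ {
		cur[0] = i
		for j := 1; j <= len(rb); j++ {
			cost := 1
			if ra[i-1] == rb[j-1] {
				cost = 0
			}
			cur[j] = min3(prev[j]+1, cur[j-1]+1, prev[j-1]+cost)
		}
		prev, cur = cur, prev
	}
	return prev[len(rb)]
}

func min3(a, b, c int) int {
	if b < a {
		a = b
	}
	if c < a {
		a = c
	}
	return a
}

// CheckURL is the "hover before you click" step done by a program: it parses the
// link, pulls out the hostname, and reports whether it is a known site (and
// whether it uses https), a near-miss of a known site, or something unknown.
func CheckURL(raw string, known []string) (Verdict, string) {
	u, err := url.Parse(raw)
	if err != nil || u.Host == "" {
		return VerdictBad, "" // relative paths and bare words have no host to judge
	}
	host := strings.ToLower(u.Hostname())
	for _, k := range known {
		// exact match, or a subdomain of a known site
		if host == k || strings.HasSuffix(host, "."+k) {
			if u.Scheme != "https" {
				return VerdictNoTLS, host
			}
			return VerdictOK, host
		}
	}
	for _, k := range known {
		if levenshtein(host, k) <= 2 {
			return VerdictLookalike, host
		}
	}
	return VerdictUnknown, host
}

func main() {
	links := []string{ // constructed sample links
		"https://www.example-bank.com/login",
		"http://www.example-bank.com/login",
		"https://www.exarnple-bank.com/login",
		"https://www.example.org/",
		"login.html",
	}
	for _, l := range links {
		v, host := CheckURL(l, knownHosts)
		fmt.Printf("%-40s %-18s %s\n", l, v, host)
	}
}
```

A link is judged ‘ok’ only when its hostname is a known site (or a subdomain of one) and the scheme is https; a known site over plain http is called out separately; a hostname within two edits of a known site is flagged as a lookalike; everything else is reported as unknown rather than safe. Hovering over a link and reading the address is the same reasoning done by eye.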

As before, all the other general recommendations still apply:  think before you click, and if you’re not sure of a situation, find someone who does this for a living and ask them nicely.  Merely keeping “tips” in mind will not keep you safe–only a deep and abiding commitment to safety, and careful use of safe browsing practices, will do that.

Continuing yesterday’s monologue about remaining safe online, this entry discusses the typical hazards that might be found in email.

Email was invented shortly after the first computers were networked together; its roots as what was, at the time, a nifty interoffice memo system still show through in some places.  While it is convenient as a means of communication, it’s also convenient as a delivery mechanism for various scams and hostile software.  Accordingly:

  • If you don’t know who it’s from, don’t open it.  Any email that you did not directly solicit will probably be either spam (and trying to sell you something), a scam (and trying to get your money without even the courtesy of giving you a fake handbag), or hostile software (which may steal your identity and send it to some guy in Moldovia who’s going to sell it to the Russian mafia).  If it’s from someone you know but the subject line is odd or uncharacteristic of them, don’t open it–it may have been sent by hostile software working off his address book.  Consider these letters to be the equivalent of a brown-paper package with a loud ticking noise inside–it’s better to let someone else deal with it.
  • The base email standard that everyone works with does not have any provision for confirming identity.  By forging email headers, any reasonably competent spammer or scam artist can pretend to be anyone else.  If your email provider or company allows for digital signing of emails–an add-on intended to prove that the sender is who they say they are–then consider using them.  Ask your mail administrator if they’re available.
  • Never open an attachment unless you know exactly what it is.  Especially today, with free “cloud” storage available, there is no reason for any legitimate user to send programs through email; if any attachment asks you for permission to run, then it is likely hostile software.  Even innocuous-looking attachments can carry hostile payloads; pay attention to the email they’re sent in–ask yourself if the person who sent it to you would write in that manner.  If you’re not sure, delete it, and ask the sender to confirm that they sent it.
  • Repeating from yesterday, do not forward chain emails.  If it’s worth sending on, then the original source likely exists online.  Give credit to the original creator; that way they’re more likely to keep creating.  You may also find out that what you’re forwarding is some kind of scam or other falsehood; in that case, by looking before you send, you’ve avoided looking foolish in front of your friends who do do the research.
  • No, there is no email tracking software being tested, and you will not receive money for forwarding the email.  Similarly, any email that promises a benefit from forwarding it falls under the previous bullet point.  Do not forward chain emails.  They clog up mailboxes and lead to infection with hostile software.
  • Repeating from yesterday, turn off the preview feature in your email client.  There have been several viruses that have used this in the past as a means of infection; it’s likely that, since it worked once, it’ll work again.  
  • Never reply to an email that you did not specifically ask for.  Regardless of the apparent legitimacy of any ‘unsubscribe’ links or instructions to reply to the sender to unsubscribe, any unsolicited email should be deleted immediately; if your mail provider allows you to report it as spam, do so.  Following the unsubscribe instructions will tell the spammer or scammer that the email address belongs to a real person who checks it regularly.
  • Read your emails in plain text.  Yes, this is boring.  It’s also safe, and will prevent several different kinds of hostile software from infecting your system.  Also:
  • Send only plaintext emails.  If your email “needs” pictures or fonts or special layouts, then you need a website or a blog for that.  Plain text may be boring, but it is safe; nobody yet has managed to write a virus that will infect a text file.
  • Never, NEVER, buy anything from an email link.  Any legitimate coupons will still be valid if you visit the website and go through the normal portal; any legitimate merchant will have several characteristics on their website for you to identify them.  
  • Any email that says it requires immediate action on your part, else some bad consequence will happen, is a scam.  No legitimate business, bank, or service provider will send a notification of that kind through email.  Manually open the webpage of the company and log in in your usual way if you want to be sure; following any link from an email is a sure way to have your credentials stolen and sold to the Russian mafia.

Email has made modern business possible, but has also provided a platform for many criminals to make a lot of money off of careless and gullible users.  Be suspicious of every email that enters your inbox; even if you think you know who it’s from, it may well be forged or the result of infection by hostile software.  

For the sake of completeness, I tender for the consideration of the masses the following “tips”–though that’s hardly the right word–on the basic rules of staying safe online.  It’s worth noting that simply providing ‘tips’ as though safety was merely something to ‘keep in mind’ is really not enough; if you want to be safe, you have to make a commitment to safety and security.  Avoiding hazards is not a result of anything other than close and careful attention to everything that you do online.  Accordingly:

  • Think before you click.  Especially on windows or error messages that pop up, think about what you’re doing before you click any part of it–especially before clicking a “yes” button.  Especially for Windows users, Microsoft has done a great disservice by spawning endless annoyance windows that have ingrained auto-agree behaviors into people’s minds–and hence allowed more than a few trojans into people’s computers.  Hovering the pointer over hyperlinks in webpages will display the URL that it leads to at the bottom of the browser; pay attention to this, to make sure you want to go where the link leads you.  Actually read error messages that show up, and if you’re going to be placing a support call about them, write down the exact wording; error messages exist for a reason–to tell people exactly what is wrong.
  • Turn off automatic running and previewing ‘features’ on everything.  Yes, it’s a great convenience for the user to be able to pop a CD in a drive and have it automatically run a program.  It’s a great convenience for you to have your email show up without having to open it up.  It’s also an incredible convenience for anyone wanting to install some breed of malware onto your system–especially if you should happen to not pay attention to the previous bullet point and automatically click the ‘authorize’ button on any warnings that may appear.  True, turning off these features is a hassle, and results in more work; however, it’s less of a hassle to open emails and CDs by hand than to try to take back a stolen identity–especially if your identity is worth stealing, you may still be fighting that for decades.
  • Use different passwords for different things.  A plurality of people, even after several highly-publicized compromises of password information, remain lazy in their password discipline.  If you use different passwords on different sites, the only account that will be compromised in the event of a break-in on one site will be the one associated with that site.  Simply adding a letter or a number is not good enough, either; there are numerous tutorials online about how to choose secure passwords, and there are numerous tools available to help manage them.
  • Turn on automatic updates for your operating system and for your antivirus program.  The only people who should not automatically run those updates are administrators of large corporate networks; they have to test patches before the patches are applied to production systems, and as such have means in place to control the updating of the systems under their charge.  Unless you are a systems and networks administrator for a large business or enterprise network, there is little to no reason not to keep the updates on automatic update.  The vast majority of malware is filtered out by simply keeping your system up to date and by paying attention to what you allow to run; the first filters out the majority of hostile software that relies on exploiting weaknesses in the operating system; the second filters out trojans masquerading as something else.
  • Do not forward chain emails.  Yes, that means that the cute bunnies that someone sent you will not be sent to your Aunt Martha from your email address–however, it’s more than likely that those cute bunny pictures exist somewhere online.  The folks at Tineye have built a search engine for figuring that sort of thing out; find out where the pictures originally came from there, and send the link to your Aunt Martha.  This keeps her inbox from filling up; this gives credit to the original content creators; and this gives less opportunity for hostile software to spread.
  • Turn off HTML emails.  Yes, plain text emails are boring, but they’re also safe.  If your email requires pictures and animations and other flashy things, then what you require is a website or a blog, not an email.  Viruses cannot spread through plain text.  Besides–if what you say doesn’t work without a cute font and a bunny picture, it probably wasn’t worth saying to begin with.
  • There Ain’t No Such Thing As A Free Lunch.  Anyone offering you an “amazing deal” is probably trying to scam you.  If the price for a product or service that you’re seeing is more than a few percent away from the price elsewhere, then it’s probably not legitimate.  
  • Never–never–NEVER–buy anything at all from an email that you did not specifically solicit.  Especially not ‘discount pharmaceuticals’ or whatnot.  There are more than enough legitimate sources for anything that is sent out in spam emails–and any email that shows up from any source that you did not make first contact with is spam.  Not only will buying these goods likely result in identity theft, but you are financing organized criminal operations, and you are putting yourself in danger of being clubbed to death by an irate mail administrator.  Do not click, do not open, do not reply that you want to be ‘taken off the mailing list’–if your mail provider offers a ‘mark as spam’ button, use that, or delete it.  The only reason spam continues is because it is profitable, and it only takes one or two people to buy something for it to remain profitable.
  • Think before you click.  Again.  If you have to think about whether you should click something for more than a few seconds, then the answer is likely that you should leave it alone or deny it permission.  If you still aren’t sure, then find someone who does this manner of thing for a living and ask their advice–you’ll get a much better answer if you compensate them in some fashion for their time.  

The internet is a massive convenience, and is rapidly becoming entirely necessary for societal function.  Like any other place where people gather, there is danger of crime; just like walking through a bad part of town, keep your eyes open and your wallet hidden, and you’ll likely avoid any hazards.