Anti-Phishers Pose as Phishers to Make Point
Carl Bialik from the WSJ writes "This article notices a new trend in efforts to fight phishing: Anti-fraudsters are posing as phishers to 'to train users to be more careful about sharing sensitive information online.' Or, as the Wall Street Journal puts it, 'To fight computer crime, the good guys are masquerading as bad guys pretending to be good guys.' West Point cadets were among those who got fake phishing emails -- in their case, from Aaron Ferguson, a teacher at the academy. 'The gullible cadets received a "gotcha" email, alerting them they could easily have downloaded spyware, "Trojans" or other malicious programs and suggesting they be more careful in the future. ... Nonetheless, he says the exercise upset some cadets, who felt it exploited their inclination to follow an order from a colonel, no questions asked. He says the new edict is, "Ask questions first, then execute." '"
It's all fun and games until the bad guys start posing as the good guys posing as the bad guys.
Or in other words, use Common Sense?
Dilbert really got the point.
follow me on Twitter: http://twitter.com/moeffju
I wonder what'll happen if they try that? Is that what they're trained in the military? Isn't it shoot first, ask questions later?
My MythTV HowTo
It's human nature to be trusting of others. People don't want to believe that there are bad people out there who want to do them harm. I think this exercise was kind of silly, "Look, these cadets in an ARMY SCHOOL will follow what a SUPERIOR tells them to do! OMG ROFL!!!!11"
I think it's sad that it's come to the point where we have to assume everything is untrustworthy and to have to keep a guard up 24/7.
"Sir! Sir! Are you a terror-"*gets shot*
I never spellcheck and I freely admit it. Save your karma for more worthwhile "lol erorrs" replies
Practical example of "Ask questions first, then execute":
[Abu-Ghraib guard] Blindfold?
[Iraqi prisoner]No...
Bang
So these people who were CADETS followed phishing instructions that came to them STRAIGHT FROM THEIR OWN COLONEL. I hardly think that's a reasonable test!
Now, if they'd all mindlessly obeyed an email from ebay or paypal or their bank or something, then yes, they would have been ownz0red. But following an instruction from a superior officer is something we do try to encourage in the Forces these days.
Whence? Hence. Whither? Thither.
"follow an order from a colonel, no questions asked"
This is how plans end up knocking down buildings.
Nonetheless, he says the exercise upset some cadets, who felt it exploited their inclination to follow an order from a colonel, no questions asked.
Regular SMTP email is not a secure messaging platform. There is no guarantee of delivery, and no guarantee of authentication.
Remind me to send some email labelled:
From: georgewbush@whitehouse.gov
That's an order son.
My initial response is that cadets needs to wise up about who's who when orders are given, but then I realized that it's probably a federal offense to impersonate a military officer in real life. The question then becomes whether it's illegal to impersonate an officer online. If so, the good/bad/good guys have gone too far.
What do you mean they cut the power? How can they cut the power, man? They're animals!
To me, it's pretty scary that someone would just commit an action just because that someone was trained to follow instructions only, and to never question.
That's why I never joined.
And because you 'never joined', it is understandable why you have little clue how the military actually works.
Just beware of when your SO sends you an email saying "Click here for wet and wild pics" and you get the email:
:P
You're in big trouble, buster!
To fight computer crime, the good guys are masquerading as bad guys pretending to be good guys.'
Reminds me of a quote from Interview With The Vampire. "Vampires pretending to be humans, pretending to be vampires."
How would one distinguish the real thing from phishing? Most phishing e-mails give themselves away by their bogus requests: give us your bank account #, SSN, etc. This one was just going to a web-site to verify their grade report. The only way they could have verified this was not legit was to search for the name of the sender and find that he isn't actually at West Point. Of course, many phishing e-mails use actual names, so that wouldn't tell you anything if it did exist.
Of course, I use pine on Unix, so I feel quite comfortable opening up any e-mail. I know this doesn't make me bullet-proof, but so far nothing bad has ever hit me this way.
Ben Hocking
Need a professional organizer?
is not the same thing as blindly following orders from somebody claiming to be one.
Which of course is a known problem in the military; high ranking officers expect cooperation from everybody, including soldiers who have never met them before. They may flash (or even show) some kind of ID in rare instances, but for the most part a soldier has to guess if he's dealing with the real thing or not.
It doesn't say what the "instructions" were, but it sounds like all they did was go to a web-site. Depending on what these instructions were, the students were either gullible, or just following what seemed to be a legitimate set of instructions. It's really hard to tell the phishers from the legits until you actually see what is being requested of you and/or the URL of the web-site. Of course, this is why phishing is so prevalent.
I think these two methods can be complementary. Email correspondence within the company should ideally be signed, but this is often hard to enforce. Instead of saying "look how easily you were fooled," without providing an appropriate method of verifying authenticity, companies should be training employees to use encryption; the response should be "look what happens when you don't check the signature." This wouldn't cause employees to mistrust internal communication -- cryptographically signed messages are inherently trustworthy (up to a certain point).
Whenever I get a phishing email, I visit the site and fill it in with (genuine looking) crap details.
Perhaps a small waste of their time sifting genuine responses from garbage, but if everyone did that it'd make their life a lot harder.
On the common ebay one, if it rejects your credit card as invalid, change the check digit (the last digit of the 16 digit number) until you get the right one.
Perhaps there's a good reason why this isn't any use in fighting phishers, but it makes me feel better anyway.
Jolyon
Please read my Canon EOS tech blog at http://www.everyothershot.com
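The "check digit" the poster is adjusting is, for payment-card numbers, the Luhn check digit: the last digit is fixed by the other fifteen, so exactly one of the ten candidates passes. The following is an added example, not code from the post, that shows both the brute-force approach described above and the direct computation. A form that rejects a number as "invalid" without contacting any bank is, in practice, only running this check, so passing it says nothing about whether an account exists. The prefix used below is the widely published Visa test number with its check digit removed.

```python
"""Luhn check digit for payment-card numbers.

Added example, not from the original post. The last digit of a card number
is the Luhn check digit: for any prefix exactly one of the ten trailing
digits passes, and it can be computed directly instead of by trial and error.
"""


def luhn_checksum(number: str) -> int:
    """Luhn sum modulo 10 over a digit string (0 means the string validates)."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9          # same as summing the two digits of the product
        total += d
    return total % 10


def luhn_valid(number: str) -> bool:
    """True when the full number, including its check digit, passes Luhn."""
    return number.isdigit() and luhn_checksum(number) == 0


def luhn_check_digit(prefix: str) -> int:
    """Check digit that makes prefix + digit pass Luhn, computed directly."""
    return (10 - luhn_checksum(prefix + "0")) % 10


def candidates_passing_luhn(prefix: str) -> list:
    """The poster's approach: try all ten trailing digits, keep the ones accepted."""
    return [d for d in range(10) if luhn_valid(prefix + str(d))]


if __name__ == "__main__":
    # Constructed input: the well-known Visa test number minus its check digit.
    prefix = "411111111111111"
    print(luhn_check_digit(prefix), candidates_passing_luhn(prefix))
```

Because the check digit is a deterministic function of the prefix, a phishing form that performs this check gains nothing from it except filtering out typos; it cannot tell a real card from a made-up Luhn-valid one.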
Cadets are given instructions and then a "colonel" comes along and convinces some of them to do something they shouldn't. How is this a problem specific to email/technology? Hasn't this type of exercise been around as long as the military?
You, sir, were ripped off.
Free as in mason.
Under the current rules, an e-mail from a superior carries the force of an order. In most situations, this is a good thing. However, there is a problem in that plain e-mail is inherently insecure. Most military e-mail servers don't perform any sort of authentication, so I could easily send mail that looks like it came from General Foobar.
Of course, the solution is some sort of PKI solution -- and it's mostly here. US military ID cards are smartcards with PKI certificates on them. There was a mandate that all official DOD e-mail be signed. The deadline passed years ago, with most people unaware that it was ever a requirement. The problem is that the military's infrastructure just isn't ready.
In the Air Force, for example, your e-mail address is first.last@basename.af.mil. What happens when you change bases? You have to get a new cert, of course, and now you can't decrypt e-mail sent to your old address (ie, archived mail). Further, say you have an Army person stationed at an Air Force installation. The Army has unified e-mail addresses (name@us.army.mil), but the Soldier will also have a unit e-mail address, which will probably be his primary SMTP address (if it weren't, he wouldn't show up correctly in the GAL). The solution is to give him two e-mail addresses on his cert.
But wait! The software the DOD uses to write the certs can't do two RFC822 addresses. Lame, but true. So now you're stuck forcing the Soldier to have his army.mil address set as his primary SMTP, have it forward e-mail to his unit account, and just suck it up when people complain about not being able to find him in the GAL.
Now for the real reason PKI isn't fully implemented. Exchange 2000 OWA can't handle S/MIME out of the box. Exchange 2003 can, and some major commands run it, but at least one (I'm looking at you, USAFE) has it disabled (WHY????!!!). The long and the short is that commanders wouldn't be able to read their secure e-mail from anywhere but their desks.
The end result is that the taxpayers paid millions of dollars to pave the way for a decent secure e-mail solution for the US military, but we don't use it. The result is that those cadets (and anyone else) really don't know who their e-mail comes from, but they still must act as if it's an order from the person it says sent it.
It's always a long day... 86400 doesn't fit into a short.
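Several posts above make the same two points: plain SMTP gives no assurance that the From: line is genuine, and the intended fix is signed mail, so the lesson should be "look what happens when you don't check the signature." The following is an added example, not code from any of the posters or from the DOD, showing the triage a receiving mail filter can do with the standard library alone: confirm that the visible From: agrees with the envelope sender recorded in Return-Path, and confirm that a message claiming to come from a trusted domain actually carries an S/MIME signature structure (multipart/signed with an application/pkcs7-signature part). Actually verifying that signature needs the signer's certificate chain and an S/MIME implementation such as `openssl smime -verify`; this code only decides whether a message is even a candidate for that step. The domain, the sample messages and the p7s body are constructed for the example.

```python
"""Triage of inbound mail before anyone treats it as an order.

Added example, not from the original thread. Two checks: the From: header
must agree with the envelope sender (Return-Path), and mail from a trusted
domain must be S/MIME signed (RFC 8551 multipart/signed). The signature is
not verified here; that needs certificates and an S/MIME implementation.
"""
import email
from email import policy
from email.utils import parseaddr

# Hypothetical: domains whose mail is allowed to carry orders.
TRUSTED_DOMAINS = {"usma.example"}


def parse(raw: str):
    """Parse an RFC 5322 message with the modern email policy."""
    return email.message_from_string(raw, policy=policy.default)


def sender_domain(msg) -> str:
    """Lower-cased domain of the From: mailbox, '' if absent."""
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].lower()


def header_and_envelope_agree(msg) -> bool:
    """True when From: and Return-Path: name the same mailbox."""
    _, hdr = parseaddr(str(msg.get("From", "")))
    _, env = parseaddr(str(msg.get("Return-Path", "")))
    return bool(hdr) and bool(env) and hdr.lower() == env.lower()


def is_smime_signed(msg) -> bool:
    """Structural check for S/MIME signed mail; does not verify the signature."""
    if msg.get_content_type() != "multipart/signed":
        return False
    protocol = msg.get_param("protocol", failobj="")
    if str(protocol).lower() != "application/pkcs7-signature":
        return False
    parts = list(msg.iter_parts())
    return len(parts) == 2 and parts[1].get_content_type() == "application/pkcs7-signature"


def triage(raw: str) -> list:
    """Reasons the message must not be acted on; an empty list means go verify the signature."""
    msg = parse(raw)
    findings = []
    if sender_domain(msg) in TRUSTED_DOMAINS and not is_smime_signed(msg):
        findings.append("unsigned message claims to come from a trusted domain")
    if not header_and_envelope_agree(msg):
        findings.append("From: header does not match the envelope sender")
    return findings


# Constructed samples. The base64 body of the p7s part is a placeholder, not a signature.
UNSIGNED = """\
Return-Path: <bounce@mailer.example.net>
From: "COL Smith" <colonel.smith@usma.example>
To: cadet@usma.example
Subject: Verify your grade report
Content-Type: text/plain

Log in at http://grades.example.net/ and confirm your report. That is an order.
"""

SIGNED = """\
Return-Path: <colonel.smith@usma.example>
From: "COL Smith" <colonel.smith@usma.example>
To: cadet@usma.example
Subject: Verify your grade report
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature";
 micalg=sha-256; boundary="b1"

--b1
Content-Type: text/plain

Log in at https://grades.usma.example/ and confirm your report.
--b1
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

if __name__ == "__main__":
    for name, raw in (("unsigned", UNSIGNED), ("signed", SIGNED)):
        print(name, triage(raw) or "ok, pass to signature verification")
```

Return-Path is written by the receiving MTA from the SMTP envelope, so an attacker who controls the sending server can make it agree with a forged From:; that check only catches sloppy forgeries, and in practice you would also read the SPF/DKIM/DMARC results the MTA records. The structural S/MIME check is the one that actually forces the question the posters raise: an unsigned "order" from a trusted domain is refused before anyone considers obeying it.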
A while back I was testing Outlook at Microsoft, and I dropped a potential privacy hole into the bug database. They resolved it as an unimportant issue.
A couple of years later, I saw the bug mentioned again...
on CNN.
If you need a well-written email to do phishing, some email that you want to spam to try and phish people, well, you just go here to this anti-phishing.org site because they have a library of all phishes that have been sent around the world.
This raises a rather interesting question of whether institutions with assumed automatic compliance, like the military (for practical reasons), may become especially vulnerable to certain types of viruses that engage in a form of social engineering attack?
In the article's example, no colonel of the name given existed. However, in many virus variants, compromised computers use address books to form fake mailings to one person on the list from another person on the list. Given that an email list generally represents a network of people who mostly know each other, this leads to the recipients using a much lower level of caution when receiving an email with an attachment from someone they know. To make this even more severe, where institutionalized automatic compliance exists, many of these emails would appear to come from superiors and make virus transmission almost a certainty.
Of course, this could also occur in any private organization with strict command and control or possessing a culture of fear leading to blind obedience to any orders coming down from the top. Therefore, one could hold that you can lessen security exposure to these types of attacks (viruses serve as just a starting point as other social engineering attacks could also work in this context, with much more disastrous results) by creating a more permissive and questioning command and control structure. However, obviously, this would not work for the military and perhaps some other institutions, except in certain contexts, so what do you do?
Most legitimate requests will tell you to log in to the front page of their web-site (where you've already been), and follow a certain chain of links to get to where the information needs to be verified. The biggest hole in this assumption is that someone could have hacked that web-site. But, it will protect you from the more common phishing schemes.
I'd say that the more critical the information, the more you need to protect it. If they're phishing for my /. password, for example, I'll force them to give me a retinal scan, but I'll give my SSN away for some of that free beer I keep hearing about.
Back in the days when we were all wearing bearskins, we'd have to keep a guard up 24/7 as well. Since then only the type of threat has changed.
Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
http://en.wikipedia.org/wiki/K%C3%B6penick
And it is why mindless obedience should be considered a liability in any modern army, and therefore discouraged.
The guy mentioned in the article just took over the town hall. Good thing they didn't have any nukes back then.
In this case, I would expect a colonel to trust his officers enough to tell them "I'm sending this autoinstall to you". Or his officers to reply "Sir, you sent us an autoinstall without mentioning it. Please confirm this was your intent."
Where do I get this "$20 electricity" from?
Is it guaranteed for the life of the product, or what?
I thought a big part of military training was the idea that no soldier is to obey an unlawful order, or a lawful order unlawfully given.
ESPECIALLY at the top military academies, such as, oh, say, West Point!
So these cadets are, in effect, saying "But I was Just Following Orders!" - which is NOT a valid excuse.
www.eFax.com are spammers
Prior to this you mentioned "it illustrates that army cadets are particularly vulnerable to social engineering attacks, and therefore in dire need of education" (which might very well be true), but it was these employees who entered their passwords.
Granted, the army cadets might have done the same thing (and I agree they would be vulnerable), but the article doesn't explicitly state this.
Which order would this be?
If they verified that the email was authentic (e.g. it was PGP-signed or whatever mechanism they have in place), then fair enough, they received an order and they should obey it.
But that kind of test isn't representative of real-world phishing. Phishers can't subvert USA army communications to fake orders, can they? Or, if they can, surely that is the problem, and not the fact that people trust the authentication in place.
On the other hand, if they received an email and they didn't verify the identity of the sender, then the phishing attack worked and they are at fault.
It all boils down to the method of authentication that is in place, and whether it was used. The article doesn't go into enough detail to say whether the claim they were "just following orders" is a valid defence or not. "Just following orders" is no defence if you didn't establish that the order came from a superior officer.
Bogtha Bogtha Bogtha
To me, it's pretty scary that someone would just commit an action just because that someone was trained to follow instructions only, and to never question.
Military members are obligated to follow lawful orders from those above them. They have to ask themselves "is this legal? Does it mesh with the Uniform Code of Military Justice? Rules of engagement? Geneva Conventions?" Something tells me that inputting personal information because of an email does not necessarily qualify as an unlawful order.
24 beers in a case, 24 hours in a day. Coincidence? I think not!
A Cadet or Soldier is required to follow lawful orders. In this case, the spoof phishing email was not giving the cadets a lawful order, because telling them to violate computer security policy without first changing the policy can not be a lawful order. I think that it did an excellent job of highlighting the scrutiny that a user of email must place on all emails. As TFA stated, the biggest vulnerability in any computer system is the HMI.
I know it's cool to get submissions from the Wall Street Journal, but you don't have to put all of them on the front page. They are obviously using you guys as a traffic magnet to drive up interests and subscriptions.
beware the jabberwock, my son! the jaws that bite, the claws that catch!
Which is why one should always type in the link, instead of clicking on the link provided. Of course, few people do this, which is why phishing can be successful. Of course, the more devious phishers cyber-squat waiting for you to swap the "i" and the "e" (in some imaginary domain name) or some other such nonsense.
My point is that there are legitimate e-mails that request you visit their web-site. For example, I get e-mails from my bank frequently telling me I have new messages and/or bills and I should check them. These messages provide links to the front page of my bank's URL, which I always type in by hand.
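The post above describes the two things a reader actually has to compare: where the link text says it goes versus where the href really goes, and whether the real host is a lookalike of the expected one (the swapped "i" and "e" case). The following is an added example, not code from the poster, that performs both comparisons over an HTML mail body with the standard library: it extracts every anchor, flags any whose visible text names a different host than the href, and flags hosts within two edits of a trusted host or that only embed the trusted name as a subdomain of something else. The trusted host list and the sample HTML are constructed for the example.

```python
"""Compare what a mail link shows with where it goes, and spot lookalike hosts.

Added example, not from the original post. Extracts <a> elements from an
HTML body, reports text/href host mismatches, and reports hosts that are a
few edits away from a trusted host or that merely prefix one.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hypothetical: hosts the user's bank legitimately uses.
TRUSTED_HOSTS = {"www.examplebank.example"}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for each anchor in an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text: str) -> str:
    """Lower-cased hostname of a URL or bare domain; '' if there is none."""
    if "://" not in text:
        text = "http://" + text
    return (urlsplit(text).hostname or "").lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance by dynamic programming (a transposition costs 2)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host: str, trusted=TRUSTED_HOSTS):
    """Trusted host that `host` imitates, or None if host is trusted or unrelated."""
    if host in trusted:
        return None
    for t in trusted:
        if edit_distance(host, t) <= 2 or host.startswith(t + "."):
            return t
    return None


def check_links(html: str) -> list:
    """Findings for every link in the body; an empty list means nothing suspicious."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = host_of(href)
        # Only treat the anchor text as a host if it is shaped like one.
        shown = host_of(text) if "." in text and " " not in text else ""
        if shown and shown != target:
            findings.append(f"text shows {shown} but link goes to {target}")
        imitated = lookalike_of(target)
        if imitated:
            findings.append(f"{target} looks like {imitated}")
    return findings


# Constructed samples.
PHISH = ('<p>Your statement is ready.</p>'
         '<a href="http://www.exampelbank.example/login">www.examplebank.example</a>')
LEGIT = '<a href="https://www.examplebank.example/statements">Sign in</a>'

if __name__ == "__main__":
    print(check_links(PHISH))
    print(check_links(LEGIT))
```

Typing the address by hand, as the poster does, sidesteps the first check entirely; the second check is the one that still matters when typing, since a mistyped host is exactly what a squatter registers.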
The point is, we don't know what "all they did was...". Perhaps, they just clicked on the link to see where it took them. If you're using a reasonably secure e-mail client and OS, this is a reasonably safe step to take. The most information a standard e-mail would get from this is that you actually clicked on this link and so the e-mail address is valid, etc. Of course, the URL could download a trojan, but with a good browser you'll have an option to execute the trojan or not.
"Sir yes sir!" is not actually what the civilian world thinks it means. Even the meaning of the word "orders" is quite often taken wrong outside of the military.
Well, we all know you don't need something "well-written" at all.
There are a few disturbing sides to phishing, but the one that hits me hardest is that people fall for messages that are incredibly poorly written. Anyone who reads regularly and who has any sense of graceful language should see through the vast majority of phish attempts in a second or two. Phishers generally are truly bad, tone-deaf writers. Your bank isn't going to botch the spelling of "account" in a message asking for your SSN. Nobody from American Express would send a curt four-sentence message threatening bluntly to "remove your account."
It always seemed to me like the Nigeria messages were successful partly because people found the garbled language appropriate for the supposed sender. Those phishes play to the stereotype.
"Fundamentalism" isn't about divine morality. It's about human authority.
I used to do that during the Sub7 and Back Orifice days 6 or 7 years back. Used to pop up a message telling them that their machine was under my control and prove to them that I was. Then directed them to a nice article I had written up about Linux. I really had a hateful passion against MS back then and saw myself as some inquisitorial crusader smiting the stray back into the line of righteousness.
I wish I had time to find an article on it, but I remember a few years ago, this guy was making headlines because he would pick up a girl from a bar, get her out to a secluded area, calmly explain to her that were he a murderer or rapist, there was no one to stop him, then drive her back. The police were trying to find something to charge him with, but could never find anything.
This sig has absolutely no significance and serves only to take up screen space and waste the time of the reader.
Millions have been saved from work, slave, and concentration camps because most of us are not like you.
That alone makes me a pretty useless soldier.
Some of us have true compassion for humanity and the courage to stand up and fight. Others hide cowardice in a cloak of morality and relativism and so ignore preventable suffering and grave injustice. Which one are you?
Sarcasm and hyperbole are the final refuges for weak minds
"No sir I am an Italian secret serv-!" *gets shot*
"I am the king of the Romans, and am superior to rules of grammar!"
-Sigismund, Holy Roman Emperor (1368-1437)
Is that evidently, 20% of the cadets didn't dutifully follow the instructions!
I can say: "Befehl ist Befehl" is a poor excuse for Nazi war crimes, but not a form of command in the Federal Republic of Germany. A German soldier has the same duty as the American: to check whether the person giving the order is authorized to do so AND if the order itself is legal.
Please forget the silly stereotypes you learned while watching silly movies of the seventies about idiotic stereotypes of the Wehrmacht of the forties.
Although you would have done better to refer to the wikipedia article on Wilhelm Voigt
In combat, no order should be questioned. The edict should be, "Follow any order that comes in official form, email is NOT official for giving orders"
meh
...when they just robbed people on the streets. All the fuss on this phishing is for wussies! Get out of those closets!!! Now!
Java Oracle Linux Enthusiast
Since when did West Point start hiring EA employees as teachers?
"Sir yes sir!" is not actually what the civilian world thinks it means.
In that case, please explain to us ignorant civilians what it means....
SpyDock: Scientific Python in a Docker container
It's even more important that cadets be taught to question orders from superiors before executing them, than it is for them to recognize they're being phished. Because soldiers "execute" real people. Especially with orders increasingly coming over telecom, rather than the more easily authenticated "face to face" (or "about face / forward march"). And with the chain of command increasingly complex, like mercenaries, unaccountable either to military law, US law, or (nonexistent) US law, commanding troops in Iraq.
Lots of the abuse we see coming from Guantanamo and Abu Ghraib (and elsewhere) could have stopped before it started, if soldiers had questioned the orders or directions given them to execute inhuman acts on prisoners. The more humane soldiers will question such orders anyway, even when they are legit. So it's extremely important that they learn how to quickly, consistently, and effectively question and execute orders during training. Instead of facing that awkward learning curve on a battlefield, or just in a prison where they can't afford to lose face before a prisoner.
--
make install -not war
You've made your decision then?
Not remotely! Because spam comes from Russia. As everyone knows, Russia is entirely peopled with criminals. And criminals are used to having people not trust them, as you are not trusted by me. So, I can clearly not click the spam in front of you.
Truly, you have a dizzying intellect.
Wait 'til I get going!! ... Where was I?
Russia.
Yes! Russia! And you must have suspected I would have known the spam's origin, so I can clearly not click on the spam in front of me.
You're just stalling now.
You'd like to think that, wouldn't you! You've beaten my trojans, which means you're exceptionally well protected against viruses ... so you could have put the spam in your own email trusting on Norton AV to save you, so I can clearly not choose the spam in front of you. But, you've also bested my spyware, which means you must have studied ... and in studying you must have learned that man is mortal so you would have put the spam as far from yourself as possible, so I can clearly not choose the spam in front of me!
You're trying to trick me into giving away something. It won't work.
It has worked! You've given everything away! I know which email the phishing attack is!
Then make your choice.
I will, and I choose ... what in the world can that be?
What? Where? I don't see anything.
Oh, well, I ... I could have sworn I saw something. No matter. [laughing]
What's so funny?
I ... I'll tell you in a minute. First, let's click, me on my email and you on yours.
You guessed wrong.
You only think I guessed wrong! That's what's so funny! I switched emails when your back was turned! Ha ha! YOU FOOL! You fell victim to one of the classic blunders. The most famous is: Never get involved in a land war in Asia!, and only slightly less well known is this: Never go in against a Sicilian when death is on the line!
John
Indeed! It would be interesting to have a follow-up study, and interview the cadets to find out why they made the choices they did (if they haven't done so already). Well, interesting to me anyway... ;^)
Those who can make you believe absurdities can make you commit atrocities. - Voltaire
Captain: What happen ?
Mechanic: Somebody set up us the scam.
Operator: We get email.
Captain: What !
Operator: Main screen turn on.
Captain: It's you !!
CATS: How are you gentlemen !!
CATS: All your details are belong to us.
CATS: You are on the way to fake site.
Captain: What you say !!
CATS: You have no chance to survive enter your detail.
CATS: Ha Ha Ha Ha
banks continue to train people to be good little phishies by sending legitimate email with links in it. Yes, I can tell the difference, and Bank of America sends me notices such as 'statement ready' or 'bill from X' with direct links to login and view/pay.
I've complained that they should include text alerting people to never click on links in email, and not include any links. When the 'good' email trains people to be careful, the 'bad' email will be less successful.
I'm just out of the British Army. In my time there I was a professional soldier, simple as that. If you have a problem with anything I did I suggest you take it up with a politician and become more politically active. You like what I did, same difference to me.
It certainly had nothing to do with "humanity" or "cowardice" or any words of that nature. It's 100% about professionalism. My loyalty is to my country and my colleagues. Begins and ends there. Quite frankly I would question your effectiveness as an "ideologue in uniform". It's very rare one liberates people from camps or acts in a way that is clearly saving the lives of clearly innocent people. That mainly happens in films not real life. It would be nice if it was that way, but the work of the modern soldier is (alas) a far more complex business because the world is a more complex place (or at least our understanding of it is more sophisticated). Only in the speeches of people like George Bush is the world clearly separable into good guys and bad guys, like in an old western film.
I spent most of my active service helping keep people apart who wanted to kill each other. I have no strong views who was in the right or the wrong there. Perhaps one side did deserve to be killed. Perhaps they both deserved the fate we averted. Possibly we made things worse. I have no idea, it's not my job to think of things like that, and as a professional soldier it shouldn't be yours either.
Doubleplusgoodidea, I say.
Military members are obligated to follow lawful orders from those above them.
OK, so far so good.
They have to ask themselves "is this legal?
Hmm. I don't think unilateral aggressive "regime changes" are legal.
Does it mesh with the Uniform Code of Military Justice?
Two words, Abu Ghraib. I guess this is a NO.
Geneva Conventions?
Give them a read sometime, the US is in violation of a BUNCH of them. Bombing civilian areas, using cluster munitions in civilian areas, torture, murder, POW treatment, the list goes on and on.
So your point was what again? That the US military creates these free thinking, military officers who would question a bad order? Who stood up during the Iraq debacle?
You also state that these officers are obliged to follow lawful orders from those above them. Well, in the case of Iraq, that means that officers from EVERY SINGLE LEVEL of the military FAILED to do, what you claim they are trained to do. From SecDef, to Lt nobody on patrol.
The only people who questioned these orders, as you claim they are trained to do, have gone AWOL. They are all labeled "traitors". Funny, don't you think, the only people who did what they were supposed to do, get hung with that label. They should all be given medals.
I think the current state of US affairs shows quite clearly, that West Point, Annapolis, and the Air Force academy do in fact create legions of unthinking, "Sir, Yes Sir" officers, and VERY few who actually ask any type of question, let alone important ones, like "Is this legal?".
What if I'm a bad guy pretending to be the good guy pretending to be the bad guy?
In other words, I'm really a phisher operating under the guise of one of these people trying to "help" others.
On every successful "catch" for something like, say, bank information or ssn, I have a script automatically check the victims bank account balance or credit score. If they're low, I automatically send them a "gotcha!" letter saying "look at what you just gave to me? It's a good thing I'm a responsible citizen and let you know!"
If the values are high, I sell them at a premium to other criminals (who will come to know that *my* information always contains the personal information of someone with means).
If I ever get caught, I simply can point to the large number of emails I sent off warning people. "Hey, that some other guy robbed them blind isn't my fault; just because I deal with people who are prone to fall for this stuff doesn't mean I exploit them. Heck, I help them, and here's all my (doctored) logs to prove it. Don't believe me? Go interview the countless number of people I saved!"
In the end, the profit wouldn't be huge, but it'd sure add another layer of safety to the fraud.
The Internet is generally stupid
As a (Real Soon To Be) member of the United States Air Force [this-is-not-an-official-opinion-disclaimer], I can not only -not- berate you as living scum... ...I can actually sympathize with you.
There is absolutely, absolutely a place in this world for nonviolent people. Hell, there's even room for 'em in a war zone, if you feel up to being medical assistance with the Red Cross / Red Crescent, or helping in refugee camps, or, god - a million places where people who just want to stop pain and suffering can be used. Pick an American inner city, for instance. 'Tis an easy way to start at home.
Useless soldiers are not worthless people, nor do they deserve berating from servicemembers. Like Solomon said, though, there's a time for peace, and a time for war. And when it's time for war, we intend to be the absolute, indisputable best.
And hey, rest easy. If there's ever a draft, they'll ask you about six million times whether you're a conscientious objector.
You have to wonder how much of the drugs in this country are simply sold by the DEA, FBI, BATF, and CIA all doing their own secret undercover operations that they don't want to expose.
"Ask questions first, then execute."
Well, duh. They have to teach this at West Point? You can't get good intelligence from them the other way around. They won't be getting any good intelligence out of former Iraqi general Abed Hamed Mowhoush, for example.
The Yes Men
If you haven't seen it, it's worth checking out.
Time is comparison of movement to other movement.
Suppose you are in some battle or in a "hot zone". You see a seven-year old boy. Your SO orders you to shoot the boy. You will probably stand trial for homicide if you shoot the boy.
I didn't know you could join the service w/o all the chest-thumping... ;)
But then how would you know whether to salute or compile?
Is it just my observation, or are there way too many stupid people in the world?
he says the exercise upset some cadets, who felt it exploited their inclination to follow an order from a colonel, no questions asked
First, they shouldn't forget to make sure it really is the colonel before they follow his orders. Second, they shouldn't follow an illegal order (think war crimes trial). That 2nd part may mean they have to sacrifice their careers and/or status, but they signed on to sacrifice their lives so it's not that bad. I hope these guys learn more before they get out of the academy.
There are four sorts of people in the world: fools, lunatics, idiots and morons. - Umberto Eco, Foucault's Pendulum.
...I suppose that this might explain the phishing email I found in my inbox yesterday, which tried to point me towards a "Paypal verification" page under "clueless.net"... And here I just thought that phishers were getting lazy.
No. Most armies are not like the one from your country.
BTW: your English is very good for a Congolese.
damaged by dogma
From:Avril E S Accra Ghana Reply To:acs96@ecplaza.net
Dear Friend,
I am Defence Secretary Donald Rumsfeld.
During one of our routine auditing exercise, we discovered an oil field belonging to one of our foreign chemical weapons customers. This oil field has been dormant for the past years without anyone operating it. The oil field had a value of Seven Trillion, Five hundred million United States Dollars (US$7,500,000.00). Several notices were sent to him without any reply from him. He was Mr Saddam Hussein, a Evil Terrorist(TM) in the sub region.
Again, we tried to reach him through his country embassy but all efforts failed. We later learnt that he was involved in the 9/11 attacks. Further investigation revealed that the missing customer did not declare any next of kin in his official papers including the paper work of his oil field. And he also confided in my partner the last time he was at his office that no one except him knows about the oil field which should be maintained secret. So, Seven Trillion, Five hundred United States Dollars is still lying in around in the middle east and no one will ever come forward to claim it. What bothers us most is that according to the international laws at the expiration of five years the oil field will revert to the ownership of the Middle Easts if nobody appears to seize control, and we shall gain nothing.
WHAT IS TO BE DONE:
Provide us with Three Hundred Billion Dollars worth of support from your military so that we will expidite action. Thereafter, I will draft a Iraqi constitution which you will forward to the telex dept for the transfer of the oil field to you.
You are hearby ordered send me your armed forces, and I will provide you with more details of this operation, including a disengagement plan. Your earliest response to this letter will be appreciated.
Kind Regards
Donald
YOU SHOULD REPLY TO:acs96@ecplaza.net
<THUD!>
They were both phishing attacks. I spent the last few years lying about who I am to build a false identity. I'm no one to be trifled with. That is all you'll ever need know.
//Information does not want to be free; it wants to breed.
"They cannot blindly follow orders comming from untrusted sources."
You thought no one would notice that extra 'm', eh? Especially ironic, considering the sentence.
This would be a valid issue - if there was any crime involved.
Spoofing an email, or putting up a fake website, was not a crime last I heard.
Someone might try to take civil action against you if offended (trademark problems; libel; etc) but the chances are pretty darn good they won't if you're doing it with their permission.
Personally, I think this is an important education tool. Where it becomes a problem is if it goes too far, into "oops! Look! this trojan has been on your system for a week emailing your credit card details to some dodgy site. I guess you should be more careful with your email."
I remember how I was finally able to wake a few people up about the issue of viruses and impersonation in the very early days of mass email worms - not long after the Melissa worm. Direct education attempts had failed with the staff, so I sent an email to all of them that pretended to be our Prime Minister (this is a newspaper) with some ... "interesting" content and a date in 2048. The message made clear at the end that it was a fake, and there was nothing inappropriate in the message.
It was remarkable how many people came to me and asked about that - it was clear that it'd managed to get their attention as simply explaining the issue ("the From: address doesn't guarantee that it's from who it says it is") had failed to do.
Despite almost computer illiterate users, we've been unaffected by email worms due to a combination of a paranoid mail gateway and such periodic reminders to users. Things like a .vbs script that pops up a dialog saying "If this had been a malicious script, it could have destroyed all your work and broken your computer" has a profound effect, it seems.
However, an order such as "click this link and fill out the form there with your personal information" may be stupid and/or dangerous, and still remain lawful. On the gripping hand, these officer candidates should also be trained to verify the source of questionable orders, and call superiors' attention to clarify doubtful points. (E.g. "Is this really Colonel Blake? Is it really appropriate for us to fill out confidential information on a non-secure website form?")
See this nice piece from the US Army's on-line Combined Arms Research Library; look especially for the part on "Phase of Communication".
//Information does not want to be free; it wants to breed.
Homer: Now to answer all the popups. Ooh a talking moose wants my credit card number, that's only fair.
New York, Mr. Pelgrin says he took pains to carefully design the exercise, including hiring an outside Web consultant to design the mock email pitch. "We wanted to make sure it was not too good," he says.
Burned!
I've been noticing the grammar is improving, and have gotten several that are actually free of all spelling and grammar errors. Like many simple anti-phishing tactics, this one won't work for much longer. Go back and re-read your Bierce.
//Information does not want to be free; it wants to breed.
http://www.hahathatswhatyouget.com/citibank/
If you look at the javascript for the page, it disregards any post information, and redirects to a page taunting the user, and describing that if the page were a real phishing site, that their info would have been stolen.
*sigh* Guess it's only news when some other site posts it.
/^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$/i
Phishers already pose as Anti-Phishers. ("Someone's trying to break into your account! Please send us your password so we can stop them!") So to be convincing, Anti-Phishers would have to pose as Phishers, posing as Anti-Phishers. Are we confused yet?
Give a man some phish and you feed him for a day. Teach a man to phish and you feed him for a lifetime
Obviously the best course of action is to employ the Poser-Buster. Once the bad guys turn on their Poser-Buster-Buster then you move to phase two, the Poser-Buster-Buster-Buster. Heaven forbid they have a Poser-Buster-Buster-Buster-Buster...
Every officer MUST ask himself these two questions before following any order:
1) is the order authentic
2) is the order legal
If it's both, then "YES SIR" is the correct answer.
If it's not, then don't follow it.
If you can't tell, then I'd hate to be you.
What if a bad guy faked the Colonel's email address, or worse, broke into the Colonel's email account and sent it on his behalf?
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
A professor once mentioned getting an .exe file from a friend, which made it seem like all of the files in her "my documents" folder were being deleted.
autopr0n is like, down and stuff.
In the context of the (slashdot) article, what you wrote becomes:
Isn't that a main part of the job of the military?
The real solution here is for trustable entities to cryptographically sign their e-mails. This includes banks, e-commerce companies, and in this case, a colonel.
This is by no means a new idea, but NO ONE does it. Like most people, I have e-commerce relationships with >10 companies, from banks to Amazon.com, and none of the e-mails I get from them are signed.
S/MIME is not as easy to set up nor as obvious as it should be. If used, though, it would squash the phishing problem AND the "virus from spoofed sender" problem altogether.
I started organizing all my phishing e-mails into an RSS news feed back in May and wrote a (slow) little script to generate false information.
I'm probably averaging about 2 phishing spam e-mails a day at the moment.
Most of them are sitting on sites referenced with IP addresses, but occasionally there will be domains from obviously hacked sites -- the most recent one was a law firm's site hosting a PayPal scam, which I found amusing.
He's the one saying that he'll never kill anybody, while you're the one claiming that under certain circumstances we can call it "true compassion for humanity". So that'd be a "relativism" point for you, surely, not him.
Mind the Gap
There have been studies on obedience to authority; check here:
http://en.wikipedia.org/wiki/Stanley_Milgram
The real issue is that no matter what, when people *perceive* that others have authority over them, they will tend to obey even the most horrible of orders. The perception of authority in Stanley Milgram's obedience experiments (sorry, it's not described in the wikipedia link but I don't have time to find it) stemmed from scientists wearing lab coats.
The military by nature is authoritarian... Not only are soldiers already inclined to obey authority, but they are also explicitly taught to obey authority. (I am not a soldier btw, so please excuse the oversimplification, etc. etc.)
The site's YOU MORON page could be made a hell of a lot more useful. It is using terms like URL, IP, and so on with no further explanation (in truth, you don't even need to use those terms to explain them). After who-knows-how-many support calls with my grandmother, she still has no idea what a URL or location bar is; she just knows it as "the place you type in next to the Back button."
You'd probably be surprised how many users use the Internet without ever typing in a URL. Which is one reason why phishing works; people barely know what a URL is, if they even know that they exist.
The site would also be a lot better off by using non-derogatory wording; calling someone a moron or idiot simply because they were not educated in safe Internet usage is not productive - it's more likely to piss them off than it is to get them to really learn what you're trying to teach them. That whole "tact" thing is genuinely useful.
The page also (erroneously, at least for my quick test) claims that the URL is an IP. I've been thinking... how often does a normal user need to use an IP for a URL? Practically never, I'd think. It would be interesting to see what would happen if you disabled using IPs in URLs (with a hidden option somewhere for techies that actually require the functionality) and seeing if that adversely affected normal users.
Additionally, it would be cool to try doing a domain trust system for web-access, similar to what's being done for email. Real banks and known safe organizations would have absolute trust, and sites they link to would have trust, etc. (Would be necessary for forums to use the newish nofollow attribute to avoid polluting the trust system.) Known bad sites would have explicit no-trust. Browsers then can check the trust level of any site visited. By default, for average users, sites without trust would be flatly denied (sorry, but warning dialogs *do not work* - users just click through them). Alternate behavior could be to allow non-trusted sites to be viewed but to disable form submission/javascript/downloads/etc. (So Aunt Tillie's brand new personal page she had her grandson put online will be viewable, but the methods allowing theft of data on the grandson's new phishing site he just put up would be disabled.)
This could actually be developed as a Firefox extension, I believe. Although I could already think of a few ways for clever sites to hack around it (not sure how much power Firefox extensions can have, especially in terms of not allowing a site to, say, use DOM to recreate form fields after the extension disabled them, and use more javascript to copy the form field values into a url for a GET request using location.href to avoid the extension from stopping a POST or general form submission).
There needs to be a good name for this technique. I propose "Phishing for Phools".
-Don
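The trust-list idea in the post above, as an added Python example that is not Don's code or any existing browser extension: it classifies a URL as "allow", "view-only" or "deny" using a constructed trust list and block list (placeholder domains), treats an IP-literal host as untrusted as the earlier paragraph on IPs in URLs suggests, and makes sure a host only counts as trusted when it is the trusted domain itself or a subdomain of it, not merely a name that contains it. The lists and the hostname conventions are assumptions for illustration.

```python
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed placeholder lists; a real deployment would load these from a
# maintained feed rather than hard-coding them.
TRUSTED_DOMAINS = {"bank.example", "shop.example"}
BLOCKED_DOMAINS = {"phish.example"}


def host_of(url):
    """Lowercase hostname of url, or None if there is none or it is unparsable.

    urlsplit().hostname drops the scheme, any user@ prefix, the port and
    IPv6 brackets, so "https://bank.example@203.0.113.7/" yields the IP.
    """
    try:
        return urlsplit(url).hostname
    except ValueError:
        return None


def is_ip_literal(host):
    """True if host is an IPv4 or IPv6 address rather than a name."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def in_domain_set(host, domains):
    """True if host equals, or is a subdomain of, any entry in domains."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


def classify(url):
    """Return (verdict, reason): 'allow', 'view-only' or 'deny'."""
    host = host_of(url)
    if not host:
        return "deny", "no usable host in URL"
    if in_domain_set(host, BLOCKED_DOMAINS):
        return "deny", "host is on the block list"
    if is_ip_literal(host):
        return "deny", "host is an IP literal"
    if in_domain_set(host, TRUSTED_DOMAINS):
        return "allow", "host is on the trust list"
    # The middle ground from the post: page is viewable, but form submission,
    # scripts and downloads would be disabled by the browser layer.
    return "view-only", "untrusted host: forms, scripts and downloads disabled"


if __name__ == "__main__":
    for sample in [
        "https://bank.example/login",
        "https://login.bank.example:8443/",
        "https://bank.example@203.0.113.7/login",   # user@ prefix hides an IP host
        "http://bank.example.phish.example/",        # trusted name as a subdomain of a blocked one
        "http://[2001:db8::1]/",
        "http://aunt-tillie.example/",
    ]:
        print(f"{sample:45s} -> {classify(sample)}")
```

The verdict is only as good as where it is enforced: as the post notes, a page-level extension can be worked around from inside the page, so the "view-only" policy belongs in the browser's network and form-handling layer rather than in script run alongside the site.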
On the topic of the article, I think it's good that this guy tricked his students like this. I can certainly understand them feeling betrayed, but folks in the military are really the last people we want tricked by authentic-looking emails. I mean, if I open an email that's supposedly from a prof and accidentally download some nasty virus, yeah, it sucks, but at worst, I lose some money and data. If some military grunt gets an email from a phisher posing as his commander, the worst case is likely to involve the loss of human lives. I think this is something worth guarding against, and if the education process upsets the students, then so be it.
this is training. military such. some of these cadets will end up having to make critical decisions on the spot years from now. in situations where what's on the surface may be a misrepresentation given by the enemy.
and those that won't have to will more than likely be enough to compromise network security.
The exercise email may well have exploited some inclination of the receiver to follow instructions from someone in authority - but SO DO REAL PHISH EMAILS! - that's the whole point - that anyone can pretend to be some person in authority in an email. You think the captain of some nuke sub is going to get an email claiming to be from the President telling him to launch and is just going to believe it without validating it? Heck no!
Back at ROTC field training about 10 years ago, I was appointed as the squadron adjutant for a week. During the middle of the week our flight commanders got a cryptic briefing announcing a scavenger hunt of sorts. The announcement asked us to form ranks and wait for further instructions. When we got into formation, there was some commotion among the flight commanders. Suddenly they called out my name. It turns out the squadron commander was sick, so I was to take over as squadron commander. They handed me the piece of paper. It had a diagram on it and the instructions "trust no one." I asked the flight commanders their opinions, and the general consensus was for us to march to the location on the diagram. Off we went.
;-)
When we got to the destination, our FTO (an actual officer) appeared and said that the two flights were to split up. I called the flight commanders over and said "this is a trick" and pointed them to the piece of paper. They agreed... at least until the FTO threatened to hand out demerits. After that they never offered to let me be in charge again.
Moral of the story: (1) Verbal orders trump written orders. (2) Questioning authority can get you in trouble, even if your orders are to question authority.
From the article: The mock phishing exercises demonstrate how effective such attacks can be. In June 2004, more than 500 cadets at West Point received an email from Col. Robert Melville notifying them of a problem with their grade report and ordering them to click on a link to verify that the grades were correct. More than 80% of the students dutifully followed the instructions.
;)
;)
But there is no Col. Robert Melville at West Point.
Hello, people. These cadets weren't paying attention to the chain of command. They were just following orders blindly. As shown by Abu Ghraib, this can be just as dangerous as soldiers who question everything before obeying. There needs to be a light on upstairs. I for one am glad that people who are trained to kill are being trained to think as well. Since phishing attacks are getting more complex, this social engineering vector needs to be addressed before more important information is compromised.
Every few weeks, my Mum - who I have dutifully trained - sends me a phishing email that has freaked her out. The email always seems to come from my domain where she has an account with official wording. Even though I have trained her and trained her she still panics. She doesn't click on the links. She doesn't fall for the scams (I'm proud to say that she can spot a stupid bank phishing scam with her eyes closed now). She panics because somebody is posing as me (i.e. an admin from my domain) and trying to trick her. This is scary and invasive for the common computer user. People want to believe everything they read because it is fatiguing to be suspicious of everything all the time. Slashdotters have built up amazing suspicion stamina, but they aren't the norm. My Mum learned her lessons. She's a trooper. But how many people out there can recognize phishing scams? The scammers are getting cleverer. They're using spell checkers now.
I believe training government officials to recognize phishing scams in this way is excellent. As the article also says: "Repetition is important. Vigilance is critical," he says. "The bottom line lesson was: Even if the request comes from legitimate individuals, never give out personal information."
The only addition I would recommend would be an official notice announcing this training. Then the few complainers who feel stupid about getting caught wouldn't have anything to complain about. Having employees on guard for phishing attacks would only improve their alertness to the problem, IMO, even if they knew the attack was going to be a training exercise. Of course, this official notice would have to be sent out on a different day than the fake phish scam in order for this program to be effective.
The Splintered Mind - Overcoming
Yes. Because it's obviously a trick.
A harmful one? I don't know. But I'm not in the habit of being easily tricked--it's not a good sort of habit to be in--and because of such "extra" caution I find myself not falling prey to the scams so many others do.
But this has been enlightening as to why people fall prey to greed so easily. Sure, maybe it is your lucky day, but in my estimation, it's far more likely that you're about to get the shaft, and I have 1,000s of "you've won!" banners/emails/etc. to back me up on that. If you believe in luck, you'll be right .01% of the time or something else absurdly low. If you don't believe it's very likely to be coincidence, you'll find that there are perfectly logical reasons for the "strange coincidences" or luck most of the time, and they're not always good or ill, but they're always good to know about.
Then again, a perceptive person quickly figures out who they know who is also perceptive, and I can therefore tell you that there are entirely too damn few who have much of any perception at all.
This is all well and good for now, until crocodile-resistant strains of these diseases evolve through our overuse of crocodile serum... And then the crocodiles are going to be PISSED.
https://www.eff.org/https-everywhere
Phishers could pretend to be good guys acting like bad guys, and when that warning message comes up, the spyware could get slipped into the system behind the person's back.
"Phishing phor Phools".
Phor Ghod's sake, get it right.
Tag lost or not installed.
or by other insecure means. Such a phishing campaign should only be to enforce and test an already well-known rule that says "Do not follow orders sent by email." Properly encrypted messages excepted, and any military person using email should already know not to respond to a phishing expedition.
For even a new cadet to confuse a phish email with a legit order is a terrible thing to happen.
Tag lost or not installed.
There are many ways to validate a message, encryption is only one of them.
Most of the time, 100% validation isn't even necessary.
For example, if your military boss sends you an order saying "here's the plans for next week's field exercise" AND it came from the same email server you use AND you've checked the headers for signs of spoofing AND he makes mention of the email in today's briefing, then you can be 99% sure that your copy of the email is valid.
Now, if you get a message from "president@whitehouse.gov" telling you the war in Iraq is over and ordering you home, definitely do some validation before acting on that "order."
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
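The header checks the post above describes ("came from the same email server you use" and "checked the headers for signs of spoofing") as an added Python example; this is illustration written for this page, not the poster's tooling. Both messages are constructed samples using reserved example domains, and `example.mil` stands in for the organisation's own domain. The checks compare the visible From domain with the Return-Path and Reply-To domains and confirm that the oldest Received hop is an internal host; they are the cheap inconsistency checks that catch a lazily spoofed From: line, and say nothing about the out-of-band confirmation (the order mentioned at the briefing) or the cryptographic signing discussed earlier in the thread, which is the only check that actually proves origin.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample: an order that really came from an internal workstation.
LEGIT_MESSAGE = """Return-Path: <col.blake@mail.example.mil>
Received: from mailhub.example.mil (mailhub.example.mil [192.0.2.10]) by mail.example.mil with ESMTP; Wed, 5 Jun 2024 09:00:00 +0000
Received: from workstation.example.mil (workstation.example.mil [192.0.2.55]) by mailhub.example.mil with ESMTP; Wed, 5 Jun 2024 08:59:58 +0000
From: Colonel Blake <col.blake@mail.example.mil>
To: cadet@example.mil
Subject: Field exercise plan

Plans attached; we will go over them at today's briefing.
"""

# Constructed sample: same visible sender, but the message entered from an
# outside host and answers are steered to a third domain.
SPOOFED_MESSAGE = """Return-Path: <bounce@replies.example>
Received: from smtp.external.example (smtp.external.example [198.51.100.7]) by mail.example.mil with ESMTP; Wed, 5 Jun 2024 09:10:00 +0000
From: Colonel Blake <col.blake@mail.example.mil>
Reply-To: grades@replies.example
To: cadet@example.mil
Subject: Grade report problem

There is a problem with your grade report. Reply with your login to verify it.
"""


def addr_domain(header_value):
    """Lowercased domain of the first address in a header value ('' if none)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def is_internal_host(host, own_domain):
    """True if host is own_domain or one of its subdomains."""
    host = host.lower().rstrip(".")
    return host == own_domain or host.endswith("." + own_domain)


def spoofing_indicators(raw_message, own_domain):
    """Return a list of header inconsistencies suggesting a spoofed sender.

    An empty list means these cheap checks passed, not that the mail is genuine.
    """
    msg = email.message_from_string(raw_message)
    findings = []
    from_dom = addr_domain(msg["From"])
    if not from_dom:
        return ["missing or unparsable From header"]

    # 1. The envelope sender (Return-Path) should match the visible From domain.
    rp_dom = addr_domain(msg["Return-Path"])
    if rp_dom and rp_dom != from_dom:
        findings.append(f"Return-Path domain {rp_dom!r} differs from From domain {from_dom!r}")

    # 2. A Reply-To on another domain diverts answers away from the claimed sender.
    if msg["Reply-To"]:
        rt_dom = addr_domain(msg["Reply-To"])
        if rt_dom != from_dom:
            findings.append(f"Reply-To domain {rt_dom!r} differs from From domain {from_dom!r}")

    # 3. Every relay prepends its own Received header, so the last one in the
    #    list is the oldest hop. Mail from an internal sender should have
    #    entered the system from an internal host.
    received = msg.get_all("Received") or []
    if not received:
        findings.append("no Received headers at all")
    else:
        match = re.search(r"\bfrom\s+(\S+)", received[-1])
        first_hop = match.group(1) if match else "?"
        if not is_internal_host(first_hop, own_domain):
            findings.append(f"first hop {first_hop!r} is not a host in {own_domain!r}")
    return findings


if __name__ == "__main__":
    for label, raw in [("legit", LEGIT_MESSAGE), ("spoofed", SPOOFED_MESSAGE)]:
        print(label, spoofing_indicators(raw, "example.mil") or ["no indicators"])
```

Received headers below the one your own gateway added are written by whoever relayed the message, so a careful forger can fabricate them; the check on the oldest hop is useful exactly because most phish are not that careful, and the post's fourth condition, hearing about the order in person, is what closes the gap.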