Anti-Phishers Pose as Phishers to Make Point
Carl Bialik from the WSJ writes "This article notices a new trend in efforts to fight phishing: Anti-fraudsters are posing as phishers 'to train users to be more careful about sharing sensitive information online.' Or, as the Wall Street Journal puts it, 'To fight computer crime, the good guys are masquerading as bad guys pretending to be good guys.' West Point cadets were among those who got fake phishing emails -- in their case, from Aaron Ferguson, a teacher at the academy. 'The gullible cadets received a "gotcha" email, alerting them they could easily have downloaded spyware, "Trojans" or other malicious programs and suggesting they be more careful in the future. ... Nonetheless, he says the exercise upset some cadets, who felt it exploited their inclination to follow an order from a colonel, no questions asked. He says the new edict is, "Ask questions first, then execute." '"
You might still be helping them in some small way by confirming that your email address is valid.
Many spam and phishing emails use links that contain an ID indicating the email address. For instance, "myspamsite.com/great_offers.php?id=1492" where "1492" corresponds to "columbus@hotmail.com" in the spammer's database. Sometimes that ID is buried within a long URL full of different parameters, too.
Valid emails (especially of those that click on them) are valuable to spammers.
It's the same reason that you shouldn't click the unsubscribe link or display remote images in your email.
Depends on the situation. If a 4 star general is attempting to gain access to a protected installation, and a SF/MP member requests his ID, then that same 4 Star is required by law under UCMJ to provide it.
Here's a real-world example:
Location is on some AFB's flight line. An O-6 pilot, who thinks that restricted area demarcations do not apply to him, enters the restricted area without utilizing an authorized entry point. The SF team on patrol in the area hails the O-6, who ignores their orders to halt. At this point, he's run down, jacked up, placed in handcuffs, at which point he's escorted from the area and subjected to a very thorough search.
So, as you can see, depending on the situation, there are NO repercussions. It's all about whether the challenging individual has the proper authority to request verification of identity. In all cases, a set of orders will be accompanied by a form of authentication, which you *should* be able to trust as valid.
Now, getting back to the situation at hand, involving the email. Most likely, they received an e-mail with a valid signature block of the Col. in question. Upon receipt of that, they can do one of two things:
1. Do what the email says. As far as they can tell, the email is properly authenticated as long as it comes from a .mil address and includes the proper signature block.
2. Reply to the email requesting clarification. If the response seems sketchy, they can then use their chain of command to verify the authenticity.
Now, herein lies the caveat in all of this: because they are cadets, they spend seven days a week, 24 hours a day getting it drilled into their heads to obey orders. As a result of that, they are less likely to question anything, or request clarification on anything they might otherwise question the authenticity of. Ultimately, I think this was a really bad way to handle the situation on the part of the instructor.
I have no regrets, this is the only path.
My whole life has been "UNLIMITED BLADE WORKS"
(American) soldiers are already required to question commands - quickly, silently and answering "affirmative", for the most part. Because soldiers are liable for war crimes, even if "just following orders". The time for a soldier to learn the difference between (legally) acceptable killing, of an enemy in battle, and unacceptable killing, of a prisoner under torture, is in training - not when faced with the shock of either one in tactical engagement. Or even just the distinction between interrogation and torture: you can be mean, intimidating, maybe even slap around or threaten to kill a military prisoner under some conditions. But you cannot drive bamboo shoots under the fingernails of a family rounded up on the word of a snitch neighbor. However, troops are being ordered, often by people without sufficient authority in their chain of command, to do things like that. When soldiers are trained to tell the difference, and to ask the questions that ensure the liability for the orders is in the person ordering them, then they'll be better protected. And people will abuse their perceived authority less. So soldiers will be more effective in battle, without hesitation, people ordering them will be more respected, and people targeted by orders will be less likely to be abused by actions that don't contribute to our victory, and usually create multiple effects of resistance, and therefore contribute to our defeat.
Of course, when soldiers question wrong, or decide the answer wrong, that also prevents our victory. As well as when they're punished wrong for questioning, or for answering a wrong order with the right question or the right answer. The training can fix all of that.
--
make install -not war
If you're not using public key crypto, then you still can assume that if a message was encrypted with a secret key that only you and the sending party know, then the message is from that sending party.
Kerberos is based on Needham-Schroeder secure key exchange via a trusted 3rd party. The KDC is the "trusted 3rd party". In a nutshell, a session key is generated by the KDC, and 2 copies are made. One is encrypted with the user's key, and one is encrypted with the service's key. Mutual authentication happens, because both parties must know their secret key in order to communicate using that secret key.
So, crypto is very useful for authenticity.
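A toy model of the exchange the comment above describes: the KDC mints one session key, wraps one copy under the user's long-term key and one under the service's (the ticket), and each side proves knowledge of its own key by correctly using the session key. This is an added illustration, not the commenter's code and not Kerberos itself; the symmetric cipher is a stand-in (HMAC-SHA256 keystream plus tag) so it runs on the Python standard library, and the principal names and keys are constructed.

```python
import hashlib, hmac, json, os

def _stream(key, nonce, n):
    # Toy keystream: HMAC-SHA256 in counter mode, a stand-in for a real Kerberos etype.
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, obj):
    """Encrypt-then-MAC a small dict under a symmetric key (demo construction)."""
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    """Verify the tag, then decrypt; raises ValueError on a wrong key or tampering."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered blob")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

def kdc_issue(user_key, service_key, user, service):
    """KDC (trusted third party): one session key, two wrapped copies."""
    sk = os.urandom(32).hex()
    return (seal(user_key, {"sk": sk, "service": service}),  # copy for the user
            seal(service_key, {"sk": sk, "user": user}))     # copy for the service: the ticket

def run_exchange(user_key, kdc_service_key, real_service_key, t=1000):
    """Return (service_accepts_user, user_accepts_service). Names are constructed."""
    for_user, ticket = kdc_issue(user_key, kdc_service_key, "cadet", "mailsvc")
    sk = bytes.fromhex(unseal(user_key, for_user)["sk"])      # user needs its own key
    authenticator = seal(sk, {"user": "cadet", "time": t})   # proves the user holds sk
    # Service side: it can only recover sk if it holds the key the KDC used for the ticket.
    try:
        tk = unseal(real_service_key, ticket)
        svc_sk = bytes.fromhex(tk["sk"])
        a = unseal(svc_sk, authenticator)
        service_ok = a["user"] == tk["user"]
        reply = seal(svc_sk, {"time": a["time"] + 1})        # proves the service holds sk
    except ValueError:
        # An impostor cannot read the ticket; the best it can do is guess a key.
        service_ok, reply = False, seal(os.urandom(32), {"time": t + 1})
    # User side: only the genuine service could have produced a reply under sk.
    try:
        user_ok = unseal(sk, reply)["time"] == t + 1
    except ValueError:
        user_ok = False
    return service_ok, user_ok
```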
or by other insecure means. Such a phishing campaign should only be to enforce and test an already well-known rule that says "Do not follow orders sent by email." Properly encrypted messages excepted, and any military person using email should already know not to respond to a phishing expedition.
For even a new cadet to confuse a phish email with a legit order is a terrible thing to happen.
Tag lost or not installed.