Anti-Phishers Pose as Phishers to Make Point

Carl Bialik from the WSJ writes "This article notices a new trend in efforts to fight phishing: Anti-fraudsters are posing as phishers to 'to train users to be more careful about sharing sensitive information online.' Or, as the Wall Street Journal puts it, 'To fight computer crime, the good guys are masquerading as bad guys pretending to be good guys.' West Point cadets were among those who got fake phishing emails -- in their case, from Aaron Ferguson, a teacher at the academy. 'The gullible cadets received a "gotcha" email, alerting them they could easily have downloaded spyware, "Trojans" or other malicious programs and suggesting they be more careful in the future. ... Nonetheless, he says the exercise upset some cadets, who felt it exploited their inclination to follow an order from a colonel, no questions asked. He says the new edict is, "Ask questions first, then execute." '"

Common Sense

[moeffju]

Or in other words, use Common Sense?

Dilbert really got the point.

Re:Common Sense

[Kainaw]

Unfortunately, common sense does not mean the same thing for the average user, as it does for people on Slashdot.

I learned this when giving a computer security class at an old job. I had over 200 people in the auditorium and I said, "If you came home and there was a box on your front step that said 'Happy Birthday - Please Open Me - Love, Grandma'" and it wasn't your birthday and you normally don't get presents from your grandma, would rush right over and rip it open.

Over half the people said yes and claimed that I was stupid for being suspicious of strange boxes showing up at my door.

Re:Common Sense

[QuestorTapes]

> I think that some slashdotters must be fortunate enough to have never seen a
> really good phishing email.

I have to agree. I have seen several -extremely- well-crafted ones in recent months. The only way I could tell them from the legitimate ones was to use my own bookmarked links to go to the firm's web site and verify that there was nothing to see and no connection. Most of them, of course, I can tell from the real by looking at the raw mail source. But some are just too good.

Example of why this can be difficult: I just received an email from my ISP asking me to update the credit card information. It was real; the credit card company had just sent out a new card with an updated expiration date. At first, however, I assumed it was a scam.

> You get a letter in the mail on your banks letterhead in an envelope exactly like every
> other letter you have received from the bank...

Excellent example. In fact, there are a -lot- of postal mail scams going around now. Despite what bigman2003 stated, it's not merely a failure on the part of the technical community to provide secure communications. Ensuring communications, either electronic or snail-mail, cannot be spoofed is not something anyone knows how to do with 100% accuracy.

Re:Common Sense

[jschottm]

Then you are stupid for being suspicious of strange boxes showing up at your door.

When I was a teenager, I had the same piano teacher as the daughter of a man who'd been horribly injured and disfigured by a bomb sent by the Unibomber. No law enforcement, military, or government work in his past, just too involved with technology for a madman's taste. During the three years that I knew him, he had to wear a plastic face guard almost 24/7. Good times.

Let's just chalk this one up as another geek analogy bites the dust.

Regardless of bombs, you wouldn't find getting an unexpected package on the wrong date from a person who doesn't usually send you anything out of the ordinary? Right... What's your e-mail address?

Human Nature

[kevin_conaway]

Its human nature to be trusting of others. People don't want to believe that there are bad people out there who want to do them harm. I think this exercise was kind of silly, "Look, these cadets in an ARMY SCHOOL will follow what a SUPERIOR tells them to do! OMG ROFL!!!!11"

I think its sad that its come to the point where we have to assume everything is untrustworthy and to have to keep a guard up 24/7.

Blindly following orders from a colonel...

[lightspawn]

is not the same thing as blindly following orders from somebody claiming to be one.

Which of course is a known problem in the military; high ranking officers expect cooperation from everybody, including soldiers who have never met them before. They may flash (or even show) some kind of ID in rare instances, but for the most part a soldier has to guess if he's dealing with the real thing or not.

Secure e-mail

[bhaberman]

From TFA:

Still, there are potential pitfalls, including the possible loss of trust among employees for their organizations' own information-security staff. "My initial thoughts when I heard about it was 'Whoa, this sounds questionable,' " says David Jevans, chairman of the Anti-Phishing Working Group, an industry consortium. He says that although employers are within their rights to train their employees, companies should be careful before they intentionally use mock email on their customers. "You're playing with fire," he says. "Are people ever going to trust your email?" Mr. Jevans, chief executive of a computer-security firm called IronKey Inc., argues that technical methods for authenticating email are likely to be more effective than such user education.

I think these two methods can be complementary. Email correspondence within the company should ideally be signed, but this is often hard to enforce. Instead of saying "look how easily you were fooled," without providing an appropriate method of verifying authenticity, companies should be training employees to use encryption; the response should be "look what happens when you don't check the signature." This wouldn't cause employees to mistrust internal communication -- cryptographically signed messages are inherently trustworthy (up to a certain point).

Highlights serious mil communications issue

[Curien]

Under the current rules, an e-mail from a superior carries the force of an order. In most situations, this is a good thing. However, there is a problem in that plain e-mail is inherently insecure. Most military e-mail servers don't perform any sort of authentication, so I could easily send mail that looks like it came from General Foobar.

Of course, the solution is some sort of PKI solution -- and it's mostly here. US military ID cards are smartcards with PKI certficates on them. There was a mandate that all official DOD e-mail be signed. The deadline passed years ago, with most people unaware that it was ever a requirement. The problem is that the military's infrastructure just isn't ready.

In the Air Force, for example, your e-mail address is first.last@basename.af.mil. What happens when you change bases? You have to get a new cert, of course, and now you can't decrypt e-mail sent to your old address (ie, archived mail). Further, say you have an Army person stationed at an Air Force installation. The Army has unified e-mail addresses (name@us.army.mil), but the Soldier will also have a unit e-mail address, which will probably be his primary SMTP address (if it weren't, he wouldn't show up correctly in the GAL). The solution is to give him two e-mail addresses on his cert.

But wait! The software the DOD uses to write the certs can't do two RFC822 addresses. Lame, but true. So now you're stuck forcing the Soldier to have his army.mil address set as his primary SMTP, have it forward e-mail to his unit account, and just suck it up when people complain about not being able to find him in the GAL.

Now for the real reason PKI isn't fully implemented. Exchange 2000 OWA can't handle S/MIME out of the box. Exchange 2003 can, and some major commands run it, but at least one (I'm looking at you, USAFE) have it disabled (WHY????!!!). The long and the short is that commanders wouldn't be able to read their secure e-mail from anywhere but their desks.

The end result is that the taxpayers payed millions of dollars to pave the way for a decent secure e-mail solution for the US military, but we don't use it. The result is that those cadets (and anyone else) really don't know who their e-mail comes from, but they still must act as if it's an order from the person it says sent it.

Re:Highlights serious mil communications issue

[djmcmath]

First, individual certs are a great idea, as long as they're free. For the vast majority of military users, however, it simply doesn't make any sense. I mean, 99.9% of the e-mail that I send and receive has two attributes that make the above phishing test a little silly. 1) My writing is my writing, and my people know what it looks like. My orders are my orders, and my people recognize them. If I said something out of character, I expect them to question that. 2) Anything relaxed enough to send via e-mail can be backed up by a phone call. If I'm at a terminal with e-mail, I have a phone. Even if an "order" seems a little fishy, you can back it up by voice just to make sure.

Second, an "order" given by e-mail doesn't carry anything like the weight that a verbal or written order does. Technically, an orders violation is an orders violation is an orders violation, but practically, the defense for an e-mail orders violation is a lot stronger than a written (and signed, and witnessed) orders violation. Anyone who uses the excuse "I thought that the e-mail from my Colonel asking for my credit card numbers was a little strange, but I didn't question authority because I was afraid of breaking the rules" is just an idiot.

Re:Highlights serious mil communications issue

[Chanc_Gorkon]

Easy way to fix this....DON'T SEND ORDERS VIA E-MAIL! Or don't do that until the e-mail has been secured.

I realize that it's nice that the base is in the address, but I would rather see something like thus:

first.last.sumnumber@af.mil
first.last.sumnumber@army.mil

or something along those lines. Make the e-mail address NEVER change and simply change the mailing address in the LDAP directory (if that's what they use). They can issue a key to everyone and the mailing address never changes, but periodically the key is changed.....say everytime the pop3/imap4 password changes.

Anyway, until you can definitely verify that the e-mail came from your superior, sending Orders via e-mail should not be allowed and that would get rid of this type of "problem".

Now you don't have to use encryption all of the time...you can say only use your key when encoding official questions to the superior and orders from the superior. Otherwise, as long as the e-mail is not sensative, don't encrypt.

Better yet....DARPA needs to create a better e-mail system for the soldiers to use (and then release it as open source or at the very least write RFC's....). E-mail as it currently stands is pretty much unsecured, and so easy to spoof it's not funny. Securing it is NOT easy for basic e-mail users like Generals.

Dangers of Institutionalized Automatic Compliance?

[aldheorte]

This raises a rather interesting question of whether institutions with assumed automatic compliance, like the military (for practical reasons), may become especially vulnerable to certain types of viruses that engage in a form of social engineering attack?

In the article's example, no colonel of the name given existed. However, in many virus variants, compromised computers use address books to form fake mailings to one person on the list from another person on the list. Given that an email list generally represents a network of people who mostly know each other, this leads to the recipients using a much lower level of caution when receiving an email with an attachment from someone they know. To make this even more severe, where institutionalized automatic compliance exists, many of these emails would appear to come from superiors and make virus transmission almost a certainty.

Of course, this could also occur in any private organization with strict command and control or possessing a culture of fear leading to blind obedience to any orders coming down from the top. Therefore, one could hold that you can lessen security exposure to these types of attacks (viruses serve as just a starting point as other social engineering attacks could also work in this context, with much more disastrous results) by creating a more permissive and questioning command and control structure. However, obviously, this would not work for the military and perhaps some other institutions, except in certain contexts, so what do you do?

Orders _aren't_ Orders!

[redelm]

This highlights an extremely important lesson I'd hope West Point and Annapolis cadets learn: Orders _aren't_ Orders! The US isn't the German "Befehl ist Befehl". A US officer must not blindly obey orders, but has a duty to first determine if the orders are authentic (they weren't, and probably proveably so from the headers), _and_ whether they're legal.

In this case, I would expect a colonel to trust his officers enough to tell them "I'm sending this autoinstal to you". Or his officers to reply "Sir, you sent us an autoinstall without mentioning it. Please confirm this was your intent."

Re:Absolutely

[LurkerXXX]

Of course typing it in yourself is the smart thing to do. That's why I'm so pissed the university I work at keeps sending out emails to everyone on patch tuesday. They have the link to microsoft's windows update website in them and instruct all users that they must go to the site and patch their machines. They are teaching the users terrible habits! They are going to click on links in phising emails because the brilliant IT staff here has taught them that they should.

Schools of Phish

[Doc+Ruby]

It's even more important that cadets be taught to question orders from superiors before executing them, than it is for them to recognize they're being phished. Because soldiers "execute" real people. Especially with orders increasingly coming over telecom, rather than the more easily authenticated "face to face" (or "about face / forward march"). And with the chain of command increasingly complex, like mercenaries, unaccountable either to military law, US law, or (nonexistent) US law, commanding troops in Iraq.

Lots of the abuse we see coming from Guantanamo and Abu Ghraib (and elsewhere) could have stopped before it started, if soldiers had questioned the orders or directions given them to execute inhuman acts on prisoners. The more humane soldiers will question such orders anyway, even when they are legit. So it's extremely important that they learn how to quickly, consistently, and effectively question and execute orders during training. Instead of facing that awkward learning curve on a battlefield, or just in a prison where they can't afford to lose face before a prisoner.

Time for a follow-up?

[SimilarityEngine]

Indeed! It would be interesting to have a follow-up study, and interview the cadets to find out why they made the choices they did (if they haven't done so already). Well, interesting to me anyway... ;^)

Take it one step further

[interstellar_donkey]

What if I'm a bad guy pretending to be the good guy pretending to be the bad guy?

In other words, I'm really a phisher opperating under the guise of one of these people trying to "help" others.

On every successful "catch" for something like, say, bank information or ssn, I have a script automatically check the victims bank account balance or credit score. If they're low, I automatically send them a "gotcha!" letter saying "look at what you just gave to me? It's a good thing I'm a responsible citizen and let you know!"

If the values are high, I sell them at a premium to other criminals (who will come to know that *my* information always contaians the personal information of someone with means).

If I ever get caught, I simply can point to the large number of emails I sent off warning people. "Hey, that some other guy robbed them blind isn't my fault; just because I deal with people who are prone to fall for this stuff doesn't mean I exploit them. Heck, I help them, and here's all my (doctored) logs to proove it. Don't believe me? Go interview the countless number of people I saved!

In the end, the profit wouldn't be huge, but it'd sure add another layer of safety to the fraud.

Re:Sir, No, Sir...

[ki4iib]

As a (Real Soon To Be) member of the United States Air Force [this-is-not-an-official-opinion-disclaimer], I can not only -not- berate you as living scum... ...I can actually sympathize with you. There is absolutely, absolutely a place in this world for nonviolent people. Hell, there's even room for 'em in a war zone, if you feel up to being medical assistance with the Red Cross / Red Crescent, or helping in refugee camps, or, god - a million places where people who just want to stop pain and suffering can be used. Pick an American inner city, for instance. 'Tis an easy way to start at home. Useless soldiers are not worthless people, nor do they deserve berating from servicemembers. Like Solomon said, though, there's a time for peace, and a time for war. And when it's time for war, we intend to be the absolute, indisputable best. And hey, rest easy. If there's ever a draft, they'll ask you about six million times whether you're a consciencious objector.

Re:Fill them in with crap

[abb3w]

On the common ebay one, if it rejects your credit card as invalid, change the check digit (the last digit of the 16 digit number) until you get the right one.

Alternatively, if you've ever had to cancel a card as lost or stolen, use that number with bogus personal info. This might have a better chance at raising a louder alarm bell if they ever try to use it.

Citi Visa 4128 0032 4259 7154, if anyone wants one. (Cancelled when I left it at a restaurant in 1999.)