Slashdot Mirror
Anti-Phishers Pose as Phishers to Make Point
Carl Bialik from the WSJ writes "This article notices a new trend in efforts to fight phishing: Anti-fraudsters are posing as phishers to 'to train users to be more careful about sharing sensitive information online.' Or, as the Wall Street Journal puts it, 'To fight computer crime, the good guys are masquerading as bad guys pretending to be good guys.' West Point cadets were among those who got fake phishing emails -- in their case, from Aaron Ferguson, a teacher at the academy. 'The gullible cadets received a "gotcha" email, alerting them they could easily have downloaded spyware, "Trojans" or other malicious programs and suggesting they be more careful in the future. ... Nonetheless, he says the exercise upset some cadets, who felt it exploited their inclination to follow an order from a colonel, no questions asked. He says the new edict is, "Ask questions first, then execute." '"
Its all fun and games until the bad guys start posing as the good guys posing as the bad guys.
Or in other words, use Common Sense?
Dilbert really got the point.
follow me on Twitter: http://twitter.com/moeffju
I wonder what'll happen if they try that? Is that what they're trained in the military? Isn't it shoot first, ask questions later?
My MythTV HowTo
Its human nature to be trusting of others. People don't want to believe that there are bad people out there who want to do them harm. I think this exercise was kind of silly, "Look, these cadets in an ARMY SCHOOL will follow what a SUPERIOR tells them to do! OMG ROFL!!!!11"
I think its sad that its come to the point where we have to assume everything is untrustworthy and to have to keep a guard up 24/7.
"Sir! Sir! Are you a terror-"*gets shot*
I never spellcheck and I freely admit it. Save your karma for more worthwhile "lol erorrs" replies
So these people who were CADETS followed phishing instructions that came to them STRAIGHT FROM THEIR OWN COLONEL. I hardly think that's a reasonable test!
Now, if they'd all mindlessly obeyed an email from ebay or paypal or their bank or something, then yes, they would have been ownz0red. But following an instruction from a superior officer is something we do try to encourage in the Forces these days.
Whence? Hence. Whither? Thither.
That's an order son.
My initial response is that cadets needs to wise up about who's who when orders are given, but then I realized that it's probably a federal offense to impersonate a military officer in real life. The question then becomes whether it's illegal to impersonate an officer online. If so, the good/bad/good guys have gone too far.
What do you mean they cut the power? How can they cut the power, man? They're animals!
To me, it's pretty scary that someone would just commit an action just because that someone was trained to follow instructions only, and to never question.
That's why I never joined.
And because you 'never joined', it is understandable why you have little clue how the military actually works.
Just beware of when your SO sends you an email saying "Click here for wet and wild pics" and you get the email:
:P
You're in big trouble, buster!
To fight computer crime, the good guys are masquerading as bad guys pretending to be good guys.'
Reminds me of a quote from Interview With The Vampire. "Vampires pretending to be humans, pretending to be vampires."
How would one distinguish the real thing from phishing? Most phishing e-mails give themselves away by their bogus requests: give us your bank account #, SSN, etc. This one was just going to a web-site to verify their grade report. The only way they could have verified this was not legit was to search for the name of the sender and find that he isn't actually at West Point. Of course, many phishing e-mails use actual names, so that wouldn't tell you anything if it did exist.
Of course, I use pine on Unix, so I feel quite comfortable opening up any e-mail. I know this doesn't make me bullet-proof, but so far nothing bad has ever hit me this way.
Ben Hocking
Need a professional organizer?
is not the same thing as blindly following orders from somebody claiming to be one.
Which of course is a known problem in the military; high ranking officers expect cooperation from everybody, including soldiers who have never met them before. They may flash (or even show) some kind of ID in rare instances, but for the most part a soldier has to guess if he's dealing with the real thing or not.
It doesn't say what the "instructions" were, but it sounds like all they did was go to a web-site. Depending on what these instructions were, the students were either gullible, or just following what seemed to be a legitimate set of instructions. It's really hard to tell the phishers from the legits until you actually see what is being requested of you and/or the URL of the web-site. Of course, this is why phishing is so prevalent.
Ben Hocking
Need a professional organizer?
I think these two methods can be complementary. Email correspondence within the company should ideally be signed, but this is often hard to enforce. Instead of saying "look how easily you were fooled," without providing an appropriate method of verifying authenticity, companies should be training employees to use encryption; the response should be "look what happens when you don't check the signature." This wouldn't cause employees to mistrust internal communication -- cryptographically signed messages are inherently trustworthy (up to a certain point).
Whenever I get a phishing email, I visit the site and fill it in with (genuine looking) crap details.
Perhaps a small waste of their time sifting genuine responses from garbage, but if everyone did that it'd make their life a lot harder.
On the common ebay one, if it rejects your credit card as invalid, change the check digit (the last digit of the 16 digit number) until you get the right one.
Perhaps there's a good reason why this isn't any use in fighting phishers, but it makes me feel better anyway.
Jolyon
Please read my Canon EOS tech blog at http://www.everyothershot.com
Cadets are given instructions and then a "colonel" comes along and convinces some of them to do something they shouldn't. How is this a problem specific to email/technology? Hasn't this type of exercise been around as long as the military?
You, sir, were ripped off.
Free as in mason.
Under the current rules, an e-mail from a superior carries the force of an order. In most situations, this is a good thing. However, there is a problem in that plain e-mail is inherently insecure. Most military e-mail servers don't perform any sort of authentication, so I could easily send mail that looks like it came from General Foobar.
Of course, the solution is some sort of PKI solution -- and it's mostly here. US military ID cards are smartcards with PKI certficates on them. There was a mandate that all official DOD e-mail be signed. The deadline passed years ago, with most people unaware that it was ever a requirement. The problem is that the military's infrastructure just isn't ready.
In the Air Force, for example, your e-mail address is first.last@basename.af.mil. What happens when you change bases? You have to get a new cert, of course, and now you can't decrypt e-mail sent to your old address (ie, archived mail). Further, say you have an Army person stationed at an Air Force installation. The Army has unified e-mail addresses (name@us.army.mil), but the Soldier will also have a unit e-mail address, which will probably be his primary SMTP address (if it weren't, he wouldn't show up correctly in the GAL). The solution is to give him two e-mail addresses on his cert.
But wait! The software the DOD uses to write the certs can't do two RFC822 addresses. Lame, but true. So now you're stuck forcing the Soldier to have his army.mil address set as his primary SMTP, have it forward e-mail to his unit account, and just suck it up when people complain about not being able to find him in the GAL.
Now for the real reason PKI isn't fully implemented. Exchange 2000 OWA can't handle S/MIME out of the box. Exchange 2003 can, and some major commands run it, but at least one (I'm looking at you, USAFE) have it disabled (WHY????!!!). The long and the short is that commanders wouldn't be able to read their secure e-mail from anywhere but their desks.
The end result is that the taxpayers payed millions of dollars to pave the way for a decent secure e-mail solution for the US military, but we don't use it. The result is that those cadets (and anyone else) really don't know who their e-mail comes from, but they still must act as if it's an order from the person it says sent it.
It's always a long day... 86400 doesn't fit into a short.
a while back I was testing Outlook at Microsoft, and I dropped a potential privacy hole into the bug database. They resolved it as an unimportant issue.
a couple years later, I saw the bug mentioned again...
on CNN.
If you need a well-written email to do phishing, some email that you want to spam to try and phish people, well, you just go here to this anti-phishing.org site because they have a library of all phishes that have been sent around the world.
This raises a rather interesting question of whether institutions with assumed automatic compliance, like the military (for practical reasons), may become especially vulnerable to certain types of viruses that engage in a form of social engineering attack?
In the article's example, no colonel of the name given existed. However, in many virus variants, compromised computers use address books to form fake mailings to one person on the list from another person on the list. Given that an email list generally represents a network of people who mostly know each other, this leads to the recipients using a much lower level of caution when receiving an email with an attachment from someone they know. To make this even more severe, where institutionalized automatic compliance exists, many of these emails would appear to come from superiors and make virus transmission almost a certainty.
Of course, this could also occur in any private organization with strict command and control or possessing a culture of fear leading to blind obedience to any orders coming down from the top. Therefore, one could hold that you can lessen security exposure to these types of attacks (viruses serve as just a starting point as other social engineering attacks could also work in this context, with much more disastrous results) by creating a more permissive and questioning command and control structure. However, obviously, this would not work for the military and perhaps some other institutions, except in certain contexts, so what do you do?
Most legitimate requests will tell you to log in to the front page of their web-site (where you've already been), and follow a certain chain of links to get to where the information needs to be verified. The biggest hole in this assumption is that someone could have hacked that web-site. But, it will protect you from the more common phishing schemes.
I'd say that the more critical the information, the more you need to protect it. If they're phising for my /. password, for example, I'll force them to give me a retinal scan, but I'll give my SSN away for some of that free beer I keep hearing about.
Ben Hocking
Need a professional organizer?
Back in the days when we were all wearing bearskins, we'd have to keep a guard up 24/7 as well. Since then only the type of threat has changed.
Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
http://en.wikipedia.org/wiki/K%C3%B6penick
And it is why mindless obedience should be considered a liability in any modern army, and therefore discouraged.
The guy mentioned in the article just took over the town hall. Good thing they didn't have any nukes back then.
In this case, I would expect a colonel to trust his officers enough to tell them "I'm sending this autoinstal to you". Or his officers to reply "Sir, you sent us an autoinstall without mentioning it. Please confirm this was your intent."
Where do I get this "$20 electricity" from?
Is it guaranteed for the life of the product, or what?
I thought a big part of military training was the idea that no soldier is to obey an unlawful order, or a lawful order unlawfully given.
ESPECIALLY at the top military academies, such as, oh, say, West Point!
So these cadets are, in effect, saying "But I was Just Following Orders!" - which is NOT a valid excuse.
www.eFax.com are spammers
Prior to this you mentioned "it illustrates that army cadets are particularly vulnerable to social engineering attacks, and therefore in dire need of education" (which might very well be true), but it was these employees who entered their passwords.
Granted, the army cadets might have done the same thing (and I agree they would be vulnerable), but the article doesn't explicitly state this.
Ben Hocking
Need a professional organizer?
Which order would this be?
If they verified that the email was authentic (e.g. it was PGP-signed or whatever mechanism they have in place), then fair enough, they received an order and they should obey it.
But that kind of test isn't representative of real-world phishing. Phishers can't subvert USA army communications to fake orders, can they? Or, if they can, surely that is the problem, and not the fact that people trust the authentication in place.
On the other hand, if they received an email and they didn't verify the identity of the sender, then the phishing attack worked and they are at fault.
It all boils down to the method of authentication that is in place, and whether it was used. The article doesn't go into enough detail to say whether the claim they were "just following orders" is a valid defence or not. "Just following orders" is no defence if you didn't establish that the order came from a superior officer.
Bogtha Bogtha Bogtha
To me, it's pretty scary that someone would just commit an action just because that someone was trained to follow instructions only, and to never question.
Military members are obligated to follow lawful orders from those above them. They have to ask themselves "is this legal? Does it mesh with the Uniform Code of Military Justice? Rules of engagement? Geneva Conventions?" Something tells me that inputting personal information because of an email does not necessarily qualify as an unlawful order.
24 beers in a case, 24 hours in a day. Coincidence? I think not!
I know it's cool to get submissions from the Wall Street Journal, but you don't have to put all of them on the front page. They are obviously using you guys as a traffic magnet to drive up interests and subscriptions.
beware the jabberwock, my son! the jaws that bite, the claws that catch!
Which is why one should always type in the link, instead of clicking on the link provided. Of course, few people do this, which is why phishing can be successful. Of course, the more devious phishers cyber-squat waiting for you to swap the "i" and the "e" (in some imaginary domain name) or some other such nonsense.
My point is that there are legitimate e-mails that request you visit their web-site. For example, I get e-mails from my bank frequently telling me I have new messages and/or bills and I should check them. These messages provide links to the front page of my bank's URL, which I always type in by hand.
Ben Hocking
Need a professional organizer?
The point is, we don't know what "all they did was...". Perhaps, they just clicked on the link to see where it took them. If you're using a reasonably secure e-mail client and OS, this is a reasonably safe step to take. The most information a standard e-mail would get from this is that you actually clicked on this link and so the e-mail address is valid, etc. Of course, the URL could download a trojan, but with a good browser you'll have an option to execute the trojan or not.
Ben Hocking
Need a professional organizer?
"Sir yes sir!" is not actually what the civilian world thinks it means. Even the meaning of the word "orders" is quite often taken wrong outside of the military.
Well, we all know you don't need something "well-written" at all.
There are a few disturbing sides to phishing, but the one that hits me hardest is that people fall for messages that are incredibly poorly written. Anyone who reads regularly and who has any sense of graceful language should see though the vast majority of phish attempts in a second or two. Phishers generally are truly bad, tone-deaf writers. Your bank isn't going to botch the spelling of "account" in a message asking for your SSN. Nobody from American Express would send a curt four-sentence message threatening bluntly to "remove your account."
It always seemed to me like the Nigeria messages were successful partly because people found the garbled language appropriate for the supposed sender. Those phishes play to the stereotype.
"Fundamentalism" isn't about divine morality. It's about human authority.
I used to do that during the sub7 and backorrifice days 6 or 7 years back. Used to pop up a message telling them that their machine is under my control and prove to them that I was. Then directed them to a nice article I had written up about linux. I really had a hateful passion against MS back then and saw myself as some inquisitorial crusader smiting the stray back into the line of rightousness.
I wish I had time to find an article on it, but I remember a few years ago, this guy was making headlines because he would pick up a girl from a bar, get her out to a secluded area, calmly explain to her that were he a murderer or rapist, there was no one to stop him, then drive her back. The police were trying to find something to charge him with, but could never find anything.
This sig has absolutely no significance and serves only to take up screen space and waste the time of the reader.
"No sir I am an Italian secret serv-!" *gets shot*
"I am the king of the Romans, and am superior to rules of grammar!"
-Sigismund, Holy Roman Emperor (1368-1437)
Is that evidently, 20% of the cadets didn't dutifully follow the instructions!
Ben Hocking
Need a professional organizer?
In combat, no order should be questioned. the edict should be, "Follow any order that comes in official form, email is NOT official for giving orders"
meh
Since when did West Point start hiring EA employees as teachers?
It's even more important that cadets be taught to question orders from superiors before executing them, than it is for them to recognize they're being phished. Because soldiers "execute" real people. Especially with orders increasingly coming over telecom, rather than the more easily authenticated "face to face" (or "about face / forward march"). And with the chain of command increasingly complex, like mercenaries, unaccountable either to military law, US law, or (nonexistent) US law, commanding troops in Iraq.
Lots of the abuse we see coming from Guantanamo and Abu Ghraib (and elsewhere) could have stopped before it started, if soldiers had questioned the orders or directions given them to execute inhuman acts on prisoners. The more humane soldiers will question such orders anyway, even when they are legit. So it's extremely important that they learn how to quickly, consistently, and effectively question and execute orders during training. Instead of facing that awkward learning curve on a battlefield, or just in a prison where they can't afford to lose face before a prisoner.
--
make install -not war
You've made your decision then?
Not remotely! Because spam comes from Russia. As everyone knows, Russia is entirely peopled with criminals. And criminals are used to having people not trust them, as you are not trusted by me. So, I can clearly not click the spam in front of you.
Truly, you have a dizzying intellect.
Wait 'til I get going!! ... Where was I?
Russia.
Yes! Russia! And you must have suspected I would have known the spam's origin, so I can clearly not click on the spam in front of me.
You're just stalling now.
You'd like to think that, wouldn't you! You've beaten my trojans, which means you're exceptionally well protected against viruses ... so you could have put the spam in your own email trusting on Norton AV to save you, so I can clearly not choose the spam in front of you. But, you've also bested my spyware, which means you must have studied ... and in studying you must have learned that man is mortal so you would have put the spam as far from yourself as possible, so I can clearly not choose the spam in front of me!
You're trying to trick me into giving away something. It won't work.
It has worked! You've given everything away! I know which email the phishing attack is!
Then make your choice.
I will, and I choose ... what in the world can that be?
What? Where? I don't see anything.
Oh, well, I ... I could have sworn I saw something. No matter. [laughing]
What's so funny?
I ... I'll tell you in a minute. First, let's click, me on my email and you on yours.
You guessed wrong.
You only think I guessed wrong! That's what's so funny! I switched emails when your back was turned! Ha ha! YOU FOOL! You fell victim to one of the classic blunders. The most famous is: Never get involved in a land war in Asia!, and only slightly less well known is this: Never go in against a Sicilian when death is on the line!
John
Indeed! It would be interesting to have a follow-up study, and interview the cadets to find out why they made the choices they did (if they haven't done so already). Well, interesting to me anyway... ;^)
Those who can make you believe absurdities can make you commit atrocities. - Voltaire
Captain: What happen ?
Mechanic: Somebody set up us the scam.
Operator: We get email.
Captain: What !
Operator: Main screen turn on.
Captain: It's you !!
CATS: How are you gentlemen !!
CATS: All your details are belong to us.
CATS: You are on the way to fake site.
Captain: What you say !!
CATS: You have no chance to survive enter your detail.
CATS: Ha Ha Ha Ha
banks continue to train people to be good little phishies by sending legitimate email with links in it. Yes, I can tell the difference, and Bank of America sends me notices such as 'statement ready' or 'bill from X' with direct links to login and view/pay.
I've complained that they should include text alerting people to never click on links in email, and not include any links. When the 'good' email trains people to be careful, the 'bad' email will be less successful.
Doubleplusgoodidea, I say.
What if I'm a bad guy pretending to be the good guy pretending to be the bad guy?
In other words, I'm really a phisher opperating under the guise of one of these people trying to "help" others.
On every successful "catch" for something like, say, bank information or ssn, I have a script automatically check the victims bank account balance or credit score. If they're low, I automatically send them a "gotcha!" letter saying "look at what you just gave to me? It's a good thing I'm a responsible citizen and let you know!"
If the values are high, I sell them at a premium to other criminals (who will come to know that *my* information always contaians the personal information of someone with means).
If I ever get caught, I simply can point to the large number of emails I sent off warning people. "Hey, that some other guy robbed them blind isn't my fault; just because I deal with people who are prone to fall for this stuff doesn't mean I exploit them. Heck, I help them, and here's all my (doctored) logs to proove it. Don't believe me? Go interview the countless number of people I saved!
In the end, the profit wouldn't be huge, but it'd sure add another layer of safety to the fraud.
The Internet is generally stupid
As a (Real Soon To Be) member of the United States Air Force [this-is-not-an-official-opinion-disclaimer], I can not only -not- berate you as living scum... ...I can actually sympathize with you.
There is absolutely, absolutely a place in this world for nonviolent people. Hell, there's even room for 'em in a war zone, if you feel up to being medical assistance with the Red Cross / Red Crescent, or helping in refugee camps, or, god - a million places where people who just want to stop pain and suffering can be used. Pick an American inner city, for instance. 'Tis an easy way to start at home.
Useless soldiers are not worthless people, nor do they deserve berating from servicemembers. Like Solomon said, though, there's a time for peace, and a time for war. And when it's time for war, we intend to be the absolute, indisputable best.
And hey, rest easy. If there's ever a draft, they'll ask you about six million times whether you're a consciencious objector.
The Yes Men
If you haven't seen it, it's worth checking out.
Time is comparison of movement to other movement.
Suppose you are in some battle or in a "hot zone". You see a seven-year old boy. Your SO orders you to shoot the boy. You will probably stand trial for homicide if you shoot the boy.
I didn't know you could join the service w/o all the chest-thumping... ;)
But then how would you know whether to salute or compile?
Is it just my observation, or are there way too many stupid people in the world?
There are four sorts of people in the world: fools, lunatics, idiots and morons. - Umberto Eco, Foucaut's pendulum.
...I suppose that this might explain the phishing email I found in my inbox yesterday, which tried to point me towards a "Paypal verification" page under "clueless.net"... And here I just thought that phishers were getting lazy.
<THUD!>
They were both phishing attacks. I spent the last few years lying about who I am to build a false identity. I'm no one to be trifled with. That is all you'll ever need know.
//Information does not want to be free; it wants to breed.
This would be a valid issue - if there was any crime involved.
... "interesting" content and a date in 2048. The message made clear at the end that it was a fake, and there was nothing inappropriate in the message.
.vbs script that pops up a dialog saying "If this had been a malicious script, it could have destroyed all your work and broken your computer" has a profound effect, it seems.
Spoofing an email, or putting up a fake website, was not a crime last I heard.
Someone might try to take civil action against you if offended (trademark problems; leibel; etc) but the chances are pretty darn good they won't if you're doing it with their permission.
Personally, I think this is an important education tool. Where it becomes a problem is if it goes too far, into "oops! Look! this trojan has been on your system for a week emailing your credit card details to some dodgy site. I guess you should be more careful with your email."
I remember how I was finally able to wake a few people up about the issue of viruses and impersonation in the very early days of mass email worms - not long after the Melissa worm. Direct education attempts had failed with the staff, so I sent an email to all of them that pretended to be our Prime Minister (this is a newspaper) with some
It was remarkable how many people came to me and asked about that - it was clear that it'd managed to get their attention as simply explaining the issue ("the From: address doesn't guarantee that it's from who it says it is") had failed to do.
Despite almost computer illiterate users, we've been unaffected by email worms due to a combination of a paranoid mail gateway and such periodic reminders to users. Things like a
However, an order such as "click this link and fill out the form there with your personal information" may be stupid and/or dangerous, and still remain lawful. On the gripping hand, these officer candidates should also be trained to verify the source of questionable orders, and call superiors attention to clarify doubtful points. (EG: "Is this really Colonel Blake? Is it really appropriate for us to fill out confidential information on a non-secure website form?)
See this nice piece from the US Army's on-line Combined Arms Research Library; look especially for the part on "Phase of Communication".
//Information does not want to be free; it wants to breed.
Homer: Now to answer all the popups. Ooh a talking moose wants my credit card number, that's only fair.
New York, Mr. Pelgrin says he took pains to carefully design the exercise, including hiring an outside Web consultant to design the mock email pitch. "We wanted to make sure it was not too good," he says.
Burned!
I've been noticing the grammar is improving, and have gotten several that are actually free of all spelling and grammar errors. Like many simple anti-phishing tactics, this one won't work for much longer. Go back and re-read your Bierce.
//Information does not want to be free; it wants to breed.
http://www.hahathatswhatyouget.com/citibank/
If you look at the javascript for the page, it disregards any post information, and redirects to a page taunting the user, and describing that if the page were a real phishing site, that their info would have been stolen.
*sigh* Guess it's only news when some other site posts it.
/^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$/i
Phishers already pose as Anti-Phishers. ("Someone's trying to break into your account! Please send us your password so we can stop them!") So to be convincing, Anti-Phishers would have to pose as Phishers, posing as Anti-Phishers. Are we confused yet?
Obviously the best course of action is to employ the Poser-Buster. Once the bad guys turn on their Poser-Buster-Buster then you move to phase two, the Poser-Buster-Buster-Buster. Heaven forbid they have a Poser-Buster-Buster-Buster-Buster...
Every officer MUST ask himself these two questions before following any order:
1) is the order authentic
2) is the order legal
If it's both, then "YES SIR" is the correct answer.
If it's not, then don't follow it.
If you can't tell, then I'd hate to be you.
What if a bad guy faked the Colonel's email address, or worse, broke into the Colonel's email account and sent it on his behalf?
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
A professor once mentioned getting an .exe file from a friend, which made it seem like all of the files in her "my documents" folder were being deleted.
autopr0n is like, down and stuff.
In the context of the (slashdot) article, what you wrote becomes:
Isn't that a main part of the job of the military?
The real solution here is for trustable entities to cryptographically sign their e-mails. This includes banks, e-commerce companies, and in this case, a colonel.
This is by no means a new idea, but NO ONE does it. Like most people, I have e-commerce relationships with >10 companies, from banks to Amazon.com, and none of the e-mails I get from them are signed.
S/MIME is not as easy to set up nor as obvious as it should be. If used, though, it would squash the phishing problem AND the "virus from spoofed sender" problem altogether.
I started organize all my phishing e-mails into a RSS news feed back in May and wrote a (slow) little script to generate false information.
I'm probably averaging about 2 phishing e-mail spam a day at the moment.
Most of them are sitting on sites referenced with IP addresses, but occassionally there will be domains from obviously hacked sites -- the most recent one was a lawfirm's site hosting a PayPal scam which I found amusing.
He's the one saying that he'll never kill anybody, while you're the one claiming that under certain circumstances we can call it "true compassion for humanity". So that'd be a "relativism" point for you, surely, not him.
Mind the Gap
There have been studies on obedience to authority; check here:
http://en.wikipedia.org/wiki/Stanley_Milgram
The real issue is that no matter what, when people *perceive* that others have authority over them, they will tend to obey even the most horrible of orders. The perception of authority in Stanley Milgram's obedience experiments (sorry, it's not described in the wikipedia link but I don't have time to find it) stemmed from scientists wearing lab coats.
The military by nature is authoritarian... Not only are soldiers already inclined to obey authority, but they are also explicitly taught to obey authority. (I am not a soldier btw, so please excuse the oversimplification, etc. etc.)
The site's YOU MORON page could be made a hell of a lot more useful. It is using terms like URL, IP, and so on with no further explanation (in truth, you don't even need to use those terms to explain them). After who-knows-how-many support calls with my grandmother, she still has no idea what a URL or location bar is; she just knows it as "the place you type in next to the Back button."
You'd probably be surprised how many users use the Internet without ever typing in a URL. Which is one reason why phishing works; people barely know what a URL is, if they even know that they exist.
The site would also be a lot better off by using non-derogatory wording; calling someone a moron or idiot simply because they were not educated in safe Internet usage is not productive - it's more likely to piss them off than it is to get them to really learn what you're trying to teach them. That whole "tact" thing is genuinely useful.
The page also (erroneously, at least for my quick test) claims that the URL is an IP. I've been thinking... how often does a normal user need to use an IP for a URL? Practically never, I'd think. It would be interesting to see what would happen if you disabled using IPs in URLs (with a hidden option somewhere for techies that actually require the functionality) and seeing if that adversely affected normal users.
Additionally, it would be cool to try doing a domain trust system for web-access, similar to what's being done for email. Real banks and known safe organizations would have absolute trust, and sites they links too would have trust, etc. (Would be necessary for forums to use the newish nofollow attribute to avoid polluting the trust system.) Known bad sites would have explicit no-trust. Browsers then can check the trust level of any site visited. By default, for average users, sites without trust would be flatly denied (sorry, but warning dialogs *do not work* - users just click through them). Alternate behavior could be to allow non-trusted sites to be viewed but to disable form submission/javascript/downloads/etc. (So Aunt Tillie's brand new personal page she had her grandson put online will be viewable, but the methods allowing theft of data on the grandson's new phishing site he just put up would be disabled.)
This could actually be developed as a Firefox extension, I believe. Although I could already think of a few ways for clever sites to hack around it (not sure how much power Firefox extensions can have, especially in terms of not allowing a site to, say, use DOM to recreate form fields after the extension disabled them, and use more javascript to copy the form field values into a url for a GET request using location.href to avoid the extension from stopping a POST or general form submission).
There needs to be a good name for this technique. I propose "Phishing for Phools".
-Don
On the topic of the article, I think it's good that this guy tricked his students like this. I can certainly understand them feeling betrayed, but folks in the military are really the last people we want tricked by authentic-looking emails. I mean, if I open an email that's supposedly from a prof and accidentally download some nasty virus, yeah, it sucks, but at worst, I lose some money and data. If some military grunt gets an email from a phisher posing as his commander, the worst case is likely to involve the loss of human lives. I think this is something worth guarding against, and if the education process upsets the students, then so be it.
The exercise email may well have exploited some inclination of the receiver to follow instructions from someone in authority - but SO DO REAL PHISH EMAILS! - thats the whole point - that anyone can pretend to be some person in authority in an email - You think the captian of some nuke sub is going to get an email claiming to be from the President telling him to launch and is just going to beleive it without validating it? Heck no!
From the article: The mock phishing exercises demonstrate how effective such attacks can be. In June 2004, more than 500 cadets at West Point received an email from Col. Robert Melville notifying them of a problem with their grade report and ordering them to click on a link to verify that the grades were correct. More than 80% of the students dutifully followed the instructions.
;)
;)
But there is no Col. Robert Melville at West Point.
Hello, people. These cadets weren't paying attention to the chain of command. They were just following orders blindly. As shown by Abu Ghraib, this can be just as dangerous as soldiers who question everything before obeying. There needs to be a light on upstairs. I for one am glad that people who are trained to kill are being trained to think as well. Since phishing attacks are getting more complex, this social engineering vector needs to be addressed before more important information is compromised.
Every few weeks, my Mum - who I have dutifully trained - sends me a phishing email that has freaked her out. The email always seems to come from my domain where she has an account with official wording. Even though I have trained her and trained her she still panics. She doesn't click on the links. She doesn't fall for the scams (I'm proud to say that she can spot a stupid bank phishing scam with her eyes closed now). She panics because somebody is posing as me (i.e. an admin from my domain) and trying to trick her. This is scary and invasive for the common computer user. People want to believe everything they read because it is fatiguing to be suspicious of everything all the time. Slashdotters have built up amazing suspicion stamina, but they aren't the norm. My Mum learned her lessons. She's a trooper. But how many people out there can recognize phishing scams? The scammers are getting cleverer. They're using spell checkers now.
I believe training government officials to recognize phishing scams in this way is excellent. As the article also says: "Repetition is important. Vigilance is critical," he says. "The bottom line lesson was: Even if the request comes from legitimate individuals, never give out personal information."
The only addition I would recommend would be an official notice announcing this training. Then the few complainers who feel stupid about getting caught wouldn't have anything to complain about. Having employees on guard for phishing attacks would only improve their alertness to the problem, IMO, even if they knew the attack was going to be a training exercize. Of course, this official notice would have to be sent out on a different day than the fake phish scam in order for this program to be effective.
The Splintered Mind - Overcoming
This is all well and good for now, until crocodile-resistant strains of these diseases evolve through our overuse of crocodile serum... And then the crocodiles are going to be PISSED.
https://www.eff.org/https-everywhere
"Phishing phor Phools".
Phor Ghod's sake, get it right.
Tag lost or not installed.
or by other insecure means. Such a phishing campain should only be to enforce and test an already well-known rule that says "Do not follow orders sent by email." Properly encrypted messages excepted, and any military person using email should already know not to respond to a phishing expedition.
For even a new cadet to confuse a phish email with a legit order is a terrible thing to happen.
Tag lost or not installed.
There are many ways to validate a message, encryption is only one of them.
Most of the time, 100% validation isn't even necessary.
For example, if your military boss sends you an order saying "here's the plans for next weeks's field exercise" AND it came from the same email server you use AND you've checked the headers for signs of spoofing AND he makes mention of the email in today's breifing, then you can be 99% sure that your copy of the email is valid.
Now, if you get a message from "president@whitehouse.gov" telling you the war in Iraq is over and ordering you home, definately do some validation before acting on that "order."
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.