Slashdot Mirror
Anti-Phishers Pose as Phishers to Make Point
Carl Bialik from the WSJ writes "This article notices a new trend in efforts to fight phishing: Anti-fraudsters are posing as phishers to 'to train users to be more careful about sharing sensitive information online.' Or, as the Wall Street Journal puts it, 'To fight computer crime, the good guys are masquerading as bad guys pretending to be good guys.' West Point cadets were among those who got fake phishing emails -- in their case, from Aaron Ferguson, a teacher at the academy. 'The gullible cadets received a "gotcha" email, alerting them they could easily have downloaded spyware, "Trojans" or other malicious programs and suggesting they be more careful in the future. ... Nonetheless, he says the exercise upset some cadets, who felt it exploited their inclination to follow an order from a colonel, no questions asked. He says the new edict is, "Ask questions first, then execute." '"
Its all fun and games until the bad guys start posing as the good guys posing as the bad guys.
Or in other words, use Common Sense?
Dilbert really got the point.
follow me on Twitter: http://twitter.com/moeffju
Its human nature to be trusting of others. People don't want to believe that there are bad people out there who want to do them harm. I think this exercise was kind of silly, "Look, these cadets in an ARMY SCHOOL will follow what a SUPERIOR tells them to do! OMG ROFL!!!!11"
I think its sad that its come to the point where we have to assume everything is untrustworthy and to have to keep a guard up 24/7.
"Sir! Sir! Are you a terror-"*gets shot*
I never spellcheck and I freely admit it. Save your karma for more worthwhile "lol erorrs" replies
That's an order son.
My initial response is that cadets needs to wise up about who's who when orders are given, but then I realized that it's probably a federal offense to impersonate a military officer in real life. The question then becomes whether it's illegal to impersonate an officer online. If so, the good/bad/good guys have gone too far.
What do you mean they cut the power? How can they cut the power, man? They're animals!
To me, it's pretty scary that someone would just commit an action just because that someone was trained to follow instructions only, and to never question.
That's why I never joined.
And because you 'never joined', it is understandable why you have little clue how the military actually works.
I think the issue here is to be more questioning of the authenticity of orders - I doubt they'll want cadets questioning the colonel about orders in person, but the point is that you can't trust the authenticity of an email without verification.
is not the same thing as blindly following orders from somebody claiming to be one.
Which of course is a known problem in the military; high ranking officers expect cooperation from everybody, including soldiers who have never met them before. They may flash (or even show) some kind of ID in rare instances, but for the most part a soldier has to guess if he's dealing with the real thing or not.
It depends. On a nuclear sub, they had better be verifying those orders are authentic before launching. In fact they do verify that messages are authentic. They use this thing called cryptography. So, this is in fact a healthy lesson to be teaching these cadets. They cannot blindly follow orders comming from untrusted sources.
But following an instruction from a superior officer is something we do try to encourage in the Forces these days.
I hope they train them to make sure it actually is their superior officer giving an order. 'Cause if they don't, I've got a gwbush3838412@hotmail.com account and some stuff I wouldn't mind seeing get blowed up.
It doesn't say what the "instructions" were, but it sounds like all they did was go to a web-site. Depending on what these instructions were, the students were either gullible, or just following what seemed to be a legitimate set of instructions. It's really hard to tell the phishers from the legits until you actually see what is being requested of you and/or the URL of the web-site. Of course, this is why phishing is so prevalent.
Ben Hocking
Need a professional organizer?
I think these two methods can be complementary. Email correspondence within the company should ideally be signed, but this is often hard to enforce. Instead of saying "look how easily you were fooled," without providing an appropriate method of verifying authenticity, companies should be training employees to use encryption; the response should be "look what happens when you don't check the signature." This wouldn't cause employees to mistrust internal communication -- cryptographically signed messages are inherently trustworthy (up to a certain point).
Soldiers are absolutely not supposed to blindly follow orders.
Cadets are given instructions and then a "colonel" comes along and convinces some of them to do something they shouldn't. How is this a problem specific to email/technology? Hasn't this type of exercise been around as long as the military?
Under the current rules, an e-mail from a superior carries the force of an order. In most situations, this is a good thing. However, there is a problem in that plain e-mail is inherently insecure. Most military e-mail servers don't perform any sort of authentication, so I could easily send mail that looks like it came from General Foobar.
Of course, the solution is some sort of PKI solution -- and it's mostly here. US military ID cards are smartcards with PKI certficates on them. There was a mandate that all official DOD e-mail be signed. The deadline passed years ago, with most people unaware that it was ever a requirement. The problem is that the military's infrastructure just isn't ready.
In the Air Force, for example, your e-mail address is first.last@basename.af.mil. What happens when you change bases? You have to get a new cert, of course, and now you can't decrypt e-mail sent to your old address (ie, archived mail). Further, say you have an Army person stationed at an Air Force installation. The Army has unified e-mail addresses (name@us.army.mil), but the Soldier will also have a unit e-mail address, which will probably be his primary SMTP address (if it weren't, he wouldn't show up correctly in the GAL). The solution is to give him two e-mail addresses on his cert.
But wait! The software the DOD uses to write the certs can't do two RFC822 addresses. Lame, but true. So now you're stuck forcing the Soldier to have his army.mil address set as his primary SMTP, have it forward e-mail to his unit account, and just suck it up when people complain about not being able to find him in the GAL.
Now for the real reason PKI isn't fully implemented. Exchange 2000 OWA can't handle S/MIME out of the box. Exchange 2003 can, and some major commands run it, but at least one (I'm looking at you, USAFE) have it disabled (WHY????!!!). The long and the short is that commanders wouldn't be able to read their secure e-mail from anywhere but their desks.
The end result is that the taxpayers payed millions of dollars to pave the way for a decent secure e-mail solution for the US military, but we don't use it. The result is that those cadets (and anyone else) really don't know who their e-mail comes from, but they still must act as if it's an order from the person it says sent it.
It's always a long day... 86400 doesn't fit into a short.
This raises a rather interesting question of whether institutions with assumed automatic compliance, like the military (for practical reasons), may become especially vulnerable to certain types of viruses that engage in a form of social engineering attack?
In the article's example, no colonel of the name given existed. However, in many virus variants, compromised computers use address books to form fake mailings to one person on the list from another person on the list. Given that an email list generally represents a network of people who mostly know each other, this leads to the recipients using a much lower level of caution when receiving an email with an attachment from someone they know. To make this even more severe, where institutionalized automatic compliance exists, many of these emails would appear to come from superiors and make virus transmission almost a certainty.
Of course, this could also occur in any private organization with strict command and control or possessing a culture of fear leading to blind obedience to any orders coming down from the top. Therefore, one could hold that you can lessen security exposure to these types of attacks (viruses serve as just a starting point as other social engineering attacks could also work in this context, with much more disastrous results) by creating a more permissive and questioning command and control structure. However, obviously, this would not work for the military and perhaps some other institutions, except in certain contexts, so what do you do?
In this case, I would expect a colonel to trust his officers enough to tell them "I'm sending this autoinstal to you". Or his officers to reply "Sir, you sent us an autoinstall without mentioning it. Please confirm this was your intent."
``I wonder what'll happen if they try that? Is that what they're trained in the military? Isn't it shoot first, ask questions later?''
Depends which they do when. If they are in the heat of a battle and they start questioning the superior's orders, it probably won't end well. If they start blindly killing everyone because they might be a threat, things probably wouldn't end very well either.
Fortunately, even in the military, people have brains that they can use to judge which would be the most appropriate action. Of course, they do make mistakes. Everybody makes mistakes. Training can help prevent them from making mistakes. That's what people where doing in this case.
Please correct me if I got my facts wrong.
I thought a big part of military training was the idea that no soldier is to obey an unlawful order, or a lawful order unlawfully given.
ESPECIALLY at the top military academies, such as, oh, say, West Point!
So these cadets are, in effect, saying "But I was Just Following Orders!" - which is NOT a valid excuse.
www.eFax.com are spammers
To me, it's pretty scary that someone would just commit an action just because that someone was trained to follow instructions only, and to never question.
Military members are obligated to follow lawful orders from those above them. They have to ask themselves "is this legal? Does it mesh with the Uniform Code of Military Justice? Rules of engagement? Geneva Conventions?" Something tells me that inputting personal information because of an email does not necessarily qualify as an unlawful order.
24 beers in a case, 24 hours in a day. Coincidence? I think not!
You might still be helping them in some small way by confirming that your email address is valid.
Many spam and phishing emails use links that contain an ID indicating the email address. For instance, "myspamsite.com/great_offers.php?id=1492" where "1492" corresponds to "columbus@hotmail.com" in the spammer's database. Sometimes that ID is buried within a long URL full of different parameters, too.
Valid emails (especially of those that click on them) are valuable to spammers.
It's the same reason that you shouldn't click the unsubscribe link or display remote images in your email.
Well, we all know you don't need something "well-written" at all.
There are a few disturbing sides to phishing, but the one that hits me hardest is that people fall for messages that are incredibly poorly written. Anyone who reads regularly and who has any sense of graceful language should see though the vast majority of phish attempts in a second or two. Phishers generally are truly bad, tone-deaf writers. Your bank isn't going to botch the spelling of "account" in a message asking for your SSN. Nobody from American Express would send a curt four-sentence message threatening bluntly to "remove your account."
It always seemed to me like the Nigeria messages were successful partly because people found the garbled language appropriate for the supposed sender. Those phishes play to the stereotype.
"Fundamentalism" isn't about divine morality. It's about human authority.
That only applies to soldiers of other countries. As the winners, our soldiers aren't subject to European or world courts, else our leaders themselves, as well as officers, would be incarcerated as war criminals for the invasion of Iraq and subsequent events in Abu Garaib, Camp X-Ray, etc.
Of course typing it in yourself is the smart thing to do. That's why I'm so pissed the university I work at keeps sending out emails to everyone on patch tuesday. They have the link to microsoft's windows update website in them and instruct all users that they must go to the site and patch their machines. They are teaching the users terrible habits! They are going to click on links in phising emails because the brilliant IT staff here has taught them that they should.
Since when did West Point start hiring EA employees as teachers?
It's even more important that cadets be taught to question orders from superiors before executing them, than it is for them to recognize they're being phished. Because soldiers "execute" real people. Especially with orders increasingly coming over telecom, rather than the more easily authenticated "face to face" (or "about face / forward march"). And with the chain of command increasingly complex, like mercenaries, unaccountable either to military law, US law, or (nonexistent) US law, commanding troops in Iraq.
Lots of the abuse we see coming from Guantanamo and Abu Ghraib (and elsewhere) could have stopped before it started, if soldiers had questioned the orders or directions given them to execute inhuman acts on prisoners. The more humane soldiers will question such orders anyway, even when they are legit. So it's extremely important that they learn how to quickly, consistently, and effectively question and execute orders during training. Instead of facing that awkward learning curve on a battlefield, or just in a prison where they can't afford to lose face before a prisoner.
--
make install -not war
You've made your decision then?
Not remotely! Because spam comes from Russia. As everyone knows, Russia is entirely peopled with criminals. And criminals are used to having people not trust them, as you are not trusted by me. So, I can clearly not click the spam in front of you.
Truly, you have a dizzying intellect.
Wait 'til I get going!! ... Where was I?
Russia.
Yes! Russia! And you must have suspected I would have known the spam's origin, so I can clearly not click on the spam in front of me.
You're just stalling now.
You'd like to think that, wouldn't you! You've beaten my trojans, which means you're exceptionally well protected against viruses ... so you could have put the spam in your own email trusting on Norton AV to save you, so I can clearly not choose the spam in front of you. But, you've also bested my spyware, which means you must have studied ... and in studying you must have learned that man is mortal so you would have put the spam as far from yourself as possible, so I can clearly not choose the spam in front of me!
You're trying to trick me into giving away something. It won't work.
It has worked! You've given everything away! I know which email the phishing attack is!
Then make your choice.
I will, and I choose ... what in the world can that be?
What? Where? I don't see anything.
Oh, well, I ... I could have sworn I saw something. No matter. [laughing]
What's so funny?
I ... I'll tell you in a minute. First, let's click, me on my email and you on yours.
You guessed wrong.
You only think I guessed wrong! That's what's so funny! I switched emails when your back was turned! Ha ha! YOU FOOL! You fell victim to one of the classic blunders. The most famous is: Never get involved in a land war in Asia!, and only slightly less well known is this: Never go in against a Sicilian when death is on the line!
John
Indeed! It would be interesting to have a follow-up study, and interview the cadets to find out why they made the choices they did (if they haven't done so already). Well, interesting to me anyway... ;^)
Those who can make you believe absurdities can make you commit atrocities. - Voltaire
What if I'm a bad guy pretending to be the good guy pretending to be the bad guy?
In other words, I'm really a phisher opperating under the guise of one of these people trying to "help" others.
On every successful "catch" for something like, say, bank information or ssn, I have a script automatically check the victims bank account balance or credit score. If they're low, I automatically send them a "gotcha!" letter saying "look at what you just gave to me? It's a good thing I'm a responsible citizen and let you know!"
If the values are high, I sell them at a premium to other criminals (who will come to know that *my* information always contaians the personal information of someone with means).
If I ever get caught, I simply can point to the large number of emails I sent off warning people. "Hey, that some other guy robbed them blind isn't my fault; just because I deal with people who are prone to fall for this stuff doesn't mean I exploit them. Heck, I help them, and here's all my (doctored) logs to proove it. Don't believe me? Go interview the countless number of people I saved!
In the end, the profit wouldn't be huge, but it'd sure add another layer of safety to the fraud.
The Internet is generally stupid
As a (Real Soon To Be) member of the United States Air Force [this-is-not-an-official-opinion-disclaimer], I can not only -not- berate you as living scum... ...I can actually sympathize with you.
There is absolutely, absolutely a place in this world for nonviolent people. Hell, there's even room for 'em in a war zone, if you feel up to being medical assistance with the Red Cross / Red Crescent, or helping in refugee camps, or, god - a million places where people who just want to stop pain and suffering can be used. Pick an American inner city, for instance. 'Tis an easy way to start at home.
Useless soldiers are not worthless people, nor do they deserve berating from servicemembers. Like Solomon said, though, there's a time for peace, and a time for war. And when it's time for war, we intend to be the absolute, indisputable best.
And hey, rest easy. If there's ever a draft, they'll ask you about six million times whether you're a consciencious objector.
<THUD!>
They were both phishing attacks. I spent the last few years lying about who I am to build a false identity. I'm no one to be trifled with. That is all you'll ever need know.
//Information does not want to be free; it wants to breed.
The US soldiers often have the benefit of superior intelligence so they don't have to ask, but mostly confirm who they are going to shoot.
Or in some cases, request permission to fire, get denied and then drop a bomb or two on coalition forces thus resulting in the death of four allied infantry personel.
Homer: Now to answer all the popups. Ooh a talking moose wants my credit card number, that's only fair.
Alternatively, if you've ever had to cancel a card as lost or stolen, use that number with bogus personal info. This might have a better chance at raising a louder alarm bell if they ever try to use it.
Citi Visa 4128 0032 4259 7154, if anyone wants one. (Cancelled when I left it at a restaurant in 1999.)
//Information does not want to be free; it wants to breed.
If you're not using public key crypto, then you still can assume that if a message was encrypted with a secret key that only you and the sending party know, then the message is from that sending party.
Kerberos is based on Needham-Schroeder secure key exchange via a trusted 3rd party. The KDC is the "trusted 3rd party". In a nutshell, a session key is generated by the KDC, and 2 copies are made. One is encrypted with the user's key, and one is encrypted with the service's key. Mutual authentication happens, because both parties must know their secret key in order to communicate using that secret key.
So, crypto is very useful for authenticity.
He's the one saying that he'll never kill anybody, while you're the one claiming that under certain circumstances we can call it "true compassion for humanity". So that'd be a "relativism" point for you, surely, not him.
Mind the Gap
or by other insecure means. Such a phishing campain should only be to enforce and test an already well-known rule that says "Do not follow orders sent by email." Properly encrypted messages excepted, and any military person using email should already know not to respond to a phishing expedition.
For even a new cadet to confuse a phish email with a legit order is a terrible thing to happen.
Tag lost or not installed.