Slashdot Mirror
Anti-Phishers Pose as Phishers to Make Point
Carl Bialik from the WSJ writes "This article notices a new trend in efforts to fight phishing: Anti-fraudsters are posing as phishers to 'to train users to be more careful about sharing sensitive information online.' Or, as the Wall Street Journal puts it, 'To fight computer crime, the good guys are masquerading as bad guys pretending to be good guys.' West Point cadets were among those who got fake phishing emails -- in their case, from Aaron Ferguson, a teacher at the academy. 'The gullible cadets received a "gotcha" email, alerting them they could easily have downloaded spyware, "Trojans" or other malicious programs and suggesting they be more careful in the future. ... Nonetheless, he says the exercise upset some cadets, who felt it exploited their inclination to follow an order from a colonel, no questions asked. He says the new edict is, "Ask questions first, then execute." '"
Its all fun and games until the bad guys start posing as the good guys posing as the bad guys.
Or in other words, use Common Sense?
Dilbert really got the point.
follow me on Twitter: http://twitter.com/moeffju
Its human nature to be trusting of others. People don't want to believe that there are bad people out there who want to do them harm. I think this exercise was kind of silly, "Look, these cadets in an ARMY SCHOOL will follow what a SUPERIOR tells them to do! OMG ROFL!!!!11"
I think its sad that its come to the point where we have to assume everything is untrustworthy and to have to keep a guard up 24/7.
"Sir! Sir! Are you a terror-"*gets shot*
I never spellcheck and I freely admit it. Save your karma for more worthwhile "lol erorrs" replies
That's an order son.
My initial response is that cadets needs to wise up about who's who when orders are given, but then I realized that it's probably a federal offense to impersonate a military officer in real life. The question then becomes whether it's illegal to impersonate an officer online. If so, the good/bad/good guys have gone too far.
What do you mean they cut the power? How can they cut the power, man? They're animals!
I think the issue here is to be more questioning of the authenticity of orders - I doubt they'll want cadets questioning the colonel about orders in person, but the point is that you can't trust the authenticity of an email without verification.
It depends. On a nuclear sub, they had better be verifying those orders are authentic before launching. In fact they do verify that messages are authentic. They use this thing called cryptography. So, this is in fact a healthy lesson to be teaching these cadets. They cannot blindly follow orders comming from untrusted sources.
But following an instruction from a superior officer is something we do try to encourage in the Forces these days.
I hope they train them to make sure it actually is their superior officer giving an order. 'Cause if they don't, I've got a gwbush3838412@hotmail.com account and some stuff I wouldn't mind seeing get blowed up.
Under the current rules, an e-mail from a superior carries the force of an order. In most situations, this is a good thing. However, there is a problem in that plain e-mail is inherently insecure. Most military e-mail servers don't perform any sort of authentication, so I could easily send mail that looks like it came from General Foobar.
Of course, the solution is some sort of PKI solution -- and it's mostly here. US military ID cards are smartcards with PKI certficates on them. There was a mandate that all official DOD e-mail be signed. The deadline passed years ago, with most people unaware that it was ever a requirement. The problem is that the military's infrastructure just isn't ready.
In the Air Force, for example, your e-mail address is first.last@basename.af.mil. What happens when you change bases? You have to get a new cert, of course, and now you can't decrypt e-mail sent to your old address (ie, archived mail). Further, say you have an Army person stationed at an Air Force installation. The Army has unified e-mail addresses (name@us.army.mil), but the Soldier will also have a unit e-mail address, which will probably be his primary SMTP address (if it weren't, he wouldn't show up correctly in the GAL). The solution is to give him two e-mail addresses on his cert.
But wait! The software the DOD uses to write the certs can't do two RFC822 addresses. Lame, but true. So now you're stuck forcing the Soldier to have his army.mil address set as his primary SMTP, have it forward e-mail to his unit account, and just suck it up when people complain about not being able to find him in the GAL.
Now for the real reason PKI isn't fully implemented. Exchange 2000 OWA can't handle S/MIME out of the box. Exchange 2003 can, and some major commands run it, but at least one (I'm looking at you, USAFE) have it disabled (WHY????!!!). The long and the short is that commanders wouldn't be able to read their secure e-mail from anywhere but their desks.
The end result is that the taxpayers payed millions of dollars to pave the way for a decent secure e-mail solution for the US military, but we don't use it. The result is that those cadets (and anyone else) really don't know who their e-mail comes from, but they still must act as if it's an order from the person it says sent it.
It's always a long day... 86400 doesn't fit into a short.
This raises a rather interesting question of whether institutions with assumed automatic compliance, like the military (for practical reasons), may become especially vulnerable to certain types of viruses that engage in a form of social engineering attack?
In the article's example, no colonel of the name given existed. However, in many virus variants, compromised computers use address books to form fake mailings to one person on the list from another person on the list. Given that an email list generally represents a network of people who mostly know each other, this leads to the recipients using a much lower level of caution when receiving an email with an attachment from someone they know. To make this even more severe, where institutionalized automatic compliance exists, many of these emails would appear to come from superiors and make virus transmission almost a certainty.
Of course, this could also occur in any private organization with strict command and control or possessing a culture of fear leading to blind obedience to any orders coming down from the top. Therefore, one could hold that you can lessen security exposure to these types of attacks (viruses serve as just a starting point as other social engineering attacks could also work in this context, with much more disastrous results) by creating a more permissive and questioning command and control structure. However, obviously, this would not work for the military and perhaps some other institutions, except in certain contexts, so what do you do?
In this case, I would expect a colonel to trust his officers enough to tell them "I'm sending this autoinstal to you". Or his officers to reply "Sir, you sent us an autoinstall without mentioning it. Please confirm this was your intent."
I thought a big part of military training was the idea that no soldier is to obey an unlawful order, or a lawful order unlawfully given.
ESPECIALLY at the top military academies, such as, oh, say, West Point!
So these cadets are, in effect, saying "But I was Just Following Orders!" - which is NOT a valid excuse.
www.eFax.com are spammers
To me, it's pretty scary that someone would just commit an action just because that someone was trained to follow instructions only, and to never question.
Military members are obligated to follow lawful orders from those above them. They have to ask themselves "is this legal? Does it mesh with the Uniform Code of Military Justice? Rules of engagement? Geneva Conventions?" Something tells me that inputting personal information because of an email does not necessarily qualify as an unlawful order.
24 beers in a case, 24 hours in a day. Coincidence? I think not!
You might still be helping them in some small way by confirming that your email address is valid.
Many spam and phishing emails use links that contain an ID indicating the email address. For instance, "myspamsite.com/great_offers.php?id=1492" where "1492" corresponds to "columbus@hotmail.com" in the spammer's database. Sometimes that ID is buried within a long URL full of different parameters, too.
Valid emails (especially of those that click on them) are valuable to spammers.
It's the same reason that you shouldn't click the unsubscribe link or display remote images in your email.
It's even more important that cadets be taught to question orders from superiors before executing them, than it is for them to recognize they're being phished. Because soldiers "execute" real people. Especially with orders increasingly coming over telecom, rather than the more easily authenticated "face to face" (or "about face / forward march"). And with the chain of command increasingly complex, like mercenaries, unaccountable either to military law, US law, or (nonexistent) US law, commanding troops in Iraq.
Lots of the abuse we see coming from Guantanamo and Abu Ghraib (and elsewhere) could have stopped before it started, if soldiers had questioned the orders or directions given them to execute inhuman acts on prisoners. The more humane soldiers will question such orders anyway, even when they are legit. So it's extremely important that they learn how to quickly, consistently, and effectively question and execute orders during training. Instead of facing that awkward learning curve on a battlefield, or just in a prison where they can't afford to lose face before a prisoner.
--
make install -not war
You've made your decision then?
Not remotely! Because spam comes from Russia. As everyone knows, Russia is entirely peopled with criminals. And criminals are used to having people not trust them, as you are not trusted by me. So, I can clearly not click the spam in front of you.
Truly, you have a dizzying intellect.
Wait 'til I get going!! ... Where was I?
Russia.
Yes! Russia! And you must have suspected I would have known the spam's origin, so I can clearly not click on the spam in front of me.
You're just stalling now.
You'd like to think that, wouldn't you! You've beaten my trojans, which means you're exceptionally well protected against viruses ... so you could have put the spam in your own email trusting on Norton AV to save you, so I can clearly not choose the spam in front of you. But, you've also bested my spyware, which means you must have studied ... and in studying you must have learned that man is mortal so you would have put the spam as far from yourself as possible, so I can clearly not choose the spam in front of me!
You're trying to trick me into giving away something. It won't work.
It has worked! You've given everything away! I know which email the phishing attack is!
Then make your choice.
I will, and I choose ... what in the world can that be?
What? Where? I don't see anything.
Oh, well, I ... I could have sworn I saw something. No matter. [laughing]
What's so funny?
I ... I'll tell you in a minute. First, let's click, me on my email and you on yours.
You guessed wrong.
You only think I guessed wrong! That's what's so funny! I switched emails when your back was turned! Ha ha! YOU FOOL! You fell victim to one of the classic blunders. The most famous is: Never get involved in a land war in Asia!, and only slightly less well known is this: Never go in against a Sicilian when death is on the line!
John
Depends on the situation. If a 4 star general is attempting to gain access to a protected installation, and a SF/MP member requests his ID, then that same 4 Star is required by law under UCMJ to provide it.
.mil address and includes the proper signature block.
Here's a real-world example:
Location is on some AFB's flight line. An O-6 pilot , who thinks that restricted area demarcations do not apply to him, enters the restricted area without utilizing an authorized entry point. The SF team on patrol in the area hails the O-6, who ignores their orders to halt. At this point, he's run down, jacked up, placed in handcuffs, at which point he's escorted from the area and subjected to a very through search.
So, as you can see, depending on the situation, there are NO repercussions. It's all about whether the challenging individual has the proper authority to request verification of identity. In all cases, a set of orders will be accompanied by a form of authentication, which you *should* be able to trust as valid.
Now, getting back to the situation at hand, involving the email. Most likely, they received and e-mail with a valid signature block of the Col. in question. Upon receipt of that, they can do one of two things:
1. Do what the email says. As far as they can tell, the email is properly authenticated as long as it comes from a
2. Reply to the email requesting clarification. If the response seems sketchy, they can then use their chain of command to verify the authenticity.
Now, herein lies the caveat in all of this; because they are cadets, they spend seven days a week, 24 hours a day getting it drilled into their heads to obey orders. As a result of that, they are less likely to question anything, or request clarification on anything they might otherwise question the authenticity of. Ultimately, I think this was a really bad way to handle the situation on part of the instructor.
I have no regrets, this is the only path.
My whole life has been "UNLIMITED BLADE WORKS"
<THUD!>
They were both phishing attacks. I spent the last few years lying about who I am to build a false identity. I'm no one to be trifled with. That is all you'll ever need know.
//Information does not want to be free; it wants to breed.
The US soldiers often have the benefit of superior intelligence so they don't have to ask, but mostly confirm who they are going to shoot.
Or in some cases, request permission to fire, get denied and then drop a bomb or two on coalition forces thus resulting in the death of four allied infantry personel.