Slashdot Mirror


Anti-Phishers Pose as Phishers to Make Point

Carl Bialik from the WSJ writes "This article notices a new trend in efforts to fight phishing: Anti-fraudsters are posing as phishers 'to train users to be more careful about sharing sensitive information online.' Or, as the Wall Street Journal puts it, 'To fight computer crime, the good guys are masquerading as bad guys pretending to be good guys.' West Point cadets were among those who got fake phishing emails -- in their case, from Aaron Ferguson, a teacher at the academy. 'The gullible cadets received a "gotcha" email, alerting them they could easily have downloaded spyware, "Trojans" or other malicious programs and suggesting they be more careful in the future. ... Nonetheless, he says the exercise upset some cadets, who felt it exploited their inclination to follow an order from a colonel, no questions asked. He says the new edict is, "Ask questions first, then execute." '"

20 of 337 comments

  1. Until... by suso · · Score: 5, Funny

    It's all fun and games until the bad guys start posing as the good guys posing as the bad guys.

    1. Re:Until... by gehel · · Score: 4, Funny

      To understand recursion, we must first understand recursion ...

  2. Human Nature by kevin_conaway · · Score: 5, Interesting

    It's human nature to be trusting of others. People don't want to believe that there are bad people out there who want to do them harm. I think this exercise was kind of silly, "Look, these cadets in an ARMY SCHOOL will follow what a SUPERIOR tells them to do! OMG ROFL!!!!11"

    I think it's sad that it's come to the point where we have to assume everything is untrustworthy and to have to keep a guard up 24/7.

    1. Re:Human Nature by RAMMS+EIN · · Score: 4, Insightful

      ``I think it's sad that it's come to the point where we have to assume everything is untrustworthy and to have to keep a guard up 24/7.''

      That paints the picture a bit blacker than it really is. Of _course_ you can't just assume that _everything_ you encounter can be trusted without further thinking. That's not a recent development; it's always been that way. But it's not like you have to distrust everything you encounter, either.

      Common sense should get you a long way. If someone is offering you great riches for no effort, or demanding you verify your account by entering your password even though your bank said they'd never do that, or you are asked to verify an account with a service you aren't registered with, or your sister sends you an email that is in a completely different writing style from what she normally uses, it's almost a sure bet it's a scam. If one of your friends or colleagues sends you a message about something you share an interest in, it's almost certainly legit. Anything that falls in between warrants closer inspection. It really isn't all that difficult.

      --
      Please correct me if I got my facts wrong.
    2. Re:Human Nature by stephenbooth · · Score: 4, Funny

      From: GeorgeB@whitehouse.gov
      To: SAC_Command@Cheyenne.mil
      Subject: Nuke Washington

      Hi guys,

      The evildoerres have taken ovar congres. I want you to launch those nucluar missels at Washington now. Don't bother to call to check, this is legitamut.

      George
      (the President)

      --
      "Don't write down to your readers, the only people less intelligent than you can't read" - Sign on Newspaper Office Wall
  3. I can see it now by BlackCobra43 · · Score: 4, Funny

    "Sir! Sir! Are you a terror-"*gets shot*

    --
    I never spellcheck and I freely admit it. Save your karma for more worthwhile "lol erorrs" replies
    1. Re:I can see it now by Marc2k · · Score: 4, Funny

      Snake? Snaaaaaaaaaaaake!

      --
      --- What
  4. Question Authority by mikeophile · · Score: 4, Funny

    That's an order son.

  5. Welcome to the real world? by devnullkac · · Score: 4, Insightful
    Nonetheless, he says the exercise upset some cadets, who felt it exploited their inclination to follow an order from a colonel, no questions asked.

    My initial response is that cadets need to wise up about who's who when orders are given, but then I realized that it's probably a federal offense to impersonate a military officer in real life. The question then becomes whether it's illegal to impersonate an officer online. If so, the good/bad/good guys have gone too far.

    --
    What do you mean they cut the power? How can they cut the power, man? They're animals!
    1. Re:Welcome to the real world? by tsanth · · Score: 4, Insightful

      I disagree. The good/bad/good guys did the reasonable expected thing, because in a real-world situation, a phisher wouldn't stop just because it's illegal to impersonate an officer.

      The test did what it needed to do and showed what it needed to show. An AC above pointed at SMTP being the problem, but I feel that the problem's really even deeper than that: how many of the students actually checked the headers before they clicked that link?

      I'm guessing few to none.

  6. Re:"Ask questions first, then execute" by awkScooby · · Score: 4, Insightful

    It depends. On a nuclear sub, they had better be verifying those orders are authentic before launching. In fact they do verify that messages are authentic. They use this thing called cryptography. So, this is in fact a healthy lesson to be teaching these cadets. They cannot blindly follow orders coming from untrusted sources.

  7. Re:Common Sense by bigman2003 · · Score: 5, Insightful

    Unfortunately, common sense does not mean the same thing for the average user, as it does for people on Slashdot.

    Average users feel that since mail was sent to them, it should be safe to open it.

    Common sense means that it is the job of the technical industry to make sure that this can happen. That the average user can open mail without worrying about being 'infected.'

    Common sense means that when an e-mail is sent, and it says that Grandma Jones sent it, it really was from Grandma Jones.

    Common sense means that WE (technical industry) have a lot of work to do. Not the average user. Their only job is to use the infrastructure we create.

    --
    No reason to lie.
  8. Re:Mindless obedience by CosmeticLobotamy · · Score: 4, Funny

    But following an instruction from a superior officer is something we do try to encourage in the Forces these days.

    I hope they train them to make sure it actually is their superior officer giving an order. 'Cause if they don't, I've got a gwbush3838412@hotmail.com account and some stuff I wouldn't mind seeing get blowed up.

  9. Highlights serious mil communications issue by Curien · · Score: 4, Interesting

    Under the current rules, an e-mail from a superior carries the force of an order. In most situations, this is a good thing. However, there is a problem in that plain e-mail is inherently insecure. Most military e-mail servers don't perform any sort of authentication, so I could easily send mail that looks like it came from General Foobar.

    Of course, the solution is some sort of PKI solution -- and it's mostly here. US military ID cards are smartcards with PKI certificates on them. There was a mandate that all official DOD e-mail be signed. The deadline passed years ago, with most people unaware that it was ever a requirement. The problem is that the military's infrastructure just isn't ready.

    In the Air Force, for example, your e-mail address is first.last@basename.af.mil. What happens when you change bases? You have to get a new cert, of course, and now you can't decrypt e-mail sent to your old address (i.e., archived mail). Further, say you have an Army person stationed at an Air Force installation. The Army has unified e-mail addresses (name@us.army.mil), but the Soldier will also have a unit e-mail address, which will probably be his primary SMTP address (if it weren't, he wouldn't show up correctly in the GAL). The solution is to give him two e-mail addresses on his cert.

    But wait! The software the DOD uses to write the certs can't do two RFC822 addresses. Lame, but true. So now you're stuck forcing the Soldier to have his army.mil address set as his primary SMTP, have it forward e-mail to his unit account, and just suck it up when people complain about not being able to find him in the GAL.

    Now for the real reason PKI isn't fully implemented. Exchange 2000 OWA can't handle S/MIME out of the box. Exchange 2003 can, and some major commands run it, but at least one (I'm looking at you, USAFE) has it disabled (WHY????!!!). The long and the short is that commanders wouldn't be able to read their secure e-mail from anywhere but their desks.

    The end result is that the taxpayers paid millions of dollars to pave the way for a decent secure e-mail solution for the US military, but we don't use it. The result is that those cadets (and anyone else) really don't know who their e-mail comes from, but they still must act as if it's an order from the person it says sent it.

    --
    It's always a long day... 86400 doesn't fit into a short.
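Curien's post above describes what a signed-mail setup has to do and why "two RFC822 addresses on a cert" matters. The following is an added example, not code from the thread or from any DOD system: it builds a self-signed signer certificate whose Subject Alternative Name carries two rfc822Name entries, signs a message body, and then performs the two checks an S/MIME-capable mail client makes before trusting a From line (signature verifies against the certificate, and the From address is one of the certificate's rfc822Names). It assumes the third-party `cryptography` package is installed; the addresses, common name and message text are constructed for the example.

```python
"""Added example: the signer-identity checks behind signed e-mail.
Assumes the third-party 'cryptography' package; all names/addresses are made up."""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID


def make_signer_cert(common_name, addresses, days=365):
    """Self-signed certificate whose SAN lists every address the holder may sign as.
    A real CAC cert would be CA-issued; self-signed is enough to show the matching rule."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.datetime.utcnow()
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=days))
        # One rfc822Name per address: this is the "two addresses on his cert" case.
        .add_extension(
            x509.SubjectAlternativeName([x509.RFC822Name(a) for a in addresses]),
            critical=False,
        )
        .sign(key, hashes.SHA256())
    )
    return key, cert


def signer_addresses(cert):
    """Every e-mail address the certificate binds the key to (lower-cased)."""
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName)
    except x509.ExtensionNotFound:
        return []
    return [a.lower() for a in san.value.get_values_for_type(x509.RFC822Name)]


def sign_message(key, body):
    """Detached RSA/SHA-256 signature over the message body."""
    return key.sign(body, padding.PKCS1v15(), hashes.SHA256())


def verify_signed_message(cert, from_address, body, signature):
    """Returns (accepted, reason). Both checks must pass before the mail is
    treated as coming from `from_address`: a valid signature from a cert that
    names a *different* address proves nothing about the From line."""
    try:
        cert.public_key().verify(signature, body, padding.PKCS1v15(), hashes.SHA256())
    except InvalidSignature:
        return False, "signature does not verify: body or signature was altered"
    if from_address.lower() not in signer_addresses(cert):
        return False, f"{from_address} is not an address on the signer's certificate"
    return True, "signature valid and From address matches the certificate"


if __name__ == "__main__":
    # Constructed addresses following the patterns in the post above.
    key, cert = make_signer_cert(
        "JOHN.DOE", ["john.doe@us.army.mil", "john.doe@somebase.af.mil"]
    )
    body = b"Report to the motor pool at 0600."
    sig = sign_message(key, body)
    for sender in ("john.doe@us.army.mil", "john.doe@somebase.af.mil",
                   "general.foobar@us.army.mil"):
        print(sender, "->", verify_signed_message(cert, sender, body, sig))
    print("tampered body ->", verify_signed_message(cert, "john.doe@us.army.mil",
                                                    body + b" (amended)", sig))
```

A certificate issued with only the army.mil address would fail the second check for mail sent from the unit address, which is exactly the forwarding workaround the post describes.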
  10. Re:Common Sense by schtum · · Score: 4, Insightful

    What will happen if someone knocks at Joe 6P's door and tells him:

    [BLAH BLAH...]

    and asks for his bank account number and other personal info.

    A lot of people would fall for it. You think con-artistry didn't exist before email? It's just more efficient now. Once you had to knock on 1000 doors to find someone so gullible, now you let them come to you. Some people are just [trusting/greedy/desperate] like that.

  11. Schools of Phish by Doc+Ruby · · Score: 4, Interesting

    It's even more important that cadets be taught to question orders from superiors before executing them, than it is for them to recognize they're being phished. Because soldiers "execute" real people. Especially with orders increasingly coming over telecom, rather than the more easily authenticated "face to face" (or "about face / forward march"). And with the chain of command increasingly complex, like mercenaries, unaccountable either to military law, US law, or (nonexistent) US law, commanding troops in Iraq.

    Lots of the abuse we see coming from Guantanamo and Abu Ghraib (and elsewhere) could have stopped before it started, if soldiers had questioned the orders or directions given them to execute inhuman acts on prisoners. The more humane soldiers will question such orders anyway, even when they are legit. So it's extremely important that they learn how to quickly, consistently, and effectively question and execute orders during training. Instead of facing that awkward learning curve on a battlefield, or just in a prison where they can't afford to lose face before a prisoner.

    --
    make install -not war

  12. You'd like to think that, wouldn't you! by plover · · Score: 5, Funny
    It's so simple. All I have to do is divine it from what I know of you. Are you the sort of man who would phish his own employees or his enemies? Now, a clever man would phish in his own company because he would know that only a great fool would reach for what he was given. I am not a great fool so I can clearly not click on the spam in front of you ... But you must have known I was not a great fool; you would have counted on it, so I can clearly not click on the spam in front of me.

    You've made your decision then?

    Not remotely! Because spam comes from Russia. As everyone knows, Russia is entirely peopled with criminals. And criminals are used to having people not trust them, as you are not trusted by me. So, I can clearly not click the spam in front of you.

    Truly, you have a dizzying intellect.

    Wait 'til I get going!! ... Where was I?

    Russia.

    Yes! Russia! And you must have suspected I would have known the spam's origin, so I can clearly not click on the spam in front of me.

    You're just stalling now.

    You'd like to think that, wouldn't you! You've beaten my trojans, which means you're exceptionally well protected against viruses ... so you could have put the spam in your own email trusting on Norton AV to save you, so I can clearly not choose the spam in front of you. But, you've also bested my spyware, which means you must have studied ... and in studying you must have learned that man is mortal so you would have put the spam as far from yourself as possible, so I can clearly not choose the spam in front of me!

    You're trying to trick me into giving away something. It won't work.

    It has worked! You've given everything away! I know which email the phishing attack is!

    Then make your choice.

    I will, and I choose ... what in the world can that be?

    What? Where? I don't see anything.

    Oh, well, I ... I could have sworn I saw something. No matter. [laughing]

    What's so funny?

    I ... I'll tell you in a minute. First, let's click, me on my email and you on yours.

    You guessed wrong.

    You only think I guessed wrong! That's what's so funny! I switched emails when your back was turned! Ha ha! YOU FOOL! You fell victim to one of the classic blunders. The most famous is: Never get involved in a land war in Asia!, and only slightly less well known is this: Never go in against a Sicilian when death is on the line!

    --
    John
  13. Re:Common Sense by bcattwoo · · Score: 5, Insightful
    I think that some slashdotters must be fortunate enough to have never seen a really good phishing email. We aren't talking about just some crappy, far-fetched Nigerian-type scams. The more apt analogy would be:

    You get a letter in the mail on your bank's letterhead in an envelope exactly like every other letter you have received from the bank (with the exception that the postmark is from a different zipcode than usual, but who checks those?). The letter states you need to sign some paperwork, could you please come to the nearest branch to take care of it. It provides some directions to your branch that isn't your usual route but their way does seem more direct. You arrive at the branch and everything looks just like you remember it, even the tellers look familiar. They ask you to fill in some account information on a form, sign it, and you are on your way.

    The good phishes don't ask for your password or account information through email outright. In an official looking email they direct you to visit your financial company's website to update or confirm something. For your convenience they even provide a link to the "website" for you, which directs you to an exact duplicate of that company's login page. I have even seen ones where clicking on the "help" or "contact us" links will actually take you to the corresponding pages on the real sites. A lot of these phishers are far from amateurs!
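Two posts above describe the checks nobody made: tsanth asks how many cadets looked at the headers before clicking, and bcattwoo describes the convincing phish whose "website" link goes to a look-alike while its "help" link goes to the real site. The following is an added example, not code from the thread: a small mail filter that parses a message with the standard library, compares the envelope sender (Return-Path) with the From domain, and compares each link's visible text with the host its href actually points to. Both sample messages, their headers, bodies and domains are constructed for the example; the `registrable_domain` helper is a deliberate simplification (last two labels, no public-suffix list).

```python
"""Added example: header and link consistency checks a mail gateway or a
cautious reader can apply before clicking. Standard library only; the sample
messages below are constructed and use documentation/example domains."""
import email
from email import policy, utils
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed phish: envelope sender and link target live on a different domain
# from the From header, while the link *text* claims to be the bank's site.
SAMPLE_PHISH = """\
Return-Path: <bounce@mail-relay.example.net>
From: "Example Bank" <security@examplebank.com>
To: customer@example.org
Subject: Please confirm your account details
Content-Type: text/html; charset="utf-8"

<html><body>
<p>We need you to confirm some information.</p>
<p>Visit <a href="http://examplebank.com.login-verify.example.net/account">https://www.examplebank.com/account</a> now.</p>
<p>Questions? See our <a href="https://www.examplebank.com/help">help page</a>.</p>
</body></html>
"""

# Constructed legitimate notice: everything agrees with the From domain.
SAMPLE_LEGIT = """\
Return-Path: <noreply@examplebank.com>
From: "Example Bank" <alerts@examplebank.com>
To: customer@example.org
Subject: Your statement is ready
Content-Type: text/html; charset="utf-8"

<html><body><p>View it at <a href="https://www.examplebank.com/statements">https://www.examplebank.com/statements</a>.</p></body></html>
"""


def registrable_domain(host):
    """Crude 'examplebank.com' from 'www.examplebank.com' (assumption: no public-suffix list)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def address_domain(header_value):
    """Domain part of an address header such as '"Name" <user@host>'."""
    _, address = utils.parseaddr(str(header_value))
    return address.rpartition("@")[2].lower()


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in the HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    return parser.links


def host_of(text):
    """Hostname of a URL or bare 'www.host/path' string."""
    return urlsplit(text if "://" in text else "http://" + text).hostname or ""


def phishing_indicators(raw_message):
    """Returns a list of human-readable findings; empty means nothing suspicious."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    from_domain = registrable_domain(address_domain(msg["From"]))
    if msg["Return-Path"]:
        rp_domain = address_domain(msg["Return-Path"])
        if registrable_domain(rp_domain) != from_domain:
            findings.append(f"envelope sender {rp_domain} differs from From domain {from_domain}")
    body = msg.get_body(preferencelist=("html",))
    for href, text in extract_links(body.get_content() if body else ""):
        target = host_of(href)
        if text.startswith(("http://", "https://", "www.")) and \
                registrable_domain(host_of(text)) != registrable_domain(target):
            findings.append(f"link text {text!r} actually points at {target}")
        elif registrable_domain(target) != from_domain:
            findings.append(f"link to {target} is outside the sender's domain {from_domain}")
    return findings


if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, "->", phishing_indicators(raw) or "no indicators")
```

Note that the "help page" link in the phish produces no finding, exactly as bcattwoo describes: the real site is linked for the harmless pages, so a filter has to judge each link on its own rather than trusting the message because one link checks out.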

  14. Re:Common Sense by Kainaw · · Score: 4, Interesting

    Unfortunately, common sense does not mean the same thing for the average user, as it does for people on Slashdot.

    I learned this when giving a computer security class at an old job. I had over 200 people in the auditorium and I said, "If you came home and there was a box on your front step that said 'Happy Birthday - Please Open Me - Love, Grandma' and it wasn't your birthday and you normally don't get presents from your grandma, would you rush right over and rip it open?"

    Over half the people said yes and claimed that I was stupid for being suspicious of strange boxes showing up at my door.

    --
    The previous comment is purposely vague and generalized, but all of the facts are completely true.
  15. You Guessed Wrong. by abb3w · · Score: 4, Funny
    Ha ha!

    <THUD!>

    They were both phishing attacks. I spent the last few years lying about who I am to build a false identity. I'm no one to be trifled with. That is all you'll ever need know.

    --
    //Information does not want to be free; it wants to breed.