This goes without saying, but they don't need access to Amazon.
If I were crafting an email and had to make it convincing, this is what I'd do:
Take a preexisting HTML newsletter, the ones with 9-15 products for sale.
Replace two or three entries with bait, the $2.99 price mistakes.
Have the bait link to my site, amazon.legitimatedeals.com, a mockup of Amazon's website. Clicking leads to a login page, where the unsuspected might be snared.
I'll be honest; I've clicked through html links before. I know about being asked for account information, and an immediate login request raises a warning flag. As an aside, I also disable periodic email updates whenever possible. I'm not a big fan of commercial email, no matter how many deals you have today, even if I place an order every two weeks or so.
Phishing asks the user to work. Come here, log in, etc. This is usually accomplished by scaring the user into compliance.
What happens when people are presented with the opportunity for rewards? If you log in right now, you might be able to get that deal before it's fixed or runs out of stock. People momentarily let their guard down, and it only takes a few seconds to be snagged. As another benefit, the email or link might be passed around or forwarded; I see posts all the time with "are these guys for real?", with some guys placing an order anyway because they can cancel it. They're to legitimate sites, but they don't always have to be.
As for petname, I believe most techies will choose the option of "being too smart to be fooled" over maintaining a user-created database of sites. Magicians know it's easier to fool intelligent people, because they "know" they can't be tricked. A little food for thought.
I'm sure someone has already posted this before, but this is a pretty good scenario of techniques used today:
http://isc.sans.org/diary.php?storyid=1118
Snippets of your credit card info (the first part of the card number is usually the same for an issuer's customer base)
Non-obfuscated links (not a link to a .ru domain)
Valid SSL certificate
Valid links to other credentialing organizations
Most of us are aware of the typical phishing attempt. Message from your bank, paypal, ebay, etc asking you to log in to "verify" your info. Old hat.
How about this: You get an email newsletter from Newegg or Amazon. Look, a brand new HP Laserjet printer for only $3.99. Whoa, those guys screwed up! You click the link, and sure enough, the price is valid, though they undervalued the printer by a factor of 100. You're lucky, there's only three left in stock (but don't worry, there's more on the way!) You log into your account; heart pounding, racing to get your order submitted and shipped before the price is corrected.
Congratulations, you've just been hit by a targeted phishing scheme.
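A mail-gateway check for the lookalike-host trick described in the posts above, given here as an added example that is not part of the original posts: it flags newsletter links whose hostname contains a brand name while the registrable domain belongs to someone else. The brand table, the two-label domain shortcut and the sample newsletter are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: brand name -> registrable domains that brand really links to.
BRAND_DOMAINS = {"amazon": {"amazon.com"}, "newegg": {"newegg.com"}}

# Constructed sample: a product newsletter with one swapped-in bait entry.
SAMPLE = """
<table>
 <tr><td><a href="https://www.amazon.com/dp/EXAMPLE1">USB hub $19.99</a></td></tr>
 <tr><td><a href="http://amazon.legitimatedeals.com/deal?id=2">HP LaserJet $2.99</a></td></tr>
 <tr><td><a href="https://www.amazon.com/dp/EXAMPLE3">Desk lamp $24.00</a></td></tr>
</table>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML e-mail body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    # Simplification: last two labels. Real code should use the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def suspicious_links(html):
    """Return (brand, host, link text) where the host names a brand it does not belong to."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        host = (urlsplit(href).hostname or "").lower()
        for brand, real_domains in BRAND_DOMAINS.items():
            names_brand = any(brand in label for label in host.split("."))
            if names_brand and registrable_domain(host) not in real_domains:
                findings.append((brand, host, text))
    return findings


if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE):
        print("lookalike host:", finding)
```

The check keys on the hostname, not on the certificate or the page content, because a lookalike site can present a valid SSL certificate and working links to the real brand.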
I regret to inform you that the Army doesn't have a "Doom Corps" set aside for l33t gamers. The leadership skills you gain from the military do help in clans though. :) I play way too much UT2k4 ONS.
In the simulation I went through, neither friendly fire nor movement were monitored. Think of it as a souped-up, multiplayer game of Duck Hunt. I've read some articles about scenarios adapted for convoy operations; it is possible they monitor vehicle simulated speed and adjust the scenery accordingly. I've never seen this in person, so this is idle speculation on my part.
Do video gamers have an edge over nongamers? Signal units (MSE) are termed "combat support". We don't go looking for trouble, but we're still trained to react if trouble finds us. For convoys, a snap decision has to be made whether or not to engage. We see people carrying AK-47s every few minutes, and there's been times where we'll hear nearby fire. Are they shooting at us or at another convoy? Nah, they're shooting up in the air, celebrating (likely a wedding).
First instinct is to identify a threat. We all know better than to spray and pray; wounding civilians makes no friends. Also, to paraphrase the Doom II FAQ, it's better to die aiming than reloading. ;)
Another concern is that of imminent threat. Hell, I wouldn't walk the streets in Iraq unarmed, so it's not entirely unreasonable for civilians to carry weapons for self protection. Just don't point your weapon at me, and we'll get along just fine. Mortar tubes mounted on pickup trucks don't count; it's open season on those guys.
I think the second issue would provide the most difficulty to gamers. In CS, when do you not shoot at the other team? I've never had to pull a trigger on a human being, so I've never been put in that situation.
My unit went through a computerized simulation before our deployment to Iraq in 2003.
Disclaimer: I'm active-duty Army (only for a few more days, hallelujah), but I'm not infantry or a "combat arms" MOS. I'm Signal, and have likely spent more time debating OSPF vs EIGRP than being on patrol. MOS25F/Node Center FTW.
As I said earlier, this was back in 2003, so I'm sure the tech has improved a bit since I went through.
Typical exercise involves 6-8 guys in a darkened room. The simulation is projected at one end of the room, and we are arrayed directly across from it. We are provided with M16s, and one person each gets an AT4 anti-tank rocket and M16/M203 grenade launcher. I don't recall if blanks were used with the M16, or if firing sounds were simulated.
Simulation starts with a nostalgic orange/white 3dfx splash screen. They wouldn't let me near the console PC, so I'll never know if it ran on a Voodoo5 6000. :)
Everyone is in either a crouched or prone position, and we are greeted with picturesque dunes. A Soviet-style armored vehicle rolls across the screen, slowly meandering towards our position. Nobody does anything. Bah, everybody's frozen up, I thought. I take the initiative, and start unloading my M16's magazine into it. Sure enough, everyone else does the same a few seconds later.
Fun fact: 5.56 mm rounds have no effect on armored APCs. After being enlightened of this by the instructor, the simulation is run again. This time we get infantry swarming at us from over and between the dunes. We engage, and shoot at squad based groups for a few minutes. A running tally is maintained, and we are told our scores at the end. As expected, we were all wildly inaccurate (I blame sensor calibration), with the exception of the M203 guy, who managed to rack up a sizable percentage of kills. Who needs accuracy when you have grenades?
Since then, training has been heavily modified to focus more on "modern" threats, but I don't think I should go into particulars. ;)
While I can't claim to be an InfoSec expert, I do work in the military (Army). I hope you're not inferring that flash drives are taboo because they might get lost. If this is true then CDs, floppy disks, and even paper printouts should be banned as well. This is not the case.
For MSE at least, we maintain the concept of least privilege. Simply put, everything has a classification level, from unclassified/FOUO, confidential, secret, top secret, and up. You do not mix and match equipment with varying security levels. If a laptop is rated unclassified, it will not go on the SIPRNET (secure network). In addition, a device carrying sensitive information is classified at the highest level of the information (i.e., a CD-R burnt with Secret and Unclassified documents is now rated Secret, and will be handled as such.) This is how we protect data: determine the security rating, ensure that the boundary safeguards are respected, and treat all data in accordance with preexisting regulations.
From my experience, flash drives are the most viable portable media aside from paper. When my unit deployed to Iraq in 2003, we discovered that: 1) floppy disks were rendered unreadable by heat/dust within two months, and that CDROM drives usually died after 6-9 months of exposure. The second time we deployed, key leaders (and friends of the supply sergeant :)) were issued flash drives. We had a few go bad, but the majority were damaged by abuse (donning body armor was the main culprit). Storage is cheap, and we had a secure network to transfer files. (sneakernet discouraged) Our biggest problem was the people interpreting the data. :)
"Always on" is a two-edged sword. On one hand, your systems can be automatically patched (Windows XP defaults to 3 AM). On the other hand, that compromised box running a port scan on your network is always on, as well.
SANS keeps a measurement of the 'survival time' of various platforms: http://isc.sans.org/survivalhistory.php
The average life expectancy of the Windows platform is currently 88 minutes. Keep in mind that this estimate is really a count of port attacks by worms, not active systems compromised. W32.Welchia's port scan (DCOM vuln; TCP 135) would have little effect on an XP Service Pack 2 machine.
Unless the individual keeps a 24/7 dialup connection, it is unlikely that the user will be up to date against current threats. You can try to download updates before you get infected, but often times people don't get that lucky. Worm/virus port scans are seemingly random, so it's really a tossup as to whether a dialup or broadband connection would be infected first. Broadband access allows Windows to more easily patch itself, and a common router with NAT could shield you from most worm attacks. On the other hand, once you free yourself from the confines of dialup, one's surfing begins to stray elsewhere. Rest assured, that warez/pr0n site is up to date with the latest IE/Java scripting vulnerability. :)
It's the PSU that overheats, causing the majority of recent problems.
But hey, if you'd rather spend ~180 on a water cooling system instead of not stuffing the power block deep inside a cabinet, more power to you. ;)
A filter would be pretty easy to bypass, either by sending the wmf in a compressed file or by renaming the extension.
One could simply block all images, but your boss might be a little miffed when he can't conduct "Internet research".
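A filter that inspects content instead of file names covers both cases raised in the post above; the following is an added example, not part of the original post. It recognises the two WMF header forms by their leading bytes and recurses into ZIP attachments; the function names, size limit and sample files are assumptions constructed for illustration.

```python
import io
import struct
import zipfile

PLACEABLE_KEY = b"\xd7\xcd\xc6\x9a"  # placeable-metafile key 0x9AC6CDD7, little-endian
MAX_MEMBER = 10 * 1024 * 1024        # assumed cap on archive members we unpack


def looks_like_wmf(data):
    """True if the bytes start with a placeable or a standard WMF header."""
    if data[:4] == PLACEABLE_KEY:
        return True
    if len(data) < 6:
        return False
    ftype, header_words, version = struct.unpack_from("<HHH", data)
    return ftype in (1, 2) and header_words == 9 and version in (0x0100, 0x0300)


def find_wmf(name, data, depth=0, max_depth=3):
    """Return findings for WMF content in `data`, whatever the file is called."""
    if looks_like_wmf(data):
        return [name]
    hits = []
    if depth < max_depth and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            for info in archive.infolist():
                member = f"{name}!{info.filename}"
                if info.file_size > MAX_MEMBER or info.flag_bits & 0x1:
                    # Oversized or encrypted: cannot inspect, so report for quarantine.
                    hits.append(member + " [uninspectable]")
                    continue
                hits += find_wmf(member, archive.read(info), depth + 1, max_depth)
    return hits


def constructed_samples():
    """Constructed test attachments: a renamed WMF, a ZIP holding one, and plain text."""
    wmf = struct.pack("<HHHIHIH", 1, 9, 0x0300, 9, 0, 0, 0)  # bare 18-byte header
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("holiday.jpg", wmf)
        archive.writestr("readme.txt", b"hello")
    return {"photo.jpg": wmf, "pics.zip": buf.getvalue(), "notes.txt": b"plain text"}


if __name__ == "__main__":
    for fname, blob in constructed_samples().items():
        print(fname, "->", find_wmf(fname, blob))
```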
The key factor here isn't the ability to disrupt communications, but to do so temporarily. From what I gather, most of the Middle East relies on European commercial satellites for communications. Knocking a $500 mil bird out of the sky tends to piss off your coalition allies. Perhaps their contribution to the next war effort will be to endure a minor disruption in service while ground/air operations commence. The people who should be outraged are the corporations who put the satellites up in the first place. Now that we have the equipment to "harmlessly" disable a satellite, the inclination to do so will likely rise as well.
http://www.google.com/search?hl=en&lr=&c2coff=1&q=%2B%22No+plan+survives+contact+with+the+enemy%22+%2Bvon+%2Bmoltke