JackBenny (Sergeant)
Joined: Jul 12, 2002 Posts: 140 Location: USA
Posted: Wed Dec 18, 2002 12:35 pm Post subject: The Risk Digest
I thought I'd share one of the newsletters I receive. This deals mainly with news involving the risks of today's technologies. The following is the content list from the current issue, plus one of the stories:
Quote:
Contents:
Bad circuit crashed $150 million jet at Woomera (George Michaelson)
Senate closes accidental anonymizer (Dave Stringer-Calvert)
More on identity thieves strike eBay, whose policies make it worse (Elana)
Australian ruling is raising worries (Monty Solomon)
Moore's Law hits a leak (NewsScan)
Paypal scam? (Dawn Cohen)
Internet spam mogul can't take what he dishes out (Purkasz)
Tower reports customer information "leak" (B Crook)
Perils in switching to Yahoo (David Lazarus via Monty Solomon)
Community security education contacts (Rob Slade)
U.S. Army Research Office Calls For Odortype Detection Proposals (PGN)
Re: Anti-worm "throttling" (Jeremy Epstein)
The risks of RISKS (Donald A. Norman)
REVIEW: "The Art of Deception", Kevin D. Mitnick/William L. Simon (Rob Slade)
REVIEW: "Secured Computing", Carl F. Endorf (Rob Slade)
Abridged info on RISKS (comp.risks)
Quote:
The RISK of RISKS:
I've become paranoid over the past year, but legitimately. And it is
wrecking my life.
Because I was involved in a National Academies study of anti-terrorism, I
examined how people defeated security systems. The security community --
with some notable exceptions -- seems to think this is a technological
problem: put in enough technology and the system is secure. I have always
thought just the opposite: this is a social problem. Indeed, my belief is
that "The more secure you make the system from a technological point of
view, the less secure you are apt to have made it in reality." Why? Because
the technology gets in the way of work, and so the most dedicated workers
will defeat the system in order that they can get their work done. My
studies of the cracker community and discussions with professional "red
team" members simply reinforces the view.
We are social beings: we work well in small, cooperative groups. Part of the
benefits of our society is that we all help one another. We trust one
another. The people who would deceive us understand this and manipulate it.
Well, the social engineer takes advantage of all of this. I've just finished
reading the book by Mitnick and Simon. I recommend it to everyone: it is
scary. It tells how a few simple sounding (but very sophisticated) phone
calls can get the sophisticated con artist almost anything. It gives very
convincing examples.
Mitnick, K. D., & Simon, W. L. (2002). The art of deception:
controlling the human element of security. Indianapolis: Wiley.
So now I am on guard. And guess what, I immediately spot spoofs. I get an
e-mail stating that I have just signed up with American Express for
bill-paying, so I should log on to this URL and set up my account. Except
that I didn't recall signing up, and the URL is not associated with American
Express: it is "thevalidnetwork.com". Sounded like a spoof to me. I call
up American Express. They deny all knowledge of the site, but they also
refuse to accept my complaint. "Not my department," said the woman, as she
gave me a different phone number to call and hung up on me. The man at the
other phone number also confirmed that this was not a valid American Express
site, and he wanted to report it, but it wasn't his responsibility either --
the phone number he asked me to use was for the woman who refused to take
it. He tried -- he was turned down too.
So American Express claims this is not their site, but refuses to let me
file a complaint.
Then yesterday, I get a letter inviting me to a conference. Would I send my
address and phone number, and also the phone numbers of anyone else I
thought should be invited. The person said he had gotten my name from X, and
said the conference was run by Consumer Reports. Well, the website he
listed gave no hint of why I should trust this person -- he claimed to be a
contractor. I checked with X, who said, no, he couldn't vouch for the
person. The letter said time was of the essence, but it came in over the
weekend, so I couldn't call Consumer Reports to check.
Both letters were perfect examples of Mitnick's illustrations of how to con
people. They look legitimate, but if you examine them closely, the URLs are
wrong, and although legitimate names are given, this is an emergency and the
answer must be given now, after hours, when those legitimate-sounding names
can't be checked.
I now have discovered that both e-mails were legitimate. My financial advisor
had signed me up for the bill payment scheme (he says we asked him to). The
site was subcontracted by American Express to do this, but obviously, their
phone support people don't know this. As for the invitation, the person at
Consumer Reports vouched for it.
But what a life we have to lead: we can easily be conned by legitimate
looking requests. And we might refuse to honor legitimate requests that
could also be frauds. Or, even if we accept them, we waste a lot of time
checking them out -- a lot of our time and that of the people we have to
bother to find out if it is real. And, along the way, I also discovered that
even if we are recipients of a real fraud, it is very difficult to tell
anyone. An amazing number of websites lack any contact information, any way
of reporting a problem. And even if you do report a problem, it is answered
bizarrely. I just reported over a website to Mindspring that their server
seemed to be down. In reply I was told how to check the modem settings under
Windows 98. That wasn't my complaint, I don't use a dial-up modem, and I
don't run Windows 98. When I complained that the response was not relevant,
I got instructions to check the wiring of my modem.
So consider the RISKS of RISKS. We waste time every day deleting spam and
backing up our systems. We waste time every week updating our virus controls
and rescanning our computer systems. We no longer can trust the people we
interact with, for social engineers take advantage of all that we have come
to trust. We are searched at work and when traveling. We have to watch what
we say in public because it might be misinterpreted. And there is nobody to
complain to.
Trust is rapidly leaving our society, and we all are worse off as a result.
Current issue
http://catless.ncl.ac.uk/Risks/22.43.html
About, and subscription info http://catless.ncl.ac.uk/Risks/info.html#subs
Paul (CastleCops Founder)
Joined: Feb 22, 2002 Posts: 27351
Posted: Wed Dec 18, 2002 1:57 pm Post subject:
I believe there needs to be a balance in whatever environment you find yourself in. Take for instance a look at this news item. It gives a list of sites to use for Internet or Identity fraud.
Why wait to find out your credit is being accessed or tampered with? Sign up with Equifax or Experian's online watch program.
Ok, so you can't trust me or others you communicate with, then take up secured messaging using X.509 or PGP encryption or signing.
There are measures to help protect against social engineering.
Take the SecurID system. Implement it on all servers in a work environment and give all those who require access a Keyfob. No one will be handing out their PIN numbers, and even if they do, they need the keyfob as part of the login process.
I think if security is going to be implemented, it should be done all the way and not half-fast. It is that last state which is prone to social engineering.
_________________
Paul Laudanski - http://www.laudanski.com
http://www.linkedin.com/pub/1/49a/17b
ergibbs (Captain)
Joined: Dec 10, 2002 Posts: 343 Location: Florida
Posted: Wed Dec 18, 2002 10:58 pm Post subject: Whatever happened to
Relying on people to use their own brains to protect themselves? The author of the article posted above certainly used his brain, but so many times you read about/hear about/deal with, "but it came from so-and-so, so it had to be valid!" Or, "just send me $100 to claim your $10000 prize!" I may not be the smartest cookie on the jar, but I ain't fallin' fer it! If you receive an email that reads, "the files you requested are on their way; in the meantime take a look at this!" and you click on the attachment, I can't really feel sorry for you. I mean, did you request any files from that person? You didn't?!?! Then why are you opening the attachment? It's the same with security. A little common sense goes a long way; unfortunately, those without much common sense are the ones that get compromised and aid to the security problems that are encountered.