Security Incidents mailing list archives
Re: Yet another Visa scam scheme
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Tue, 03 Feb 2004 12:17:40 +1300
Raffael Marty <rmarty () arcsight com> wrote:
You are neglecting the fact that those emails are PGP signed. It's up to the reader to verify the signature, but I'd say that you can expect a security analyst to check the signature before he believes (and acts upon) the contents of such an email.
And you are neglecting the fact that "typical users" expect their "commodity computers" to "just work". A typical user does not know what PGP is and, more importantly, does not care. Worse, your typical user's "typical computer" does not know what PGP is and its Email client couldn't care less...

Worse still, some of these typical users are bound to be naïve enough to expect that the:

   -----BEGIN PGP SIGNED MESSAGE-----

and/or:

   -----BEGIN PGP SIGNATURE-----
   Comment: Blah
   iQdCVEAwGUBQsBcz3kyh9+716yA23DNAQSMTrAlP/VKuCKZzTJMTxK...
   -----END PGP SIGNATURE-----

gibberish (or "computer talk" as many are inclined to call it) actually means something significant. And some of those are bound to assume that the message would not have been delivered were the signature not kosher.

Given the geniuses at MS continue to entirely fail to understand that code signing is not a solution to any truly important integrity issue, should we really expect our typical user to have any better idea?

I agree with the OP that these messages make an enticing target for the scammers and/or forgers out there.

And, to address a different issue with these "alerts", I'll repeat the last bit of Raffael's comment again:
... but I'd say that you can expect a security analyst to check the signature before he believes (and acts upon) the contents of such an email.
One would certainly hope so, but given the way these "alerts" are being compiled and distributed, do you really expect them to be any better than or much different from the (former ??) FBI "cyber security" alerts? To date these have, from a professional's perspective, been too late and/or too inaccurate to be useful. Surely they are aimed squarely at whatever fraction of "middle America" the DHS sees as caring about such issues?

And, to answer the hopefully obvious question -- of course I subscribed! One can always use a little more humour in their life...

Regards,

Nick FitzGerald