Security Incidents mailing list archives

Re: Yet another Visa scam scheme


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Tue, 03 Feb 2004 12:17:40 +1300

Raffael Marty <rmarty () arcsight com> wrote:

> You are neglecting the fact that those emails are PGP signed. It's up to
> the reader to verify the signature, but I'd say that you can expect a
> security analyst to check the signature before he believes (and acts
> upon) the contents of such an email.


And you are neglecting the fact that "typical users" expect their
"commodity computers" to "just work".

A typical user does not know what PGP is and, more importantly, does
not care.

Worse, your typical user's "typical computer" does not know what PGP is
and its Email client couldn't care less...

Worse still, some of these typical users are bound to be naïve enough
to expect that the:

   -----BEGIN PGP SIGNED MESSAGE-----

and/or:

   -----BEGIN PGP SIGNATURE-----
   Comment: Blah

   iQdCVEAwGUBQsBcz3kyh9+716yA23DNAQSMTrAlP/VKuCKZzTJMTxK...

   -----END PGP SIGNATURE-----

gibberish (or "computer talk" as many are inclined to call it) actually
means something significant.  And some of those are bound to assume
that the message would not have been delivered were the signature not
kosher.  Given the geniuses at MS continue to entirely fail to
understand that code signing is not a solution to any truly important
integrity issue, should we really expect our typical user to have any
better idea?

I agree with the OP that these messages make an enticing target for the
scammers and/or forgers out there.

And, to address a different issue with these "alerts", I'll repeat the
last bit of Raffael's comment again:

> ... but I'd say that you can expect a
> security analyst to check the signature before he believes (and acts
> upon) the contents of such an email.

One would certainly hope so, but given the way these "alerts" are being
compiled and distributed, do you really expect them to be any better
than or much different from the (former ??) FBI "cyber security"
alerts?  To date these have, from a professional's perspective, been
too late and/or too inaccurate to be useful.  Surely they are aimed
squarely at whatever fraction of "middle America" the DHS sees as
caring about such issues?

And, to answer the hopefully obvious question -- of course I
subscribed!  One can always use a little more humour in their life...


Regards,

Nick FitzGerald
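As an added illustration of the point about the armor block (not part of the post or the thread): a Python parser for the cleartext-signed layout quoted above. It checks everything the armor itself can be checked for, including the RFC 4880 CRC24 line, and still cannot report "verified", because that needs a real OpenPGP verification against a key you already trust. The function names and the sample message are constructed for this example.

```python
import base64

CRC24_INIT, CRC24_POLY = 0xB704CE, 0x1864CFB

def crc24(data: bytes) -> int:
    """OpenPGP armor checksum (RFC 4880 section 6.1)."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF

def armor_checksum(data: bytes) -> str:
    """The '=XXXX' line under the radix-64 body: base64 of the 3-byte CRC24."""
    return "=" + base64.b64encode(crc24(data).to_bytes(3, "big")).decode()

def inspect_cleartext_signed(message: str) -> dict:
    """Report only what the armor can tell us; 'verified' stays False because
    armor syntax plus a matching CRC proves nothing about who signed."""
    lines = message.splitlines()
    info = {"armored": False, "checksum_ok": False, "verified": False,
            "text": None, "signature_bytes": 0}
    try:
        start = lines.index("-----BEGIN PGP SIGNED MESSAGE-----")
        sig = lines.index("-----BEGIN PGP SIGNATURE-----", start)
        end = lines.index("-----END PGP SIGNATURE-----", sig)
        info["armored"] = True
        # Signed text follows the "Hash:" headers and one blank line.
        info["text"] = "\n".join(lines[lines.index("", start) + 1:sig])
        # Signature block: armor headers, blank line, radix-64 lines, CRC line.
        body = lines[lines.index("", sig) + 1:end]
        raw = base64.b64decode("".join(body[:-1]), validate=True)
        info["signature_bytes"] = len(raw)
        # The CRC covers only the signature bytes, never the message text.
        info["checksum_ok"] = armor_checksum(raw) == body[-1]
    except (ValueError, IndexError):  # binascii.Error is a ValueError
        pass
    return info

def constructed_sample(text: str) -> str:
    """Layout quoted in the post around junk bytes: well-formed, not authentic."""
    fake = b"constructed filler, not a real OpenPGP signature packet"  # constructed
    return "\n".join([
        "-----BEGIN PGP SIGNED MESSAGE-----", "Hash: SHA1", "", text,
        "-----BEGIN PGP SIGNATURE-----", "Comment: Blah", "",
        base64.b64encode(fake).decode(), armor_checksum(fake),
        "-----END PGP SIGNATURE-----"])
```

Swapping the signed text for something else leaves the armor and its CRC untouched, which is why a mail filter matching on the BEGIN/END lines learns nothing about authenticity.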
