Category Archives: Security

Phishing Sites Turn to (Legitimate) Profit

The long-standing problem with phishing, including spear phishing, is that people are easily fooled. The authentication mechanisms we all use daily are full of flaws. What further proof of the ever-expanding market of fraud do you need than the fact that a commercial site has been set up to “educate” users by trying to see if they are susceptible to fraud? This appears to be some sort of attempt to make a legitimate phishing site:

Over 15,000 corporate users have fallen prey to spear phishing.

Can your workforce dodge the hook?

The premise is simple: they ask you to enter your financial information, and then they will help you determine if someone in your company is vulnerable to a pitch where they are asked to enter financial information…

Not sure who the company is? Ah, just click on the “Who We Are” button and you will find a site with a completely different name (“intrepidusgroup.com”) that appears to have absolutely nothing to do with the “phishme.com” site.

Is that how they create trust?

Another friendly touch is on their blog. It would seem they are not lawyers, but they propose the following banner for mail servers:

220-NO UCE. You are hearby notified that ANY email sent here becomes
220 the property of the recipient and CAN be redistributed
220 publicly to ANYONE without consent or notice. This notice supercedes
220 any legal claim appended to the body of emails delivered here.

Not the most convincing “we’re here for you” sales strategy I have seen.

My favorite example of a similar service gone awry was when a penetration tester used a spear phishing test connected to an IRC bot. The problem was that the test was “successful” and the target was not only infected but the tester then was tasked to help clean the mess. Not the model I would recommend.

If these self-proclaimed “black hats” really want to make a difference, perhaps they could start by educating the banks on best practices so that their customers aren’t trained to be more susceptible to fraud:

The result is that even the most security-conscious Web surfers could find themselves the victims of identity theft because they’ve been conditioned to ignore potential clues about whether the banking site they’re visiting is real — or a bogus site served up by hackers.

The Onion Strangely Accurate in Prediction

Several people have pointed out to me that a January 2001 article in the Onion called “Bush: ‘Our Long National Nightmare Of Peace And Prosperity Is Finally Over’” was an accurate prediction of things to come for America:

“Finally, the horrific misrule of the Democrats has been brought to a close,” House Majority Leader Dennis Hastert (R-IL) told reporters. “Under Bush, we can all look forward to military aggression, deregulation of dangerous, greedy industries, and the defunding of vital domestic social-service programs upon which millions depend. Mercifully, we can now say goodbye to the awful nightmare that was Clinton’s America.”

“For years, I tirelessly preached the message that Clinton must be stopped,” conservative talk-radio host Rush Limbaugh said. “And yet, in 1996, the American public failed to heed my urgent warnings, re-electing Clinton despite the fact that the nation was prosperous and at peace under his regime. But now, thank God, that’s all done with. Once again, we will enjoy mounting debt, jingoism, nuclear paranoia, mass deficit, and a massive military build-up.”

Consider this detail:

During the 40-minute speech, Bush also promised to bring an end to the severe war drought that plagued the nation under Clinton, assuring citizens that the U.S. will engage in at least one Gulf War-level armed conflict in the next four years.

“You better believe we’re going to mix it up with somebody at some point during my administration,” said Bush, who plans a 250 percent boost in military spending. “Unlike my predecessor, I am fully committed to putting soldiers in battle situations. Otherwise, what is the point of even having a military?”

At least one?

How funny and silly it might have seemed in the initial days of the Bush administration…little did we realize back then that the majority of useful analysis and insight would need to come from the modern day equivalent of court jesters.

Mission accomplished yet?

Apparently Bush just tried to explain away the current financial crisis as “Wall Street got drunk — one reason I told you to turn off your TV recorders — and now it’s got a hangover.” Risk and consequences seem to be abstract concepts, or even a silly joke, to the President.

Man uses impostor in divorce

A strange story is circulating right now about a man who thought he could get a divorce by bringing another woman to court instead:

Sanjib Saha presented a woman as his wife in a lower court in the eastern city of Kolkata this month. Both said they sought a mutual divorce, something the court granted immediately.

Mr Saha’s real wife was then asked to leave the marital home. She has since appealed the ruling at a higher court, charged her husband with cheating and the original divorce was suspended.

I suppose the court relied on the husband and wife to authenticate each other, which in effect means no authentication at all. Perhaps he did not realize his real wife would be able to legally contest the divorce papers once they were granted.

Culture and security: “we only set fires”.

I love this story from Peaceful Rise. It reads like a classic example of cultural differences in engineering and security. The author first describes the need for special effects in a movie:

For the burning village, the challenge would be to find someone who could manufacture the piping, and to figure out how to store and supply the set with such an absurd amount of fuel.

The author apparently left the project for other reasons, but he goes on to explain how the over-engineered solution was dismissed and how the low-cost bid played out.

Not surprisingly, the American special effects team also left the project. I read that it was because their estimate of the cost to plumb the village with gas pipes was too high, although I wouldn’t be surprised if they intentionally gave a quote they knew would be too high just as an excuse to quit the movie and hurry on back to their American beach houses. They were replaced by a Korean team who had a much simpler solution: douse the whole set and let it burn! As the story goes, a minute after they tossed the match and set the village up in flames, it occurred to someone in the production crew to inquire how they intended to douse the blaze. Put the fire out? That’s not our job, said the special effects crew. We set fires, we don’t put them out! The fire continued to spread to surrounding areas and grow out of control until finally emergency teams from a remote military film studio were able to arrive and control the blaze.

The requirement, if I read the story correctly, was to create a fire that could be repeatably turned on, which seems to imply some kind of dousing mechanism. My guess is that the Americans started out with an assumption of an “effect” that was very different from the Korean crew’s. Or maybe it was just a case of high/low bid engineering. Anyway, it’s a nice anecdote to share in my next presentation on culture and security.

It sounds similar to the story about American engineers who spent billions of dollars to design ink and a pen that could overcome zero gravity so astronauts could still take notes while on mission. The Russians, asked if and when they expected to achieve an engineering feat of similar magnitude, simply pointed out “we are ok with pencils”.