Webmaster General Forum

Cringely : Phish or Cut Bait
Brett_Tabke




msg:343333
 11:00 am on May 27, 2005 (gmt 0)

Noted InfoWorld and PBS reporter Robert X. Cringely has posted a new article on the current status of phishing scams. It is one of the best all-around articles on phishing by a mainstream tech reporter I have seen recently.

[pbs.org...]

So nobody talks about it, and the costs of phishing are generally hidden in the average eight percent that credit card companies figure they'll lose through theft, bankruptcies, etc. In a business with interest charges often going above 20 percent, phishing is tolerable.

 

Rosalind




msg:343334
 11:49 am on May 27, 2005 (gmt 0)

I've noticed an increase in phishing scams hitting my inbox lately, compared with a decrease in medication and other general spam. Clearly action needs to be taken, and that article includes some good, practical measures that could be taken. We need to prod the businesses into taking action, as well as encouraging potential victims to report phishing by offering a bounty.

Perhaps a carrot and stick approach would work with the businesses that are impersonated, with a hall of shame for those who are the least proactive about tackling this kind of fraud, and some kind of recognition for those who do the most?

MamaDawg




msg:343335
 1:20 pm on May 27, 2005 (gmt 0)

Good article. There definitely should be repercussions for companies that ignore the problem!

I'm getting more and more of these in my inbox too - the social engineering and URL masking techniques they use keep getting better and better. I had one the other day that used Google to mask the address of the phisher website.

Russ49Checkmate




msg:343336
 1:55 pm on May 27, 2005 (gmt 0)

Some common sense advice, though the article said it best "IF YOU PAY ATTENTION". If you're not checking your statements every month, then even the credit card companies will rip you off.

1. I don't have either SSN or Bank Account Numbers anywhere on my hard drive. I write these down on a 3x5 index card cleverly hidden under a stack of $100 bills.

2. I have an internet credit card, $500 limit, I use no other card on-line.

3. Clark Howard reports that even today, 90% of identity theft is still done the old-fashioned way: they steal your checkbook (now is the time to get a debit card).

4. Call the three credit reporting agencies, put a fraud alert on your files.

5. www.donotcall.gov

6. Most important: all the recent attempts to steal my identity have been thwarted by the scums not having my SSN. Protect that number at all costs.

Spam and phishing have ruined the email system. If we want it back, we need to insist on some techno reversals and tolerate some minor charges. In this day and age, there are many, many websites that allow even the most technically challenged to have home pages on the www. There is no reason to send a 15-page letter to 10,000 people; just post it to the www.

I authored a newsletter for some years and sent it via e-mail to about 900 subscribers. The thought occurred to me that to stop spam, the government could tax all e-mails at a penny an address over 100. My newsletter would have cost me $8 to send out as a single mailing. Of course it's no problem for me to have sent it as 9 separate e-mails and avoid any charges of this tax.

A spammer uses like 10 million addresses; no way are they going to send it out as 100,000 separate e-mails. No way are they going to pay the $100,000 tax.

Also, we could eliminate HTML from e-mail. I'm an old-school web developer; content is far more important than form. We see far too many websites today that are pretty as anything but have absolutely nothing to say. We don't need to clog the e-mail system with such waste.

mcguffin




msg:343337
 2:47 pm on May 27, 2005 (gmt 0)

Unfortunately, credit card companies don't do much to help prevent phishing or other socially-engineered scams. Yesterday, I received the following automated voice mail message on my phone:

"We have questions about recent transactions on your [insert brand] credit card. Please call 1.800.blah.blah before May 27, 2005 to reactivate your card."

  • the phone number did not match the customer service number on my card
  • in fact, I had no way to tell whether the recorded message was from my credit card company or from some scammer who just knew that I had that brand of credit card.

    When you call a credit card company, they ask for your name, your credit card number and your security password. A scammer/phisher would ask for the exact same information.

    So, instead of calling the number that they left on my voicemail, I called the customer service number on my card. I told them I had been recently contacted by someone claiming to represent their company, and I politely asked them to verify the previous call.

    The customer service agent was surprised (almost shocked) that a consumer would think that someone might impersonate [credit card brand] in order to get my account info. Maybe they think their brand is so sacrosanct that thieves won't try stealing from them or their customers. However, I think they're deluding themselves.

    Instead of leaving recorded messages asking people to call unrecognizable 1.800 numbers, the credit card company would make things much safer if they left a message that said: "We have a question about some recent transactions. Please call the customer service number printed on your card."

    NickCoons




    msg:343338
     4:27 pm on May 27, 2005 (gmt 0)

    While I do think that companies that have been impersonated have motivation to fix the problem (because it can ruin customer confidence), I don't think there should be any legal consequences for them not taking any action at all. If someone breaks into my house, I'm within my rights to completely ignore the situation and not take any action, as stupid as that may be. Companies that ignore the problem will naturally lose business as their customers will not feel comfortable working with them.

    I received a phishing email a few months back impersonating eBay. I happened to be bored, so I decided to take a look at it. A few scans of the server showed that it was running Windows 2000 with SP1, so it was easily taken down with a few known exploits. What are they going to do? Call the authorities and complain that I took down their illegal scamming site? :-)

    <The thought occured to me that to stop spam, the government could tax all e-mails at a penny an address over 100.>

    I've heard this before, and I think it's an awful idea. Here's why.

    First, it's not technologically possible with the current system. Everyone who runs an email server would have to voluntarily provide email statistics to the government for tax-reporting purposes. Obviously spammers won't do this, and they are perfectly capable of creating their own servers. If we were to create a system that doesn't depend on voluntary compliance, it would mean that we'd have to have some system where all emails filter through the government so they can verify the sender so they know who to tax (and this to some extent would have to be voluntary, as you'd have to convince companies, ISPs, hosting companies, etc. to switch to the new email system). But at this point, the tax becomes unnecessary. If they know who to tax, then they know who to go after in the case of spam email.

    Second, the government has no business stepping in and dictating how I and another individual send communication back and forth. If my friends and I each run mail servers, and we want to email back and forth, then the government is providing no service to us and shouldn't be charging anything. I understand that the argument here is that spammers aren't sending to willing recipients, but for a tax-per-email plan to work, it would have to intrude on all email.

    Here's a bit of technical background for those not so familiar, a description of how the system is easily broken by spammers, and a proposed fix.

    Most connections over the internet are done through TCP. In this case, a client establishes a connection to a server on a specific port (port 25 for sending email). This is a two-way communication. The first thing the client then says to the server after the connection is established is:

    HELO example.com (yes, that's one L, not two)

    Then the server will respond back with something like:

    250 Pleased to meet you, example.com

    Next, it's time for the client to tell the server who this email is from:

    MAIL From: sender@example.com

    And the server responds:

    250 2.1.0 sender@example.com... Sender ok

    Then the client tells the server who the email is to:

    RCPT To: recipient@example.com

    And the server responds:

    250 2.1.5 recipient@example.com... Recipient ok

    And the communication goes on, as the client also sends the subject, any additional headers, and finally the body of the email.

    This is a two-way communication, which means for the client to see the "ok" responses, the server has to know who it's talking to, by IP address. Well you can track down from an ISP who had what IP address at what time, find out where they are (or at least what their billing address is) and go get 'em, so what's the problem?

    The problem is that when you're sending email, you technically don't *need* to see the server's response, you can just assume that it always comes back ok. That being the case, you could spoof your IP address (if you needed that information, you could not spoof your address, because you wouldn't receive communication from the server).

    So how do you make it so that the IP address cannot be spoofed? You modify SMTP so that it sends something to the client that the client absolutely needs in order to complete the transaction. For instance, send something to the client that the client has to send back to the server to verify that there is two-way communication.

    This solution does not stop spam, however. But what it does do is that it positively identifies the origin of spam (which has always been the problem, it's hard to go after spammers if you can't find them). In some cases, mail servers are compromised by spammers and used to send spam. Either way, you are led to the source of the spam so you can disable the equipment and prevent it from sending out further spam. If people find that their servers have been compromised and are sending out spam, they're going to want to fix them (I know I would).

    Here's another possibility. The manufacturers of email clients can put an auto-retaliation feature into the client. When the client receives email that it determines is spam, it initiates a DoS attack against the server that initially sent it. One client performing one DoS attack won't be very effective. But if the spammer planned on sending out 10,000,000 emails, and got knocked out after sending 1,000, that would be a fairly effective technique. Of course, this would depend on the above-mentioned protocol changes, as you would definitely want the real IP address of the server, not a spoofed one.

    All of these solutions work without any government intervention at all (which is one of the main criteria of any solution after all), and only protocol enhancements are needed, which can be proposed to the IETF. We could have SMTP2 in a short period of time and easily implement it to our existing servers.
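The dialogue walked through above, as an added example that is not part of the original post: a toy in-memory SMTP server plus two clients, the blind one the post describes (fires the whole script and never reads a reply) and a cooperative one that answers a hypothetical CHALLENGE/ECHO round trip of the kind the post proposes. The ECHO verb, the server name and the addresses are invented for this example and are not part of any real SMTP extension. One caveat for readers: a real TCP connection already makes the client echo the server's initial sequence number during the handshake, so blindly spoofing the source address of a whole SMTP session is not practical against a modern stack; the toy models the application-level exchange as the post describes it, not the transport underneath.

```python
"""Toy SMTP dialogue: an added example for this thread, not code from the post
or from any real MTA. ToySmtpServer is an in-memory state machine whose
handle() takes one client line and returns the reply, so the
HELO / MAIL FROM / RCPT TO / DATA exchange can be stepped through offline.
With require_echo=True the server also sends a nonce after HELO that the
client must return in a hypothetical ECHO command (an invented verb standing
in for the round-trip check proposed in the thread, not a real extension)."""

import secrets


def _address(arg):
    """'From: <user@host>' / 'To: user@host' -> 'user@host'."""
    return arg.partition(":")[2].strip().strip("<>").strip()


class ToySmtpServer:
    def __init__(self, hostname="mail.example.com", require_echo=False):
        self.hostname = hostname
        self.require_echo = require_echo
        self.greeted = False
        self.verified = not require_echo      # plain SMTP: nothing to prove
        self.nonce = None
        self.sender = None
        self.recipients = []
        self.in_data = False
        self.body = []
        self.delivered = []                   # (sender, recipients, body)

    def greeting(self):
        return f"220 {self.hostname} ESMTP ready"

    def handle(self, line):
        if self.in_data:                      # collecting the message body
            if line == ".":
                self.in_data = False
                self.delivered.append((self.sender, self.recipients, "\n".join(self.body)))
                self.sender, self.recipients, self.body = None, [], []
                return "250 2.0.0 Ok: queued"
            self.body.append(line[1:] if line.startswith("..") else line)  # dot-unstuffing
            return None                       # body lines get no reply
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            self.greeted = True
            if self.require_echo:
                self.nonce = secrets.token_hex(8)
                self.verified = False
                return f"250-{self.hostname} Hello {arg}\n250 CHALLENGE {self.nonce}"
            return f"250 {self.hostname} Hello {arg}"
        if verb == "ECHO":                    # hypothetical round-trip proof
            if self.nonce is not None and arg == self.nonce:
                self.verified = True
                return "250 2.0.0 Challenge accepted"
            return "535 5.7.8 Challenge failed"
        if not self.greeted:
            return "503 5.5.1 Send HELO first"
        if not self.verified:
            return "530 5.7.0 Echo the challenge first"
        if verb == "MAIL":
            if self.sender is not None:
                return "503 5.5.1 Nested MAIL command"
            self.sender = _address(arg)
            return f"250 2.1.0 {self.sender}... Sender ok"
        if verb == "RCPT":
            if self.sender is None:
                return "503 5.5.1 Need MAIL command"
            self.recipients.append(_address(arg))
            return f"250 2.1.5 {self.recipients[-1]}... Recipient ok"
        if verb == "DATA":
            if not self.recipients:
                return "503 5.5.1 Need RCPT command"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        return "500 5.5.2 Command not recognized"


# Constructed client script: the exchange from the post plus a short body.
SCRIPT = ["HELO client.example.net", "MAIL From: sender@example.com",
          "RCPT To: recipient@example.com", "DATA",
          "Subject: hello", "", "body line one", "."]


def blind_send(server):
    """The sender from the post that assumes every reply is 'ok': it fires the
    whole script without reading anything back. Returns the replies."""
    return [server.handle(line) for line in SCRIPT]


def echo_send(server):
    """A cooperative client: reads each reply and, when challenged after HELO,
    returns the nonce before continuing. Returns the replies."""
    replies = [server.greeting()]
    for line in SCRIPT:
        reply = server.handle(line)
        replies.append(reply)
        if reply and "CHALLENGE" in reply:
            replies.append(server.handle("ECHO " + reply.split("CHALLENGE ", 1)[1].strip()))
    return replies


if __name__ == "__main__":
    for label, srv, client in (("plain/blind", ToySmtpServer(), blind_send),
                               ("challenge/blind", ToySmtpServer(require_echo=True), blind_send),
                               ("challenge/echo", ToySmtpServer(require_echo=True), echo_send)):
        client(srv)
        print(f"{label}: {len(srv.delivered)} message(s) accepted")
```

Against the plain server the blind client gets its message queued without ever looking at a reply; against the challenge server every command after HELO is refused with 530 until the nonce comes back, which only a client that actually receives the server's traffic can do. As the post itself notes, this identifies where the mail really came from but does nothing about the volume of spam from hosts that do complete the round trip.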

    PatrickDeese




    msg:343339
     4:46 pm on May 27, 2005 (gmt 0)

    One of my clients fell for the Paypal phishing scam last week.

    She got the typical email, but instead went directly to Paypal.com, looked around for their "security center" or whatever the scammer called it, couldn't find it, went back to the email and clicked on the link to a site hosted in Russia, or wherever.

    I happened to run into her on the street a couple of hours later, and she complained to me about having to "update" her paypal info, and I broke the bad news to her.

    She's what I would consider one of my more tech savvy clients, so I think it has really become a massive problem that needs an urgent solution.

    MamaDawg




    msg:343340
     5:46 pm on May 27, 2005 (gmt 0)

    Here's another possibility. The manufacturers of email clients can put an auto-retaliation feature into the client. When the client receives email that it determines is spam, it initiates a DoS attack against the server that initially sent it. One client performing one DoS attack won't be very effective. But if the spammer planned on sending out 10,000,000 emails, and got knocked out after sending 1,000, that would be a fairly effective technique. Of course, this would depend on the above-mentioned protocol changes, as you would definitely want the real IP address of the server, not a spoofed one.

    Even if it is bulletproof against false-positives, the drawbacks I see to that approach are:

    1. Negative impact on legitimate users (innocent bystanders) on shared servers and on networks being hit with the DoS.
    2. Misuse to deliberately cripple a host or network (Get or compromise an account on your target, send out a s***load of spam and wait for all the recipients to crash it for you!)
    3. It opens up a big can of worms by effectively legalizing DoS attacks!

    (Not that I haven't been tempted to have a little fun with these sites myself once or twice ;) ...)

    paybacksa




    msg:343341
     5:59 pm on May 27, 2005 (gmt 0)

    I think the more important aspect of this is that our US government requires us to have credit cards, and doesn't protect us from being required to have them for commercial reasons.

    I should be able to choose cash, but I cannot. Just as I should be able to choose not to drive (and therefore not to have a driver's license) I cannot.

    Argue all you want but there are specific situations where you are actually required to have a DL and/or CC or you will not be accommodated, and except for an expensive lawyer perhaps, no one will help you.

    Fix that problem first, and then the market can fix the "market inefficiencies" like fraud etc.

    StupidScript




    msg:343342
     7:53 pm on May 27, 2005 (gmt 0)

    Nick:
    You modify SMTP so that it sends something to the client that the client absolutely needs in order to complete the transaction.

    Is this approach being developed/experimented with anywhere that you know of? How easy is it to modify SMTP to add this extra communication?

    Sounds pretty simple, all things considered.

    NickCoons




    msg:343343
     4:57 am on May 28, 2005 (gmt 0)

    MamaDawg,

    <1. Negative impact on legitimate users (innocent bystanders) on shared servers and on networks being hit with the DoS.>

    If the server wasn't under a DoS attack, but it was otherwise identified as a server sending out spam, and verified to be such, wouldn't that server have to come down anyway (for repairs, security patches, etc.), creating a negative impact on other users on that server?

    <2. Misuse to deliberately cripple a host or network (Get or compromise an account on your target, send out a s***load of spam and wait for all the recipients to crash it for you!)>

    Perhaps.. though people wanting to DoS attack a server already have many means at their disposal to do this. I don't think adding one more would cause this problem to become more widespread.

    <3. It opens up a big can of worms by effectively legalizing DoS attacks!>

    I know they're frowned upon.. are they currently illegal?

    paybacksa,

    <I should be able to choose cash, but I cannot. Just as I should be able to choose not to drive (and therefore not to have a driver's license) I cannot.>

    Neither of those statements is true. The government doesn't restrict the use of cash in any way as far as choosing a payment method (at least not that I know of), and the government also doesn't require you to have a driver's license. A driver's license is only needed if you want to drive. Where did you ever get the idea that either of the statements you made were true?

    <Argue all you want but there are specific situations where you are actually required to have a DL and/or CC or you will not be acommodated, and except for an expensive lawyer perhaps, no one will help you.>

    Can you name some situations where a credit card is required, and some where a driver's license is required?

    StupidScript,

    <Is this approach being developed/experimented with anywhere that you know of? How easy is it to modify SMTP to add this extra communication?>

    I don't know of it being done right now. It would be easy to modify the technical specifications of the protocol, and even to design software to use it. Most of the open-source products (sendmail, postfix, etc) would probably jump on right away. The difficult part is the transition.. getting everyone to use the new protocols.

    At first, you'd be installing an MTA (mail transport agent) that spoke both protocols (SMTP and SMTP2, perhaps), and ultimately the old version would be phased out. Just like there probably isn't anyone using POP2 anymore :-).

    BeeDeeDubbleU




    msg:343344
     9:07 am on May 28, 2005 (gmt 0)

    Good find Brett. This is a great article and all attempts to publicise this should be applauded. Phishing makes my blood boil and I cannot understand those who dismiss it as unimportant. These people are trying to steal from us and their crimes are just as serious as if someone stole your credit card from your purse/wallet.

    Like the author I am very disappointed that I never hear of anyone being prosecuted for this but surely "they" must be able to catch somebody doing this? The perpetrators are not all living in banana republics. Let's go get them and hang 'em high!

    While I do think that companies that have been impersonated have motivation to fix the problem (because it can ruin customer confidence), I don't think there should be any legal consquences for them not taking any action at all. If someone breaks into my house, I'm within my rights to completely ignore the situation and not take any action, as stupid as that may be.

    Bad analogy. Why? Because in your house you don't look after my money ;)

    MamaDawg




    msg:343345
     2:05 pm on May 28, 2005 (gmt 0)

    If the server wasn't under a DoS attack, but it was otherwise identified as a server sending out spam, and verified to be such, wouldn't that server have to come down anyway (for repairs, security patches, etc), creating a negative impact of other users on that server?

    I'd shut down the rogue account(s) ASAP - patches requiring downtime would be planned and announced to users in advance if at all possible. Unless I needed to preserve system state for forensic purposes...

    While the server issues may be arguable, hammering the network would still affect a lot of innocent machines/users.

    I know they're frowned upon.. are they currently illegal?

    In the USA under 18 USC section 1030 if you deliberately cause at least $5k in losses to one or more victims (includes business losses, costs to repair damages - which can include costs to repair customer relations ...etc.) you are subject to federal prosecution.

    I think it's generally a bad idea to sanction something you don't want people to do.

    I do like the idea of adding more robust authentication to SMTP - though as you pointed out, widespread implementation would be far from immediate.

    Holmes




    msg:343346
     9:13 pm on May 28, 2005 (gmt 0)

    Phishing would be really easy to exterminate if the browser companies could agree to a given standard.

    1. Put together a working group of volunteers with honeypots to grab these phishing attempts as soon as they launch.

    2. IE, Firefox and Safari each reserve a small but significant spot on the right of their main toolbar for phishing alerts. Please no separate toolbars, there are too many competing for screen space right now.

    3. Every time the browser launched, it would check for updates to the database of URLs maintained by the volunteers.

    4. If someone visited a phishing URL, they would have a bright red one-inch square blinking so it is unavoidable to anyone that something is the matter with their site.

    Not much money for the phishers if within an hour or so all their potential suspects had been warned; they'd move on to some other criminal activity.
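The browser-side lookup in step 4 above, as an added example that is not part of the original post or of any browser: the URL the user is about to open is normalised to the host it would really connect to and checked against a list of reported domains. It also looks one hop through redirector-style links, the Google-based masking mentioned earlier in the thread. The BLOCKLIST entries and sample URLs are constructed from reserved example and TEST-NET names and are not real phishing sites; the parameter names in REDIRECT_PARAMS are an assumption about common redirector pages, not a standard.

```python
"""Client-side URL check of the kind proposed in the thread: normalise the URL
the user is about to open and look its host up in a blocklist of reported
phishing domains. Added example, not code from the post or from any browser.
BLOCKLIST and the sample URLs are constructed from reserved example / TEST-NET
names and are not real phishing sites."""

from urllib.parse import parse_qs, urlsplit

# Constructed blocklist standing in for the volunteer-maintained database.
BLOCKLIST = {"security-update.example", "203.0.113.5"}

# Assumed query parameter names that redirector pages use to carry the target.
REDIRECT_PARAMS = ("q", "url", "u", "redirect", "dest")


def normalized_host(url):
    """The lowercase ASCII host the browser would actually connect to.
    urlsplit().hostname already drops userinfo (the 'paypal.com@evil' trick)
    and the port; IDN labels are folded to their punycode form."""
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    try:
        return host.encode("idna").decode("ascii")
    except UnicodeError:            # over-long or otherwise invalid label
        return host


def listed_domain(host, blocklist=BLOCKLIST):
    """The blocklist entry matching host or one of its parent domains
    (www.paypal.com.bad.example matches an entry for bad.example), or None."""
    labels = host.split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in blocklist:
            return suffix
    return None


def redirect_targets(url):
    """Absolute URLs carried in redirector-style query parameters, so a
    listed site hidden behind a trusted redirector is still seen."""
    query = parse_qs(urlsplit(url).query)
    return [v for name in REDIRECT_PARAMS for v in query.get(name, [])
            if v.lower().startswith(("http://", "https://"))]


def flagged_host(url, blocklist=BLOCKLIST):
    """Return the blocklist entry a click on url would reach, directly or via
    a one-hop redirector, or None if nothing is listed."""
    for candidate in [url] + redirect_targets(url):
        host = normalized_host(candidate)
        hit = listed_domain(host, blocklist) if host else None
        if hit:
            return hit
    return None


# Constructed samples covering the masking tricks mentioned in the thread.
SAMPLES = [
    "https://www.paypal.com/",                                  # genuine
    "http://www.paypal.com.security-update.example/login",      # lookalike subdomain
    "http://www.paypal.com@203.0.113.5/update",                 # userinfo trick
    "http://www.google.com/url?q=http://203.0.113.5/update",    # redirector mask
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(flagged_host(sample) or "ok", "<-", sample)
```

Two practical limits of a host-level list: phishing pages planted on a compromised shared host need path-level entries, or the whole legitimate site gets flagged, and a database refreshed only at browser launch is too stale for sites that live for hours, so a real deployment would have to poll far more often.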

    ControlEngineer




    msg:343347
     1:45 am on May 29, 2005 (gmt 0)

    I think both the phishing and spam (particularly the really fraudulent spam) will likely have to be attacked using old-fashioned detective work. It will be expensive; that will require heavy fines and suits against the perps and, I hate to say, perhaps taxes.

    Police agencies and credit card company investigators already have bank accounts and credit card accounts set up for law enforcement purposes. If it hasn't happened yet, sooner or later a phisher will be caught when he gets a credit card or bank account number and password for a law enforcement account and tries to obtain money.

    Stings can also be made. A "porno distributor" (cop) goes looking for a way to get more business, meets up with a spammer, the spammer spams and is caught. I understand that at least one spammer has been caught this way.

    Of course, technical solutions to help in the location of phishers and spammers will be a great help if they can be made to work. Probably attacks from all directions are needed.

    paybacksa




    msg:343348
     3:04 am on May 29, 2005 (gmt 0)

    Neither of those statements is true. The government doesn't restrict the use of cash in any way as far as choosing a payment method (at least not that I know of), and the government also doesn't require you to have a driver's license. A driver's license is only needed if you want to drive. Where did you ever get the idea that either of the statements you made were true?

    Really?

    Go to your local town clerk and try and pay for a license or permit that costs more than pocket change. Offer to pay cash. Big city offices have bursars.. basically a bank branch. Smaller ones will not want several hundreds in cash, and want a check or cc. Want to pay by check? Show a DL. Go ahead.. argue.

    Go and get a passport and try and pay cash. With no driver's license? The REAL ID Act will make it even harder to do anything without a proper state DL.

    The ID issue aside, there are many cases where you may only renew or register by mail or Internet. That means no cash, right?

    Getting more abstract, go try and get an SBA loan without a credit card history. You can have plenty of cash history (even paying off loans) but without the credit cards see what happens.

    NickCoons




    msg:343349
     3:33 pm on May 29, 2005 (gmt 0)

    <Go to your local town clerk and try and pay for a license or permit that costs more than pocket change. Offer to pay cash. Big city offices have bursars.. basically a bank branch. Smaller ones will not want several hundreds in cash, and want a check or cc.>

    A cashier's check or money order will work just fine in place of cash with no identification required. And it doesn't take ID to walk into a Circle-K and get a money order.

    <Want to pay by check? Show a DL. Go ahead.. argue.

    Go and get a passport and try and pay cash. With no driver license? The RealID Act will make it even harder to do anything without a proper State DL.>

    A driver's license isn't required, just a valid picture ID. You can get an ID card that's not a driver's license.

    <The ID issue aside, there are many cases where you may only renew or register by mail or Internet. That means no cash, right?>

    Renewing by mail means I can send a check, obviously without any sort of ID. In fact, my accountant used to pay my bills all the time by sending checks through the mail. Amazingly enough, she never once had to send a photocopy of my driver's license or other ID. If I renew some government service over the internet, like a driver's license, it is a chosen convenience for me. If I didn't want to use a credit card, I could easily go down to the DMV and pay for the renewal in cash.

    <Getting more abstract, go try and get an SBA loan without a credit card history. You can have plenty of cash history (even paying of loans) but without the credit cards see what happens.>

    Not true.. they simply want credit history, not specifically credit card history. In fact, your credit report looks better if you have diversified your loan types (car, mortgage, etc), not just credit cards.

    However, the government doesn't require anyone to get an SBA loan, so even if they made having a credit card a condition of that loan, it would not make "They require everyone to have a credit card" a true statement.

    NickCoons




    msg:343350
     3:46 pm on May 29, 2005 (gmt 0)

    BeeDeeDubbleU,

    <Bad analogy. Why? Because in your house you don't look after my money ;)>

    That's fairly irrelevant to the analogy. It may be true that my house is made of 8x8x16 cinder blocks and the eBay headquarters is of solid concrete walls, but that is also irrelevant to the analogy :-).

    If someone is impersonating eBay in a phishing scam, how would that put your money at risk? It doesn't. It puts the phishing recipient at risk, and it puts eBay at risk (reputation-wise). But you as a third-party aren't directly at risk.

    MamaDawg,

    <I'd shut down the rogue account(s) ASAP - patches requiring downtime would be planned and announced to users in advance if at all possible.>

    So while your server is sending out 1000 spams/minute, you'd post a note somewhere to your users saying something like, "Okay everyone, we've found some security issues and we'll be taking the server down in a few hours to correct them." In the meantime, your box has sent out thousands of spam emails.

    <While the server issues may be arguable, hammering the network would still affect a lot of innocent machines/users.>

    It sounds like your box being up and live is causing more problems to innocent users/machines than had it been shut down earlier.

    <In the USA under 18 USC section 1030 if you deliberately cause at least $5k in losses to one or more victims (includes business losses, costs to repair damages - which can include costs to repair customer relations ...etc.) you are subject to federal prosecution.>

    It sounds like the spammer would be at fault for causing this damage.

    <I think it's generally a bad idea to sanction something you don't want people to do.>

    If someone mugs me with a gun, that is an inappropriate use of a gun. If someone else then approaches with a gun and stops the mugger, that is an appropriate use of a gun. A DoS attack could easily be categorized in the same way.

    <I do like the idea of adding more robust authentication to SMTP - though as you pointed, out widespread implementation would be far from immediate.>

    You'd have to do this before implementing the DoS retaliation attack, otherwise there's a good chance you'd be attacking the wrong box.

    paybacksa




    msg:343351
     1:19 am on May 30, 2005 (gmt 0)

    Well Nick, it sounds like you are after a theoretical argument unless I can identify exact instances for which there are no workarounds, and I am too lazy for that right now.

    ...and the gov't doesn't require MS Word (sure.. just get a Word file reader) or Adobe Acrobat (just compile an open source one for free) etc etc... I am sure there are workarounds for everything eventually.

    my accountant used to pay my bills all the time by sending checks through the mail. Amazingly enough, she never once had to send a photocopy of my driver's license or other ID.

    if you have an account (and therefore a bill) they already know who you are.

    If I renew some government service over the internet, like a driver's license, it is a chosen convenience for me. If I didn't want to use a credit card, I could easily go down to the DMV and pay for the renewal in cash.

    There's the theoretical argument again. In NJ there are renewals that cannot be done in person. There are also requirements for obtaining certain government docs that cannot be met without a CC... except if you have some very obscure other paperwork (like a veterans ID, or Firearms ID, or Secret Service ID). By your argument, that means all you have to do is join the armed forces and there's no requirement for a CC.

    However, the government doesn't require anyone to get an SBA loan, so even if they made having a credit card a condition of that loan, it would not make "The require everyone to have a credit card" a true statement.

    Obviously we have different perspectives. If the govt restricts access to benefits to only certain people, that's ok? That doesn't count as being a requirement? Odd argument, in my book.

    I'm pretty tired of bureaucrats who make it so "technically" everybody has access while practically only those who can achieve the workarounds have access. It leads to a cheating society (like we have now). Usually a waste of time to argue against, and a huge waste of individual time and effort to demonstrate the practical barriers (been there).

    paybacksa




    msg:343352
     1:31 am on May 30, 2005 (gmt 0)

    If someone breaks into my house, I'm within my rights to completely ignore the situation and not take any action, as stupid as that may be.

    This is another example of a theoretical comment that is not practically true.

    In my town, if that happened you could be cited and fined. I can't quote you the law, but it actually happened to me. My car was vandalized and I called it in. After surveying the damage I decided not to follow through with a report -- it would be better for me if I did not file an insurance claim at all. I got a call back from the local police who informed me that I had a responsibility to report the crime that occurred, and if I did not I could be cited and fined. I argued about it having been on my property, and my prerogative to report it, and they assured me that was not the case and that I should consult my attorney before deciding not to file a report.

    My attorney agreed and also informed me that there could be civil liability concerns as well, should my neighbors be vandalized later by the same thieves, after I had acknowledged a crime and not followed through with a report that would enable law enforcement to follow up.

    Off-the-cuff comments about your rights and obligations that seem acceptable often do not apply in today's practical world. I am no lawyer.

    NickCoons




    msg:343353
     6:53 am on May 30, 2005 (gmt 0)

    paybacksa,

    <Well Nick it sounds like you are after a theoretical argument unless I can identify exact instances for which here are no workarounds, and I am too lazy for that right now.>

    The fact that I'm asking for specifics is evidence that it is a very practical argument, not a theoretical one.

    <...and the gov't doesn't require MS Word (sure.. just get a Word file reader) or Adobe Acrobat (just compile an open source one for free) etc etc... I am sure there are workarounds for everything eventually.>

    Not workarounds; alternatives. And not impractical ones either. OpenOffice.org is a very good alternative to MS Office. It's actually free and easier to obtain/install than MS Office. I would hardly call this a workaround.

    <if you have an acount (and therefor a bill) they already know who you are.>

    And the same would be true for a renewal such as you've mentioned.

    <There's the theoretical argument again. In NJ there are renewals that cannot be done in person.>

    If this situation is specific to New Jersey (and I haven't come across any such situation in Arizona), then that sounds like it's a local government issue, not a US government one.. otherwise it would be nationwide, no?

    <Obviously we have different perspectives. If the govt restricts access to benefits to only certain people, that's ok? That doesn't count as being a requirement? Odd argument, in my book.>

    To use the SBA example again -- If the government restricts the ability to obtain an SBA loan to those people that have a good credit history (proving that they have the means and ability to repay the loan), yes, I think that's perfectly okay. But you can have excellent credit history and qualify for such a loan without ever having a credit card or driver's license.

    <I'm pretty tired of bureaucrats who make it so "technically" everybody has access while practically only those who can achieve the workarounds have access. It leads to a cheating society (like we have now). Usually a waste of time to argue against, and a huge waste of individual time and effort to demonstrate the practical barriers (been there).>

    I'm tired of government providing any services at all other than police, court system, and the military.. all else should be privatized.. but I don't know if we should make this a political discussion (or at least, anymore than we have already) :-).

    <In my town, if that happened you could be cited and fined. I can't quote you the law, but it actually happened to me.>

    I'm not aware of any such law here in Arizona.. and I've spoken to several police officers about the situation after having property vandalized. Though I'm not a lawyer either.

    The point of the analogy was to convey an idea that the victim should not be criminalized if they decide not to take action. I suppose that analogy falls on deaf ears to those that believe victims should be obligated to retaliate.

    BeeDeeDubbleU




    msg:343354
     8:00 am on May 30, 2005 (gmt 0)

    [quote]The point of the analogy was to convey an idea that the victim should not be criminalized if they decide not to take action. I suppose that analogy falls on deaf ears to those that believe victims should be obligated to retaliate.[/quote]

    I said that this was a bad analogy because the banks and CC companies know that this is a risk. They are well aware of Phishing and they know that its proliferation puts more and more of their clients at risk of falling for it. They should be compelled to do all they can to stop this.

    MamaDawg




    msg:343355
     3:02 pm on May 30, 2005 (gmt 0)

    Nick-

    So while your server is sending out 1000 spams/minute, you'd post a note somewhere to your users saying something like, "Okay everyone, we've found some security issues and we'll be taking the server down in a few hours to correct them." In the meantime, your box has sent out thousands of spam emails.

    You apparently misunderstood what I was saying - or missed the key phrase "if at all possible". Of course you need to respond immediately to the incident! But there's appropriate incident response and there's overkill - in most cases there's some option which will minimize business losses to your organization and to your clients. My point being that in the example situation (one spammer inside your network) terminating the source of the problem would normally be far less disruptive than a massive inbound DDOS.

    A little more on-topic: if anyone wants info on the not-yet-standardized approaches currently being tried to improve email authentication, a search on "SPF", "Sender ID" or "Domain Keys" will turn up some reading material.

    aleksl




    msg:343356
     6:51 pm on Jun 1, 2005 (gmt 0)

    Retaliatory DoS attack is not an option, period.
    Spammers will just move on to sending spam from distributed networks - using millions of hijacked computers. Are you going to DoS all of them too? Would be interesting to see - computers DoSing each other until the internet comes to a halt.

    Both-ways SMTP 2.0 may be a solution, but a very long-term. The issue here is that it's gotta be backward-compatible. Otherwise how's your grandma in Montana going to figure out why she can't send email anymore? If that is the case, spammers will just keep using SMTP 1.0, no way to force them.

    NickCoons




    msg:343357
     5:41 pm on Jun 2, 2005 (gmt 0)

    aleksl,

    <Retaliatory DoS attack is not an option, period.
    Spammers will just move on to sending spam from distributed networks - using millions of hijacked computers. Are you going to DoS all of them too?>

    Yes -- It would be a great incentive for people to actually secure their networks.

    Actually, I don't think it would come to that. Many of the larger residential ISPs have some sort of port 25 block that only allows SMTP connections to their mail servers. A hijacked computer could not send out mass amounts of email without the ISP noticing it, and then taking action to block that customer's ability to send mail until they've repaired their machine/network.

    <Would be interesting to see - computers DoSing each other untill internet comes to a halt.>

    Again, I don't think it would ever come to that.

    <Both-ways SMTP 2.0 may be a solution, but a very long-term. The issue here is that it's gotta be backward-compatible. Otherwise how's your grandma in Montana going to figure out why she can't send email anymore? If that is the case, spammers will just keep using SMTP 1.0, no way to force them.>

    Backwards compatibility would defeat the purpose. Mail servers would have to run SMTP 1.0 and SMTP 2.0 side-by-side for awhile, notifying their customers that they are phasing out the old system, and people will have to update their software. Someone could suggest a date to phase out the old standard, and most service providers would voluntarily comply.

    The benefits to comply voluntarily with such a date would be 1) The ability to provide the new service and be compatible with other providers using that service, and 2) To remove the old "spam gateway" service from your network.

    aleksl




    msg:343358
     8:01 pm on Jun 2, 2005 (gmt 0)

    <A hijacked computer could not send out mass amounts of email without the ISP noticing it>

    Don't need to send mass, if there's a network of 1000. Just send 100 a day * 10 days = 1,000,000 emails in 10 days.

    Also, you can't block port 25. What if a hijacked computer is behind a firewall? Or a business? Are you saying you are going to block the whole business? Aren't you going to paralyze entire companies? It is as impractical as blocking the roads so you can give out a couple of speeding tickets.

    NickCoons




    msg:343359
     4:56 am on Jun 3, 2005 (gmt 0)

    <Don't need to send mass, if there's a network of a 1000. Just send 100 a day * 10 days = 1,000,000 emails in 10 days.>

    The ISP generally gives the customer one IP address. Whether they use one computer to send lots of emails, or many computers using NAT to individually send a few emails, it doesn't matter; they see many emails going through their network from one public IP address.

    <Also, you can't block port 25.>

    Yes they can, and they do. Cox and Earthlink currently do, and there are many others as well. They prohibit inbound port 25 access, and they restrict outbound port 25 access to their mail server. This means that all outbound mail must go through their server, which means they can see when large amounts of traffic are passing through, and it also means they can identify and stop it.

    <What if a hijacked computer is behind a firewall?>

    That really is irrelevant. If the ISP blocks specific outbound access, no amount of internal firewalling will get around that.

    <Or a business? Are you saying you are going to block the whole business?>

    Usually ISPs do not have such port restrictions on business services, because many businesses run their own mail services (something you cannot do with a port 25 restriction). On the other hand, if their ISP receives such reports, they impose such a restriction. Qwest does that.

    <Aren't you going to paralyze entire companies?>

    If a company's network (or an individual's computer) has been compromised, they are a victim. If they allow their compromised network to damage others (i.e. by sending out spam), then they should now be subject to consequences.

    When someone is looking to compromise a network for the purposes of mass-mailing, they don't care which network they get into, they just want the one that takes the least effort; the one that's easiest to hack. Following that, it would make sense that such people are breaking into systems that are easy to break into.

    It is very easy to put security measures in place that prevent such attacks, making your network a less desirable target. Just like those devices you can put on your steering wheel to "prevent" your car from being stolen. They are easily removed with a hacksaw, but a car thief usually won't bother.. they'll move on to an easier target.

    Since spammers are compromising networks that are easy to break into (and there are plenty of them), the problem is that people are not properly securing their networks. By not locking down services, not applying security patches, and not using proper firewalls, system administrators are negligent and should not be surprised if their network goes down caused by a DoS attack immediately after it began spamming.

    I had a box that I set up at a colo facility about three years ago.. I used it as a backup box, and never really touched it or locked it down. In fact, about a year ago, I even forgot that I had it there. About six months ago, the ISP called me and said that they received calls saying that my box was launching SSH attacks on other servers, and to prevent further damage they shut the box down. It wasn't a DoS attack against my box, but the ISP shutting it down was effectively the same thing.

    It was a box that I completely forgot about and had never maintained, so it was fairly easy for someone to get into and use it for rogue purposes. This was my fault, and I deserved having my box shut down. If it had been a production machine, it might have caused me some hardship, but I would have brought it on myself.

    <It is as impractical as blocking the roads so you can give out a couple of speeding tickets.>

    I don't follow that logic. If the roads are blocked, how can anyone speed?
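    As an added illustration of the ISP-side view Nick describes (this is not code from any poster), the following Python review aggregates outbound SMTP volume per public source IP, so many hosts behind one NAT address show up as a single large sender, and separately records direct port-25 connections that a relay-only policy would block. The log format, relay address and daily quota are constructed assumptions.

```python
"""Review constructed outbound-connection logs the way an ISP edge that
enforces a relay-only port 25 policy would see them (added example)."""
from collections import defaultdict
from datetime import datetime

ISP_RELAY = "203.0.113.25"   # hypothetical ISP mail relay (TEST-NET-3 address)
DAILY_LIMIT = 500            # hypothetical per-customer-IP daily message quota

# Constructed sample: "<ISO timestamp> <public_src_ip> -> <dst_ip>:<port> <messages>"
# 198.51.100.7 is a NAT gateway with many hosts behind it; their small batches
# still add up to one large sender. 198.51.100.9 tries port 25 to an outside host.
LOG = """\
2005-06-03T00:05:00 198.51.100.7 -> 203.0.113.25:25 100
2005-06-03T06:05:00 198.51.100.7 -> 203.0.113.25:25 250
2005-06-03T12:05:00 198.51.100.7 -> 203.0.113.25:25 300
2005-06-03T09:00:00 198.51.100.8 -> 203.0.113.25:25 3
2005-06-03T09:30:00 198.51.100.9 -> 192.0.2.40:25 40
2005-06-03T10:00:00 198.51.100.8 -> 203.0.113.25:443 1
""".splitlines()


def parse_line(line):
    """Split one constructed log line into (timestamp, src, dst_ip, port, count)."""
    ts, src, _, dst, count = line.split()
    dst_ip, port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst_ip, int(port), int(count)


def review(lines):
    """Return (IPs over the daily relay quota, direct port-25 attempts per IP)."""
    via_relay = defaultdict(int)   # (src_ip, date) -> messages submitted via relay
    bypass = defaultdict(int)      # src_ip -> messages sent straight to port 25
    for line in lines:
        ts, src, dst_ip, port, count = parse_line(line)
        if port != 25:
            continue               # only SMTP matters for this policy
        if dst_ip == ISP_RELAY:
            via_relay[(src, ts.date())] += count
        else:
            bypass[src] += count   # relay-only policy would reject these
    flagged = sorted({src for (src, _), n in via_relay.items() if n > DAILY_LIMIT})
    return flagged, dict(bypass)


if __name__ == "__main__":
    over_quota, direct = review(LOG)
    print("over daily quota:", over_quota)       # ['198.51.100.7']
    print("direct port-25 attempts:", direct)    # {'198.51.100.9': 40}
```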

    soquinn




    msg:343360
     5:48 am on Jun 3, 2005 (gmt 0)

    Phishing is a huge problem now spinning off even more spamming, scamming and fraud. With all the phished information floating out there in the hands of criminals we see 10-20 stolen identities a week pass through our various sites. I don't know if the phishers are also scammers or if they just sell information to scammers but you can almost predict within a day, the onslaught of scammers appearing just after the phishing emails arrive and are forwarded to the appropriate spoof@ address.

    "The costs of phishing are generally hidden"

    How loud can you yell chargebacks! Someone is making money from this? The real problem is that the stolen information is now so accurate that it passes all the security checks and it's almost impossible to report, block or trace an overseas criminal with an AOL IP or satellite connection, 10 yahoo or other free email accounts and 10 different real identities. The scams are a related problem but it all starts with the phished information or maybe now the scams drive the need for more phished identities? We can only hope through more publicity and education that the average Joe doesn't fall for these phishing schemes and checks in on their credit cards and other accounts more frequently before the real damage is done.

    lemming




    msg:343361
     2:36 am on Jun 9, 2005 (gmt 0)

    Did anyone read the followup Cringely article on phishing?

    [pbs.org...]

    It has what seems like a much better solution. Give false information to the phishers so that they will have to sift through 1000's of bogus identities before they can find a real one.

    I wish there was a tool like a Firefox extension or IE toolbar that would make it easier. Kind of like Autofill or Roboform except that it would fill out random false information.

    ControlEngineer




    msg:343362
     1:08 am on Jun 10, 2005 (gmt 0)

    <It has what seems like a much better solution. Give false information to the phishers so that they will have to sift through 1000's of bogus identities before they can find a real one.>

    Very good idea. Not only will it drown the perps in useless information, but every time they try to make use of a username or password or other information that is false, it increases the chances that they will be caught.
    All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
    Home ¦ Free Tools ¦ Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About ¦ Library ¦ Newsletter
    WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
    © Webmaster World 1996-2014 all rights reserved