Re: Yet another Visa scam scheme

From: Nick FitzGerald (nick_at_virus-l.demon.co.uk)
Date: 02/03/04

Next message: E. Jimmy Allotey: "RE: Blaster Recurrence"

Date: Tue, 03 Feb 2004 12:17:40 +1300
To: incidents@securityfocus.com


Raffael Marty <rmarty@arcsight.com> wrote:

> You are neglecting the fact that those emails are PGP signed. It's up to
> the reader to verify the signature, but I'd say that you can expect a
> security analyst to check the signature before he believes (and acts
> upon) the contents of such an email.

And you are neglecting the fact that "typical users" expect their
"commodity computers" to "just work".

A typical user does not know what PGP is and, more importantly, does
not care.

Worse, your typical user's "typical computer" does not know what PGP is
and its Email client couldn't care less...

Worse still, some of these typical users are bound to be naïve enough
to expect that the:

   -----BEGIN PGP SIGNED MESSAGE-----

and/or:

   -----BEGIN PGP SIGNATURE-----
   Comment: Blah

   iQdCVEAwGUBQsBcz3kyh9+716yA23DNAQSMTrAlP/VKuCKZzTJMTxK...

   -----END PGP SIGNATURE-----

gibberish (or "computer talk" as many are inclined to call it) actually
means something significant. And some of those are bound to assume
that the message would not have been delivered were the signature not
kosher. Given the geniuses at MS continue to entirely fail to
understand that code signing is not a solution to any truly important
integrity issue, should we really expect our typical user to have any
better idea?

I agree with the OP that these messages make an enticing target for the
scammers and/or forgers out there.

And, to address a different issue with these "alerts", I'll repeat the
last bit of Raffael's comment again:

> ... but I'd say that you can expect a
> security analyst to check the signature before he believes (and acts
> upon) the contents of such an email.

One would certainly hope so, but given the way these "alerts" are being
compiled and distributed, do you really expect them to be any better
than or much different from the (former ??) FBI "cyber security"
alerts? To date these have, from a professional's perspective, been
too late and/or too inaccurate to be useful. Surely they are aimed
squarely at whatever fraction of "middle America" the DHS sees as
caring about such issues?

And, to answer the hopefully obvious question -- of course I
subscribed! One can always use a little more humour in their life...

Regards,

Nick FitzGerald
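The point Nick makes above, that a mail client will happily display the PGP armor without the armor meaning anything, is easy to make concrete. The following is an added example, not code from the original thread or from any of the people in it: it parses an OpenPGP clear-signed message (RFC 4880, section 7), checks the Radix-64 armor checksum (CRC-24, section 6.1), and keeps a separate `verified` flag that only a key-aware verifier can set. The armor CRC covers only the encoded signature bytes, not the signed text, so a structurally valid block says nothing about who wrote the message. The `verify_with_gpg` helper assumes a `gpg` binary on PATH and the signer's key in the keyring; the sample message is constructed inside the block and its "signature" bytes are not a real signature.

```python
"""Added example (not from the original thread): parse an OpenPGP clear-signed
message (RFC 4880, section 7) and show why the armor block alone proves nothing.
The armor checksum (CRC-24, section 6.1) only covers the encoded signature
bytes; it is not a signature check and says nothing about the signed text.
Only a key-aware verifier (gpg --verify, assumed on PATH if used) can set
`verified`."""
import base64
import shutil
import subprocess
from dataclasses import dataclass
from typing import List, Optional

CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB
BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"


def crc24(data: bytes) -> int:
    """Radix-64 armor checksum from RFC 4880 section 6.1: an integrity check
    on the encoding only, with no cryptographic meaning."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


@dataclass
class ClearSigned:
    hash_headers: List[str]
    signed_text: str
    signature_b64: str
    armor_crc_ok: bool
    verified: bool = False  # stays False until a key-aware verifier says otherwise


def parse_clearsigned(message: str) -> ClearSigned:
    """Split a clear-signed message into its parts and check the armor CRC.
    armor_crc_ok == True means the base64 block is intact, nothing more."""
    lines = message.splitlines()
    try:
        i = lines.index(BEGIN_SIGNED)
        j = lines.index(BEGIN_SIG, i)
        k = lines.index(END_SIG, j)
    except ValueError as exc:
        raise ValueError("not a clear-signed message") from exc
    # "Hash:" armor headers, terminated by exactly one blank line (section 7).
    pos = i + 1
    hash_headers = []
    while pos < j and lines[pos] != "":
        hash_headers.append(lines[pos])
        pos += 1
    # Signed text; undo the "- " dash-escaping of section 7.1.
    body = [ln[2:] if ln.startswith("- ") else ln for ln in lines[pos + 1:j]]
    # Signature armor: optional headers, blank line, base64 lines, "=" + CRC.
    sig_lines = lines[j + 1:k]
    blank = sig_lines.index("")
    data_lines = [ln for ln in sig_lines[blank + 1:] if ln]
    payload_b64 = "".join(ln for ln in data_lines if not ln.startswith("="))
    crc_lines = [ln for ln in data_lines if ln.startswith("=")]
    crc_ok = False
    if crc_lines:
        raw = base64.b64decode(payload_b64)
        expected = int.from_bytes(base64.b64decode(crc_lines[-1][1:]), "big")
        crc_ok = crc24(raw) == expected
    return ClearSigned(hash_headers, "\n".join(body), payload_b64, crc_ok)


def verify_with_gpg(message: str) -> Optional[bool]:
    """The only check that means anything: hand the message to gpg, which needs
    the signer's public key in its keyring. Assumes gpg on PATH; returns None
    when it is absent so callers cannot mistake 'not checked' for 'ok'."""
    if shutil.which("gpg") is None:
        return None
    proc = subprocess.run(["gpg", "--batch", "--verify"], input=message.encode(),
                          capture_output=True)
    return proc.returncode == 0


def build_demo_message(signed_text: str, sig_bytes: bytes) -> str:
    """Constructed sample input: wraps arbitrary bytes in a syntactically
    correct armor block with a correct CRC. The bytes are not a signature."""
    escaped = ["- " + ln if ln.startswith("-") else ln for ln in signed_text.split("\n")]
    b64 = base64.b64encode(sig_bytes).decode()
    chunks = [b64[n:n + 64] for n in range(0, len(b64), 64)]
    crc = "=" + base64.b64encode(crc24(sig_bytes).to_bytes(3, "big")).decode()
    return "\n".join([BEGIN_SIGNED, "Hash: SHA256", ""] + escaped +
                     [BEGIN_SIG, "Comment: Blah", "", *chunks, crc, END_SIG])


if __name__ == "__main__":
    msg = build_demo_message("Alert: patch now\n-- \nDHS", b"not-a-real-signature")
    parsed = parse_clearsigned(msg)
    print("armor intact:", parsed.armor_crc_ok, "| verified:", parsed.verified)
    print("gpg says:", verify_with_gpg(msg))  # None without gpg, False without a key
```

The design point is the two separate flags: a mail filter or client that collapses "the armor parses" and "the signature verified against a trusted key" into one green tick is exactly the situation the thread describes, where the block of "computer talk" ends up doing the persuading. Editing the signed text of the constructed message leaves `armor_crc_ok` true, because the CRC never covered it.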


