Wednesday, April 05, 2006

Heading in the opposite direction

Just one day before April 1st 2006 I came across this article:



"German retail banker Postbank will begin using electronic signatures on e-mails to its customers to help protect them from phishing attacks."



Catching up with the phishers seems to be a very worrisome future strategy. Electronic signatures by themselves are rarely checked by anyone, and many more attack vectors are making the idea totally irrelevant. Moreover, a great research paper, "Why phishing works", was recently released; it basically outlines basic facts such as how end users don't pay attention to security checks, if there's even a definition of such given the attack vectors phishers have started using recently. In some of my previous posts, "Security threats to consider when doing E-Banking" and "Anti Phishing toolbars - can you trust them?", I mentioned many other problems related to this bigger-than-it-seems problem. What you should also keep an eye on is the good old ATM scam, which I hope you are aware of.



Postbank is often targeted by phishers; still, the best protection is the level of security awareness stated here:



"Phishing attacks have led 80% of Germans to distrust banking related e-mails, according to TNS Infratest." Moreover, "Postbank's electronic signature service isn't possible with web-based e-mail services provided by local Internet service providers such as GMX GmbH and Freenet.de AG, according to Ebert. One exception is Web.de"



Thankfully so, but that's when you are going in exactly the opposite direction from your customers, while trying to establish a reputable bank-to-customer relationship over e-mail. Listen to your customers first, follow the trends, and do not try to use the most popular dissemination vector for phishing as a future communication channel.



Something else in respect to recent phishing statistics: the key summary points of the Anti-Phishing Working Group's recently released report for January 2006:



• Number of unique phishing reports received in January: 17,877
• Number of unique phishing sites received in January: 9,715
• Number of brands hijacked by phishing campaigns in January: 101
• Number of brands comprising the top 80% of phishing campaigns in January: 6
• Country hosting the most phishing websites in January: United States
• Sites containing some form of the target name in the URL: 45%
• Sites with no hostname, just an IP address: 30%
• Sites not using port 80: 8%
• Average time online for a site: 5.0 days
• Longest time online for a site: 31 days
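The last three URL-level figures in the report (target name in the URL, a bare IP address instead of a hostname, a non-standard port) are exactly the cheap indicators a mail gateway or user-awareness tool can check before a user clicks. The following is an added example, not code from the original post or from the APWG; the brand list, the allow-listed legitimate domains and the sample URLs are constructed for illustration.

```python
"""Heuristic URL triage built from the three URL-level indicators quoted from
the APWG January 2006 report. Added example; all names below are constructed."""
from ipaddress import ip_address
from urllib.parse import urlsplit

# Assumption: brands we watch for, mapped to the registered domains that are
# allowed to carry the brand name. A real deployment would use the
# institution's own inventory of domains.
WATCHED_BRANDS = {
    "postbank": ("postbank.de",),
    "paypal": ("paypal.com",),
    "ebay": ("ebay.com",),
}
# Assumption: explicit ports other than these count as "not using port 80".
STANDARD_PORTS = (80, 443)


def registered_domain(host: str) -> str:
    """Crude last-two-labels approximation of the registered domain."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def phishing_indicators(url: str, brands=WATCHED_BRANDS) -> dict:
    """Return which of the three report indicators fire for a single URL."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    try:
        bare_ip = ip_address(host) is not None   # "30%: no hostname, just IP"
    except ValueError:
        bare_ip = False
    try:
        port = parts.port
    except ValueError:                           # malformed port string
        port = None
    nonstandard_port = port is not None and port not in STANDARD_PORTS
    # "45%: some form of target name in URL" - the brand appears in the host,
    # path or query while the registered domain is not one the brand owns.
    haystack = (host + parts.path + parts.query).lower()
    owner = registered_domain(host)
    brand_in_url = any(b in haystack and owner not in legit
                       for b, legit in brands.items())
    return {"brand_in_url": brand_in_url,
            "bare_ip": bare_ip,
            "nonstandard_port": nonstandard_port}


def score(url: str) -> int:
    """Number of indicators that fire (0-3); anything above 0 deserves a look."""
    return sum(phishing_indicators(url).values())
```

Constructed URLs such as `http://192.168.0.1:8080/postbank/login` light up all three indicators, while the brand's own allow-listed domain scores 0; the heuristic is a triage filter, not proof, since a lookalike registered domain that does not literally contain the brand slips past it.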




I feel there's a lot more to expect than trying to re-establish communication over a broken channel, as far as E-banking is concerned.



More resources you might be interested in taking a look at are:
Vulnerability of First-Generation Digital Certificates and Potential for Phishing Attacks
Netcraft: More than 450 Phishing Attacks Used SSL in 2005
SSL's Credibility as Phishing Defense Is Tested
Rootkit Pharming
The future of Phishing
Something is Phishy here...
Phishing Site Using Valid SSL Certificates
Thoughts on Using SSL/TLS Certificates as the Solution to Phishing




Securing political investments through censorship

I try to blog extensively on various privacy and Internet censorship related issues affecting different parts of the world, or to provide comments on the big picture the way I see it.



Spending millions -- 6 million euro here, and I guess you also wouldn't let someone spread the word on whether the cover is fancy enough for a vote or not -- on political campaigns to directly or indirectly influence the outcome of an election is a common practice these days. Whereas trying to build a wall around a government's practices is like having a tidal wave of comments smashing against it. I recently came across the following article:



"Singapore has reminded its citizens that web users who post commentary on upcoming elections could face prosecution. Election commentary is tightly controlled under Singaporean law; independent bloggers may comment on the election, but must register their site with the Media Development Authority (MDA)."



I'm so not into politics -- and try not to be -- but threatening prosecution for commentary and registering users, while not first "introducing yourself", as in "During the November 2001 elections, Singapore's political parties limited their use of the Internet to posting schedules and candidate backgrounds," isn't the smartest long-term political strategy ever, don't you think?



More resources on the state of censorship in Singapore worth checking out are:

Internet Filtering in Singapore in 2004-2005: A Country Study
EFF "Censorship - Singapore" Archive
Censorship in Singapore
To Net or Not to Net: Singapore’s Regulation of the Internet
Censorship Review Committee 2002/2003
The Internet and Political Control in Singapore




Insider fined $870

Insiders still remain an unresolved issue, where the biggest trade-off is the loss of productivity and trust in the organizational culture. According to the Sydney Morning Herald:



"A court in Guangzhou, capital of the southern Chinese province of Guangdong, has upheld a lower court's guilty verdict against Yan Yifan for selling stolen passwords and virtual goods related to the online game "Da Xihua Xiyou." The court upheld a $870 US fine, arguing that victimized players had spent time, energy, and money to obtain the digital items Yan sold. Yan stole the players' information while an employee for NetEase.com, the company behind the game."



So, it's not just 0days, eBay/PayPal accounts, and spyware market entry positions that are for sale -- but virtual world goods as well.



While it's not a top espionage case, or one comparable to the recent arrest of "two men, identified as Lee and Chang, on charges of industrial espionage for downloading advanced mobile phone designs from employer Samsung for sale to a major telecommunications firm in Kazakhstan", insiders still represent a growing trend that, according to the FBI's most recent 2005 Computer Crime Survey, cost businesses $6,856,450.


Then again, failing to adequately quantify the costs may either fail to assess the situation, or twist the results based on unmaterialized but expected sales, as according to the company, "Samsung could have suffered losses of $1.3 billion US had the sale been completed." Trust is vital, and so is confidence in Samsung's business case.




The "threat" by Google Earth has just vanished in the air

Or has it actually? In one of my previous posts, "Security quotes : a FSB (successor to the KGB) analyst on Google Earth", I mentioned the usefulness of Google Earth to the general public, and the possibility of it assisting terrorists. The most popular argument for how useless the publicly available satellite imagery is holds that it doesn't provide high-resolution or recent images -- unless, of course, you request them -- but doesn't it bother you that here we have a street-side drive-by POC?



The recently introduced Windows Live Local Street-Side Drive-by (A9's maps have been around for quite a while) is setting a new benchmark for interactive OSINT -- if any, as this is also a privacy violation that could be compared with efforts like these if it were in real time. Having had several conversations with a friend who is far more into satellite imagery than I am, I've realized that, starting from the basic fact of targeting a well-known or a movie-plot location, one doesn't really require satellite imagery. I find that today's sources basically provoke the imagination and the self-confidence -- and hopefully nothing more!


There have been numerous articles on the threat posed by Google Earth, and India seems to be the country most concerned about this for the time being:



"Chief of the Indian Army General J.J. Singh warns that Google Earth could endanger national security by providing high resolution photographs of strategic defense facilities. The software could prove especially useful to countries that do not have their own satellite capabilities. Singh called Google Earth a shared concern for all countries, requiring all countries to cooperate to address the issue. Indian President APJ Abdul Kalam has also expressed concerns over Google Earth and national security."



You can spend hours counting the cars in the NSA's parking lot through public satellite imagery resources, yet you would never get to see what's going on in there. I guess things have greatly changed since the days when tourists sent over to the USSR, or the other way around, to the U.S., would try to get hold of as many maps as possible to finish the puzzle.



In some of my previous posts on Cyberterrorism, I said that terrorists are not rocket scientists until we make them feel so, and I'm still sticking to this statement; what about you? As a matter of fact, Schneier is inviting everyone to participate in the Movie-Plot Threat contest -- stuff like terrorist EMP warfare, nuclear truck bombs (the same story from 3 years ago), and other science fiction scenarios worth keeping an eye on.



Terrorism is a profitable paranoia these days, one that's constantly fuelling further growth in defense and intelligence spending, as satellite imagery is promoted for the bust of Bin Laden, whereas their infrastructure seems to be pretty safe, doesn't it? (More photos: 1, 2, 3, 4, 5, 6) I'd rather we had known parties as an adversary, the way it used to be during the Cold War, whose competition sent us into Space and landed us on the Moon, instead of seeing terrorists everywhere and missing the big opportunity.


