May 19 2004

Look Ma, it’s a hoax!

Published by Martin at 1:24 pm under Simple Security

US-CERT Cyber Security Tip ST04-009 — Identifying Hoaxes and Urban Legends

I am so tempted to send a copy of this to every single relative, not to mention most of my co-workers. Of course, most of my friends and relatives only send me one hoax email. I make it very clear that forwarding me a hoax once is acceptable; twice earns them a special place in my heart. I do have a heart. Honest.

I wonder if having this collection of links will mean any more to them when it’s posted by US-CERT, rather than as a link to my own web page.


4 Responses to “Look Ma, it’s a hoax!”

  1. Jonathan on 24 May 2004 at 5:06 am

    The trouble is, I don’t think it’s as simple as that.

    The network security industry is taking a stance on chain letters, hoaxes and the more serious “phishing” phenomena etc. that’s reminiscent of the motor industry and road safety in the 1960s. The standard reaction to the problem of people getting killed or injured in cars was always that it was “the nut behind the wheel” and that if only drivers learnt to drive better it would all be OK. It wasn’t until people were regularly being killed in collisions at speeds of less than 30mph that the industry (with a hefty kick up the arse) did something about it in motor vehicle design.

    In the same way, we now have a situation where real damage is being done (fraud, identity theft, etc.) because the security industry is doing far too little to design the problems away. Simply blaming ignorant users who can’t tell the real from the fake isn’t helping. Time and again I see people in the industry saying that users won’t understand the principles of PKI or digital signatures, etc. while then expecting them to be able to understand what a “safe” URL might be, or advising them to look for spelling errors on “official” communications.

    For example, I recently received a mail from eBay. It informed me that my account had been used to place fraudulent bids and that I should confirm my identity with them by clicking a link or my account would be disabled. The email looked to me like it was legitimate - but I was suspicious. Yes, I had NO WAY of validating whether the email was real or a good attempt at “phishing.” I emailed eBay about this, and am waiting for a reply. I’ll be interested to see what they say.

  2. Martin on 24 May 2004 at 6:19 am

    Jonathan,

    While I agree with most of your post, I have yet to see a solution to the problem that A) would work, and B) wouldn’t do more harm than good. I’m interested to see how the most recent efforts from Microsoft, Sendmail and other companies turn out, but I’m worried about any effort that includes Microsoft. They have their hooks in too many things already.

    The legislative approach to dealing with spam worries me just as much. The target here is moving so fast that I’m afraid most governments will be far behind any phishers, or whatever arises afterwards. Additionally, the US government has a history of making mistakes with technology. I feel better when they just stay out of it.

    I don’t have a better solution. I think that changing the way email works is probably the right way to go. Let the engineers who understand the function of email be the ones to make changes. I believe the engineers have a much greater chance of understanding the repercussions of their changes than the politicians would.

  3. Axel on 24 May 2004 at 6:40 am

    One possible solution would be to use digital signatures on outgoing emails. It’s not that hard to install an enterprise-wide encryption and signing solution with something like Outhouse or Lotus Nods. Then it would at least be possible for a knowledgeable person to check if the email is legit.

    Martin, do you really think people will believe US-CERT messages more than yours? I highly doubt that: after all, one of my sisters-in-law who is a bit more active online forwards any hoax and chain letter she receives to her complete address book. And not only once, but several times by now. I don’t hesitate to call her back (and the rest of her addressees, too), but I feel like some old-fashioned Spanish knight fighting against the proverbial windmills (sans Sancho Pansa, of course).

  4. Jonathan on 24 May 2004 at 9:58 am

    I think digital signatures on outgoing mail would at least be a _start_. True, most users would not understand how they could use them to validate an email, but if enough companies used them in their communications (I’m thinking here of my eBay example) then over time, they would. After all, if you can grasp how eBay works, then something like PKI - simply explained - should be easy enough. Particularly if you rely on your eBay account not being compromised!

    I agree that solutions should ideally not be vendor-specific, but given the fact that perhaps 80% of users use Outlook, and Outlook (both versions) can I believe parse signatures, then perhaps that’s how it has to be - at least in the medium term. After all, if you want to see video on the web, that’s vendor specific (Real, MS - the others are as yet below the horizon for most users).

    Basically, it’s getting to a point where pontificating about ideals is not good enough any more. We need the security industry to start barking at businesses, the media (and perhaps the government, maybe) to do something about the issue of online authentication, not keep blaming users for being ignorant.

    Another related anecdote - I recently got a call from my bank. They wanted to ask me about a couple of credit card purchases I’d made. But first they asked me to verify my identity (“for security reasons”). I said I would, but that I also wanted to verify theirs as well. OK - I was being tin-foil-hat, but I was curious. The caller had no script for that, so I suggested I give them my day of birth if they gave me my month, etc. until we were both satisfied that we both were who we said we were. It was hard to keep a straight face…
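Axel's suggestion (comment 3) of signing outgoing mail, and Jonathan's point (comment 4) that a signed eBay-style notice could at least be checked, can be demonstrated end to end with the openssl CLI. The script below is an added example, not code from the original post or its commenters. It assumes the openssl command is installed; the two signing identities and the addresses billing@example.test and member@example.test are constructed, and the genuine sender's own self-signed certificate stands in for the CA-issued certificate a recipient would actually trust. It shows the three cases that matter: a genuine signed mail verifies, a mail whose link was edited in transit fails, and a mail signed by an impostor who copies the sender's name and address but holds a different key also fails.

```shell
#!/bin/sh
# Added example (not part of the original post or its comments): sign an
# outgoing mail with S/MIME via the openssl CLI and verify it the way a
# recipient's client would. Assumes the openssl command is installed.
# Both signing identities below are constructed self-signed certificates;
# the recipient's trust anchor is the genuine sender's own certificate,
# standing in for a CA-issued certificate the recipient already trusts.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_identity <dir> <email>: throwaway RSA key plus self-signed cert.
make_identity() {
    mkdir -p "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=$2/emailAddress=$2" \
        -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1
}

# sign_mail <identity-dir> <body-file> <out-file>: produce a clear-signed
# multipart/signed message; the signature covers the text/plain part and
# the signer certificate travels inside the message.
sign_mail() {
    openssl smime -sign -text -in "$2" -out "$3" \
        -signer "$1/cert.pem" -inkey "$1/key.pem" \
        -from "billing@example.test" -to "member@example.test" \
        -subject "Please confirm your account" 2>/dev/null
}

# verify_mail <trusted-cert> <signed-file>: exit 0 only when the signature
# matches the content AND the signer chains to the trust anchor.
verify_mail() {
    openssl smime -verify -in "$2" -CAfile "$1" >/dev/null 2>&1
}

# Constructed data: the genuine sender, and an impostor who uses the same
# display name and address but necessarily holds a different key.
make_identity "$WORK/sender"   "billing@example.test"
make_identity "$WORK/impostor" "billing@example.test"
printf 'Please confirm your identity at https://www.example.test/account\n' > "$WORK/body.txt"

sign_mail "$WORK/sender"   "$WORK/body.txt" "$WORK/genuine.eml"
sign_mail "$WORK/impostor" "$WORK/body.txt" "$WORK/forged.eml"

# A phisher who intercepts the genuine mail and swaps in a look-alike link
# ("exarnple") cannot re-sign it; the clear-signed body is edited in place.
sed 's|www\.example\.test|www.exarnple.test|' "$WORK/genuine.eml" > "$WORK/tampered.eml"

TRUST="$WORK/sender/cert.pem"
verify_mail "$TRUST" "$WORK/genuine.eml"  && echo "genuine:  signature verified"
verify_mail "$TRUST" "$WORK/tampered.eml" || echo "tampered: verification failed (content altered)"
verify_mail "$TRUST" "$WORK/forged.eml"   || echo "forged:   verification failed (signer not trusted)"
```

The check that does the work is the `-CAfile` trust anchor in verify_mail: a signature alone only proves that some key signed the content, and the impostor's mail carries a perfectly good signature from the impostor's own certificate. It is the chain to a certificate the recipient already trusts, together with the address in that certificate, that ties the mail to the real sender, which is why a mail client that verifies signatures with the equivalent of openssl's `-noverify` gives the user no protection against exactly the eBay scenario described above.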