Techdirt. Stories filed under "phishing" Easily digestible tech news... http://www.techdirt.com/ en-us Techdirt. Stories filed under "phishing"http://www.techdirt.com/images/td-88x31.gifhttp://www.techdirt.com/ Mon, 12 Mar 2012 07:30:35 PDT If Phishing Email Can Kill NY Power Grid, Lack Of Cybersecurity Legislation Is Not The Problem Mike Masnick http://www.techdirt.com/articles/20120309/16470618060/if-phishing-email-can-kill-ny-power-grid-lack-cybersecurity-legislation-is-not-problem.shtml http://www.techdirt.com/articles/20120309/16470618060/if-phishing-email-can-kill-ny-power-grid-lack-cybersecurity-legislation-is-not-problem.shtml faux urgency to pass some cybersecurity legislation coming from the federal government, with plenty of fear mongering from politicians who never seem to want to point out any factual basis for why we need such new laws. Instead, it's all been about Hollywood movie script-style scenarios about planes falling from the skies. It appears that the White House is heavily involved in this bogus fear mongering as well, having recently set up a "simulated cyberattack on New York City's power supply" to convince elected officials to move forward on the legislation.
During a classified briefing in the Office of Senate Security, Homeland Security Secretary Janet Napolitano and White House counterterrorism adviser John Brennan showed lawmakers how a hacker could breach control systems of the city’s electric system and trigger a ripple effect throughout the population and private sector, according to a source familiar with the scenario.

“The fact that we could be subject to a catastrophic attack under the right circumstances and we now know some of the things that would help us to protect against such an attack, that’s why it’s important now for the Congress to take this up,” Napolitano said in an interview with POLITICO.
Now that's interesting. Just how could a hacker breach control systems of the power grid? Apparently with an email phishing attack:
During the simulation, the hacker gains access to the electric supply’s control system through a simple “spearphishing” attack, in which a worker merely clicks on a link in an email that appears to be from someone they know.
Um, there's your problem. If the NYC power grid is attached to the public internet in such a way that it can be taken down, then um, shouldn't we take it off the internet? This isn't about cybersecurity, this is about common sense, where things like the power grid should not be accessible via the internet -- and I'm pretty sure they're not (back here in reality). But in the world where we need fear, uncertainty, doubt and the ability for the federal government to spy on private networks, we have to pretend such a scenario is likely.

Of course, I also question why the White House chose NYC as the showcase for the simulation and suggested that there would be deaths and other massive harm from such a power grid takedown. After all, it was just about a decade ago that the power grid in the Northeast did, in fact, fail. It was an inconvenience for many people, certainly, but it was hardly damaging in the way the White House seems to have implied with this scare tactic.

So, once again, can we take a step back and ask some simple questions: what's the real threat and the real risk here? If it's that the NYC power grid is accessible by a simple password over the public internet, then the problem isn't cybersecurity, it's whoever was stupid enough to connect the power grid to the internet. Let's fix that. But let's not regulate and spy on large segments of the public internet to cover for a few bad decisions.

Permalink | Comments | Email This Story
]]> oh-come-on http://www.techdirt.com/comment_rss.php?sid=20120309/16470618060 Mon, 23 May 2011 04:43:31 PDT Oh Look, Sony Hacked Again, Site Used For Phishing Mike Masnick http://www.techdirt.com/articles/20110521/09303414368/oh-look-sony-hacked-again-site-used-phishing.shtml http://www.techdirt.com/articles/20110521/09303414368/oh-look-sony-hacked-again-site-used-phishing.shtml hacked yet again, and this time the hacked site was being used for phishing. This was totally unrelated to the PlayStation Network hacks, but involved a website for Sony Thailand. Still, given all the trouble Sony has had lately keeping its systems secure, this seems to just add another layer to the stack of questions about Sony's technical competence.

Permalink | Comments | Email This Story
]]> count-the-hacks http://www.techdirt.com/comment_rss.php?sid=20110521/09303414368 Fri, 4 Jun 2010 06:43:41 PDT Yet Again, Real Police Called Into Virtual World Over (Not Really) Theft Of Virtual Items Mike Masnick http://www.techdirt.com/articles/20100602/1644049664.shtml http://www.techdirt.com/articles/20100602/1644049664.shtml arrested a kid for "stealing" virtual furniture in the virtual world, Habbo Hotel. At the time, we pointed out how problematic it is when real laws (and real police) cross over into virtual worlds. What if "stealing" is a part of the game? Even if it's not, it seems like these are cases where the folks who run Habbo Hotel should handle it via terms of service issues, rather than getting the real police involved. If virtual items are "stolen," then Habbo should be able to give them back. That's one of the nice things about a virtual world where there is no scarcity and where there's the ability to bring "stolen" things back.

However, it looks like that's not happening any time soon. A bunch of folks have sent in the news that the Habbo Hotel folks have now asked Finnish police to investigate 400 cases of "theft" in their world. Seriously. Of course it is a bit more complicated than that. They're really upset about phishing scams that let scammers get users login information, which they then use to get into their account and transfer the virtual goods away. But that's not really "theft" and it's a misnomer to call it that. And, really, if Habbo Hotel users are getting phished so frequently, perhaps the Habbo developers should focus on building a better login system that is not so susceptible to simple phishing scams...

Permalink | Comments | Email This Story
]]> not-again http://www.techdirt.com/comment_rss.php?sid=20100602/1644049664 Thu, 31 Dec 2009 15:44:52 PST FCC Boss Spams Facebook Friends With Make Money Now Scam Mike Masnick http://www.techdirt.com/articles/20091231/1440067570.shtml http://www.techdirt.com/articles/20091231/1440067570.shtml spam all his friends with a message saying "Adam got me started making money with this" which was followed by a link to a now defunct site. Facebook has taken down Genachowski's page, and appears to be effectively blaming him for the problem, putting out a generic notice about how users need to be careful not to click on strange links...

Permalink | Comments | Email This Story
]]> whoops http://www.techdirt.com/comment_rss.php?sid=20091231/1440067570 Tue, 1 Dec 2009 09:30:00 PST If You Gain Unauthorized Access To A Character In A Virtual World, Is It Theft? Mike Masnick http://www.techdirt.com/articles/20091130/0711587130.shtml http://www.techdirt.com/articles/20091130/0711587130.shtml questioned the wisdom of using real world laws to deal with issues within virtual worlds. You begin to open up quite the Pandora's Box of problems. If it's okay to charge someone for theft of virtual goods in a virtual world, what do you do if "theft" is a part of the game? And then does killing another character in a virtual world become "murder"? These issues are coming up again as Slashdot points out that a guy in the UK has been arrested for "robbery" of a player in the online world RuneScape. In this case, the arrested guy used a phishing scheme to get access to the username and password, making it similar to a story from two years ago involving "stolen goods" in Habbo Hotel that involved a similar "hacking" of an account.

But, again, it seems questionable to call this a robbery. Why not just charge the guy with violation of whatever laws there are against phishing or fraud, rather than robbery. These sorts of "robberies" can and probably should be dealt with directly in the virtual worlds themselves, where game administrators should be able to just "make things whole." Instead of calling it a robbery, why not focus on the actual crime of phishing, rather than the questionable "crime" of "robbery" of another's character.

Permalink | Comments | Email This Story
]]> confusion-abounds http://www.techdirt.com/comment_rss.php?sid=20091130/0711587130 Thu, 22 Jan 2009 18:46:53 PST Facebook's Lack Of Hacking Resolution System For Nigerian Scammers Mike Masnick http://www.techdirt.com/articles/20090121/2124463488.shtml http://www.techdirt.com/articles/20090121/2124463488.shtml Nigerian scammers hacking into Facebook, and then sending their "friends" messages, saying they're stranded in London without money. It is, of course, just the latest improvement on the venerable old Nigerian 419 scam, this time upgraded to use hacked/phished Facebook accounts to trick trusting friends into coughing up their money. However, one of the biggest issues is raised by Yehuda Berlinger, who points out that for those who are hacked, Facebook doesn't seem to have any reasonable way to contact them and fix the problem. Considering how much of your "identity" might be tied up in your social networking profile, you would think that a company like Facebook would have a ready made system in place to handle such "emergency" situations.

Permalink | Comments | Email This Story
]]> seems-like-a-problem http://www.techdirt.com/comment_rss.php?sid=20090121/2124463488 Thu, 13 Nov 2008 23:07:56 PST Online Criminals Move On To Corporate Espionage Mike Masnick http://www.techdirt.com/articles/20081112/0321052809.shtml http://www.techdirt.com/articles/20081112/0321052809.shtml margins were getting squeezed for older online organized crime groups who had focused on such practices in the past. Apparently, the big money now has moved away from standard phishing and into corporate espionage. Organized crime groups are figuring out ways to hack into company networks, suck up as much data as possible, and then sell it off to the highest bidder -- whether it's competing firms or foreign governments.

Permalink | Comments | Email This Story
]]> plain-old-phishing-doesn't-pay http://www.techdirt.com/comment_rss.php?sid=20081112/0321052809 Mon, 18 Aug 2008 04:54:44 PDT Phishing Scammer Gets Seven Years Mike Masnick http://www.techdirt.com/articles/20080815/1422541995.shtml http://www.techdirt.com/articles/20080815/1422541995.shtml just got sentenced to seven years in prison. Considering that he was scamming people's passwords to use elsewhere, this seems a lot more reasonable than the folks who get long jail sentences just for spamming. But, with all of these stories about spammers and phishers getting convicted, it always seems like the punishment is rather arbitrary. There's no clear pattern at all.

Permalink | Comments | Email This Story
]]> this-ought-to-make-some-folks-happy http://www.techdirt.com/comment_rss.php?sid=20080815/1422541995 Mon, 21 Apr 2008 21:01:08 PDT Non-Existent Domain Hijacking Not Just Annoying, But A Security Threat Mike Masnick http://www.techdirt.com/articles/20080421/015522900.shtml http://www.techdirt.com/articles/20080421/015522900.shtml huge mess over VeriSign's plan to create "SiteFinder," which effectively hijacked "page not found" messages online and inserted advertising instead. This also broke a bunch of online services that relied on accurate page not found messages. Eventually, VeriSign backed down, but over the last couple of years, ISPs have been starting to do the same thing on their own at a slightly different level in the process. However, some security researchers have demonstrated just how dangerous this can be, by using Earthlink's set up to show how it can be used by phishers to make pages look like they're really on someone else's domain. This particular hole has been patched, but it does demonstrate some of the unintended problems of hijacking a widely accepted standard behavior on the internet for the ISP's own purposes. The ISPs (including Earthlink in this case) always claim that they put up these ad pages as a "customer service" or to "improve their experience," but that's simply untrue. Such pages don't help matters. If a page can't be found, the user should be told that the page can't be found. They can do a search on a search engine themselves to find the proper page.

Permalink | Comments | Email This Story
]]> please-stop http://www.techdirt.com/comment_rss.php?sid=20080421/015522900 Thu, 3 Apr 2008 23:47:00 PDT Army Sets Up Phishing Scam To See How Gullible Service Members Are Mike Masnick http://www.techdirt.com/articles/20080402/194347734.shtml http://www.techdirt.com/articles/20080402/194347734.shtml leaked nuclear secrets via a P2P site, perhaps it's nice to know that our military runs its own phishing tests to see how gullible service members are. Slashdot points us to the news that the Army ran its own phishing scam, emailing members with an offer for free tickets to theme parks if they just went to a website and filled in certain information. The test itself was set up by the U.S Army Intelligence and Security Command (INSCOM) and U.S. Army Network Enterprise Technology Command (NETCOM) -- and it involved a "fake" website supposedly from Army Family and Morale, Welfare and Recreation Command (Family and MWR). Amusingly, it appears that INSCOM and NETCOM didn't bother to tell the folks at Family and MWR that they were conducting this test, so the group had rushed out an announcement warning people away from the fake site, only to later be clued in by the security folks. Oh well, it still seems better than using Dungeons & Dragons as a test of whether army members are security risks.

Permalink | Comments | Email This Story
]]> and-here's-the-list-of-folks-not-to-give-sensitive-info-to http://www.techdirt.com/comment_rss.php?sid=20080402/194347734 Wed, 27 Feb 2008 07:21:00 PST Senate Looks To Outlaw Phishing, Even Though It's Already Illegal Mike Masnick http://www.techdirt.com/articles/20080226/195527365.shtml http://www.techdirt.com/articles/20080226/195527365.shtml seeks to outlaw phishing. One tiny point is important here: phishing is already illegal. So, really all this bill does is allow these politicians to claim that they took a stand to stop phishing. Except, it's actually worse than that. Not only will this bill not do anything to stop phishing, it will actually make life worse for plenty of non-criminals. That's because a part of the bill would outlaw hiding domain name registration information. Now, there are plenty of legitimate reasons for not wanting to reveal your info in the whois database -- but according to this bill, it won't be allowed any more. If you want to own a domain, you'll need to cough up your name, address and phone number to whoever wants it -- and they better be legit. If you provide false info, you'll also be breaking the law. So, it won't do anything new to stop phishing, but will make it much more difficult to own a domain anonymously. That's quite a nail.

Permalink | Comments | Email This Story
]]> gotta-do-something http://www.techdirt.com/comment_rss.php?sid=20080226/195527365 Tue, 30 Oct 2007 21:49:19 PDT Phishing Scammers Convince Grocery Store To Give Them $10 Million Mike Masnick http://www.techdirt.com/articles/20071029/222817.shtml http://www.techdirt.com/articles/20071029/222817.shtml approximately $10 million to be deposited into the two accounts over a period of about 4 days. At this point, someone from Supervalu figured out there was a problem and alerted the authorities, who were then able to recover most of the money before the scammers withdrew it. However, it appears that no one has yet figured out who opened the accounts, though Supervalu has filed a lawsuit in order to try to get that information.

Permalink | Comments | Email This Story
]]> the-big-phish http://www.techdirt.com/comment_rss.php?sid=20071029/222817 Mon, 23 Jul 2007 08:34:37 PDT Latest Phishing Scam... Actually University Research Mike Masnick http://www.techdirt.com/articles/20070722/221435.shtml http://www.techdirt.com/articles/20070722/221435.shtml actually phishing a variety of people to con important information out of them in order to understand what kind of phishing scams work. The researchers and the university are defending the practice, saying they learned a lot from it, and it's legal to be deceptive for the purpose of research so long as the deception is no different than what a person might come across normally and the risk to the person is minimal. Still, if any of the information is eventually misused or gets leaked, it certainly could create some problems for the university (and universities are no stranger to leaking data). The university still claims that this kind of research is key to preventing phishing... but oddly, the article seems to highlight what works for phishing scams, rather than what works to stop phishing scams. So, right now, the research seems to be telling scammers how to be more effective scammers, rather than coming up with ways to stop phishing.

Permalink | Comments | Email This Story
]]> gotta-trick-you-to-understand http://www.techdirt.com/comment_rss.php?sid=20070722/221435