> Well yeah, I actually did that exact Google before I sent this message.
> It's people's reasoning that I don't understand.
>
I thought you would :).
Well, what I actually meant to say is that I did that Google before I sent
the *first* message. :)
> What are the odds that the recipient actually had a recent conversation
> about a file with a person chosen at random by a bot to put in the "From"
> field of that email? And then the person told the recipient that s/he was
> going to send the file in a zip archive. I mean really?
>
Well, maybe one in a million? But divide those long odds by the cost - zero
- to send the message, and the potential earnings - bazillions - if you can
compromise yet another machine to add to the botnet.
Actually most of the people I deal with don't even know what a zip file
is--and the ones who do tend to pretty much know what they're doing about
everything else as well.
And this assumes a random, phishing attack, and not a spear-phishing attack
specifically targeting a user. If you want the clerk in accounting to
open a file, you spoof an email from the VP by name citing discussions with
her boss, again by name, that "he was the one to get this project done, and
it needed to be done ASAP!"
For some of my clients' email accounts, 85% or more of the email is spam,
most of it obvious garbage, but some of it fairly sophisticated social
engineering, "eBay receipts" or "VISA declined your payment" that trick
fairly savvy people into opening it. And again, the economics are such that
it is nearly free to send a million of these emails, and anyone you catch
puts money in your pocket.
All right.
What you're describing does seem to be somewhat domain-specific though. For
example, nobody where I work would have any business opening emails
relating to VISA or eBay. (The fiscal people know they're never going to
hear from "VISA" about a VISA account; they'll hear from the bank that
issues the card, and they'll "hear" it only in writing, by snail-mail.)
And our organization doesn't have the low-level data-crunchers you've
described.
Nobody in our industry sends a password-protected zip file with the
password contained in the same message that included the attachment. That's
a well-known no-no.
(BTW: one state agency commonly sends two emails, one right after another,
the first announcing that "your account has been created", and the second
one saying, "the password for your new account is ******". They insist that
this is "secure". However, the main reason for passwording email
attachments is to prevent packet-sniffers from accessing their contents.
And if somebody is listening to email traffic with a packet-sniffer and
they somehow successfully manage to pick up the first email out of all the
bazillions of bits streaming through the intertubes in their location, then
they certainly are quite likely to pick up the immediately following second
message with the password. Grr.....)
The problems I've had with attachments haven't involved people being
"fooled" by anything accompanying the attachment. They've been people who
didn't understand the email and thought opening the attachment would clear
up their confusion. They are among the group that doesn't know what a zip
file is and wouldn't know how to deal with one even after they got it open.
These people only mess up with un-archived attachments.
So I think I'm still correct in applying a risk-benefit analysis that takes
into account the specific characteristics of my organization when deciding
whether to allow zip attachments in email.
> If you just tell people not to open any attachment that they don't know
> exactly what it is, you've achieved the same level of security without
> inconveniencing anybody or spending any extra money.
>
And if you tell people they should always have protected sex, AIDS
infections would stop tomorrow.
Well, most of them are afraid of me. I do a good job of putting on a
typical computer-geek persona: the gruff guy with no social skills. And if
they mess up once, then I really make an *effort* to frighten them. :)
In theory, theory and practice have the same outcome. In practice, not so
much.
Wasn't that Yogi Berra?
Ken Dibble
www.stic-cil.org
_______________________________________________
Post Messages to: [email protected]
Subscription Maintenance: http://mail.leafe.com/mailman/listinfo/profox
OT-free version of this list: http://mail.leafe.com/mailman/listinfo/profoxtech
Searchable Archive: http://leafe.com/archives/search/profox
This message:
http://leafe.com/archives/byMID/profox/[email protected]
** All postings, unless explicitly stated otherwise, are the opinions of the
author, and do not constitute legal or medical advice. This statement is added
to the messages for those lawyers who are too stupid to see the obvious.