lists.openwall.net: Open Source and information security mailing list archives
Date: Thu Jun 29 12:10:37 2006
From: n3td3v at gmail.com (n3td3v)
Subject: Are consumers being misled by "phishing"?

On 6/29/06, Gadi Evron <ge@...uxbox.org> wrote:
> I guess I'm in kiddie flaming mood this week. About time too, been a
> while.

Kiddie flaming mood?

> > I believe the industry coined up "phishing" to make more money out of
> > social engineering. It's obvious now that both are overlapping. Only
> > the other day Gadi Evron was trying to coin up a phrase for "voice
> > phishing". Why can't we cut to the chase and drop the (ph)rases and
> > call it straightforward SOCIAL ENGINEERING.
>
> Hey there n3td3v team. I actually agree with you. Terming things with new
> names all the time is very annoying. Pharming is one good example.

It's not about being annoying, it's about misleading the consumer with
catch phrases to describe social engineering.

> I guess when the annual revenue from phishing for the mafia gets to 2
> Billion USD, things get their own names.

There are a million books on phishing in Borders book store; if the
phishing phrase hadn't been coined, a lot of people wouldn't be
millionaires right now. They brought in "phishing" in 2003. The actual
act of phishing had been going on for years before the phrase was
coined. Since the beginning of Yahoo corporation there have been fake
login sites, and people making voice-based social engineering attacks.
It's as if the technique known as phishing wasn't around until the term
phishing was coined. I can tell you phishing and voice phishing were
around and known as "social engineering" and everyone was happy with
that. Phishing hasn't increased since the term phishing was coined; it
was as big an attack method then as it is today. It's only because of
the term phishing being recently invented that companies have decided
to make money out of setting up honey pots to detect phishing and
report that to the consumer and corporate scene, and offer security
products to protect users against phishing attacks (Websense ring a
bell?). The whole term phishing is purely for money making purposes,
and to allow security product vendors to break down the techniques of
social engineering, in order to allow them to make money out of
breaking down different characteristics of social engineering, to allow
them to create a multi million pound market for each technique of
social engineering, as if each technique of social engineering is a
separate attack method, which it isn't.

The industry is now trying to break down social engineering further by
claiming there's this new type of attack "voice phishing" or "vishing"
as you call it, to enable a new multi million dollar book market for
people to sell books at Borders book store. The truth of the matter,
however, is social engineering in all its glory has been around for
years. These new names coming out are artificial and misleading. We've
got consumers right now thinking there's a new threat, a new attack
vector, when in fact there isn't. Though the security product industry
have coined up a new phrase "voice phishing" to make your average Joe
sound convinced that there's a new threat, and you should buy yet
another security product. Soon there'll be a Websense voice phishing
product, a Voice Phishing for Dummies book and a whole host of other
products. Truth being, there is no need for consumers being misled just
so Websense, Symantec etc. can pretend there's a new threat, a new
reason to build dedicated products and a new threat to take consumers'
money from. Now that voice phishing has been introduced, Websense etc.
will start honey pot harvesting hundreds of voice phishing reports,
although these attacks have been around for years, like original
phishing and social engineering were. If you or I wanted to make money
and create a new sense of fear we could; that's exactly what's
happening here.

> Thing is, I didn't term "Vishing". Wish I did, it's cute and to the
> point. Let's call it a sym link to "Phishing +phone". Let me tell you
> a short story, though. It's about arguing on the colour of bits.

It's cute for the multi million dollar corporations. Pretend new threat,
pretend new technique. The multi millions will start harvesting voice
phishing reports now in their hundreds to create a new sense of attack
wave, like they did with the original phishing term. All the new "Voice
Phishing for Dummies" books will be being printed as we speak. I can
bet, the same time next year, suddenly some clever multi million
corporate guy will extract another technique from SOCIAL ENGINEERING,
pretend there's a new technique, pretend there's a new threat, pretend
you need to buy their security products... and generally create a new
multi million dollar market, out of something as old as social
engineering, and all its levels of attackology.

> Ever heard of a guy (sorry, group) called n3td3v? :) I didn't either. Why
> do people need nicknames?! We all have names right!

Do you know what security is? Then you would know why using a nickname
makes sense. To use the same name that's on your birth certificate, bank
details etc. when you are wanting to talk on the internet is wrong. If
someone decides they don't like you, they could Google in an attempt to
see if your real name details are out there. Or hack into a system, and
extract your real name to gain information on you. With using n3td3v,
there's no chance of that kind of information being obtained by enemy
hackers of n3td3v. That's why as well, we use Googlepages and Geocities
as websites, so that attackers cannot obtain personal information of
the bank, social security, health records, birth certificates and other
real life documentation, which might be sitting on bank or government
servers, waiting to be hacked, so personal attacks where personal
information can be published on the internet saying "this is the bank
details of n3td3v, this is the social security number of n3td3v" (or)
by holding n3td3v to ransom, saying, if you don't give us money, we'll
publish your information. There's a lot of different reasons for using
a nickname, and to me, calling yourself Gadi Evron in public on the
internet is putting yourself at risk from data theft, data compromise,
personal attacks on your career and other attack vectors in relation to
personal attacks, where malicious users will hack servers based on your
real name you are pushing out right now, and attempt to ruin your
personal reputation, career, bank details, home address, car number
plate, social engineer your co-workers, friends and family in real
life, via e-mail, snail mail, telephone calls, and by computer based
attacks exploiting their computer and personal information along with
yours.

> Well, I suppose we need 10 different users to digg stories with.

I hate Digg, I only used the site as an example of the confusion being
posed, where average Joes who you Digg are becoming socially engineered
into thinking there's a new threat wave, so the multi millions can
create a new money making market.

> It's like the other guy responding here thought security is all about
> vulnerabilities, social engineering and some other silly thing. If you
> really have to simplify, then try and rise above Hacking Exposed. Security
> is about Trust.
> :)

Yes, trust ... or lack of knowledge by the consumer that trust is
needed. The problem isn't always trust, it's the lack of knowledge that
trust needs to be applied. Your average Joe isn't security aware and
paranoid like you and me. It would be wrong to expect the general
public to give themselves a 'paranoid' mindthink on the internet; doing
that would risk public mental health. That's why folks like us are
employed to do the worrying on their behalf, although I don't think
creating new terms every time profits are milked out on phishing, that
the industry feels the need to create voice phishing as a supposed new
threat.

> Oh, and BTW - I have two tasks for you:
> 1. Learn to read.
> 2. Learn to search Google.

That's a very cheeky comment there. I guess you want people to think you
know more than me. It's people like me who are giving you people
something to think about. If it wasn't for people like me, your job
wouldn't be half as interesting. Be thankful there's people like me
keeping you in a job. It's not me who needs your books; we're the
people giving people things to write into books and to publish on the
web for people to Google. Thanks for playing though.

> Gadi.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/