Message-ID: <04fb01c69b7e$3a36c3d0$0100a8c0@nuclearwinter>
Date: Thu Jun 29 14:12:11 2006
From: fd at g-0.org (GroundZero Security)
Subject: Are consumers being misled by "phishing"?
> Kiddie flaming mood?
Yes, that's when someone is in the mood to actually answer your stupid mails.
>That's a very cheeky comment there. I guess you want people to think
>you know more than me.
Well, it's not hard to know more than you. Actually about 99,9% of the
people here on this list know more than you. You have no idea
of the security business as you never worked in the field.
You cannot code, nor are you very familiar with different hacking techniques.
All you ever do is play with XSS and pick up well known or fake
stories so you can try to get people to sign up for your stupid google group.
Like last time you pretended people would get 0days if they sign up with
you.
Since you pretend to be the biggest group in the underground you
should know that in the underground an XSS isn't even counting as 0day
even on the fact it's a private "bug".
>It's people like me who are giving you people something to think about.
More like, it's people like you who make us laugh.
>If it wasn't for people like me, your job wouldn't be half as interesting.
True that, we wouldn't have so much to laugh about :-)
It's funny when someone without any clue steps up and tells the whole
list how he'd be better than the people he secretly looks up to.
>It's not me who needs your books, we're the people giving people
>things to write into books and to publish on the web for people to google.
Ah yes "XSS for dummies". You never brought anything worth writing into
a book. Why did you never write for phrack.org when it still existed?
It's not like you ever invented something new and XSS is the most easy
thing you can do. Most security researchers don't even bother looking for it.
Fair enough, you provided an XSS bug to make people aware of the problems.
That would be ok if you wouldn't act like you would be the greatest hacker
out there, since in fact you were never a hacker nor a security professional.
You are just a rookie with too big of an ego. Once you can program in C
and provide the list with exploit code or new exploitation techniques, then you
can start to show off how great you are.
Until then go back into your basement and stfu.
----- Original Message -----
From: "n3td3v" <n3td3v@...il.com>
To: <full-disclosure@...ts.grok.org.uk>
Sent: Thursday, June 29, 2006 12:59 PM
Subject: Re: [Full-disclosure] Are consumers being misled by "phishing"?
> On 6/29/06, Gadi Evron <ge@...uxbox.org> wrote:
> > I guess I'm in kiddie flaming mood this week. About time too, been a
> > while.
>
> Kiddie flaming mood?
>
> >
> > > I believe the industry coined up "phishing" to make more money out of
> > > social engineering. It's obvious now that both are overlapping. Only
> > > the other day Gadi Evron was trying to coin up a phrase for "voice
> > > phishing". Why can't we cut to the chase and drop the (ph)rases and
> > > call it straight forward SOCIAL ENGINEERING.
> >
> > Hey there n3td3v team. I actually agree with you. Terming things with new
> > names all the time is very annoying. Pharming is one good example.
>
> It's not about being annoying, it's about misleading the consumer with
> catch phrases to describe social engineering.
>
> >
> > I guess when the annual revenue from phishing for the mafia gets to 2
> > Billion USD, things get their own names.
>
> There are a million books on phishing in borders book store, if the
> phishing phrase hadn't been coined, a lot of people wouldn't be
> millionaires right now.
>
> They brought in "phishing" in 2003. The actual act of phishing had
> been going on for years before the phrase was coined. Since the
> beginning of Yahoo corporation there have been fake login sites, and
> people making voice-based social engineering attacks. It's as if the
> technique known as phishing wasn't around until the term phishing was
> coined. I can tell you phishing and voice phishing were around and
> known as "social engineering" and everyone was happy with that.
> Phishing hasn't increased since the term phishing was termed, it was
> as big an attack method as it is today, it's only because of the term
> phishing being recently invented, that companies have decided to make
> money out of setting up honey pots to detect phishing and report that
> to the consumer and corporate scene, and offer security products to
> protect users against phishing attacks. (websense ring a bell?). The
> whole term phishing is purely for money making purposes , and to allow
> security product vendors to break down the techniques of social
> engineering, in able to allow them to make money out of breaking down
> different characteristics of social engineering, to allow them to
> create a multi million pound market for each technique of social
> engineering, as if each technique of social engineering is a separate
> attack method, which it isn't. The industry is now trying to break
> down social engineering further by claiming there's this new type of
> attack "voice phishing" or "vishing" as you call it, to enable a new
> multi million dollar book market for people to sell books at borders
> book store. The truth of the matter however, is social engineering in
> all its glory has been around for years. These new names coming out
> are artificial and misleading. We've got consumers right now thinking
> there's a new threat, a new attack vector, when in fact there isn't.
> Though the security product industry have coined up a new phrase
> "voice phishing" to make your average joe sound convinced that there's a
> new threat, and you should buy yet another security product. Soon
> they'll be websense voice phishing product, voice phishing for dummies
> book and a whole host of other products. True being, there is no need
> for consumers being misled just so websense, symantec etc can pretend
> there's a new threat, a new reason to build dedicated products and a
> new threat to take consumers money from. Now that voice phishing has
> been introduced, websense etc will start honey pot harvesting hundreds
> of voice phishing reports, although these attacks have been around for
> years, like original phishing and social engineering was. If you or me
> want to make money and create a new sense of fear we could, that's
> exactly what's happening here.
> >
> > Thing is, I didn't term "Vishing". Wish I did, it's cute and to the
> > point. Let's call it a sym link to "Phishing +phone". Let me tell you
> > a short story, though. It's about arguing on the colour of bits.
>
> It's cute for the multi million dollar corporations. Pretend new
> threat, pretend new technique.
>
> The multi millions will start harvesting voice phishing reports now in
> their hundreds to create a new sense of attack wave, like they did
> with the original phishing term.
>
> All the new "voice phishing for dummies books" will be being printed
> as we speak.
>
> I can bet, the same time next year, suddenly some clever multi million
> corporate guy will extract another technique from SOCIAL ENGINEERING,
> pretend there's a new technique, pretend there's a new threat, pretend
> you need to buy their security products... and generally create a new
> multi million dollar market, out of something as old as social
> engineering, and all its levels of attackology.
>
> >
> > Ever heard of a guy (sorry, group) called n3td3v? :) I didn't either. Why
> > do people need nicknames?! We all have names right!@
>
> Do you know what security is? Then you would know why using a nick
> name makes sense. To use the same name that's on your birth
> certificate, bank details etc, when you are wanting to talk on the
> internet is wrong. If someone decides they don't like you, they could
> google in an attempt to see if your real name details are out there.
> Or hack into a system, and extract your real name to gain information
> on you. With using n3td3v, there's no chance of that kind of
> information being obtained by enemy hackers of n3td3v. That's why as
> well, we use googlepages and geocities as websites, so that attackers
> cannot obtain personal information of the bank, social security,
> health records, birth certificates and other real life documentation,
> which might be sitting on bank or government servers, waiting to be
> hacked, so personal attacks where personal information can be
> published on the internet saying "this is the bank details of n3td3v,
> this is the social security number of n3td3v" (or) by holding n3td3v
> to ransom, saying, if you don't give us money, we'll publish your
> information. There's a lot of different reasons for using a nickname,
> and to me by calling yourself Gadi Evron in public on the internet is
> putting yourself at risk from data theft, data compromise, personal
> attacks on your career and other attack vectors in relation to
> personal attacks, where malicious users will hack servers based on
> your real name you are pushing out right now, and attempt to ruin your
> personal reputation, career, bank details, home address, car number
> plate, social engineer your co-workers, friends and family in real
> life, via e-mail, snail mail, telephone calls, and by computer based
> attacks exploiting their computer and personal information along with
> yours.
>
>
> >
> > Well, I suppose we need 10 different users to digg stories with.
> >
>
> I hate Digg, I only used the site as an example of the confusion being
> posed, where average joes who you Digg are becoming socially
> engineered into thinking there's a new threat wave, so the multi
> millions can create a new money making market.
>
> > It's like the other guy responding here thought security is all about
> > vulnerabilities, social engineering and some other silly thing. If you
> > really have to simplify, then try and rise above Hacking Exposed. Security
> > is about Trust.
> > :)
> >
>
> Yes, trust ... or lack of knowledge by the consumer that trust is
> needed. The problem isn't always trust, it's the lack of knowledge that
> trust needs to be applied.
>
> Your average joe isn't security aware and paranoid like you and me. It
> would be wrong to expect the general public to give themselves a
> 'paranoid' mindthink on the internet, doing that would risk public
> mental health. That's why folks like us are employed to do the worrying
> on their behalf, although I don't think creating new terms every time
> profits are milked out on phishing, that the industry feels the needs
> to create voice phishing as a supposed new threat.
>
> > Oh, and BTW - I have two tasks for you:
> > 1. Learn to read.
> > 2. Learn to search Google.
> >
>
> That's a very cheeky comment there. I guess you want people to think
> you know more than me. It's people like me who are giving you people
> something to think about. If it wasn't for people like me, your job
> wouldn't be half as interesting. Be thankful there's people like me
> keeping you in a job. It's not me who needs your books, we're the
> people giving people things to write into books and to publish on the
> web for people to google.
>
> Thanks for playing though.
>
> > Gadi.
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> >
>