I was almost Phished this week. Not by some Nigerian scammer, or Russian botnet, but by my own bank.
Bundled with both my checking and mortgage statements – with the bank’s name, logos, and phone number was the warning: “Notice: Credit Report Review Re: Suspicious activity detection”. The letter made it appear that there were ongoing suspicious activity reported by the credit agency, and I needed to take immediate action. I thought “Crud, now I have to deal with this.” Enclosed was a signature sheet that looked like they wanted permission to investigate and take action. But wait a minute – when does my bank ask for permission? My suspicion awoke.
I looked at the second page of the letter, under an electron microscope to read the 10^-6 point fine print, and it turned out suspicious activity was only implied. They were using fear of not acting to scare me into signing the sheet. The letter was a ruse to get me to buy credit monitoring ‘Services’ from some dubious partner firm that has been repeatedly fined millions by various state agencies for deceptive business practices.
Now my bank – First Usury Depository – is known for new ‘products’ that are actually financial IED’s. Of the 30 fantastic new FUD offerings mailed in the last three years, not one could have saved me money. All would have resulted in higher fees, and all contained traps to hike interest rates or incur hidden charges. But the traps are hidden in the financial terms – they had not stooped to fear before, instead using the lure of financial independence and assurances that I was being very smart.
Alan Shimmel’s right that we need to be doubly vigilant for phishing scams, just for the wrong reasons. Both phishers and bank executives are looking to make a quick buck by fooling people. They both use social engineering tactics: official-looking scary communications, to trigger fear, to prompt rushed and careless action. And they both face very low probabilities of jail time. I can’t remember who tweeted “Legitimate breach notification is indistinguishable from phishing”, but it’s true on a number of levels. Phished or FUDded, you’re !@#$ed either way. I have to give First Usury some credit – their attack is harder to detect. I am trained to look at email headers and HTML content, but not so adept at deciphering credit reports and calculating loan-to-value ratios. If I am phished out of my credit card number, I am only liable for the first $50 If I am FUDded into a new service by my bank, it’s $20 every month. Hey, it has worked for AOL for decades…
On to the Summary:
Webcasts, Podcasts, Outside Writing, and Conferences
- Mike quoted on metrics in Dark Reading.
- Adrian’s DAM and Intrusion Defense lesson
- Rich on Threatpost talking about RSA and Epsilon breaches.
- Adrian’s Securing Databases In The Cloud: Part 4 at Dark Reading.
Favorite Securosis Posts
- Rich: Less Innovation Please. We don’t need more crap. We need more crap that works. That we use properly.
- Mike Rothman: Less Innovation Please. Adrian kills it with this post. Exactly right. “We need to use what we have.” Bravo.
- Adrian Lane: FireStarter: Now What?
Other Securosis Posts
- Always Be Looking.
- Incite 4/6/2011: Do Work.
- Fool us once… EMC/RSA Buys NetWitness.
- Security Benchmarking, Going Beyond Metrics: Collecting Data Systematically.
- Security Benchmarking, Going Beyond Metrics: Sharing Data Safely.
- Quick Wins with DLP Light: Technologies and Architectures.
- Quick Wins with DLP Light: The Process.
Favorite Outside Posts
- Rich: IEEE’s cloud portability project: A fool’s errand? Seriously, do you really think interoperability is in a cloud provider’s best interest? They’ll all push this off as long as possible. What will really happen is smaller cloud vendors will adopt API and functional compatibility with the big boys, hoping you will move to them.
- Mike Rothman: Jeremiah Grossman Reveals His Process for Security Research. Good interview with the big White Hat. Also other links to interviews with Joanna Rutkowska, HD Moore, Charlie Miller, and some loudmouth named Rothman.
- Pepper: Creepy really is. You can build a remarkable activity picture / geotrack / slime trail from public photo geolocation tags.
- Adrian Lane: Incomplete Thought: Cloudbursting Your Bubble – I call Bullshit….
Project Quant Posts
- DB Quant: Index.
- NSO Quant: Index of Posts.
- NSO Quant: Health Metrics–Device Health.
- NSO Quant: Manage Metrics–Monitor Issues/Tune IDS/IPS.
- NSO Quant: Manage Metrics–Deploy and Audit/Validate.
- NSO Quant: Manage Metrics–Process Change Request and Test/Approve.
- NSO Quant: Manage Metrics–Signature Management.
Research Reports and Presentations
- Network Security in the Age of Any Computing.
- The Securosis 2010 Data Security Survey.
- Monitoring up the Stack: Adding Value to SIEM.
- Network Security Operations Quant Metrics Model.
- Network Security Operations Quant Report.
- Understanding and Selecting a DLP Solution.
- White Paper: Understanding and Selecting an Enterprise Firewall.
- Understanding and Selecting a Tokenization Solution.
Top News and Posts
- Conde Nast $8M Spear Phishing Scam was mostly buried in the news, but a big deal!
- Something about email addresses being hacked. You make have heard about it from 50 or so of your closest vendors.
- Albert Gonzales surprise appeal.
- IBM to battle Amazon in the public cloud.
- Cyberwars Should Not Be Defined in Military Terms, Experts Warn.
- Net giants challenge French data law.
- EMC Acquires NetWitness Corporation
Blog Comment of the Week
“They seem to forget we are all supposed to be on the same team”
I work with a few people like this. It makes me wonder if they don’t really think about it and just go on doing what they have been doing for X number of years and consider that good enough.
The RSA can get pwnd as easily as the rest of the world, its not like they have users that carry around magical anti-hacker unicorn’s.
I see a new buzzword coming on, StuxAPT. 🙂 No?