Remember the classic story from grade school? “The dog ate my homework.” Maybe not such a popular (or remembered!) excuse nowadays, it sure was popular “way back when.” Fast-forward to today, when a similar story is used by internet-based crooks to con people out of important personal information – the password to their e-mail account. In my private computer practice, several of my clients have reported getting an e-mail that allegedly comes directly from their e-mail provider. I’m not going to mention any names, but this seems to hit hard at those online, web-based mail systems. Yahoo, Gmail and Hotmail have all seen this scam. The mail message looks very official and basically says the provider needs to “confirm your e-mail address and other information.” The message even includes a link for you to click on, to take you directly to the e-mail system’s “information page” so you can fill in needed data, including your e-mail address and the account password.Don’t ever fall for this! Don’t click on that link! It’s just a hoax! Let’s look at the logic of this “breach.”
1. You gave the e-mail provider permission to enter your computer and check for computer files that might have been tampered with.
2. Once the provider knows that it has secured your computer, it asks you to confirm your e-mail address and other information.
3. If you, like so many millions of other people, have indeed given this e-mail provider permission to enter your computer, it then asks you to confirm your e-mail address and other information.
4. Finally, the e-mail system asks you to restart your computer and check your computer for unauthorized entries.
So what’s wrong with this scenario? Nothing, if you can be arsed to copy the link in the e-mail and click on it. But NEVER EVER click on the link – even if it’s telling you that your computer is infected with dangerous Trojans. You could also get a nasty virus of your own if you click on the link – I’ve seen it happen!) Instead, just go to the e-mail system’s abuse/fraud section and report this supposed scam to them. Here’s how to do that. Right-click on the link that the e-mail system wants you to click on, and choose Report Link this URL to [http://www.ifccfbi.gov/index.asp]. Remove the “Prenotice” from the end of the URL and replace it with the name of the e-mail system being tempted, like this, yahooptoms35markdownlaotickslayer.com. Remove any extra links from the envelope – these are all redundant. Upload your modified e-mail software to your computer and send a copy of it to everyone you know using the same procedure (sending to each is just common courtesy, remember?). From here on out, we will use the same procedure to send reports to other engineers who work with us.
We’ll start now with part 2 of the IFCC kickoff event, following our live webcasts with analyst Henry Lowenstein at HotSpots.com and presentation at RSA-West on October 12-13, 2007. We’ll cover a number of topics, including:
Part 2http://www.hotspots.com/news_pages/ifccfbi.asp
Part 3http://www.hotspots.com/news_pages/32etfbi.asp
Welcome to part 2 of the IFCC kickoff event for 2008. I am very excited about this year’s event and look forward to welcoming you to the I.T. Fbi.com website.
What’s going on in the Security area this year? As you can see from the video, there are many changes. The changes are:
We have provided behavioral enhancement opportunities for employees. This includes education on risk treatment, role-playing, non-conventional approaches, application of social engineering techniques, and training in intrusion detection and incident response.
We have added a new exam, based on the real-world, exploitation style of testing that corporate security professionals have been using for years. We call it the Two Genome Fluency exam. It is a advanced online skill check that corporate security professionals will surely give their best performance.
As part of the curriculum, we have also included a number of stand-alone IT security modules, blended with theory, to help students understand such concepts as confidentiality, integrity, availability, and confidentiality/integrity.
What’s new this year? Well, actually not much.
