A question of phishing
A recent McAfee press release offered to “Test Your Phish IQ” to see just how much I really know about phishing scams: the ten-question SiteAdvisor Phishing Quiz at www.siteadvisor.com/quizzes/phishing_0707 follows versions for spyware and spam that proved quite popular, with 120,000 participants so far. Most of the questions involved a couple of screenshots of web pages, email messages and security authentication requests – choose which is genuine and which is a fake in each case, not so simple as the crooks get better at deception. It’s a good wheeze and worth pointing friends and family to for a useful lesson in IT humility. Once you’ve collected whatever abysmal score you deserve, McAfee walks you through the questions pointing out how each fake site could have been spotted, usually through sloppy spelling and grammar, inconsistent design, or a clumsily concealed real destination URL.
That’s my first problem with this quiz: only two out of the ten screenshots showed the site URL, which should be revealed in every case since it’s what almost always gives the game away. The phisher has little control over this, a natural weak spot that everyone should check before all else. No matter how clever the copycat site design, how accurate and grammatical the page content, if the URL points somewhere else, or is hopelessly convoluted to confuse, then the gig is up. This will become increasingly important as the scam evolves, eliminating sloppy and inadequate fraudsters to leave just the polished professional career criminals in control. All spelling mistakes will have been corrected, brand misuses abolished and social-engineering skills polished to 100% believability. All that will be left is that malformed URL, which is where security education should rest.
Don’t get me wrong, there’s still value in tests like McAfee’s to get the security message across – useful during staff security-awareness training. But sometimes, looking at the bigger picture blurs your view and tunnel vision provides a better focus.
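To make the URL check above concrete for an awareness session, here is an added example (not from McAfee’s quiz or the column) that extracts the host a browser would really connect to and tests whether it belongs to the expected brand domain. All domains and links in it are constructed and hypothetical.

```python
from urllib.parse import urlsplit

# Constructed sample links with the brand domain each one claims to be (hypothetical).
SAMPLE_LINKS = [
    ("https://www.examplebank.com/login", "examplebank.com"),
    ("https://examplebank.com.account-verify.example/login", "examplebank.com"),
    ("https://examplebank.com@203.0.113.10/secure", "examplebank.com"),
    ("http://secure-examplebank.example/signin?u=www.examplebank.com", "examplebank.com"),
]

def real_host(url: str) -> str:
    """Return the host a browser would actually connect to for `url`.

    urlsplit().hostname discards any user:pass@ prefix and the port, so brand
    text placed before '@' or in the path/query never counts as the host.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"not an absolute web URL: {url!r}")
    return parts.hostname.lower().rstrip(".")

def host_belongs_to(host: str, expected_domain: str) -> bool:
    """True only if `host` is `expected_domain` itself or a subdomain of it.

    The comparison is anchored on the right-hand end of the host name, so a
    host like 'examplebank.com.attacker.example' does not match.
    """
    expected_domain = expected_domain.lower()
    return host == expected_domain or host.endswith("." + expected_domain)

def classify_link(url: str, expected_domain: str) -> dict:
    """Report where the link really goes and whether that matches the brand."""
    host = real_host(url)
    return {"url": url, "real_host": host,
            "matches_brand": host_belongs_to(host, expected_domain)}

if __name__ == "__main__":
    for url, brand in SAMPLE_LINKS:
        r = classify_link(url, brand)
        label = "GENUINE" if r["matches_brand"] else "SUSPECT"
        print(f"{label:8} {r['real_host']:40} {url}")
```

Only the first sample link resolves to the brand’s own domain; the other three carry the brand name somewhere the browser ignores when deciding where to connect.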
Here’s a question that didn’t appear in the McAfee quiz, but let’s see how you get on with it anyway:
Q: Where would you leave a laptop containing unencrypted payroll information, including banking details for the Prince of Wales?
A: a) in your car boot
b) on the back seat of your car
c) always keep it with you
If you chose any of these answers, you got it wrong, my friend, just as Moorepay got it wrong when such a laptop containing Duchy of Cornwall estate payroll data – including Bonny Charlie’s – was stolen from an employee’s car in the field. A few weeks previously, the same company hit the IT newsfeeds when another payroll computer, this one with details of 500 staff at the Eden Project, was stolen. The correct answer isn’t to keep such data on a laptop in unencrypted form in the field in the first place. Keep such sensitive information where it can best be managed, encrypted on your network where remote workers can access it via a secure VPN, numbnuts.
Paint IT black
If your geekdom extends into the obsessive world of the audiophile, no doubt you’ll fondly recall the great “green CD” debate, which became one of the most talked-about nonsenses ever in the early 1990s, as one of the first pieces of seemingly plausible information to spread virally over the internet.
The concept was simple enough: paint the inner and outer edges of all your CDs green using a magic marker, and it would improve their audio quality. The explanation even sounded feasible – stray light rays reflected from the CD rims changed the digital bit count in the CD player’s laser pickup and created a dirty sound. Hence, reducing the amount of stray light with green ink (meant to absorb the most light) made for a better listening experience. This was pure tosh, as light travels so fast that reflections back to the laser all occur during a fraction of the reading time for one bit and can’t possibly impact on the next bit to cause sound distortion.