Going phishing

From today’s Guardian:

As scams go, the email was hardly sophisticated. “Hello dear client Barclays Bank,” it warned recipients. “Today our system of safety at night has been cracked!!! It not a joke!!! It is the truth!!! We ask you, in order to prevent problems, to repeat registration of your data. Make it very quickly! Administration Barclays Bank.”

But new research reveals the scale of a fraud which has already cost British banks hundreds of thousands of pounds after customers have been fooled by these apparently crude messages into divulging their online banking passwords to organised criminals.

The survey by the email security consultants MessageLabs will make grim reading for the online banking industry, which now boasts 11 million users. The scams, which first hit Britain last August, may range from the inept to the highly complex but they are starting to hurt.

“Phishing scams are pretty sophisticated, it’s high level social engineering,” said Mark Sunner, chief technical officer at MessageLabs. “They must be working because we are seeing so much of it. All the major banks are saying it’s a problem. Initially they were worried about loss of reputation, now it’s loss of money.”

We need psychiatrists here, folks. For this kind of ‘social engineering’ (nice Orwellian phrase, that) to work, people have to be extraordinarily stupid. Yet they are. That’s also why virus writers increasingly rely on gullible users to open rogue attachments as a way of disseminating malicious code. Why do people fall for this?

Moreover…I first came across the term ‘social engineering’ in Karl Popper’s writings — especially The Open Society and its Enemies. He was attacking ideologies requiring wholesale political reconstruction of society (what he called “utopian social engineering”) because they led inevitably to tyranny and totalitarianism. An open society, in contrast, would be based on step-by-step reform (“piecemeal social engineering”), in which every step could be critically examined and corrected. Seems such a far cry from phishing expeditions.

Bluetooth, schmootooth

I once had a Bluetooth phone — a Sony-Ericsson T68i which I got because my geek friends told me it was the only one that worked with Mac OSX.

Well, it kind-of worked, but was fantastically erratic and unreliable. T-mobile replaced the phone twice, but it got to the point where I couldn’t ever depend on it. And if your mobile is your main phone (as mine is) then that’s just not on. So one day last January I dumped it and went out and bought a cheapo, no-frills Nokia which has worked faultlessly ever since.

My main complaint was with the manufacturer, not the technology. Bluetooth seemed to me to be a good idea in principle. It meant, for example, that I could use the phone (when it worked) to drive presentations on my laptop. And I hate wires, so anything that reduced wiring seemed, a priori, to be A Good Thing.

That was before Adam Laurie went to work on it. He’s the Chief Security Officer at a British company, AL Digital. “Before we deploy any new technology for clients or our own staff”, he told C-Net, “one of my duties is to investigate that technology and ensure it is secure — actually rolling your sleeves up and looking at it, not just taking the manufacturers’ claims at face value. When I did that, I found that it is not secure,” he said.

Laurie found that phones are vulnerable to “bluesnarfing,” in which an attacker exploits a flaw to read, modify and copy a phone’s address book and calendar without leaving any trace of the intrusion. The flaw affects a number of Sony Ericsson, Ericsson and Nokia handsets (including my benighted T68i), but some models — including a handful of Nokia phones — are at greater risk because they invite attack even when in “invisible mode”, i.e. when they are supposed not to be broadcasting their presence. For the grisly details, see the web page he has prepared.

On Wednesday last (April 14) the London Times carried an interesting article by Steve Boggan, who went out on the streets with Adam Laurie and found that Bluesnarfing was indeed as easy as Laurie had claimed. It was also intriguing to see the differences between the two main companies affected. Sony-Ericsson put up a feeble spokesbot who first tried to downplay the problem. Nokia, in contrast, were more forthcoming. When quizzed by C-Net, they acknowledged that some of their phones were vulnerable, but claimed that an attack was only possible if the Bluetooth was in ‘visible’ mode. (Wrong, according to Laurie, for some models.) The Nokia spokesman also volunteered some extraordinary news:

If an attacker had physical access to a 7650 model, a bluesnarf attack would not only be possible, but it would also allow the attacker’s Bluetooth device to “read the data on the attacked device and also send SMS messages and browse the Web via it.”

What does all this mean? Well, it’s worrying, simply because mobile phones are becoming the repository for increasing amounts of personal data. If they are not secure, then there is massive scope for mischief. And the riposte that “one can always switch Bluetooth off” is not as reassuring today as it was a few months ago. The UK law which makes it a criminal offence to use a handheld mobile while driving has led to a massive increase in the use of Bluetooth headsets — which of course require that Bluetooth be switched on!

Photoshopping

If all else fails, incompetent photography can be rescued by Adobe. This picture of the view from the top of the Conor Pass comes from a photograph which didn’t hack it as a straight pic (it was too anaemic, somehow). I expect I didn’t think hard enough about exposure times in the freezing wind up there. But running through a Photoshop filter has made it look more interesting. That beach you can see in the distance is a great place for junior surfers BTW — as the kids will testify.