[conspire] Fraudulent e-mail addresses (was: ...Straffic data breach)

Rick Moen rick at linuxmafia.com
Fri Feb 28 11:01:53 PST 2020


Quoting Nick Moffitt (nick at zork.net):

> These are folks you hire to test your defences, both purely digital
> ("Can we tighten our Internet-facing security?") and physical ("Can we
> tighten our street-facing security?").  The first step is a
> painstakingly negotiated contract detailing the work to be attempted,
> acceptable targets, acceptable method categories, conditions for
> success, etc.
> 
> Then you get a sealed letter for the people actually performing the
> testing to carry.  It has the names, contact details, and signatures
> of the authorities that approved the tests (usually a CIO, CEO, and
> board member team or something).

I'm guessing that by 'sealed letter', you mean 'letter bearing a
persuasive seal' (of the sort that used to be stamped into hot wax), not
'letter sealed inside an envelope or other enclosure'.  Because it would
be an extremely trusting Red Team member who staked his/her liberty on
something written and then hidden by others inside an opaquely sealed
container.  (Like, remember what Hamlet did to the letter from the
Danish crown to the English crown concerning Rosencrantz and
Guildenstern.)

> But what I've noticed is that there is no description of how people
> verify it when that comes into the tale.  Sometimes it sounds like
> they just *call the numbers on the letter* and shrug when someone on
> the other end of the line says "yes, we authorised them".

Boggling, isn't it?  I've observed to Deirdre that there is positive
value to having grown up with a compulsive liar as a sister.  You
learn that there can be a perilous gap between asserted and verified.

> I trained my child to answer any requests by phone for personal
> information with the phrase "But YOU called ME!"  This is something I
> do with bank fraud department calls with an incredulous tone.  "What
> sort of Fraud department would think this isn't suspicious?  I'm
> hanging up now and calling my bank's ACTUAL Fraud department now."

Well done.

Some years ago, I adopted a phrase that helps keep one in the right
frame of mind:  'Nobody-in-particular from nowhere-in-particular'.
To a first approximation and until meaningfully proven otherwise,
someone showing up on my front porch, or ringing me up on the telephone,
or sending me e-mail, is Nobody-in-particular from nowhere-in-particular
until proven otherwise.  And I suppose documents waved around by
Nobody-in-particular might be thought of as 'psychic paper' until
appropriately vetted.

(Anyone not getting that reference needs more Doctor Who.)