Tuesday, December 09, 2003

Interesting piece on using mass e-mail as a "physical" Denial of Service attack - iPod email phone jam scam:

"Concerned callers rang the Huntingdon-based HQ after receiving an email informing them that £399.99 would be taken out of their account to pay for an iPod music player they'd supposedly ordered.

The email also advised recipients that they should call the number listed in the email if they had any queries. The snag was that the number did not belong to some ecommerce outfit, but to Cambridge Police HQ. Its phone lines were jammed."

This is the third instance of an e-mail-dependent "scam" or hoax I've seen in just two days now (firstly the o2 scam, then a hoax virus warning, and now this). This one's particularly interesting, naturally, and I expect this will become more and more of a concern as we move more of our infrastructure and information over to technology that we inherently trust way too much. There's definitely a mismatch between what we expect (and/or trust) and what actually happens, as I've said before. I guess it depends on whether we allow this to interfere with what we allow as public information (e.g. telephone numbers, postal addresses).

Should we be looking at educating people, not necessarily into being highly sceptical of everything, but at least into being wary of various channels of information? And should we be investigating the idea of connected reputation more so than we are already? Or is this a purely social case that has no place in formal tech specifications?

Also worth mentioning, in terms of real-world DDoS, is the (relatively old) Japanese mobile phone virus that would dial the emergency services, and the Slashdot attack against a spammer through subscription to as many magazine mailing lists as possible. Any other attack vectors?
