US Army "Scams" Service Members to Test Their Spam Gullibility

9gezegen writes "An offer for free tickets to theme parks for service members turned out to be an email scam, a ploy that was in actuality a security exercise run by the Army. Involved servicemen and DoD civilians received an email, allegedly coming from the 'Army Family and Morale, Welfare and Recreation Command Office,' and directed them to a phishing site which asked for personal information. After rebuttal and warning by Army MWR, the website revealed that it was a security exercise after all. Army MWR later verified the exercise and announced they were not informed beforehand."

Let me guess...

[Chris Burke]

In order for the Army MWR to verify that this was in fact a legitimate security operation, they had to visit a website and enter their personal information...

Why no stats on who fell for it?

[QuesarVII]

I want to know a percentage of people that fell for it!

Re:

[Anonymous Coward]

We could tell you, but then we would have to lock you up at a secret facility.

Not the answer you are looking for....

[raehl]

Because it's Wednesday, and the test was on Monday. Give 'em a chance to process the data!

Now, on to the answer you were looking for:

Unfortunately, in the process of transferring a few million dollars left by a distant relative in the State Bank of Nigeria, the soldier responsible for compiling the data allowed his system to be compromised, and all data was lost.

Re:

[Radical Moderate]

The stats are posted here. [phish-r-us.com] Have your credit card and social security number ready!

According to them, roughly 30%

[ronabop]

http://www.army.mil/-news/2008/04/02/8265-phishing-e-mail-to-mwr-patrons-turns-out-to-be-army-exercise/ [army.mil] 10,000 mails sent, 3,000 visitors to the site (enough to gather IP addies, browser agents, etc.).

Re:

[jackrabbit123]

I know someone who did. As an aside all the site asked for was your email address. It's not like they were asking for people to give up their SSN or bank account numbers.

Re:

[IdleTime]

I want it broken down on rank. Number for each rank including a per rank number showing how large a percentage of each rank fell for it.

Re:

[bhiestand]

I want to know a percentage of people that fell for it!

Hello friend,

I'm Sherman Tecumseh. You may have heard of me from the recent news articles about my program under the Freedom Of Information Act to give out valuable data to intelligent people such as yourself.

I am writing to inform you that you have been hand-picked to be the first to receive this data, but I need more of your information to be able to send it to. As you probably know, this information is highly sensitive, so we need your social security number, mother's maiden name, and all your previou

Re:

[XnavxeMiyyep]

perhaps in some way that only their workmates know

Aww, you're so nice. I'd just want a list of people who foll for it for, uh, other reasons...

Typical

[SatanicPuppy]

The MWR people are all crying because no one told them that it was a test...Apparently, in their minds, there is no need to test an army organizations response to someone falsifying announcements in their name.

Sounds like the test went off swimmingly. I can't count the number of times I've thought about doing the same sort of thing to people I work with. A few good solid scares will tighten up their security policy.

Re:

[glavenoid]

Sounds like the test went off swimmingly. I can't count the number of times I've thought about doing the same sort of thing to people I work with. A few good solid scares will tighten up their security policy

*Sigh (not at you, just in general)* That's true, but how long will they remain scared and secure? People often fall into a false sense of security when there has been either a trend of "good times" or when someone keeps crying wolf. One scare will keep people safer in the short term, but not permanently.

Except for those of us who are always waiting for the other shoe to drop...

Re:Typical

[raehl]

how long will they remain scared and secure?

As long as you leave up the signs that say "Threat Level: Orange", of course.

Re:Typical

[glavenoid]

Or worse-- Threat Level: Elmo

Education?

[JSBiff]

Maybe I'm overly optimistic, but maybe the point of this exercise wasn't *just* about scaring people, but about trying to educate them in such a way that they remember the lesson? So, it could have a longer term positive impact that you credit it.

They will still need to conduct something like this once every year or two, though, you're right, because 1) yes, people will tend to become complacent, even if they now know better, and 2) Turnover (not apple or cherry) - old people leaving, new recruits joining, need to educate the new guys (and gals).

Plus, the information gathered in this exercise (not the data entered by the people on the phishing site, but the lessons learned by Command about the phishing attack and what made it succeed) could help them to review and re-write training material / procedures, and policies, to help them tighten up their security longer term. Although, we are talking about the military so who knows? (I kid, I kid. . . honestly, the military for the last 20 or so years has been doing, as far as I can tell, a pretty impressive job of re-inventing itself, and becoming much less bureaucratic than it used to have a reputation for being).

Re:Education?

[Jaime2]

Ummmm.... This was a test, not a lesson. A good test is designed to evaluate something, not to educate or to scare. Now, the Army knows at what rate people can be scammed. This data will either be used to judge the effectiveness of their previous training (if there has been any), or as a baseline to judge effectiveness of future training. You cannot teach during a test without destroying the statistical validity of the results.

Re:

[somersault]

I think stuff like this should be taught at a more basic level - in school rather than on the job. Nothing wrong with organisations doing it at the moment for the already schooled peeps, but the only way to get rid of phishing scams is to educate people so that they stop being worth the scammer's time. Advertising spam will probably never stop being worth it unless people start using white lists for all their communication, but that's not possible in a lot of situations (like most businesses).

Re:Typical

[KevMar]

I am tempted to do this all the time, but I know the administration would not understand what I am talking about. In the end I would prabably get fired on a technicality.

The weakest link in any security system is the end user. I work with users that have the hardest time with computers. I have this guy call every week because he forgot his password and I have to take 10 min training him how to change his password. (why every week? he only works on Thursdays).

Now you will have to make a new password is has to have ... blah ... blah ... ... You have to retype it to confirm it before you press enter this time.

now you have to put in your old password again. not that one, the one I just gave you is the old password. You have to click in the line. click the mouse. left click. you can't hover the mouse over it, you have to click in it. ... now type you new password. On the next line retype it. You have to click, no left click, click the mouse in the box.

You have to type it the same. no, I can see they don't match. the first one is longer, it has more dots.

You just cant explain to some people what fishing even is.

I had one guy call up freaking out that his computer told him he had porn on it. (its a fire on the spot if you have porn). It was a little pop up window trying to get him to instal a program to "remove" it. The good news is he was too scared to click the button and called me instead. Other users had to be rebuilt.

I know an attack like this would catch so many people and you have to train them. But you spend so much time just logging them in or working on the basic stuff. This is one detail that some people will have a hard time grasping.

I am in an interesting enviroment. I have college students looking to enter the workforce working with people that are about to or have retired. So I deal will the full range of users all the time.

Re:Typical

[daeg]

Clear it with management and do it on a limited, rolling basis.

We do it on a random sample of users with our web platform. All login requests get routed to a central domain ("shield.domain.com") which is non-SSL. That domain does a little basic load balancing to distribute requests to "https://foo.domain.com" or "https://bar.domain.com". We have a few extra domains set up, including "https://foo.domane.com" with a valid SSL certificate; "https://aa.domain.com" with an invalid certificate; and a non-SSL domain, "http://foodomain.com". All are nearly identical to our login page - one has a button out of alignment, throws some JavaScript errors, etc.

The pages alert the user to the deception on the first try. Second tries net a phone call. Third tries get a more detailed phone call with the office owner & account lockout.

It's been very effective, in fact, I've received several thank you notes so far from our users for teaching them about it. Not just dictating to them, but teaching them through first hand experience. They thank us because they can easily apply those same "does the address bar really match what it should?" technique to every other site out there.

And to get the same effect as phising, we send out periodic/random e-mails that read pretty official, but come from the wrong domain, or have a forged From: address, asking a user to visit a set up fraud website to enter personal information (not detailed, mostly just fishing for their user credentials).

The only thing I don't know yet is if users are learning because they are actually learning, or if it's a forced behavior just so they don't get a phone call from me. I'm not sure it matters why, just as long as it's happening.

Re:

[TheLink]

"its a fire on the spot if you have porn"

Nowadays with all the usual stuff out there I think just having porn pics in the browser cache shouldn't be such a serious offense.

Just let everyone know that all web requests are logged, and once in a while check the top 10 users and the top 10 sites.

But be aware that often the top will be the CEO or someone near that level, so if you are going to make public announcements better inform them and do a private trial run first ;).

Re:Typical

[vidarh]

A company I did consulting for at one point did this by posting a top ten list in a very visible spot in the office regularly. No identifiable information, even though all outgoing requests were forced through Squid and so they had the internal static IP addresses of everyone. Within a week visits to "undesirable" sites had dropped to near zero, and there was no reason to deal with anyone - just a gentle reminder that their requests _had_ been logged seemed to be more than enough.

Re:

[caluml]

Yes, I've had that idea before. Sort of a Panopticon.

Re:

[Eivind]

In non-fascist states employers powers to surveil their employees are limited. Yes it's work-time and work-equipment. No the employer STILL can't legally operate his own little private police-state 8-16 with no limitations.

Besides, making an announcement like that with high-value employees that actually have a choice would simply result in half of them quitting the job. Seriously.

We do traffic-monitoring, but anonymized. (we chop off the last byte of the ip-adress so we see *what* is done, but not by *whom*

Re:Typical

[bhiestand]

The weakest link in any security system is the end user. I work with users that have the hardest time with computers. I have this guy call every week because he forgot his password and I have to take 10 min training him how to change his password. (why every week? he only works on Thursdays).

Now you will have to make a new password is has to have ... blah ... blah ...

Have you ever considered that your passwords might be too complex for the average user? I worked for an organization that had very stringent password rules: 2 lower case, 2 upper case, 2 special character, 2 numbers, numbers cannot repeat, letters can't be next to each other on the keyboard, and password must be changed every 60 days, and that was just for my network login. There were more for internal company websites, databases, and custom programs that all had to have similar (but different) passwords.

I consider myself fairly intelligent, but I had a heck of a time remembering the passwords and was embarrassed by needing regular password resets after long weekends.

To make matters worse, password management programs like KeePass were not allowed on the network and any unauthorized software could get you in trouble. Because of this I ended up having to do things like writing half my password on a post-it and the other half on a card in my wallet. I devised all sorts of incredibly insecure systems to store the myriad complex passwords I was required to maintain.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[plover]

You just cant explain to some people what fishing even is.

But, can you teach them to fish?

Give a man a phish and you'll eat for a day.
Teach a man to phish and you won't get jack squat out of it, ever.

Re:

[caluml]

And all the others you could possibly want [calum.org]! "Give a woman a fish and you'll be sleeping on the couch again."

Re:

[somersault]

What method would you recommend? Stapling it to his forehead, or perhaps just a tattoo while they sleep?

Re:

[Gogo0]

Youre right, but there is a little more to it.
These are called 'exercises', are planned extensively, and there is definitely installation coordination. The local DOIM (directorate of information management) is notified of the exercise, usually by their theatre command well ahead of time.

Of all the phishing iv seen during various exercises, iv never seen one more complicated than simply counting how many users on what installation clicked the link. no information gathering besides IP, which is helpful fo

Re:

[PRMan]

I used to work at a company that had very tight security and tested it in every way imaginable, including using social engineering.

Ironically, they had everything locked down so tightly that everyone had to move data from Development to Production using USB drives, because no machine could talk to both networks. Developers had "phony" copies of databases locally on their laptops, because of how difficult it was to connect at different locations (and they expected people to work on the plane as well).

Al

Re:

[indifferent children]

I think the MWR people are pissed because while MWR is trying to learn how to use new media to better serve soldiers and families (and make enough money to keep operating), they have just been painted (in the soldiers' minds) as a scam site or a way to test soldiers' gullibility.

How would you like it if the FBI created a fake copy of your company website, and sent-out an email that contained a link that displayed your URL, but that directed browsers to their gullibility-test site? Then, to triple the da

This is good.

[Anonymous Crowhead]

More companies should do this. Hell, banks should do this to their customers.

Re:

[Moonpie Madness]

Absolutely banks should do this. Ebay, paypal, etc.

Hell your email provider should send you a 419 scam every month or so, and attach "sexy" photos to them.

Seriously would help.

Re:

[vidarh]

I really don't want "sexy" photos of the dead presidents and ugly old presidents wives that the 419 scams I get typically claim to be from, thank you very much.

Re:

[Intron]

Mod up. Paypal should also create a few phish sites that let you "confirm your information" and then tell you what an idiot you are. When they shut down the fake sites, they could redirect them to the fake fake sites.

Re:

[zippthorne]

Paypal is, itself, a scam.

It's a way for "businesses" who can't even muster enough confidence from a bank to get an account with them, to still be able to "accept" credit cards.

But although you can do something that's very much like banking, with paypal, they are not, themselves, a bank. So they can get away with outrageous fees and also avoid any of the liability the CC banks have.

This is very much in line with Ebay's business practices: a classified-ad web site server which charges based on how much mone

Re:

[glavenoid]

More companies should do this. Hell, banks should do this to their customers.

If more companies did this, then people would stop using their services as the trust relationship would be totally broken. People in general don't like to be dicked around with, even if it's for their own good (maybe especially then?). More companies should create better mechanisms that protect their consumers instead.

Re:

[The Master Control P]

Stopping stupid humans' stupidity from hurting them requires human-equivalent AI (to do everything on their behalf).

How do you protect someone who actually believes that there's a prince in Nigeria who wants to wire him/her millions of dollars?

Re:This is good.

[steveo777]

Hell, banks should do this to their customers.

They already do. Haven't you ever received a "Pre-Approved" credit card application?

Re:

[owlnation]

Hell, banks should do this to their customers.

If the banks were the ones losing money through ID theft they'd do it in an heartbeat. For sure. However, you lose your ID, you lose the money. Your bank's just fine thank you very much.

It's not happening... it should, yes. But it's not.

In before....

[Protonk]

people suggest that the stupidity of the army members leads to a higher percentage of click throughs. Remember, studies across the board have shown about a 60% 'gullibility' rate for almost any sector of the populace. Those using general banking, investment banks, 4 year degree holders, etc.

Re:In before....

[Moonpie Madness]

who are these people making that suggestion?

I'm not pretending the army is full of Einsteins, but they all graduated high school or earned a GED (vast vast majority graduated high school), and all of them are required to learn math skills involving chemical attack detection, navigation, operating a frequency hopping radio, etc.

Compare that to kids in the average US city, where 50% do not graduate high school.

The Army is certainly a lot smarter than the general population. They may be more willing to rely on titles (like MWR)... I don't know about that, but I'd like to know who is buying the Carter era propaganda that the army is a bunch of idiots.

Re:In before....

[kd5ujz]

At least Half (if not all) of the military's equipment has VERY explicit instructions written on it, to the point that if you had not been trained in its use, you could pick it up on the battlefield and make it work in a few minutes. Take the AT-4 for example, if you follow the attached link and click on detailed instructions, you will see what is printed on the launch tube. In the other photos, you can see the instructions, but you can not make out the words.


http://www.bellum.nu/armoury/FFVAT4.html [bellum.nu]

Re:

[Moonpie Madness]

What is that supposed to prove?

You realize that if you are trying to fire an AT-4 you're probably being attacked by a tank or something? Don't you think you might have a hard time concentrating on difficult instructions? The simple instructions are meant to help a person operate something like a rocket launcher while under severe pressure. You can't compare this to anything that doesn't involve the direct possibility of death. It's not like office phones in the army have a "pick up receiver and talk int

Re:

[magarity]

you're probably being attacked by a tank or something? Don't you think you might have a hard time concentrating
 
Fear not; I'd make time to learn properly under those circumstances.

Re:

[Moonpie Madness]

HAHA, well, many people are like you, and would try to calm down and handle themselves when their life is on the line. But, understandably, some people freeze up, and that's why a lot of weapons have very simple and obvious warnings on them.

I mean, my toaster as a "do not use in bathtub" picture on the bottom of it". My Playstation 2 comes with a similar warning. Same with my Thinkpad.

It's not fair to point to a rocket launcher, something capable of destroying nearly any vehicle and killing nearly anyone

Brings to mind...

[Adambomb]

the sign hung over the door to The Asylum.

I agree with your point though, a toothpick is not going to suddenly cause the office building across the street to collapse.

Re:

[Moonpie Madness]

what a pathetic troll attempt. A: the radio is in use in the military today, even if it's been superseded by a superior model. B: even if it wasn't it's representative of a normal Army radio terminal and therefore my argument is still sound.

What exactly did you think you were proving, anyway?

Re:

[Anonymous Coward]

Actually it's smart to have directions. Not because people are dumb, but so people who are under extreme duress can still function. And what about people not trained to use the device, or who were trained a long time ago but don't regularly use it? Not putting directions on everything would be dumb.

Re:In before....

[evilviper]

you will see what is printed on the launch tube.

"AIM AWAY FROM FACE." ???

Re:

[plover]

I'm surprised no one's mentioned the claymore mine, where in big letters on the front it says "front towards enemy".

Well, there is no lesson there that experience can successfully teach.

Re:

[rossz]

So the guy trained to use the anti-tank rocket is killed. Isn't it nice that they put nice, easy to follow instructions on it so that any private can use it and save everyone's ass?

Simple instructions are the fail-over mechanism.

Re:

[Kohath]

At least Half (if not all) of the military's equipment has VERY explicit instructions written on it, to the point that if you had not been trained in its use, you could pick it up on the battlefield and make it work in a few minutes.

So you're saying that the army is not only intelligent but also wise and practical.

Re:

[sco08y]

At least Half (if not all) of the military's equipment has VERY explicit instructions written on it, to the point that if you had not been trained in its use, you could pick it up on the battlefield and make it work in a few minutes.

This is going to be Army centric; guessing my MOS probably won't be hard. No direct fire weapon I know of (M2HB, M4, M9, M16, M60, M203, M240, M249, Mk19) has instructions. Claymores do, sewn into the carrier. Neither hand grenades, M203 grenades nor Mk19 grenades have any instr

Re:

[DerekLyons]

At least Half (if not all) of the military's equipment has VERY explicit instructions written on it, to the point that if you had not been trained in its use, you could pick it up on the battlefield and make it work in a few minutes.

Exactly none of the equipment I worked with or saw while I was in the Navy had such instructions. Hell, explicit instructions on how to operate my fire control system would have covered the entire exterior of the submarine as well as one moored outboard of us.

T

Re:

[maxume]

It would be better if the weapons and equipment didn't have instructions?

Re:

[quantaman]

who are these people making that suggestion?

I'm not pretending the army is full of Einsteins, but they all graduated high school or earned a GED (vast vast majority graduated high school), and all of them are required to learn math skills involving chemical attack detection, navigation, operating a frequency hopping radio, etc.

I don't consider learning those math skills to be a sign of intelligence as it's not that hard to teach someone to carryout the a small subset of procedure and theory required.

Compare that to kids in the average US city, where 50% do not graduate high school.

The Army is certainly a lot smarter than the general population. They may be more willing to rely on titles (like MWR)... I don't know about that, but I'd like to know who is buying the Carter era propaganda that the army is a bunch of idiots.

I don't believe they're dumb but I doubt the claim that "The Army is certainly a lot smarter than the general population".

I grew up in a community with a large Canadian air force base (which should be higher than the army). Judging from my military classmates (who are probably a good reflection of the intelligence of their parents)

Re:

[Moonpie Madness]

My hunch is that the average army member is competent or better, incompetent people are filtered out but a lot of smart people tend towards other professions.

Your hunch is correct, and without the bottom half of the bell curve, I assure you that you wind up with a much smarter group than the general population.

Not smarter than a college campus (even a community college campus)... smarter than a population including every dumbass out there.

It's not an especially bold claim I'm making.

Re:

[hughk]

My hunch is that the average army member is competent or better, incompetent people are filtered out but a lot of smart people tend towards other professions.

Ok, I am not military but have known plenty of people who are and through some work I did on computer security. I got to know some people in CID.

Perhaps many aren't totally incompetent but before/between the Gulf-Wars, many were very dumb (i.e., lacking in common sense). The wars tend to weed out some of the dumbest as these are the ones who end u

Re:

[Eivind]

Dunno about that. It's hard to end up without the "bottom half of the bell curve" when hardly anyone of above average intelligence will even apply.

My guess is that the army mostly consist of people in the 3rd quartile, which is hardly above-average.

Re:

[Moonpie Madness]

you're kinda muddled here. Not only do you not provide any source for the actual national graduation rate, but you're not making clear if that figure includes GED passers.

Also, while the military has a 100% graduation rate if you count GED passers, it makes little sense to compare national graduation rates at any ages and compare it to only new recruits in one branch and not the entire military of all ages. Do you understand why?

Fact is, it's actually not that easy to determine the precise level of high s

Re:

[Moonpie Madness]

Sorry pal, but you're going to have to back up that extreme position you're taking, because all research indicated there is a correlation between high school graduation and intelligence.

Sorry you met a dumbass or two with a diploma. But I'm relying on facts and you're relying on anecdote and claiming I'm the one with the fallacy.

Sure, there are geniuses who fail to graduate. There are tons of morons who do graduate... but the group of non graduates is definitely dumber, as a group, than those who did grad

They should have known better...

[Anonymous Coward]

I don't care, they should have known better. I've been a service member, and I gotta' tell you, I would have realized it was a scam the second I read the words "Army Family and Morale, Welfare and Recreation Command Office" ... and tried to pronounce the acronym so I could start using it.

AFMWRCO... AFMWRCO... wait a minute, something's fishy here... [wikipedia.org]

Pronounce enough of these and you start seeing a pattern. What is that pattern? Beats me. It's just "one of those things."

Can I get a hoo-ah?

Re:

[DerekLyons]

Fishy? Not really - as it's astoundingly close to the actual name [armymwr.com] of the command.

Good Idea

[DigitalisAkujin]

This is a totally good idea and should be implemented by educational and business institutions and here's why: #1 It creates awareness for the issue. #2 It will make people pay attention to the URL when using the web. #3 By inciting #2 it will make basic internet security main stream.

Addendum

[oahazmatt]

1. Don't ask.
2. Don't tell.
3. Don't opt-in.

Re:Addendum

[TubeSteak]

1. Don't ask.
2. Don't tell.
3. Don't opt-in.

Hello [Armed Forces Member],
    This is an e-mail from the Army Family and Morale, Welfare and Recreation Command Office informing you that you've been signed up for the "STDs and You" mailing list. To Opt-Out, please visit the following link: hxxp://maliciouslink.com where you will be asked for some basic information to verify your identity.

Re:

[nick_davison]

A little smart application of the third one actually removes the need for the first two.

Don't opt-in to opt-out holes and try not to opt-out of opt-in holes, then we won't need to ask and you won't need to tell.

This in a confused world where the Senator Ted Stevens says the internet is a series of tubes [wikipedia.org] and Bush's nomination for Surgeon General says that male and female "plumbing" explains why homosexuality is bad [comedycentral.com]. Clearly they're linked. Teh intarwebs are teh gey.

.mil???

[QuantumRiff]

One would think the military would have an easier time than most. You and I cannot register .mil addresses. Shouldn't the people have been looking out for http://mwr.army-support.mil/ [army-support.mil] instead of http://mwr.army-support.com/ [army-support.com] (the link in the email?) Or does the army use .com addresses for some things, cause that seems silly. One would think they could tweak the source in firefox to change the address bar a different color for .mil addresses or something..

Re:

[Moonpie Madness]

.com is widely used.

There is nothing wrong with the military's affiliates using .com for legit businesses. Many military arms pull a profit (such as the PX: http://aafes.com/ [aafes.com] ) .mil isn't for that stuff. Note that millions of people relying on services like this are civilians.

Re:

[Dachannien]

That's what I've always thought about annualcreditreport.com. It's the FTC running the show, so why don't they get a .gov domain name? Now, we're stuck with Experian's crappy TV commercials with that idiot driving the car (die already, will you?) where they trick people into thinking they're the way you're supposed to get free credit reports. They already got their wrist slapped once, but they're still at it.

http://www.ftc.gov/opa/2005/08/consumerinfo.shtm [ftc.gov]

Re:

[QuantumRiff]

I completely agree. A previous poster did mention that the "PX" address is a .com, i didn't know that. I'm really not sure about how the militaries domains work, I guess I just assumed. I totally agree with the annualcreditreport.gov, but in Experian's defence, if you were making millions a month, and someone said, "Bad person, here is a $50,000 fine, and if you do it again, we'll fine you in a few months for the same amount!" would you change?

Re:

[hurfy]

If you ask google it seems to be armymwr.com and/or armymwr.org

One would really have to know this somehow ahead of time...to actually go there. None of them LOOK right at first glance ;)

Gotta agree that mwr.army.mil would seem an obvious and safer choice. At least the few people that looked at the URL would have a chance. Military seems to have quite a few 'odd' named websites for this kind of thing :( I suppose you wait til they print in a newsletter or something ;)

Re:

[-Tango21-]

That's a great idea but it might have been obfuscated by spoofing and hiding a ".mil" extension within a long hyperlink. I know many organizations that send out requests for information via third party links. I would be that the service men and women who responded to the offer were trained to a certain degree _to do_ the very thing that the Army admonished them for. What I mean is, they are probably so used to replying/responding to such inquiries that they didn't even think twice (heck, they're the Army ev

Re:

[jmkaza]

MWR is a civilian organization, they don't rate a .mil

Re:

[jc42]

. One would think they could tweak the source in firefox to change the address bar a different color for .mil addresses or something.

Except that they'd mostly need to tweak the source for Internet Explorer, and they probably don't have access to that. ;-)

rated flamebait?

[Moonpie Madness]

I'm responding directly to something that's relevant to the topic, and specifically giving a reasonable reaction to an obvious troll.

Not sure how that's flamebait. Granted, I did call an idiot an idiot.

Face it, whoever rated this down, you just don't agree with attacks on "your side". You know I'm right about this issue.

Re:

[glavenoid]

Mostly learning how the fuck to spell "recruiting". What a douchebag you are!

I stad the correctd.

Seems fitting

[Gat0r30y]

I always thought phishing was a recreation, why wouldn't it be part of MWR?

Challenges = Good Security

[Anonymous Coward]

Human nature is to focus on important things and disregard unimportant things. Because security challenges don't happen every day, we tend to get lazy and think it's not important. (Blame evolution; your brain just isn't worried about charging lions until it sees one. After that, you tend to watch out for lions!)

At work, I will always do something to an unlocked computer. Sometimes it's just to open Notepad and write, "This machine has been hacked!" and crank the font size up to 96. Sometimes I'll send an "I Love You" e-mail from the person to the person sitting next to them. (Who I always bring in on the prank, and I have never had a problem getting cooperation).

Last week, my boss (VP of IT) went into a meeting and left his machine unlocked. I sent *his* boss an "I Quit!" message.

Now, unlocked computers are so very rare around here. I'm glad for the increased security, but sad that I can no longer prank my co-workers.

Re:

[Wonko the Sane]

I love unlocked computers. I always treat the lucky individual to a free desktop makeover.

I call it: black text on a black background with black menus and black scroll buttons with a solid black background image.

Re:

[zippthorne]

Have you ever actually done this? I imagine there's a proper order, such that if you do it the wrong way, you can't finish on account of the inability to see enough widgets to accomplish the task.

Re:

[Wonko the Sane]

Make all the changes at once, then click "apply".

I've only ever done it on windows machines.

I like it

[Daniel Wood]

I didn't get the e-mail myself(or maybe I did, I'm on leave so I have not checked it in weeks), but this is an example of the kind of tests that the Army should do. Not telling MWR, good idea. It not only gives them an opportunity to see the response of troops, but an opportunity to see the response of MWR to this kind of threat.

What I think the Army will find most surprising(or not!) is the apparent lack of use of the AKO Webmail system, it sucks, hard. //SPC Wood, Active Duty

Re:

[Moonpie Madness]

AKO does suck, but trust me, it's extremely convenient in many ways. I've gotten into touch with old pals from a decade ago just be guessing their ako email. You can get your DD-214 in .pdf, handle promotion points, etc etc.

The only real problem is that you can't forward your emails to gmail style services. But I think that's to help you remember your password or something. I know the email system isn't very good, and you'd be silly to rely on it for personal email. Hope it gets better though.

Good

[barzok]

There need to be more of these "safe tests" to point out to people that they need to be more careful about their email habits. Maybe, eventually, I won't have to worry about family members getting phished and falling victim to identity theft if they're educated this way.

Dear Seargent or Lewtenant

[jameskojiro]

Hello, I am the former general Fred Mercasey of Ft. Oscdurity and recently I was relived of command. Not before I had transferred a large amount of C-4 and M-16's in an un-marked supply shed on the outskits of the base. The decision to relive me of command was unjust and illegal. I need your help in helping me reocver these supplies. With your assiatnce I will reward you with 10lbs of C-4 and 3 M-16s. In order for this transaction to happe3n you will need to send a good faith deposit of 3 M1A1 Abrams tanks to and undisclosed location in the Sierra Nacho desert. God Bless and Ten-hut!

Dear sir

[sootman]

Your post advocates a
( ) technical
( ) legislative
( ) market-based
(x) military
approach to fighting spam...

absolute authority and absolute trust

[peter303]

This is the core of the military, especially in active combat. You subsume yourself into the greater whole to complete your mission and survive.

I would find it doubtful that a true soldier would approve scams. perhaps this is an idea from some computer consultant.

Re:And what was the point?

[qbzzt]

Either way that's not cool at all. Just think if your company set this up on you, what would your reactions be?

If my company trusted my co-workers with information that could get me killed, I'd want them to test susceptibility to social engineering. If I do a bad job, my company loses money. When people in the military do a bad job, people can die (OK, when they do a good job people still die - but they're other people, those trying to kill them). They need to worry more about security.

Re:And what was the point?

[couchslug]

"I don't think they needed to try this on the military with so much data out there."

I think that the military should try more such exercises to keep their people aware of such security issues. If they do it enough, the standard response to such emails will be to verify the source and report it as required.
Even with that somewhat computer literate USAF folks I served with, these "exercises" would have been very helpful.

Re:

[couchslug]

"I have a friend who admins my gbsd network and he doesn't even run a a/v on his windows box. He is that confident in his ability to discern good/bad archives/files/websites. I just burned him by giving him the g2p.org link, and he search for something (probably porn huh?) and BAM! Had to ghost his system."

Proof complacency has consequences. Wanna surf pron? That's a fine use for a VMware appliance. :)

"So even though he KNOWS he should run an a/v, he doesn't because he trusts himself."

That's why you train p

Re:

[protolith]

Either way that's not cool at all. Just think if your company set this up on you, what would your reactions be?

I would prefer that my company be active in testing security in this exact fashion. Rather than imposing increasingly opressive restrictions because of what some people "might" do.

it would be better to get teh e-mail "Since 12% of you BONEHEADS didn't recognize a clear security threat, and feature XYZ was essentially opened to be compromized, it will be locked untill you boneheads demonstrate yo

Re:

[STrinity]

Just think if your company set this up on you, what would your reactions be?

"Wow, you boneheads fell for that? What a bunch of 1uzors! I hope it learned you a lesson -- but if not, you'd better give me your credit cards for safe keeping."

Re:

[Moonpie Madness]

ya know, it's pretty likely that the Army isn't just informing its members about online scams, but also getting data for use by the cyber command, the FBI, whoever. It would be handy to know which attacks work against whom, and they know more about that now.

Re:

[Detritus]

Most people are aware, or they should be aware, that in the event of a war or national emergency, they may be in for the duration. I was certainly aware of it. That's one of the risks that you take. It isn't the Hooterville Chowder and Marching Society.

Re:The army has been scamming people for years.

[IHC Navistar]

Actually, that's not a scam. The military will pay for whatever school you can get accepted into. If there is a conflict going on, and you are currently enrolled, you just send in a verification of your enrollment and the military will (they have to) pass over you until your next deployment comes up next, you graduate, or you decide to resume service.

They cannot pull you out of class. The only time they can pull you out of class is during a natural disaster (National Guard, or in extreme cases, the standing military). If the conflict or disaster gets to the point where they are pulling people out in the middle of class, school for everybody will pretty much be irrelevent to the issues occuring. However, they can keep you deployed for a certain amount of extended time, provided you are already deployed.

I know it's easy to trash the military, being all high on your horse and born with a silver spoon in your mouth, but until you can actually say you've EARNED your right to free speech, rather than using it because you were born with it, pull your head out of your ass and stop abusing it. Unlike you, obviously, those of us in the military have the guts, balls, discipline, and bravery to fight for our rights at the expense and derision of little pussies like you who talk trash about us while sipping a Starbucks latte in your comfy office. Someone should strap you to the side of a Humvee and use you for armor. Weak armor.

Re:

[IHC Navistar]

"I have, in my life, been denied the ability to petition for a writ of habeas corpus right here in this country you're so fond of claiming is free.
"I have had my rights violated, under color of law, and been denied any redress thanks to procedural technicalities."

Boo hoo. So the law didn't let you get your way, because you weren't supposed to under the way it was written. Just because you feel that you should get something doesn't meant that you are SUPPOSED to get something. Freedom and rights do not mean

Re:

[treeves]

Not really. Any legitimate Army website should be in the .mil domain.
Still they picked an ironic command to spoof - this whole exercise must've been just great for morale. "87% of Army personnel were successfully conned into revealing personal information by a phishing e-mail and website. Go ARMY!"
(I made up 87% - it's a joke.)

Re:

[rampant poodle]

The Army, (and other services), also use .com, .org and .biz domains. The actual Family & MWR Command site is armymwr.com. This is primarily done so that soldiers, sailors, etc. can reach the, (commercially hosted), sites from home computers. Lots of .mil and .gov domains restrict huge chunks of the Internet from accessing anything.