full-disclosure-uk August 2008 archive

Re: [Full-disclosure] phish war game

From: Biz Marqee <biz.marqee_at_nospam>
Date: Tue Aug 05 2008 - 10:31:08 GMT
To: stuart@cyberdelix.net


Dude give it up... No . One. Cares. At all.

Accept that your ideas suck.. oh and you're an attention seeking douche bag -- or maybe a bad troll.

I guess pegasusmail_html.cpp will answer my questions...

On Tue, Aug 5, 2008 at 11:03 AM, lsi <stuart@cyberdelix.net> wrote:

> BLUE TEAM: anti-phishing blacklist
> RED TEAM: phish
> GREEN TEAM: end-users
>
> starting degree of obfuscation: 0% (none)
> starting number of blocked domains: 0
>
> ----------
>
> round 1:
>
> action: RED sends billions of phish
> consequence: 5% of GREEN members are suckered and lose some cash
>
> action: BLUE blocks the top 20 phished domains using the FROM field
> consequence: 80% of RED members are forced to make new sites and find
> new victims
>
> current degree of obfuscation: 0%
> current number of blocked domains: 20
>
> round 2:
>
> action: RED obfuscates their FROM fields by 20% and resends billions
> of phish
> consequence: 4% of GREEN members are suckered and lose some cash
>
> action: BLUE blocks the next top 20 phished domains using the FROM
> field
> consequence: 80% of RED members are forced to make new sites and find
> new victims
>
> current degree of obfuscation: 20%
> current number of blocked domains: 40
>
> round 3:
>
> action: RED obfuscates their FROM fields by 20% and resends billions
> of phish
> consequence: 3% of GREEN members are suckered and lose some cash
>
> action: BLUE blocks the next top 20 phished domains using the FROM
> field
> consequence: 80% of RED members are forced to make new sites and find
> new victims
>
> current degree of obfuscation: 24%
> current number of blocked domains: 60
>
> round 4:
>
> action: RED obfuscates their FROM fields by 20% and resends billions
> of phish
> consequence: 2% of GREEN members are suckered and lose some cash
>
> action: BLUE blocks the next top 20 phished domains using the FROM
> field
> consequence: 80% of RED members are forced to make new sites and find
> new victims
>
> current degree of obfuscation: 28.8%
> current number of blocked domains: 80
>
> round 5:
>
> action: RED obfuscates their FROM fields by 20% and resends billions
> of phish
> consequence: 1% of GREEN members are suckered and lose some cash
>
> action: BLUE blocks the next top 20 phished domains using the FROM
> field
> consequence: 80% of RED members are forced to make new sites and find
> new victims
>
> current degree of obfuscation: 34.56%
> current number of blocked domains: 100
>
> round 6:
>
> action: RED obfuscates their FROM fields by 20% and resends billions
> of phish
> consequence: 0% of GREEN members are suckered and lose some cash
>
> ----------
>
> GAME OVER: RED loses at round 6, as 0% of GREEN members are suckered,
> due to over-obfuscation.
>
> final degree of obfuscation: 41.47%
> final number of blocked domains: 100
>
> ----------
>
> observations:
>
> 1. The model is over-simplified; in reality it's unlikely that BLUE
> would consistently achieve 80%. However, in reality it's also
> unlikely that RED would enjoy a linear relationship between
> obfuscation and success; specifically, the more RED obfuscates, the
> less success it has. Both teams might suffer diminishing returns
> from their efforts. (For the purposes of the above model, these
> effects have been allowed to cancel each other out.)
>
> 2. The model has a constant 1% reduction in the victim rate; this is
> debatable, however it will never go upwards, e.g., there is nothing
> RED can do to push that number back towards 100%. Conversely,
> everything BLUE does pushes that number towards 0%. In addition,
> other anti-phishing technologies will also be pushing the number
> towards 0%. GREEN itself might even push the number down.
>
> 3. The model does not allow RED to increase the number of phish they
> send. In reality, they may well do so. However, they will be blocked
> faster in this case, not only by BLUE but also by other technologies,
> such as spam filters. (For the purposes of the above model, these
> effects have been allowed to cancel each other out.)
>
> 4. The model does not allow the game to be terminated voluntarily.
> In reality, RED will terminate the game voluntarily when phish
> revenue per hour falls below revenues per hour available from other
> sources. This will be some time before 0% of GREEN members are
> suckered, perhaps as early as round 3.
>
> 5. The blacklist contains 100 items at the time RED loses. It may
> contain as few as 60 at the time RED terminates voluntarily.
>
> ----------
>
> links:
>
> (...)
> http://en.wikipedia.org/wiki/Business_War_Games
>
> (this is a sales brochure, however it describes a war game a bit
> nicer than wiki, it's got diagrams, for a start)
> http://www.coleago.co.uk/uploads/Training/War%20Gaming.pdf
>
> (this isn't relevant to a war game, it might be something like what's
> happening when the top 20 phished domains are used to select the
> items to blacklist, OTOH, it might not, I don't know, I'm not a
> statistician. I'd love to know the name of the technique, I use
> something similar to optimise my spam rules...)
> http://en.wikipedia.org/wiki/Monte_Carlo_method
>
> (this was mentioned in one of the papers I quoted previously)
> http://en.wikipedia.org/wiki/Pareto_principle
>
> ---
> Stuart Udall
> stuart at_at_cyberdelix.dot net - http://www.cyberdelix.net/
>
> ---
> * Origin: lsi: revolution through evolution (192:168/0.2)
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
