Why do Nigerian Scammers Say They are from Nigeria?

A few days ago I started a blog post with this:

At the RSA SF Conference in 2010 my mother and I presented a talk called “There’s No Patch for Social Engineering”.

One of the key findings revealed in the talk (also explained in other blog posts and our 2006 paper) is that intelligence is not a reliable defense for social engineering.

The social engineering I was talking about is known as the Advance Fee Fraud or Nigerian 419 Scam. And then I included a quote from the press-release:

For seven years, Harriet Ottenheimer, a K-State professor emeritus of anthropology and a Fulbright scholar to the Czech Republic, and her son, Davi Ottenheimer, president of security consultancy flyingpenguin, collected and analyzed Nigerian 419 e-mails for clues that could be used to block these messages. These spam e-mails are called Nigerian 419 messages, or 419 for short. The number “419” refers to an article of the Nigerian Criminal Code concerning fraud.

[…]

Ottenheimer used her linguistic skills to decode the discourse of the scam e-mails and how they work on their victims. Primarily, she said, the victims have been well-educated westerners, such as university professors, doctors, lawyers, financial planners and bankers.

Now I feel like I have to mention it again.

Before, I brought it up in response to a New Yorker story on “new” research that came to conclusions that supported our findings. We showed how and why vulnerabilities form within even very intelligent and well-respected professionals. Then someone else did the same.

We also explained why scammers say they are from Nigeria. With that in mind, a Microsoft Research paper by Cormac Herley has been released called “Why do Nigerian scammers say that they are from Nigeria?”

Unfortunately, it not only ignores our findings but also makes some strange errors in logic.

Who are the most likely targets for a Nigerian scammer? Since the scam is entirely one of manipulation he would like to attack (i.e., enter into correspondence with) only those who are most gullible. They also need, of course, to have money and an absence of any factors that would prevent them from following through all the way to sending money.

Since gullibility is unobservable, the best strategy is to get those who possess this quality to self-identify. An email with tales of fabulous amounts of money and West African corruption will strike all but the most gullible as bizarre. It will be recognized and ignored by anyone who has been using the Internet long enough to have seen it several times. It will be figured out by anyone savvy enough to use a search engine and follow up on the auto-complete suggestions such as shown in Figure 8. It won’t be pursued by anyone who consults sensible family or friends, or who reads any of the advice banks and money transfer agencies make available. Those who remain are the scammer’s ideal targets. They represent a tiny subset of the overall population.

Wrong.

First of all, the victims do not “need, of course, to have money”. They need access to money. That is very different; they have borrowed or stolen the money rather than having it themselves. In many cases a person trusted with other people’s money secretly gave it away with the hope of returning it after the big windfall. In other cases a person convinces others to pool money.

Second, “factors that would prevent them from following through” is a very vague qualification. We have to assume Herley clarifies this with the next paragraph, which centers on gullibility and verification. It turns out that the victims are not the “most gullible”. They are confident about their ability because they have a track-record of being successful. In fact, we have proven that the victims are very savvy with risk and actually not gullible under most people’s definition. A former agent for intelligence? A banker? It is by leveraging a specific bias attack vector that they lose their normal defenses and do not know how to see “factors that would prevent them from following through”.

That is why Herley’s next point on verification is also wrong. Victims have confidence in their ability to handle the situation despite warnings and advice from friends, family and financial institutions. Unless this threat is explained in the terms of bias, a victim can be unwilling or even unable to process the danger they are facing.

In the end, it seems that Herley’s paper tries to argue a tautology as a premise:

Since his attack has a low density of victims the Nigerian scammer has an over-riding need to reduce false positives. By sending an email that repels all but the most gullible the scammer gets the most promising marks to self-select, and tilts the true to false positive ratio in his favor.

That is like saying some fish will bite a worm, therefore by using a worm you can catch some fish.

In other words, some scams based on Nigeria have victims, therefore by using a scam based on Nigeria you can get some victims. File that under “Pardon me but no shit, Sherlock”. Definitely not a satisfactory answer.

The answer we have presented, as confirmed by other “new” research, is that Nigeria, or more generally Africa, triggers a bias reflex in some recipients of the message. The more unfamiliar a topic or tactic, the fewer defenses a victim may have. Their confidence in their ability to handle risk, combined with an unrealistic view of Nigeria, becomes a dangerous shortcut to disaster.

One might jump to the conclusion that general fraud education would be a simple response, but it turns out that the education has to be tailored specifically towards reducing bias to be effective. The people that gamble will continue to gamble, but if you make them less confident then they will not fall for this particular bet. You can’t just call confident, intelligent, successful risk-takers gullible because they fall for AFF.

It’s a particular method of social engineering, if you want to put it in terms of thinking like the attacker. So the paper is correct in some sense; attackers want to find victims at a low cost-per-target and a percentage of targets are vulnerable. Those should have been obvious. However, the paper fails to identify why Nigeria. It therefore also fails to explain why there still are victims and how to prevent attack.


Updated to add: PDF of our presentation deck

U.S. Navy Supercomputers Predict Weather Threats

Calm waters mean greater chance of attack, as I mentioned recently, so weather forecasts can give a major advantage. CNet reports on the latest technology:

[The Fleet Numerical Meteorology & Oceanography Center] benefits from its immediate proximity to weather and supercomputing experts at the Naval Research Laboratory, the National Weather Service, and the Naval Postgraduate School, all of which are in Monterey. That allows Fleet Numerical’s team of just 13 officers, 13 enlisted, and 128 civilians to do a job that the National Weather Service’s own forecasting center needs at least three times the resources to do, while the U.S. Air Force’s needs twice as much, Sauer explained.

[…]

Fleet Numerical’s most powerful supercomputer is a Dell Linux cluster system known as A2 Emerald with 27.3 peak teraflops. But that runs the center’s unclassified global modeling, which brings in giant amounts of data from countries all around the world. Its classified and Top Secret computers are smaller, and are geared towards much finer resolution regional and local modeling.

Bromium and the Bad Guys

Here’s a very amusing quote from Simon Crosby of Bromium.

“Any approach that says we can stop the bad guys is basically a lie,” Crosby says. With Bromium, he hopes to turn a $20 billion enterprise security market on its head by proving we don’t have to stop them. We just have to keep them from getting to our sensitive data when we inevitably click that infected link.

Is it just me or does the phrase “we just have to keep them from getting to our sensitive data” actually mean the same thing as stop the bad guys? I don’t see the distinction between keeping someone out and stopping them from getting in.

He and I traded perspectives on this topic last year on a roundtable called “Security in the Cloud: Data Sovereignty, Open Source and Multi-Tenancy” (MP3 Recording)

Perhaps this Wednesday he will clarify at the GigaOm conference in SF.

Active Defense in Nature: Lions Forced into “Landscapes of Fear”

The Journal of Applied Ecology has featured a study of predator behavior based on perceived risk.

…it is now well recognized that predators can impose strong top-down controls on ecosystems. What is less recognized is that even top predators live in landscapes of fear too…

Photo: Lion and Human Prints by jit bag on Flickr, CC

The conclusion seems to be that people could be more effective at managing risk if they better learn how to influence their threats. The following gives an interesting perspective on hack back (or active defense, etc.). Not only can the lions be trained to avert and avoid humans and their assets, but the humans also have to adjust (e.g. reduce their attack surface).

…if the behavior of the predators can be manipulated then the same should apply to the herders and their livestock. Herders need incentives to be more diligent during periods when depredation is most likely and keep their livestock within the zones that predators are induced to avoid. Livestock need to be allowed to develop their own landscapes of fear, which is impossible for the continually mixed and moved herds on public rangelands in the western USA, for example, where depredation by wolves is an increasingly contentious issue. Finally, the indigenous prey base has to be conserved or else large predators will have no future anyway.

The Human-Lion Conflict Toolkit, available from the Central Kalahari Lion Research (CKLR), will have to be updated. The CKLR also mentions “until beef-farming Africans and later Europeans moved in, humans were able to live quite well alongside the massive predator”.