Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Bugtraq
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: New whitepaper "The Phishing Guide"

from [Brian Dessent] Network Security [Permanent Link]
Subject: Re: New whitepaper "The Phishing Guide"
Date: Mon, 27 Sep 2004 05:37:45 -0700 
Daniel Veditz wrote:


How does that help in practice? A user fooled by a link to ebay-support.com
is just as likely to accept signed mail from foo@ebay-support.com. 


You can never help the users who can't help themselves.  What you can do
is help the users who know a little bit about phishing but do not care
to learn the methods de jour of URL forgery and other arcane knowledge. 
In other words you can simply tell them, "if it says it's from @ebay.com
and has a valid signature, it's probably legit.  Otherwise delete and
ignore."  Whereas today you have to tell them to hover over links,
explain all the ways URLs can be obfuscated, check email headers, and so
on.  Sure, the phishers will just start signing their messages as well,
but at least you have more options at hand to check the authenticity.


mention that the potential profits from phishing could easily finance the
purchase of a forged cert if someone at one of the built-in CA's was
corruptible. Given the several that are based in 3rd world companies (not to
mention recent US corporate scandals) I have no confidence that won't
eventually happen.


This is why all software should be shipped with the option to check
certificate revocation lists enabled by default.

Brian
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: iDEFENSE Security Advisory 09.22.04 - Sophos Small Business Suite Reserved D, Lise Moorveld
Next by Date:  RE: Microsoft's GDI Detetection Tool faults, Scott Jacobson
Previous by Thread:  Re: New whitepaper "The Phishing Guide", Philip Stoev
Next by Thread:  Re: New whitepaper "The Phishing Guide", Juraj Bednar
Indexes:  [Date] [Thread] [Top] [All Lists]