Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Bugtraq
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: New whitepaper "The Phishing Guide"

from [Juraj Bednar] Network Security [Permanent Link]
Subject: Re: New whitepaper "The Phishing Guide"
Date: Mon, 27 Sep 2004 16:50:31 +0200 
Hello,


How does that help in practice? A user fooled by a link to ebay-support.com
is just as likely to accept signed mail from foo@ebay-support.com. Not to
mention that the potential profits from phishing could easily finance the
purchase of a forged cert if someone at one of the built-in CA's was
corruptible. Given the several that are based in 3rd world companies (not to
mention recent US corporate scandals) I have no confidence that won't
eventually happen.


it is quite possible, I had success of convincing U.S. CAs of issuing me
a certificate, while they shouldn't. I once wrote an article about it to
2600. 

Seems like most CAs are more capable of selling certificates than
providing real security checks, which are usually done by using that
same insecure channels, that they are trying to protect.

For example:
 - a fax of business license (which for example in our country can be
   get by anyone)
 - e-mail to one of the administrative contacts from whois database
   (which can be -- if not protected -- changed by sending simple
   e-mail, if your registrar uses RIPE).
 - creating a file on the target webserver (which in turn is capable of
   all those attacks, that SSL is trying to protect).

So basically, "hacking" CA is just paperwork, e-mail and browserwork.

You can read the article here:
http://files.juraj.bednar.sk/CA

(I'm not sure, if it's the latest version, that got published, so please
forbid any small mistakes, but you will get the point, hopefully).

I believe there are CAs, that are more secure even for e-mail. Here in
Slovakia, we have even law about electronic signatures, and you have to
go physically to CA, show your ID, passport and after you convince them,
you are the right person, they issue you a certificate (which is equal
to signature on paper). One particular issue is, that they guarantee
also your identity (not only the ability to read particular e-mail,
which often is checked by so-called CAs by sending e-mail to the target
address and user has to check the link, which does not guarantee
anything, but the ability to read the particular e-mail -- which we want
to protect from unauthorized users, right?).



   Juraj.
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  @lex Guestbook (PHP) Include file, Himeur Nourredine
Next by Date:  Re: Diebold Global Election Management System (GEMS) Backdoor Account Allows Authenticated Users to Modify Votes, ERACC
Previous by Thread:  Re: New whitepaper "The Phishing Guide", Brian Dessent
Next by Thread:  Re[2]: New whitepaper "The Phishing Guide", Karsten Heidrich
Indexes:  [Date] [Thread] [Top] [All Lists]