
Fwd: [Full-disclosure] [HV-PAPER] Anti-Phishing Tips You Should NotFollow

Subject: Fwd: [Full-disclosure] [HV-PAPER] Anti-Phishing Tips You Should NotFollow
Date: Fri, 31 Mar 2006 18:30:46 -0500
On 3/31/06, Mike Nice <niceman@att.net> wrote:

http://www.hexview.com/sdp/node/24

(Show this article to your computer-illiterate spouse to confuse him/her
even more :)

   Better yet, do the right thing and implement Tip #4:  Go to the secure
SSL login page of your bank.  Verify the URL.   Verify that the SSL
certificate was issued to your bank by examining its properties.  Now
bookmark the SSL page.  Tell your computer-illiterate spouse to *always* go
to the bank login via favorites with the page you just bookmarked.  If there
are any popup warnings from the browser [such as from certificate name
mismatch], do not log in.   This catches all variations of Pharming,
man-in-the-middle, and type-alike sites.   It offers no protection from
local trojans/keyloggers.


I'll agree that Step #4 protects against one variant of the phish
attack.  But there are so many others:

1) Any different social engineering besides "login to your bank
account".  For example, "Chase will pay you $20 to fill out a short
survey!"  (of course, after filling out the survey you must provide
your debit card number or account login information to get the $20).
Another example is spoofing a retailer's site to get debit and credit
card information, or spoofing the IRS.

2) Any attack against the user's computer.  Keyloggers, software that
listens for an authenticated connection then inserts transactions,
host file alterations.

3) Any attack that spoofs the SSL cert box (The Codefish web site had
a good example...whatever happened to Codefish, anyway?...pharming,
MITM, and type-alike can fit in here, too)

Honestly, the only way to defeat phishing is to improve computer
configurations and management, to educate users, and to allow only
smart users near the Internet.  None of those is likely to happen, so
we'll have to deal with phish forever.  That's just like in the
physical world.  After thousands of years, we still have people
performing con jobs.

-- Although I've found many nuts, I'm back to being anonymous,
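Tip #4 in the quoted message relies on the browser's certificate name check: log in only when the certificate presented was issued for the bookmarked bank host. As an added example (not from either poster), the Python below reproduces that check on certificates in the dict format Python's ssl.getpeercert() returns, with constructed sample certificates (invented hostnames) for the bookmarked bank and for a look-alike domain of the kind the thread calls "type-alike".

```python
"""Decide whether a TLS certificate was issued for the bookmarked host,
mirroring a browser's 'certificate name mismatch' warning.  Added example;
the certificate dicts below are constructed, not real bank certificates."""
from datetime import datetime, timezone
import ssl  # only for ssl.cert_time_to_seconds()


def _label_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style match: '*.example.test' covers exactly one leftmost label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    host_labels = host.split(".")
    # Wildcard must not swallow a whole registrable domain (e.g. '*.test').
    return len(host_labels) >= 3 and ".".join(host_labels[1:]) == pattern[2:]


def cert_names(cert: dict) -> list:
    """DNS names from subjectAltName; fall back to the subject CN only if no SAN."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if names:
        return names
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def check_cert(cert: dict, expected_host: str, now: float = None) -> tuple:
    """Return (ok, reason); ok is False on expiry or name mismatch, i.e. the
    cases where the quoted tip says not to log in."""
    if now is None:
        now = datetime.now(timezone.utc).timestamp()
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        return False, "certificate expired"
    names = cert_names(cert)
    if not any(_label_matches(name, expected_host) for name in names):
        return False, f"name mismatch: certificate is for {names}, not {expected_host}"
    return True, "certificate name matches the bookmarked host"


# Constructed samples in ssl.getpeercert() layout (hostnames are invented).
BANK_CERT = {
    "subject": ((("commonName", "www.examplebank.test"),),),
    "subjectAltName": (("DNS", "www.examplebank.test"), ("DNS", "examplebank.test")),
    "notAfter": "Dec 31 23:59:59 2099 GMT",
}
LOOKALIKE_CERT = {  # 'examp1ebank' with a digit one: a type-alike domain
    "subject": ((("commonName", "www.examp1ebank.test"),),),
    "subjectAltName": (("DNS", "www.examp1ebank.test"),),
    "notAfter": "Dec 31 23:59:59 2099 GMT",
}
```

A validly issued certificate for a look-alike domain passes chain validation but still fails this name check against the bookmarked host, which is why the bookmark matters more than the padlock.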

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
