
| Subject: | Re: [Full-disclosure] simple phishing fix |
|---|---|
| Date: | Tue, 29 Jul 2008 20:12:42 +1200 |
lsi wrote:

> Of all the approaches below I like the simple list of strings in the email client (the first link). This is because it's a DENY ALL policy. ...

"simple" -- yes. "DENY ALL" -- nope...

From your first post, it's clear that you receive samples from a _VERY_ limited sliver of the bank, credit union and other financial target phishing that goes on each and every day...

From a purely theoretical perspective, to make your preferred approach "DENY ALL" you would have to have ongoing access to an oracle identifying the domains of ALL financial institutions, so your block list could be updated in a timely manner as domains are added and removed... As no such oracle exists, a "deny all" approach along the lines you suggest is _practically_ impossible.

> ... The other approaches below, AFAICS, use ACCEPT ALL and then try and find reasons to block the mail. ...

Which is actually what your suggested approach does, even if it could be practically implemented -- it accepts all Email (or at least all incoming Email delivery connections) then tries to find a reason to block it (From address domain on block list).

> ... The first approach simply blocks them all! ...

...for some interesting and unknowably odd value of "all".

> ... Sure, you want to receive mail from the Bank of Foo, just don't put bankoffoo.com in your list!

Thereby letting through the phish for the target(s) of most danger to you -- get suckered by a Foo Bank phish as a Foo Bank customer and you may be in trouble, but get suckered by a Bar Bank phish when you are only a Foo Bank customer and no harm is done.

Also, your preferred approach entirely fails to deal with "close but not quite" domain "spoofing" -- info@vvachovia.com rather than info@wachovia.com, suport@foo_bank.com rather than support@foo-bank.com (the real Foo Bank domain), etc, etc, etc.

In short, as is commonly the case in such matters, the quick'n'dirty, I-just-thought-of-the-ultimate-solution-to-the-phishing-problem-AND-it's-REALLY-SIMPLE solution is so far from complete that it's all but useless...

Regards,

Nick FitzGerald

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
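The "close but not quite" point above is easy to see in code. The following is an added example, not code from the thread or from either poster: it contrasts the exact-match domain deny list lsi proposed with a lookalike check that canonicalises confusable character runs and punctuation before comparing against a (constructed, placeholder) list of protected bank domains. The homoglyph table and the distance threshold are assumptions chosen for illustration.

```python
import re

# Constructed placeholder list of institution domains a client wants to protect.
PROTECTED = {"wachovia.com", "foo-bank.com", "bankoffoo.com"}

# Assumed table of character runs that look alike in common fonts (fake -> real).
HOMOGLYPHS = [("vv", "w"), ("rn", "m"), ("0", "o"), ("1", "l"), ("cl", "d")]


def sender_domain(addr: str) -> str:
    """Return the lower-cased domain part of an e-mail address."""
    return addr.rsplit("@", 1)[-1].strip().lower()


def canonical(domain: str) -> str:
    """Collapse confusable runs and drop -, _ and . so lookalikes converge."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS:
        d = d.replace(fake, real)
    return re.sub(r"[-_.]", "", d)


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance, used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def exact_blocklist_hit(addr: str) -> bool:
    """The deny-list rule from the thread: block only if the domain matches exactly."""
    return sender_domain(addr) in PROTECTED


def lookalike_hit(addr: str, max_distance: int = 1):
    """Return the protected domain a sender impersonates, or None.

    A sender using the genuine protected domain is not flagged; anything else
    whose canonical form equals, or is within max_distance edits of, a protected
    domain's canonical form is reported for review (expect some false positives).
    """
    dom = sender_domain(addr)
    if dom in PROTECTED:
        return None
    c = canonical(dom)
    for p in sorted(PROTECTED):  # sorted keeps the result deterministic
        pc = canonical(p)
        if c == pc or levenshtein(c, pc) <= max_distance:
            return p
    return None
```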