

RE: New whitepaper "The Phishing Guide"

Subject: RE: New whitepaper "The Phishing Guide"
Date: Fri, 24 Sep 2004 09:04:34 -0500

I think if major vendors used signed emails, it would be a good step.
However, I'm not sure in the long run it will do much good.

First, the real problem isn't technical, it's educational.  Most users
sophisticated enough to download a public key, verify the fingerprint, and
install it on their keyring aren't going to be fooled by phishing attacks
anyway.

Second, as far as I know, there is no standard for encryption software.
Signing something with, say, PGP doesn't do a blind bit of good unless the
recipient has gone to the bother of downloading and installing PGP on their
system.  (See above.)  And if you haven't installed PGP, seeing the BEGIN
PGP SIGNED MESSAGE verbiage on an email may give a false sense of security
when the message may have been signed by an invalid key, or may not have
been signed at all and the enclosed "signature" is random garbage.

Third, I can see a new variant of the phishing attack.  "WARNING:  OUR
SECURITY HAS BEEN COMPROMISED.  PLEASE CLICK ON THE LINK BELOW TO ADD OUR
NEW SECURITY CERTIFICATE TO YOUR KEYRING AND RE-VERIFY YOUR PERSONAL
INFORMATION".  (This also touches on the subject of key revocations, but
I'll leave that alone for now.)

Ben
-----Original Message-----
From: Aleksandar Milivojevic [mailto:amilivojevic@pbl.ca]
Sent: Thursday, September 23, 2004 9:57 AM
To: bugtraq@securityfocus.com
Subject: Re: New whitepaper "The Phishing Guide"


Gunter Ollmann (NGS) wrote:

[snip]

While the Phishers
develop evermore sophisticated attack vectors, businesses flounder to
protect their customers' personal data and look to external experts for
improving email security. Customers too have become wary of "official"
email, and organisations struggle to instill confidence in their
communications.

Sometimes it's unbelievable how long it takes organizations to discover
that email can be signed.  Especially nowadays when all major mail
readers have support for at least S/MIME (and the really good ones have
support for at least PGP ;-) ).

-- 
Aleksandar Milivojevic <amilivojevic@pbl.ca>    Pollard Banknote Limited
Systems Administrator                           1499 Buffalo Place
Tel: (204) 474-2323 ext 276                     Winnipeg, MB  R3T 1L7
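As an added example (not part of the thread), the following Python check illustrates Ben's second point and the limits of Aleksandar's "email can be signed": a message carrying the BEGIN PGP SIGNED MESSAGE banner looks signed to a reader, a stricter structural check still rejects random garbage in the armor block, and even a block that passes is not a verified signature until checked against a key the recipient already trusts. The sample messages and the 48 junk bytes armored in them are constructed, not real signatures.

```python
import base64
import re

# Cleartext signature framework (RFC 4880, section 7): banner, headers, blank line, text, armor.
CLEARSIGN_RE = re.compile(
    r"-----BEGIN PGP SIGNED MESSAGE-----\r?\n(?:[^\r\n]+\r?\n)*\r?\n(?P<text>.*?)\r?\n"
    r"-----BEGIN PGP SIGNATURE-----\r?\n(?P<sig>.*?)-----END PGP SIGNATURE-----", re.S)

def crc24(data: bytes) -> int:
    """Armor checksum (RFC 4880, section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def looks_signed(message: str) -> bool:
    """What a hurried reader checks: the reassuring banner is present."""
    return "-----BEGIN PGP SIGNED MESSAGE-----" in message

def armor_is_well_formed(message: str) -> bool:
    """Stricter: the signature block decodes as radix-64 and its CRC24 matches. Even this
    says nothing about who signed; only verification against a key you already trust does."""
    m = CLEARSIGN_RE.search(message)
    if not m:
        return False
    lines = [ln.strip() for ln in m.group("sig").splitlines()]
    if "" in lines:  # drop optional armor headers such as "Version: ..."
        lines = lines[lines.index("") + 1:]
    lines = [ln for ln in lines if ln]
    if not lines or not lines[-1].startswith("="):
        return False
    try:
        payload = base64.b64decode("".join(lines[:-1]), validate=True)
        checksum = base64.b64decode(lines[-1][1:], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return len(checksum) == 3 and int.from_bytes(checksum, "big") == crc24(payload)

def frame(text: str, sig_block: str) -> str:  # constructed sample builder
    return ("-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n" + text +
            "\n-----BEGIN PGP SIGNATURE-----\n\n" + sig_block + "\n-----END PGP SIGNATURE-----\n")

def armor(sig_bytes: bytes) -> str:  # radix-64 body plus the "=" CRC24 line, as a real armorer emits
    crc = crc24(sig_bytes).to_bytes(3, "big")
    return base64.b64encode(sig_bytes).decode() + "\n=" + base64.b64encode(crc).decode()

# Constructed samples, neither a real signature: WELL_FORMED armors junk bytes correctly,
# GARBAGE is the "random garbage" Ben describes, wearing the same reassuring banner.
TEXT = "WARNING: please re-verify your personal information."
WELL_FORMED = frame(TEXT, armor(bytes(range(48))))
GARBAGE = frame(TEXT, "Th1s 1s n0t a s1gnature!!\n=zzzz")
```

Both samples pass looks_signed; only WELL_FORMED passes armor_is_well_formed, and a real mail client must still hand it to an OpenPGP implementation with a trusted key before anyone should feel reassured.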

