Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Article - A solution to phishing

from [Jimi Thompson] Network Security [Permanent Link]
Subject: Re: Article - A solution to phishing
Date: Tue, 30 Nov 2004 22:10:57 -0600 
I would think that this would redirect the "phishing" to try to get
people to give up access to their email accounts instead.  In
addition, it's ridiculously easy to sniff email.

2 cents,

Jimi


On Tue, 30 Nov 2004 14:57:20 +1100, Michael Silk <michaelsilk@gmail.com> wrote:

(sorry to double-post ...)

Dave,

You suggest that the solution is to verify email addresses.

How often do you actually _look_ at the adress, however ? How often
would a user ?

Most, if not all, mail clients will just display the name of the
person we are communicating ... i.e. this will come from "Michael
Silk" but is actually a different account then the one I used to post
the original webappsec message. How many people noticed? Probably
no-one.

The point is that you don't need to spoof the _address_ (domain) to
trick users, you only need to spoof the _display name_ that appears.

-- Michael



-----Original Message-----
From: Dave Jevans [mailto:djevans@teros.com]
Sent: Tuesday, 30 November 2004 6:35 AM
To: Mark Burnett; webappsec@securityfocus.com
Subject: RE: Article - A solution to phishing

Email authentication to prevent spoofing of email addresses will solve
85% of phishing attacks in their current form.  At the Anti-Phishing
Working Group we recommend a two-step adoption of SenderID/SPF and
then email signing (most likely with Yahoo's Domain Keys or an IIM
derivative).  See more about this at
http://truste.org/about/authentication.php

Mark, you point out that authenticating a website to a consumer is
necessary.  www.passmarksecurity.com has an interesting image-based
approach that requires no software or hardware on the end user
machine.

There are also a lot of things that can be done on the application
security side to detect and reduce phishing.  These include:
- preventing cross-site scripting
- detecting load spikes
- preventing image referrals
- detecting NDN bounce floods
- detecting account takeovers
- detecting phishing site testing prior to attack launch
- application forensics

Dave

Night job: Chairman, Anti-Phishing Working Group.  www.antiphishing.org
Day job:   Sr. VP, Teros.  www.teros.com




-- 
Thanks,

Jimi
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Article - A solution to phishing, Adam Shostack
Next by Date:  Re: Article - A solution to phishing, Adam Shostack
Previous by Thread:  RE: Article - A solution to phishing, Michael Silk
Next by Thread:  Re: Article - A solution to phishing, Rogan Dawes
Indexes:  [Date] [Thread] [Top] [All Lists]