
Re: Article - A solution to phishing [Passmark]

Subject: Re: Article - A solution to phishing [Passmark]
Date: Mon, 1 Dec 2003 13:07:22 -0800
Before I get into more nitty gritty technical details, let me be clear on a couple of things for the readers.
I'm not affiliated with Passmark in any way. Also, I can only comment on my observations the best I can recall when I looked at it. Some of my details may be off.


Let us begin...


On Wednesday, December 1, 2004, at 12:05 PM, Adam Shostack wrote:

Huh?  If "This cookie is acquired by the user early in the process by
password verification,"  then how does passmark prevent me from
phishing?  Does the user need two passwords to get in?

That's a very good question, and I had the very same one. The first time a user authenticates (username/password), they must do so without any "image" validation. After which they get their persistent session cookie. I assume the first time you authenticate is a matter of trust. The same username and password is used on all future authentication attempts in combination with the session cookie. So, you could phish the user on the first attempt.


If the user's IP changes at some point in the future, they change comps, or blitz their cookies... then the process starts over. One weakness might be informing the user why they must authenticate again without an image. But this is the way things work best I can tell.

They have a demo you can check out:
https://www.largebank.com/large_bank/reg_demo_1.do


Also, what does it matter if the URLs are unguessable?  I need to show
up at my bank and login.  At which point, the bank needs to show me
some authentication.  If the bank has to show me an authenticator,
then a phisher can steal that image.

The validation image URL needs to be unguessable because the Phisher's page could include an image tag src to the remote URL. When the validation image is requested, passively through the Phisher's page, the user's session cookie is sent along and then the image is properly displayed. I think this requirement basically tries to ensure the validation image only shows up on the proper pages and not off-domain.


I'm perfectly willing to accept that there are clever ways to do this, could you explain what they are?

You and me both. The Passmark system is clever, but does appear to have its inherent technical and social limitations. Trying to get all the details laid out and digestible for why these types of solutions work or don't is difficult.



Regards,

Jeremiah-
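To make the cookie-plus-unguessable-URL point above concrete, here is an added Python sketch of the flow as described in this thread. It is my own illustration, not Passmark's code; the account, image bytes and URL layout are constructed for the example.

```python
import hmac
import secrets

# Constructed in-memory stand-in for the bank's server (a sketch, not Passmark's code).
PASSWORDS = {"alice": "correct horse battery"}   # constructed sample account
IMAGES = {"alice": b"PNG:red-sailboat"}           # constructed sample image bytes
SESSIONS = {}                                     # cookie -> {"user", "token"}

def first_login(user, password):
    """First authentication: no image can be shown, since no cookie exists yet.
    On success the server sets a persistent cookie and picks an unguessable
    per-session token that names the validation-image URL."""
    if not hmac.compare_digest(PASSWORDS.get(user, ""), password):
        return None
    cookie, token = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
    SESSIONS[cookie] = {"user": user, "token": token}
    return {"cookie": cookie, "image_url": "/img/" + token}

def serve_image_guessable(path, cookie):
    """Weak design: the image URL is /img/<username>. The browser attaches the
    cookie to any request for it, including one triggered by an <img> tag on
    an off-domain page, so the image leaks to that page."""
    sess = SESSIONS.get(cookie)
    if sess is None or path != "/img/" + sess["user"]:
        return None
    return IMAGES[sess["user"]]

def serve_image(path, cookie):
    """Hardened design: the URL carries the random per-session token. The
    cookie is still sent automatically, but without the token an off-domain
    page cannot build a URL that resolves to the image."""
    sess = SESSIONS.get(cookie)
    if sess is None or not hmac.compare_digest("/img/" + sess["token"], path):
        return None
    return IMAGES[sess["user"]]

def demo():
    issued = first_login("alice", "correct horse battery")
    cookie = issued["cookie"]
    return {
        # the bank's own page knows the issued URL, so the image renders
        "own_page": serve_image(issued["image_url"], cookie) == IMAGES["alice"],
        # an off-domain <img src="/img/alice"> is served by the weak design ...
        "guessable_leaks": serve_image_guessable("/img/alice", cookie) is not None,
        # ... but not by the token design, whose path it cannot guess
        "token_leaks": serve_image("/img/alice", cookie) is not None,
        # cookie cleared (new machine, changed IP): nothing is served, so the
        # user must repeat the image-less first login
        "no_cookie": serve_image(issued["image_url"], None) is not None,
    }
```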
