Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Anti-Phishing, why it doesn't work

from [robert] Network Security [Permanent Link]
Subject: Re: Anti-Phishing, why it doesn't work
Date: Mon, 24 Jan 2005 10:41:16 -0800 
Joseph Miller(joseph@tidetamerboatlifts.com)@Mon, Jan 24, 2005 at 11:34:48AM 
-0500:

If you don't mind paying $1500 for a 15" 3D monitor, this is the
choice for you (not to mention the added cost of redeveloping
operating system desktops for secure applications). 


This type of OS rewrite goes well beyond just the presentation level. 
You can read a little bit about what sun did for X in TSOL here:
http://docs.sun.com/app/docs/doc/816-1042/6m7g4ma8g?a=view

We're working on X extensions for an SE Linux base to allow for similar
functionality.


If I can gain access to a person's display (via email software
vulnerabilities, specially formed HTML pages, etc), I can pretty much
make it look like anything I want to. 


This would be possible with a 3D monitor too.  When you have an
unenforceable and unmodeled security policy, you should expect the
unexpected to happen.


We all know that the number one reason why Anti-Phishing mechanisms do
not work is because of dumb users.


I don't blame the users.  They just want to use the computer.  They
shouldn't be expected to be security experts (what ever that means).  If
they go to the wrong website or open the wrong file, the worst thing
that should happen in their email client or web browser would lock up. 
Users would then just reopen the failed application.

MAC/DTE/RBAC may be a more suitable direction to start with.  Perhaps we
can add 3D monitors after we have a functional TCB :).

Robert

-- 
Robert E. Lee
CTO, Dyad Security, Inc.
W - http://www.dyadsecurity.com
E - robert@dyadsecurity.com
M - (949) 394-2033
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: (secure email) Proposal to anti-phishing, Lyal Collins
Next by Date:  RE: Proposal to anti-phishing, Lyal Collins
Previous by Thread:  Re: Anti-Phishing, why it doesn't work, Felix Berger
Next by Thread:  Re: Anti-Phishing, why it doesn't work, Jeremiah Grossman
Indexes:  [Date] [Thread] [Top] [All Lists]