Network Security Web-App-Sec

Re: Anti-Phishing, why it doesn't work

Subject: Re: Anti-Phishing, why it doesn't work
Date: Mon, 24 Jan 2005 10:31:22 -0800

On Monday, January 24, 2005, at 08:34 AM, Joseph Miller wrote:

> We all know that the number one reason why Anti-Phishing mechanisms do not
> work is because of dumb users. But there are other reasons why many
> mechanisms may fail. IMHO, the computer display is another major culprit.

In my opinion, if users are dumb then this is precisely the reason why a workable solution is essential. While on the Web, users have a very limited set of utilities assisting them in making educated decisions. They are on their own, so to speak. And if this is the case, we really can't expect users to defend themselves successfully.


An analogy might be something like a train station. Train stations have numerous warning signs, brightly colored paint, loud speakers, and sometimes even security guards all screaming "stay off the tracks". Also the trains themselves have loud horns heard from far far far away. These measures effectively help even dumb "people" make the proper decision to stay off the tracks and not get clobbered. Sure, people still get hit by trains, but there is a lot being done preventatively and the number of incidents is probably lower (though I don't know for certain).

About your computer display observation, you make a good point. I also see the problem as that we can't be certain that the web site we're looking at is what we think it is. We HOPE it is, but can't be certain. So what assistance does a user really have? They could look for the little 10x10 pixel lock symbol, which arguably doesn't help prevent phishing anyway. They can look and try to understand the URL in the location bar. But again, for any number of reasons, people are not going to be able to decipher URLs. Addressing an avenue of attack: cryptographically signed email. Anything else I missed?

The point is the technology solutions available to prevent phishing are a far cry from where they need to be. We can't give up on users because they might be dumb. Depending on the situation, any one of us could be considered dumb when tossed outside our element.


Regards,

Jeremiah-

