
Re: Firefox extensions for fighting phishing

Subject: Re: Firefox extensions for fighting phishing
Date: Tue, 19 Jul 2005 02:28:17 -0700
----- Original Message ----- From: "Saqib Ali" <docbook.xml@gmail.com>
To: "Mamading Ceesay" <mamading@gmail.com>
Cc: <webappsec@securityfocus.com>
Sent: Saturday, July 16, 2005 7:26 PM
Subject: Re: Firefox extensions for fighting phishing

couple more:

Spoofstick http://www.corestreet.com/spoofstick/
Netcraft Toolbar http://toolbar.netcraft.com/ (This one is the BEST)

Outfoxed - http://getoutfoxed.com/
TrustBar - http://trustbar.mozdev.org/

The Netcraft toolbar is next to useless. The last time I checked it could be fooled by a frameset. So if someone could hack a frameset onto the host server, i.e.,

http://www.somewhere.net/only_fools_would_click_on_this_link/login.html

then the frameset in login.html could reframe the entire page to:

http://www.steal_your_info.net/sucker.html

and Netcraft would tell you you were on www.somewhere.net which is
not terribly useful.

Albeit, I ran this test 6-8 weeks ago using IE. Nonetheless, until such a toolbar lists all the source websites or shows a warning when any data comes from an external site (adservers included) such tools are virtually useless for stopping phishing (they may stop some, but mostly they will give a false sense of confidence).

I have not tried the others.

Please note I do like some of the other services Netcraft provides (i.e., uptime for shared hosting, ...) so I am not just naysaying. But the Netcraft toolbar the last I looked is not terribly useful for stopping phishing completely and it will lie about the source of the content if you are in a frameset.

Take a look at:

http://www.abpo.net/rg.html

And note that images are served by abpo.net, yet the HTML with the exception of the frameset is served elsewhere.

In short, I think that far more sophistication is needed in anti-phishing tools before they will truly be valuable. Stopping 80% of problems may be good enough for government work, but anyone worth dealing with will can you for such junk (Microsoft, Sybase, Oracle, IBM, and etcetera would not accept such slipshod quality from a database, why accept such junk for your financial transaction ;o).

my $0.02,

Sean P. DeMerchant
