Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: anti-phishing implementation

from [Lyal Collins] Network Security [Permanent Link]
Subject: RE: anti-phishing implementation
Date: Sun, 21 Aug 2005 08:18:27 +1000 
The recipient trusts the gateway (or sending server) to verify the
sender is known and trusted to not send spam.

The gateway, or more likely, a company's mail server is configured to
authenticate the sender's ID before passing the mail. And of course, to
perform spam/virus checking on low-trust mail (that is. mail from
senders who  do not identify themselves, just like the difference
between addressed mail and bulk mail in letterboxes )

Gateways can easily authenticate senders by simple extensions to SMTP.

Ciphire has done it, my company has done it, as have numerous other
entities.
Phishers won't be able to be trusted by the gateways, there no phishing
mail reaches any recipient except as low-trust email.  This distinction
allows even low-skilled recipients to see the phisher's email is
suspect.

If the sender identity can be verified by the recipient, and the gateway
is trusted, the recipient is able to have a greater level of confidence
in the email.  

Lyal

On Sat, 2005-08-20 at 12:55 +0200, Irene Abezgauz wrote:

Lyal, 

I am not sure I quite understand the concept you have introduced of
gateway-recipient trust. The recipient trusts his gateway and therefore
trusts that gateway that all email sent from that gateway is indeed
valid and not malicious in any way?

What I'm trying to understand mainly is feasibility. How is the gateway
going to determine between "right" and "wrong". How can the gateway
authenticate senders? That will require a large database of who is who
and good anti-spoofing mechanisms since the whole system is going to
rely on the information of who the sender is. 

Have I completely misunderstood you?

Irene  

----------------
Irene Abezgauz
Application Security Consultant
Hacktics Ltd.
Mobile: +972-54-6545405
Web: www.hacktics.com
 

-----Original Message-----
From: Lyal Collins [mailto:lyal.collins@key2it.com.au] 
Sent: Saturday, August 20, 2005 7:33 AM
To: 'Bjorn Borg'; bugtraq@securityfocus.com;
focus-virus@securityfocus.com; focus-ms@securityfocus.com;
honeypots@securityfocus.com; pen-test@securityfocus.com;
security-basics@securityfocus.com;
security-management@securityfocus.com; forensics@securityfocus.com;
webappsec@securityfocus.com; secureshell@securityfocus.com
Subject: RE: anti-phishing implementation

There is another strategy that the industry has almost totally ignored -
allow the recipient to verify the sender's identity.  Not verifed ->
delete
the email.
This does not mean S/MIME, PGP or added email headers etc, but may also
use
those techniques as well.
It means the sender and recipient can trust each other that the email
they
send each other, and thus can treat all other email as suspect.
In the distributed internet, this would probably be best implemented in
selected gateways that authenticate senders, so the trust is
gateway-recipient, rather than the more complex sender-recipient, sicne
the
former scenario has less trust paths than the latter.

This needs no databases, and no arms race of trying to keep up with
spammers
tools.

Lyal



-----Original Message-----
From: Bjorn Borg [mailto:bjorn.brg@gmail.com] 
Sent: Friday, 19 August 2005 11:30 PM
To: bugtraq@securityfocus.com; focus-virus@securityfocus.com;
focus-ms@securityfocus.com; honeypots@securityfocus.com;
pen-test@securityfocus.com; security-basics@securityfocus.com;
security-management@securityfocus.com; forensics@securityfocus.com;
webappsec@securityfocus.com; secureshell@securityfocus.com
Subject: anti-phishing implementation


Hi everyone,

I just started to develop an anti-phishing tool for my thesis.

The tool should have two tasks. First one is to detect and prevent known
attacks from web-based and POP3 emails. Second is to analyze emails'
content
to identify unknown phishing email and spoofed link.

To make the first task work, I need a full database of known phishing
emails, links. Anybody know where I can get this database?

I really appreciate any suggestion about how to make this tool work,
sources,...

Many thanks,

Bjorn
Kungliga Tekniska Hogskolan, Stockholm, Sweden

-- 
No virus found in this incoming message.
Checked by AVG Anti-Virus.
Version: 7.0.338 / Virus Database: 267.10.13/78 - Release Date:
8/19/2005
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: anti-phishing implementation, Irene Abezgauz
Next by Date:  RE: Entrust - Identity Guard - Any experience?, ken kousky
Previous by Thread:  RE: anti-phishing implementation, Irene Abezgauz
Next by Thread:  Re: anti-phishing implementation, Bjorn Borg
Indexes:  [Date] [Thread] [Top] [All Lists]