
RE: Smells like a phish, is a fish?

Subject: RE: Smells like a phish, is a fish?
Date: Fri, 28 Oct 2005 11:53:08 +0200

Hi,

Signing an email authenticates the origin of an email,
(a) but it still does not stop the contents of the email from being read while 
in transit (as far as I know).
(b) It also does not stop the contents being read after an elapsed period of 
time.

(a) If an attacker saw the link in the message while it was being 
transmitted and copied the link into a browser, they would get access to the 
account.

(b) If the email lay dormant on the email server for some time, and is then 
opened, it would/could still give access to that account.

That is why I say that something must always be kept secret. It will make sure 
in both cases that someone could not get access to an account.

Another Example
===============
Let's assume there is a web site that requires the user to enter their email 
address and password to log in.

If the user forgets their password, it can be sent to them. An attacker at that 
point has all the information from the email while in transit, and while stored 
somewhere. Most likely the request would still be valid after 3 weeks.
The site should have a timeout on the sent password. It should also require the 
user to change their password as soon as they log in (thus making the 
information in the email invalid).

Regards
  Anton

-----Original Message-----
From: Tom Stowell [mailto:jts@deforest.k12.wi.us]
Sent: 27 October 2005 08:27
To: Damhuis Anton; Ofer.Shezaf@breach.com; vanderaj@greebo.net;
webappsec@securityfocus.com
Subject: RE: Smells like a phish, is a fish?


Greetings,

You say "email is sent over an unencrypted link". I say, why?

I would put forth that phishing is going to be a problem until there is a 
secure, open, widely deployed standard for source-authentication of email.

S/MIME, for example. Maybe businesses should start signing messages, and teach 
their customers to not trust ones that don't have the "golden padlock."

Tom

Confidentiality Warning
=======================

The contents of this e-mail and any accompanying documentation
are confidential and any use thereof, in what ever form, by anyone
other than the addressee is strictly prohibited.
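
An added example, not part of the original thread: one way a site could apply the two controls asked for under "Another Example", a timeout on the emailed credential and invalidation once it has been used, with a forced password change afterwards. The `ResetStore` class, its method names and the 15-minute lifetime are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

RESET_TTL_SECONDS = 15 * 60  # assumed lifetime; the post only asks for "a timeout"


class ResetStore:
    """In-memory stand-in (hypothetical) for a server-side table of pending resets."""

    def __init__(self, clock=time.time):
        self._pending = {}         # account -> (sha256 of token, expiry timestamp)
        self._must_change = set()  # accounts that must set a new password at login
        self._clock = clock        # injectable so expiry can be tested offline

    def issue(self, account):
        """Create the secret that goes into the email; only its hash is stored."""
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).digest()
        # Issuing again overwrites any older pending token for the account.
        self._pending[account] = (digest, self._clock() + RESET_TTL_SECONDS)
        return token

    def redeem(self, account, token):
        """Accept a token at most once, and only before it expires."""
        entry = self._pending.get(account)
        if entry is None:
            return False
        digest, expiry = entry
        presented = hashlib.sha256(token.encode()).digest()
        if not hmac.compare_digest(digest, presented):
            return False
        del self._pending[account]  # single use: a copy kept from the mail is dead
        if self._clock() > expiry:
            return False            # mail that lay dormant past the timeout
        self._must_change.add(account)
        return True

    def must_change_password(self, account):
        return account in self._must_change

    def password_changed(self, account):
        self._must_change.discard(account)
```

This narrows the window in cases (a) and (b) above; it does not stop someone who reads the mail and redeems the token before the account owner does.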
