Open Source and information security mailing list archives
 
Date: Sun Apr  2 01:20:39 2006
From: anonymous.squirrel at gmail.com (Anonymous Squirrel)
Subject: [HV-PAPER] Anti-Phishing Tips You Should Not Follow

On 4/1/06, Mike Nice <niceman@....net> wrote:
>
> 1) Any different social engineering besides "login to your bank
> account".  For example, "Chase will pay you $20 to fill out a short
> survey!"  (of course, after filling out the survey you must provide
> your debit card number or account login information to get the $20).
>
>     This should be tip #5, back to the old 'don't click on anything from
> your bank in an E-mail - for any reason'.

It's not that simple.  With all of the outsourcing nowadays, the
phisher only has to indicate that the survey is being "impartially"
conducted by a third party.  Then the phisher can even supply a
non-bank link without obfuscation!  Really, all we are dealing with
here is tricking the human into going to the web site.  Saying "don't
click on anything" only guards against one social engineering tactic.
The rest are left on the table.

>
> 3) Any attack that spoofs the SSL cert box (The Codefish web site had
> a good example...what ever happened to Codefish, anyway?...pharming,
> MITM, and type-alike can fit in here, too)
>
>    Tip #4 works precisely because it defeats pharming, MITM and type-alike.
> The Cert box is nearly impossible to spoof because you would have to spoof
> the actual bank's certificate.  Any error and your browser will pop up a
> warning dialog that the host name on the SSL cert doesn't match the name of
> the host.    That's only assuming that some corrupt CA hasn't issued a
> second SSL cert for the real bank host name.
>

You must not have visited Codefish.  The spoof wrote a https:  web
address in the address bar, and wrote the bottom of the browser to
look just like an SSL connection, complete with a lock. When the lock
was clicked, it popped up something that looked just like the cert
box.  Very well done indeed.

I'm continually amazed by the belief that the cert box is sacrosanct. 
If the underlying box is compromised, all bets are off.
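The check the quoted "Tip #4" relies on is the browser comparing the name on the certificate with the host it was asked to connect to. The following is an added illustration, not code from the message above or from any browser: it performs that comparison over a constructed certificate dict in the shape that Python's ssl.SSLSocket.getpeercert() returns (the host names and certificate contents are made up), so it runs offline. It shows why a pharming or MITM host, a look-alike domain, or a subdomain two levels deep all fail the match, while a wildcard entry covers exactly one label.

```python
"""Hostname verification against a server certificate's names.

Added illustration, not part of the original post. SAMPLE_CERT is a
constructed dict mirroring ssl.SSLSocket.getpeercert() output; no
network connection is made.
"""

# Constructed sample certificate data (hypothetical names).
SAMPLE_CERT = {
    "subject": ((("commonName", "online.bank.example"),),),
    "subjectAltName": (
        ("DNS", "online.bank.example"),
        ("DNS", "*.bank.example"),
    ),
}


def _dns_names(cert):
    """Collect DNS names from subjectAltName; fall back to the CN only
    when the certificate carries no SAN entries at all."""
    names = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    if names:
        return names
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return names


def _name_matches(pattern, hostname):
    """Match one certificate name (possibly a wildcard) against hostname.

    RFC 6125 style: case-insensitive; a single '*' is allowed only as the
    whole leftmost label and matches exactly one label. No partial-label
    wildcards, and '*.tld' is rejected outright.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False
    if len(p_labels) < 3:          # '*.com' would cover every domain
        return False
    if len(p_labels) != len(h_labels):
        return False               # wildcard spans one label, never more
    return h_labels[0] != "" and p_labels[1:] == h_labels[1:]


def hostname_matches(cert, hostname):
    """True if hostname is covered by one of the certificate's names."""
    return any(_name_matches(name, hostname) for name in _dns_names(cert))


def check_connection(cert, requested_host):
    """Return (ok, reason), the decision behind a browser's name warning."""
    if hostname_matches(cert, requested_host):
        return True, "certificate name matches requested host"
    return False, "certificate is for %s, not %s" % (
        ", ".join(_dns_names(cert)), requested_host)


if __name__ == "__main__":
    for host in ["online.bank.example", "www.bank.example",
                 "bank.example.attacker.net", "online.bank-example.com",
                 "a.b.bank.example", "bank.example"]:
        print(host, check_connection(SAMPLE_CERT, host))
```

The point of the thread survives the example: this comparison runs inside the client, on a real TLS connection. A page that paints its own address bar, lock icon and "certificate box" never reaches it, because no certificate for the spoofed name was ever presented to the browser.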
