Date: Wed, 30 Jul 2008 10:07:13 -0500
From: "Robert Holgstad" <rholgstad@...il.com>
To: stuart@...erdelix.net, full-disclosure@...ts.grok.org.uk
Subject: Re: simple phishing fix

I think you are the new greatest troll of FD

On Wed, Jul 30, 2008 at 3:14 AM, lsi <stuart@...erdelix.net> wrote:

> Thank you all for your comments.  However, I cannot disagree more
> fully.
>
> It doesn't matter that the blacklist is not complete, if a scammer
> tries to phish a bank that's not on the list, eg. is not popular, he
> won't make much money, because it's a small bank and the probability
> of him hitting an email address which works, and is an address of a
> customer of that tiny bank, and the customer gets suckered, and all
> other security mechanisms fail, is very small.
>
> The scammer knows this and so he targets the popular banks.
>
> Therefore, the blacklist only needs to contain popular banks.
> However there is almost no penalty to add another 500 to the list,
> it's a simple filter, it's fast.
>
> I do agree that the more banks on the list, the better, but there are
> not millions of banks in the world, it's not a problem to list all
> the major banks, and many of the smaller banks as well.
>
> As the blacklist is deployed, the average revenue per mail (ARPM)
> will fall.  The more it is deployed, the more the ARPM will fall.
> The ARPM does not need to hit zero.  As soon as the ARPM falls below
> the average cost to send each mail, phishing will be economically
> unviable.
>
> Eg. it might still be technically feasible, however it will no longer
> be profitable to be a phisher.
>
> Repeat, phish do not need to be completely eliminated.  Once they are
> reduced below a certain level, it will become economically infeasible
> to be a phisher.  The invisible hand [1] will do the rest of the work
> for us.
>
> Other bits:
>
> I agree that by opening a hole in your phish firewall (eg. permitting
> traffic from the Bank of Foo) you are making yourself slightly less
> protected, however if a user has a blacklist where he has to
> specifically ALLOW traffic from a certain bank that user will be well
> aware that he has opened a hole in his phish wall and will be
> extremely attentive when he actually gets a mail.  (I'm appalled that
> some banks actually use email, how cheap are they?  If my bank did
> that, I'd complain, and consider changing banks.)  As with a real
> firewall, it's not a total solution, but one layer of several.
>
> The blacklist catches variations, of course the common variations are
> listed as well, again, every combination is not required, because the
> probabilities of failure rapidly stack up once the scammers start to
> get too imaginative with their variations (eg. they will have to use
> more and more obscure variations, which will trick fewer and fewer
> users).  I hear unicode will make life interesting, I'm looking
> forward to some samples.
>
> Blacklists do work.  They are successfully used in many applications,
> the Spamhaus blocklist, the denyhosts SSH tool and desktop AV
> software all spring to mind.  Blacklists don't work *when the content
> they are checking is polymorphic*.  Phish, by definition are NOT
> polymorphic.  We are talking banks here, they do not change their
> names very often.
>
> I think that is an important point.  The problem space is a lot
> smaller once you start working with a finite list of domain names.  A
> blacklist is feasible in these circumstances.
>
> I agree my list is small, you'll note however it contains most of the
> biggest banks, I didn't choose them, they self-selected, by being
> sent to me.  That's why they are the biggest banks, because the
> scammers target those banks.  There's obviously no reason why the
> list could not contain every large bank in the world.  I could maybe
> hunt down some stats to add banks I don't get phished for, but that
> would just slow down my filter!  If others were to use it they'd want
> to customise it.  Because the blacklist is on the client machine, the
> user is free to add banks they get hammered with, and free to remove
> banks they want to correspond with.
>
> Don't forget that "achovia." can be listed, to catch wachovia.com,
> vvachovia.com, vvachovia.co.uk etc.
>
> Think about it, most people have no need to accept mail from every
> bank in the world.  That is accept ALL. Using the blacklist means
> they are now denying all bank traffic. (OK, denying all on the list,
> I agree that it's not a complete deny all, because we cannot know the
> names of all banks in advance.  I do regret confusing the discussion
> by mentioning DENY ALL, I was hoping to explain my analogy to a
> firewall, eg., it blocks everything by default and then lets in what
> you tell it to let in, I do accept that unlike a real firewall it can
> be got around by using an unlisted name, it's really DENY MOST.)
>
> > "(x) Mailing lists and other legitimate email uses would be affected
>
> Irrelevant.  They are affected already. They are the victims of
> spoofing.  It's either block their mails, or users suffer the spoofs.
> Given that suffering the spoofs means bank-originated mails are
> useless in any case, that means the only available course of action
> is to deny all bank email traffic.
>
> > my Bayesian filter gets these anyway
>
> My spam filter misses some, hence my post, however following this
> comment I have checked my config and the Bayesian plugin is disabled
> ;)  Thank you for the suggestion.
>
> [1] http://en.wikipedia.org/wiki/Invisible_hand
>
> ---
> Stuart Udall
> stuart at@...erdelix.dot net - http://www.cyberdelix.net/
>
> ---
>  * Origin: lsi: revolution through evolution (192:168/0.2)
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>


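The fragment blacklist the quoted message describes, as an added example that is not from the original post or the poster's own filter: it matches the sender domain and every linked hostname against substrings such as "achovia.", honours a per-user ALLOW list for banks the user corresponds with, and decodes punycode and strips accents for the Unicode spellings the post anticipates. The fragment list, the allowed domain and the sample messages are constructed.

```python
import re
import unicodedata
from email import message_from_string
from email.utils import parseaddr

# Constructed fragment blacklist in the style of the post: each entry is a
# substring of a bank name, so "achovia." also catches vvachovia.com etc.
BANK_FRAGMENTS = ["achovia.", "citibank.", "paypal."]
# Banks this user has deliberately opened a hole for (the post's "ALLOW").
ALLOWED_DOMAINS = {"citibank.com"}
URL_HOST_RE = re.compile(r"https?://([^/\s<>\"']+)", re.IGNORECASE)


def normalise_host(host):
    """Lowercase, drop userinfo/port, decode punycode labels, then strip
    accents so an IDN spelling such as wachovía.com compares as wachovia.com.
    Look-alike letters from other scripts are not handled here."""
    host = host.lower().rsplit("@", 1)[-1].split(":", 1)[0]
    try:
        host = host.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # already Unicode or malformed punycode: compare as given
    decomposed = unicodedata.normalize("NFKD", host)
    return "".join(c for c in decomposed if not unicodedata.combining(c))


def hosts_in_message(raw):
    """Sender domain plus every URL hostname found in a plain-text body."""
    msg = message_from_string(raw)
    hosts = []
    addr = parseaddr(msg.get("From", ""))[1]
    if "@" in addr:
        hosts.append(normalise_host(addr.rsplit("@", 1)[1]))
    body = "" if msg.is_multipart() else msg.get_payload()
    hosts += [normalise_host(h) for h in URL_HOST_RE.findall(body)]
    return hosts


def is_allowed(host):
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)


def classify(raw):
    """Return ("deny"|"allow"|"pass", host).  "pass" is the DENY MOST gap
    the post concedes: a bank name not on the list goes straight through."""
    hits = [h for h in hosts_in_message(raw)
            if any(frag in h for frag in BANK_FRAGMENTS)]
    denied = [h for h in hits if not is_allowed(h)]
    if denied:
        return "deny", denied[0]
    if hits:
        return "allow", hits[0]
    return "pass", None
```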