Date: Fri, 24 Sep 2004 09:04:34 -0500
From: "Dehner, Benjamin T." <Ben.Dehner@...mont.com>
To: bugtraq@...urityfocus.com
Subject: RE: New whitepaper "The Phishing Guide"



I think if major vendors used signed emails, it would be a good step.
However, I'm not sure in the long run it will do much good.

First, the real problem isn't technical, it's educational.  Most users
sophisticated enough to download a public key, verify the fingerprint, and
install it on their keyring aren't going to be fooled by phishing attacks
anyway.

Second, as far as I know, there is no standard for encryption software.
Signing something with, say, PGP doesn't do a blind bit of good unless the
recipient has gone to the bother of downloading and installing PGP on their
system.  (See above.)  And if you haven't installed PGP, seeing the BEGIN
PGP SIGNED MESSAGE verbiage on an email may give a false sense of security
when the message may have been signed by an invalid key, or may not have
been signed at all and the enclosed "signature" is random garbage.

Third, I can see a new variant of the phishing attack.  "WARNING:  OUR
SECURITY HAS BEEN COMPROMISED.  PLEASE CLICK ON THE LINK BELOW TO ADD OUR
NEW SECURITY CERTIFICATE TO YOUR KEYRING AND RE-VERIFY YOUR PERSONAL
INFORMATION".   (This also touches on the subject of key revocations, but
I'll leave that alone for now.)

Ben
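An added example for the point above about fake "BEGIN PGP SIGNED MESSAGE" blocks (it is not part of Ben's post, nor code from any tool the thread mentions): it parses the signature armor of a constructed sample mail and checks only what the armor itself carries, its CRC-24, showing that the visible block is garbage, while armor_signature shows that anyone can mint a block that passes this structural check, so the only check that means anything is cryptographic verification against a key the reader already trusts. The regex, the sample mail and the payload bytes are assumptions of this example.

```python
import base64
import binascii
import re

CRC24_INIT, CRC24_POLY = 0xB704CE, 0x1864CFB  # OpenPGP armor CRC, RFC 4880 s.6.1

def crc24(data: bytes) -> int:
    crc = CRC24_INIT
    for octet in data:
        crc ^= octet << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF

ARMOR_RE = re.compile(
    r"-----BEGIN PGP SIGNATURE-----\n(?:[^\n]*:[^\n]*\n)*\n"  # optional armor headers
    r"(?P<body>(?:[A-Za-z0-9+/=]+\n)+)"                       # base64 lines
    r"=(?P<crc>[A-Za-z0-9+/]{4})\n-----END PGP SIGNATURE-----")  # "=" + CRC-24

def check_armor(text: str) -> str:
    """Structural check only: well-formed signature armor with a matching CRC-24?"""
    m = ARMOR_RE.search(text)
    if not m:
        return "no well-formed signature armor"
    try:
        body = base64.b64decode(m["body"].replace("\n", ""), validate=True)
        crc = base64.b64decode(m["crc"], validate=True)
    except binascii.Error:
        return "signature body is not valid base64"
    if crc24(body) != int.from_bytes(crc, "big"):
        return "armor checksum mismatch"
    return "ok"  # says nothing about who signed: verify against a trusted key

def armor_signature(payload: bytes) -> str:
    """Wrap arbitrary bytes in valid armor: anyone can make check_armor say 'ok'."""
    crc = base64.b64encode(crc24(payload).to_bytes(3, "big")).decode()
    return ("-----BEGIN PGP SIGNATURE-----\n\n" + base64.b64encode(payload).decode()
            + "\n=" + crc + "\n-----END PGP SIGNATURE-----")

# Constructed phishing-style mail: clearsign framing, arbitrary text as "signature".
FAKE_MAIL = """-----BEGIN PGP SIGNED MESSAGE-----

Our security has been compromised. Re-verify your details at the link below.
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEnotreallyasignature
=abcd
-----END PGP SIGNATURE-----"""
```

check_armor(FAKE_MAIL) rejects the sample because the "signature" is not even valid base64, but a result of "ok" is still only a formatting check, not proof of origin.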
  


-----Original Message-----
From: Aleksandar Milivojevic [mailto:amilivojevic@....ca]
Sent: Thursday, September 23, 2004 9:57 AM
To: bugtraq@...urityfocus.com
Subject: Re: New whitepaper "The Phishing Guide"


Gunter Ollmann (NGS) wrote:

[snip]

> While the Phishers
> develop evermore sophisticated attack vectors, businesses flounder to
> protect their customers' personal data and look to external experts for
> improving email security. Customers too have become wary of "official"
> email, and organisations struggle to install confidence in their
> communications.

Sometimes it's unbelievable how long it takes organizations to discover 
that email can be signed.  Especially nowadays when all major mail 
readers have support for at least S/MIME (and the really good ones have 
support for at least PGP ;-) ).

-- 
Aleksandar Milivojevic <amilivojevic@....ca>    Pollard Banknote Limited
Systems Administrator                           1499 Buffalo Place
Tel: (204) 474-2323 ext 276                     Winnipeg, MB  R3T 1L7

 
 
 
The information contained in this E-mail message and the documents accompanying this message are
privileged and confidential, and may be protected from disclosure.  Please be aware that any use, 
printing, copying, disclosure or dissemination of this communication may be subject to legal
restriction or sanction. If you think that you have received this E-mail message in error, please
reply to the sender.

For more information about Valmont Industries, Inc., please visit our web site at www.valmont.com


