Message-ID: <0c0201c65553$71a36ce0$2101a8c0@othello>
Date: Sat Apr  1 07:14:00 2006
From: niceman at att.net (Mike Nice)
Subject: [HV-PAPER] Anti-Phishing Tips You Should Not Follow


1) Any different social engineering besides "login to your bank
account".  For example, "Chase will pay you $20 to fill out a short
survey!"  (of course, after filling out the survey you must provide
your debit card number or account login information to get the $20).

    This should be tip #5, back to the old 'don't click on anything from 
your bank in an E-mail - for any reason'.

3) Any attack that spoofs the SSL cert box (The Codefish web site had
a good example...whatever happened to Codefish, anyway?...pharming,
MITM, and type-alike can fit in here, too)

   Tip #4 works precisely because it defeats pharming, MITM and type-alike. 
The Cert box is nearly impossible to spoof because you would have to spoof 
the actual bank's certificate.  Any error and your browser will pop up a 
warning dialog that the host name on the SSL cert doesn't match the name of 
the host.  That's only assuming that some corrupt CA hasn't issued a 
second SSL cert for the real bank host name.
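The hostname check the reply above relies on, as an added example that is not part of the original message: it models the name and issuer checks a browser applies to a server certificate and runs them through the cases the thread names (pharming/MITM, type-alike, and the corrupt-CA caveat). All hostnames, issuer names and certificates below are constructed.

```python
from dataclasses import dataclass


@dataclass
class Cert:
    """Minimal stand-in for the parts of an X.509 cert the browser checks."""
    subject_cn: str
    san_dns: tuple[str, ...] = ()      # subjectAltName dNSName entries
    issuer: str = "Trusted CA"         # constructed issuer name


def _name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style match: case-insensitive, '*' only as the whole
    left-most label, never spanning a dot, and never for a bare TLD."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert: Cert, requested_host: str) -> bool:
    """True when the name the user typed is covered by the certificate.
    SAN entries are authoritative when present; CN is only the fallback."""
    names = cert.san_dns or (cert.subject_cn,)
    return any(_name_matches(n, requested_host) for n in names)


def check_connection(cert: Cert, requested_host: str, trusted_cas: frozenset[str]) -> str:
    """Return 'ok' or the warning a browser would raise for this connection."""
    if cert.issuer not in trusted_cas:
        return "warning: untrusted issuer"
    if not hostname_matches(cert, requested_host):
        return "warning: certificate name does not match host"
    return "ok"


TRUSTED = frozenset({"Trusted CA", "Rogue But Trusted CA"})   # constructed trust store
BANK = "www.examplebank.test"                                  # constructed bank hostname


def scenarios() -> dict[str, str]:
    """The thread's cases, keyed by name, with what the browser would show."""
    return {
        # pharming/MITM: user typed the real name, the answering host holds a cert for another name
        "pharming": check_connection(Cert("www.attacker.test"), BANK, TRUSTED),
        # a self-issued cert carrying the bank's name fails on the issuer check instead
        "self_signed": check_connection(Cert(BANK, issuer="Self-signed"), BANK, TRUSTED),
        # type-alike: user typed the look-alike name and the cert is valid for it, so no dialog;
        # only reading the name in the cert box (tip #4) catches this
        "type_alike": check_connection(Cert("www.examp1ebank.test"), "www.examp1ebank.test", TRUSTED),
        # the post's caveat: a trusted-but-rogue CA issued a cert for the real name
        "rogue_ca": check_connection(Cert(BANK, issuer="Rogue But Trusted CA"), BANK, TRUSTED),
    }
```

The type-alike and rogue-CA rows come back "ok", which is exactly the gap the reply points at: the dialog only fires on a name or issuer mismatch, so the user still has to read the name in the cert box.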
