lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Sat Apr  1 00:30:52 2006
From: anonymous.squirrel at gmail.com (Anonymous Squirrel)
Subject: Fwd: [HV-PAPER] Anti-Phishing Tips You Should
	NotFollow

On 3/31/06, Mike Nice <niceman@....net> wrote:
>
> > http://www.hexview.com/sdp/node/24
> >
> > (Show this article to your computer-illiterate spouse to confuse him/her
> > even more :)
>
>    Better yet, do the right thing and implement Tip #4:  Go to the secure
> SSL login page of your bank.  Verify the URL.   Verify that the SSL
> certificate was issued to your bank by examining its properties.  Now
> bookmark the SSL page.  Tell your computer-illiterate spouse to *always* go
> to the bank login via favorites with the page you just bookmarked.  If there
> are any popup warnings from the browser [such as from certificate name
> mismatch], do no log in.   This catches all variations of Pharming,
> man-in-the-middle, and type-alike sites.   It offers no protection from
> local trojans/keyloggers.
>

I'll agree that Step #4 protects against one variant of the phish
attack.  But there are so many others:

1) Any different social engineering besides "login to your bank
account".  For example, "Chase will pay you $20 to fill out a short
survey!"  (of course, after filling out the survey you must provide
your debit card number or account login information to get the $20).
Another example is spoofing a retailer's site to get debit and credit
card information, or spoofing the IRS.

2) Any attack against the user's computer.  Keyloggers, software that
listens for an authenticated connection than inserts transactions,
host file alterations.

3) Any attack that spoofs the SSL cert box (The Codefish web site had
a good example...what ever happened to Codefish, anyway?...pharming,
MITM, and type-alike can fit in here, too)

Honestly, the only way to defeat phishing is to improve computer
configurations and managment, to educate users, and to allow only
smart users near the Internet.  None of those is likely to happen, so
we'll have to deal with phish forever.  That's just like in the
physical world.  After thousands of years, we still have people
performing con jobs.

-- Although I've found many nuts, I'm back to being anonymous,

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ