lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <BAY101-DAV4673DCAB6ED738C903EE0DE7C0@phx.gbl>
Date: Thu Jun 29 05:10:26 2006
From: drellman at hotmail.com (Saeed Abu Nimeh)
Subject: Are consumers being misled by "phishing"?

Because it is not only social engineering. There are two parts of the
attack 1) social engineering aspect and 2) technical subterfuge. A
trojan that changes your local host file is not social engineering. This
trojan can be downloaded via a hole in your ie browser with no much
effort from an attacker. then the trojan changes your host file and
rather than pointing you to paypal.com 1.1.1.1 it points you to 2.2.2.2
I discussed a similar point with my colleagues and could not get an
answer: Does phishing have to satisfy both conditions in the definition,
i.e. social engineering AND tech subterfuge or one is enough: social
engineering OR tech subterfuge. Also, in one of the conferences a guy
argued that you can not call it identity theft, because if someone
steals your identity you will never exist, you have to call it
impersonation! so it depends.
2 cents,
Saeed

mikeiscool wrote:
> On 6/29/06, n3td3v <n3td3v@...il.com> wrote:
>> I believe the industry coined up "phishing" to make more money out of
>> social engineering. Its obvious now that both are over lapping. Only
>> the other day Gadi Evron was trying to coin up a phrase for "voice
>> phishing". Why can't we cut to the chase and drop the (ph)rases and
>> call it straight forward SOCIAL ENGINEERING.
>>
>> I believe your average single mom and retired couple will easily
>> become confused if we keep throwing new catch phrase buzzwords at
>> them. If we could just call it social engineering, then the world
>> would be a less confusing place for the average social engineering
>> vitcim.
>>
>> When Yahoo had "paydirect" (an online bank in partnership with HSBC,
>> which was later dropped by Yahoo!) there was an exploit for obtaining
>> account information you wanted from any Yahoo Account. So hundreds of
>> script kids had this exploit which was released by hackers in the
>> localised Yahoo security community. The technique was to get the
>> account information via the web-based exploit in the Yahoo Paydirect
>> service, then phone up Yahoo Customer Care and give them the account
>> information, and hey ho, customer care sends you a new password.
>> Around a hundred script kids were phoning customer care. I alerted
>> Yahoo what was going on, but Yahoo Customer Care didn't stop accepting
>> partial Yahoo account info in exchange for a new password. It was to
>> be one of the biggest compromises of Yahoo accounts. Yahoo didn't fix
>> the bug straight away, so it led to hundreds of accounts being
>> compromised and never recovered. After this incident, and still to
>> this day Yahoo Customer Care are easily socially engineered via the
>> telephone if you offer them partial yahoo account information.
>> (shocking)
>>
>> Point being, web-to-voice social engineering has been around forever,
>> just a few smart guys are trying to coin a phrase, which is only going
>> to confuse the mess that is "phishing". The name phishing should never
>> have been coined, and I warn the industry not to add on anymore
>> variants to the phishing term, which is in all means just social
>> engineering.
>>
>> Phishing was a big mistake by the industry, now the last thing we need
>> is "voice phishing" or any other (ph)rases...
>> See comments section of:
>> http://www.digg.com/security/Say_Hello_to_voice_phishing_2
> 
> but calling it something different allows gadi to add another item on
> his list of things to complain about. we all know there are only three
> security issues: bugs, design faults, and social enginering. let the
> idiots have their terms, there is nothing you can do about it.
> 
> -- mic
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
> 
> 

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ