Security Basics mailing list archives
Re: HOW TO PREVENT FHISHING ATTACKS
From: Paul Johnston <paul.johnston () pentest co uk>
Date: Tue, 08 Feb 2011 23:20:23 +0000
Hi,

There's been some interesting advice on this thread. I agree that user education (or even shooting ;-) is part of the solution. But phishers only ever hope to capture a small percentage of people who receive their emails. And as Murphy's law goes, we can be sure this will be the small percentage that education doesn't reach.

Multi-factor authentication can help. For example, a one-time password like a SecurID token at least only allows a phisher to login right there and then; it doesn't give them a password they can later use. Other types of multi-factor - I'm thinking a smart card that holds an SSL client certificate - can be completely resistant to phishing. At least if implemented right; some smart card login systems fail to achieve this property.

There is the potential to solve this at a technical level for passwords. The Secure Remote Password protocol (http://srp.stanford.edu/) has the same property as a well implemented smart card - you can authenticate to an untrusted party without revealing your authentication credential. However, not much software even supports SRP as of now, and if there was to be a move to it, browsers would have to support the old model for a long time. The users who could be phished would be the ones who'd enter their password in a non-SRP password box. Worth considering for the long term though. (http://www.mail-archive.com/cryptography () metzdowd com/msg08767.html)

For organisations likely to be phished, a lot of effort goes into identification and takedown. There are services (e.g. RSA/Cyota) that identify brand abuse in emails, and efforts can be made to take down the website that users are lured to. Sometimes law enforcement capture malicious servers and identify lists of phished credentials. Some organisations choose to alert customers; others just put additional monitoring on the accounts.

Looking at reports of incidence of phishing, some major brands are targeted less than others. It may be (and this is speculation on my part) that these brands have paid protection money to avoid this. Or perhaps they work harder at following the money trail after phishing has occurred.

One area that definitely has improved is browsers making clear what site you are dealing with. Thinking back to 2003 or so, there were many variants of "UI redress" attacks where it would look like you were dealing with the legitimate site, when really you were dealing with a phishing site. This has become much harder to do now, although "frame spoofing" was a relatively recent common vulnerability that enabled this. It's also possible if there is just one unauthenticated cross-site scripting vulnerability in the brand's website.

All told, I don't expect to see hugely more effort in preventing phishing, because the even-more-scary threat is silent, data-capturing trojans. Many of the solutions mentioned in this thread are not effective against trojans. More effort is going on after-the-event controls like fraud detection.

Regards,
Paul

-- 
Pentest - When a tick in the box is not enough
Paul Johnston - IT Security Consultant / Tiger SST
Pentest Limited - ISO 9001 (cert 16055) / ISO 27001 (cert 558982)
Office: +44 (0) 161 233 0100
Mobile: +44 (0) 7817 219 072
Email policy: http://www.pentest.co.uk/legal.shtml#emailpolicy
Registered Number: 4217114 England & Wales
Registered Office: 26a The Downs, Altrincham, Cheshire, WA14 2PU, UK
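The SRP property Paul refers to (authenticating to an untrusted party without handing over the credential) shown as a complete SRP-6a exchange with both sides run in one process. This is an added example, not code from the original post or from the Stanford SRP project. It assumes the RFC 5054 1024-bit group with g = 2, SHA-256 as the hash, and the message flow of RFC 5054; the names register, Client, Server and run_exchange are the example's own. The last function models a phishing site, which never obtained the user's verifier, and shows that the transcript it sees yields no session key and nothing reusable against the real site.

```python
"""SRP-6a (RFC 5054 flow, SHA-256) with both sides in one process.

Added example, not part of the original mailing-list post. Assumptions:
RFC 5054 1024-bit group (N, g = 2), SHA-256 everywhere, and a phishing
server modelled as a party holding a verifier it made up.
"""
import hashlib
import os

# RFC 5054 1024-bit safe prime and generator (assumed transcribed
# correctly; the algebra below holds for any N and g both sides agree on).
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3",
    16,
)
g = 2
NLEN = (N.bit_length() + 7) // 8


def pad(x: int) -> bytes:
    """Left-pad an integer to the byte length of N (RFC 5054 PAD())."""
    return x.to_bytes(NLEN, "big")


def H(*parts: bytes) -> int:
    """SHA-256 over the concatenation, read as a big-endian integer."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


k = H(pad(N), pad(g))  # SRP-6a multiplier, fixed per group


def private_x(salt: bytes, username: str, password: str) -> int:
    """x = H(salt | H(username ":" password)); only the client computes this."""
    inner = hashlib.sha256(f"{username}:{password}".encode()).digest()
    return H(salt, inner)


def register(username: str, password: str) -> dict:
    """Enrolment: the server stores only (salt, verifier), never the password."""
    salt = os.urandom(16)
    v = pow(g, private_x(salt, username, password), N)
    return {"username": username, "salt": salt, "verifier": v}


class Server:
    """Holds the stored record and runs the server half of the exchange."""

    def __init__(self, record: dict):
        self.rec = record
        self.b = int.from_bytes(os.urandom(32), "big") % N

    def challenge(self, A: int) -> tuple:
        if A % N == 0:  # RFC 5054: abort on a degenerate client value
            raise ValueError("illegal client public value")
        self.A = A
        self.B = (k * self.rec["verifier"] + pow(g, self.b, N)) % N
        return self.rec["salt"], self.B

    def session_key(self) -> int:
        u = H(pad(self.A), pad(self.B))
        S = pow(self.A * pow(self.rec["verifier"], u, N), self.b, N)
        return H(pad(S))


class Client:
    """Knows the password; sends only A and a proof bound to its own key."""

    def __init__(self, username: str, password: str):
        self.I, self.P = username, password
        self.a = int.from_bytes(os.urandom(32), "big") % N
        self.A = pow(g, self.a, N)

    def session_key(self, salt: bytes, B: int) -> int:
        if B % N == 0:  # abort on a degenerate server value
            raise ValueError("illegal server public value")
        u = H(pad(self.A), pad(B))
        if u == 0:
            raise ValueError("u must not be zero")
        x = private_x(salt, self.I, self.P)
        S = pow((B - k * pow(g, x, N)) % N, self.a + u * x, N)
        return H(pad(S))

    def proof(self, B: int, K: int) -> int:
        """Client proof M1 = H(A | B | K): shows knowledge of K, reveals no x."""
        return H(pad(self.A), pad(B), pad(K))


def run_exchange(record: dict, username: str, password: str) -> tuple:
    """Run one login; returns (client_key, server_key, client_proof)."""
    client = Client(username, password)
    server = Server(record)
    salt, B = server.challenge(client.A)
    K_client = client.session_key(salt, B)
    return K_client, server.session_key(), client.proof(B, K_client)


def phisher_outcome(real_record: dict, username: str, password: str) -> dict:
    """A phishing site with a made-up verifier gets the user to 'log in'.

    It sees A and M1 only. Its own key differs from the client's, and M1
    is bound to its B, so nothing it captured verifies at the real site.
    """
    fake = dict(real_record, verifier=pow(g, 12345, N))  # constructed guess
    K_client, K_phisher, M1 = run_exchange(fake, username, password)
    # Replay attempt: present the captured A/M1-derived nothing to the real
    # site; the real server would compute a key unrelated to K_phisher.
    _, K_real, _ = run_exchange(real_record, username, password)
    return {
        "phisher_has_client_key": K_client == K_phisher,
        "captured_proof_matches_real": M1 == K_real,
    }
```

Usage: rec = register("alice", "correct horse"); run_exchange(rec, "alice", "correct horse") yields equal client and server keys, a wrong password yields different keys, and phisher_outcome(rec, "alice", "correct horse") reports that the phishing site learned neither the session key nor anything that verifies at the real server. The comparison with a plain password form is the point: there, the same user action hands over a credential that works anywhere.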
Current thread:
- RE: HOW TO PREVENT FHISHING ATTACKS Filiberto Moreno (Feb 02)
- Re: HOW TO PREVENT FHISHING ATTACKS John Renne (Feb 03)
- Message not available
- Message not available
- Re: HOW TO PREVENT FHISHING ATTACKS Nikhil Manampady (Feb 07)
- RE: HOW TO PREVENT FHISHING ATTACKS Jon Davis (Feb 08)
- Re: HOW TO PREVENT FHISHING ATTACKS Paul Johnston (Feb 10)
- RE: HOW TO PREVENT FHISHING ATTACKS Gadi Naveh (Feb 15)
- Message not available
- Re: HOW TO PREVENT FHISHING ATTACKS John Renne (Feb 03)
- Re: HOW TO PREVENT FHISHING ATTACKS Nikhil Manampady (Feb 07)
- <Possible follow-ups>
- Re: HOW TO PREVENT FHISHING ATTACKS Adam Pal (Feb 03)
- RE: HOW TO PREVENT FHISHING ATTACKS Lynch, Gordon CTR NHRC (Feb 03)
- RE: HOW TO PREVENT FHISHING ATTACKS Eggleston, Mark (Feb 03)
- RE: HOW TO PREVENT FHISHING ATTACKS Craig S Wright (Feb 03)
- Re: HOW TO PREVENT FHISHING ATTACKS Patrick Kobly (Feb 03)
- RE: HOW TO PREVENT FHISHING ATTACKS Sacks, Cailan C (Feb 03)