RE: MSN Webcam / Chat Spoof

["Richard M. Smith" <rms () computerbytesman com>]

Having a more complete cert would raise the bar for social engineering
attacks like the one being done at the fake MSN Web site.  Right now,
the ActiveX control gives the impression that it is coming from
Microsoft.  

Another fix for this kind of problem is that Internet Explorer checks
with the issuing agency to see if a cert has been revoked before the
ActiveX control is allowed to be installed.

Richard

-----Original Message-----
From: Valdis.Kletnieks () vt edu [mailto:Valdis.Kletnieks () vt edu] 
Sent: Monday, May 12, 2003 1:34 PM
To: Richard M. Smith
Cc: full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] MSN Webcam / Chat Spoof 


On Mon, 12 May 2003 10:09:32 EDT, "Richard M. Smith"
<rms () computerbytesman com>  said:

> My question:  Why can't an Authenticode certificate present the
> following information to a user:
>
>    - Company name
>    - Street address
>    - Phone number
>    - Web site URL
>    - Contact Email address
>    - Company logo
>    - Link to a product description page

OK.. .So you get a cert - now other than "phone number", is there
anything
there that *really* increases your confidence level (given that you have
2 http:// and a mailto: URL, and they could all point at a hijacked
server)?

Remember that there has already been one well-publicized case of
Verisign
issuing a bogus Microsoft cert - there's no proof they haven't made the
same social-engineering whoops on possibly *dozens* of lesser-known
software
houses.

And after the dot-bombed era, there's probably a *lot* of places that
had
certs and went belly up - and said certs went out the door when the
servers
they were on got surplused.  I'm sure snooping around the right hacker
IRC channels will find you a pointer to a black-market cert that you can
have
a copy of....

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html