WebApp Sec mailing list archives
Re: Anti-Phishing, why it doesn't work
From: robert () dyadsecurity com
Date: Mon, 24 Jan 2005 10:41:16 -0800
Joseph Miller(joseph () tidetamerboatlifts com)@Mon, Jan 24, 2005 at 11:34:48AM -0500:
If you don't mind paying $1500 for a 15" 3D monitor, this is the choice for you (not to mention the added cost of redeveloping operating system desktops for secure applications).
This type of OS rewrite goes well beyond just the presentation level. You can read a little bit about what sun did for X in TSOL here: http://docs.sun.com/app/docs/doc/816-1042/6m7g4ma8g?a=view We're working on X extensions for an SE Linux base to allow for similar functionality.
If I can gain access to a person's display (via email software vulnerabilities, specially formed HTML pages, etc), I can pretty much make it look like anything I want to.
This would be possible with a 3D monitor too. When you have an unenforceable and unmodeled security policy, you should expect the unexpected to happen.
We all know that the number one reason why Anti-Phishing mechanisms do not work is because of dumb users.
I don't blame the users. They just want to use the computer. They shouldn't be expected to be security experts (what ever that means). If they go to the wrong website or open the wrong file, the worst thing that should happen in their email client or web browser would lock up. Users would then just reopen the failed application. MAC/DTE/RBAC may be a more suitable direction to start with. Perhaps we can add 3D monitors after we have a functional TCB :). Robert -- Robert E. Lee CTO, Dyad Security, Inc. W - http://www.dyadsecurity.com E - robert () dyadsecurity com M - (949) 394-2033
Current thread:
- Anti-Phishing, why it doesn't work Joseph Miller (Jan 24)
- Re: Anti-Phishing, why it doesn't work Felix Berger (Jan 24)
- Re: Anti-Phishing, why it doesn't work robert (Jan 24)
- Re: Anti-Phishing, why it doesn't work Jeremiah Grossman (Jan 24)