Security Basics mailing list archives
Re: Anti-Phishing with digital watermarking
From: Ansgar Wiechers <bugtraq () planetcobalt net>
Date: Mon, 29 Sep 2008 19:34:24 +0200
On 2008-09-29 Razi Shaban wrote:
- Alerts based on client-side scripting won't work when scripting is disabled in the browser, which is the more secure setting to begin with. So, to enable this kind of alert, you'd have to lower the overall security of the browser.People who have enough tech knowledge to disable scripting are not the target audience of phishing. Those are the people least likely to fall for it. It is rather the people who don't know what a "script" is that are going to be susceptible.
Disabling JavaScript doesn't take any kind of technical knowledge. And especially the people who don't know what a script is should disable client-side scripting entirely rather than rely on JavaScript to tell them whether they're secure or not.
- With client-side scripting enabled, phishers can most easily use the very same technology to rewrite those parts of the included original page they don't like.I'm not even sure what this means,
I suspected as much.
but this watermarking (for lack of a better term) can be removed. All watermarking can be removed. However, this watermarking is not meant to show up on the user's screen, but rather to make the original author aware of the phishing attempts.
Same difference. It doesn't matter whether the script raises a popup on the user's desktop or sends a message back to the company. The phisher can use both client- and server-side scripting to rewrite those parts of the original page he doesn't like.
- Even with client-side scripting disabled, phishers can still use server-side scripting to rewrite those parts of the original page they don't like, because they're acting as a man-in-the-middle.If the phisher is not aware of or cannot find the exact code responsible for the phone-home reaction, they can't remove it.
Underestimating an enemy sounds kinda risky to me. What makes you believe your little phone-home is so hard to detect for the bad guys?
A general response to your ideas on disabling client side scripting is easily refuted by the idea of scale. Phishing does not target one, it targets many. If one user ? hell, seventy ? have all the protection afforded by modern technology, the phone-home reaction will still take place. Why? Because any phishing worth mentioning is viewed thousands of times, and at least one of the users being targeted will be running IE5 with absolutely no security. The goal of this is, again, to make the original author aware of the phishing, not to prevent it altogether.
Which, of course, is totally unreliable (and thus utterly pointless as a security measure), because you make way too much assumptions (client has JavaScript enabled, phisher doesn't check the used website for phone- home code, phisher uses the original website in the first place, ...). Regards Ansgar Wiechers -- "The Mac OS X kernel should never panic because, when it does, it seriously inconveniences the user." --http://developer.apple.com/technotes/tn2004/tn2118.html
Current thread:
- Anti-Phishing with digital watermarking Alcides (Sep 26)
- RE: Anti-Phishing with digital watermarking Matt Flynn (Sep 26)
- Re: Anti-Phishing with digital watermarking Razi Shaban (Sep 26)
- Re: Anti-Phishing with digital watermarking Ron (Sep 26)
- Re: Anti-Phishing with digital watermarking Umil (Sep 26)
- RE: Anti-Phishing with digital watermarking Matt Flynn (Sep 26)
- Re: Anti-Phishing with digital watermarking Razi Shaban (Sep 26)
- RE: Anti-Phishing with digital watermarking Matt Flynn (Sep 26)
- Re: Anti-Phishing with digital watermarking Razi Shaban (Sep 29)
- Re: Anti-Phishing with digital watermarking Ansgar Wiechers (Sep 29)
- Re: Anti-Phishing with digital watermarking Razi Shaban (Sep 30)
- Re: Anti-Phishing with digital watermarking Ansgar Wiechers (Sep 30)
- Re: Anti-Phishing with digital watermarking Ryan Greenier (Sep 30)
- Re: Anti-Phishing with digital watermarking Ansgar Wiechers (Sep 30)
- Re: Anti-Phishing with digital watermarking Razi Shaban (Sep 30)
- Re: Anti-Phishing with digital watermarking Razi Shaban (Sep 30)