Re: Protecting from phishing

[Paul Kendall <PKendall () ACCUDATASYSTEMS COM>]

Tracking Devious Phishing Websites 
Technology Review (10/16/09) Naone, Erica 

Internet security experts have discovered that many phishers are using a trick called a flux, which allows a fake Web 
site to rapidly change its URL, making it difficult for defenders to block phishing sites or warn unsuspecting users. 
New research has found that about 10 percent of phishing sites are now using flux. Indiana University professor Minaxi 
Gupta says that because phishers often have access to thousands of hijacked machines they can quickly move a site 
around the Internet, protecting it from security professionals while keeping the fake site operational. To use a flux, 
phishers must control a domain name, giving them the right to control its name server. The phisher can then set the 
name server so it directs each new visitor to a different set of machines, rapidly cycling through the thousands of 
addresses available within its botnet. If the name server also is moved to different locations on the Internet, it is 
particularly difficult for defenders to pinpoint a central location where the fake site can be shut down. Gupta has 
identified several methods for detecting a flux and suggests that flux detection should be incorporated into the domain 
name system itself, because only a fraudulent site is likely to use a flux. There are some legitimate reasons for using 
a flux, but a legitimate flux looks different from a flux on a botnet. Shortening the detection time of phishing sites 
by even a few hours can make a major difference and make the scams less profitable for criminals, Gupta says.
View Full Article: http://www.technologyreview.com/web/23747/?a=f 


Paul
========================================
Paul L. Kendall, CGEIT, CHS-III, CISM, CISSP, CSSLP
Accudata Systems, Inc.


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Joel 
Rosenblatt
Sent: Monday, October 19, 2009 1:22 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Protecting from phishing

Interesting idea .. it's called 1 and 1/2 factor authentication .. something that you know (your ID and password) and 
someplace that you are (your IP address).

It works for banks because they basically have one point of contact - their banking web page. For this to be effective, 
you would have to implement it in every 
authenticated touch point that you have - not just email (that would only stop the bad guys from using your systems to 
send spam)

Not that this would be a bad thing, but I can see that unless you have a common access front end for all of your 
services, it would be a lot of work to build.

Keep us informed as to how it goes .. it would be an interesting talk at the SPC.

Thanks,
Joel Rosenblatt

Joel Rosenblatt, Manager Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel


--On Monday, October 19, 2009 2:12 PM -0400 John LaPrad <jrl () svsu edu> wrote:

> We have had multiple users, faculty and students fall for phishing exploits in the past few months. We have an 
> education program, we block spam (some still
> slips through), we wrote custom filters to make sure no one replies to phishing emails (they started embedding links 
> to websites instead) and these phishing
> attempts are still working occasionally.  I was wondering if it would be reasonable to front the email servers with a 
> system, like some banks do, where the
> system remembers your IP and whenever you connect from a new IP, you have to take some additional step before getting 
> in.  I think that this would stop the
> phishers.
> Is anyone doing something like this, or heard of it?
> Maybe I am missing something, and this simply would not work ?
> I appreciate any feedback.
>
>
> John LaPrad
> CISSP, CNE, CCNA, CCDA
> Manager of Network Services
> Saginaw Valley State University
> Phone: 989-964-7134
> Fax: 989-964-7446



Joel Rosenblatt, Manager Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel