Educause Security Discussion mailing list archives
Re: Phishing Links
From: Ben Woelk <fbwis () RIT EDU>
Date: Wed, 7 Jul 2010 16:34:41 -0400
We handled the authenticity of messages a little differently. We have a signature standard with required elements. In addition, any message that arrives with the term "password" gets a warning prepended to it. Our signature standard is at http://security.rit.edu/signaturestd.html

BTW--There was a discussion about phishing about a month ago on this list that provides examples of what member institutions are doing.

Ben Woelk '07
Policy and Awareness Analyst
Information Security Office
Rochester Institute of Technology
Ross 10-A204
151 Lomb Memorial Drive
Rochester, New York 14623
585.475.4122
585.475.7920 fax
ben.woelk () rit edu
http://security.rit.edu/dsd.html
Become a fan of RIT Information Security at http://rit.facebook.com/profile.php?id=6017464645
Follow us on Twitter: http://twitter.com/RIT_InfoSec

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Flynn, Gary - flynngn
Sent: Wednesday, July 07, 2010 4:30 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Phishing Links

One of the things I've been mulling about is to post the email to a web site, accessible to the recipients, for large scale communications or anything associated with:

1. passwords
2. client configuration changes
3. finance
4. other sensitive transactions

Then it would be a matter of training people to manually browse to the soon-to-be well known web site to verify any messages associated with those topics.

Of course, there would be the overhead of managing the web site, but I would think for bulk mail type scenarios, a bulk mailer program could be programmed to:

1. Get a list of recipients (since it has to do that anyway)
2. Get the message contents (since it has to do that anyway)
3. Assign a unique identifier to the message (probably made up of date/time/sender information to make it easy to create and easy for a recipient to look up)
4. Post the message contents to a web page using a path making the unique identifier a usable URL
5. Alter the access controls to the web page to be accessible only by the recipients (assuming access control is necessary)

The recipient who wanted to verify the message would go to the well known web site, perhaps prominently displayed on a portal, look for the unique identifier in the list of messages, and be able to verify its legitimacy.

The key would be training people NOT to click a link in the message to get to the verification web site, and getting people who send messages with sensitive subjects to use the system.

On 7/7/10 2:05 PM, "James Farr '05" <jfarr () UTICA EDU> wrote:

It is hard to educate some users on the difference between legitimate and phony web links in email, and it is easy enough to fake a website. For that reason I would like to propose that no official college communication is sent with an active link in it.

Problems: Some clients, while trying to be helpful, make links clickable that I do not want clickable. Links can be inserted as a picture, but not all clients show pictures by default. We can give directions to a website (in order to check your mail, go to our homepage, click on login and select webmail), but some users cannot/will not follow those instructions.

Would this solution cause more harm than good? What are your thoughts/rules?

IITS will never ask you for your password. Never email your password to anyone.

James Farr
Information Security Officer
Instructional Technologist
Utica College
jfarr () utica edu
315-223-2386
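The two practices discussed in this thread, worked through as an added example that is not part of the thread and is not code from RIT, JMU, Utica College or any bulk mailer product: Gary Flynn's bulk-mailer procedure (assign an identifier from date/time/sender, post the message contents, restrict access to the recipients, let recipients look the identifier up on a well-known site instead of clicking a link) is modelled by `VerificationSite`, and Ben Woelk's rule of prepending a warning to any message containing the term "password" is modelled by `prepend_password_warning`. The in-memory dictionary standing in for the web site, the identifier layout `YYYYMMDD-HHMM-sender`, the banner wording and the sample addresses are all assumptions made for the example.

```python
# Added example, not code from the thread or any institution named in it.
# Assumptions: the dict stands in for the verification web site, the
# identifier layout and banner wording are invented.
import re
from dataclasses import dataclass, field
from datetime import datetime

WARNING_BANNER = (
    "*** WARNING: this message mentions a password. The IT department will "
    "never ask for your password by email. Do not reply with it. ***\n\n"
)


def prepend_password_warning(body: str) -> str:
    """Prepend the banner when the term 'password' appears (any case).

    Idempotent: a message already carrying the banner is returned unchanged,
    so mail that passes through the filter twice is not double-tagged.
    """
    if body.startswith(WARNING_BANNER):
        return body
    if re.search(r"\bpassword", body, re.IGNORECASE):
        return WARNING_BANNER + body
    return body


def make_message_id(sender: str, when: datetime) -> str:
    """Identifier from date/time/sender, e.g. '20100707-1630-flynngn'.

    Only the local part of the address is used, reduced to [a-z0-9] so the
    identifier is safe to use as a URL path segment.
    """
    local = re.sub(r"[^a-z0-9]", "", sender.split("@", 1)[0].lower())
    return f"{when:%Y%m%d-%H%M}-{local}"


def _normalise(text: str) -> str:
    """Collapse whitespace so mail-client rewrapping does not break comparison."""
    return " ".join(text.split())


@dataclass
class VerificationSite:
    """In-memory stand-in for the well-known verification web site."""
    messages: dict = field(default_factory=dict)  # id -> (body, allowed recipients)

    def publish(self, sender: str, when: datetime, recipients, body: str) -> str:
        """Steps 3-5 of the bulk-mailer procedure: assign id, post, restrict."""
        msg_id = make_message_id(sender, when)
        if msg_id in self.messages:
            # Same sender, same minute: refuse rather than silently overwrite.
            raise ValueError(f"identifier {msg_id} already published")
        self.messages[msg_id] = (body, frozenset(r.lower() for r in recipients))
        return msg_id

    def lookup(self, msg_id: str, recipient: str):
        """Return the posted body, or None if unknown or not addressed to recipient.

        One answer for both cases so a non-recipient cannot probe which ids exist.
        """
        entry = self.messages.get(msg_id)
        if entry is None:
            return None
        body, allowed = entry
        return body if recipient.lower() in allowed else None

    def listing(self, recipient: str):
        """Ids visible to this recipient, for the 'list of messages' on the portal."""
        return sorted(i for i, (_, allowed) in self.messages.items()
                      if recipient.lower() in allowed)

    def matches(self, msg_id: str, recipient: str, received_body: str) -> bool:
        """True when what the recipient received equals what was posted."""
        posted = self.lookup(msg_id, recipient)
        return posted is not None and _normalise(posted) == _normalise(received_body)


def email_footer(msg_id: str) -> str:
    """Footer for the outgoing mail: the identifier only, deliberately no link."""
    return (f"\n\n-- Verification ID: {msg_id}\n"
            "To confirm this message is genuine, type the address of the IT "
            "message-verification page into your browser yourself and look up this ID.")
```

Two design choices follow the thread's own reasoning. `email_footer` carries only the identifier, never a URL, because the point of the scheme is that recipients browse to the verification site themselves; and `lookup` returns the same `None` for "no such id" and "not addressed to you", so that someone who is not a recipient cannot enumerate which identifiers exist.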