Educause Security Discussion mailing list archives

Re: Phishing Links


From: Ben Woelk <fbwis () RIT EDU>
Date: Wed, 7 Jul 2010 16:34:41 -0400

We handled the authenticity of messages a little differently. We have a signature standard with required elements. In 
addition, any message that arrives with the term "password" gets a warning prepended to it.

Our signature standard is at http://security.rit.edu/signaturestd.html

BTW--There was a discussion about phishing about a month ago on this list that provides examples of what member 
institutions are doing.

Ben Woelk '07
Policy and Awareness Analyst
Information Security Office
Rochester Institute of Technology
Ross 10-A204
151 Lomb Memorial Drive
Rochester, New York 14623
585.475.4122
585.475.7920 fax
ben.woelk () rit edu<mailto:ben.woelk () rit edu>
http://security.rit.edu/dsd.html

Become a fan of RIT Information Security at http://rit.facebook.com/profile.php?id=6017464645

Follow us on Twitter: http://twitter.com/RIT_InfoSec
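One way to implement the rule Ben describes (a warning prepended to any arriving message that mentions "password"), given here as an added example rather than RIT's own filter or anything posted to the list. The banner wording, the X-Password-Warning header, and the decision to scan the Subject plus every non-attachment text part are assumptions made for this example; the sample messages are constructed, not real mail.

```python
"""Added example (not RIT's code, nor from the list) of the rule described above:
any inbound message that mentions "password" gets a warning prepended. The banner
wording, the X-Password-Warning header and the choice to scan the Subject plus
every non-attachment text part are assumptions made here."""
import email
import html as htmllib
import re
from email import policy
from email.message import EmailMessage

# Short ASCII lines so an edited text/plain part can stay 7bit.
WARNING = ("*** CAUTION: this message mentions your password. ***\n"
           "*** The Information Security Office will never ask for it. ***\n"
           "*** Do not reply with it or enter it on a site this email links to. ***\n\n")

# Matches password / passwords / pass word, but not "passed" or "wordpress".
PASSWORD_RE = re.compile(r"\bpass\s?words?\b", re.IGNORECASE)


def _scannable_text_parts(msg: EmailMessage):
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html") and not part.is_attachment():
            yield part


def mentions_password(msg: EmailMessage) -> bool:
    if PASSWORD_RE.search(msg.get("Subject", "")):
        return True
    return any(PASSWORD_RE.search(p.get_content()) for p in _scannable_text_parts(msg))


def _with_html_banner(body_html: str) -> str:
    banner = ('<p style="border:2px solid red;padding:6px"><b>'
              + htmllib.escape(WARNING.strip()) + "</b></p>")
    # Just inside <body> when there is one, otherwise at the very top.
    new, n = re.subn(r"(<body[^>]*>)", lambda m: m.group(1) + banner, body_html,
                     count=1, flags=re.IGNORECASE)
    return new if n else banner + body_html


def add_warning(raw: bytes) -> bytes:
    """Return the message unchanged if it does not mention a password; otherwise
    prepend the banner to each text part and set a header that downstream
    filters and mail clients can key on."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if not mentions_password(msg):
        return raw                      # clean mail is not rewritten at all
    for part in list(_scannable_text_parts(msg)):
        ctype = part.get_content_type()
        text = part.get_content()
        part.clear_content()            # drop old Content-* headers before re-encoding
        if ctype == "text/plain":
            part.set_content(WARNING + text)
        else:
            part.set_content(_with_html_banner(text), subtype="html")
    msg["X-Password-Warning"] = "yes"
    return msg.as_bytes()


def warning_applied(raw: bytes) -> bool:
    """True when the header is present and the first text/plain part opens with the banner."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if msg.get("X-Password-Warning") != "yes":
        return False
    for part in _scannable_text_parts(msg):
        if part.get_content_type() == "text/plain":
            return part.get_content().startswith(WARNING.splitlines()[0])
    return False


# Constructed sample messages for the demo (not real mail).
SAMPLE_PHISH = b"""\
From: "IT Help Desk" <helpdesk@example.edu>
To: student@example.edu
Subject: Urgent: mailbox over quota
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

Your mailbox is over quota. Reply with your username and password
within 24 hours to avoid suspension.
"""

SAMPLE_CLEAN = b"""\
From: registrar@example.edu
To: student@example.edu
Subject: Fall course registration opens Monday
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

Registration opens Monday at 8am through the student portal.
"""

SAMPLE_MULTIPART = b"""\
From: "IT Help Desk" <helpdesk@example.edu>
To: student@example.edu
Subject: Account notice
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Confirm your account here.
--b1
Content-Type: text/html; charset="us-ascii"

<html><body><p>Confirm your <b>pass word</b> here.</p></body></html>
--b1--
"""

if __name__ == "__main__":
    print(add_warning(SAMPLE_PHISH).decode())
    print(warning_applied(add_warning(SAMPLE_MULTIPART)))   # True: only the HTML part mentions it
```

The multipart sample is there to show the part a naive body-string check misses: the text/plain alternative is clean and the trigger word sits only in the HTML part, split as "pass word". Whatever the match rule, the banner should go into every text part the recipient's client might render, not just the first one.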


From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Flynn, 
Gary - flynngn
Sent: Wednesday, July 07, 2010 4:30 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Phishing Links

One of the things I've been mulling about is to post the email to a web site, accessible to the recipients, for large 
scale communications or anything associated with:
1. passwords
2. client configuration changes
3. finance
4. other sensitive transactions

Then it would be a matter of training people to manually browse to the soon-to-be well-known web site to verify any 
messages associated with those topics. Of course, there would be the overhead of managing the web site, but I would 
think that for bulk-mail-type scenarios a bulk mailer program could be programmed to:
1. Get a list of recipients (since it has to do that anyway)
2. Get the message contents (since it has to do that anyway)
3. Assign a unique identifier to the message (probably made up of date/time/sender information to make it easy to 
create and easy for a recipient to look up)
4. Post the message contents to a web page using a path making the unique identifier a usable URL
5. Alter the access controls to the web page to be accessible only by the recipients (assuming access control is 
necessary)

The recipient who wanted to verify the message would go to the well known web site, perhaps prominently displayed on a 
portal, look for the unique identifier in the list of messages, and be able to verify its legitimacy.

The key would be training people NOT to click a link in the message to get to the verification web site and getting 
people who send messages with sensitive subjects to use the system.
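The five-step bulk-mailer flow and the recipient's lookup, sketched as an added Python example (not code from the list or from any institution). The identifier format (date, time, sender local part), the in-memory registry standing in for the web site, the SHA-256 comparison of a normalised body, and the footer text are all assumptions made here; the message and addresses are constructed.

```python
"""Added example of the 'post it to a well-known site' scheme described above.
Not code from the list or any institution: the identifier format, the registry
standing in for the web site, the hashing and the footer text are assumptions."""
import hashlib
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, FrozenSet, Optional


@dataclass(frozen=True)
class Posting:
    message_id: str
    sender: str
    subject: str
    body: str
    body_sha256: str
    recipients: FrozenSet[str]   # empty means anyone may view it


def make_message_id(sent_at: str, sender: str) -> str:
    """Step 3: a date/time/sender identifier that is easy to create and easy to type.
    sent_at is an ISO 8601 timestamp such as 2010-07-07T16:30:00."""
    when = datetime.fromisoformat(sent_at).strftime("%Y%m%d-%H%M")
    local = re.sub(r"[^a-z0-9]", "", sender.split("@")[0].lower())
    return f"{when}-{local}"


def body_digest(body: str) -> str:
    """Hash a canonical form of the body so a client that rewrites line endings
    or strips trailing spaces does not make a genuine message fail the check."""
    lines = [ln.rstrip() for ln in body.replace("\r\n", "\n").split("\n")]
    return hashlib.sha256("\n".join(lines).strip().encode("utf-8")).hexdigest()


class VerificationSite:
    """Stand-in for the well-known web site: steps 4 and 5 of the proposed mailer."""

    def __init__(self) -> None:
        self._postings: Dict[str, Posting] = {}

    def post(self, sent_at: str, sender: str, subject: str, body: str, recipients=()) -> str:
        mid = make_message_id(sent_at, sender)
        if mid in self._postings:
            # Two bulk sends by one sender in the same minute would collide;
            # refuse rather than silently overwrite a published message.
            raise ValueError(f"identifier already used: {mid}")
        self._postings[mid] = Posting(mid, sender, subject, body, body_digest(body),
                                      frozenset(r.lower() for r in recipients))
        return mid

    def lookup(self, message_id: str, viewer: str) -> Optional[Posting]:
        p = self._postings.get(message_id)
        if p is None:
            return None              # unknown identifier: treat the email as unverified
        if p.recipients and viewer.lower() not in p.recipients:
            return None              # access control: only recipients can see the posting
        return p

    def verify(self, message_id: str, viewer: str, received_body: str) -> bool:
        """What the recipient does after typing the site's address by hand:
        find the identifier, then compare what arrived with what was published."""
        p = self.lookup(message_id, viewer)
        return p is not None and p.body_sha256 == body_digest(received_body)


def footer(message_id: str, site_name: str) -> str:
    """Appended to the outgoing mail. Deliberately no hyperlink: the reader is
    told to type the address, which is the whole point of the scheme."""
    return (f"\n--\nMessage ID: {message_id}\n"
            f"To confirm this message is genuine, type {site_name} into your browser "
            f"(do not click any link in this email) and look up the ID above.\n")


if __name__ == "__main__":
    site = VerificationSite()
    body = "Your password expires Friday. Change it through the usual portal.\n"
    mid = site.post("2010-07-07T16:30:00", "helpdesk@example.edu", "Password expiry notice",
                    body, recipients=["alice@example.edu", "bob@example.edu"])
    print(body + footer(mid, "verify.example.edu"))
    # Genuine copy, even after a mail client has changed the line endings:
    print(site.verify(mid, "alice@example.edu", body.replace("\n", "\r\n")))                  # True
    # A phish that reuses the real identifier but alters the body:
    print(site.verify(mid, "alice@example.edu", body + "Reset here: http://attacker.example/\n"))  # False
```

Two things the sketch makes concrete that the list of steps leaves implicit: the site has to publish something the recipient can compare against (here a hash of the normalised body, so a forwarded or re-wrapped genuine message still verifies while an altered one does not), and the identifier needs a collision rule, since "date/time/sender" alone is not unique if one sender issues two bulk mails in the same minute.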



On 7/7/10 2:05 PM, "James Farr '05" <jfarr () UTICA EDU> wrote:
It is hard to educate some users on the difference between legitimate and phony web links in email, and it is easy 
enough to fake a website. For that reason I would like to propose that no official college communication be sent with 
an active link in it.
Problems:
Some clients, while trying to be helpful, make links clickable that I do not want clickable.
Links can be inserted as a picture, but not all clients show pictures by default.
We can give directions to a website ("in order to check your mail, go to our homepage, click on login and select 
webmail"), but some users cannot/will not follow those instructions.

Would this solution cause more harm than good?

What are your thoughts/rules?

IITS will never ask you for your password.  Never email your password to anyone.

James Farr
Information Security Officer
Instructional Technologist
Utica College
jfarr () utica edu <mailto:jfarr () utica edu>
315-223-2386


