Educause Security Discussion mailing list archives
Re: Phishing Links
From: Greg Vickers <g.vickers () QUT EDU AU>
Date: Thu, 8 Jul 2010 08:46:28 +1000
Hi James,

On 08/07/10 04:05, James Farr '05 wrote:
> It is hard to educate some users on the difference between legitimate and phony web links in email, and it is easy enough to fake a website. For that reason I would like to propose that no official college communication is sent with an active link in it.
> <snip>
> Would this solution cause more harm than good? What are your thoughts/rules?
> */IITS will never ask you for your password. Never email your password to anyone./*
I have been having some thoughts about this situation for some time now. Others have covered reasons why phishing and spam work (send lots of messages where lots >'000s or '000,000s but there is still a small percentage of replies) and there has been comment on educating the users.
I don't know how to stop the problem. I think that users can only be educated to a certain extent and that will not stop the very small percentage who reply. And the reason that this approach still works for the spammers and phishers is that the environment that everyone exists in allows these kinds of activities. It's the bad with the good and I think that the only way to stop phishing or spamming is to change the environment in which users exist. Then you get into whitelisting and other exciting things which are usually very different to the way higher educational institutions work. (AFAIK QUT hasn't ever tried whitelisting of applications.)
I really liked what Bill Cheswick said a few years ago, about how your 'password' only needed to be as much as two characters, say 'em', and that 'password' only had to be padded by as much or as few random characters in front or behind it! So your password for today would be 'fdskahteowyqutj_em_piuqpurehfkdl;sa' and for tomorrow it could be 'rerererereem' :p Heck of a system to implement, though...
Anyway, food for thought, I know what I don't know and I don't know what I don't know...
Cheers,
--
Greg Vickers
Phone: +61 7 3138 6902
Project Manager, IT Security Program
Queensland University of Technology, CRICOS No. 00213J
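The "legitimate vs phony web link" distinction James raises above can be checked mechanically at the mail gateway rather than left to each reader. The following is an added example, not code from the list or from either poster: it parses an HTML mail body and flags anchors whose visible text names one host while the href points somewhere else. The sample message, hostnames and the `.example` phishing domain are all constructed for illustration.

```python
"""Flag anchors in an HTML e-mail body whose visible text names a host
that differs from the host in the href (the classic disguised link)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# A bare or scheme-prefixed hostname appearing in the visible link text.
HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def norm(host):
    """Lower-case, drop trailing dot and a leading 'www.' for comparison."""
    h = host.lower().rstrip(".")
    return h[4:] if h.startswith("www.") else h


def hosts_agree(text_host, href_host):
    """True if the href host is the named host or a subdomain of it."""
    t, h = norm(text_host), norm(href_host)
    return h == t or h.endswith("." + t)


def suspicious_links(html):
    """Return [(visible text, href)] for links whose text and href disagree."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        href_host = urlparse(href).hostname or ""   # mailto:/relative -> ""
        match = HOST_RE.search(text)
        if match and href_host and not hosts_agree(match.group(1), href_host):
            findings.append((text, href))
    return findings


# Constructed sample: one disguised link, one honest link, one plain-text link.
SAMPLE = """<p>Dear student, please <a href="http://qut-edu-au.login-verify.example/login">
log in at www.qut.edu.au</a> to keep your account. Also see
<a href="https://www.qut.edu.au/its">www.qut.edu.au/its</a> and
<a href="https://portal.qut.edu.au/">Student portal</a>.</p>"""

if __name__ == "__main__":
    for text, href in suspicious_links(SAMPLE):
        print(f"MISMATCH: text says {text!r} but href is {href}")
```

Only the first anchor is reported; the second names the same host it links to, and the third has no hostname in its text to compare against.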