Full Disclosure mailing list archives
Fwd: [HV-PAPER] Anti-Phishing Tips You Should NotFollow
From: "Anonymous Squirrel" <anonymous.squirrel () gmail com>
Date: Fri, 31 Mar 2006 18:30:46 -0500
On 3/31/06, Mike Nice <niceman () att net> wrote:
> http://www.hexview.com/sdp/node/24 (Show this article to your computer-illiterate spouse to confuse him/her even more :)
>
> Better yet, do the right thing and implement Tip #4: Go to the secure SSL login page of your bank. Verify the URL. Verify that the SSL certificate was issued to your bank by examining its properties. Now bookmark the SSL page. Tell your computer-illiterate spouse to *always* go to the bank login via favorites with the page you just bookmarked. If there are any popup warnings from the browser [such as from certificate name mismatch], do not log in.
>
> This catches all variations of Pharming, man-in-the-middle, and type-alike sites. It offers no protection from local trojans/keyloggers.
I'll agree that Step #4 protects against one variant of the phish attack. But there are so many others:

1) Any different social engineering besides "login to your bank account". For example, "Chase will pay you $20 to fill out a short survey!" (of course, after filling out the survey you must provide your debit card number or account login information to get the $20). Another example is spoofing a retailer's site to get debit and credit card information, or spoofing the IRS.

2) Any attack against the user's computer. Keyloggers, software that listens for an authenticated connection then inserts transactions, hosts file alterations.

3) Any attack that spoofs the SSL cert box (The Codefish web site had a good example... whatever happened to Codefish, anyway?... pharming, MITM, and type-alike can fit in here, too)

Honestly, the only way to defeat phishing is to improve computer configurations and management, to educate users, and to allow only smart users near the Internet. None of those is likely to happen, so we'll have to deal with phish forever. That's just like in the physical world. After thousands of years, we still have people performing con jobs.

--
Although I've found many nuts, I'm back to being anonymous,

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
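The certificate check in Tip #4, as an added Python example that is not from the thread: the host name, certificate contents and the `check_bookmarked_login` helper are constructed placeholders. It shows why a type-alike site holding a perfectly valid certificate for its own name still fails the check against the bookmarked host, which is the mismatch warning the tip says to never click through.

```python
import ssl
import socket

# Constructed fixtures in the shape ssl.getpeercert() returns for a verified peer.
# "bank.example" stands in for whatever host was bookmarked in Tip #4.
BOOKMARKED_HOST = "bank.example"

GENUINE_CERT = {
    "subject": ((("organizationName", "Example Bank N.A."),),
                (("commonName", "bank.example"),)),
    "subjectAltName": (("DNS", "bank.example"), ("DNS", "www.bank.example")),
}

# A type-alike site can hold a valid certificate for *its own* name; the chain
# checks out, so only the name comparison against the bookmark catches it.
LOOKALIKE_CERT = {
    "subject": ((("commonName", "bank-example.com"),),),
    "subjectAltName": (("DNS", "bank-example.com"), ("DNS", "*.bank-example.com")),
}


def _dns_name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style match: a wildcard may only replace the leftmost label."""
    pattern, host = pattern.lower(), host.lower()
    if not pattern.startswith("*."):
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_names(cert: dict) -> list:
    """DNS names the certificate was issued for; CN is a fallback only when no SAN exists."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return names


def cert_issued_to(cert: dict, host: str) -> bool:
    """The manual check from Tip #4: was this certificate issued for the bookmarked host?"""
    return any(_dns_name_matches(n, host) for n in cert_names(cert))


def check_bookmarked_login(host: str = BOOKMARKED_HOST, port: int = 443, timeout: float = 5.0) -> bool:
    """Live variant (hypothetical helper): chain + hostname verification before any login."""
    ctx = ssl.create_default_context()  # CA chain validation and hostname check enabled
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return cert_issued_to(tls.getpeercert(), host)
    except (ssl.SSLError, OSError):
        return False  # any TLS warning means: do not log in
```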