funsec mailing list archives
RE: The end of Phishing in sight?
From: Blanchard_Michael () emc com
Date: Tue, 18 Oct 2005 10:09:29 -0400
I like the idea of the USB fob, with the button on the fob that the user has to press, or even better a fingerprint reader on the fob. The fingerprint reader would be a cool thing for marketing too. They should hand out USB extension cables with the fobs too, as not everyone has a USB port in the front of their computer... Make it as easy as possible for the user to use, and he'll be more likely to use it.

Michael P. Blanchard
Antivirus / Security Engineer, CISSP, GCIH, MCSE, MCP+I
Office of Information Security & Risk Management
EMC² Corporation
4400 Computer Dr.
Westboro, MA 01580
email: Blanchard_Michael () EMC COM

-----Original Message-----
From: Blue Boar [mailto:BlueBoar () thievco com]
Sent: Monday, October 17, 2005 5:39 PM
To: Blanchard, Michael (InfoSec)
Cc: funsec () linuxbox org
Subject: Re: [funsec] The end of Phishing in sight?

Blanchard_Michael () emc com wrote:
If we, the security community, could design and build the securest online bank, what would we use?
If I have to work within the limitation that end-users are pretty gullible, and will fall for things like phishing emails and bad or missing SSL, then I'm pretty screwed. However, even with that, here's my best attempt given 60 seconds, off the top of my head:

Give the user a USB device that can do challenge-response, has the bank's cert built into it, and checks the signed challenge from the bank. User has to hit a button or maybe provide a fingerprint to activate it. Token has its own private key. Maybe give it some extra brains, and have it be able to keep a counter as well, to preclude rollback attacks. Maybe give it lots of brains, and have it do the processing in the token. In other words, a cut-down in-token version of Palladium.

The key points are:
- Challenge-response (helps with some limited flavors of MITM)
- Checks SSL cert on its own (can't skip, or fake a different cert)
- Doesn't give the user a chance to click "yes, ignore the warning, let me see the dancing pigs"
- Requires physical user presence to activate (to guard against remote attacker-driven activation)
- Important calculations are done in a (hopefully) secure piece of hardware.

At this point, I *think* you have to compromise the user's box for a technical attack. Of course, a good local rootkit, and the user is still vulnerable to attack.

Ryan

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
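The token design Ryan sketches above, worked through as an added example that is not code from the thread: a bank and a fob exchange one challenge and one response, and the fob refuses a challenge it cannot authenticate as the bank's, a replayed or rolled-back counter, and any request made without a button press. So that it runs on the Python standard library alone, the bank-certificate signature and the token's private-key signature are both stood in for by HMAC tags over keys the two sides share; the keys, the `resp|` label and the scenario names are constructed for this example.

```python
import hashlib, hmac, os, struct

def mac(key, data):  # stand-in for a signature; the sketch uses asymmetric keys
    return hmac.new(key, data, hashlib.sha256).digest()

class TokenRejected(Exception):
    pass

class Bank:  # server side: issues counter-stamped challenges, checks answers
    def __init__(self, bank_key, token_key):
        self.bank_key, self.token_key, self.counter = bank_key, token_key, 0
    def new_challenge(self):
        self.counter += 1  # monotonic: an old challenge can never be valid again
        challenge = struct.pack(">Q", self.counter) + os.urandom(16)
        return challenge, mac(self.bank_key, challenge)
    def verify_response(self, challenge, response):
        return hmac.compare_digest(mac(self.token_key, b"resp|" + challenge), response)

class Token:  # the fob: bank key baked in, its own key, one button press per answer
    def __init__(self, bank_key, token_key):
        self.bank_key, self.token_key, self.last_counter, self.button_pressed = bank_key, token_key, 0, False
    def press_button(self):
        self.button_pressed = True
    def respond(self, challenge, tag):
        if not self.button_pressed:
            raise TokenRejected("no physical presence")
        self.button_pressed = False  # one press authorises exactly one answer
        if not hmac.compare_digest(mac(self.bank_key, challenge), tag):
            raise TokenRejected("challenge not from the bank")  # no click-through
        counter = struct.unpack(">Q", challenge[:8])[0]
        if counter <= self.last_counter:
            raise TokenRejected("rollback or replay")
        self.last_counter = counter
        return mac(self.token_key, b"resp|" + challenge)

def run_scenarios():
    bank_key, token_key = os.urandom(32), os.urandom(32)  # constructed keys
    bank, token, out = Bank(bank_key, token_key), Token(bank_key, token_key), {}
    def attempt(name, challenge, tag, press=True):
        if press:
            token.press_button()
        try:
            resp = token.respond(challenge, tag)
            out[name] = "ok" if bank.verify_response(challenge, resp) else "bad response"
        except TokenRejected as e:
            out[name] = "rejected: " + str(e)
    chal, tag = bank.new_challenge()
    attempt("genuine login", chal, tag)
    attempt("replayed challenge", chal, tag)  # same challenge presented a second time
    fake = struct.pack(">Q", 99) + os.urandom(16)  # phishing site lacks the bank key
    attempt("forged challenge", fake, mac(b"not the bank", fake))
    attempt("no button press", *bank.new_challenge(), press=False)
    return out
```

Calling `run_scenarios()` returns one outcome per scenario; only the genuine login yields "ok", and each of the other three is refused by the token before the bank ever sees a response.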