Penetration Testing mailing list archives
Re: RE: Online Fraud Protection
From: josh.perrymon () packetfocus com
Date: 26 Jun 2006 02:44:56 -0000
I believe that Anti-Fraud measures *SHOULD* begin with information security. As a pentester working globally for very LARGE organizations I often used social engineering and directed phishing attacks to gain remote access when infrastructure and app attacks fail. Especially when the scope is VERY limited and we may only find an OWA server and a couple of open ports. We have bypassed two-factor authentication and all of the current IDS/IPS/HIPS/Content Security/BLAH goes here. Remember it's hard to detect an attacker that uses normal comm channels.

The problem with an approach you may be taking using IE7<whatever> here is that whitelisting WILL NOT WORK for protection against directed phishing attacks. I have been using IE7 Beta for a while now and have performed over 40-50+ global phishing attacks and IE7 has not picked up our phishing site ONCE. This is because it uses M$ whitelist of KNOWN phishing sites. Same issue with Websense and other vendors that use the same approach. The only way that IE7 phishing filter may be useful is if it interfaces with a widget that can detect these directed attacks (small volume and very dynamic), then automatically update the phishing filter and deter the attack. (NDA here... but we are working on something :) What about trending and controlling the attack if 2-3 users have already fallen for it???

So the core of this is USER EDUCATION. Your user base has to be aware of these types of attacks and company policy must be VERY CLEAR on what type of information support may ask for. If EVERY user knows not to submit this type of information the attack may fail. We work globally developing LMS and training content based on internal policies. Simply because the technology isn't available to stop current directed, small volume phishing attacks.
Josh Perrymon
CEO PacketFocus
www.packetfocus.com
josh.perrymon () packetfocus com