Re: Article - A solution to phishing

[Robert Hajime Lanning <robert.lanning () gmail com>]

Well, SSL/TLS does not stop MITM.  It will stop session snooping and hijacking,
when the session is legit.

What happens if I am tricked into going to the phishing site, then the
phishing site
(on my behalf)  makes the SSL/TLS connection to the real site.  They
will now have
all the information/connectivity they need to pull off the fake login.
 (by actually
doing a real login in the background.)

Without enduser education on checking valid site identifiers (SSL/TLS Cert and
actual URL usage.)

On Tue, 30 Nov 2004 07:43:57 -0800, Jeremiah Grossman
<jeremiah () whitehatsec com> wrote:
> I have spent a good amount time investigating the technical merits of
> the Passmark solution. While the system does have a few design /
> implementation problems, we shouldn't count man-in-the-middle attacks
> among them.  As I understand the system Passmark thwarts MITM in two
> ways, SSL/TLS and Session Cookies.
>
> SSL/TLS
> Its recommended that this system is used over a secure encrypted
> connection. Hence no connection style MITM attacks.
>
> Session Cookies
> An attacker cannot directly access the image themselves because a valid
> Session Cookie is required. This cookie is acquired by the user early
> in the process by password verification. Second, the URL of the image
> is unguessable.
>
> Regards,
>
> Jeremiah-
>
> PS. Michael, kudos on your attempt to put forth a solution concept.
> Creative thought among the many minds here will find something workable.
>
>
>
>
> On Monday, November 29, 2004, at 07:20  PM, Michael Silk wrote:
>
> > Hi Dave,
> >
> >       Re "PassMark" ... This implementation is still easily susceptible to
> > MITM attack ... The phishing site could simply take the Image from the
> > real site.
> >
> >       Not to mention the education issue ... Users could easily be fooled
> > to completely forget about the image anyway:
> >
> > Example:
> > ------------------------------------------------
> > Welcome User,
> >
> > IMPORTANT NOTICE: We have removed our image-authentication service due
> > to security concerns. We have improved our login system to use "best
> > practice ..." ...
> >
> > Username: [               ]
> > Password: [               ]
> >        [ Login ]
> > ------------------------------------------------
> >
> > -- Michael
> > -----Original Message-----
> > From: Dave Jevans [mailto:djevans () teros com]
> > Sent: Tuesday, 30 November 2004 6:35 AM
> > To: Mark Burnett; webappsec () securityfocus com
> > Subject: RE: Article - A solution to phishing
> >
> >
> > Email authentication to prevent spoofing of email addresses will solve
> > 85% of phishing attacks in their current form.  At the Anti-Phishing
> > Working Group we recommend a two-step adoption of SenderID/SPF and
> > then email signing (most likely with Yahoo's Domain Keys or an IIM
> > derivative).  See more about this at
> > http://truste.org/about/authentication.php
> >
> > Mark, you point out that authenticating a website to a consumer is
> > necessary.  www.passmarksecurity.com has an interesting image-based
> > approach that requires no software or hardware on the end user
> > machine.
> >
> > There are also a lot of things that can be done on the application
> > security side to detect and reduce phishing.  These include:
> >  - preventing cross-site scripting
> >  - detecting load spikes
> >  - preventing image referrals
> >  - detecting NDN bounce floods
> >  - detecting account takeovers
> >  - detecting phishing site testing prior to attack launch
> >  - application forensics
> >
> > Dave
> >
> > Night job: Chairman, Anti-Phishing Working Group.  www.antiphishing.org
> > Day job:   Sr. VP, Teros.  www.teros.com
> >
> >
> >
> > -----Original Message-----
> > From: Mark Burnett [mailto:mb () xato net]
> > Sent: Monday, November 29, 2004 8:15 AM
> > To: webappsec () securityfocus com
> > Subject: Re: Article - A solution to phishing
> >
> > I have been watching this thread with great interest and although the
> > basic concept that Michael describes is interesting and might help
> > reduce phishing, as others have pointed out it is still vulnerable to
> > a number of other threats and heavily depends on a number of
> > assumptions that might not be realistic.
> >
> > Nevertheless, the fundamental issue with phishing is not that an
> > attacker can obtain your credentials, but that an attacker can trick a
> > user into entering credentials in a fake web form. This is because it
> > is easy to create a fake web site that looks exactly like the original
> > and it is easy to direct the user to that site using deceptive links
> > in e-mails, browser vulnerabilities, DNS spoofing or poisoning, ARP
> > spoofing, stealth proxies, cross-site scripting, HOSTS file
> > modification, bookmark modification, trojans, social engineering, etc.
> >
> > Protecting authentication credentials is also a problem, but the
> > solution to phishing is more one of authenticating the site rather
> > than authenticating the user. First solving the issue of
> > authenticating the site makes it easier to solve the problem of
> > authenticating the user.
> >
> >
> > Mark Burnett
> >
> >
> > ------------------------------------------------------------------
> > Hacking the Code: ASP.NET Web Application Security
> > http://www.hackingthecode.com


-- 
END OF LINE
       -MCP