WebApp Sec mailing list archives

Previous By Date Next
Previous By Thread Next

RE: (secure email) Proposal to anti-phishing

From: "Eric McCarty" <eric () piteduncan com>
Date: Mon, 24 Jan 2005 09:25:46 -0800
One example would be using PGP encrypted e-mail. If the mail is not
encrypted with a trusted key, instant drop/deny. 

Your right, managing this would be tough but there are dedicated staffs
which maintain Keys, Address Lists and oversee the approval/denial of
potential senders based off their need to communicate with the
organization. If you think about it, you usually have the people you
need to communicate with in your address lists, so denying messages from
senders not in your Address list would not result in losing any e-mail.

The problem with phishing is not (imnsho) corporate users, its home
users who don't know any better. The only solution to phishing is
education, simple as that.

Or we could unplug the internet?. =P


 

-----Original Message-----
From: Michael Silk [mailto:michaelsilk () gmail com] 
Sent: Monday, January 24, 2005 1:56 AM
To: Lyal Collins
Cc: webappsec () securityfocus com
Subject: Re: (secure email) Proposal to anti-phishing

You are talking about a secure email _network_, where only "trusted"
people can send emails to members. (i.e: a private mailing list).

You are suggesting a trusted system like this, right? And your argument
is that non-trusteds (phishers) can't get in and send emails
- fine, it may be true (depending on membership verification process).

How does this list communicate with the outside world? Customers?
Banks? ...? Do they have to become "trusted" too ? On what basis ?
Email address? Certificate? Who manages all this trust? Whats the
change-over timeframe to get the world onto this system as opposed to
the current one ?

I'm still a little confused as to what you are suggesting the solution
(the pratical solution) is here... because setting up such a trusted
network just isn't possible (and has been tried before, hasn't it ?)

If your idea is just about having a way to trust specific peoples'
messages (certificates) then fine, it's a system that would work on a
positive basis (customer: "Yes, this is from my bank, because the little
padlock is there..!") but not on a negative basis (customer:
"Hmm, it says its from my bank, but there is no pad lock... I will click
it anyway ... those banks, always stuffing things up.").

Implemented with my idea[1] from a long time ago, however, it could be
neat :)

But I still don't see your problem with Client-side certificates.

-- Michael
[1]
http://michaelsilk.blogspot.com/2004/11/article-solution-to-phishing.htm
l


On Mon, 24 Jan 2005 18:54:46 +1100, Lyal Collins
<lyal.collins () key2it com au> wrote:

The attraction of secure emails are that 'phishers' have to compromise



every recipient's mailbox/secure email solution in the world, THEN 
launch a phishing attack against customers of select bank in order to 
get the rate of return they do today.
This seems a much harder, and less profitable sequence a phisher must 
go through, which has a higher probability of detection and 
convictability, increasing deterrence and decreasing the phishers

payback.


Lyal



-----Original Message-----
From: Michael Silk [mailto:michaelsilk () gmail com]
Sent: Monday, 24 January 2005 6:42 PM
To: Lyal Collins
Cc: webappsec () securityfocus com
Subject: Re: (secure email) Proposal to anti-phishing


Thats not really "Phishing" though, is it?
(http://en.wikipedia.org/wiki/Phishing) It is on one hand in that 
they are lured to the site, but they don't provide any information, 
it is stolen from them by the malware.

Sure, it's a problem that must be dealt with but to say that client 
side certificates are useless due to that is silly because that 
(compromised system) is a problem _no matter what_ solution is 
implemented ("secure" emails).

-- Michael


Lyal said:

-----Original Message-----
From: Michael Silk [mailto:michaelsilk () gmail com]
Sent: Monday, 24 January 2005 3:24 PM
To: lyal.collins () key2it com au; webappsec () securityfocus com
Subject: RE: (secure email) Proposal to anti-phishing


Lyal said:

The difference is that client-side SSL exists today in an

industry

standard platform independent manner that could be 
effectively deployed. (management is a different issue that 
I will be a

coward and

ignore for now.)


It's hard to see how changing the locaiton of a password 
verification actually makes any difference to accountholder 
security or phishing.


Is it? Surely it's easy to see. Phishing requries the

user to enter

the password in a website. If they don't need to do this (or 
only enter partial password) because of certificate, then I 
think it's pretty easy to see how that is an advantage.


Seen the newer generaitons of phishing, where going to the

faked bank site

loads up the user's PC with spyware, keyloggers et al?

Certificates are compromised as soon as any malware enters

the machine -

which is useless in this phishing scenario.






And then there's the pragmatic fact that people will pay

Microsoft

protection-racket funds for Microsoft anti-spyware to 
protect themselves transparently in the background from the

crappy software

Microsoft *SOLD* them in the first place...and they will do

this long

before they'll use any of the "secure email"
solutions today that require user interaction & thought.

But I'm all for an global standard secure email solution if

you happen

to have one of those handy,


Actually, my company does - if anyone wants to buy it.


Global, is it? Who buys it then? How does it work? Care

to share more

details, because there is not much information on your

site. Doesn't

seem any different to what PGP would provide.

It's also rather interesting that you claim it "encrypts"

everything,

but also analyses it for spam, viruses ... now just how does it 
do that :) ?

And what is "content checked". Seems far to "big brother" for my



liking.
Previous By Date Next
Previous By Thread Next

Current thread: