Re: [Full-disclosure] Request for comments: anti-phishing storefront approach
On Fri, Jun 03, 2005 at 07:37:28PM -0400, Doug Ross wrote:

> Given the recent PR regarding Bank of America's SiteKey (which seems to me to be susceptible to MIM attacks), I'd appreciate any feedback on this anti-phishing approach:
>
> http://directorblue.blogspot.com/2005/06/making-phishers-solve-captcha-problem.html

Your example includes the notion of a CAPTCHA-style warning image that says "...If any of the three items aren't true or don't look right, DON'T SIGN IN." Couldn't one just as easily--and just as falsely--expect customers to obey a warning that says "If you don't see a valid SSL 'lock' icon in your browser window, DON'T SIGN IN"?

Both cases are essentially identical, only the former requires more work by me to verify--I have no idea what the last check number I wrote was, and depending on my ISP, it's likely that I'll appear to be connecting from some place 300 miles from my current location, yet with verifying SSL, all I have to do is check to see if a little icon is up in the window.

As you say, Bank of America needs to use SSL on their login page. But if you're talking about training users--and that's necessary, because otherwise, phishers can just remove the warning reminder bit from their fake login pages--you may as well just train them to look for valid SSL certs.

On a side note, I have to wonder how much of this appears to be magic to the ordinary user, to the extent that you could make all sorts of statements in the name of security and the user would buy it. For instance, a phisher could put a fake Verisign button on his site that, when clicked, does something different than the real Verisign ones do. Or, better yet, a box that says "If the above image does not read 'AUTHENTIC,' do not sign in." Users would assume that some sort of verification were going on. Never mind the mechanism.

-- Dan

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Not even the NSA can get it right
On Wed, May 25, 2005 at 11:42:45PM -0400, Paul Kurczaba wrote:

> To the NSA's advantage, I truly believe that the NSA.gov site is a natural honeypot. If you think of all the people that try to break in to it, the NSA looks at their logs and says "Sweet!, we've learned something new today. Keep on coming..." just my $0.02

Valdis and I discussed this a little bit off-list. He disagrees, but I contend that anything that the NSA could learn from such would be useless to their two primary goals--securing intelligence, military, and other government and private sector infrastructure, and conducting interception/decryption/info war on foreign (or domestic?) enemy targets.

Consider: www.nsa.gov is NOT a tempting target, thus the likely attackers are stupid kiddies. Stupid kiddies are not going to use anything new to the NSA on www.nsa.gov. The NSA therefore learns a) what the kiddies know, and b) who the kiddies are (assuming they don't disguise themselves well).

(a) is relatively useless; its sole value *might* be in indicating what is public and thus not likely to work against a target, but given that they are going against targets with far more resources than the average kiddie, this is a poor, if not worthless, indicator of such.

(b) is useless, because the NSA does not conduct law enforcement operations against cyber criminals, nor, from what we've all heard, do they cooperate overly well with the agencies that do.

So they've really got nothing to gain from wasting valuable employee time on such a stupid matter. Even the NSA hires underpaid civil servants--and I don't think it was a top-secret spook who coded the ColdFusion behind the front page. Feel free to let your own imaginations run wild, though. I've heard some real convincing stories indicating that the Masons were behind the September 11 attacks, too.

According to netcraft, they are running IIS. You can verify this for yourself by looking at the server headers--or running an OS fingerprinting tool against them. Sure, they could be spoofing it, but see above.

-- Dan
Re: [Full-disclosure] RE: Security issue in Microsoft Outlook
On Mon, May 23, 2005 at 01:25:35PM -0700, David Cleveland wrote:

> I was able to duplicate. After creating the url link, I put the cursor right after the 'www.' and typed in the 'foo-labs.info'. Then I deleted everything after 'info' and sent it. The link read foo-labs and went to cybertrion.

After many trials and tribulations, I was able to replicate this. And you know what? IT'S THE EXACT SAME RESULT AS IF SOMEONE HAD CLICKED EDIT AND CHANGED THE URL!

So, what this means is that there is a "bug" in Outlook by which one can, if one has not clicked off the link since creating it, create a link, alter it, and not have the target altered to the new URL. I say "bug" in quotes because what presumably is going on is the function that updates the target is not called, leaving the old target in there.

Is this a security risk? NO! The reporter is a troll or a moron! Since my prior sarcasm was apparently lost on some readers, THIS IS A FEATURE OF HTML! Links can point to other places than the text in between the link tags! If they couldn't, there'd be no point to having links! If you have a problem with this, go back to using Gopher--or better yet, stop using the Internet. We'll all miss your valuable input.

Once and for all: THIS IS NOT A VULNERABILITY. Now, can we all let this stupid thread die?

Thanks and have a great day. :)

-- Dan
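The point made above, that an anchor's visible text and its href are independent, is exactly the property a mail filter checks when it scores a message for phishing. The following is an added example and not code from the thread: a small Python scanner that pulls the anchors out of an HTML mail body and reports the ones whose display text names a host other than the one the href really targets. The sample body and the `.example` domain names in it are constructed for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample e-mail body (not from the original post). The first anchor's
# visible text names one domain while its href points somewhere else.
SAMPLE_HTML = """
<p>Please review: <a href="http://www.cybertrion.example/login">www.foo-labs.example</a></p>
<p>Docs: <a href="https://docs.example.org/guide">https://docs.example.org/guide</a></p>
<p>Plain text: <a href="https://mail.example.net/">Click here</a></p>
"""

# Matches visible text that looks like a URL or host name (e.g. www.foo-labs.example).
LOOKS_LIKE_HOST = re.compile(r"^(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?$", re.I)

def _host(value):
    # Lowercase host of a URL or bare host string; None if nothing parseable.
    url = value.strip() if "://" in value else "http://" + value.strip()
    return (urlparse(url).hostname or "").lower() or None

class _AnchorCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None

def find_mismatched_links(html):
    # Returns (visible text, href) pairs where the text names a host that
    # differs from the host the href actually points to.
    parser = _AnchorCollector()
    parser.feed(html)
    hits = []
    for href, text in parser.anchors:
        if not LOOKS_LIKE_HOST.match(text):
            continue  # "Click here" makes no claim about where it goes
        if _host(text) != _host(href):
            hits.append((text, href))
    return hits
```

The host comparison is exact, so display text with a subdomain against an href on the apex domain is also reported; relax `_host` to a registrable-domain comparison if that proves too noisy for your mail flow.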