Re: AOL uses anti-phishing blacklist from Cyota
Frank Hecker wrote:
> * It is interesting to contemplate Cyota or someone else offering an analogous service to individual users, e.g., implemented through an IE add-on or Firefox extension that does real-time checks of the blacklist.

Such a browser plug-in reveals your surfing habits to a central authority. I doubt that this is a desirable goal, and I think it's a big issue with Netcraft's approach.

___
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security
Re: AOL uses anti-phishing blacklist from Cyota
Gervase,

Gervase Markham wrote:
> Frank Hecker wrote:
>> * This approach is also not dependent on SSL, much less on CA revocation of SSL certs. It's also presumably significantly faster to detect and shut down sites than an approach based on OCSP validation of certs, since IIRC the current state of OCSP is that the timeframe for revocation is driven by the schedule for issuance of CRLs, i.e., the results of an OCSP check are not necessarily any more up to date than the results of a CRL check.
>
> Even if that's true, it could not be in the future. And I would hope such events would be rare enough to cause an out-of-time CRL update and corresponding OCSP update.

There is nothing that disallows an OCSP responder from providing up-to-date information, even though it isn't required by RFCs to be more up-to-date than CRLs.

FYI, currently NSS always looks at CRLs, if available locally, and it looks at OCSP if enabled. So in some cases, NSS will check both.
Re: AOL uses anti-phishing blacklist from Cyota
Frank Hecker wrote:
> * In theory this approach is not dependent on any browser features, since at a minimum AOL as an ISP could just block connection attempts in the cloud. However it may be that AOL is planning some special UI in the AOL client to support phishing-specific warning messages. The press release is not clear on whether this feature will work with non-AOL clients connecting through the AOL network.

Why go to the trouble of hacking something into a browser, then getting everyone to upgrade, when you can just throw up an error message and have the site blocked by transparent proxies that carry a blacklist of URLs... Could even go so far as allowing the user to override if they really, really want to; that would help with the false positive situation, where an innocent site is blocked because of poor list management etc...

> * This approach is also not dependent on SSL, much less on CA revocation

Everyone keeps mentioning SSL and phishing, and the only person to have claimed to have seen an SSL phishing attack actually had a certificate signed by a built-in CA. While it might occur in future, this will require a LOT of user education; after all, people are stupid enough to open up zip files and still infect themselves. Until the level of education increases (highly unlikely at the current rates), I don't see that SSL will be considered much benefit to the guys doing phishing attacks, as it would increase the risk of tracking them down versus little or no real benefit.

> * This approach is obviously analogous to anti-spam blacklists. Whether it will be more effective in practice than anti-spam blacklists is an open question; I can think of points both for and against this. However

The against depends on how they handle blocking: if they do it in some kind of sane manner where they verify each address, rather than blindly accepting requests, then maybe; otherwise they'll end up like a lot of RBLs, in that they are overzealously added to and end up doing harm (and getting sued?) to real businesses. RBLs in some cases are ok, others aren't; it's all about the implementation...

> * Apparently Cyota originally marketed their FraudAction anti-phishing service to banks, presumably to support banks' effort to shut down

If their list of current clients is valid and anything to go by, it looks like they managed to get business from a fair few banks...

> * It is interesting to contemplate Cyota or someone else offering an analogous service to individual users, e.g., implemented through an IE add-on or Firefox extension that does real-time checks of the blacklist.

Implementation issues aside, this would directly provide information to phishers as to whether or not their sites were on the blacklist yet, but I presume they could determine that anyway just by trying to connect to it through AOL or another ISP offering the service. There is going to be a time frame in which they won't be blacklisted, not to mention not everyone will be subscribed to or use the service, so this will simply increase the number of hacked sites used, or increase domain registrations before spam, then dump random domains in random emails...

-- 
Best regards,
 Duane

http://www.cacert.org - Free Security Certificates
http://www.nodedb.com - Think globally, network locally
http://www.sydneywireless.com - Telecommunications Freedom
http://happysnapper.com.au - Sell your photos over the net!
http://e164.org - Using Enum.164 to interconnect asterisk servers

In the long run the pessimist may be proved right, but the optimist has a better time on the trip.
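As an added illustration (not code from this thread, nor from Cyota or Netcraft) of the privacy objection raised earlier in the thread and of the plug-in remarks above: a hash-prefix lookup lets the client ask the blacklist server about a short hash prefix instead of the URL, so the central authority only learns that one of the many URLs sharing that prefix was visited. The blacklist entries and the 4-byte prefix length are constructed for the example.

```python
import hashlib
from urllib.parse import urlsplit

# Constructed sample blacklist for the example (not Cyota's or Netcraft's data),
# stored in canonical "host/path" form.
BLACKLIST = {
    "phish.example.net/login",
    "bank-login.example.org/",
}
PREFIX_BYTES = 4  # assumed prefix length; only this much of the hash leaves the client


def canonicalize(url: str) -> str:
    """Reduce a URL to lower-cased host plus path so trivial variations match one
    entry. Scheme, port, query string and fragment are dropped."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    return host + path


def full_hash(entry: str) -> bytes:
    return hashlib.sha256(entry.encode("utf-8")).digest()


# Server side: index each full hash under its short prefix.
SERVER_INDEX: dict[bytes, set[bytes]] = {}
for entry in BLACKLIST:
    digest = full_hash(entry)
    SERVER_INDEX.setdefault(digest[:PREFIX_BYTES], set()).add(digest)


def server_lookup(prefix: bytes) -> set[bytes]:
    """The server sees only a prefix and returns every listed full hash sharing it."""
    return set(SERVER_INDEX.get(prefix, set()))


def client_is_blacklisted(url: str) -> bool:
    """The client hashes locally, sends only the prefix, and does the final
    full-hash comparison itself, so the URL never reaches the central authority."""
    digest = full_hash(canonicalize(url))
    return digest in server_lookup(digest[:PREFIX_BYTES])


if __name__ == "__main__":
    for u in ("HTTP://Phish.Example.Net/login?session=1", "https://www.mozilla.org/"):
        print(u, "->", "BLOCK" if client_is_blacklisted(u) else "allow")
```

The prefix design addresses the surfing-habits leak only; it does nothing about the separate point that anyone, including the site's operator, can still test whether a given URL is listed.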
Re: AOL uses anti-phishing blacklist from Cyota
On 4/20/05, Frank Hecker [EMAIL PROTECTED] wrote:
> I thought this was interesting:
>
> http://media.timewarner.com/media/newmedia/cb_press_view.cfm?release_num=55254369
>
> The basic summary: AOL will try to block AOL members' attempts to connect to phishing sites, using a blacklist of suspected phishing sites provided by Cyota http://www.cyota.com/.
>
> Some brief comments:
>
> * In theory this approach is not dependent on any browser features, since at a minimum AOL as an ISP could just block connection attempts in the cloud. However it may be that AOL is planning some special UI in the AOL client to support phishing-specific warning messages. The press release is not clear on whether this feature will work with non-AOL clients connecting through the AOL network.

Google has a report phishing feature and a phishing detection feature in GMail. Perhaps they will work together to improve the overall safety of the community.

> * This approach is also not dependent on SSL, much less on CA revocation of SSL certs. It's also presumably significantly faster to detect and shut down sites than an approach based on OCSP validation of certs, since IIRC the current state of OCSP is that the timeframe for revocation is driven by the schedule for issuance of CRLs, i.e., the results of an OCSP check are not necessarily any more up to date than the results of a CRL check.

Actually, in the common case of a CA operating an OCSP responder, the revocation information can be as current as the request even if the relevant CRL isn't updated for hours (or days). That is, OCSP revocation is as timely as identifying the operational policy violation, so I suggest you turn OCSP checking on in your personal browser configuration, as that will save you from some phishing, pharming, and homograph attacks.

> * This approach is obviously analogous to anti-spam blacklists. Whether it will be more effective in practice than anti-spam blacklists is an open question; I can think of points both for and against this. However certainly anything that limits the expected lifetime of a phishing site is a good thing, and if browsers and other factors were to force phishing sites to use domain names (as opposed to IP addresses) and SSL certificates (even domain-validated ones) then this puts a minimum cost in place per phishing site to weigh against the expected revenue for the few hours a site might be up before being blocked.

I agree, if I can paraphrase - limiting the benefits of fraud reduces fraud.

> * Apparently Cyota originally marketed their FraudAction anti-phishing service to banks, presumably to support banks' effort to shut down phishing sites impersonating them. Clearly if I were Cyota I would be trying to market this now to every major ISP, since it would clearly be a feature ISPs could market to their users (as AOL is doing), at least until every ISP implements something like this.

This is an active market. There are several companies offering take-down or monitoring related services for FIs and other high value targets, including VeriSign.
Re: AOL uses anti-phishing blacklist from Cyota
Frank Hecker wrote:
> I thought this was interesting:
>
> http://media.timewarner.com/media/newmedia/cb_press_view.cfm?release_num=55254369
>
> The basic summary: AOL will try to block AOL members' attempts to connect to phishing sites, using a blacklist of suspected phishing sites provided by Cyota http://www.cyota.com/.
>
> Some brief comments:
>
> * In theory this approach is not dependent on any browser features, since at a minimum AOL as an ISP could just block connection attempts in the cloud. However it may be that AOL is planning some special UI in the AOL client to support phishing-specific warning messages. The press release is not clear on whether this feature will work with non-AOL clients connecting through the AOL network.

The approach is also similar to that of Netcraft's plugin, and I think Trustbar and/or Comodo might have similar intentions.

> * This approach is also not dependent on SSL, much less on CA revocation of SSL certs. It's also presumably significantly faster to detect and shut down sites than an approach based on OCSP validation of certs, since IIRC the current state of OCSP is that the timeframe for revocation is driven by the schedule for issuance of CRLs, i.e., the results of an OCSP check are not necessarily any more up to date than the results of a CRL check.

The average basket of slave boxes was something like 10k for $500 .. these are scary numbers; and it makes me wonder just how one goes about shutting down a distributed attack with any speed. Even if you know all the 10k IP numbers up front, I'd imagine your router admins would have some rude things to say about being asked to block so many.

> * This approach is obviously analogous to anti-spam blacklists. Whether it will be more effective in practice than anti-spam blacklists is an open question; I can think of points both for and against this. However certainly anything that limits the expected lifetime of a phishing site is a good thing, and if browsers and other factors were to force phishing sites to use domain names (as opposed to IP addresses) and SSL certificates (even domain-validated ones) then this puts a minimum cost in place per phishing site to weigh against the expected revenue for the few hours a site might be up before being blocked.

I suspect that the blacklist provider will come under serious attack, both in concert with phishing attacks, and more strategically. Do they have the wherewithal to be a single point of failure?

> * It is interesting to contemplate Cyota or someone else offering an analogous service to individual users, e.g., implemented through an IE add-on or Firefox extension that does real-time checks of the blacklist.

This is more or less there with Netcraft's plugin; has anyone tried it?

All in all, I am skeptical; I think it moves the bar up a few cm, but more steroids move it down again, so it's another short term fix like the 2 factor tokens that are being sold now. We'll see! It's a free market in security solutions.

iang

-- 
News and views on what matters in finance+crypto:
http://financialcryptography.com/