Re: [users@httpd] phishing problem
On 12 Jul. 2011, at 18:49, Sander Temme wrote:

> On Jul 12, 2011, at 1:37 AM, Patrick Proniewski wrote:
>
>> Hi,
>>
>> Apache servers are not victims of phishing attacks.
>> Users are victims of phishing attacks.
>>
>> As the OP is French, I'm continuing in French:
>
> Patrick, remember that one of the reasons we have these conversations on a
> mailing list is that others can also benefit from the information exchanged.
> You're not just talking to Frank, you're talking to all of us. Keeping the
> conversation in English will ensure maximum benefit.

The French text was just a development of the first two English lines. This whole thread is absolutely off topic: there is no sense in "ensuring maximum benefit" then, IMHO.

regards,
Patrick PRONIEWSKI
--
System Administrator - DSI - Université Lumière Lyon 2
Re: [users@httpd] phishing problem
On Jul 12, 2011, at 1:37 AM, Patrick Proniewski wrote:

> Hi,
>
> Apache servers are not victims of phishing attacks.
> Users are victims of phishing attacks.
>
> As the OP is French, I'm continuing in French:

Patrick, remember that one of the reasons we have these conversations on a mailing list is that others can also benefit from the information exchanged. You're not just talking to Frank, you're talking to all of us. Keeping the conversation in English will ensure maximum benefit.

Thank you,

S.

> As I said above, your servers cannot be victims of a phishing attack.
> Phishing is an attack that abuses trust (or stupidity), so it takes place
> directly at the user level.
> The only way to fight phishing is to educate users.
> You can always offer services over https, but if users don't care about
> the validity of certificates, it's hopeless.
>
> You don't give enough details for us to understand what happened, so it is
> impossible to give you pointers to documentation.
> In any case, if users were directed without their knowledge to a "rogue"
> server, there is no apache configuration that can protect them, since by
> definition the users end up on a server that is not yours.
>
> On 12 Jul. 2011, at 10:20, Frank Bonnet wrote:
>
>> Hello
>>
>> A few weeks ago we discovered that two of our apache servers
>> have been victims of a phishing attack.
>>
>> The first one is running squirrelmail webmail and the second one
>> is running our extranet services for students and professors.
>>
>> Both of them are using https and require authentication.
>>
>> The two phishing pages had the same look and feel as the original servers
>> of course!
>>
>> The "traps" have been used to grab users' logins and passwords as usual.
>>
>> The attack has been performed by "real" hackers that have been paid
>> by some students to hack passwords of "interesting" people.
>> Maybe some hacked DNS or Internet routers have been compromised/used?
>>
>> I would be VERY interested in ANY documentation about that kind
>> of phishing techniques and HOW to fight them (if possible); also
>> I would be interested in any apache gurus' advice ...
>> Would it be possible to configure something in apache to track down
>> that kind of problem? Any log analyzer that could help?
>>
>> Thank you very much
>
> Patrick PRONIEWSKI
> --
> System Administrator - DSI - Université Lumière Lyon 2

The official User-To-User support forum of the Apache HTTP Server Project.
See <http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
   "   from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
Re: [users@httpd] phishing problem
On 07/12/2011 10:33 AM, Giles Coochey wrote:

> On Tue, July 12, 2011 10:20, Frank Bonnet wrote:
>
>> Hello
>>
>> A few weeks ago we discovered that two of our apache servers
>> have been victims of a phishing attack.
>>
>> The first one is running squirrelmail webmail and the second one
>> is running our extranet services for students and professors.
>>
>> Both of them are using https and require authentication.
>>
>> The two phishing pages had the same look and feel as the original servers
>> of course!
>>
>> The "traps" have been used to grab users' logins and passwords as usual.
>>
>> The attack has been performed by "real" hackers that have been paid
>> by some students to hack passwords of "interesting" people.
>> Maybe some hacked DNS or Internet routers have been compromised/used?
>>
>> I would be VERY interested in ANY documentation about that kind
>> of phishing techniques and HOW to fight them (if possible); also
>> I would be interested in any apache gurus' advice ...
>> Would it be possible to configure something in apache to track down
>> that kind of problem? Any log analyzer that could help?
>
> If you are saying that someone made a copy of your website and somehow
> lured people to log in to those websites under the guise that they were
> in fact your website then:
>
> The best defence against this is the education of your userbase. This
> attack is essentially a social engineering attack and your users need to
> be educated to mitigate the risk.
>
> When your user enters a password, make sure they take a look at the
> situation before doing so.
>
> 1. Is the connection HTTPS?
> 2. Is the certificate provided correct?
> 3. Does the URL look correct?
>
> and so on.
>
> If anything looks a bit 'phishy' then they should call your helpdesk. You
> do have a helpdesk, don't you?
>
> As it is a social engineering attack there is relatively little you can do
> on the technical side to mitigate the risks here.

OK, I understand... there is nothing to do after all.
Re: [users@httpd] phishing problem
Hi,

Apache servers are not victims of phishing attacks.
Users are victims of phishing attacks.

As the OP is French, I'm continuing in French:

As I said above, your servers cannot be victims of a phishing attack. Phishing is an attack that abuses trust (or stupidity), so it takes place directly at the user level.
The only way to fight phishing is to educate users.
You can always offer services over https, but if users don't care about the validity of certificates, it's hopeless.

You don't give enough details for us to understand what happened, so it is impossible to give you pointers to documentation.
In any case, if users were directed without their knowledge to a "rogue" server, there is no apache configuration that can protect them, since by definition the users end up on a server that is not yours.

On 12 Jul. 2011, at 10:20, Frank Bonnet wrote:

> Hello
>
> A few weeks ago we discovered that two of our apache servers
> have been victims of a phishing attack.
>
> The first one is running squirrelmail webmail and the second one
> is running our extranet services for students and professors.
>
> Both of them are using https and require authentication.
>
> The two phishing pages had the same look and feel as the original servers
> of course!
>
> The "traps" have been used to grab users' logins and passwords as usual.
>
> The attack has been performed by "real" hackers that have been paid
> by some students to hack passwords of "interesting" people.
> Maybe some hacked DNS or Internet routers have been compromised/used?
>
> I would be VERY interested in ANY documentation about that kind
> of phishing techniques and HOW to fight them (if possible); also
> I would be interested in any apache gurus' advice ...
> Would it be possible to configure something in apache to track down
> that kind of problem? Any log analyzer that could help?
>
> Thank you very much

Patrick PRONIEWSKI
--
System Administrator - DSI - Université Lumière Lyon 2
Re: [users@httpd] phishing problem
On Tue, July 12, 2011 10:20, Frank Bonnet wrote:

> Hello
>
> A few weeks ago we discovered that two of our apache servers
> have been victims of a phishing attack.
>
> The first one is running squirrelmail webmail and the second one
> is running our extranet services for students and professors.
>
> Both of them are using https and require authentication.
>
> The two phishing pages had the same look and feel as the original servers
> of course!
>
> The "traps" have been used to grab users' logins and passwords as usual.
>
> The attack has been performed by "real" hackers that have been paid
> by some students to hack passwords of "interesting" people.
> Maybe some hacked DNS or Internet routers have been compromised/used?
>
> I would be VERY interested in ANY documentation about that kind
> of phishing techniques and HOW to fight them (if possible); also
> I would be interested in any apache gurus' advice ...
> Would it be possible to configure something in apache to track down
> that kind of problem? Any log analyzer that could help?

If you are saying that someone made a copy of your website and somehow lured people to log in to those websites under the guise that they were in fact your website then:

The best defence against this is the education of your userbase. This attack is essentially a social engineering attack and your users need to be educated to mitigate the risk.

When your user enters a password, make sure they take a look at the situation before doing so.

1. Is the connection HTTPS?
2. Is the certificate provided correct?
3. Does the URL look correct?

and so on.

If anything looks a bit 'phishy' then they should call your helpdesk. You do have a helpdesk, don't you?

As it is a social engineering attack there is relatively little you can do on the technical side to mitigate the risks here.
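
Checks 1 and 3 from the list in the reply above, written as an added example that is not part of the original thread: a Python function a helpdesk could run over a link a user reports. The `.example` hostnames are constructed placeholders, and check 2 (the certificate) is left out because it needs a live connection.

```python
from urllib.parse import urlsplit

# Constructed placeholders for the real webmail and extranet hostnames.
TRUSTED_HOSTS = frozenset({"webmail.univ.example", "extranet.univ.example"})


def check_login_url(url, trusted_hosts=TRUSTED_HOSTS):
    """Return the reasons a link fails the checklist; an empty list passes."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return ["unparseable URL"]
    problems = []

    # Check 1: is the connection HTTPS?
    if parts.scheme.lower() != "https":
        problems.append("not https")

    # Anything before '@' is userinfo, not the host, so a foreign URL can
    # begin with a familiar name.
    if parts.username is not None:
        problems.append("userinfo before host")

    host = (parts.hostname or "").rstrip(".")
    if not host:
        return problems + ["no host"]

    # Punycode or non-ASCII labels can render like a trusted name.
    if not host.isascii() or any(p.startswith("xn--") for p in host.split(".")):
        problems.append("internationalized host")

    # Check 3: does the URL look correct? Require an exact hostname match.
    if host not in trusted_hosts:
        if any(host.startswith(t + ".") for t in trusted_hosts):
            problems.append("trusted name used as subdomain prefix")
        else:
            problems.append("host not in trusted list")
    return problems


if __name__ == "__main__":
    # Constructed sample links, as a user might forward them to the helpdesk.
    for link in (
        "https://webmail.univ.example/src/login.php",
        "http://webmail.univ.example/src/login.php",
        "https://webmail.univ.example@login.other.example/",
        "https://webmail.univ.example.login.other.example/",
    ):
        print(link, "->", check_login_url(link) or "passes checks 1 and 3")
```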