-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 9/26/09 7:40 AM, Winfried Tilanus wrote:
> Hi,
>
> Up to now jabber was used for legitimate applications like
> microblogging, psychological counselling or battlefield information
> systems. But it was inevitable we would witness the day jabber would be
> used for one of the darkest activities on the internet, phishing:
>
> http://software.silicon.com/security/0,39024655,39527467,00.htm

The original blog posts referenced in that article are here:

http://www.rsa.com/blog/blog_entry.aspx?id=1525

http://www.rsa.com/blog/blog_entry.aspx?id=1515

Let us look at the attack. The phishing incident happens via a fraudulent website that looks like your bank.

Hold it.

Now that the unsuspecting user has visited a fraudulent website, anything is possible! The criminals could use XMPP, SMTP, HTTP, IRC, or whatever they want at that point.

The "problem" here is that XMPP is a distributed technology. Anyone can download and run their own XMPP server. What they do with that server is up to them. We -- and by "we" I mean the XMPP Standards Foundation, the IETF's XMPP WG, the developers of a particular XMPP server implementation, and the general XMPP community -- have no control over how XMPP technologies are deployed.

In this case, some people have gotten creative about using XMPP instead of SMTP or IRC or some other technology in order to gather and deliver, in close to real time, information that is of interest to them. It just happens that the information these people are interested in relates to criminal activities in which they are engaged.

Now, if these people had decided to use one of the public XMPP services (such as, say, the jabber.org IM service, of which I am the primary admin), then those who are interested in combatting this kind of crime might be able to contact the admins of said services and find out some identifying data about those who are connecting (e.g., IP addresses). But since these people are in fact deploying their own infrastructure, it is outside of "our" control.

There is nothing particular to XMPP in these attacks, other than the fact that the criminals are using a chat interface and then sending information through an XMPP server that they have installed on their own machines.
These attacks are not being perpetrated against Jabber users, but against regular older Internet users via fraudulent websites, with XMPP as an information transport.

There is nothing we can do about this kind of attack. However, we might want to look more seriously at XEP-0165 so that we can help prevent similar attacks over the real XMPP network.

Peter

- --
Peter Saint-Andre
https://stpeter.im/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkq+gKAACgkQNL8k5A2w/vwMMgCfXdKXFraXEkgxYP8TfyU69wwG
ZooAniTm7AdS7uvJLFM6f+ZCCzyQxKlf
=13VE
-----END PGP SIGNATURE-----
