RE: [WEB SECURITY] what if phishing went away?
- From: "Andre Maisonneuve" <Andre.Maisonneuve@xxxxxxxxxxxx>
- Subject: RE: [WEB SECURITY] what if phishing went away?
- Date: Wed, 26 Jul 2006 09:15:17 -0400
In order for phishing to be profitable, it has to target individuals or organizations where information or money can be stolen.
It seems odd that if such individuals or organizations are at serious risk of having information or funds stolen, they still use unsecured, browser-based mechanisms to exchange data.
Good products do exist to prevent phishing, and it seems to me that it is only prudent management to implement them for any sensitive information exchanges. With such products, both the sender and the receiver of data are authenticated and they cannot be impersonated by third parties. Furthermore, the applications they use for these exchanges are also authenticated and cannot be impersonated.
Using already available secure message and file exchange systems in a systematic manner will go a long way to protect information and make data exchanges immune to phishing attacks.
Andre
________________________________
From: Matt Fisher [mailto:mfisher@spidynamics.com]
Sent: Wed 26/07/2006 1:49 AM
To: Brian Eaton; Web Security
Subject: RE: [WEB SECURITY] what if phishing went away?
I don't know .... I'd imagine that the majority of phishing is backed by
just a few crime syndicates who are probably pretty well organized and too
agile to really delay too much with technology. If it were hundreds or
thousands of independents then you could have a decent "wash out" effect
with tech fixes, but I think that the relatively centralized command and
control (this is an assumption) makes it easier to hit them in the
pocketbook (i.e. the laundering infrastructure) than elsewhere.
-----Original Message-----
From: Brian Eaton [mailto:eaton.lists@gmail.com]
Sent: Tuesday, July 25, 2006 8:47 PM
To: Web Security
Subject: [WEB SECURITY] what if phishing went away?
I've been mulling over one of RSnake's recent blog entries:
http://ha.ckers.org/blog/20060724/firefox-20-anti-phishing-filter/
If browser-based antiphishing filters become widespread, will phishing
stop being profitable? Or will there be more clever phishing
techniques that evade the blacklists and the heuristics? (How long
before the blacklists get DDOSed?)
And if the browser-based filters make phishing an uneconomical scam,
will that make technologies like passmark, dynamic security skins, and
transactional authentication obsolete?
It seems like blacklists have an important role to play, but they
won't do much to prevent small, targeted, phishing-style attacks. I'd
like to see improvements in web authentication UIs regardless. I
could imagine a scenario where the major phishing attacks stop being
an issue because of blacklists. At that point, a lot of the economic
incentive for improving web site authentication via other technologies
would vanish.
Admittedly, a world where phishing is too minor a problem to worry
about would be a nice problem to have.
Regards,
Brian
----------------------------------------------------------------------------
The Web Security Mailing List:
http://www.webappsec.org/lists/websecurity/
The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Brought to you by http://www.webappsec.org