
RE: New whitepaper "The Phishing Guide"



I think if major vendors used signed emails, it would be a good step.
However, I'm not sure in the long run it will do much good.

First, the real problem isn't technical, it's educational.  Most users
sophisticated enough to download a public key, verify the fingerprint, and
install it on their keyring aren't going to be fooled by phishing attacks
anyway.

Second, as far as I know, there is no standard for encryption software.
Signing something with, say, PGP doesn't do a blind bit of good unless the
recipient has gone to the bother of downloading and installing PGP on their
system.  (See above.)  And if you haven't installed PGP, seeing the BEGIN
PGP SIGNED MESSAGE verbiage on an email may give a false sense of security
when the message may have been signed by an invalid key, or may not have
been signed at all and the enclosed "signature" is random garbage.

Third, I can see a new variant of the phishing attack.  "WARNING:  OUR
SECURITY HAS BEEN COMPROMISED.  PLEASE CLICK ON THE LINK BELOW TO ADD OUR
NEW SECURITY CERTIFICATE TO YOUR KEYRING AND RE-VERIFY YOUR PERSONAL
INFORMATION".   (This also touches on the subject of key revokations, but
I'll leave that alone for now.)

Ben
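Ben's second point, illustrated with an added example that is not part of the thread: the only thing a reader without PGP can check by eye is armor syntax, and the "=XXXX" trailer is the CRC-24 from RFC 2440/4880 section 6.1, which anyone can compute over arbitrary bytes. The checker assumes the CRC trailer is present (as RFC 4880 requires); the function names and the sample message are constructed for this example.

```python
import base64

# RFC 2440/4880 sec. 6.1: the "=XXXX" armor trailer is just a CRC-24, not a signature.
CRC24_INIT, CRC24_POLY = 0xB704CE, 0x1864CFB
BEGIN, END = "-----BEGIN PGP SIGNATURE-----", "-----END PGP SIGNATURE-----"


def crc24(data: bytes) -> int:
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def parse_armored_signature(message: str):
    """Return (signature bytes, CRC-24 trailer) from the first PGP SIGNATURE
    block in message, or None if the block is structurally malformed."""
    lines = message.splitlines()
    try:
        start = lines.index(BEGIN)
        block = lines[start + 1:lines.index(END, start)]
        if "" in block:  # armor headers ("Version: ...") end at a blank line
            block = block[block.index("") + 1:]
        if not block[-1].startswith("="):
            return None
        body = base64.b64decode("".join(block[:-1]), validate=True)
        trailer = base64.b64decode(block[-1][1:], validate=True)
    except (ValueError, IndexError):  # missing markers, bad base64, empty block
        return None
    return (body, int.from_bytes(trailer, "big")) if body and len(trailer) == 3 else None


def armor_checksum_ok(message: str) -> bool:
    """Syntax check only. True means well-formed armor with a matching CRC-24;
    it does NOT mean the signature verifies or that a trusted key produced it."""
    parsed = parse_armored_signature(message)
    return parsed is not None and crc24(parsed[0]) == parsed[1]


def armor(data: bytes) -> str:
    """Wrap arbitrary bytes in a checksum-valid block: anyone can make one."""
    crc = base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return BEGIN + "\n\n" + base64.b64encode(data).decode() + "\n=" + crc + "\n" + END


# Constructed sample (not real mail): the body bytes came from no key at all,
# yet the block passes every structural check a non-PGP user could do by eye.
LOOKS_SIGNED = "Please re-verify your account.\n" + armor(b"bytes from no key")
```

Only a real verification against a key obtained out of band (for example by checking its fingerprint) separates LOOKS_SIGNED from a genuinely signed message.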
  


-----Original Message-----
From: Aleksandar Milivojevic [mailto:amilivojevic@xxxxxx]
Sent: Thursday, September 23, 2004 9:57 AM
To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: New whitepaper "The Phishing Guide"


Gunter Ollmann (NGS) wrote:

[snip]

> While the Phishers
> develop evermore sophisticated attack vectors, businesses flounder to
> protect their customers' personal data and look to external experts for
> improving email security. Customers too have become wary of "official"
> email, and organisations struggle to install confidence in their
> communications.

Sometimes it's unbelievable how long it takes organizations to discover
that email can be signed.  Especially nowadays when all major mail
readers have support for at least S/MIME (and the really good ones have
support for at least PGP ;-) ).

-- 
Aleksandar Milivojevic <amilivojevic@xxxxxx>    Pollard Banknote Limited
Systems Administrator                           1499 Buffalo Place
Tel: (204) 474-2323 ext 276                     Winnipeg, MB  R3T 1L7
