Question on the state of the security industry

Peter Gutmann pgut001 at cs.auckland.ac.nz
Mon Jul 5 04:31:58 EDT 2004


Steve Furlong <sfurlong at acmenet.net> writes:

>On Wed, 2004-06-30 at 06:49, Ian Grigg wrote:
>
>> Here's my question - is anyone in the security
>> field of any sort of repute being asked about
>> phishing, consulted about solutions, contracted
>> to build?  Anything?
>
>Nothing here. Spam is the main concern on people's minds, so far as I can
>tell.

I never considered phishing to be much of an issue until about a month ago,
when I had a long discussion with someone at a security conference about a
scale and type of phishing you never really hear about much.  Not small-scale
script-kiddie stuff but large-scale phishing run as a standard commercial
business, with (literally) everything but 24-hour helpdesks (if you can read
Portuguese you may be able to find more info at http://www.nbso.nic.br/). 
Some of this I've already covered in the "Why isn't the Internet secure yet"
tutorial I mentioned a while back: Trojans that control your DNS to direct you
to fake web sites, trojans that grab copies of legit web sites from your
browser cache and render them asking you to re-validate yourself since
your session has expired, trojans that intercept data from inside your browser
before it gets to the SSL channel, etc etc.  This isn't stuff that only
newbies will fall for, these are exact copies of the real site that look and
act exactly like the real site.

This stuff is the scariest security threat I've heard of in (at least) the
last couple of years because it's almost impossible to defend against.  There
is simply no way to protect a user on a standard Windows PC from this type of
attack - even if you can afford to give each user a SecurID or crypto
challenge-response calculator, that doesn't help you much because the attacker
controls the PC. It's like having users stick their bank cards into and give
their PIN to a MafiaBank branded ATM; the only way to safely use it is to not
use it at all.

The only solution I can think of is to use the PC only as a proxy/router and
force users to do their online banking via a small terminal (not running
Windows) that talks to the PC via the USB port, but it's not really
economically viable.

Peter.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com