[Cryptography] phishing attack again - $300m in losses?

Andy Steingruebl steingra at gmail.com
Wed Feb 18 23:04:01 EST 2015


On Mon, Feb 16, 2015 at 1:03 PM, ianG <iang at iang.org> wrote:

>
> The browser, or whatever we call the agent that handles the URL, has to be
> able to defend itself.  No ifs, no buts.

Do you have a proposal for this?  How exactly a browser should defend
against any/all malicious software including software that doesn't exploit
a technical vulnerability but the user simply installs because they are
fooled into doing so?

AV?  Nope. Plenty of reasons that won't work.

Crowd-source the info on bad software - doesn't work against one-off
attacks.

Force code signing - doesn't work well when the attackers steal the keys of
legit software.  This has happened a few times over the last 3 years.

Force installs only from "approved sources" - nope, and you'll get killed
by the anti-Palladium crowd about how you're taking away their freedom to
run whatever software they want to on their machine.

I'm open to suggestions, but hand waving and "someone really ought to do
something" is pretty weak sauce, especially since this isn't what most
people would call phishing (the article got it wrong), and the original
point and the quote from Gates was about more traditional phishing that
steals users' credentials rather than socially engineering users into
installing malware.

-- 
Andy Steingruebl
steingra at gmail.com