[Cryptography] phishing attack again - $300m in losses?

Tom Mitchell mitch at niftyegg.com
Thu Feb 19 05:48:33 EST 2015


On Wed, Feb 18, 2015 at 8:04 PM, Andy Steingruebl <steingra at gmail.com>
wrote:

> On Mon, Feb 16, 2015 at 1:03 PM, ianG <iang at iang.org> wrote:
>
>>
>> The browser, or whatever we call the agent that handles the URL, has to
>> be able to defend itself.  No ifs, no buts.
>
>
>
> Do you have a proposal for this?  How exactly a browser should defend
> against any/all malicious software including software that doesn't exploit
> a technical vulnerability but the user simply installs because they are
> fooled into doing so?
>

Browsers as they are today are trouble in depth.

JavaScript has become a worthy language.
JavaScript is not the only script.

Marketing and other services have opened the entire page
to content the initial URI did not point to.   Cascading style
sheets and obfuscation of JavaScript make it darn hard
to understand the good or bad parts.

The objects a user clicks on in a browser window are not
known to the local machine, and visual cues can be overloaded or
faked.   "Click to exit" could map to "buy my toy for $$$$$".
The GET for images is auditable by many and may be one
pixel in size behind something.

Browser users can take advantage of system DNS hints to block
known problem IP addresses and blocks of addresses.  That is
fragile...

Worse are applications for Android and on other phones.
Once loaded, a useful free application could quietly activate
way too many things when triggered by a man-in-the-middle
inserted bit pattern from a device impersonating a cell tower.
Running applications in a system-level VM would help but would
tax a phone.  Java and Dalvik VMs imply a lot could be done,
but there is less protection and more portability as a goal set.

Multiple users, each dedicated to an activity, may be the best
personal sandbox approach.   Log out Bob, log in as BobBankA
to access bank A.   Log out and log in as BobReadsNYTNews,
etc....   Next, dedicated machines for each activity...

Older operating systems would roll a job out and roll another in,
close to suspend-to-disk today.    Suspend Bob, DMA BobBankA
in....

It gets much harder for a company with many employees all
sharing resources and communicating.


-- 
  T o m    M i t c h e l l