[Cryptography] phishing attack again - $300m in losses?

ianG iang at iang.org
Fri Feb 20 07:33:24 EST 2015


On 19/02/2015 04:04 am, Andy Steingruebl wrote:
> On Mon, Feb 16, 2015 at 1:03 PM, ianG <iang at iang.org
> <mailto:iang at iang.org>> wrote:
>
>
>     The browser, or whatever we call the agent that handles the URL, has
>     to be able to defend itself.  No ifs, no buts.
>
>
>
> Do you have a proposal for this?

No of course not -- I gave up years ago trying to support proposals to 
browser vendors who stuck their fingers in their ears and sang lalalala 
until people went away.

The only role left for the open security world is to look at the browser 
vendors and say your security is broken, until they give in.

> How exactly a browser should defend
> against any/all malicious software including software that doesn't
> exploit a technical vulnerability but the user simply installs because
> they are fooled into doing so?


Nah.  This whole "it can't be done because I can't see it" routine is a 
waste of time.  Same with the whole "you aren't providing a solution, 
you're just whinging" copout.

If the browser vendors and the mailer vendors and the others are serious 
about protecting users, they will sit down and start working on the problem.

That can be done -- but the first step is to acknowledge that *there is 
a problem*.

Get over the denial.

This can be done, and Google for one is doing it.  Mostly internally, 
they are not doing it so much in the open as to admit that there is a 
problem at the systemic level.  I suppose we have to blame American 
lawyers for that, they won't let security people tell the truth, so 
there is a culture of lying about security in American corps.


> AV?  Nope. Plenty of reasons that won't work.
>
> Crowd-source the info on bad software - doesn't work against one-off
> attacks.
>
> Force code signing - doesn't work well when the attackers steal the keys
> of legit software.  This has happened a few times over the last 3 years.
>
> Force installs only from "approved sources" - nope.  and you'll get
> killed by the anti-Palladium crowd about how you're taking their freedom
> away to run whatever software they want to on their machine.
>
> I'm open to suggestions but hand waving and "someone really ought to do
> something" is pretty weak sauce -  Especially since this isn't what most
> people would call phishing (the article got it wrong)


Nor, adjusting the terms of the attack minutely so it's not addressed by 
the claimant, dismissed, next please.

Let's start with something simple.  Do we agree that there is a problem?

> and the original
> point and the quote from Gates was about more traditional phishing that
> steals users credentials rather than socially engineering users into
> installing malware.


Wellll.... of course Gates' quote was a tad out of date.  He made it in 
2005?

Where did the 'install malware' thing come from? the industrial hacking 
machine.  Where did the industrial hacking machine come from?  The 
industrial phishing machine.  Where did the industrial phishing machine 
come from?

The head-in-sand act of the browser vendors.  In 2005.

A sense of history helps :)



iang

