Steve Furlong <[EMAIL PROTECTED]> writes:

>On Wed, 2004-06-30 at 06:49, Ian Grigg wrote:
>
>> Here's my question - is anyone in the security
>> field of any sort of repute being asked about
>> phishing, consulted about solutions, contracted
>> to build? Anything?
>
>Nothing here. Spam is the main concern on people's minds, so far as I can
>tell.
I never considered phishing to be much of an issue until about a month ago, when I had a long discussion with someone at a security conference about a scale and type of phishing you never really hear about much. Not small-scale script-kiddie stuff but large-scale phishing run as a standard commercial business, with (literally) everything but 24-hour helpdesks (if you can read Portuguese you may be able to find more info at http://www.nbso.nic.br/).

Some of this I've already covered in the "Why isn't the Internet secure yet" tutorial I mentioned a while back: trojans that control your DNS to direct you to fake web sites, trojans that grab copies of legit web sites from your browser cache and render them asking you to re-validate yourself since your session has expired, trojans that intercept data from inside your browser before it gets to the SSL channel, etc etc. This isn't stuff that only newbies will fall for; these are exact copies of the real site that look and act exactly like the real site.

This stuff is the scariest security threat I've heard of in (at least) the last couple of years because it's almost impossible to defend against. There is simply no way to protect a user on a standard Windows PC from this type of attack - even if you can afford to give each user a SecurID or crypto challenge-response calculator, that doesn't help you much because the attacker controls the PC. It's like having users stick their bank cards into and give their PIN to a MafiaBank-branded ATM; the only way to safely use it is to not use it at all.

The only solution I can think of is to use the PC only as a proxy/router and force users to do their online banking via a small terminal (not running Windows) that talks to the PC via the USB port, but it's not really economically viable.

Peter.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]