Friday, April 13, 2007

Phish 2.0

Richard Stiennon points out a most excellent post from Christopher Soghoian's blog on phishing attacks against PassMark and similar technologies (with movies!). I teach a home computer security class through my employer's corporate training program, and this very issue (Does PassMark prevent phishing?) came up in a class I taught yesterday. Chris' work proves what I suspected - no, PassMark accounts can still be phished quite reliably.

In his post about Chris' work, Richard concludes, "Its a war of escalation and banks have to stay ahead." It is a war of escalation. Most of infosec is. However, while banks have a vested interest in making financial transactions on the web safe for customers, it's the customers that have to stay ahead. If you can trick someone into clicking a link and believing that web site is something it's not, then there's not much the bank can do. MiTM is like a trump card here - it even beats tokens and other 2-factor authentication mechanisms as long as the phisherman can intercept that traffic as well. That's why I also believe that the owning of public wireless networks will continue to grow in prevalence.

The real work to be done falls to the client software vendors. If Outlook warned you or outright prevented you from clicking sender-supplied "a href=" links, then phishing would be all but over. Similarly, if Microsoft made IE's SSL cert warning messages more dramatic, or even cached error-free certificates for later comparison, MiTM against SSL would be over as well.
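To make the "cache error-free certificates for later comparison" idea concrete, here is a small trust-on-first-use store written for this post (my own illustration, not code from the post, from PassMark or from any browser vendor). The host names, the `CertCache` class and the DER byte strings are all constructed for the example; a real client would hash the actual DER certificate from the TLS handshake.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER encoding is the usual certificate fingerprint."""
    return hashlib.sha256(cert_der).hexdigest()


@dataclass
class CertCache:
    """Hypothetical trust-on-first-use cache keyed by host name."""
    seen: Dict[str, str] = field(default_factory=dict)

    def check(self, host: str, cert_der: bytes, chain_valid: bool) -> str:
        """Return 'first-seen', 'match', 'changed' or 'untrusted'."""
        fp = fingerprint(cert_der)
        pinned = self.seen.get(host)
        if pinned is not None:
            # A known host presenting a different certificate is exactly what
            # an interception proxy looks like; the client should raise a loud,
            # non-dismissable warning here instead of a routine SSL dialog.
            return "match" if pinned == fp else "changed"
        if not chain_valid:
            # Never pin a certificate that already failed validation, or an
            # interceptor present at first contact would be trusted forever.
            return "untrusted"
        # First error-free sighting: remember it for later comparison.
        self.seen[host] = fp
        return "first-seen"


# Constructed stand-ins for DER certificate bytes (not real certificates).
BANK_CERT = b"constructed-DER: CN=bank.example, serial 1"
PROXY_CERT = b"constructed-DER: CN=bank.example, issued by interceptor"


def simulate() -> List[str]:
    """Two clean visits to the bank, then a visit through an interceptor."""
    cache = CertCache()
    return [
        cache.check("bank.example", BANK_CERT, chain_valid=True),
        cache.check("bank.example", BANK_CERT, chain_valid=True),
        cache.check("bank.example", PROXY_CERT, chain_valid=True),
    ]


if __name__ == "__main__":
    print(simulate())  # ['first-seen', 'match', 'changed']
```

A legitimate certificate rotation trips the same "changed" result, so a shipping client would also need a validated way to re-pin; that trade-off is why plain comparison against a cache is a warning signal rather than a hard block.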

I think that following links in e-mail or IM is going to have to become like leaving your car unlocked at the mall. Nobody locks the car for you, even though the technology probably could, but you know that if you don't, you could get robbed. Unfortunately, a lot of people are going to lose a lot of money in the meantime.
