Re: RE: Online Fraud Protection

From: josh.perrymon@packetfocus.com
Date: Sun Jun 25 2006 - 22:44:56 EDT


I believe that Anti-Fraud measures *SHOULD* begin with information security. As a pentester working globally for very LARGE organizations I often used social engineering and directed phishing attacks to gain remote access when infrastructure and app attacks fail. Especially when the scope is VERY limited and we may only find an OWA server and a couple open ports.

We have bypassed 2factor authentication and all of the current IDS/IPS/HIPS/Content Security/BLAH goes here.

Remember it's hard to detect an attacker that uses normal comm channels.

The problem with an approach you may be taking using IE7<whatever> here is that whitelisting WILL NOT WORK for protection against directed phishing attacks. I have been using IE7 Beta for a while now and have performed over 40-50+ global phishing attacks and IE7 has not picked up our phishing site ONCE. This is because it uses M$ whitelist of
KNOWN phishing sites. Same issue with Websense and other vendors that use the same approach.

The only way that IE7 phishing filter may be useful is if it interfaces with a widget that can detect these directed attacks (small volume and very dynamic), then automatically update the phishing filter and deter the attack. (NDA here... but we are working on something :)

What about trending and controlling the attack if 2-3 users have already fallen for it???

So the core of this is USER EDUCATION. Your user base has to be aware of these types of attacks and company policy must be VERY CLEAR on what type of information support may ask for. If EVERY user knows not to submit this type of information the attack may fail. We work globally developing LMS and training content based on internal policies.

Simply because the technology isn't available to stop current directed small volume, phishing attacks.

Josh Perrymon
CEO
PacketFocus
www.packetfocus.com
josh.perrymon@packetfocus.com
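An added illustration (not code from the post or from PacketFocus) of the two points above: a filter built only from a list of KNOWN phishing sites never blocks a fresh, low-volume site, while a trending check fed by proxy logs can promote such a site to the blocklist once a few distinct users have submitted credentials to it. All hostnames, log entries and the threshold are constructed assumptions.

```python
"""Static known-phishing list vs. a trending check over proxy log entries.
Every host, log line and the threshold below is a constructed assumption."""
from collections import defaultdict

# Constructed stand-in for a vendor "known phishing sites" feed.
KNOWN_PHISHING = {"phish-example-1.test", "phish-example-2.test"}

# Constructed proxy log: (user, destination host, credential form POSTed?).
# A POST to a credential form is the signal that a user "fell for it".
PROXY_LOG = [
    ("alice", "owa-login-example.test", True),
    ("bob",   "intranet.example.test",  False),
    ("bob",   "owa-login-example.test", True),
    ("bob",   "owa-login-example.test", True),   # same user twice, counts once
    ("carol", "owa-login-example.test", True),
    ("dave",  "phish-example-1.test",   True),
]


def static_filter_blocks(host):
    """What a list-only filter does: block only hosts already on the list."""
    return host in KNOWN_PHISHING


def trending_blocklist(log, threshold=2):
    """Return hosts not on the static list to which at least `threshold`
    distinct users have submitted credentials. Distinct users, not hits,
    so one victim retrying a form does not trigger the promotion alone."""
    submitters = defaultdict(set)
    for user, host, posted_creds in log:
        if posted_creds and not static_filter_blocks(host):
            submitters[host].add(user)
    return {host for host, users in submitters.items() if len(users) >= threshold}


def effective_blocklist(log, threshold=2):
    """Static feed plus whatever the trending check promoted from the log."""
    return KNOWN_PHISHING | trending_blocklist(log, threshold)


if __name__ == "__main__":
    fresh = "owa-login-example.test"
    print("static filter blocks fresh site:", static_filter_blocks(fresh))
    print("promoted by trending:", sorted(trending_blocklist(PROXY_LOG)))
    print("effective blocklist:", sorted(effective_blocklist(PROXY_LOG)))
```

The threshold and the "credential POST" signal are the tunable parts; too low a threshold promotes legitimate internal login pages, too high one lets the 2-3 early victims the post mentions go unanswered.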





This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:56:10 EDT