How to Stop Phishing in One Easy Step
Oct 7, 2005, 01:00 UTC (2 Talkbacks) (6253 reads)

By Brandioch Conner

Here's a security concept for everyone: "if you can't do it securely, then don't do it at all."

This applies particularly when it would be far more "convenient" to do it in an insecure fashion. I'm not talking about convenience here, I'm talking about security. Applied to phishing, it means: don't use email to send links or account information. Some sites are slowly getting around to this. One of them is eBay: eBay now places a copy of all legitimate correspondence it sends you in your email account at eBay.

Of course, the problem is that if someone can match their website closely enough to fool you into entering your eBay username/password on their server, they can run a man-in-the-middle attack on your account (including showing you their own phishing email among the messages you see), and you're still 100% compromised. All that takes is time and skill to set up.

Given the limits of email right now (SPF and the like included), it is impossible for the average user to know whether a specific email is legitimate. Sure, www.ebay.com is easy to verify, but is www.myebaysecurity.com also legitimate? Should I click on the enclosed link? SPF, rDNS, and everything else can only confirm that the sending IP address is legitimately assigned to that name; they say nothing about whether that name belongs to the business.

So, the easiest solution would be to not send email with links. Yes, I am aware that this will mean the end of the cute HTML email ads that you send/receive. That's the part about "if you can't do it securely then don't do it at all." There's no use in crying about what you can't do if you can't do what you want to do in a secure fashion.
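As an added example (not part of the article), here is a small Python check that applies the author's rule to an incoming message: any link at all causes rejection, and each link's host is classified against the site the user already knows, which is what separates www.ebay.com from www.myebaysecurity.com. The KNOWN_SITES table and the two-label registered-domain rule are simplifying assumptions, not anything the article specifies.

```python
import re
from urllib.parse import urlparse

# Constructed policy data (assumption): the brand a message claims to come from,
# mapped to the registered domain the user already knows and has used before.
KNOWN_SITES = {"ebay": "ebay.com"}

# Matches bare "www." hosts as well as http(s) URLs; stops at whitespace/quotes.
URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)


def registered_domain(host):
    """Last two DNS labels of a host name.

    Simplifying assumption: adequate for .com-style names. A real deployment
    would consult the Public Suffix List to handle names such as .co.uk.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_host(host, brand):
    """legitimate: under the known domain; lookalike: carries the brand string
    but is registered elsewhere; unrelated: neither."""
    if registered_domain(host) == KNOWN_SITES[brand]:
        return "legitimate"
    if brand.lower() in host.lower():
        return "lookalike"
    return "unrelated"


def check_links(body, brand):
    """Return (verdict, findings) for a message claiming to come from `brand`.

    Following the article's rule, a message from a financial site that carries
    any link is rejected outright; the per-link classification only explains
    why, since the recipient cannot tell a lookalike from the real thing.
    A link-free notice telling the user to sign in as usual is accepted.
    """
    findings = []
    for raw in URL_RE.findall(body):
        raw = raw.rstrip(".,;:)")  # drop sentence punctuation glued to the URL
        url = raw if raw.lower().startswith("http") else "http://" + raw
        host = urlparse(url).hostname or ""
        findings.append((raw, host, classify_host(host, brand)))
    verdict = "reject" if findings else "accept"
    return verdict, findings
```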

It's 2005 and the technology has advanced enough for any financial site (that means any site that involves money being exchanged) to run its own web-email-type system. They wouldn't even need it to be SMTP-capable. It would only be used for outside people reading their email from that business and sending email to employees inside that business and for employees at that business to send/receive email from the clients connected to it.

This isn't to say that you'd have to check that email account all the time to see if you have email. Again, this is 2005. We have all kinds of means of alerting people when they need to check something. We can send a text message to their pager or cell phone, we can leave a voice message on their pager, cell phone or home phone. It would even be possible to send a text-only email without any links telling them that they have email at such-and-such bank/auction site/wherever and that they should go there to check it. Since they should already know the web site name (they have used it before, right?) they shouldn't need to have it spelled out for them in the email.

It is economical for a bank to have a computer call phones and leave voice messages if you need to contact the bank (they already do this), but it is not economical for the phishers to do that (even if they're running Skype or whatever). And it gets even easier if the bank (or whatever) allows you to choose the text message to be sent to your pager/cell phone.

The best part is that this would not require 51%+ of the email servers to be upgraded or modified or anything else. For this to work for a specific bank/site it would only require that they change. And the technology is 100% available (and Open Source) today.

It should be noted that this does not in any way describe any method for securing financial transactions done over the Web. This is just a method to kill phishing attempts and the losses associated with successful compromises.

Related Stories:
Free Software Magazine: Who's Behind that Web Site? (Jul 12, 2005)
internetnews.com: Few Browsers Safe From Latest Spoofing Flaw (Jun 23, 2005)
ZDNet Australia: Thunderbird Gets Podcasting Support (Jun 02, 2005)


Talkbacks:
"People aren't interested in security" by Richard, Oct 7, 2005, 07:13:58: Too many people don't want to know a ...
"Good Luck!" by blackhole, Oct 7, 2005, 09:20:10: A while back I received an unexpected em ...