Monday, August 18, 2008

On phishing

A quote from myself:

At first, I thought this was going to be an article about usability :)

As far as phishing goes, there's no way to differentiate a legitimate UI from a fishy one. All an attacker needs to do is copy the legitimate UI. Even if they could somehow be differentiated, statistically speaking, there will always be a large number of users that will always respond to certain prompts with muscle memory, and there will always be a variety of newly deployed social engineering attacks that don't attempt to spoof any famous vendors in particular.

Profiling is pretty ineffective too: there's no correlation between language proficiency or graphics design skill and the intent to harm for profit. Also, just because you can tell a js popup from a real AV one, doesn't mean everyone else can do it too: keep in mind that Jeff's question pertains to a naive user.

Sandboxing also only does so much. If the user says "yes yes yes password yes uac yes I'm the administrator for this computer, so install and run this already", the whole sandbox goes right out the window. Proclaiming one-sidedly to be the super admin for your aunt's computer seems kinda awkward too imho: it's like gifting her a kitchen knife set and saying "I'll keep the keys to the scabbards, just in case". There was even a case in the news recently where a tech support kid hacked a woman's webcam by abusing that meme of "putting trust in the technical expert".

There are way too many attack vectors. If users can't decide on their own when to click on the close button instead of the ok button, no amount of code or UI tweaks ever will.
