Re: [Asrg] whitelisting links (was Re: misconception in SPF)

2012-12-10 21:36:21
A few hours ago a dozen people killed me on the list because I told my
users to check hostnames in email headers. You said that end users
don't have the skill level or the time to do it.

Now along comes a "great idea": making a whitelist of what users click on in their
email and also asking them why they click what they click!

How do you treat shortened/obfuscated/tracking URLs? You are
underestimating phishers, as if they write links like
http://www.google.com. A link to the same location can be
http://bit.ly/someobfuscatedstring. And you are also overestimating
the end users, as if they were "matrix operators". The user can simply
answer you: "I trust it because the link takes me to google."

What domain/hostname do you use in reputation? bit.ly ?

This "whitelist" can be poisoned by sending a first email pointing to
the good location. Then you add bit.ly to your list... then I send a
second email pointing to an evil location!

C.

P.S. For those with linear reasoning, stop before writing "people
should use www.google.com when they want to go to www.google.com". It
was an example!



2012/12/10 Paul Smith <paul(_at_)pscs(_dot_)co(_dot_)uk>:
On 10/12/2012 16:47, Dave Crocker wrote:


On 12/10/2012 6:56 AM, Rich Kulawiec wrote:

 We see examples all day, every day, of sites
that have been hijacked by attackers and now host malicious content where
formerly there was something innocuous.

...

To wit: users should never follow "important" links in email.  They
should (for example) bookmark their bank's web site, and *always*
use the bookmark.



There is the kernel of an implementable idea here:

   1.  Create a whitelist of links the user employs regularly through their
browser.  For an extra measure of safety, query the user about how much they
'trust' the site associated with each link.  (The question needs to be put
to them with better language than asking about trust.)

   2.  Have the email client distinguish between links that are
whitelisted and those that aren't.

I don't have any idea how much incremental safety this actually would
provide, but I think it's worthy of testing.

Surely this would be a browser feature (or 'Internet Security Software'
feature) rather than an email client feature.

The email client will not necessarily have any access to web browser
history.

The web browser should know that being called from an email client is
'different' from the user clicking on a bookmark or typing in a URL in the
browser. Then, the browser could say to the user 'You've never accessed this
site before, are you sure you want to do it?', or whatever.

The problem is that to have any idea of reputation you'd have to go on the
hostname, not the full URL, as many email URLs will be 'unique' to have some
tracking information in them (yes, I know it's bad, but you won't get banks
to get rid of that, unfortunately), so each email will have different URLs
in, even if the final destination is the same.

So, the question is, is having a hostname reputation for the user better
than having no reputation, or not? I'd say yes because it would probably
catch 99% of the bad links that I see in phishing/spam, others would say no
because it won't catch 100%.



-

Paul Smith Computer Services
Tel: 01484 855800
Vat No: GB 685 6987 53

_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg
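The hostname whitelist that Dave Crocker and Paul Smith sketch above, replayed against the shortener poisoning C. objects with, as an added Python example (not code from the thread or from any list member). The redirector list, the bank hostname and every URL are constructed assumptions for the demo.

```python
# Added example, not from the thread: a toy hostname whitelist of the kind
# sketched in the discussion, used to show why a hostname-level reputation
# is poisoned by URL shorteners. All hostnames and URLs are constructed.
from urllib.parse import urlsplit

# Hosts that only redirect elsewhere; a reputation attached to them says
# nothing about the final destination, so they never enter the whitelist.
# (Assumed list for the example; a real client would maintain its own.)
REDIRECTOR_HOSTS = {"bit.ly", "t.co", "tinyurl.com"}


def hostname_of(url: str) -> str:
    """Reputation key: hostname only, because tracking URLs differ per mail."""
    return (urlsplit(url).hostname or "").lower()


class LinkWhitelist:
    def __init__(self, block_redirectors: bool = True):
        self.hosts = set()
        self.block_redirectors = block_redirectors

    def record_visit(self, url: str) -> None:
        """Step 1: whitelist hosts the user reaches through the browser."""
        host = hostname_of(url)
        if self.block_redirectors and host in REDIRECTOR_HOSTS:
            return  # a click through bit.ly does not vouch for bit.ly
        if host:
            self.hosts.add(host)

    def classify(self, url: str) -> str:
        """Step 2: the mail client marks each link known / unknown / redirector."""
        host = hostname_of(url)
        if self.block_redirectors and host in REDIRECTOR_HOSTS:
            return "redirector"
        return "known" if host in self.hosts else "unknown"


def poisoning_demo(block_redirectors: bool) -> tuple:
    """C.'s scenario: a benign shortened link first, an evil one second."""
    wl = LinkWhitelist(block_redirectors)
    wl.record_visit("https://www.example.com/login")   # constructed "bank" site
    wl.record_visit("http://bit.ly/benignstring")      # first mail: good target
    first = wl.classify("http://bit.ly/benignstring")
    second = wl.classify("http://bit.ly/evilstring")   # second mail: same host
    return first, second


if __name__ == "__main__":
    print("naive   :", poisoning_demo(block_redirectors=False))  # both "known"
    print("hardened:", poisoning_demo(block_redirectors=True))   # both "redirector"
```

Without the redirector rule the second, evil link is marked "known" purely because bit.ly was whitelisted by the first one; with it, both shortened links are surfaced to the user as links whose destination the whitelist cannot vouch for.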