Blog Archives

<>< [Phish / Fish] ing attacks are still viable

Fairly uninteresting from a technical point of view, but worth noting as a perpetual problem. The Register reports on a recent fishing attack against Hotmail and other web-based email users. Phishing, Fishing, <><, all refer to what is known

Posted in Hacks, Cracks, and Attacks

Users are the weakest link

Not a week goes by without some new problem surfacing in day-to-day communication security. The newest stems from a Black Hat talk by Moxie Marlinspike of thoughtcrime.org. This attack is not sky-is-falling, immediate-action-required bad, but is instead of the depressingly presentable variety. Moxie’s new attack is actually quite elegant and has a retro vibe to it in exploiting the most vulnerable link in any security chain: the user.

His setup for the attack examines website design as it relates to SSL security. He observes that users do not type HTTPS, but rather encounter it from HTTP pages, such as login boxes which post to HTTPS URLs. Separating the feedback mechanisms into positive and negative, he also notes that failing to trigger the positive mechanisms (little locks, changing colored address bars, etc.) is not so bad, while triggering the negative mechanisms (invalid security certificate, problem encountered with the website’s certificate, etc.) is a game killer.

Posted in Hacks, Cracks, and Attacks