Up Next: Quarantine Phishing (Was: Dutch ISPs to collaborate and take responsibility for botted clients)

Jeroen Massar jeroen at unfix.org
Tue Oct 6 18:09:20 UTC 2009


mark [at] edgewire wrote:
> The end problem is still users and really, these users will click on
> anything that has a bright and shiny button which says, Ok. Really, does
> setting up a portal help? Perhaps a "sandboxed"  area which has some
> information on securing their machine and keeping it clean may be the
> way to go but how much more of a resource will it chew up?

And then the nice phisher people come in and they replicate the
quarantine website of various providers (just check IP address, you know
the ISP and present the appropriate page) after having lured them to
some site they control.

Then they simply have a nice big "Install this cool tool to update your
computer" link et voilà.

The problem with all of that boils down to what people have to
believe... and how to properly inform them of that...

Yes, I think the sandbox/quarantine style things are the way to go for
the time being, but there are other more important things that need
fixing. (afaik) Most people will get infected by clicking on something
at one point in time on some weird website, even after having googled it
etc. The problem is that it is really hard to show to the user that a
site is 'trustworthy' or not, especially as everyone can just get an SSL
certificate for faceb0ok.com and m1crosoft.com and soon also for all the
nice variants in the IDN space, thus SSL doesn't state anything, it just
makes the connection secure (aka unsniffable unless there is a 3 letter
acronym doing so, or they have access to either end). And that would not
help much either as even Facebook and other such sites have been used to
distribute worms, thus it becomes really hard to do it on a domain
basis, as what is on a domain at point X in time, will be different at
point Y, thus distributing lists becomes problematic too. The company
that can come up with a proper universal solution to that problem (and
patent it so they can actually get the moneyz) will probably end up doing
quite well. Most likely though it means restricting user freedom, which
is the counter problem as that is something one doesn't want, and when
there is an option to disable it, then people will just disable it.

Greets,
 Jeroen
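The lookalike-domain point in the message above (faceb0ok.com, m1crosoft.com and their IDN variants) as an added illustration, not code from the thread or from any ISP's portal: a small detector that decodes punycode labels, folds digit and Cyrillic confusables onto a Latin skeleton, and reports which protected domain a hostname imitates. The protected-domain list and the confusable table are constructed assumptions and are far from exhaustive.

```python
import unicodedata
from typing import Optional

# Constructed list of domains worth protecting (assumption for this example).
PROTECTED = {"facebook.com", "microsoft.com"}

# Constructed confusable table: each key is folded to a "class" character.
# Latin i/l/1 and Cyrillic lookalikes all fold to 'l'; digits to the letter
# they imitate; common Cyrillic homoglyphs to their Latin twin.
CONFUSABLES = {
    "0": "o", "1": "l", "i": "l", "3": "e", "5": "s", "7": "t", "8": "b",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0455": "s",
    "\u0456": "l", "\u04cf": "l", "\u0458": "j",
}

def to_unicode(host: str) -> str:
    """Lower-case the host and decode any xn-- (punycode) labels."""
    labels = []
    for label in host.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass  # undecodable label: keep it literally
        labels.append(label)
    return ".".join(labels)

def skeleton(host: str) -> str:
    """NFKD-decompose, drop combining marks, then fold confusables."""
    text = unicodedata.normalize("NFKD", to_unicode(host))
    return "".join(CONFUSABLES.get(ch, ch)
                   for ch in text if not unicodedata.combining(ch))

def lookalike_of(host: str) -> Optional[str]:
    """Return the protected domain `host` imitates, or None.
    The protected domain itself and its real subdomains are not flagged."""
    exact = to_unicode(host)
    sk = skeleton(host)
    for brand in PROTECTED:
        if exact == brand or exact.endswith("." + brand):
            return None
        bsk = skeleton(brand)
        if sk == bsk or sk.endswith("." + bsk):
            return brand
    return None

if __name__ == "__main__":
    for h in ("faceb0ok.com", "m1crosoft.com", "www.facebook.com"):
        print(h, "->", lookalike_of(h))
```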

