[funsec] The end of Phishing in sight?

Blanchard_Michael at emc.com Blanchard_Michael at emc.com
Tue Oct 18 09:09:29 CDT 2005

I like the idea of the USB fob, with the button on the fob that the user has
to press, or even better a fingerprint reader on the fob.  The fingerprint
reader would be a cool thing for marketing too.

  They should hand out USB extension cables with the fobs too, as not
everyone has a USB port in the front of their computer...  Make it as easy
as possible for the user to use, and he'll be more likely to use it. 

Michael P. Blanchard 
Antivirus / Security Engineer, CISSP, GCIH, MCSE, MCP+I 
Office of Information Security & Risk Management 
EMC ² Corporation 
4400 Computer Dr. 
Westboro, MA 01580 
email:  Blanchard_Michael at EMC.COM 

-----Original Message-----
From: Blue Boar [mailto:BlueBoar at thievco.com] 
Sent: Monday, October 17, 2005 5:39 PM
To: Blanchard, Michael (InfoSec)
Cc: funsec at linuxbox.org
Subject: Re: [funsec] The end of Phishing in sight?

Blanchard_Michael at emc.com wrote:
>   If we, the security community, could design and build the securest
> bank, what would we use?  

If I have to work within the limitation that end-users are pretty 
gullible, and will fall for things like phishing emails and bad or 
missing SSL, then I'm pretty screwed.

However, even with that, here's my best attempt given 60 seconds, off 
the top of my head:

Give the user a USB device that can do challenge-response, has the 
bank's cert built into it, and checks the signed challenge from the 
bank.  User has to hit a button or maybe provide a fingerprint to 
activate it.  Token has its own private key.  Maybe give it some extra 
brains, and have it be able to keep a counter as well, to preclude 
rollback attacks.  Maybe give it lots of brains, and have it do the 
processing in the token.

In other words, a cut-down in-token version of Palladium.  The key 
points are:

-Challenge-response (helps with some limited flavors of MITM)
-Checks SSL cert on its own (can't skip, or fake a different cert)
-Doesn't give the user a chance to click "yes, ignore the warning, let 
me see the dancing pigs"
-Requires physical user presence to activate (to guard against remote 
attacker-drive activation)
-Important calculations are done in a (hopefully) secure piece of hardware.

At this point, I *think* you have to compromise the user's box for a 
technical attack.  of course, a good local rootkit, and the user is 
still vulnerable to attack.


More information about the funsec mailing list