I think if major vendors used signed emails, it would be a good step. However, I'm not sure in the long run it will do much good.

First, the real problem isn't technical, it's educational. Most users sophisticated enough to download a public key, verify the fingerprint, and install it on their keyring aren't going to be fooled by phishing attacks anyway.

Second, as far as I know, there is no standard for encryption software. Signing something with, say, PGP doesn't do a blind bit of good unless the recipient has gone to the bother of downloading and installing PGP on their system. (See above.) And if you haven't installed PGP, seeing the BEGIN PGP SIGNED MESSAGE verbiage on an email may give a false sense of security when the message may have been signed by an invalid key, or may not have been signed at all and the enclosed "signature" is random garbage.

Third, I can see a new variant of the phishing attack. "WARNING: OUR SECURITY HAS BEEN COMPROMISED. PLEASE CLICK ON THE LINK BELOW TO ADD OUR NEW SECURITY CERTIFICATE TO YOUR KEYRING AND RE-VERIFY YOUR PERSONAL INFORMATION". (This also touches on the subject of key revocations, but I'll leave that alone for now.)

Ben

-----Original Message-----
From: Aleksandar Milivojevic [mailto:amilivojevic@xxxxxx]
Sent: Thursday, September 23, 2004 9:57 AM
To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: New whitepaper "The Phishing Guide"

Gunter Ollmann (NGS) wrote:

[snip]

> While the Phishers
> develop evermore sophisticated attack vectors, businesses flounder to
> protect their customers' personal data and look to external experts for
> improving email security. Customers too have become wary of "official"
> email, and organisations struggle to install confidence in their
> communications.

Sometimes it's unbelievable how long it takes organizations to discover that email can be signed. Especially nowadays when all major mail readers have support for at least S/MIME (and the really good ones have support for at least PGP ;-) ).
--
Aleksandar Milivojevic <amilivojevic@xxxxxx>    Pollard Banknote Limited
Systems Administrator                           1499 Buffalo Place
Tel: (204) 474-2323 ext 276                     Winnipeg, MB R3T 1L7
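Ben's point about a "signature" that is really random garbage behind a BEGIN PGP SIGNED MESSAGE banner can be made concrete. The script below is an added example, not code from this thread or from any PGP implementation. It contrasts three levels of checking on a clearsigned message: the banner check a human eye does, a structural check that decodes the ASCII armor and verifies its CRC-24 trailer (parameters from RFC 4880), and the observation that even a passing CRC proves nothing about who signed, which only a real OpenPGP verifier with a trusted key can establish. The sample messages and the `FAKE_PACKET` bytes are constructed for the demonstration; the packet is not a real OpenPGP signature.

```python
import base64
import binascii
import re

# CRC-24 parameters from RFC 4880 section 6.1 (OpenPGP ASCII armor checksum).
CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB


def crc24(data: bytes) -> int:
    """CRC-24 as used for the '=XXXX' trailer line of an armor block."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def looks_signed(text: str) -> bool:
    """The 'check' the eye performs: is the clearsign banner present at all?"""
    return "-----BEGIN PGP SIGNED MESSAGE-----" in text


SIG_BLOCK = re.compile(
    r"-----BEGIN PGP SIGNATURE-----\n(.*?)-----END PGP SIGNATURE-----", re.S
)


def armor_checksum_ok(text: str) -> bool:
    """Decode the armored signature block and compare its CRC-24 trailer.

    Passing only proves the armor is well-formed radix-64 with an intact
    checksum. It says nothing about which key signed or whether the
    signature is cryptographically valid; that needs an OpenPGP verifier
    and a key the recipient actually trusts.
    """
    match = SIG_BLOCK.search(text)
    if not match:
        return False
    lines = match.group(1).split("\n")
    if "" not in lines:  # armor headers must be terminated by a blank line
        return False
    data_lines = [ln for ln in lines[lines.index("") + 1:] if ln]
    if not data_lines or not data_lines[-1].startswith("="):
        return False
    crc_line = data_lines.pop()
    try:
        packet = base64.b64decode("".join(data_lines), validate=True)
        stated = int.from_bytes(base64.b64decode(crc_line[1:], validate=True), "big")
    except (binascii.Error, ValueError):
        return False
    return len(packet) > 0 and crc24(packet) == stated


def build_armor(packet: bytes, checksum=None) -> str:
    """Wrap bytes in a PGP SIGNATURE armor block; CRC is correct unless overridden."""
    if checksum is None:
        checksum = crc24(packet)
    body = base64.b64encode(packet).decode()
    body_lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    crc_b64 = base64.b64encode(checksum.to_bytes(3, "big")).decode()
    return "\n".join(
        ["-----BEGIN PGP SIGNATURE-----", ""] + body_lines
        + ["=" + crc_b64, "-----END PGP SIGNATURE-----"]
    )


# Constructed samples. FAKE_PACKET is arbitrary bytes, not a real OpenPGP
# signature packet; it only exercises the armor and checksum layer.
CLEARSIGN_HEADER = "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\n"
BODY = "Dear customer, please re-verify your account details.\n"
FAKE_PACKET = b"\x88\x5c\x04\x00\x01\x02\x00\x06\x05\x02" + bytes(range(20))

# Well-formed armor with a matching checksum.
MSG_WELLFORMED = CLEARSIGN_HEADER + BODY + build_armor(FAKE_PACKET)
# Same bytes, checksum deliberately off by one bit, as a corrupted block would be.
MSG_BAD_CRC = CLEARSIGN_HEADER + BODY + build_armor(
    FAKE_PACKET, checksum=crc24(FAKE_PACKET) ^ 0x1
)
# The banner, plus free text where a signature should be.
MSG_GARBAGE = CLEARSIGN_HEADER + BODY + (
    "-----BEGIN PGP SIGNATURE-----\n\nnot really a signature at all\n=xyz\n"
    "-----END PGP SIGNATURE-----"
)


if __name__ == "__main__":
    for name, msg in [("well-formed", MSG_WELLFORMED),
                      ("bad crc", MSG_BAD_CRC),
                      ("garbage", MSG_GARBAGE)]:
        print(f"{name:12} looks signed: {looks_signed(msg)!s:5} "
              f"armor checksum ok: {armor_checksum_ok(msg)}")
```

All three messages pass `looks_signed`, which is exactly the false sense of security described above. The checksum check rejects the garbage and the corrupted block, but accepts the well-formed one even though its payload is meaningless bytes; the only check that distinguishes a genuine signature from a well-formed fake is cryptographic verification against a key the recipient has obtained and trusts out of band.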