Comments: A hand of Pennies

> http://www.honeynet.org/papers/phishing/


I wonder about the number of *fake* honeypots out there...

If a naive friend of Ivan had a vulnerable machine tweaked to report back hijacking for the purpose of phishing, Ivan could phish the phisher's phishing, or, in other words, harvest the same data the phisher harvested through his innocent friend's machine. It would be easy for Ivan to protect his friend from prosecution by proving his machine was compromised, and highly improbable that the 'authorities' would detect 1) Ivan was deliberately monitoring the vulnerable machine 2) had harvested the harvested identity data.

Posted by HB at June 16, 2005 07:09 AM

Too Cunning :-)

I suspect you would have to be a bit lucky and get access to the right machine; as phishing is generally a multi-phase operation, and different phases go over different machines and different channels. You wouldn't want to monitor the mail-out machines, you'd have to get the web-server machines.

It might also be a cover for an inside job I suppose, so as to rake out the data as an insider, and if ever there was an investigation one could simply point at the naive machine that had been compromised.

Posted by Iang at June 16, 2005 07:19 AM

Speaking of insiders raking out data: how does one identify the source of the leak of a secret known by more than two people? I am almost convinced that it is theoretically impossible and hence we have a huge tragedy-of-the-commons situation with every secret shared by three or more parties: if the per-individual slice of the shared cost of compromise is significantly lower than the private benefit of selling the secret, it will be sold. Hence, I tend to be suspicious of any system where more than two people have access to any particular secret.

Posted by Daniel A. Nagy at June 17, 2005 05:24 PM

I do not think phishing per se is illegal under anything more than tort or trademark law. If your friend uses the information for financial fraud then, duh, it's illegal. If your friend does not use the information for fraud then it is not illegal, but it is also without value. In one case your friend is phishing. In the other case your friend is taking a risk with no benefit.

Security can be evaluated based on the risk in a large system. "I know the data" is not itself fraud or every merchant who sells on the net (START YOUR ACCOUNT, not PAY FOR YOUR PURCHASE) would be busted.

-Jean

Posted by L Jean Camp at June 20, 2005 02:56 PM

In spy novels, the mole is caught by feeding in lots of tracer secrets to different people and seeing which tracers pop up on the other side.

Posted by Spy v. spy at June 24, 2005 06:34 AM
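The tracer approach in the last comment, as an added illustration that is not from any of the commenters: each recipient of a shared secret gets a copy carrying a distinct HMAC-derived tracer, and a leaked copy is attributed to whoever held that tracer. The issuer key, recipient names and memo text are constructed for the example.

```python
import hmac
import hashlib
import re

# Assumption: KEY is held by the issuer only and never given to recipients,
# so no recipient can predict or forge another recipient's tracer.
KEY = b"issuer-secret-key"  # constructed example value

def tracer_for(recipient: str, secret_id: str) -> str:
    """Derive an unguessable per-recipient tracer token from an HMAC."""
    mac = hmac.new(KEY, f"{secret_id}:{recipient}".encode(), hashlib.sha256).hexdigest()
    return f"REF-{mac[:12].upper()}"

def issue(secret_id: str, body: str, recipients: list[str]) -> dict[str, str]:
    """Return one variant of the text per recipient, differing only in its tracer."""
    return {r: body.replace("{TRACER}", tracer_for(r, secret_id)) for r in recipients}

def attribute(secret_id: str, leaked: str, recipients: list[str]) -> list[str]:
    """List the recipients whose tracers appear in a leaked copy.

    One name: the leak source. Several: collusion or a merged copy.
    None: the tracer was stripped, or the leak came through a channel
    outside this scheme (the comment above calls that an impossible case;
    tracers only attribute leaks that preserve the marked text).
    """
    found = set(re.findall(r"REF-[0-9A-F]{12}", leaked))
    return [r for r in recipients if tracer_for(r, secret_id) in found]

if __name__ == "__main__":
    people = ["alice", "bob", "carol"]
    copies = issue("memo-42", "Meeting moved to room 7. Ref {TRACER}.", people)
    print(attribute("memo-42", copies["bob"], people))  # ['bob']
```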