[cap-talk] Phishing with YURLs and Petnames
toby.murray at dsto.defence.gov.au
Mon Feb 13 23:07:08 EST 2006
Sandro's message got me thinking.
I'm curious to discover how one might defend against the following sort
of phishing attack that employs YURLs and tries to effectively render
the Petname tool useless. Before getting into it, let me just say that I
think the ideas behind both YURLs and Petnames are great. I'm not trying
to dis' anyone's ideas here, but merely just throwing up a scenario for
--- Begin Toby's quick and dirty YURL/Petname based phish ---
Dear yurl.net member,
After months of hard work we are proud to announce the immediate
availablability of the yurl.net misdirectory. This unique service allows
you to store links to your favourite sites online, allowing them to be
shared amongst multiple machines and with other users, while ensuring
that you remain in tight control.
Existing yurl.net account holders are entitled to use this service
absolutely FREE of charge.
You may access your account using the following secret links:
The above link may be used to EDIT your bookmark collection. ANYONE who
knows this link can edit your bookmarks.
The above link may be used to VIEW your bookmark collection. ANYONE who
knows this link can view your bookmarks.
These secret links should be managed with care. Therefore, we recommend
the use of the Petname tool in order to allow you to manage your secret
links. When visiting each of the above links for the first time, ensure
you add a petname for each. Then, in future, simply enter the chosen
petname into the petname toolbar in order to use each of the above
links. Whenever you use the yurl.net misdirectory, you can be assured
that you are not the victim of so-called "phishing" attacks by checking
for the presence of the appropriate petname in the petname toolbar.
We hope you enjoy this new service and welcome feedback from all of our
the yurl.net team.
--- End Toby's quick and dirty YURL/Petname based phish ---
The problem here is that we can trust a web of links (YURLs). Petnames
allow us to work effecitvely within this web of links (especially if we
track the 'reputation' of various links and allow this to affect the
reputation of those links that they introduce us to). But as soon as we
break out of this web of links, we seem to be back to "square one" (back
where we started). If user education is the solution, then I'm not sure
how much extra security we have gained.
Advanced Computer Capabilities Group
Information Networks Division
IMPORTANT: This e-mail remains the property of the Australian Defence
Organisation and is subject to the jurisdiction of section 70 of the
Crimes Act 1914. If you have received this e-mail in error, you are
requested to contact the sender and delete the e-mail.
More information about the cap-talk