[cap-talk] Phishing with YURLs and Petnames
Toby Murray
toby.murray at dsto.defence.gov.au
Mon Feb 13 23:07:08 EST 2006
Hi cap-talk,
Sandro's message got me thinking.
I'm curious to discover how one might defend against the following sort
of phishing attack that employs YURLs and tries to effectively render
the Petname tool useless. Before getting into it, let me just say that I
think the ideas behind both YURLs and Petnames are great. I'm not trying
to dis' anyone's ideas here, but merely just throwing up a scenario for
debate.
--- Begin Toby's quick and dirty YURL/Petname based phish ---
Dear yurl.net member,
After months of hard work we are proud to announce the immediate
availability of the yurl.net misdirectory. This unique service allows
you to store links to your favourite sites online, allowing them to be
shared amongst multiple machines and with other users, while ensuring
that you remain in tight control.
Existing yurl.net account holders are entitled to use this service
absolutely FREE of charge.
You may access your account using the following secret links:
httpsy://38dkcjdskcd.yurl.net/misdirectory/adkrdf409r9d;dkcudkduuldi943lcduelf
The above link may be used to EDIT your bookmark collection. ANYONE who
knows this link can edit your bookmarks.
httpsy://38dkcjdskcd.yurl.net/misdirectory/39dldfldic.d;;;dofortcpedoel509r89s
The above link may be used to VIEW your bookmark collection. ANYONE who
knows this link can view your bookmarks.
These secret links should be managed with care. Therefore, we recommend
the use of the Petname tool in order to allow you to manage your secret
links. When visiting each of the above links for the first time, ensure
you add a petname for each. Then, in future, simply enter the chosen
petname into the petname toolbar in order to use each of the above
links. Whenever you use the yurl.net misdirectory, you can be assured
that you are not the victim of so-called "phishing" attacks by checking
for the presence of the appropriate petname in the petname toolbar.
We hope you enjoy this new service and welcome feedback from all of our
users.
Yours sincerely,
the yurl.net team.
--- End Toby's quick and dirty YURL/Petname based phish ---
The problem here is that we can trust a web of links (YURLs). Petnames
allow us to work effectively within this web of links (especially if we
track the 'reputation' of various links and allow this to affect the
reputation of those links that they introduce us to). But as soon as we
break out of this web of links, we seem to be back to "square one" (back
where we started). If user education is the solution, then I'm not sure
how much extra security we have gained.
thanks,
Toby
--
Toby Murray
Advanced Computer Capabilities Group
Information Networks Division
DSTO, Australia
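As an added illustration of the argument above (not code from the post, from the Petname tool or from yurl.net), a toy model of a petname toolbar over YURLs: a site reached from the e-mail shows no petname at first, shows one as soon as the user follows the mail's instruction to assign it, and only the kind of introduction tracking Toby mentions in passing tells it apart from a site reached inside the web of links. The mybank.example links, their fingerprints and the trust-root notion are constructed assumptions; the yurl.net link is shortened from the post.

```python
# Toy petname toolbar over YURLs (httpsy://<fingerprint>.host/...); a constructed
# example for this post, not the Petname tool's or yurl.net's own code.
from urllib.parse import urlparse

OUT_OF_BAND = "out-of-band"  # link arrived by e-mail or chat, not from a visited page
class PetnameTool:
    def __init__(self):
        self.petnames = {}       # fingerprint -> petname the user chose
        self.introduced_by = {}  # fingerprint -> introducing fingerprint or OUT_OF_BAND
        self.roots = set()       # fingerprints the user vouched for directly
    @staticmethod
    def fingerprint(yurl):
        u = urlparse(yurl)
        if u.scheme != "httpsy" or not u.hostname:
            raise ValueError("not a YURL: " + yurl)
        return u.hostname.split(".")[0]  # the key fingerprint is the first label
    def assign(self, yurl, petname, root=False):
        fp = self.fingerprint(yurl)
        self.petnames[fp] = petname
        if root:  # the user vouches for this site directly, e.g. a typed-in bookmark
            self.roots.add(fp)
            self.introduced_by.setdefault(fp, OUT_OF_BAND)
    def visit(self, yurl, via=None):
        """Return what the toolbar shows: the site's petname, or None.
        `via` is the YURL of an already visited page whose link was followed; an
        unknown introducer counts as out of band, which keeps the graph acyclic."""
        fp = self.fingerprint(yurl)
        via_fp = self.fingerprint(via) if via else None
        self.introduced_by.setdefault(fp, via_fp if via_fp in self.introduced_by else OUT_OF_BAND)
        return self.petnames.get(fp)
    def inside_web(self, yurl):  # True only if introducers chain back to a root
        fp = self.fingerprint(yurl)
        while fp not in self.roots:
            fp = self.introduced_by.get(fp, OUT_OF_BAND)
            if fp == OUT_OF_BAND:
                return False
        return True

def scenario():
    tool = PetnameTool()
    bank = "httpsy://a1b2c3.mybank.example/login"        # constructed trust root
    tool.assign(bank, "My Bank", root=True)
    stmts = "httpsy://d4e5f6.mybank.example/statements"  # constructed, linked from bank
    tool.visit(stmts, via=bank)
    tool.assign(stmts, "Bank statements")
    phish = "httpsy://38dkcjdskcd.yurl.net/misdirectory/adkrdf409r9d"  # shortened from the post
    before = tool.visit(phish)          # followed from the e-mail: no introducer
    tool.assign(phish, "My bookmarks")  # the mail asks the user to do exactly this
    return {"phish_before": before, "phish_after": tool.visit(phish),
            "stmts_inside_web": tool.inside_web(stmts), "phish_inside_web": tool.inside_web(phish)}
```

A plain petname lookup (`visit`) cannot tell the two assigned sites apart; only `inside_web`, which records how each link was reached, shows that the yurl.net link was never introduced by anything the user already trusted.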