[cap-talk] Phishing with YURLs and Petnames

Toby Murray toby.murray at dsto.defence.gov.au
Tue Feb 14 18:20:46 EST 2006


This is all fairly interesting discussion. The main point I see 
essentially relates to user expectations. That is, users are used to 
receiving links in email. How many times do you send an interesting news 
item to people you know via email? This is fine for ordinary links. 
However, when we start talking about authority carrying YURLs, the story 
is different. When receiving a capability (YURL) through a 
non-capability channel (e.g. email), all assumptions about trust go out 
the window. This is fine if users understand this. However, I think most 
cannot be expected to make this distinction. (As usual, this is a total 
generalisation with no real evidence to back it up -- we can argue over 
whether it's acceptable if people like).

When receiving a cap over a non-cap channel, users will necessarily try 
to use other means to gauge the trustworthiness of the entity the cap 
addresses. My point with the original email was that users might be 
likely to use things like the domain name from the YURL (which can 
easily be spoofed).

The Petname tool will indicate "untrusted" or whatever. However, that 
was why the original email hinted at this and indicated to the user to 
add the petname themselves as soon as they visited. In this sense, the 
user is given a statement (from a somewhat questionable authority) to 
expect that the petname tool will indicate "untrusted" and to accept 
this as OK. The phisher is trying to alter the user's normal 
expectations in this instance by leveraging the trust the user has in 
the domain name and the trust the user has in the Petname tool. By 
making explicit reference to the Petname tool the phisher is trying to 
increase the level of trust the user will be imputing to the email 
sender. ("I trust Petname tool. yurl.net told me to use the Petname 
tool. This email makes explicit reference to this tool AND [appears to 
be] from yurl.net. Therefore, I'll trust the email when it tells me to 
violate my usual assumptions.")

I tend to think that saying "Users should not trust an introduction over 
an insecure channel, full-stop" (yeah, I've paraphrased Sandro to use 
Aussie dialect) is too much to ask, but maybe I'm wrong.

thanks,
Toby



-- 
Toby Murray
Advanced Computer Capabilities Group
Information Networks Division
DSTO, Australia

IMPORTANT: This e-mail remains the property of the Australian Defence
Organisation and is subject to the jurisdiction of section 70 of the
Crimes Act 1914. If you have received this e-mail in error, you are
requested to contact the sender and delete the e-mail.
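The two points in the post above (the domain name in a YURL is spoofable, and the petname tool will say "untrusted" for a cold introduction) can be made concrete with a toy petname lookup. The following is an added example, not code from the post, from the cap-talk list or from any petname tool; it assumes a YURL of the form `httpsy://*<fingerprint>@<host>/<path>`, where only the fingerprint (a hash of the site's key) identifies the site and the host is a routing hint anyone composing a link can choose. The fingerprints, hostnames and the `PetnameStore` class are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Assumed YURL shape for this example (not taken from the post):
#   httpsy://*<fingerprint>@<host>[:<port>][/<path>]
# <fingerprint> is a base32 hash of the site's public key and is the only part that
# identifies the site; <host> is just a hint chosen by whoever composed the link,
# which is why a phisher can put a familiar domain name there.
YURL_RE = re.compile(
    r"^httpsy://\*(?P<fingerprint>[a-z2-7]+)@(?P<host>[^/:]+)"
    r"(?::(?P<port>\d+))?(?P<path>/.*)?$"
)


@dataclass(frozen=True)
class YURL:
    fingerprint: str
    host: str
    path: str


def parse_yurl(text: str) -> YURL:
    """Split a YURL into its authenticating part (fingerprint) and its hints."""
    m = YURL_RE.match(text.strip())
    if m is None:
        raise ValueError("not a YURL: %r" % text)
    return YURL(m.group("fingerprint"), m.group("host"), m.group("path") or "/")


class PetnameStore:
    """Toy petname tool: maps key fingerprints (never hostnames) to the user's
    own private names for sites they have already decided to trust."""

    def __init__(self) -> None:
        self._by_fingerprint: Dict[str, str] = {}

    def add(self, yurl: YURL, petname: str) -> None:
        # The binding is to the key, so a later link with the same host name but a
        # different key still shows as untrusted.
        self._by_fingerprint[yurl.fingerprint] = petname

    def lookup(self, yurl: YURL) -> Optional[str]:
        return self._by_fingerprint.get(yurl.fingerprint)


def label_for(store: PetnameStore, link: str) -> str:
    """What the petname tool would display next to a received link."""
    return store.lookup(parse_yurl(link)) or "untrusted"


# Constructed sample data: one fingerprint the user has already named, and a
# second fingerprint (a different key) presented under the very same host name.
BANK_FP = "gu7ks4jq7amj5a5y2bvo5vwqz3ijq6rn"
PHISH_FP = "x2mrj7q3vbdp3ksfnj4aomyz5ihmzq6r"
BANK_LINK = "httpsy://*%s@yurl.net/account" % BANK_FP
PHISH_LINK = "httpsy://*%s@yurl.net/account" % PHISH_FP


def fresh_store() -> PetnameStore:
    """A store in which the user has named only the genuine key."""
    store = PetnameStore()
    store.add(parse_yurl(BANK_LINK), "my bank")
    return store


def demo() -> Dict[str, object]:
    """Show what the tool says before and after the user follows the emailed
    instruction to 'add the petname yourself as soon as you visit'."""
    store = fresh_store()
    before = label_for(store, PHISH_LINK)          # "untrusted": unknown key
    # Following the phisher's instruction binds the phisher's key to the trusted
    # name; from then on the tool has nothing left to distinguish the two links.
    store.add(parse_yurl(PHISH_LINK), "my bank")
    after = label_for(store, PHISH_LINK)           # "my bank"
    same_host = parse_yurl(PHISH_LINK).host == parse_yurl(BANK_LINK).host
    return {"phish_before": before, "phish_after": after, "same_host": same_host}


if __name__ == "__main__":
    print(demo())
```

The lookup deliberately ignores `host`, so the matching domain name in the phishing link buys the attacker nothing on its own; the "untrusted" label is the tool's whole signal, and the emailed instruction to add a petname on first visit is what removes it.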
