(sigh)
We remain willing to answer anyones legitimate questions about the product.

Sestus Data Administration

@SestusData

No we don't this is a security forum not a marketing forum.
I'm starting to think you're a spam chatbot.

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill

To Gareth,
I understand that this is a security forum. Believe me, if I were a marketing guy, I would be going on and on about its strengths, its low prices, etc. Have I said anything like that? Not much, right? No, my job is to put out correct information and answer questions in forums and other venues.

On a personal note, the original poster started this thread and asked the forum members for their opinions of PhishCops(R). I offered to assist those members who may have any questions. Simple as that. But that was simply too much for some people like Thrill, who see people in my position as targets for their hate. They use forums like this to vent and attack other people, rather than for sharing information and learning. Im used to it, but it is difficult sometimes to maintain my temper when confronted with such vile language and ridiculous nonsense. Personally, I wish the forum moderators would close the thread as it is taking too much of my time responding to the nonsense and unrelated topics. In any event, I work within guidelines and answer to a boss, and (thankfully), he has said I may no longer respond to posts by Thrill, which saves me considerable time.

Anyway, no I am not a bot. As I said before, I work for the company and it is my job to make sure correct information is published online and also to provide answers in forums such as these. Hopefully, through all of this, the original poster will get his questions answered, and others who have a sincere interest in learning how the product works will be able to have their questions answered.

Sestus Data Administration



Edited 1 time(s). Last edit at 06/02/2008 03:57PM by SestusData.

There, I removed your product name from the Subject of this thread, hopefully this will convince you, and your boss to leave these forums to their users. No one here requested information from YOU, Sestus Data and/or PhishCops personnel. They requested OUR opinions.

As for the language, prior to you calling me an idiot there was absolutely no abusive language on these postings.

And while you are right, and I have a very deep seeded hatred towards ignorant people, my original postings were merely poking fun at some of your own statements that point out the fact that you and your company do not take security seriously by thinking that your 'demo' site does not deserve to be as protected as your production servers.

Wow, you keep on making the hole larger and larger:

Quote

From: "sla.ckers.org robot" <h@ckers.org>

SestusData has reported a message. The reason given was:
------------------------------------------------------------------------
The user Thrill being abusive and using profanity on this forum.

<http://sla.ckers.org/forum/read.php?13,20059,22722#msg-22722>
------------------------------------------------------------------------
Forum: News and Links
Subject: Re: Opinion on Phishcops/Virtual Tokens
Author: thrill
IP: 127.0.0.1
Date: 06/02/2008 01:11PM

First you accuse me of hiding behind my anonymity, then I request you reveal yourself as well and you act like a 4 year old whose candy was just taken. Get a clue and grow up. The thread no longer has your shitty product on the title so go away.

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill



Edited 1 time(s). Last edit at 06/02/2008 04:25PM by thrill.

To Cryptic,
You suggested that Thrill was not responsible for the repeated blocks on member IPs, yet He is apparently able to receive private posts to the forum moderators, block IP addresses of those whom he disagrees with, and his picture shows him wearing a forum-logoed T-shirt. I think you may be mistaken Cryptic.

In any event, if anyone has any questions that they would like me to answer regarding PhishCops(R), let me know. As long as this forum thread remains active, I am required to make myself available to its answer any PhishCops(R)-related questions from its members. Personally, I wish the forum thread would go away but thats not within my power.

Quote

and his picture shows him wearing a forum-logoed T-shirt

Yes! I must be the one blocking you since my t-shirt says so!

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill

Part of me does not want to contribute anymore to this flamewar (although, lolcow amirite?)
But I need some clarification before I work on a little project:

SestusData Wrote:
-------------------------------------------------------
> To Tx,
> Next, while the request may be coming from the
> users browser, in a man-in-the-middle attack it is
> the fraudsters device that is connected to the
> authenticating website, hence the term
> man-in-the-MIDDLE.
In a browser based MITM scenario it is the legitimate users computer that is connected to the website; hence the "browser based" portion.

> Obviously, the first challenge
> for the fraudster would be to obtain the users
> key, not an easy task in this situation. But lets
> suppose the fraudster could infect the victims
> computer with malware and obtain the key.
Except that it could be read by javascript in the DOM, or if the site isn't using SSL (like your demo site), can just be plucked from the air for a wireless connection (for example).

> Since
> the fraudsters computer is likely different than
> the users, the key would not validate and
> authentication would fail on that point alone.
> But lets suppose the fraudster manages to clone or
> replicate the users device to the authenticating
> website...
Or somehow manages to invent a magical language that can somehow 'script' the behavior of the users' browser.

> the fraudster is still connecting from
> a different IP address. This would render the key
> invalid and authentication would fail.
Except that auth would succeed in the scenario I've laid out

> So, lets
> suppose the fraudster attempts to construct a
> valid key on their own. Even if the fraudster can
> spoof the users IP address to the authenticating
> server, the fraudster cannot construct a valid key
> for that IP without access to non-disclosed
> server-side PKI keys on the authenticating servers
> website which are used in the key exchange.

Nobody needs to validate a new IP, when the users browser would do. Besides I haven't even looked into the potential for using CSRF to add machine profiles or modify contact information.


>
> Finally, XSS is NOT widely used for phishing.
um, yes it is. Not as common as setting up a webpage at myspace.com-index.cfm.com or something, but it's still fairly common.
Although, I'm sure phishers wouldn't utilize XSS anyway, it's not fair to PhishCops(R).

> the point is, even if a
> PhishCops(R)-equipped website had an XSS hole,
> this would have no impact of the PhishCops(R)
> authentication process. It is apples and oranges.
> One is not affected by the other.

Can I quote you on that?

>
> PhishCops(R) is not snakeoil. It is a
> cryptographic multi-factor authentication process
> that uses mathematics algorithms to produce and
> validate PKI keys.

oh shit, nm, I didn't realize you had "mathematics algorithms" on your side.

> Billion-dollar corporations use
> PhishCops(R). So, no, it is not snakeoil.

lol

Considering the other software that Sestus Data is known for (google search brings up some screensavers, some sort of image downloader called WebPirate and a popup blocker called NetPopper), I totally believe the company is offering a Real(R) Solution(R) and not SnakeOil(R)


btw, this thread is now ~#4 in a google search for "PhishCops"

-tx @ lowtech-labs.org

To Tx,
Do you have a specific question or are you making general comments? Some of your comments are valid, other are not, but Im not sure which ones (if any) you want me to address.

As you know, I have given you straight answers to your other questions but this time you sounded more sarcastic than sincere. In short, your assessment is simply wrong. If you doubt it, try your approach and see for yourself using our demo site.

Sestus Data Administration

Finally!

To all concerned. I have been instructed to cease communication on this forum, for which I am EXTREMELY grateful as it has been one of the biggest wastes of my time in a long time. Lots of flaming, abuse, and general nonsense, with the occasional exception of Tx who at least asked a couple of legitimate questions.

In any event, I know that Tx may have had some unanswered questions. Tx, in fairness to your last post, If you wish to learn more, you can contact me using our regular website contact form. Just indicate in the body of the message that you wish your contact to be forwarded to Jill K.

For those of you who remain, you have my sincere pity that you must endure posters such as Thrill who waste everyones time, offer abusive profanity when they dont get their way, and try to block posters they disagree with.


Signing off for good this time.
Jill K

Sestus Data Administration

thrill cannot block IP addresses

-id

GB2/WebPirate SestusData.


Awesome AnDrEw - That's The Sound Of Your Brain Crackin'
http://www.awesomeandrew.net/

Quote

Jill K

Somehow, that explains a lot.

I wonder if I can help get this thread up to #2 on google when you search for PhishCops(R)

--thrill - Your tyrannical forum moderator galore.

Wow this guy just doesn't give up. He's posted enough content on this thread to make a small book and for what?

LOL @ him 'reporting the message' only to learn thrill is a mod. "Mommy thrills is being mean to me, he pointed and laughed at the poor security of my demo site."

heh.. well, the name of Jill, at least to me, entails Female in species, which might explain why she only seemed able to give 'scripted answers' rather than a full 'logical' explanation of the concerns brought up by others and myself.

Which in itself makes me feel bad for her.. normally women are quite a bit more civil at the beginning, but from the start she seemed insulted at the fact that someone had found a flaw.

But I still have to give credit to tx for providing the greatest quote in this thread though:

Quote

oh shit, nm, I didn't realize you had "mathematics algorithms" on your side.

I almost snorted water out of my nose when I read that.

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill

This thread is now about sexual objectification of women. So Jill, what will it be? Tits? GTFO?


Awesome AnDrEw - That's The Sound Of Your Brain Crackin'
http://www.awesomeandrew.net/

interesting, instead of Godwin'd this thread has been thrill'd...

new internet law?

"Any thread with a female author and sufficient babbling will degrade to "she can't argue while having tits""?

I always thought they degraded to:

"How YOU doin?"

-id

Well, we can't use the old "hey baby, what's your number".. obviously her number is 1 bad comment and you're in the dog house buddy..

And just because I'm in the sharing mood, and to put to ease the question of whether I have a heart or not, I'll share with you guys 2 x-rays of the arteries in my heart.. before and after shots of when I got my stent put in about 5 years ago:




Some might argue that those are the best pictures of me.. heh..

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill

Sorry to be joining this late, but it's been a crazy last few days. I just wanted to respond to the one post that was directed to me:

Quote

If you were to check other security vendors websites, you would see that many do not employ protections against sql injection or cross-site scripting on their web sites, EXCEPT where their web pages are used to access confidential information. If the web page or its underlying database has no access to such information, most do not bother deploying such security protocols at all.

I think gaging yourself against the vast amount of bad security companies out there is a little dangerous. Personally, there is very little chance I would recommend your services to any of the multi-billion dollar companies I consult with that actually have these problems based on statements like this. It's just not enough to do the bare minimum. And if you compare yourself to the sheer volume of just terrible security companies out there as a good standard, it's hard to believe you are any better, technically - and no doubt you aren't.

Quote

To suggest that a security vendors product offering must be evaluated based on the level of security applied to their company website simply shows your alarming lack of understanding of basic security principles. The Federal Aviation Administration does not use SSL certificates on their website. Does that mean they are not protecting the security of our air traffic communication channels? Of course not. The Department of Defenses website throws an unhandled server error when invalid characters are posted from their online forms. Does that mean our military is incompetent? Of course not. Again, it is the difference between a theoretical understanding of security principles and actual experience with their proper application.

A number of times you said that your customers protect themselves from XSS. I don't know who your customers are, but I think you are probably mistaken, and therefore giving dangerously unprofessional advice. Given the sheer volume of XSS vulnerabilities out on the Internet, it's implausible that all of your customers are 100% secure, with an average defect rate of 1 vulnerability per 10,000 lines of code and 1 per 1,000 lines based on the DHS reports when they were testing open source apps. That means that if there is anything that can be maliciously used on those sites and if that malicious use ends in a depredation of your security, that's problematic.

And I would be extremely hesitant to use any of those websites you mentioned as best of breed in security - each of them have vulnerabilities in them as do the vast majority of sites just like them. I know because in my own consulting engagements many of these sized companies and organizations when audited have many critical vulnerabilities in them.

Now, let me answer the original question, because I think it's worth talking about. Phishcops, like any multi-factor service has flaws (mostly around malware as malware has begun to start pulling certs because they know they are being used as second factor). The Phishcops website said that it is "stronger" than most multi-factor auth, but that is actually not a true statement. It may be more convenient, but it is not stronger for a number of reasons. The primary one is that because it is not actually something you "have" but rather something that is on a computer, which may not even be in your possession, like a Citrix server for instance. Therefor it can be stolen (physical theft), re-purposed used by other people who have access to the same computer and so on.

Now, the most important thing to ask yourself is how likely is any of that to actually happen, and what risk are you reducing by it's use. Legitimately second factor has some benefits from a risk mitigation perspective. Having personally been involved in the single greatest consumer deployment of second factor auth in the history of the Internet, I can say without a doubt in my mind that there are nearly enough problems with it as there are benefits. Mostly they revolve around mobile computing, multi-user systems and so on. I have never been super keen on these types of things as a solve, but due to huge constraints placed on banks to implement "something" like second factor authentication. In that case, banks have opted towards things like Sitekey which is hugely flawed (see the MIT papers on it for more details), and tools like Phishcops. Without really spending time looking at it, I would be extremely hesitant to give this tool a thumbs up.

However, SestusData was actually correct in the assessment that XSS is rarely used in Phishing attacks as a percentage. I've seen hundreds of examples of it, but it's probably too complicated to explain why and how it worked without examples and in the context of what SestusData was saying those attacks would have been irrelevant to their technology in all but a very few cases. The risks associated with XSS are low. The risks associated with malware, however, are extremely high and growing in volume and sophistication. That means it's not actual security, just risk mitigation that makes the bad guys move to less attractive targets. Please read http://www.darkreading.com/blog.asp?blog_sectionid=403&doc_id=133816 for my feelings on a run-faster-than-the-guy-next-to-you type security.

Lastly, no, Thrill has never had access to our firewall, SestusData was being blocked because they kept pulling the same files over and over again in fairly rapid succession. The anti-DDoS protections on the firewall don't take into account people who flood the server with requests by hand. We have an RSS feed for a reason, please use it - it does work, I promise. Thrill is just a moderator on the forum and a friend of ours. Enough conspiracy theories.

- RSnake
Gotta love it. http://ha.ckers.org

rSnake, I think you've said it all. However, I think one of your comments deserves a tounge-in-cheek response. You said:
-------------------------------------------------------
> Without really spending time looking at it, I would be
> extremely hesitant to give this tool a thumbs up.
-------------------------------------------------------

Wouldnt that be true of any product? Have you ever given a product the thunbs up that you havent spent time looking at? Just thought that was funny!

We have phishcops at my credit union which is also where I work and I happen to know that it does work from behind citrix becuase we use citrix here at work. I think it places a key on the physical device and its the key that is being checked, not the server. So, it is checking something you have. Our examinors showed us in their guidelines that something on a computer like a key meets their definition of something you have. So I think you are wrong on that one. But its a good assessment anyway.

Just FYI.
Oh. one other thing. When we got it installed at our company we tested it for vulnerabilities to malware. While it is not 100 percent effective, it is resistant to malware, which is quite an achievement in my mind since I know of no other program that has ANY resistance to malware. We are very pleased with it. Its a lot better than shitkey... oops, I meant sitekey.

EarlyBurd

@EarlyBurd, I totally understand your pain. You must install something and this is probably one of the least intrusive solutions to your regulatory duties - holes and all.

Although I personally think your examiners are just being nice to you. If you don't physically "have" the machine, how can they say it is something you "have"? The logic alludes me. However, I understand they just want something that meets requirements too - they aren't getting paid to hack into your machines. They also aren't out to bust your chops over technicalities, even if those technicalities are where vulnerabilities live.

I'm not sure how using phishcops (as a consumer) via Citrix or remote desktop would install the device on your local machine. I think we are talking about something different. Thin clients almost never install anything other than the access agent on the consumer's device. If Phishcops has come up with a way to do that, it's probably a vulnerability in the Citrix/Remote Desktop clients themselves.

Being slightly resistant to malware is nice and all, but it won't actually stop the bad guys who need to get around it to make money in my experience. They are a crafty bunch. But if it works for you from a cost perspective and convinces assessors that you're doing the right thing, that's all you can really ask for.

- RSnake
Gotta love it. http://ha.ckers.org

@RSnake, actually it doesn't integrate with the citrix. We use an active X control version of citrix that we access from a webpage amd phishcops is used on the webpage to wrap around the control. So once we complete the phishcops login the citrix window is visible.

Being nice to me? Hah! Had to laugh at that one. The last thing that our examiners are is nice. But they recognize that, short of deploying hardware tokens, which no one wants to do for cost reasons, they recognize that pulling a key back from the machine and validating it is the next best thing. And your wrong about saying it is something you have. The examinor actually showed me in their guidance where it says that validating a key retrieved from a computer meets their definiton of something the user has. It also says validating a token or key that is retrieved from an alternate communication channel, like email or telephone also meets the definition of something the user has. That one seemed a stretch for me, but thats what it said. So, by their own guideline docs, phishcops is validating something the user has. But you are right about the rest. As long as it keeps the examiners happy, and our members find it easy to use, thats all that matters.

- Earlyburd

Examiners aren't the brightest bunch. Glad it's working for you.

- RSnake
Gotta love it. http://ha.ckers.org

Quote

Finally, XSS is NOT widely used for phishing.

Err bank + XSS + Phishing
http://www.communities.hp.com/securitysoftware/blogs/spilabs/archive/2008/01/10/XSS_2B00_phishing-in-Italian-bank-hack.aspx

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Yup, there are a few examples of XSS phishing, but it's pretty rare compared to normal Phishing and malware. I think it's just normal phishing attacks are easier, since they don't require any interaction with the target, but just another compromised host - which are a dime a dozen.

- RSnake
Gotta love it. http://ha.ckers.org

Life is funny.. here we are 2+ years since this thread and someone who knows my username came to ask my opinion of this product and pointed out this thread.

So PhishCops(R) is no more and has been re-branded (shocker!!).. their big word now is Virtual Token™.. they were awarded a trademark for the term on February 23, 2010..

Glad to see they're still relying on a bookmark to perform authentication though.. makes me feel all warm and fuzzy inside! :)

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill