Re: [nznog] New phish - Westpac
On Mon, 19 Sep 2005, Jeremy Strachan wrote:
Given the alternative is our users' bank accounts being cleaned out - I'm all for Telco and/or ISPs blocking access to the site.
So you say it's ok for bank phishing. What about ebay/trademe/other auction/sales sites? What if it were for Live Journal? --David
David Robb wrote:
On Mon, 19 Sep 2005, Jeremy Strachan wrote:
Given the alternative is our users' bank accounts being cleaned out - I'm all for Telco and/or ISPs blocking access to the site.
How many people on this list fall for this sort of thing? (Rhetorical question only - please don't email replies to me or the list)
So you say it's ok for bank phishing. What about ebay/trademe/other auction/sales sites?
Perhaps the correct response is some (more) user education and then allow evolution to take over - those people who are too stupid to work this out lose all their money and then they can't use the Internet any more. While ISPs will lose revenue from them they're probably the ones who cause 90% of the help desk calls and so profitability goes up and we all get more time for beer.
True Andy, but the vast majority aren't so savvy, and aren't phishing-aware. I guess from a morality point of view... is it in an ISP's best interest to protect its customers' interests? The last helpdesk issue is not resolved until the last user is dead.

Russell Sharpe
NetConNZ
NetConNZ(a)paradise.net.nz
PO Box 47035 Trentham Upper Hutt
Ph +64 4 9717665, Cell +64 21 742 773
Fax +64 4 9717635, Cell Fax +64 21 342 776

-----Original Message-----
From: Andy Linton [mailto:asjl(a)citylink.co.nz]
Sent: Monday, 19 September 2005 16:15
To: David Robb
Cc: nznog(a)list.waikato.ac.nz
Subject: Re: [nznog] New phish - Westpac

_______________________________________________
NZNOG mailing list NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog
On Mon, 19 Sep 2005, Russell Sharpe wrote:
I guess from a morality point of view... Is it in an ISP's best interest to protect its customers interests?
If you want to involve morality... many people don't like pornography. There's lots of it out there. Should we block it? --David
Perhaps the correct response is some (more) user education and then allow evolution to take over - those people who are too stupid to work this out lose all their money and then they can't use the Internet any more.
I don't buy this line of reasoning any more. Don't open attachments from people you don't know. Don't open attachments from people you do know. Don't open attachments that have innocent-looking icons like a text file. Don't preview emails that have attachments. Now we're in an arms race where trying to send any email attachments around the internet is a sure-fire way of getting someone to blackhole your entire email for "malicious content"[1]. Even experienced users running around with all the latest antivirus and ad zappers and everything can *still* occasionally get infected with spyware.[2] How do you expect users to keep up?

[1]: True story: "Email me the zone file! oh, I'm sorry, we don't accept .com files, .zip files, .doc files, .pdf files or files with .'s anywhere in the name other than the 4th to last character, or ones that contain the phrase "smtp"...."

[2]: We don't need everyone to post their stories about how they use program X and they haven't had any spyware/viruses/whatever. We know.
On 19/09/2005, at 4:34 PM, Perry Lorier wrote:
I don't buy this line of reasoning any more. Don't open attachments from people you don't know. Don't open attachments from people you do know. Don't open attachments that have innocent-looking icons like a text file. Don't preview emails that have attachments. Now we're in an arms race where trying to send any email attachments around the internet is a sure-fire way of getting someone to blackhole your entire email for "malicious content"[1]. Even experienced users running around with all the latest antivirus and ad zappers and everything can *still* occasionally get infected with spyware.[2] How do you expect users to keep up?
Don't enforce potentially restrictive/crippling features unless specifically asked for by the customer. It's about personal responsibility. - Richard
On Mon, 19 Sep 2005, Andy Linton wrote:
David Robb wrote:
Perhaps the correct response is some (more) user education and then allow evolution to take over
There was a paper linked off Slashdot the other day about "The Six Dumbest Ideas in Computer Security". Well up there was "User Education". Most people just don't want to know about computers. They want it to work, and trying to teach them not to do stupid things is like trying to teach a pig to talk - it's a waste of your time, and it annoys the pig. They will learn when it bites them on the arse. Until then, we're better off trying to be a little proactive and stop them getting bitten in the first place. By that I mean keeping the dog in a cage, not trying to teach them not to bend over in front of the snarling rottie. -- Matthew Poole "Don't use force. Get a bigger hammer."
I think there's a compromise to be had... somewhere between protection and education. I agree that for every idiot who gets educated, another idiot (or more?) steps up. And that ISPs wear this in the back pocket in terms of tech support. (Then again, some IT contracting companies use this as a money-spinner...)

Thing is, you can't stop educating people. If you do, the number of 'idiots' grows... You educate, more step up, but at least the number isn't as big as it would be if we simply stopped. The ISPs that create decent knowledge bases / keep references to decent online knowledge bases so that customers can be referred to them 'for education' are, IMHO, on the right track. Gives people a resource they can choose to read. Some 'net users enjoy it enough to want to learn more - to expand their skills, to help them do things faster, or so they can proactively protect themselves from $RISK - be it a virus, a phishing scam, or whatever. Some don't care.

If the Carrier is absolutely 100% certain that their block will cause no harm, and much good, then I don't disagree with it. As long as they formally notify all their customers who're impacted. Likewise the ISP, if they're fairly certain there's no harm and no good, then no harm in a block there too. Difference is that at the ISP level, there's usually something in there that says 'This is, in the end, our network, we can block if we like' - so the liability is internal. (Customer complaining to ISP because they can't reach $SITE is one thing. ISP having to say 'oh, sorry, it's a policy filter upstream of us' is something else.) At the same time user education has to happen, because neither of the above is going to be 100% effective.

If the ISP has a good attitude about doing 'the right thing' (but only when deemed appropriate; the odd bank phishing scam is feasible but we're not talking about dedicating an entire task force to the detection and blocking of these things) - and if the user has had the _opportunity_ to read up on the problem... and still chooses to be ignorant? Then the ISP has indemnified themselves, and it really does become the user's problem, and responsibility, at that point. I don't think there's any harm in doing the 'responsible' thing. At the same time I don't think a user should expect us to protect them... or they won't learn to do it themselves.

Mark.
Likewise the ISP, if they're fairly certain there's no harm and no good, then no harm in a block there too. Difference is that at the ISP level,

Ugh. Should have said 'if they're fairly certain there's no harm and some good, then no harm in a block there too.'

Oh, and forgot to addendum my message; the use of the word 'idiot' is colloquial and in good humour, just in case anyone was offended. You never know :)

PS: My last email to NZNOG had a bounce from an administration-bot at the IRD. If you're from IRD.govt.nz - be advised...

The following information details the events that prevented delivery of this message:
===========================================================
Content within this message was disallowed.
===========================================================

- Not sure which content it disagreed with.

Mark.
Maybe the IRD don't like their staff being called idiots, f*** b**** etc.... ;-)
Matthew Poole wrote:
about computers. They want it to work, and trying to teach them not to do stupid things is like trying to teach a pig to talk - it's a waste of your time, and it annoys the pig.
So your solution is to act as a ventriloquist for the pig? (:-)

I'm not suggesting a whole heap of education and I believe it should come from the banks along the lines of:

We will never, never, never email you and ask you to change your password by clicking on a link etc. You will need to come into the branch and do it there.

If you do follow links and get stung then we'll treat it along the same lines as "so you met this guy in a pub and he said 'can I borrow your ATM card and pin number for ten minutes'.....".
They will learn when it bites them on the arse. Until then, we're better off trying to be a little proactive and stop them getting bitten in the first place. By that I mean keeping the dog in a cage, not trying to teach them not to bend over in front of the snarling rottie.
Hello? "They will learn when it bites them on the arse" but "we're going to stop them getting bitten in the first place". So how will they learn?
On Mon, 2005-09-19 at 17:13 +1200, Andy Linton wrote:
Matthew Poole wrote:
I'm not suggesting a whole heap of education and I believe it should come from the banks along the lines of:
We will never, never, never email you and ask you to change your password by clicking on a link etc.
That's usually what they do anyway.
You will need to come into the branch and do it there.
If you do follow links and get stung then we'll treat it along the same lines as "so you met this guy in a pub and he said 'can I borrow your ATM card and pin number for ten minutes'.....".
That's absolutely what they should be doing. I just checked ANZ's Ts & Cs for online payments, and they have left themselves room to make a customer entirely liable if their account gets drained because they got phished. I doubt they would actually do so, but since they have the wiggle room they ought to consider making use of it publicly.
Hello?
"They will learn when it bites them on the arse" but "we're going to stop them getting bitten in the first place".
I said "a little proactive", not "rabidly proactive". i.e.: when we know the dog is loose, if we're told where it is we'll put a fence up. But we're not going to go searching for it, and we're not going to check if it is or isn't loose.
So how will they learn?
When the dog isn't behind a fence, and it bites them. There're a lot of dogs, and we can only build so many fences. -- Matthew Poole "Don't use force. Get a bigger hammer."
Banks should be proactive in these types of things. Westpac's phish would have been stopped if they had SPF records.

Quite a number of banks in the States and other places have started to put SPF records in to stop this phishing (this is what SPF is used for, not anti-spam).

The IRD/SSC/Treasury (the 3 most important NZ government areas) have SPF records (and they use -all, which is good).

Before you reply: I've heard all the anti-SPF abuse before. Yes, it can break forwarding, but people shouldn't forward without your permission (and then you change your SPF records to allow this).

Thanks
Craig
http://www.spam.co.nz/spf
I agree,

I'm not an application security expert, but why can't the banks issue an authentication certificate, and only allow connections to those who are authenticated?
Russell Sharpe
rsharpe(a)paradise.net.nz
Ph +64 4 9717665, +64 21 742 773
Fax +64 4 9717635, +64 21 342 776
-----Original Message-----
From: Craig Whitmore [mailto:lennon(a)orcon.net.nz]
Sent: Monday, 19 September 2005 17:52
To: Matthew Poole; nznog(a)list.waikato.ac.nz
Subject: Re: [nznog] New phish - Westpac
They could, but if you use it to establish an SSL session it has to be a 'personal certificate' in the browser store, and the process of getting it into the browser will fox most IT people, never mind mom and pops. Also browser versions, service packs and the weather all mean that there are millions of permutations of problems.

Certificate management is the killer - if you look at how Landonline works, it uses this approach as it's a closed group of users and the cert mgmt issues are less. Certs in retail banking have always caused big problems/high support costs.

Colin.

Russell Sharpe wrote:
I agree,
I'm not a application Security expert, but why can the banks issue a authentication Certificate, and only allow connections to those who are authenticated?
-- *Colin Slater* Director Securify NZ Ltd IT Security and Risk Management *p*: 021 190 1112 *e*: colin.slater(a)securify.co.nz *w*: www.securify.co.nz
Russell Sharpe wrote:
I agree,
I'm not a application Security expert, but why can the banks issue a authentication Certificate, and only allow connections to those who are authenticated?
Using certificates for authentication is fraught with problems, that's why no one does it. IMHO the only way to go is to use some form of two-factor auth (SMS is promising) but the question is will the customers tolerate it. If anything is implemented then I suspect it will have to be by all banks simultaneously.

As others have pointed out, at the moment the banks are prepared to wear the cost of fraud (as they do with CC) and ultimately we (the customers) pay in the price of fees.

Hmmm... I can see the day when I have half a dozen auth tokens in my pocket. :( Now if we could get a standard crypto token...

Russell
Russell Fulton, Information Security Officer, The University of Auckland.
Craig Whitmore wrote:
The IRD/SSC/Treasury (the 3 most important NZ government areas) have SPF records (and they use -all which is good).
That is good to hear that it's been implemented there. As I've posted before, some arbitrary digging has shown that the only [major] financial institution in NZ using SPF is American Express. Worrying that no local banks have implemented it.
Before you reply. I've heard all the Anti-SPF abuse before. Yes it can break forwarding, but people shouldn't forward without your permission (and then you change your SPF records to allow this)
You can't control what people do on their own platform, and it is certainly well within my rights as a mail recipient to forward email from one mailbox to another. You should not prevent me from doing that, and it would be foolish to say "shouldn't forward without your permission". [Well documented case: Steve's issue with NZNOG registrations earlier this year.] aj.
You can't control what people do on their own platform, and it is certainly well within my rights as a mail recipient to forward email from one mailbox to another. You should not prevent me from doing that, and it would be foolish to say "shouldn't forward without your permission".
[Well documented case: Steve's issue with NZNOG registrations earlier this year.]
Yes, and it's very well documented how to forward in an SPF-nice way (mailing lists forward emails nicely, for example). They change the MFROM but keep the Header FROM the same.

Thanks
Craig :-)
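The SPF mechanics argued over in Craig's two messages (a bank publishing a `-all` record, a naive forwarder breaking the check, a mailing list surviving it by rewriting MAIL FROM) can be walked through with a small evaluator. The block below is an added example, not code from the list or from any poster; it models a subset of RFC 7208 (ip4, include and all with qualifiers, no macros or a/mx/ptr), stubs DNS with an inline table, and uses constructed domains (bank.example, mailer.example, list.example) and RFC 5737 documentation addresses.

```python
"""Added example: a minimal SPF evaluator (subset of RFC 7208) that walks the
cases discussed in the thread. Not NZNOG or Craig Whitmore's code; domains
and addresses below are constructed (RFC 5737 documentation ranges)."""
import ipaddress

# Constructed stand-in for DNS TXT lookups so the example runs offline.
# Hypothetical domains: bank.example publishes SPF with -all and delegates
# to an outsourced mailer; list.example is a mailing-list host.
SPF_RECORDS = {
    "bank.example": "v=spf1 ip4:192.0.2.0/24 include:mailer.example -all",
    "mailer.example": "v=spf1 ip4:198.51.100.10 -all",
    "list.example": "v=spf1 ip4:203.0.113.5 -all",
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Stub for the DNS TXT query a real checker would make."""
    return SPF_RECORDS.get(domain)


def check_spf(domain, ip, depth=0):
    """Evaluate the SPF record of `domain` for a message arriving from `ip`.

    Supports the ip4, include and all mechanisms with qualifiers; a/mx/ptr/exists
    and macros are omitted. Returns one of pass, fail, softfail, neutral,
    none or permerror.
    """
    if depth > 10:  # RFC 7208 caps the number of DNS-querying mechanisms
        return "permerror"
    record = lookup_spf(domain)
    if record is None:
        return "none"  # no policy published: forgeries cannot be rejected on SPF
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        mechanism = mechanism.lower()
        if mechanism == "all":
            matched = True
        elif mechanism == "ip4":
            # membership is False across address families, so IPv6 never matches ip4
            matched = addr in ipaddress.ip_network(argument, strict=False)
        elif mechanism == "include":
            # include matches only when the referenced domain's record would pass
            matched = check_spf(argument, ip, depth + 1) == "pass"
        else:
            continue  # mechanism not modelled in this example
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"  # reached the end of the record without a match


def receiver_decision(mail_from_domain, connecting_ip):
    """What a receiving MTA checks: the envelope MAIL FROM domain against the
    connecting IP. The header From is not consulted, which is why a list that
    rewrites MAIL FROM passes while a forwarder that keeps it fails."""
    return check_spf(mail_from_domain, connecting_ip)


def thread_scenarios():
    """The cases argued in the thread, as constructed samples."""
    return {
        # Bank publishes no record: SPF alone gives the receiver nothing to act on.
        "no_record": receiver_decision("bank-without-spf.example", "203.0.113.77"),
        # Forged MAIL FROM bank.example from an unlisted host: -all -> fail.
        "phish": receiver_decision("bank.example", "203.0.113.77"),
        # Genuine mail relayed by the outsourced mailer: passes via include.
        "genuine": receiver_decision("bank.example", "198.51.100.10"),
        # Forwarder relays the bank's mail with MAIL FROM unchanged: fail.
        "naive_forward": receiver_decision("bank.example", "203.0.113.5"),
        # Mailing list rewrites MAIL FROM to its own domain: pass.
        "list_rewrite": receiver_decision("list.example", "203.0.113.5"),
    }


if __name__ == "__main__":
    for name, verdict in thread_scenarios().items():
        print(f"{name:14s} {verdict}")
```

The `naive_forward` and `list_rewrite` cases share the same connecting address; the only difference is which domain appears in MAIL FROM, which is exactly the "change the MFROM but keep the Header FROM" behaviour described above. The `no_record` case is the situation Craig is criticising: with nothing published, a receiver has no SPF basis to treat the Westpac forgery differently from genuine mail.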
Andy Linton wrote:
Perhaps the correct response is some (more) user education and then allow evolution to take over - those people who are too stupid to work this out lose all their money and then they can't use the Internet any more. While ISPs will lose revenue from them they're probably the ones who cause 90% of the help desk calls and so profitability goes up and we all get more time for beer.
While in full agreement on the last point, and while this is technically the 'right', self-healing thing to do, it's the path most likely to lead to knee-jerk regulation, which I suspect will cost the ISPs more in the long run in compliance. And the side-effect of that will probably be full content filtering, to catch the pr0n. Fun time to be an ISP to be sure. cheers mark
On Mon, 2005-09-19 at 16:15 +1200, Andy Linton wrote:
Perhaps the correct response is some (more) user education and then allow evolution to take over - those people who are too stupid to work this out lose all their money and then they can't use the Internet any more. While ISPs will lose revenue from them they're probably the ones who cause 90% of the help desk calls and so profitability goes up and we all get more time for beer.
Harking back to NZNOG04, sounds to me like an argument about the toaster and the lego set. Some folks may argue that being able to use a global computer network to help you achieve more in less time is not evolution. But I dare say that those people are related to the same people who used to sit around the cave fire and say "hey look, there goes another flash bastard breathing through his nostrils" :-) jamie