Most of the hacking techniques described in the 1994 book Secrets of a Super-Hacker are now laughably out of date. But not all of them. A few are not only still effective, but far more effective in the current era of ubiquitous internet access. As the author notes early in the book, some attacks are timeless:
Phishing via email would be a whole lot harder if companies would digitally sign their newsletters. In all my years on the internet, I've NEVER received a digitally signed email. Like others, I, too, am always getting real emails from the companies I do business with that contain links. If those emails were signed, I'd feel a lot better about them. For instance, I get Microsoft's TechNet and MSDN Flash newsletters. Those things are chock full of links. Not only are they not signed, sometimes they purportedly come from a named individual on the Microsoft newsletter domain and not from the domain itself. I have no idea whether they are valid or phishing attempts. Surely, any company that does business on the web (especially Microsoft) must have some kind of certificate. Why don't they use one to sign their emails?
People who incorrectly identified legit sites as illegitimate sites shouldn't be considered to have done the wrong thing. Any site which presents a login/password form without SSL has blown it, and people are right to refuse to interact with it.
And another thing: Those alerts you get for self-signed certificates on production servers? Pure evil. Regular people have no idea what they mean and just try to figure out what to click to continue with whatever they are doing, regardless of the stern wording. We knew that. But I wanted to point out there is a common practice which makes this even worse than usual. Many sites put self-signed certificates into production and then tell people who complain to just click through the warning alert. How stupid is that? The sites are too cheap to get a proper certificate, or perhaps they use software which is architected to scale poorly such that proper certificates are cost-prohibitive, and then the site takes the attitude that its users are being unreasonable when they try to protect themselves. cPanel, I'm looking at you.
This might not work for the average user, but I would love to see a "details" section in the warning notice that explained which traits of the page triggered the warning. That would help people learn what to look for even when there is no warning.
I just picked a random site from PhishTank and tested it with IE 6. It did not give any warning whatsoever and merrily continued showing the page. The mere thought of the number of users still using IE 6 gives me shudders!
I haven't read the study in detail, but it seems to me that it's sort of missing the point. The issue is surely how to train people to only use their bookmarks to reach important sites in the first place. If people don't click on links in e-mails and on the web in the first place, it's less important that they are an expert on how to tell a phishing site from one that's not.
Also, if people are told to expect a mix of real and fake sites, they may feel that they have to put half real and half fake, and if they err on the side of caution as they might in real life, they might feel they are putting too many as fake.
My mom has just started using the Internet recently, and this sort of thing terrifies me.
How do you explain to a total neophyte how to identify that poorly defined "shadiness" that gives away a scam on the Web?
It scares the crap out of me that I pretty much have to rely on Internet Explorer to protect her from this stuff… unless I want to sit there with her the entire time she's using her computer and personally check the validity of each and every site she browses to.
"The issue is surely how to train people to only use their bookmarks to reach important sites in the first place."
That's what I taught my parents to do: "Only use this bookmark here to open the Internet Banking page. Period. Never, ever, give any attention to any e-mail you receive from your own bank." They've never been caught (yet), although I'm sure they'd not succeed in that study.
That's fine and dandy, but (IMHO) on the other side, we also need to teach companies not to send e-mail out with web links in them. It's a major convenience, but it would be a lot simpler to teach neophytes "don't click on any link that comes from e-mail." Instead, I get e-mails from Capital One saying "Hey! Your statement is ready! Click here to check it!"
Also, Jeff: PhishTank is a cool resource, but it really just band-aids the problem. I'm part of a group that combats phishing websites, and the general consensus is that PhishTank, while a very good repository of data, doesn't actually DO anything besides say "yup, that's a phish!"
While this is arguably useful for the reasons you stated, this only helps people who use the phishtank feed. The sizable majority of people on the website do nothing to remove the phish. Which is the real-world equivalent of watching a mugging and doing nothing.
Just a plug for one of the groups that do stuff (not the one I'm involved with): CastleCops' Phishing Incident Reporting and Termination Squad (http://wiki.castlecops.com/PIRT), a crack group of individuals that handle termination of phish. If you ever get a phish, submit it to them.
To Matt Blodgett: You do not have to rely on IE. Install Firefox and also install the "McAfee SiteAdvisor" plugin/extension. Not only does this give you one extra line of defense, it also rates search results from the major engines. After you install it, with the plugin, go to Google and search on screen savers. To the right of the results on each line you will see either a green check, a yellow, or a red X. The sites that are known for bad things will be marked with the red X's. I put this on my wife's PC and we have had no issues for over a year with spyware and the like. And yes, SiteAdvisor helps with phishing too.
They are really smart. I have maximum variation for PayPal hacks. I have also made a post for it.
Some are with https, some https://paypal.com.something.com, and the rest all have the PayPal look. The emails are smart too: the anchor text is for paypal.com, but the link goes to some other site.
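The two tricks the comment above describes, a host such as paypal.com.something.com that merely begins with the trusted name, and anchor text that names one site while the href points at another, can both be checked mechanically on the receiving side. The following is an added example, not code from the blog or from any commenter; the trusted-domain list, the sample HTML and the hostnames in it are constructed for the demo and use reserved or made-up names.

```python
"""Flag suspicious links in an HTML email body.

Two detections, added as an illustration (not the page's own code):
  1. display text that reads like a web address but differs from the href host;
  2. an href host that only *contains* a trusted domain as a leading label
     (paypal.com.something.com) instead of being that domain or a subdomain of it.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED = {"paypal.com"}  # constructed allow-list for this demo


def host_of(url):
    """Lower-cased hostname of a URL, or '' when there is none."""
    return (urlparse(url.strip()).hostname or "").lower()


def is_trusted_host(host):
    """True only if host is exactly a trusted domain or a true subdomain of one."""
    return any(host == t or host.endswith("." + t) for t in TRUSTED)


def looks_like_host(text):
    """Heuristic: does the visible link text read as a web address? Return its host."""
    t = text.strip().lower()
    if t.startswith(("http://", "https://")):
        return host_of(t)
    if "." in t and " " not in t:
        return t.split("/")[0]
    return ""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text)))
            self._href = None


def audit_links(html):
    """Return (href, reason) for every link that deserves a second look."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        href_host = host_of(href)
        shown_host = looks_like_host(text)
        both_trusted = is_trusted_host(href_host) and is_trusted_host(shown_host)
        if shown_host and shown_host != href_host and not both_trusted:
            findings.append((href, f"text shows {shown_host!r} but href goes to {href_host!r}"))
        elif not is_trusted_host(href_host) and any(t in href_host for t in TRUSTED):
            findings.append((href, f"trusted name embedded in untrusted host {href_host!r}"))
    return findings


# Constructed sample message body; hosts are made up or from reserved ranges.
SAMPLE = """
<p>Your account needs attention.</p>
<a href="https://paypal.com.example-updates.net/login">https://www.paypal.com</a>
<a href="https://www.paypal.com/signin">Sign in</a>
<a href="http://203.0.113.5/pp">paypal.com</a>
<a href="https://paypal.com.example-updates.net/">Click here</a>
"""

if __name__ == "__main__":
    for href, reason in audit_links(SAMPLE):
        print(href, "->", reason)
```

Running it flags three of the four links and leaves the genuine www.paypal.com link alone. The subdomain test uses `endswith("." + t)` rather than a substring check precisely so that a host like paypal.com.example-updates.net is not mistaken for a PayPal host.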
Personally, I suspect the quoted study is flawed in several ways.
I might fail some of the sample "is this website phishing?" tests, but that doesn't make me susceptible in the real world, as I would never end up logging in to a phishing site anyway.
Why?
Well, despite several of my financial services' attempts to defeat my browser's autocompleting feature, I have forced my browser to autocomplete part of my login information. As a result, when I log in to PayPal, if I make a typo in the URL (or otherwise end up at a phishing site) the login information won't complete and I'll be suspicious.
Unfortunately, one day one of my banks will find a way to completely block autocomplete, at which time either they will indemnify me against any successful phishing attacks or I will find a bank with a focus on security rather than one so devoted to wasting my time.
More importantly though, phishing IS solvable using a security technique that does not rely on the user being responsible for the identification AND authentication mechanisms.
Right now, bank security is "something you know" online, and "something you know" AND ("something you have" OR "something you are") in person. We need to get "something you have" into the picture when banking online.
In other words, if the user is not capable of revealing their password in a trivial way, it will stop phishing in its tracks.
Smartcards are one solution. Client side certificates are another.
Neither are a perfect security solution themselves, but both can stop phishing completely if properly implemented.
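The property the comment above is after, a credential the user cannot hand over by typing it into the wrong page, is easiest to see in a small challenge/response model. The following is an added illustration and not the design of any real bank, smart card or certificate scheme: a device holds a secret the user never sees, answers each server nonce with an HMAC that also covers the origin it is really talking to, and the bank only accepts answers bound to its own origin. The origins, user name and keys are constructed.

```python
"""Origin-bound challenge/response with a device-held secret.

Added example (not from the page). Models the "something you have" argument:
a secret that is never typed cannot be phished by a form, and binding each
response to the origin defeats a real-time relay as well as a later replay.
"""
import hashlib
import hmac
import secrets

BANK_ORIGIN = "https://bank.example"        # constructed
PHISH_ORIGIN = "https://bank-example.net"   # constructed look-alike


class Device:
    """The user's token or smart card: holds a secret that is never displayed."""

    def __init__(self, secret: bytes):
        self._secret = secret

    def respond(self, nonce: bytes, origin_seen: str) -> bytes:
        # The answer is tied to the origin the browser is actually on.
        return hmac.new(self._secret, nonce + origin_seen.encode(), hashlib.sha256).digest()


class Bank:
    """Server side: enrolls devices, issues one-shot nonces, verifies answers."""

    def __init__(self):
        self._secrets = {}
        self._pending = {}

    def enroll(self, user: str) -> Device:
        secret = secrets.token_bytes(32)
        self._secrets[user] = secret
        return Device(secret)

    def challenge(self, user: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending[user] = nonce
        return nonce

    def verify(self, user: str, response: bytes) -> bool:
        nonce = self._pending.pop(user, None)   # each nonce is usable once
        if nonce is None:
            return False
        expected = hmac.new(self._secrets[user], nonce + BANK_ORIGIN.encode(),
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def legitimate_login(bank: Bank, user: str, device: Device) -> bool:
    """User visits the real origin; the device answers for that origin."""
    nonce = bank.challenge(user)
    return bank.verify(user, device.respond(nonce, BANK_ORIGIN))


def relayed_phish(bank: Bank, user: str, device: Device) -> bool:
    """A look-alike site forwards the bank's genuine nonce to the victim in real time.
    The victim's device answers for the origin it sees, so the bank rejects it."""
    nonce = bank.challenge(user)
    answer = device.respond(nonce, PHISH_ORIGIN)
    return bank.verify(user, answer)


def replayed_capture(bank: Bank, user: str, device: Device) -> bool:
    """A recorded genuine response is presented a second time: no pending nonce, rejected."""
    nonce = bank.challenge(user)
    captured = device.respond(nonce, BANK_ORIGIN)
    first = bank.verify(user, captured)      # genuine login succeeds once
    second = bank.verify(user, captured)     # same bytes again
    return first and second


if __name__ == "__main__":
    bank = Bank()
    device = bank.enroll("alice")            # constructed user
    print("legitimate:", legitimate_login(bank, "alice", device))
    print("relayed:   ", relayed_phish(bank, "alice", device))
    print("replayed:  ", replayed_capture(bank, "alice", device))
```

The model is symmetric (a shared secret rather than a client certificate's private key) to keep it within the standard library; the point it demonstrates is the same either way: nothing the user can type or read off a screen is sufficient to authenticate, so a page that asks for it gets nothing useful.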