
Thread: Stanford security experts unveil ''SPOOFGUARD''

  1. #1
    Junior Member
    Join Date
    Jul 2005
    Posts
    26

    Stanford security experts unveil ''SPOOFGUARD''

    It’s an online con that is growing fast and stealing tens of millions of dollars.

    An e-mail seemingly from a financial institution instructs you to log on to a legitimate-looking Web site. Such “phishing” attacks exploit a universal weakness in online security: passwords.

    To read the rest of the story and download this new utility please go here:

    http://testing.onlytherightanswers.c...article&sid=15
    Where Black, Gray and White Hats Unite to help protect YOU from current and future Exploits http://testing.OnlyTheRightAnswers.com

  2. #2
    Senior Member hesperus's Avatar
    Join Date
    Jan 2005
    Posts
    416
    Interesting tool, although I am not sure how necessary if proper precautions are taken.

    1. Never give out a password at the prompt of an email. No company would ask for info this way.

    2. Connect to sensitive sites (banking, etc.) with a shortcut that refers to the IP, not the DNS. (Borrowed from a suggestion on this site, can't remember whose. Sorry).

    There is virtually no way you will end up at the wrong site this way.

    The password hash part of the project is interesting. It takes a regular password and the DNS and spits out something (using a 'pseudo random function' -- someone else more mathematically inclined will have to judge how well this would work) unique to the site. Makes complicated passwords easier to use and could reduce the number of passwords one has to remember, since one password would look totally different from site to site.
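
The per-site password derivation described in the post above, as an added example that is not part of the original thread and is not the Stanford project's code. It assumes PBKDF2-HMAC-SHA256 as the pseudo-random function and an iteration count chosen here; the function names and host names are constructed for illustration.

```python
import base64
import hashlib
from urllib.parse import urlsplit

# Assumed work factor (not from the thread). A look-alike site still receives
# the value derived for its own host, so a slow function raises the cost of
# guessing the master password offline from that value.
ITERATIONS = 100_000


def site_key(url: str) -> str:
    """Return the lower-cased host name that the derivation is bound to."""
    host = urlsplit(url).hostname  # urlsplit lower-cases the host for us
    if not host:
        raise ValueError(f"no host name in {url!r}")
    return host.rstrip(".")  # treat 'bank.example.' and 'bank.example' alike


def site_password(master: str, url: str, length: int = 16) -> str:
    """Derive a site-specific password from one master password and the host."""
    raw = hashlib.pbkdf2_hmac(
        "sha256",
        master.encode("utf-8"),         # the password the user remembers
        site_key(url).encode("utf-8"),  # the host acts as a per-site salt
        ITERATIONS,
    )
    # URL-safe base64 keeps the result inside characters most sites accept.
    return base64.urlsafe_b64encode(raw).decode("ascii")[:length]


if __name__ == "__main__":
    master = "correct horse battery staple"            # constructed sample
    real = "https://bank.example/login"                # constructed host
    lookalike = "https://bank-login.example/login"     # constructed look-alike
    print("real site     :", site_password(master, real))
    print("look-alike    :", site_password(master, lookalike))
    print("same host, other page:",
          site_password(master, "https://BANK.example/account"))
```

The value typed into the look-alike host is derived from that host's name, so it is not the password the real site stores.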

  3. #3
    I am skeptical. The one thing in the article that looks very promising is the SpyBlock, and I'm not sure about that. Granted, these guys are "experts" and they have a bunch of interns working for nothing or grad assistant pay (=next to nothing) helping them out. Yeah, right, I'm gonna put their stuff on my system and bet the farm on it. Any time someone claims to "change all that" I get nervous.

    Besides, there is nothing new about what they are proposing. Symantec (Norton) has a similar product in its current security suite (the password manager and security manager or something). I'm sure you can get similar features from McAfee or the others. One of our users recently had her system claim our email server was attacking her system and locked her out of reading email on her OWA account (something to do with redirection).

    Phishing wouldn't be such a huge deal if users would just understand that banks and other financial institutions do not send email asking for account numbers and passwords. What we really need is a program that will send a virtual fist out of the screen and punch the user silly when they even think about responding to one of those inane emails.

  4. #4
    Senior Member
    Join Date
    Jun 2004
    Posts
    379
    I think that all you really have to do is try and use some common sense when opening up e-mail and reading it. Most people should know that companies never ask for your passwords and stuff of that nature through an e-mail, and always look at the site address and make sure it is the correct site you are on and not something like www.ebau.com or www.eboy.com.

  5. #5
    Senior Member hesperus's Avatar
    Join Date
    Jan 2005
    Posts
    416
    Common sense for people who get screwed by these things is :

    1. If it looks official it is.

    2. I always enter my password at the site when I use it, why not now.

    3. If my account is disabled I will be pissed and it will be a hassle to get it going again.

    4. Computers _always_ have glitches and need updating.

  6. #6
    Yeah, then there is the "I thought it would be better to be safe than sorry!" Problem is, those folks are almost always sorry afterward.


  7. #7
    Senior Member
    Join Date
    Jun 2004
    Posts
    379
    Common sense for people who get screwed by these things is :

    1. If it looks official it is.

    2. I always enter my password at the site when I use it, why not now.

    3. If my account is disabled I will be pissed and it will be a hassle to get it going again.

    4. Computers _always_ have glitches and need updating
    Yes, I know, but let me put it this way. I think that common sense is the best way to go if you have it, which as you all know most people don't have any common sense, so what really should be done, I guess, for the average user is to open up an e-mail account and don't use it for anything else except for your accounts with your bank, eBay, and anything like PayPal. People should then at least check, using the very little but hopefully still existing common sense, to check that e-mail to see if it is a real e-mail for the company.

    Hey, but if all else fails, go back to doing things the old-fashioned way: get your ass off the chair and go to the bank and the store to get what you want, but for me that will never happen.
