Yes, it would be easy to create a convincing spoof of CalNet (or, for
that matter, of bofa.com or ebay.com).
The best protection you have is to pay attention to the security
certificate, displayed in the bottom status bar on Firefox. If it looks
like what you expect (calnet.berkeley.edu, sitekey.bankofamerica.com)
and matches the URL, you have a pretty good indication that you're
connecting to the legitimate site.
More security-sensitive applications are starting to go to two-factor
authentication, requiring you to pair your password with some other
shared secret. BofA and Wells Fargo also are undertaking some measures
to avoid spoofs, allowing you to choose a custom image that will be
displayed when you connect, which will defeat certain kinds of
man-in-the-middle attacks.
David Radwin wrote:
> I'm not a programmer, but it seems to me someone could easily create a
> reasonably convincing spoof of CalNet. Is there any basis to my concern,
> and if so, what might be done (other than paying very close attention
> each and every time)?
>
> David
>
> At 1:41 PM -0700 7/24/07, Christoffer Heckman wrote:
>>
>> Our employees have worked on teams developing proofs of concept for
>> attacks such as what you mentioned Tom, showing that people would
>> happily send their information away to a phony AirBears site, facebook
>> site, or worse, banking sites.
>
--
Tom Holub (tom_at_LS.Berkeley.EDU, 510-642-9069)
Director of Computing, College of Letters & Science
249 Campbell Hall
<http://LS.berkeley.edu/lscr/>
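The check Tom describes doing by eye, that the certificate's name matches the host in the URL, is the same rule a browser applies. As an added example that is not part of the original thread, the Python below applies that rule to constructed certificate data; the certificate contents and URLs are assumptions, not taken from the real sites.

```python
"""Added example (not from the original message): check that a TLS
certificate's DNS names cover the host in a URL. Standard library only,
with constructed certificate data, so it runs offline."""
from urllib.parse import urlparse

# Constructed samples; the dict shape mirrors ssl.SSLSocket.getpeercert().
CALNET_CERT = {
    "subject": ((("commonName", "calnet.berkeley.edu"),),),
    "subjectAltName": (("DNS", "calnet.berkeley.edu"),
                       ("DNS", "auth.calnet.berkeley.edu")),
}
WILDCARD_CERT = {"subjectAltName": (("DNS", "*.bankofamerica.com"),)}


def _name_matches(pattern: str, host: str) -> bool:
    """Match one DNS name from the cert against the host (RFC 6125 style):
    a wildcard counts only as the entire leftmost label, covers exactly one
    label, and never matches a bare two-label name such as *.com."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_names(cert: dict) -> list[str]:
    """Prefer subjectAltName DNS entries; fall back to the CN only if none."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def cert_matches_url(cert: dict, url: str) -> bool:
    """True only when the host in the URL is covered by the certificate."""
    host = urlparse(url).hostname
    if not host:
        return False
    return any(_name_matches(name, host) for name in cert_names(cert))


if __name__ == "__main__":
    # A lookalike host that merely starts with the expected name must fail.
    print(cert_matches_url(CALNET_CERT, "https://calnet.berkeley.edu/login"))  # True
    print(cert_matches_url(CALNET_CERT, "https://calnet.berkeley.edu.example.net/"))  # False
```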
This archive was generated by hypermail 2.2.0 : Tue Jul 24 2007 - 17:20:42 PDT