July 30, 2005

Disclosure, Victims, and Browsers reveal anti-phishing approaches

A couple of articles on disclosure: one about the Cisco hole that was revealed at Blackhat, and another from Oracle's CSO, who trots out some mild reasons why security researchers shouldn't cause trouble.

Security researchers generally work for free when they do public disclosure, and they represent the thousands or millions of users who cannot get help at any cost. As companies like Cisco and Oracle charge through the nose but offer no compensation to their victims, I think their case is weak. Some costings on burnt credit card numbers:

Canceling an account and reissuing cards is a costly proposition for card issuers. The process costs Discover $39 per account, according to Kniola. That’s why Discover prefers to monitor potentially compromised accounts if no suspicious activity has occurred rather than do blanket re-issues.

Both the bank and the credit card holder here are victims. More news from those who aren't victims. Microsoft, AOL and Mozilla recently revealed their anti-phishing strategies.

WholeSecurity, which is privately held, is helping Microsoft assemble and maintain a list of verified phishing sites, also known as a blacklist. When people try to visit a Web site on the list, IE7 automatically warns them via a dialog box that the site is fraudulent and suggests they "not continue to this Web site." At that point, people can close the Web page, or continue on if they choose.

WholeSecurity, via a project called the Phish Report Network, has thousands of Web sites in its blacklist and adds more all the time from the hundreds of new sites that contributors flag daily, said John Ball, senior product manager at WholeSecurity. Microsoft helped the company launch the Phish Report Network in February, along with Visa, eBay and eBay's PayPal unit, which all help to build and maintain the list.

America Online's Netscape unit introduced a new version of the Netscape browser in May with a similar feature. The company has compiled its own blacklist with the input of parent AOL, nonprofit privacy group Truste, VeriSign and security software company Paretologic.

Following on from Netcraft, that's 2 more votes for blacklisting. Oddly, after a year of humming and hawing:

The Mozilla Foundation has decided not to incorporate antiphishing technology into its increasingly popular Firefox browser, opting instead to focus on the e-mail side of the problem. An upcoming version of Mozilla's Thunderbird e-mail program is designed to alert users to messages containing links to phishing sites, said Chris Hofmann, director of engineering at the Mozilla Foundation.

Go figure. The problem with stopping it at the mailer is threefold: the mailer hasn't proven that successful at dealing with ordinary spam (Tbird gets about 50% in my experience), it does nothing for the bulk of Firefox users (those who do not use Thunderbird), and not all phishing comes from email.

The Thunderbird program will rely on a tool that automatically analyzes the attributes of links, rather than on a blacklist, Hofmann added. "The large volume of content, and the dynamic nature of the Web, make managing a list of potential phishing sites an incredibly hard job," he said.

Right, I'd agree with that. But Hofmann is only revealing half the story. Better technologies were on offer to Mozilla: TrustBar, Petnames, and even stuff Mozilla had developed internally are winning converts as browser toolbars.

As reported, we are now in an arms race. Only speed will help now:

For instance, more phishers are registering domain names for their sites rather than using numeric Web addresses, he said. Lin believes it's a response to the fact that Deepnet's browser has been warning people that sites lacking domain names are suspicious.

"The phishers will find some other way," Lin said. "It's like antispam. There are antispam programs, and spam still exists. We have anti-spyware, and spyware still exists."

Yup. For a solution that takes a year to conceive and roll out, it would probably take a good phishing outfit a month to attack. Get used to it.

Posted by iang at July 30, 2005 01:26 PM | TrackBack