Comments

Steven Plunkett, May 19, 2005 4:09 PM

A lot of this goes back to trust. I think it's ironic that in a world where people are so dubious of one another, we're often so happy to just hand over sensitive information without really thinking about who's asking for it. Obviously phishing technology is getting more sophisticated, but the simple social engineering side of it is interesting as well.

Bill Nichols, May 19, 2005 8:00 PM

Not sure how many others have seen this, but it's new enough that it's not yet widely disseminated.

The battle is escalating, what I don't see is any acknowledgement by the "white" side that their rules don't really matter ...

http://www.tomshardware.com/hardnews/...

Marc de Wit, May 20, 2005 3:57 AM

Interesting notice on Tomshardware indeed.

I recall Microsoft reserving the right to gather information about one's Microsoft Windows OS. But I will look that up in the license agreement that one agrees to when one buys a copy of their software.

So, nothing new here, unless one values their privacy. But then they should not use a Microsoft product in the first place.

I am curious what the response in the security field will be. When will the crawler be released and what are the reactions of the users who get scanned?

Time will tell.
Marc

Clive Robinson, May 20, 2005 6:13 AM

Just read the HoneyMonkey article on the Register which TomsHardware points to.

Some points to note:

1. Only 7000 sites a day
2. MS chose the sites

Correct me if I am wrong but don't Phishers send people to their "private site" made to look like a public site...

So I am not sure the MS approach is going to get one large bunch of the criminals...

Pardon me if I sound cynical, but if you take Lance Spitzner of the HoneyPot project's comment (quoted in the article) seriously,

"As the bad guys are constantly adapting their tools and tactics, so too must we"

You realise that the odds are in favour of the phishers with the MS approach as described.

So even if MS find something, what do they do? Their bod Wang says "legal action"; well, that's going to go nowhere quickly, so the site will stay up for a very long period of time, or the Phishers adapt and move on.

When that becomes clear I guess Wang and Co will then start talking about ways to get a faster response such as "black lists". Oh, what an opportunity for DoS attacks etc ;)

Personally I think this is another MS attempt to ward off bad press and "being seen to be doing something" to effectively sweep the real issues under the carpet.

Remember if you don't agree say so ;)

Andrew, May 20, 2005 6:16 AM

Marc, I don't think you read the page properly or understand what the Microsoft Honeymonkey project is doing. It consists of a few specially set up computers trawling through publicly available web pages looking for new malicious web content (pages that attempt to install malware and spyware). The honeymonkeys allow themselves to be compromised so the malware and exploit methods can be studied.

Users are not being scanned, nor are they doing the scanning.

Steve Roylance, May 21, 2005 6:26 AM

Phishing relies upon one thing. When you arrive at a site you have no means to verify what you see. Verification of logos, trademarks and page content is now possible. www.contentverification.com has the answer.....enjoy ;-)

Marc de Wit, May 22, 2005 7:42 AM

Andrew,

I skimmed the text and thought Microsoft was going to actively hunt for the scammers. Thanks for pointing out I was wrong; if it's honeypots they use, then no harm is done here.

Anyway, I hope Microsoft is serious about enlarging their security efforts for their software products, and for once takes the protection of their customers' personal information to heart.

Yours truly

Gregg Leonard, June 1, 2005 11:14 PM

Phishing is an insidious way of exploiting those ignorant of the risks of doing anything important online. Many end-users feel the convenience far outweighs the risks. Multi-factor authentication does bring us a step closer to solving many security issues but fails to solve the security end-around caused by the user themselves.

Someone once said that "Desperate times call for desperate measures"... Now I don't think this is quite the desperation they had in mind, but it is certain this problem will only get worse unless a realistic solution is found. The methods used to exploit the end-user will only become more pervasive and creative as the simpler schemes become ineffective. It appears to me that the only solution is a rather unconventional approach.

Let's stop trusting the end-user!

Using a zero-knowledge algorithm and locking it down with a username/password at the user token level would solve this issue. A given website would create a secret to be shared with the token possessed by the end-user. The user then provides a username/password which then encrypts the shared secret used for the calculation of the Zero-Knowledge handshake.

The downside is of course that each website would have to create a separate shared secret for every user, but the upside is that the end user cannot divulge that which really grants them access to the site. This may not be the most elegant way of solving this problem, but it is perhaps a step in the right direction.

Let's all have a reality check on whether we should be trusting the end-user.

Regards,
Gregg Leonard - Ironclad Tech Svcs
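The token-plus-password handshake Gregg sketches above, modelled as a challenge-response with an HMAC over a per-site secret rather than a full zero-knowledge proof. This is an added, simplified example written for this page, not code from the comment or from any product; the XOR wrapping of the stored secret, the function names and the sample password are my own assumptions. It shows why a phished password alone, or a captured response, does not log the attacker in.

```python
import hashlib
import hmac
import os

def derive_key(password: str, salt: bytes) -> bytes:
    # Password-derived key that wraps the token's copy of the site secret.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def enroll(site_secret: bytes, password: str) -> dict:
    # Token side: the site's 32-byte secret is stored only in wrapped form
    # (XOR with a key-stream derived from the password; an assumed, simplified wrap).
    assert len(site_secret) == 32
    salt = os.urandom(16)
    stream = hmac.new(derive_key(password, salt), b"wrap", hashlib.sha256).digest()
    return {"salt": salt, "wrapped": bytes(a ^ b for a, b in zip(site_secret, stream))}

def unwrap(record: dict, password: str) -> bytes:
    # A wrong password yields a different 32-byte value rather than an error,
    # so the token itself leaks nothing about whether a guess was right.
    stream = hmac.new(derive_key(password, record["salt"]), b"wrap", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(record["wrapped"], stream))

def site_challenge() -> bytes:
    # Fresh random challenge per login attempt; prevents replay of old responses.
    return os.urandom(16)

def token_respond(record: dict, password: str, challenge: bytes) -> bytes:
    # The response commits to the unwrapped secret and this challenge only;
    # the secret itself never leaves the token.
    return hmac.new(unwrap(record, password), challenge, hashlib.sha256).digest()

def site_verify(site_secret: bytes, challenge: bytes, response: bytes) -> bool:
    expected = hmac.new(site_secret, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)

def demo() -> dict:
    # Constructed sample enrolment and four login attempts.
    site_secret = os.urandom(32)
    record = enroll(site_secret, "correct horse")
    c1 = site_challenge()
    r1 = token_respond(record, "correct horse", c1)
    c2 = site_challenge()
    return {
        "genuine": site_verify(site_secret, c1, r1),
        "wrong_password": site_verify(site_secret, c1, token_respond(record, "guessed", c1)),
        "replayed": site_verify(site_secret, c2, r1),
        "password_only": site_verify(site_secret, c1, hmac.new(b"correct horse", c1, hashlib.sha256).digest()),
    }
```

The "password_only" case is the phishing scenario: the attacker has the user's password but not the token, so nothing they can compute matches the site's expected response.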
