I was out all day yesterday to attend the Anti-Phishing Working Group meeting at Wells Fargo World HQ in San Francisco. About one hundred people from a wide assortment of backgrounds were there, some from law enforcement agencies like the Secret Service and FBI, lawyers, prosecutors, financial services, e-tailers, solutions vendors, and security experts. APWG did an impressive job of pulling them all together to focus on the phishing epidemic, which continues to grow.

While everyone wanted to pool resources to combat phishing, I sensed a common desire to protect details about ongoing APWG activities from the public for various reasons. Since I am not sure what APWG's policy is about blogging, I will limit this post to my thoughts and observations.
Toolbars
The warm reception received by the Account Guard feature of the eBay Toolbar and by Dan Boneh's SpoofGuard means more toolbars in the near future. I predict we'll see about ten security-related toolbars released before this year is over. Since highly integrated client-side software like browser toolbars is one of my specialties, all this is good news for me, but I couldn't help worrying about the oncoming glut of toolbars, sidebars, and deskbars causing confusion among users.
Microsoft
Microsoft needs to do more to combat phishing. Actually, they need to do 'less' by disabling or limiting the use of hyperlinks and JavaScript in Outlook and Hotmail. Since phishing is causing real financial damage to companies and individuals, Microsoft created an arguably very large liability exposure by introducing DHTML e-mail in Outlook.

My opinion is that hyperlinks in e-mail contents should require the user to approve each navigation after viewing a dialog that clearly indicates the link destination. This constraint can be eased depending on the age of the hyperlinks, because destination phishing websites are more likely to be taken down or abandoned over time. I also think JavaScript should be disabled completely in e-mail contents to protect against the new breed of JavaScript-obfuscated web pages.
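The confirmation dialog argued for above needs one thing from the mail client: the real destination of each anchor, separated from whatever the HTML displays. As an added example (not code from this post or from any mail client), the Python below extracts every anchor from a constructed HTML e-mail body and flags the cases such a dialog should surface: visible text naming a host other than the real one, a raw IP destination, and a non-HTTP scheme such as javascript:. The sample message and host names are made up.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed sample e-mail body (not a real message; reserved example hosts).
SAMPLE_EMAIL_HTML = """
<p>Dear customer, please <a href="http://203.0.113.5/login">verify your account</a>.</p>
<p>Or visit <a href="http://www.example-bank.com.evil.example/">www.example-bank.com</a></p>
<p>Support: <a href="https://www.example-bank.com/help">https://www.example-bank.com/help</a></p>
<p><a href="javascript:alert(1)">click here</a></p>
"""
class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None  # [href, accumulated text] while inside an <a>
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href") or "", ""]
    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data
    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current[0], self._current[1].strip()))
            self._current = None

# A hostname-looking token in the visible text, with or without a scheme.
HOST_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

def describe_link(href, text):
    """Real host of one anchor plus the warning a confirmation dialog should show."""
    parsed = urlparse(href)
    real_host = parsed.hostname or ""
    m = HOST_IN_TEXT.search(text)
    display_host = m.group(1).lower() if m else ""
    warning = ""
    if parsed.scheme not in ("http", "https"):
        warning = "non-http scheme"
    elif display_host and display_host != real_host:
        warning = "visible text names a different host"
    elif IPV4.fullmatch(real_host):
        warning = "raw IP address destination"
    return {"href": href, "text": text, "real_host": real_host, "warning": warning}

def audit_links(html):
    parser = LinkExtractor()
    parser.feed(html)  # parse the whole body; links are collected in order
    return [describe_link(href, text) for href, text in parser.links]
```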
Hunters vs. Butchers
Law enforcement agencies are IMHO still in hunter mode, meaning the hackers they find and prosecute are more or less trophies for assuring the public. Seen as services, they are open to denial of service attacks by organized hackers arming script-kiddies to overload or slow down cybercops. They need to think about ways to shift gears from hunter to butcher mode now, if not just against phishers, then for homeland security.
Takedown.com
The most difficult part of fighting phishing is taking down phishing websites. Differences and confusion in law and legal jurisdictions, cross-language communication issues, availability, authority verification problems, and other issues make taking down a fraud site a skill or an art of social networking, ingenuity, and patience which most companies do not have.

Solutions suggested so far like contacts and standards are useless IMHO. A more effective solution is to encourage entrepreneurs to start up federated or franchised businesses to offer takedown services around the globe and around the clock with a local touch. Having middlemen like them solves most of the issues mentioned above.
Spoofback
Considering the difficulty with takedown, another option is to 'spoof back' by posting phony information to the phishing websites in order to spoil the goods by diluting them with bad info. Instead of receiving 3,000 good responses, phishers will receive 300,000 responses, most of which will be bad. Another variation is to post user info leading to honeypots in order to phish the phishers. I am not sure about the legal issues, but the hackback risk is no worse than the takedown IMHO.
APWG Future Threat Models SIG
I have volunteered to participate in the Future Threat Models SIG at APWG because I am both highly creative and insanely paranoid, which means I can see blind spots where none exist. :-) I probably won't be posting about the activities there, but I will post my thoughts and publicize imminent threats like the XSS Network threat I posted about before.
The Anti-Phishing Working Group (APWG) is an industry association focused on eliminating the identity theft and fraud that result from the growing problem of phishing and email spoofing. The organization provides a forum to discuss phishing issues, define the scope of the phishing problem in terms of hard and soft costs, and share information and best practices for eliminating the problem. Where appropriate, the APWG will also look to share this information with law enforcement.

Membership is open to qualified financial institutions, online retailers, ISPs, the law enforcement community, and solutions providers. Note that because phishing attacks and email fraud are sensitive subjects for many organizations that do business online, the APWG has a policy of maintaining the confidentiality of member organizations.

It serves as a public and industry resource for information about the problem of phishing and email fraud, including identification and promotion of pragmatic technical solutions that can provide immediate protection and benefits against phishing attacks. The analysis, forensics, and archival of phishing attacks to the Web site are currently powered by Tumbleweed Communications' Message Protection Lab.
Other News: Anti-Phishing Working Group (12/31/2004 05:03 AM)
The Anti-Phishing Working Group provides lists of recent phishing attacks and advice on how to defend against them.

Quality Assurance Working Group Updates Three Working Drafts (11/08/2002 08:17 PM)
8 November 2002: The Quality Assurance (QA) Working Group has updated three Working Drafts in its seven-part QA Framework: the Introduction, Process and Operational Guidelines; and Specification Guidelines. Learn more about the QA Activity and the roadmap for ensuring that W3C technologies are well implemented. (News archive)
Secure Resolutions Upgrades Their Anti-Virus Engine to Include Anti-Spyware, Anti-Adware, Anti-Dialers, Anti-Hoaxes, Anti-Jokes, and Anti-Hacking Tools
Thunderbird in line for anti-phishing safeguards (02/01/2005 08:53 PM)
A group of developers working on Thunderbird have come up with a new anti-phishing feature. Can improved security safeguards aid in Thunderbird adoption at the expense of other clients?

Will A Reactive Anti-Phishing System Work? (09/14/2004 05:25 AM)
Realizing that phishing scams are a big deal these days, Symantec is now launching their own anti-phishing system to help combat the problem. Of course, since phishing relies more on social engineering to trick people into revealing their bank account, credit card and/or other private info, it's hard to see how a company could launch an effective anti-phishing service. Symantec's works the same way many early anti-spam systems worked: by creating a bunch of fake accounts, monitoring the results and using them to build a database of phishing sites to block. It certainly could help, but it might depend on how quickly it works. Unlike the situation with spam, where it's not quite as awful if a few messages get through, a phishing site that still gets a bunch of victims is certainly problematic for those people. While it's unclear if there's any better solution, a reactive solution to phishing may just be too little too late.

Symantec Rolls Out Anti-Phishing Service (09/13/2004 02:30 PM)
The company unveils a new offering intended to help financial institutions fight phishing attacks and online fraud.
NetCraft Launching Anti-Phishing Service (01/07/2004 06:39 PM)
"Phishing" scams, where a scammer sends a fake email pretending to be from a legitimate site and tries to get people to go to a real-looking site and give away all their personal details and/or passwords, are becoming increasingly popular. However, as scams grow, so do the scam fighters. NetCraft, known for monitoring what systems are used to host websites, is going to launch a phishing detection service. They already keep track of registered domain names and crawl sites, recording their home pages. The service will specifically look for domain names that are similar to the names of companies that sign up for the service - while also comparing actual websites to try to catch phishing sites before they have a chance to scam people. Sounds like a useful service.
Phishing attacks rose in February, says group (03/29/2005 11:03 AM)
The number of phishing attacks grew slightly during February, and there was also increased malicious software use, a group that monitors attempts at online identity theft said on Tuesday.
Anti-Phishing Bill Introduced Just To Make It Even More Illegal (07/13/2004 03:47 AM)
Maybe I missed the note, but I was under the impression that "phishing" (tricking people into filling out their personal info into a site they believe is a financial site like Paypal or their bank, but which is really the scammer's own site) was already pretty damn illegal. After all, it is tricking someone into revealing their bank account info, which will then most likely be used to steal money from them. However, just for good measure, a new anti-phishing bill has been introduced in the Senate, making sure it's even more illegal. The argument for doing this is that it's currently difficult to prosecute those scammers involved with phishing, but it's not entirely clear why. It seems like setting up a website to defraud people out of their bank account or credit card info should be an open and shut case of fraud.
Brief: 17 companies form group to fight phishing, spoofing (06/15/2004 04:23 PM)
The companies, including AT&T Wireless, IBM, Best Buy and ABN Amro, plan to announce the formation of the Trusted Electronic Communications Forum to promote technology standards, best practices and prosecutions against cybercriminals.

Phishing attacks rose slightly in February, says group (03/29/2005 01:59 PM)
The number of phishing attacks grew slightly in February at the same time the use of malicious software was rising, according to the Anti-Phishing Working Group.

Netriplex Adds Phishing Detection to its Anti-Spam Solution (06/18/2004 03:10 AM)
Netriplex announced today that as a result of the exponential increase in phishing and spoofing via email, it has implemented anti-fraud technology into its spam filtering service. The addition of this technology effectively stops fraudulent attempts at grabbing user names, passwords and other sensitive information from recipients of this type of email. [PRWEB Jun 18, 2004]
OK - so unless it's not already obvious - the future has MUCH to do with rich media interfaces - those 'webapp'-like entities that exist in a webpage, but act like a "normal" app.
I'm in love with a company called Laszlo Systems - and they've got a bunch of new stuff coming down the pipe.....
So my friend Andrew Woolridge wants everyone to know - there's a Laszlo User Group meeting coming up......
Here's Andrew's pitch......
Next User Group Meeting: Tuesday July 27, 2004
At: Laszlo San Francisco Office
Time: 6:30 pizza; 7-9 pm meeting
A group of Laszlo enthusiasts have organized the Laszlo User Group. Meetings occur monthly at the Laszlo Systems offices in San Francisco, CA. Free pizza is often served. Members typically discuss and demo their latest projects. They also hear updates from, as well as discuss issues directly with, the Laszlo engineering team.
Ping ID to host first users group meeting (04/19/2005 09:56 AM)
Next month, in conjunction with Digital ID World in San Francisco, Ping Identity will hold its first (I believe) PingFederate Users Group meeting. The meeting is free to all members of the users group. Membership of the users group is free to everyone who uses the PingFederate server. The PingFederate server is free to download from Ping Identity. See a pattern here?