Security Watch

New Phishing Lures

The latest tactic used by phishers makes it hard to even know if you're being scammed.

• By Russ Cooper
• 04/18/2005

Human Factors
The Anti-Phishing Working Group, a consortium of 1,200-plus members "committed to wiping out Internet scams and fraud," published its February 2005 report. Amongst the interesting information was a marked increase in the number of "Phishing without a lure" attacks. These attacks involve modifying the victim system via a vulnerability or other malware to direct it to a fake site, and convincing the user that he's at a valid site. This is done by placing a "Hosts" file on the victim's system which resolves Domain Name lookups, rather than retrieving such information from an Internet DNS server. The victim sees the correct URL in the browser, and any attempt to determine that the site is fake would be largely fruitless. Such attacks typically target a limited number of companies.

It's good to see such a large group of companies interested in e-commerce gathered together working to solve this problem. Phishing is a key issue that could negatively affect the public's use of, and confidence in, Web transactions.

Malicious Code
Over the weekend of March 26-27, there were ten variants of MyTob released. It seems that bot authors are moving away from using computer vulnerabilities; instead, they're relying on users clicking on links or attachments. The use of Instant Messenger programs to send a link to a victim, from a friend or person known to the victim, has been popular.

One reason for the shift in tactics by bot authors is that there are simply fewer networks with ports open to the Internet over which vulnerabilities can be exploited; Code Red (inbound TCP 80) and Sasser (port 445) have convinced admins to shut them down.

In addition, bot authors seem to not want to get into corporate networks, which are far better monitored than many universities and broadband networks. Because of this, the attempts the bot authors would like to make, such as spamming or Distributed Denial of Service (DDoS) attacks, are more likely to fail. So while the practice of sending viruses via e-mail attachments looks lame to the security-savvy person, it remains the most effective method of infecting home users. The Instant Messaging variation is new because of the medium being used, but the principle is identical to e-mail attachments.

Physical
A laptop computer containing information on almost 100,000 alumni, graduate students and former applicants was stolen from UC-Berkeley.

Organizations continue to have difficulty ensuring that such sensitive information stay off of laptop computers and other frequently-stolen devices. This problem is likely to continue, due to the need for such information at offsite events. But it can't be stressed enough just how frequently such devices are stolen, since it's much easier to tuck a nice thin laptop under your jacket or in your briefcase than a nice large server.

Privacy
Microsoft will incorporate "info-cards" into its upcoming Windows version, code-named Longhorn, in order to fight identity theft. The implementation, which has had several name changes over the years (first Palladium, and now Next Generation Secure Computing Base (NGSCB)), is based on hardware specific to the task of maintaining identity information. The theory is that hardware, coupled with software, will allow trusted Web sites to interact with the trusted data it needs on the user's computer. It could, for example, be used by a banking site to allow a consumer to automatically log in and retrieve account information simply by visiting the correct page.

Want More Security? This column was originally published in our weekly Security Watch newsletter. To subscribe, click here.

Info-cards is another chapter in the never-ending search for the single sign-on solution. Single sign-on used to mean one user ID and password got you access to myriad resources. With info-cards, it may mean that multiple user ID and password combinations get stored in a single location with a single mechanism to retrieve the correct one (and only the correct one) for the site you're interacting with. It will be interesting to see just how a machine verifies whom it's talking to, and—maybe more importantly—how it informs the user that he is not interacting with the intended site.

Governance
The U.S. National Institute of Standards and Technology (NIST) has released Special Publication 800-66, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. HIPAA goes into effect this Wednesday, at which time those covered by the Act must have complied with its mandates.

Although it's 137 pages long, with many lengthy charts and graphs, it's a pretty good read and introductory-level explanation of HIPAA requirements and mapping to existing government standards.

The Fingerprint Alliance—British Telecommunications, Cisco Systems, EarthLink, MCI, NTT Communications, Asia Netcom, Broadwing Communications, Verizon Dominicana, XO Communications, and the University of Pennsylvania—has established "an automated process for sharing attack profiles across service-provider networks." Using Arbor Networks' Peakflow SP product, ISPs will be able to share information which should assist them in identifying similar attacks. Such cooperation should help to mitigate large Denial of Service (DoS) events, such as extortion attempts, as well as minimize the impact of worms and other large-scale network events.

ISPs have been sharing information for a while. However, this new process is intended to be automated, thereby reducing the time and some of the effort currently involved in coordinating various ISPs' involvement in an event. On the downside, anything that automatically imposes restrictions on an Internet connection based on a signature has the capability to mistakenly block traffic. It will be interesting to see how these networks fare the next time we have a large Internet event.