New Phishing Lures
The latest tactic used by phishers makes it hard to even know if you're being scammed.
The Anti-Phishing Working
, a consortium of 1,200-plus members "committed to wiping out
Internet scams and fraud," published its February
. Amongst the interesting information was a marked increase in
the number of "Phishing without a lure" attacks. These attacks involve
modifying the victim system via a vulnerability or other malware to direct it
to a fake site, and convincing the user that he's at a valid site. This is done
by placing a "Hosts" file on the victim's system which resolves Domain
Name lookups, rather than retrieving such information from an Internet DNS server.
The victim sees the correct URL in the browser, and any attempt to determine
that the site is fake would be largely fruitless. Such attacks typically target
a limited number of companies.
It's good to see such a large group of companies interested in e-commerce gathered
together working to solve this problem. Phishing is a key issue that could negatively
affect the public's use of, and confidence in, Web transactions.
Over the weekend of March 26-27, there were ten variants of MyTob
released. It seems that bot authors are moving away from using computer vulnerabilities;
instead, they're relying on users clicking on links or attachments. The use
of Instant Messenger programs to send a link to a victim, from a friend or person
known to the victim, has been popular.
One reason for the shift in tactics by bot authors is that there are simply
fewer networks with ports open to the Internet over which vulnerabilities can
be exploited; Code Red (inbound TCP 80) and Sasser (port 445) have convinced
admins to shut them down.
In addition, bot authors seem to not want to get into corporate networks, which
are far better monitored than many universities and broadband networks. Because
of this, the attempts the bot authors would like to make, such as spamming or
Distributed Denial of Service (DDoS) attacks, are more likely to fail. So while
the practice of sending viruses via e-mail attachments looks lame to the security-savvy
person, it remains the most effective method of infecting home users. The Instant
Messaging variation is new because of the medium being used, but the principle
is identical to e-mail attachments.
A laptop computer containing information on almost 100,000 alumni, graduate
students and former applicants was stolen from UC-Berkeley.
Organizations continue to have difficulty ensuring that such sensitive information
stay off of laptop computers and other frequently-stolen devices. This problem
is likely to continue, due to the need for such information at offsite events.
But it can't be stressed enough just how frequently such devices are stolen,
since it's much easier to tuck a nice thin laptop under your jacket or in your
briefcase than a nice large server.
Microsoft will incorporate "info-cards"
into its upcoming Windows version, code-named Longhorn, in order to fight identity
theft. The implementation, which has had several name changes over the years
(first Palladium, and now Next Generation Secure Computing Base (NGSCB)), is
based on hardware specific to the task of maintaining identity information.
The theory is that hardware, coupled with software, will allow trusted Web sites
to interact with the trusted data it needs on the user's computer. It could,
for example, be used by a banking site to allow a consumer to automatically
log in and retrieve account information simply by visiting the correct page.
column was originally published in our weekly Security Watch
newsletter. To subscribe, click here.
Info-cards is another chapter in the never-ending search for the single sign-on
solution. Single sign-on used to mean one user ID and password got you access
to myriad resources. With info-cards, it may mean that multiple user ID and
password combinations get stored in a single location with a single mechanism
to retrieve the correct one (and only the correct one) for the site you're interacting
with. It will be interesting to see just how a machine verifies whom it's talking
to, and—maybe more importantly—how it informs the user that he is
interacting with the intended site.
The U.S. National Institute of Standards and Technology
(NIST) has released Special
Publication 800-66, An Introductory Resource Guide for Implementing the
Health Insurance Portability and Accountability Act (HIPAA) Security Rule. HIPAA
goes into effect this Wednesday, at which time those covered by the Act must
have complied with its mandates.
Although it's 137 pages long, with many lengthy charts and graphs, it's a pretty
good read and introductory-level explanation of HIPAA requirements and mapping
to existing government standards.
The Fingerprint Alliance—British Telecommunications,
Cisco Systems, EarthLink, MCI, NTT Communications, Asia Netcom, Broadwing Communications,
Verizon Dominicana, XO Communications, and the University of Pennsylvania—has
established "an automated process for sharing attack profiles across service-provider
networks." Using Arbor Networks' Peakflow SP product, ISPs will be able
to share information which should assist them in identifying similar attacks.
Such cooperation should help to mitigate large Denial of Service (DoS) events,
such as extortion attempts, as well as minimize the impact of worms and other
large-scale network events.
ISPs have been sharing information for a while.
However, this new process is intended to be automated, thereby reducing the
time and some of the effort currently involved in coordinating various ISPs'
involvement in an event. On the downside, anything that automatically imposes
restrictions on an Internet connection based on a signature has the capability
to mistakenly block traffic. It will be interesting to see how these networks
fare the next time we have a large Internet event.
Russ Cooper is a senior information security analyst with Verizon Business, Inc.
He's also founder and editor of NTBugtraq, www.ntbugtraq.com,
one of the industry's most influential mailing lists dedicated to Microsoft security.
One of the world's most-recognized security experts, he's often quoted by major
media outlets on security issues.