Microsoft: Phishing Bad, Users Complicit, Education Best Defense - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
IoT
News
News
3/15/2005
03:23 PM
50%
50%

Microsoft: Phishing Bad, Users Complicit, Education Best Defense

Microsoft, along with Trust-e and RSA Security, summarized the plague of phishing attacks as the "fastest-growing form of online fraud," but offered little new in terms of advice or technology.

Microsoft Tuesday summarized the plague of phishing attacks as the "fastest-growing form of online fraud in the world today," but offered little new in the form of either advice or technology.

Among the few tidbits: use of Sender ID on Microsoft's free Web-based Hotmail service will lead to similar support for the sender authentication scheme in Outlook and Exchange later this year.

Mike Nash, the chief security executive at Microsoft, and others from companies including Truste and RSA Security, pointed to the dangers of phishing to both consumers and businesses, with emphasis on the latter.

"The long term damage phishing can do to brands is the real concern," said Fran Maier, the executive director and president of Truste, in an hour-long Webcast Tuesday morning.

Phishing attacks, which typically begin with e-mails that pose as requests from actual firms to update accounts or provide other personal identity information, direct unwary consumers to bogus Web sites that may in some cases use addresses similar to the real deal.

"Companies need to have a clear banding strategy that says, 'we never ask for anything via e-mail,'" Maier added. "Companies also have to be clear on where and how they redirect URLs to other companion sites."

Phishing can strike at businesses in other ways, said Craig Spiezle, a director in Microsoft's technology safety group. "In the business environment, there's also private information and intellectual property that can be at risk to phishing attacks," he said.

Nash and the others concentrated their advice on the educational aspects of defending against phishing attacks, in some cases coming close to blaming users for the problem.

"Users will open about anything," said Burt Kaliski, the vice president of research and chief scientist at RSA Security. "The human element," he went on, "is the weakest link."

But Kaliski also blamed ancient technology. He took the current username/password authentication scheme -- often the only info a phisher is after -- to task. "User authentication is basically the same as in the days of mainframes. There has to be a way to improve the confidence consumers have in logging in." He suggested integrating enhanced authentication within the browser or the operating system, or both as being ultimately easier than hammering into users how dangerous phishing attacks can be.

"Let's face it, users are one of the most difficult part of the process to 'reprogram,'" he said.

RSA's SecurID two-factor authentication technology recently made the news when it announced early this month that E-Trade would equip its upper-end customers with free one-timepassword tokens.

Nash spent much of the time touting spam defenses as the best way to prevent phishing attacks, even though evidence is increasing that the most sophisticated phishers are turning to other attack avenues, including malicious code and spyware, to rip off identities.

"Implement protections to reduce spam," he said, recommending multi-layered defense at the gateway, server, and end-point; relying on the more security-conscious Internet Explorer 6.0 included in Windows XP SP2 (which includes a pop-up blocker and spotlights possibly fraudulent URLs in the address bar); and publishing the Sender Policy Framework (SPF) record for legitimate business domains.

Hotmail, he said, has been using Sender ID -- Microsoft's sender authentication scheme that's partially based on SPF -- for the past two months, and has found that it reduces the amount of spam, and may trim the amount of phishing spam users receive.

About one-fifth of the e-mails received by Hotmail's users originated from a domain that had published an SPF record, said Nash, and of that number, about a quarter showed evidence of domain spoofing. While domain spoofing isn't a phishing-only phenomenon -- "regular" spammers almost always spoof their sending addresses, too -- Nash said a more extensive use of Sender ID and SPF would help the fight against phishing.

Hotmail's use of Sender ID, a Microsoft spokesperson said separately, has meant "notable improvements in the accuracy of its SmartScreen filtering process." SmartScreen is the name Microsoft gives to its anti-spam technology within Exchange and the Outlook client. "Microsoft will provide support for [Sender ID and SPF] in Outlook and Exchange later this year," the spokesperson added.

Nash did not give any additional information on the upcoming Internet Explorer 7.0, which is scheduled to appear in beta this summer, reportedly with additional protection against phishing and other malicious attacks. Nor did Nash respond to a question asking for a status update on the browser.

When asked about what kind of anti-phishing and/or anti-spam defenses might be under consideration for Longhorn, the next-generation Windows, a Microsoft spokesperson said, "It's a little early to discuss security features in Longhorn, as many of the ideas are being finalized right now," and the usual "we're listening to customers, and evaluating the feature set."

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
2018 State of the Cloud
2018 State of the Cloud
Cloud adoption is growing, but how are organizations taking advantage of it? Interop ITX and InformationWeek surveyed technology decision-makers to find out, read this report to discover what they had to say!
Slideshows
9 Steps Toward Ethical AI
Cynthia Harvey, Freelance Journalist, InformationWeek,  5/15/2019
Commentary
How to Assess Digital Transformation Efforts
Lisa Morgan, Freelance Writer,  5/14/2019
Commentary
Is AutoML the Answer to the Data Science Skills Shortage?
Guest Commentary, Guest Commentary,  5/10/2019
Register for InformationWeek Newsletters
Video
Current Issue
A New World of IT Management in 2019
This IT Trend Report highlights how several years of developments in technology and business strategies have led to a subsequent wave of changes in the role of an IT organization, how CIOs and other IT leaders approach management, in addition to the jobs of many IT professionals up and down the org chart.
White Papers
Slideshows
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Sponsored Video
Flash Poll