Microsoft: Phishing Bad, Users Complicit, Education Best Defense - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

03:23 PM

Microsoft: Phishing Bad, Users Complicit, Education Best Defense

Microsoft, along with Trust-e and RSA Security, summarized the plague of phishing attacks as the "fastest-growing form of online fraud," but offered little new in terms of advice or technology.

Microsoft Tuesday summarized the plague of phishing attacks as the "fastest-growing form of online fraud in the world today," but offered little new in the form of either advice or technology.

Among the few tidbits: use of Sender ID on Microsoft's free Web-based Hotmail service will lead to similar support for the sender authentication scheme in Outlook and Exchange later this year.

Mike Nash, the chief security executive at Microsoft, and others from companies including Truste and RSA Security, pointed to the dangers of phishing to both consumers and businesses, with emphasis on the latter.

"The long term damage phishing can do to brands is the real concern," said Fran Maier, the executive director and president of Truste, in an hour-long Webcast Tuesday morning.

Phishing attacks, which typically begin with e-mails that pose as requests from actual firms to update accounts or provide other personal identity information, direct unwary consumers to bogus Web sites that may in some cases use addresses similar to the real deal.

"Companies need to have a clear banding strategy that says, 'we never ask for anything via e-mail,'" Maier added. "Companies also have to be clear on where and how they redirect URLs to other companion sites."

Phishing can strike at businesses in other ways, said Craig Spiezle, a director in Microsoft's technology safety group. "In the business environment, there's also private information and intellectual property that can be at risk to phishing attacks," he said.

Nash and the others concentrated their advice on the educational aspects of defending against phishing attacks, in some cases coming close to blaming users for the problem.

"Users will open about anything," said Burt Kaliski, the vice president of research and chief scientist at RSA Security. "The human element," he went on, "is the weakest link."

But Kaliski also blamed ancient technology. He took the current username/password authentication scheme -- often the only info a phisher is after -- to task. "User authentication is basically the same as in the days of mainframes. There has to be a way to improve the confidence consumers have in logging in." He suggested integrating enhanced authentication within the browser or the operating system, or both as being ultimately easier than hammering into users how dangerous phishing attacks can be.

"Let's face it, users are one of the most difficult part of the process to 'reprogram,'" he said.

RSA's SecurID two-factor authentication technology recently made the news when it announced early this month that E-Trade would equip its upper-end customers with free one-timepassword tokens.

Nash spent much of the time touting spam defenses as the best way to prevent phishing attacks, even though evidence is increasing that the most sophisticated phishers are turning to other attack avenues, including malicious code and spyware, to rip off identities.

"Implement protections to reduce spam," he said, recommending multi-layered defense at the gateway, server, and end-point; relying on the more security-conscious Internet Explorer 6.0 included in Windows XP SP2 (which includes a pop-up blocker and spotlights possibly fraudulent URLs in the address bar); and publishing the Sender Policy Framework (SPF) record for legitimate business domains.

Hotmail, he said, has been using Sender ID -- Microsoft's sender authentication scheme that's partially based on SPF -- for the past two months, and has found that it reduces the amount of spam, and may trim the amount of phishing spam users receive.

About one-fifth of the e-mails received by Hotmail's users originated from a domain that had published an SPF record, said Nash, and of that number, about a quarter showed evidence of domain spoofing. While domain spoofing isn't a phishing-only phenomenon -- "regular" spammers almost always spoof their sending addresses, too -- Nash said a more extensive use of Sender ID and SPF would help the fight against phishing.

Hotmail's use of Sender ID, a Microsoft spokesperson said separately, has meant "notable improvements in the accuracy of its SmartScreen filtering process." SmartScreen is the name Microsoft gives to its anti-spam technology within Exchange and the Outlook client. "Microsoft will provide support for [Sender ID and SPF] in Outlook and Exchange later this year," the spokesperson added.

Nash did not give any additional information on the upcoming Internet Explorer 7.0, which is scheduled to appear in beta this summer, reportedly with additional protection against phishing and other malicious attacks. Nor did Nash respond to a question asking for a status update on the browser.

When asked about what kind of anti-phishing and/or anti-spam defenses might be under consideration for Longhorn, the next-generation Windows, a Microsoft spokesperson said, "It's a little early to discuss security features in Longhorn, as many of the ideas are being finalized right now," and the usual "we're listening to customers, and evaluating the feature set."

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
State of the Cloud
State of the Cloud
Cloud has drastically changed how IT organizations consume and deploy services in the digital age. This research report will delve into public, private and hybrid cloud adoption trends, with a special focus on infrastructure as a service and its role in the enterprise. Find out the challenges organizations are experiencing, and the technologies and strategies they are using to manage and mitigate those challenges today.
Augmented Analytics Drives Next Wave of AI, Machine Learning, BI
Jessica Davis, Senior Editor, Enterprise Apps,  3/19/2020
How Startup Innovation Can Help Enterprises Face COVID-19
Joao-Pierre S. Ruth, Senior Writer,  3/24/2020
Enterprise Guide to Robotic Process Automation
Cathleen Gagne, Managing Editor, InformationWeek,  3/23/2020
Register for InformationWeek Newsletters
Current Issue
IT Careers: Tech Drives Constant Change
Advances in information technology and management concepts mean that IT professionals must update their skill sets, even their career goals on an almost yearly basis. In this IT Trend Report, experts share advice on how IT pros can keep up with this every-changing job market. Read it today!
White Papers
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Sponsored Video
Flash Poll