Next Gen Phishing Improves on Simple Spam
An anonymous reader writes "ZDNet has a writeup about the next generation of phishing. According to the article, as anti-spam engines improve and user education levels increase, phishers will find it easier to hack into web servers and deliver password stealing trojans using browser vulnerabilities or Web 2.0 technologies than spam. Tom Chan from Messagelabs is quoted: 'They are trying to compromise poorly protected Web sites — they basically go in and enter their own code into that Web server,' said Chan, who explained that victims of this new phishing era would not have to do anything wrong in order to get hooked. 'You have gone to a legitimate Web site, you have not made a mistake and done everything right, but then your information gets compromised... because [the phishers] have taken over servers that belong to other people.'"
I'd call it hacking, not phishing, but this happened to us earlier this year. Our company web site at was hacked many times over a period of a month to insert code redirecting visitors to a Russian site that attempted to install a trojan. We knew that 's server was compromised because other users of the same server were also complaining about the same thing. 's reaction?: "We are aware of the problem and we are investigating". We abandoned our account there and moved to another web host after repairing our site every day (often several times per day) for a month.
It's obvious that the current security practices we use on the Net are totally inadequate for our society. Most people have adopted some of us geeks' toys, like networks, email and multimedia - even custom T-shirts. But few of the normals have adopted some of the tools we geeks learned we needed to play with our toys without getting hurt. Geek posers are killing themselves, and dragging down our geek paradise with them.
The best solution to all this phishing, spam and other harvesting naive "normals" is the trust web. Everyone has a private key for signing assertions, and a contact list with trust levels. Every message is signed (or default untrusted) by the sender and vouchers. When enough vouchers sign a message, it is trustworthy. The Web contains vouching centers, including diverse security analysts signing messages (including each others' assertions). People subscribe to many vouch sources, as well as "vouchmasters" which publish formulas for securing transactions. This way, anyone who says a transaction is unsafe, and is vouched by someone else, makes that transaction at least subject to review, or blocked, depending on the person's policy. Which depends on whom they trust.
That is the kind of system I'd expect banks and governments to deploy for the public. They are the ones we are paying, and relying on, for security. There's so much efficiency to gain from security compared to the losses from insecurity that I expect a very diverse, competitive market of vouchers to thrive. The underlying tech, like PGP/GPG signing and other trustweb tools, already exists. There are already relatively informal vouchers, like CERT, DHS, and lots of independents.
What's needed are standards for trust degrees, and simple UIs for using the trust web without learning many new skills. UIs simpler than antiphishing techniques will win. UAs like Firefox and Outlook merely coloring buttons red to blue for degrees of trust, keeping personal info stored locally for standard submission to standard requests graded by risk and identified by trustworthiness would go very far. Onetime passwords for every transaction to prevent replay attacks would go even further. And local databases with audit trails of every transaction would make it even easier to use once a transaction is doubted.
All those features hook an automated trust web into many existing security practices already used by most people in person. A really secure regime would include privacy laws prohibiting transfer of personal info outside the transaction expressly required by the requester and expressly permitted by the sender. Putting personal info under copyright in detail, and a US Constitutional Amendment in general, would really lock our existing judicial/police/security system into a consistent defense of people as well as corporations.
The time is now. Why doesn't Novell's Evolution at least require PGP/GPG by default? Why doesn't Firefox keep personal info stored encrypted for form submissions with a separate log? Why don't banks issue onetime password credit "cards" for Web use? We've already gone far enough down the path that it's obvious Microsoft, the US government, Chase Bank aren't going to move first. Let's see some of the UIs start to make it easy, and force the backend of the trust web to catch up. I'm doing it in my own software. What are you doing?
--
make install -not war
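The vouching scheme sketched in the post above, as an added example in Go (not code from the post's author or from any project): every party holds an Ed25519 key and signs "safe" or "unsafe" verdicts over a message; a contact can also vouch for an analyst's key; the recipient's policy weights only valid signatures by how much it trusts each key, treats a threshold of "safe" weight as trustworthy, and sends the message to review when a trusted or vouched party says "unsafe". The party names, weights, threshold, sample message and the name-derived keys are all constructed for illustration; the one-hop vouching and the single review verdict are simplifications.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
)

// Verdict is what the recipient's policy decides about a message.
type Verdict int
const (
	Untrusted Verdict = iota // not enough trusted "safe" vouches (the default)
	Trusted                  // enough trusted "safe" vouches
	Review                   // a trusted or vouched party said "unsafe"
)
// Kind is prepended to the signed bytes so a "safe" signature cannot be replayed as "unsafe" and a key vouch cannot pass as a verdict.
const (
	KindUnsafe byte = iota // "this message is unsafe"
	KindSafe               // "this message is safe"
	KindVouch              // "this public key belongs to a voucher worth hearing"
)
// Party is any keyholder: sender, contact or security analyst.
type Party struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}
// NewParty derives the key from the name only so this example is deterministic; real parties generate and guard long-lived keys.
func NewParty(name string) *Party {
	seed := sha256.Sum256([]byte("example-only:" + name))
	priv := ed25519.NewKeyFromSeed(seed[:])
	return &Party{priv.Public().(ed25519.PublicKey), priv}
}
// Statement is a signature over Kind||Data. Data is not stored: the verifier supplies the message (or key) it checks against.
type Statement struct {
	Signer *Party
	Kind   byte
	Sig    []byte
}
func (p *Party) Sign(kind byte, data []byte) Statement {
	return Statement{p, kind, ed25519.Sign(p.priv, append([]byte{kind}, data...))}
}
func (s Statement) Valid(data []byte) bool {
	return ed25519.Verify(s.Signer.Pub, append([]byte{s.Kind}, data...), s.Sig)
}
// Policy is the recipient's contact list, keyed by public key (a display name could be spoofed), with weights and a threshold.
type Policy struct {
	Trust     map[string]int // string(pubkey) -> weight; absent means unknown
	Threshold int            // total weight of valid "safe" statements required
}
// weight is a signer's direct weight, or the best weight among contacts who validly vouched for its key (one hop only).
// Unknown, unvouched signers weigh nothing, so strangers can neither push a message to trusted nor force a review.
func (pol Policy) weight(pub ed25519.PublicKey, vouches []Statement) int {
	best := pol.Trust[string(pub)]
	for _, v := range vouches {
		if w := pol.Trust[string(v.Signer.Pub)]; w > best && v.Kind == KindVouch && v.Valid(pub) {
			best = w
		}
	}
	return best
}
// Evaluate applies the policy to a message, the verdicts collected about it and the key vouches subscribed to.
func (pol Policy) Evaluate(msg []byte, verdicts, vouches []Statement) Verdict {
	total, warned := 0, false
	for _, s := range verdicts {
		w := pol.weight(s.Signer.Pub, vouches)
		if w == 0 || !s.Valid(msg) { // unknown signer, forged or tampered: ignore
			continue
		}
		if s.Kind == KindSafe {
			total += w
		} else if s.Kind == KindUnsafe {
			warned = true
		}
	}
	switch {
	case warned: // a stricter per-user policy could return a "blocked" verdict here instead
		return Review
	case total >= pol.Threshold:
		return Trusted
	}
	return Untrusted
}

// Scenario builds a small web from constructed sample data and returns the verdict for each case.
func Scenario() map[string]Verdict {
	bank, cert, analyst, stranger := NewParty("bank"), NewParty("cert"), NewParty("analyst"), NewParty("stranger")
	me := Policy{Trust: map[string]int{string(bank.Pub): 1, string(cert.Pub): 2}, Threshold: 3}
	msg := []byte("pay 100 to account 42")
	vouches := []Statement{cert.Sign(KindVouch, analyst.Pub)} // analyst is unknown to me but vouched by cert
	safe := []Statement{bank.Sign(KindSafe, msg), cert.Sign(KindSafe, msg)}
	return map[string]Verdict{
		"bank+cert":      me.Evaluate(msg, safe, vouches),                                        // 1+2 >= 3
		"bank only":      me.Evaluate(msg, safe[:1], vouches),                                    // 1 < 3
		"stranger warns": me.Evaluate(msg, append(safe, stranger.Sign(KindUnsafe, msg)), vouches), // weight 0
		"analyst warns":  me.Evaluate(msg, append(safe, analyst.Sign(KindUnsafe, msg)), vouches),  // vouched
		"tampered":       me.Evaluate([]byte("pay 1000 to account 42"), safe, vouches),           // sigs fail
	}
}
```

Two design points matter more than the threshold arithmetic. Trust is keyed by public key rather than by a name, because a name is exactly what a phisher forges. And an unknown key weighs nothing in either direction, so a flood of signed "unsafe" statements from strangers cannot push every legitimate message into review; only a party the recipient trusts, or one such a party has vouched for, can trigger that.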
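For the one-time-password point in the same post, an added example (again not the author's code, nor any bank's): RFC 4226 HOTP with a forward-only counter on the verifying side, which is what makes a captured code useless for replay. The secret is the RFC's published test vector; the look-ahead window of five and the six-digit length are assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
)

// HOTP computes the RFC 4226 one-time code for a shared secret and counter.
func HOTP(secret []byte, counter uint64, digits int) string {
	var ctr [8]byte
	binary.BigEndian.PutUint64(ctr[:], counter) // counter is an 8-byte big-endian value
	mac := hmac.New(sha1.New, secret)
	mac.Write(ctr[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f // dynamic truncation: low nibble of the last byte picks the offset
	code := (uint32(h[off])&0x7f)<<24 | uint32(h[off+1])<<16 | uint32(h[off+2])<<8 | uint32(h[off+3])
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// Verifier is the bank-side state for one card: the shared secret and the next
// counter it will accept. The counter only moves forward, so a code captured by
// a phishing page or a trojan is dead the moment the real one is used; a small
// look-ahead window tolerates codes the user generated but never submitted.
type Verifier struct {
	secret []byte
	next   uint64
	window uint64
	digits int
}

func NewVerifier(secret []byte, window uint64, digits int) *Verifier {
	return &Verifier{secret: secret, window: window, digits: digits}
}

// Accept reports whether code matches a counter in [next, next+window) and, if
// so, advances next past it, so that counter and every earlier one are rejected.
func (v *Verifier) Accept(code string) bool {
	for c := v.next; c < v.next+v.window; c++ {
		// constant-time comparison: a timing difference would leak matching digits
		if hmac.Equal([]byte(HOTP(v.secret, c, v.digits)), []byte(code)) {
			v.next = c + 1
			return true
		}
	}
	return false
}

func main() {
	secret := []byte("12345678901234567890") // the RFC 4226 Appendix D test secret
	v := NewVerifier(secret, 5, 6)
	code := HOTP(secret, 0, 6)
	fmt.Println(code, v.Accept(code), v.Accept(code)) // first use accepted, the replay rejected
}
```

A plain HOTP code proves possession of the card but says nothing about which transaction it authorises; a trojan that sits in the session can still swap the payee while the user types a fresh code. The natural next step, which the post's "per transaction" wording points at, is to bind the code to the transaction details as well (the challenge/data-signing modes of OCRA, RFC 6287, do exactly that).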
E-Bay really did that to themselves by allowing outside code on the auctions. I guess a prettier auction is more important than security for the millions of e-bay users.
Freedom is a state of mind. A mind is a state of being. Stay the fuck out of my mind and my being. - Corporate Avenger