<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://blogs.msdn.com/utility/FeedStylesheets/atom.xsl" media="screen"?><feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en"><title type="html">Steve's Identity Corner </title><subtitle type="html" /><id>http://blogs.msdn.com/stwood/atom.xml</id><link rel="alternate" type="text/html" href="http://blogs.msdn.com/stwood/default.aspx" /><link rel="self" type="application/atom+xml" href="http://blogs.msdn.com/stwood/atom.xml" /><generator uri="http://communityserver.org" version="2.1.61025.2">Community Server</generator><updated>2006-06-16T20:14:00Z</updated><entry><title>Gone Phishing!</title><link rel="alternate" type="text/html" href="http://blogs.msdn.com/stwood/archive/2006/06/17/634774.aspx" /><id>http://blogs.msdn.com/stwood/archive/2006/06/17/634774.aspx</id><published>2006-06-17T02:53:00Z</published><updated>2006-06-17T02:53:00Z</updated><content type="html">&lt;P class=MsoNormal style="MARGIN: 0in 0in 10pt"&gt;&lt;FONT face=Calibri&gt;Over the last few years we have all experienced the constant barrage of phishing attacks. These are not only a pain for all of us as end users, as we carefully pick through our email trying to figure out what’s real and what isn’t, but also an unending headache for those trying to run the commercial web sites we link to. So let’s take a step back for a moment to look at how these attacks are possible; after all, we’re smart people, we shouldn’t be fooled that easily…&lt;/FONT&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 10pt"&gt;&lt;FONT face=Calibri&gt;There are three distinct steps to any phishing attack; for the sake of keeping this simple, let’s just call them &lt;I style="mso-bidi-font-style: normal"&gt;Casting the Bait&lt;/I&gt;, &lt;I style="mso-bidi-font-style: normal"&gt;Reeling in the Catch&lt;/I&gt; and &lt;I style="mso-bidi-font-style: normal"&gt;Stealing the Prize&lt;/I&gt;.&lt;/FONT&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 10pt"&gt;&lt;FONT face=Calibri&gt;&lt;B style="mso-bidi-font-weight: normal"&gt;&lt;I style="mso-bidi-font-style: normal"&gt;Casting the Bait&lt;/I&gt;&lt;/B&gt; – since the initial goal of the phisher is to get you to their web site, the first step is to deliver you a URL in an email message. This email has to convince you not only that it is from a real company but also that you should take the additional action of clicking on the link it contains (and the text you see in the message need not match the address the link actually points to). We’ve all seen the “there has been a change in your account details and we need you to verify them” email, complete with nice graphics and logos from a familiar company. The first few times we see these we naively click on the link and off we go to who knows where to try and verify our account details. Given the amount of spam we all receive, it’s not surprising that at times it’s hard to tell the good mail from the bad. In recent years many efforts have been made to reduce the amount of spam, and as junk mail filters have become more sophisticated we are weeding out a lot more than we used to, but there is still more work to be done.&lt;/FONT&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 10pt"&gt;&lt;FONT face=Calibri&gt;&lt;B style="mso-bidi-font-weight: normal"&gt;&lt;I style="mso-bidi-font-style: normal"&gt;Reeling in the Catch&lt;/I&gt;&lt;/B&gt; – have you ever thought about how easy it is to fake a web site? Think about that for a moment: if I go to any web site today, I bet I can copy half of their logos and artwork straight off their home page. In no time at all a half-decent web designer could mock up a site that is close enough to the real thing to fool 90% of the people who saw it. In fact that’s exactly what &lt;/FONT&gt;&lt;A href="http://www.deas.harvard.edu/~rachna/papers/why_phishing_works.pdf"&gt;&lt;FONT face=Calibri color=#800080&gt;researchers at Harvard University and UC Berkeley&lt;/FONT&gt;&lt;/A&gt;&lt;FONT face=Calibri&gt; did for their study of why phishing works. Now compare that with how hard it is to fake a real brick and mortar business, say a bank or a book store. One of the reasons so many people get phished is that it is very hard for most users to tell the difference between a fake site and the real one. In fact many users today have no idea what the so-called security measures we have in place even mean. Ask some of your non-technical friends to explain what an SSL certificate is and how they can tell when a site has one. Now ask them how they know that it’s a real cert for the company they think they are visiting, and not one that was issued to a spurious company in Nigeria. On the whole we as an industry have come up pretty short in terms of protecting our users from going to sites that they can’t identify.&lt;/FONT&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 10pt"&gt;&lt;FONT face=Calibri&gt;&lt;B style="mso-bidi-font-weight: normal"&gt;&lt;I style="mso-bidi-font-style: normal"&gt;Stealing the Prize&lt;/I&gt;&lt;/B&gt; – in many cases the prize is your username and password. Firstly this is because the phisher can now get access to the site that they faked; secondly, the chances are you also use that username and password in other places, and they are going to go after those too. But wait, I hear you cry, I have several passwords that I use on different sites depending on the value associated with an account. So imagine this: you get tricked into going to a fake site, it asks you for your username and password, you type them in and get “User Authentication Failed, please try again”. So you think to yourself, maybe I used one of my other username and password pairs, so you try again; failed. Eventually you think maybe I just typed the password wrong the first time! So you re-enter it and the site lets you in (and redirects you to the real site). Now the phishing site not only has the username and password for the site they faked, but chances are they also stole the other 4 combinations you use, because every failed attempt was recorded too. And yes, this happened to someone I know, oops. So usernames and passwords aren’t solving the problem today of how we get users to authenticate to our sites.
And we need to keep it simple enough that all users, from the technically savvy to the novice, can just as easily and securely authenticate, without the need for a username and password.&lt;/FONT&gt;&lt;/P&gt;&lt;SPAN style="FONT-SIZE: 11pt; FONT-FAMILY: 'Calibri','sans-serif'; mso-ascii-theme-font: minor-latin; mso-fareast-font-family: Calibri; mso-fareast-theme-font: minor-latin; mso-hansi-theme-font: minor-latin; mso-bidi-font-family: 'Times New Roman'; mso-bidi-theme-font: minor-bidi; mso-fareast-language: EN-US; mso-ansi-language: EN-US; mso-bidi-language: AR-SA"&gt;&lt;FONT size=3&gt;So as you can see the method of attack is pretty straightforward, and if it wasn’t for the fact that we prefer to operate on the right side of the law, I’m sure we could all make a pretty decent living doing it. One of the big challenges for us as an industry is that it covers multiple technologies: email clients, browsers, SSL certificates and user authentication systems, all of which may be provided by different vendors, none of which feels able to solve the problem alone. Over the next few weeks I’m going to cover each of these topics and explain the work that we are doing here at Microsoft to address these issues, and in addition other industry-wide efforts I come across. I’m not saying that we can stop these attacks completely, but by changing the rules a little we can at least start to fight back.
Let’s face it, we are dealing with some pretty sophisticated criminals intent on stealing from all of us if they can; we just have to make it a lot harder for them to do their job.&lt;/FONT&gt;&lt;/SPAN&gt;</content><author><name>stwood</name><uri>http://blogs.msdn.com/members/stwood.aspx</uri></author></entry><entry><title>To Blog or not to Blog that was the question!</title><link rel="alternate" type="text/html" href="http://blogs.msdn.com/stwood/archive/2006/06/16/634439.aspx" /><id>http://blogs.msdn.com/stwood/archive/2006/06/16/634439.aspx</id><published>2006-06-16T22:14:00Z</published><updated>2006-06-16T22:14:00Z</updated><content type="html">&lt;P class=MsoNormal style="MARGIN: 0in 0in 10pt"&gt;&lt;FONT face=Calibri&gt;Well, for the longest time I have resisted the temptation to leap into the blogging arena, but no more; the question is answered. My name is Steven Woodward and I am a Technical Evangelist in the Windows Server evangelism team here in Redmond. Within the team I am one of the evangelists who covers Identity and Access Management (the others being &lt;/FONT&gt;&lt;A href="http://blogs.msdn.com/vbertocci/"&gt;&lt;FONT face=Calibri color=#ffa500&gt;Vittorio Bertocci&lt;/FONT&gt;&lt;/A&gt;&lt;FONT face=Calibri&gt;, Donovan Follette and &lt;/FONT&gt;&lt;A href="http://blogs.msdn.com/nigelwa/"&gt;&lt;FONT face=Calibri color=#ffa500&gt;Nigel Watling&lt;/FONT&gt;&lt;/A&gt;&lt;FONT face=Calibri&gt;). 
For the last year I have been working on &lt;/FONT&gt;&lt;A href="http://msdn.microsoft.com/winfx/reference/infocard/default.aspx?pull=/library/en-us/dnwebsrv/html/identitymetasystem.asp"&gt;&lt;FONT face=Calibri color=#ffa500&gt;The Identity Metasystem&lt;/FONT&gt;&lt;/A&gt;&lt;FONT face=Calibri&gt; and &lt;/FONT&gt;&lt;A href="http://channel9.msdn.com/showpost.aspx?postid=181080"&gt;&lt;FONT face=Calibri color=#ffa500&gt;InfoCard&lt;/FONT&gt;&lt;/A&gt;&lt;FONT face=Calibri&gt;, now called Windows CardSpace™ (which keeps the marketing folks happy, but I’m just going to call it CardSpace), during which time I have presented to and met with many in the industry to discuss our vision for how to improve user authentication and identification. During that time I have also had the honor to work with &lt;/FONT&gt;&lt;A href="http://www.identityblog.com/"&gt;&lt;FONT face=Calibri color=#ffa500&gt;Kim Cameron&lt;/FONT&gt;&lt;/A&gt;&lt;FONT face=Calibri&gt;, the man behind the vision, whose desire for openness and inclusion with respect to the Identity Metasystem has driven much of the industry momentum we see now.&lt;/FONT&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 10pt"&gt;&lt;FONT face=Calibri&gt;I’ve learned a lot over the last year about how people plan to use this technology and about other projects being worked on in parallel, both within Microsoft and in the rest of the industry, and I’m going to use this blog as the place to share my thoughts and get feedback from you on where we are heading.&lt;/FONT&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 10pt"&gt;&lt;FONT face=Calibri&gt;For those not familiar with The Identity Metasystem or CardSpace here are two simple explanations of what they are and how they relate. &lt;/FONT&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 10pt"&gt;&lt;FONT face=Calibri&gt;&lt;I style="mso-bidi-font-style: normal"&gt;The Identity Metasystem&lt;/I&gt; is a mechanism that uses a subset of the WS-* protocols (WS-SecurityPolicy and WS-MetadataExchange to describe and fetch policy, WS-Trust to request tokens) to publish the security policy of a web site or service, exchange that policy with the user’s client, and retrieve from an identity provider security credentials, in the form of signed tokens, that satisfy the policy.&lt;/FONT&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 10pt"&gt;&lt;FONT face=Calibri&gt;&lt;I style="mso-bidi-font-style: normal"&gt;CardSpace&lt;/I&gt; is the Windows client component of the Identity Metasystem, aka an Identity Selector: it shows the user which site is asking and what it is asking for, presents the matching security credentials as cards in a friendly, easy to understand user interface, and releases a credential only when the user picks a card.&lt;/FONT&gt;&lt;/P&gt;
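&lt;P class=MsoNormal style="MARGIN: 0in 0in 10pt"&gt;&lt;FONT face=Calibri&gt;To make the two definitions above concrete, here is a simplified version of that exchange in Python. It is an added example, not code from this post or from CardSpace itself: a relying party publishes a policy, the selector filters the user’s cards against it, the identity provider returns a token bound to the requesting site, and the relying party verifies what it receives. The identity provider key, the card data, the certificate-subject strings standing in for the real and a look-alike site, the HMAC-signed JSON token format and the per-site identifier (PPID) derivation are all constructed for illustration; the real system uses SAML tokens over WS-Trust and identifies a site by its X.509 certificate.&lt;/FONT&gt;&lt;/P&gt;

```python
"""Simplified identity-metasystem exchange.

Added example, not code from the original post or from CardSpace. It models
the three roles the post describes: a relying party (RP) that publishes a
policy, an identity selector that picks the cards satisfying it, and an
identity provider (IdP) that returns a signed token for the chosen card.
Assumptions (not from the post): tokens are HMAC-signed canonical JSON in
place of SAML, the RP identity is a certificate-subject string, and the
per-site identifier (PPID) is a hash of card id plus RP identity.
"""
import hashlib
import hmac
import json

IDP_ISSUER = "https://idp.example.test"               # constructed issuer name
IDP_KEY = b"constructed-idp-signing-key"              # stand-in for the IdP's private key
REAL_RP = "CN=www.examplebank.test, O=Example Bank"   # stand-in for the RP's certificate subject
PHISH_RP = "CN=www.examp1ebank.test, O=Spurious Co"   # look-alike site with its own certificate

# Cards held by the user; constructed sample data.
CARDS = [
    {"card_id": "card-0001", "issuer": IDP_ISSUER,
     "claims": {"givenname": "Alice", "emailaddress": "alice@example.net"}},
    {"card_id": "card-0002", "issuer": IDP_ISSUER,
     "claims": {"givenname": "Alice"}},
]


def make_policy(rp_identity, required_claims, issuer=IDP_ISSUER):
    """RP side: the policy a site publishes (stand-in for WS-SecurityPolicy)."""
    return {"rp_identity": rp_identity, "issuer": issuer,
            "required_claims": sorted(required_claims)}


def select_cards(cards, policy):
    """Selector side: only cards whose issuer and claims satisfy the policy are offered."""
    needed = set(policy["required_claims"])
    return [c["card_id"] for c in cards
            if c["issuer"] == policy["issuer"] and needed.issubset(c["claims"])]


def derive_ppid(card_id, rp_identity):
    """Per-RP identifier: the same card yields a different value at a different site."""
    return hashlib.sha256(f"{card_id}|{rp_identity}".encode()).hexdigest()[:32]


def _canonical(payload):
    """Deterministic serialisation so signer and verifier hash identical bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def issue_token(idp_key, card, policy):
    """IdP side: release only the requested claims, bound to the requesting RP."""
    payload = {
        "issuer": IDP_ISSUER,
        "audience": policy["rp_identity"],
        "ppid": derive_ppid(card["card_id"], policy["rp_identity"]),
        "claims": {k: card["claims"][k] for k in policy["required_claims"]},
    }
    sig = hmac.new(idp_key, _canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "signature": sig}


def verify_token(idp_key, token, rp_identity, required_claims):
    """RP side: check signature, audience binding and claim coverage, in that order."""
    expected = hmac.new(idp_key, _canonical(token["payload"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["signature"]):
        return False, "bad signature"
    if token["payload"]["audience"] != rp_identity:
        return False, "audience mismatch: token was issued for another site"
    if not set(required_claims).issubset(token["payload"]["claims"]):
        return False, "missing claims"
    return True, "ok"


def demo():
    """Run the honest exchange, then replay a token obtained by a look-alike site."""
    required = ["givenname", "emailaddress"]
    policy = make_policy(REAL_RP, required)
    offered = select_cards(CARDS, policy)             # card-0002 lacks emailaddress
    card = next(c for c in CARDS if c["card_id"] == offered[0])
    token = issue_token(IDP_KEY, card, policy)
    honest = verify_token(IDP_KEY, token, REAL_RP, required)

    # The phishing site publishes the same policy under its own identity.
    phish_token = issue_token(IDP_KEY, card, make_policy(PHISH_RP, required))
    replayed = verify_token(IDP_KEY, phish_token, REAL_RP, required)

    # Tampering with the released claims breaks the signature.
    forged = {"payload": dict(token["payload"]), "signature": token["signature"]}
    forged["payload"]["claims"] = dict(forged["payload"]["claims"], givenname="Mallory")
    tampered = verify_token(IDP_KEY, forged, REAL_RP, required)

    return {
        "offered": offered,
        "honest": honest,
        "replayed": replayed,
        "tampered": tampered,
        "ppid_differs": token["payload"]["ppid"] != phish_token["payload"]["ppid"],
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

&lt;P class=MsoNormal style="MARGIN: 0in 0in 10pt"&gt;&lt;FONT face=Calibri&gt;The second half of demo() is the part that matters for the phishing post above: the token a look-alike site obtains carries that site’s identity as its audience and a different per-site identifier, so replaying it at the real site fails verification. There is no reusable secret for the “Authentication Failed, please try again” trick to collect.&lt;/FONT&gt;&lt;/P&gt;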
&lt;P class=MsoNormal style="MARGIN: 0in 0in 10pt"&gt;&lt;FONT face=Calibri&gt;Since all of the WS-* protocols are published openly, there are many initiatives other than Microsoft’s working to develop interoperable solutions, and there are also initiatives to develop Identity Selectors for other platforms; look for more on these in the coming weeks.&lt;/FONT&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 10pt"&gt;&lt;FONT face=Calibri&gt;You can find out even more by going over to our newly created &lt;/FONT&gt;&lt;A href="http://www.netfx3.com/"&gt;&lt;FONT face=Calibri color=#ffa500&gt;community site&lt;/FONT&gt;&lt;/A&gt;&lt;FONT face=Calibri&gt;, which covers all of the NetFX 3.0 technologies (WCF, WF, WPF and CardSpace). There you will find links to whitepapers, samples and guides on how to get started.&lt;/FONT&gt;&lt;/P&gt;</content><author><name>stwood</name><uri>http://blogs.msdn.com/members/stwood.aspx</uri></author></entry></feed>