ID
Lots of things related to proving your identity: hardware, software, technology and laws/rules.

Thursday, November 9, 2006


US.gov tunes out scathing RFID privacy report.

DHS committee study 'disavowed'

An external security advisory committee reporting to the US Department of Homeland Security has produced a highly critical report (PDF) advising against the use of RFID technology in government documents.

[The Register - Internet and Law: Digital Rights/Digital Wrongs]
10:07:22 PM    

Blair bangs ID card drum.

PM in biometric hard sell

Tony Blair has once again seen fit to toss his prime ministerial two penneth into the ID cards debate.

[The Register - Internet and Law: Digital Rights/Digital Wrongs]
9:53:05 PM    

USA to ground all travellers until 'cleared'.

Security as a blanket presumption of guilt

No one will be permitted to board an aircraft or a marine vessel leaving or bound for the United States until cleared by the US Department of Homeland Security (DHS) Bureau of Customs and Border Protection (CBP), under proposed regulations.

[The Register - Internet and Law: Digital Rights/Digital Wrongs]
9:50:39 PM    

'Supercerts' Aim to Highlight Legit Web Sites.

Over the past couple of years, dozens of companies have rolled out technologies designed to help computer users and companies better spot "phishing" scams -- Web sites that try to trick people into giving away financial and personal data. But what about helping users tell for certain that when their browser tells them that they are at, say, BankofAmerica.com, that they're really at the bank's official Web site and not at some scam site?

That's precisely the aim of CA/Browserforum, a security effort by the major Web browser makers and certificate authorities, or companies who sell and issue Web site security certificates.

Today, pretty much any Web site owner can plunk down between $150 to $400 and purchase a secure sockets layer (SSL) certificate, a technology designed not only to protect the integrity of data submitted by customers but also to give visitors a modicum of assurance that the site takes their security seriously. By clicking on the little padlock icon in the browser that accompanies all SSL certified sites, visitors also can gain more assurances that the SSL holder is a legitimate company and that it at least has been vetted by a certification authority to some degree.

The problem is that hardly anyone knows to check the data included in SSL certs, and even then making sense of it all is probably beyond the grasp of the average computer user. In addition, phishers increasingly are buying and incorporating SSL certs to make their scam sites appear more legitimate. Worse still, the checks that the certificate authorities currently do to verify that those seeking SSL certs have a legitimate claim to the Web site name listed on the requested cert are largely automated and not terribly hard to fool. In February, Security Fix wrote about a phishing scam that had applied for and received an SSL cert for an actual credit union in Utah.

CA/Browserforum aims to create a market for a kind of "supercert" known as "extended validation" SSL certificates. EVSSL certs would cost quite a bit more but in theory also include more rigorous vetting of the identity and legitimacy of any requesting entity. More importantly, by working with browser makers Microsoft, Mozilla, Opera Software and KDE, the two groups can agree on standardized methods for modifying the display of the visitor's browser Window in more obvious ways to let users know when they are at the legitimate site of a super-cert holder. For example, the browser could be made to turn green around the address bar when the user visits what the browser recognizes as the real Bank of America site.

Bruce Schneier, a cryptography expert and chief technology officer for Counterpane Internet Security, applauded the goals of the CA/Browserforum, calling the current SSL cert validation process "laughable."

"It's a serious problem that people on the 'Net don't know the difference between a real Web site and a clever fake," Schneier said. "I think laying this infrastructure could be useful along with other things in the browser to make it more obvious," when users are at a legitimate site, he said. "This is a big problem, and this is a piece of the solution, not the solution by itself."

[Security Fix]
9:37:54 PM    
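The article's point is that the padlock alone says nothing about who is behind a site: a cheap, automatically issued certificate proves only control of a domain name, while an extended-validation certificate carries vetted organisation fields that a browser could surface. The script below is an added example, not code from the original post or from CA/Browserforum. It works on certificate dicts constructed inline in the shape Python's `ssl.SSLSocket.getpeercert()` returns (no network needed), checks which hostnames the certificate actually covers, and grades its validation level from the subject fields. The assumption that the extra registration fields (`businessCategory`, `jurisdictionCountryName`, `serialNumber`) mark an EV certificate follows the CA/Browser Forum EV guidelines as later published; browsers themselves key on an issuer-asserted policy OID instead, so treat the grading as an approximation.

```python
"""Inspect a server certificate the way a wary user (or a browser UI) should:
which hostnames it is valid for, and how much identity vetting stands behind it.
Added example; the certificates below are constructed, not real."""
from __future__ import annotations

# Subject attributes the CA/Browser Forum EV guidelines require on an
# extended-validation certificate, on top of the ordinary organisation fields.
# Assumption: their presence is used here as the EV marker.
EV_REGISTRATION_FIELDS = {"businessCategory", "jurisdictionCountryName", "serialNumber"}

# Constructed samples in getpeercert() layout: "subject" is a tuple of RDNs,
# each RDN a tuple of (attribute, value) pairs. Hostnames use the reserved .test TLD.
DV_CERT = {  # automated domain-validated cert: only a hostname, no organisation
    "subject": ((("commonName", "login.example-bank-secure.test"),),),
    "subjectAltName": (("DNS", "login.example-bank-secure.test"),),
}
OV_CERT = {  # organisation-validated: O/C present but no EV registration fields
    "subject": ((("countryName", "US"),), (("organizationName", "Example Retail LLC"),),
                (("commonName", "shop.example-retail.test"),)),
    "subjectAltName": (("DNS", "shop.example-retail.test"),),
}
EV_CERT = {  # extended validation: legal identity and registration details vetted
    "subject": ((("businessCategory", "Private Organization"),),
                (("jurisdictionCountryName", "US"),), (("serialNumber", "0000000"),),
                (("countryName", "US"),), (("localityName", "Charlotte"),),
                (("organizationName", "Example Bank Corporation"),),
                (("commonName", "www.examplebank.test"),)),
    "subjectAltName": (("DNS", "www.examplebank.test"), ("DNS", "examplebank.test")),
}
WILDCARD_CERT = {"subject": ((("commonName", "*.examplebank.test"),),),
                 "subjectAltName": (("DNS", "*.examplebank.test"),)}


def subject_fields(cert: dict) -> dict[str, str]:
    """Flatten the tuple-of-RDNs subject into an attribute -> value dict."""
    fields: dict[str, str] = {}
    for rdn in cert.get("subject", ()):
        for attr_type, value in rdn:
            fields[attr_type] = value
    return fields


def validation_level(cert: dict) -> str:
    """Return 'DV', 'OV' or 'EV' from what the subject asserts about the holder."""
    fields = subject_fields(cert)
    if "organizationName" not in fields:
        return "DV"  # only domain control was checked; says nothing about who runs the site
    if EV_REGISTRATION_FIELDS.issubset(fields):
        return "EV"
    return "OV"


def san_dns_names(cert: dict) -> list[str]:
    """DNS names the certificate is valid for (falls back to CN for old certs)."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        cn = subject_fields(cert).get("commonName")
        if cn:
            names.append(cn)
    return names


def hostname_matches(cert: dict, hostname: str) -> bool:
    """Exact match, or a wildcard that is the whole leftmost label covering exactly one label."""
    host = hostname.lower().rstrip(".")
    for pattern in san_dns_names(cert):
        pattern = pattern.lower()
        if pattern == host:
            return True
        if pattern.startswith("*.") and "." in host and host.split(".", 1)[1] == pattern[2:]:
            return True
    return False


def describe(cert: dict, hostname: str) -> str:
    """One line a browser could show instead of a bare padlock."""
    if not hostname_matches(cert, hostname):
        return f"{hostname}: certificate is NOT valid for this name"
    level = validation_level(cert)
    if level == "DV":
        return f"{hostname}: padlock proves only control of the domain; no organisation identity was verified"
    fields = subject_fields(cert)
    return f"{hostname}: {level} certificate issued to {fields['organizationName']} ({fields.get('countryName', '?')})"


if __name__ == "__main__":
    print(describe(DV_CERT, "login.example-bank-secure.test"))
    print(describe(EV_CERT, "www.examplebank.test"))
    print(describe(WILDCARD_CERT, "a.b.examplebank.test"))
```

The DV sample deliberately uses a look-alike hostname: every check passes for it, which is exactly the article's complaint, and only the validation grade reveals that nobody vetted who is behind the name.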

Report: Phishers Hooking Fewer (But Fatter) Victims.

First the good news: While the number of phishing attacks continues to increase, fewer victims report falling for the scams than a year ago.

The bad news: Those who did get hooked by a phishing e-mail lost a lot more than the average 2005 phishing victim, and had a harder time recovering that money to boot.

The findings come from a study released today by Gartner Inc., a report that includes data from some 5,000 adults who took the company's online survey in August. According to Gartner, the average loss per phishing victim nearly quintupled from $257 in 2005 to $1,244 in 2006.

Perhaps more importantly from the victims' perspective, the average percentage that victims were able to recover dropped from 80 percent in 2005 to about 54 percent in 2006. Gartner estimates that at least part of that shift is due to a change in tactics by the scam artists. While financial institutions remain the top targets of phishing attacks, fraudsters are using less-conventional or fictitious brands -- such as made up sweepstakes contests -- that have weaker or non-existent fraud controls, the report posits.

The top two targeted institutions from the Gartner survey results were eBay and PayPal, echoing similar findings this week in a study released by Phishtank, a community-based anti-phishing network.

Gartner said that bank and credit card company refunds to consumers who lose money because of phishing attacks are declining as a percentage of total refunds, while reimbursements from non-financial services companies such as PayPal and retailers, are growing. According to Phishtank, some 1,493 distinct scam sites impersonated PayPal in the month of October alone, with another 1,210 phishing sites targeting eBay.

As major financial institutions have embraced a variety of commercial anti-phishing technologies -- from site take-down services to back-end fraud detection -- many phishers have found it more expedient to expand the scam playing field. According to a recent report from the Anti-Phishing Working Group, phishing e-mails and Web sites targeted at least 148 different brands in August, up from just 84 in January.

"When we first started seeing phishing attacks a few years back people kept saying this was a problem that was going to die down, go away," said Gartner analyst Avivah Litan. "Instead what they're doing is becoming more elusive. Instead of just saying here, come give us your credit card number, they try to lure people with $250 gift cards at Target if they sign up for a sweepstakes right away. The problem is that unlike with the banks, victims have a much harder time getting their money back when they fall for these types of scams."

Anyone interested can check out the Gartner report here. [Security Fix]
9:34:37 PM    


© Copyright 2006 Paul Hardwick.
Last update: 12/6/06; 4:04:13 AM.