
Phishing: how far is too far?

How bad is it when the cures become worse than the problem?

Concerns have recently been raised about the Google & Firefox anti-phishing drive, after it was revealed that raw data published online contained usernames and passwords of phishing victims.

In his TechCrunch column, Michael Arrington tells the story behind Google’s much-discussed anti-phishing blacklist and how it contained confidential usernames and passwords of individuals, including credentials for accounts at banks and other financial institutions.

Google has not publicly discussed the error, although they quietly removed the offending data.

This points to the ever-growing erosion of the internet by the criminal element -- and the web industry's sometimes over-heroic efforts to curb it. *

Microsoft's new technology to fight phishing

But Google is not the only one trying to fight the plague. Robert McMillan of Techworld.com reports that next month's RSA Conference in San Francisco will see Microsoft announce that a number of websites have gone through a new certification process designed to make it harder for phishers to spoof them.

Further proof of "big boy" involvement brings in big players like VeriSign and Entrust. This is an excellent move on Microsoft's part, yet will it go over the top? I guess no one knows until it's too late. **

The problem is that the big players, with deep pockets, can keep up and even take over to establish standards which are in their own best interests. But will smaller sites that haven't been spoofed be willing to pay for -- or even afford -- these certificates? No one knows yet.

Then there's the problem of the unreliable, unpredictable browser market. Will this be yet another standards takeover by Microsoft that only works in their browser? (Assuming they assimilate Firefox.) And will they keep up? Some of them haven't even been able to cope with CSS, much less a whole new security certificate scheme.

You can read a recent report**** from Stanford University and Microsoft Research that claims the new Extended Validation SSL Certificates in IE7 are ineffective. So I guess the big question here is: "What if it doesn't work?" The report says "user testing, found that EV certificates don't improve users' ability to detect attacks, that the interface can be spoofed."

Interesting to note that while writing this article, TWO new phishing attempts hit my email. One is a Polish criminal named Artur Ornatowski spoofing Chase Bank with a phishing page at his own web site, ornatowski.com. Can you believe that? The other is named "Komae-shi" from Japan spoofing the Bank of America. His site actually goes to the phishing page at "goodbox-pc.com" and if anyone else goes there other than the phish victim, it redirects to hercules21.jp, where Microsoft Vista is for sale. If that's not the "Pot calling the kettle hot" then I don't know what is.

Point made

The criminals keep doing what they're doing because they know no one will do anything about it. Big techno businesses in the U.S. seem to think that the solution is white-wash, and should be applied profitably. Which isn't the case.

Of course, I welcome your comments below.

Thanks for reading
Fred Showker
Fred Showker, Editor/Publisher UG Net News

* Michael Arrington's TechCrunch column
** Robert McMillan's Techworld article
*** Computerworld: Microsoft new antiphishing technology
**** Stanford University and Microsoft Research report (PDF file)
