[fc-discuss] Financial Cryptography Update: Microsoft, Office SP2, anti-phishing, security patches, the real situation, and the arms race.

iang@iang.org
Thu, 29 Sep 2005 16:03:00 +0100 (BST)

                           September 29, 2005


------------------------------------------------------------------------

https://www.financialcryptography.com/mt/archives/000554.html
------------------------------------------------------------------------

In security pennies, Microsoft released SP2 for Office with some
attention to phishing:

========8<======
The most noteworthy enhancement is the addition of a new Phishing
Protection feature to Outlook 2003's Junk E-mail Filter. This feature
will be turned on by default for users who have Office 2003 SP2 and the
latest Outlook 2003 Junk E-mail Filter Update, the company said. 
========8<======
http://www.pcmag.com/article2/0,1895,1864265,00.asp

To which I say the most noteworthy thing is that either the press or
Microsoft thought that anti-phishing is the most important thing.  Yet,
to me, a Junk email filter improvement that picks up phishing emails is
so underwhelming that I hesitate with embarrassment to ask this
question:  why is it that big browser companies like Mozilla and
Microsoft think that they can address phishing at the email level by
expanding their Bayesian filters?

Any comments out there?  What am I missing?

There are security enhancements in the SP2 pack, but as one wit had it:
"Cool!  Now ... will it work?"  The security disaster continues:

http://www.webuser.co.uk/news/news.php?id=68968
=======8<========
A new report from the Information Security Forum (ISF) warns that
Trojan-based attacks are becoming more sophisticated and harder to
stop.  The ISF - a not-for-profit organisation with 260 members
including half of the Fortune 100 - believes this sophistication will
see Trojans soon take over from email phishing.  But, it warns,
phishing is still big business - more than a third of ISF members have
been affected by phishing attacks.
=======8<========

Yes, this is the well known conclusion.  Trojans can take over the
Microsoft Windows computer and do the lifting of account information
without the user having to do *anything*.  Once there was enough
finance developed in the early clumsy email phishing model to invest in
virus/trojan based attacks, this move was inevitable.

What does this mean?  The underground shift that the press dare not
speak of will firm up, and the decade(s) long domination of Microsoft
Windows will end, I predict.  People never had a real reason to shift
from Microsoft computers before, but nobody was stealing their money
before.  Long term view:  sell Microsoft, buy Apple.

https://www.financialcryptography.com/mt/archives/000264.html

Jean sends this snippet to me, and it speaks to the general security
view:

http://www.fxcentre.co.uk/uk/news.asp?ukts+20050925_14047_80360
=======8<========
Periodic attacks against computers by vandals, terrorists, and
allegedly by governments such as that of China, have raised
cyber-security to the top of the computer community's agenda.

Computer experts warn. National security officials sound alarm. Banks
clamor. The press writes sensational stories. And the public seems
fascinated by the exotically named and poorly understood threats.
Everybody, it seems, agrees that cyber security needs to be beefed up.

Today indeed there may be a deficit of computer security. But it seems
inevitable that tomorrow we will have too much of it. How can there be
too much security? Security tends to prevent bad things from happening.
But it also prevents some good things from emerging.

Some cyber-security makes private and societal sense, of course. Backup
file systems, decentralisation, firewalls, passwords, all of these are
reasonable measures. But since they do not stop determined intruders,
the tendency is for increased security measures.

How much should a company spend for its computer security? Total
security is neither achievable nor affordable. Instead, a company would
engage in some form of cost-benefit analysis, in which it compares the
cost of harm avoidance with the benefit of such reduced harm.

But in the real world, the data for such calculation is systematically
skewed in the direction of exaggerated harm and understated cost of
prevention. Take the cost of harm.
...
=======8<========

So more than a few people have recognised that we've been spending big
and talking big on security for the last decade or so and it's now
getting worse.  What's the misconnection here?  That is indeed a topic
of current research, but at least it has started to enter the radar
screens of security thinkers.
