Microsoft anti-phishing software ??

Mitica100

Microsoft anti-phishing software raises Internet privacy concerns
By Mike Ingram
17 September 2005

A phishing filter developed by Microsoft and to be included in the next release of the Windows operating system has raised concern amongst privacy advocates.

The filter software is to be included in Internet Explorer 7 but has been released early as an extension to existing versions of the Windows web browser.

Phishing is the term given to the use of fake web sites in order to steal the identities of users. Phishing fraud normally starts with computer users receiving emails appearing to be from banks, credit card companies, or sites such as eBay and PayPal, requesting account updates. Links are provided to web sites that seem legitimate but in fact store the information, to be used for illegal activity. Unwary users are duped into giving up their Social Security, credit card and bank account information.

The increase in phishing attacks has prompted a new genre of software known as anti-phishing tools. Most of these come as extensions to the web browser, most commonly Internet Explorer. Two such tools are CallingID, and SpoofGuard from Dan Boneh and John Mitchell of the Stanford Security Lab. Netcraft also provides a toolbar for Internet Explorer and Firefox, which assists users in identifying phishing sites.

Anti-phishing software uses a combination of different methods in an attempt to spot spoof sites. Domain analysis is used to verify domain registrations using a number of criteria and from a number of sources. Session analysis is used to determine if a site uses properly encrypted communications and spot other telltale signs of a spoof site. Most of these programs are known as client-side, in that they operate on the user’s own computer without sending data to a server.

Microsoft’s anti-phishing software is controversial in that it sends a user’s browsing activity to Microsoft servers for comparison against lists of sites known to be either good or bad. According to the Microsoft web site:

“Phishing Filter is a feature in Internet Explorer 7.0 that helps determine whether a Web site is legitimate or a so-called phishing Web site.” Internet Explorer 7.0 is only available to a select group of developers and is not expected for general release within the next year. The phishing filter software is to be made available as an extension to existing versions of Internet Explorer over the next few weeks. The web site specifies three checks designed to help protect users from phishing scams:

“1. It compares the addresses of web sites that a user attempts to visit to the addresses of sites that have been reported as legitimate. This list is stored on the user’s computer.

“2. It analyzes sites that a user attempts to visit by checking those sites for characteristics common to phishing sites.

“3. If the user chooses, Phishing Filter sends the addresses of web sites that a user attempts to visit to Microsoft to be checked against a frequently updated list of reported phishing sites.”

It is this last point that has come in for the most criticism. Privacy campaigners argue that this allows Microsoft to track Internet use. Kevin Bankston, a lawyer and Internet privacy expert with the San Francisco-based Electronic Frontier Foundation, has said this is potentially “a wholesale handing over of one’s privacy to Microsoft. I would say, right now, definitely don’t use this. If you’re careful, you don’t need this.”

As the software becomes integrated into the next generation of Microsoft Windows, however, users will have little option but to use it. While the sending of information to Microsoft is optional, many users will not realize the significance of what they are doing.

The problem of Internet security is a serious one, which needs to be addressed at many levels. Technology can assist in this and some of the new client-side anti-phishing software does seem to be effective. In the case of Microsoft’s server based solution, however, too many questions arise for this to be considered a legitimate response to the problem.

Microsoft has, of course, insisted that it has no intention of tracking a user’s web browsing activity and says it does not store the information sent by the phishing filter. “We don’t store that information,” Greg Sullivan, Microsoft Windows group product manager, said. “There is no server event log, no data base, no hosted event file.”

Kevin Bankston told the Australian publication the Age that the information may be too valuable for Microsoft to ignore in the longer term. “There are clear financial imperatives for them to choose to make use of this information in the future and start logging it,” he said. “It is not hard to imagine the gold that could be mined out of that information.”

In fact, decisions as to the retention of such information may not be left to Microsoft at all. In the aftermath of the terrorist attacks of September 11, 2001, and those in London in July this year, there have been increasing demands by security forces internationally for broader access to electronic data and for Internet Service Providers to be required to log certain data.

There is also a question of the freedom of the Internet as a means of mass dissemination of information, open to all. Microsoft proposes to maintain a “white list” of sites deemed legitimate. Officials say the list of approved sites, which Microsoft calls “the list of highly trafficked legitimate web sites,” will number in the “tens of thousands.” The list is being provided by Nielsen NetRatings, which measures Internet traffic. ICANN, the Internet Corporation for Assigned Names and Numbers, reported in August that there are 43 million active registered domain names worldwide, meaning that only a tiny percentage of sites will make it to the Microsoft list.

Michael Aldridge, a product planner with Microsoft’s technology care and safety group, told the Age the company would not be vetting which web sites are contained on the list. “It is based ... purely on traffic. We make no judgments on content.”

For inexperienced users, the prospect of error messages to the effect that their identity may be stolen if they proceed to a selected site could prove intimidating enough to have them avoid the site altogether. There is a very real danger that the phishing filter will have the effect of creating a two-tier Internet, with sites designated as safe or not, supposedly on the basis of the number of people visiting them on a list controlled by the world’s largest software corporation.

===========================

This is interesting...
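As an added illustration of the three checks the article lists (this is not Microsoft's code; the allowlist, blocklist and hostnames are constructed placeholders), a minimal filter in Python whose result also records whether the visited address ever left the machine, which is the point the privacy criticism turns on:

```python
"""Simplified three-stage phishing filter modelled on the article's description.
Stage 1 (local allowlist) and stage 2 (local heuristics) never send anything;
stage 3 (remote blocklist lookup) is the opt-in step that transmits the address."""
import ipaddress
from urllib.parse import urlsplit

# Constructed stand-in for the locally stored list of "legitimate" sites.
LOCAL_ALLOWLIST = {"bank.example", "shop.example"}
# Constructed stand-in for the server-side list of reported phishing sites.
REMOTE_BLOCKLIST = {"bank.example.login-verify.test"}


def heuristic_flags(url):
    """Stage 2: purely local checks for characteristics common to spoof sites."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    flags = []
    try:
        ipaddress.ip_address(host)
        flags.append("ip-literal-host")      # bare IP instead of a brand's domain
    except ValueError:
        pass
    if "@" in parts.netloc:
        flags.append("userinfo-in-url")      # user@host form hides the real host
    if host.count(".") >= 4:
        flags.append("many-subdomains")      # brand name buried in a long host
    if parts.scheme != "https":
        flags.append("no-tls")               # the "session analysis" signal
    return flags


def remote_lookup(host):
    """Stage 3 stand-in: the only step where the address leaves the user's machine."""
    return host in REMOTE_BLOCKLIST


def classify(url, send_to_remote=False):
    """Return (verdict, heuristic flags, address_was_sent_off_machine)."""
    host = (urlsplit(url).hostname or "").lower()
    if host in LOCAL_ALLOWLIST:              # stage 1 short-circuits everything
        return ("legitimate", [], False)
    flags = heuristic_flags(url)
    local_verdict = "suspicious" if flags else "unknown"
    if not send_to_remote:
        return (local_verdict, flags, False)
    if remote_lookup(host):
        return ("phishing", flags, True)
    return (local_verdict, flags, True)
```

Allowlisted addresses are never transmitted even with the remote check enabled; every address that misses the local list is, which is why the size of the allowlist relative to the 43 million registered domains matters.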