The Messaging Anti-Abuse Working Group (MAAWG) and the Anti-Phishing Working Group (APWG) have published Anti-Phishing Best Practices for ISPs and Mailbox Providers. The report characterizes phishing messsages and makes recommendations for detecting and containing them. It also includes a section on how to best handle service support incidents.
The key topics include:
- The nature of phishing attacks
- Inbound protection schemes
- Web traffic filtration
- Outbound traffic filtration
- Pharming and DNS cache poisoning attacks
- Phishing and customer support calls
- Communications with targets
The report describes methods for detecting and blocking, including Bayesian filters, which learn from examples, blacklists, fingerprinting schemes, which detect phishing-specific techniques, and URL based filters. In addition to these technieques, the report recommends using sender authentication when available and encouraging end users to employ client side filters.
The MAAWG and APWG report make the point that phishers often launch their attacks from comprimised computers so filtering outbound traffic can help reduce the volume of phishing attacks if any computers on your network have been comprimised.
Pharming is a variation on phishing that uses fraudulent DNS entries to redirect users to phishing sites. The fundamental vulernability lies in the trusting design of DNS. The report recommends providers keep thier DNS software up to date and access sites with certificates enabled.
Can You Trust Your Firmware?
InformationWeek is reporting that the Bureau of Industry and Security within the U. S. Commerce Department has been attacked by Chinese hackers to the point where the department is replacing hardware. Has it gotten to the point that reformatting a hard drive isn’t even enough?
John Heasman’s presentation at the Black Hat conference described how the Advanced Configuration Power Interface could be used to comprimise a computers BIOS. In a National Public Radio piece this morning, the possiblity of comprimising a printer was discussed. “How often do you update your printer?” was asked and leads us to the more general question, what do we need to lock down?
We used to think in terms of vulnerabilities in operating systems, network services, and applications, but that may not be enough for long. It looks like we’re at the point where we can’t trust firmware. I suspect we will start seeing a lot more digitally signed code, including firmware, in the future.
