Phishing attacks: will we ever stop them?

Technical solutions against phishing -- the spoofing of legitimate Websites and emails -- are emerging, but we may not be able to legislate our way to complete security.

As recently reported here at this site, a recent IBM survey concludes that mass phishing attacks -- in which users receive phony emails that prompt them to either log into malicious sites or to send confidential data -- have been on the wane. However, in their place have been smarter (if you can call phishing "smart"), more targeted phishing expeditions. This new threat even has a cute name: "spear phishing."

Phishing emails still are wreaking havoc -- witness the recent attack on the International Monetary Fund, for example, that allegedly arose from phishing e-mails.

The question is: along with lots and lots of user education, does technology offer countermeasures against phishing? Technology, so far, has been fairly effective in the battle against spam, and there are some good defenses against outright hacking.

Unfortunately, as David Talbot explains in MIT Technology Review, the war against phishing is still an uphill battle against a crafty enemy. That enemy may be criminals looking to steal money, and could even be agents of foreign governments seeking to compromise government officials.

One measure that will help stem the tide, called DNSSEC, or Domain Name System Security Extensions, has already been adopted by 66 of 306 top-level domains (such as .org, .com, .gov, and national domains). The way phishers spoof their malicious sites is to hide the numerical Internet address of their sites behind the spoofed name (such as a bank's domain name). DNSSEC adds signed information that can be used to verify that the numerical Internet address is the right one associated with the name being presented.

However, only about 1% of individual companies or organizations have adopted DNSSEC, meaning widespread deployment is still years away, says Talbot. As he describes it, DNSSEC "verifies that a domain name points to the correct Web server."

In an example of the law of unintended consequences, Talbot also warns that pending legislation before the US Congress could undermine the effectiveness of DNSSEC. Senate Bill S. 968 is intended to "prevent online threats to economic creativity and theft of intellectual property" (PROTECT IP) and mandates Internet service providers, under court orders, to block websites peddling stolen media or counterfeit pharmaceuticals, and to redirect a Web user attempting to visit such a site to a takedown notice.

He quotes the concerns of Paul Vixie, chairman and chief scientist of Internet Services Corporation, a nonprofit developer of Internet software and protocols:

Such redirection is what DNS hackers try to do, and what DNSSEC aims to prevent. "If we end up with legislation on that point, it will be impossible to do end-to-end DNSSEC because it will be illegal in some cases."

Vixie and several other Internet security experts have published their objections to the PROTECT IP bill, pertaining to the DNS filtering requirements in the legislation.
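To make concrete both the verification DNSSEC adds (described above) and why a court-ordered redirect breaks it (Vixie's point), here is a toy model added for this page, not code from the article or from any DNSSEC implementation. It assumes a constructed zone keypair built from two Mersenne primes (textbook RSA, not a real key-generation procedure), constructed addresses in documentation ranges, and hypothetical helper names `sign_record`, `validate` and `resolve`; real DNSSEC carries the same idea in RRSIG and DNSKEY records with standardized algorithms.

```python
# Toy DNSSEC-style model (constructed for this page): the zone owner signs
# its A record, and a validating resolver checks the answer it receives
# against that signature using only the zone's public key. An intermediary
# that rewrites the address cannot produce a matching signature.
import hashlib

# Constructed zone keypair: n = p*q from two known Mersenne primes, e = 65537.
# This is a textbook RSA stand-in, NOT how real DNSSEC keys are generated.
_P, _Q = (1 << 521) - 1, (1 << 127) - 1
ZONE_N = _P * _Q
ZONE_E = 65537
_ZONE_D = pow(ZONE_E, -1, (_P - 1) * (_Q - 1))  # private exponent, zone owner only


def canonical(name: str, rtype: str, rdata: str) -> bytes:
    """Canonical form of the record that the signature covers."""
    return f"{name.lower().rstrip('.')}.|{rtype}|{rdata}".encode()


def _digest(name: str, rtype: str, rdata: str) -> int:
    return int.from_bytes(hashlib.sha256(canonical(name, rtype, rdata)).digest(), "big")


def sign_record(name: str, rtype: str, rdata: str) -> int:
    """Zone owner signs the record (stands in for publishing an RRSIG)."""
    return pow(_digest(name, rtype, rdata), _ZONE_D, ZONE_N)


def validate(name: str, rtype: str, rdata: str, sig: int,
             zone_n: int = ZONE_N, zone_e: int = ZONE_E) -> bool:
    """Validating resolver: recompute the digest of the answer it actually
    received and compare with the signature, using the zone's public key
    (stands in for the DNSKEY it fetched and chained to the root)."""
    return pow(sig, zone_e, zone_n) == _digest(name, rtype, rdata)


def resolve(answer: dict, sig: int) -> tuple:
    """Return (address handed to the client, whether it validated)."""
    return answer["rdata"], validate(answer["name"], "A", answer["rdata"], sig)


# Constructed sample: the bank publishes its A record and its signature.
BANK = {"name": "bank.example.", "rdata": "203.0.113.10"}
BANK_SIG = sign_record(BANK["name"], "A", BANK["rdata"])

# An intermediary substitutes another address (the redirect the article
# discusses). The original signature no longer matches, so validation fails.
REDIRECTED = {"name": "bank.example.", "rdata": "198.51.100.7"}

if __name__ == "__main__":
    print(resolve(BANK, BANK_SIG))        # ('203.0.113.10', True)
    print(resolve(REDIRECTED, BANK_SIG))  # ('198.51.100.7', False)
```

The second call is the situation Vixie describes: a resolver doing end-to-end validation must reject the redirected answer, so a mandated redirect and DNSSEC validation cannot both hold at once.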

Ultimately, until technology completely locks down the threat, end-user training and consumer education remain the best barriers against malicious threats.

This post was originally published on Smartplanet.com