Color Fields Colr Pickr is an interesting use of the tags that the web photo site Flickr provides.
Category Archives: Web Technologies
Interview with a link spammer
Over at The Register they are running an interview with a link spammer. Nothing different than you’d expect:
If you’re affected by this spam, say because you run a blog, or a website, or like the other 99.9 per cent of Net users just come across the stuff, Sam explains the important thing to remember is it’s nothing personal. They’re not targeting you personally.
Or this gem:
“The question of morals is one for the individual. While it’s legal, it will continue. It could be argued that a website owner is actually inviting content to their site when they allow comments.”
Interesting to note the comments towards the end about captchas (tests that are easy for humans, but tough for computers, like recognising random numbers in distorted images). I was thinking about adding one of those to my comments form to slow them down a little more. That said, my current defences seem to be holding up pretty well, so perhaps I’ll leave it as-is for the moment.
Blazing Speeds
Intermittently for the last few days my SBC Yahoo! DSL connection has been slower than normal. Most times in the evening, and by the next morning things seem to be back to normal. Tonight it was not just slower than normal. Tonight it reached close to a standstill. The screenshot on the right, which you will probably need to click on to see the popup version so you can read it, is from the SBC Yahoo! Speed Test tool which reported an amazing download speed of 1.64Kbps.
Better than that though is the honesty that only comes from a computerised tool like this: take a look at the information on the right where it tells me that the approximate time to download an average MP3 file on my DSL connection would be 203 minutes and 15 seconds (that’s over 3 hours), but on a regular dialup it would take just 9 minutes (over 22 times faster on dial up!). My upload speed rocks though, hence I can still upload this screenshot without any problems, and even post this entry relatively easily 🙂
Hopefully the fine folks over at SBC will rectify the problem tomorrow (if not before) and I will be back to normal. It’s odd how much you come to rely on the internet connection just being there.
Blog Comment Spam Update
For over two months now my blog has been under attack by spammers trying to post their links to pharmaceutical, gambling or mortgage sites in my comments in an attempt to boost their page ranking in the search engines. None of these comments have made it through.
Initially I was relying on the manual approval of every comment (which I still have turned on for any that get past my other defences), but that soon became tedious as their use of spam-bots increased and I was getting 10s of postings an hour, all the same but from different IP addresses.
So, I experimented with a number of spam-blocking tools for WordPress. The result of that experimentation was that I settled on a couple of tools from the same author:
Between them, these two tools have reduced the work in moderating comments to almost nothing. Most of the spam is deleted automatically by the spaminator tool, though I still have that one set to email me when it deletes a comment so that I can monitor what it deletes in case it picks a genuine comment. So far, it has never done that though. If you run a WordPress blog, I strongly recommend these two plugins.
January 8, 2005: Updated the links to Kitten’s tool home pages since they changed.
10×10
In their own words, “10×10™ (‘ten by ten’) is an interactive exploration of the words and pictures that define the time.” What does that mean? Well, it is an array of thumbnail sized photos, 10 across and 10 down (hence the name), that are derived from the top 100 keywords in the news. The site automatically scans several news sources once an hour, selects the 100 most important words and a photo associated with each one, and then renders it as an image.
There is also a flash application that lets you see the word associated with each photo (or vice-versa) as well as navigate through past hours, or even days to see what the images were since it started running earlier this month.
More Phishing Problems
Yet more reasons to switch from Windoze to anything else. The Register is reporting that MessageLabs has intercepted a small number of phishing emails containing a sophisticated new attack that does not require the recipient to click on any links.
The attack exploits another hole in Windoze to install scripts on the box so that the next time the user logs into their online banking the information will be stolen.
Interestingly, there is also a statistic at the end from MessageLabs claiming that they detect between 80 and 100 new phishing web sites every day. I noted last month that I had seen a sudden increase in the number arriving in my inbox; this seems to be another problem that is on the rise. Something needs to happen to improve the security of Windoze, and soon.
Security Report: Windows vs Linux
Over at the Register they have published a security report comparing Windows and Linux [PDF]. The results are as expected, but the report does a good job of debunking the FUD that Microsoft is spreading about the security of their excuse for an operating system.
Those system administrators out there still running Microsoft based servers for anything need to read this and then install something that actually might be able to do the job in a secure fashion. Windows will never be secure until it is completely redesigned and rewritten to be so. The design of Windows is simply flawed in such a way that it can never be secure. Above all though, remember that no software, including operating system software, is 100% secure. Keep watching for updates and make sure you install them (Linux, or perhaps even better FreeBSD system, will significantly reduce the amount of work you have in this area though!).
For desktop users the problem is a little more complex as the only really viable alternative for general use is Mac OS X, but it requires special, and often expensive hardware. The problem is that Windows requires more attention than any other OS I’ve used, but most of the people using WinXP do not have the required skills to maintain it securely – myself included much of the time. Keeping up with all the flaws is a full time job, and I don’t want a second job!
Register suffers DDOS attack
One of my favourite tech-news sources, The Register, was hit by a DDOS attack yesterday. I noticed that the site was inaccessible in the early hours of the morning here in California.
It is sad that there are people out there who think that it is smart to take down somebody else’s site. It’s a shame that those people cannot spend their time contributing their own content to the world instead of just destroying other people’s. And why attack a news site like the Register?
Of course, it would also help if the thousands of zombie Windoze boxes that enable people to run these attacks so easily were not on the internet. I think it is about time that Windoze boxes were banned from connection to the internet until MS completely re-writes the whole OS in a secure way (assuming that they know how to do that). Either that, or bill them for each one of these attacks that originates from machines running their crappy excuse for an OS.
And, while we’re on that subject, I have a better plan for controlling spam too. Rather than Bill’s plan that would have us all pay him to send email, I propose something that would charge MS for every spam email sent via a zombie Windoze box. That should be enough of an incentive for MS to actually plug the holes in the OS.
‘Phishing’ Attacks
In addition to an increasing number of Nigerian/419 scam emails arriving in my mailboxes, I have noticed that there are a lot more phishing emails.
According to the folks over at the Anti-Phishing Working Group, these attacks are on the rise. In July 2004 they had almost 2000 attacks reported, almost a third of which were against Citibank. My experience would go much further than that since almost all the phishing emails I see are Citibank ones, including the one I received tonight that prompted this posting.
I have a proposal for dealing with these in a more pro-active way… I think that one way to make these attacks less useful to the criminals behind them would be to flood them with false information. That would make finding the real card details in their data much, much harder. Since most are simple CGI or PHP scripts processing HTTP post forms, it is a simple matter to extract the names of the form fields that they are interested in (username, password, account number, PIN etc) and create a script that generates random responses for usernames pulled from a dictionary of common names. More sophisticated solutions might also verify that the credit card number being submitted is actually a valid number (i.e. it passes the Luhn algorithm validation), or perhaps provide username variations (e.g. adding a numeric suffix to the username).
Finally, an old article at BankersOnline.com talking about a phishing attack that took place on January 25, 2004, seems to go way over the top. The introductory paragraph states that “terrorists leveraging resources in Korea, and posing as United States government representatives, attacked our country in an attempt to undermine the security of our banking systems.” It goes on to say that the “reaction should be immediate neutralization of the threat.”
Update [October 21, 2004]: The BBC is running a story about the sophistication of phishing attacks now, and also some possible techniques that they might employ in the future. Seems that phishing is in the news these days. Let’s hope that the message gets out to as many potential victims as possible.
User Agents
A quick analysis of the top ten user agents in the https://bluedonkey.org statistics seems to suggest that not many people have actually installed Microsoft’s Windows XP SP2. My top ten real browsers (i.e. excluding search engine bots) for the first seven days of October fall out like this:
| Browser | Share |
| MSIE (no SP2 tag) | 67% |
| Mozilla 1.7.x | 19% |
| MSIE (with SP2 tag) | 14% |
All the top ten real browsers were running on Windows machines. The first non-Windows entry was for MacOS X, but not running a browser; instead, it was the NetNewsWire RSS news reader software from Ranchero Software. Linux appears in third place in terms of OS share (though it is pretty close to MacOS X).
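The kind of log analysis described above, as an added example rather than the script behind the bluedonkey.org statistics: it reads Apache combined-format lines, drops search-engine bots, and buckets the remaining user agents the way the table does. The "SP2 tag" the post refers to is the SV1 token that IE 6 on XP SP2 appends to its user-agent string; the log lines below are constructed, not real traffic.

```python
import re
from collections import Counter

# Constructed sample of Apache combined-format log lines (not real bluedonkey.org traffic).
SAMPLE_LOG = """\
10.0.0.1 - - [01/Oct/2004:10:00:00 -0700] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
10.0.0.2 - - [01/Oct/2004:10:00:01 -0700] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
10.0.0.3 - - [01/Oct/2004:10:00:02 -0700] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.3) Gecko/20040910"
10.0.0.4 - - [01/Oct/2004:10:00:03 -0700] "GET /robots.txt HTTP/1.0" 200 40 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
10.0.0.5 - - [01/Oct/2004:10:00:04 -0700] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
10.0.0.6 - - [01/Oct/2004:10:00:05 -0700] "GET /feed HTTP/1.1" 200 900 "-" "NetNewsWire/1.0.8 (Mac OS X)"
"""

# The user agent is the last double-quoted field of a combined-format line.
UA_RE = re.compile(r'"([^"]*)"\s*$')
BOT_MARKERS = ("bot", "crawler", "spider", "slurp")


def classify(ua):
    """Map a user-agent string to the buckets used in the post, or None for bots."""
    low = ua.lower()
    if any(m in low for m in BOT_MARKERS):
        return None
    if "msie" in low:
        # IE 6 on XP SP2 appends the SV1 token, which is how patched clients show up in logs.
        return "MSIE (with SP2 tag)" if "sv1" in low else "MSIE (no SP2 tag)"
    if re.search(r"rv:1\.7(\.\d+)?\b", ua):
        return "Mozilla 1.7.x"
    return "Other"


def ua_shares(log_text):
    """Return {bucket: whole-percent share} over non-bot requests in log_text."""
    counts = Counter()
    for line in log_text.splitlines():
        m = UA_RE.search(line)
        if not m:
            continue
        bucket = classify(m.group(1))
        if bucket is not None:
            counts[bucket] += 1
    total = sum(counts.values())
    return {b: round(100 * n / total) for b, n in counts.items()} if total else {}


if __name__ == "__main__":
    for bucket, share in sorted(ua_shares(SAMPLE_LOG).items(), key=lambda kv: -kv[1]):
        print(f"{bucket:22s} {share}%")
```

Because user agents are client-supplied and trivially spoofed, treat the resulting shares as a rough indicator of patch adoption, not a measurement.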