Feds Pressured on Phishing

WASHINGTON—As phishing scams, identity theft and other online schemes proliferate, the private sector is calling on the federal government to take a leadership role but is stopping short of requesting new laws. Such demands, however, are turning the spotlight back on private industry, which—observers looking for an even stronger governmental response say—has made meager progress of its own in the fight against online scams.

Key service providers and security vendors voiced dissatisfaction with government efforts to improve cyber-security at a U.S. House of Representatives hearing on identity theft here last week. Whats lacking from the government, said top officials from such companies as Entrust Inc. and eBay Inc., is willingness to use its buying power and the bully pulpit to motivate the private sector.

“When was the last time you heard [Department of Homeland Security Secretary] Tom Ridge talk about this? All they talk about is physical security,” William Conner, CEO of Entrust, in Addison, Texas, told eWEEK.

In April, the National Cyber Security Summit Task Force, a group of more than three dozen corporations and organizations, issued an information security policy framework, which had been requested by DHS. But since then, Conner said, there has been no progress.

In Washington last week to testify at the hearing, Conner said that what is not needed is a series of piecemeal laws. Measures addressing industry-specific data requirements, such as the Health Insurance Portability and Accountability Act, and specific cyber-crimes, such as the CAN-SPAM Act, are not sufficient to make the Internet a safe place, he said.

There are, however, proposals on the horizon that hold promise for reducing the number of phishing messages that reach users, a major step toward preventing identity theft, experts say. One idea is the DomainKeys mail authentication system developed by Yahoo Inc. and under consideration as a standard by the Internet Engineering Task Force.

/zimages/3/28571.gifClick hereto find out why the Internet Engineering Task Force recently shut down the MARID anti-spam working group.

The system acts as an authentication layer at the mail gateway and uses public-key cryptography to ensure that senders are authorized to send mail from a given domain. For service providers or enterprises to implement the system, they simply generate a public- and private-key pair and then publish the public key in their DNS (Domain Name System) records.

DomainKeys has been implemented in the latest versions of Sendmail Inc.s popular MTA (mail transfer agent) software. Two of the nations largest ISPs, America Online Inc. and EarthLink Inc., also have expressed interest in implementing the system. Yahoo plans to implement the technology on its own Yahoo Mail product by the end of the year, according to Miles Libbey, anti-spam product manager at Yahoo, in Sunnyvale, Calif.

Security experts say DomainKeys development has done something that the governments penchant for holding hearings does not: It improves understanding of spam and phishing.

“There are still some disconnects. A lot of the committees dont understand the connections,” said Howard Schmidt, former White House security adviser. Schmidt, now vice president of security at eBay, in San Jose, Calif., a frequent victim of phishing scams, said the company has a full-time staff dedicated to investigating fraudulent e-mails.

Still, Rep. Adam Putnam, R-Fla., warned last week that the private sector has done little to convince legislators that mandates arent needed. Last year, Putnam drafted a bill requiring security reporting by public companies, but the bill was never introduced.

/zimages/3/28571.gifCheck out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.

/zimages/3/77042.gif

Be sure to add our eWEEK.com Security news feed to your RSS newsreader or My Yahoo page