New anti-phishing tech
OUT-LAW Radio, 07/06/2007
We investigate a new anti-faker technology that hopes to beat
phishing, and we hear about some quirks in the UK's anti-smoking
laws.
A text transcription follows.
This transcript is for anyone with a hearing impairment or who
for any other reason cannot listen to the MP3 audio file.
The following is the text spoken by OUT-LAW journalist Matthew
Magee.
Hello and welcome to OUT-LAW Radio, the weekly podcast that
keeps you up-to-date on all the twists and turns in the world of
technology law. Every week we bring you the latest news and in
depth features that help you to make sense of the ever-changing
laws that govern technology today.
My name is Matthew Magee, and this week we hear about a new
system designed to prevent phishing attacks, and we investigate the
byzantine complexities of new anti-smoking laws for cars.
But first, the news.
- One stop shop patent fetches £2.5 million at London auction; and
- airline passenger data must be restricted, say Lords.
A 10-year-old US patent for one-stop internet shopping has
been sold at auction in London for £2.5 million. That one sale
represented more than half of the revenue raised at the
unconventional London auction.
Auction firm Ocean Tomo was behind the sale. The firm is a
pioneer of live intellectual property (IP) auctions, having
already held such sales in New York and Chicago in the past year.
Intellectual property is more commonly the subject of trade sales
or private deals, but the auctioning of IP in lots could
commoditise IP assets.
The star of the London auction was lot 19A, 'Methods for
internet shopping with a one-stop shopping cart'. Filed in 1997 by
a New Zealand mother of three, the patent is for technology which
allows a shopper to search for goods in the databases of several
shops through one website. A patent for audiovisual text messages
was also sold for £440,000.
Airline passenger information collected by US authorities must
not be used for general law enforcement activities and must be
deleted after three-and-a-half years, the House of Lords has
said.
In a just-published report on the information airlines pass to
US authorities, known as passenger name records (PNR), the Lords
said that a "better balance" needs to be struck between privacy and
security.
But though it was critical of some elements of PNR deals in the
past, the Lords' European Union Committee said that the exchange of
PNR data is a necessary element of counter-terrorism policy.
The Lords said that data collected must be tightly controlled,
and used properly, which means only using it for the purposes for
which it was collected in the first place.
That was this week's OUT-LAW News.
Email may be an astonishingly quick, easy, efficient way to stay
in touch and do business, but for many it has become something of a
liability. Spam distracts your attention and clogs up the network.
Phishing attacks, more dangerously, try to fool you into thinking
fake emails are actually from your bank or somewhere like eBay so
they can take your account details and rob you blind.
The battle against the virtual hooligans behind these messages
has been long and hard-fought. Software filters, reporting tools
and blacklists operated by internet service providers have all
played their part, but spam and phishing continue to pollute email
and scam innocent users. Basic communication and online banking and
shopping are harder and harder with every passing fraudulent
byte.
Well, a new fix is in town, courtesy of some of the biggest
names in email. Yahoo, Cisco, Sendmail, Strongmail and others have
put their differences aside to collaborate on a system which they
hope will beat the bandits.
It's called DomainKeys Identified Mail, or DKIM. Dennis Dayman
is director of deliverability at email infrastructure firm
Strongmail systems.
Dayman: DKIM, in the technical sense, is the
email authentication framework that basically is addressing forgery
issues and the way that we do that is using DKIM which is
cryptography to verify who sent the message. Now, again, it’s a
very technical explanation. One of my good friends actually gave a
great analogy not too long ago where he said that authentication is
like a licence plate on a car. The licence plates on a car do not
actually affect the way the car drives or really tell you or really
give you a sense that that person is a good driver or not, but they
create an accountability that affects the behaviour of that person.
So if a red Ford truck did something wrong then the police would
stop all red trucks and examine to see exactly who they were and
then obviously affect everybody at the same time. But, if you were
not a red Ford truck and you had a licence plate and they knew
exactly who they were looking for then they could easily just pick
out that one red truck and so again in actuality what DKIM does is
that it allows us to first identify the source of an email. Did
this person send that email and if they did then we go to a second
process which is not really tied in to DKIM but DKIM helps support
this, and that’s looking at the reputation of that sender. Are they
a good sender? Are they spammers? Do they have a lot of
complaints?
The technology works using digital signatures that prove that an
email came from where it says it did. Primarily an anti-phishing,
rather than anti-spam, tool, it allows a web domain owner to sign
outgoing mail. The receiving system checks that mail's digital
signature with the domain's one to make sure they match.
By comparing these two signatures, the system makes sure that a
mail coming from, for example, bankofireland.com does actually come
from that address.
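The sign-and-check flow just described, as an added example that is not part of the original programme or of any of the companies' own code: the domain owner publishes an RSA public key where a DKIM verifier would look for it (an in-memory map stands in for DNS here), signs the outgoing message, and the receiver fetches that key and checks the signature. The domain example.com and selector sel1 are constructed values, and real DKIM's header and body canonicalisation is left out.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"strings"
)

// dnsTXT stands in for DNS: a signing domain publishes its public key in a
// TXT record named <selector>._domainkey.<domain>. Constructed in memory here.
var dnsTXT = map[string]string{}

// publishKey is the domain owner's step: put the public key where receivers look.
func publishKey(domain, selector string, pub *rsa.PublicKey) {
	der, _ := x509.MarshalPKIXPublicKey(pub)
	dnsTXT[selector+"._domainkey."+domain] =
		"v=DKIM1; k=rsa; p=" + base64.StdEncoding.EncodeToString(der)
}

// signMessage is the sender's step: hash the message and sign with the private
// key. Simplification: real DKIM canonicalises headers and body before hashing.
func signMessage(priv *rsa.PrivateKey, msg []byte) string {
	h := sha256.Sum256(msg)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	if err != nil {
		panic(err)
	}
	return base64.StdEncoding.EncodeToString(sig)
}

// verifyMessage is the receiver's step: fetch the key the signing domain
// published and check the signature against the message as received.
// A missing record, a malformed key or a single altered byte all fail.
func verifyMessage(domain, selector, sigB64 string, msg []byte) bool {
	rec := dnsTXT[selector+"._domainkey."+domain] // "" when nothing is published
	_, pubB64, found := strings.Cut(rec, "p=")
	der, err1 := base64.StdEncoding.DecodeString(pubB64)
	sig, err2 := base64.StdEncoding.DecodeString(sigB64)
	key, err3 := x509.ParsePKIXPublicKey(der)
	pub, isRSA := key.(*rsa.PublicKey)
	if !found || err1 != nil || err2 != nil || err3 != nil || !isRSA {
		return false
	}
	h := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) == nil
}
```

A receiver that gets false here cannot tell forgery from a mail that was never signed, which is why the text describes the reputation check as a separate second step.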
Email pioneer Eric Allman is founder of another email company,
Sendmail.
Allman: The intent is primarily initially to
deal with phishing so if I get something from a big bank and I can
prove it really is from that big bank, it will mean something very
different to me than something I cannot prove was from a big bank
and was probably a forgery.
Jim Fenton is an engineer with routing giant Cisco, one of the
main movers behind the technology. He explained that the system
puts much of the onus to identify and authenticate emails and users
on the internet service provider.
Fenton: The philosophy behind DKIM is that the
email address really belongs to your ISP for example, and if
perhaps somebody got kicked off the service because of abuse or
something like that, we want that ISP to be able to control the
ability to apply these signatures. In other words the ISP is who
needs to take responsibility for the addresses in their domain
because they are the people that determine who is a valid user.
There is a problem, though. In order to work at all, this
technology needs to be used at both ends of an email transaction.
That means your employer or your ISP or your mail provider needs to
have signed up. Traditionally, technologies that can only work at
all once they have mass adoption have fared pretty poorly.
The system's proponents concede this, but say that they have
already made serious progress. On the consumer side, Yahoo is using
an early version of the technology while Gmail already uses DKIM.
Allman said that large financial institutions, who arguably stand
to gain most from it, are on the brink of adoption.
Allman: Sendmail Inc has been working with a
bunch of large financial institutions, many of whom are customers
to help them get DKIM deployed for signing their outgoing mail
since they tend to be big phishing targets, they are very very
interested in us. I don’t know of any that have actually put it
into production yet but there are many that are experimenting with
it and should have it out probably within a couple of months.
One huge boost to the technology is that it has just been
approved by the Internet Engineering Task Force, the all-powerful
body of engineers which can adopt some technologies as standards,
creating a framework for the inter-operability that makes the
internet work.
So does the system combat spam? The answer is that it could, but
only as a side effect. If the technology takes off, email systems
will be suspicious of any unsigned emails, and can blacklist any
mails that are signed, but come from domains that typically send
out spam.
Sendmail's Allman explains that this technology may not be
designed for spam, but it could be a major weapon against it.
Allman: It’s incidental to spam so we may get
into a position where we force spammers to at least be traceable
back to where they came from. That makes it easier to take
action against them. But once again, it is an indirect effect
but I think it is a very real effect for spammers.
We turn to employment news, where all of England is aquiver at
the prospect of the smoking ban which comes into effect on the
first of July. But while drinkers fret about pubs, we have
discovered that perhaps it should be drivers who are worried. The
problem is that the UK's four nations all have slightly different
laws about smoking on the road, ranging from different kinds of
sign requirements to the question of which vehicles are actually
covered by the law.
Smoking ban rules are pretty simple for buildings, which tend to
stay put. But vehicles can move between the four countries, which
means all laws could apply.
In Scotland cars are mostly exempt, but not in the other
countries, where cars must be permanently smoke free if they
qualify for the ban. The laws were all introduced at different
times using slightly different language.
Sara Sawicki is an employment specialist at Pinsent Masons, the
law firm behind OUT-LAW, and says that there is a way for employers
to ensure that their vehicles always comply.
Sawicki: If, let’s say you have employees who
travel to England and Wales, Northern Ireland and Scotland, you may
decide to have a consistent approach and introduce the more
rigorous position as it applies in England, Wales and Northern
Ireland and apply it also to Scotland because there’s nothing that
stops you from introducing a policy which bans smoking in work
vehicles.
Unbelievably, some of the biggest differences are in the no
smoking signs that the law says you must display. Different
countries demand different sizes, while Scotland – lax on
eligibility – is strict on signage. Again, Sawicki has a
solution.
Sawicki: The signage that is included in the
vehicle should be the international no smoking sign, which should
be at least 75mm in diameter, which would meet the requirement in
Wales and Northern Ireland. There is no size requirement in
Scotland and the size requirement in England is 70mm in diameter
but going for the larger sign would probably be the most pragmatic
course of action but also to adopt the Scottish requirements as to
wording, which essentially requires there to be a sign about who a
complaint may be made to if, let’s say, another person is smoking
in the vehicle.
That's all we have time for this week, thanks for listening.
Why not get in touch with OUT-LAW radio? Do you know of a
technology law story? We'd love to hear from you on radio@OUT-LAW.com.
Make sure you tune in next week; for now, goodbye.
OUT-LAW Radio was produced and presented by
Matthew Magee for international law firm
Pinsent Masons.