Posts Tagged ‘internet users’

Openid sites web in phishing

October 1, 2008

Regular Internet users know how difficult it can be to manage all of
the different user names and passwords required by the many Web sites
they frequently visit. Wouldn’t it be better if there were a simple
and secure way to log on to all Web content?

See the complete Inc. have attacked the “single sign-on” problem with
a variety of solutions, none of which has been widely adopted. Windows
Live ID, for example, only works with Microsoft-owned and -affiliated
sites. Critics say that another attempt, Security Assertion Markup
Language, produced by an alliance led by Sun, is too complex and
cumbersome for the average Web site.

Some users are promoting what they say is a simpler solution, created
by a blogging-software developer in San Francisco, that has been
adopted by thousands of Web sites. OpenID, as it’s called, is
attracting serious attention from Microsoft, AOL, Inc., each of which
says it is looking at ways to use the software across its own
extensive Internet properties. Microsoft recently adopted OpenID for
use with its HealthVault Web site, an online service that allows
consumers to store, manage and selectively share medical data.

OpenID is open-source, or nonproprietary, meaning others can adapt it
to their own needs. It was created in 2005 by the blogging-software
company Six Apart Ltd. for users of its , a blogging and social-
networking site that is now owned by the Russia-based Internet company
SUP. The software continues to be used mainly by blogs that require
user IDs and passwords, and by social networks. But proponents predict
it will become an important building block in an industrywide effort
to make it easier to surf the Web without so many passwords.

Such a goal can help online businesses as well. Web-site operators
spend millions each year helping users recover forgotten passwords,
according to Cambridge, Mass.-based Forrester Research Inc. Companies
also lose business whenever a customer fails to negotiate the log-in
process.

“OpenID provides a way of transcending the walled-garden model and
moving freely between different sites,” says Joseph Smarr, chief
platform architect of the social-networking site . Plaxo Inc.,
Mountain View, Calif., is an early adopter of the standard. “This
results in increased traffic, which is not only good for our business,
but everyone else’s too.”

Some critics have raised privacy and security concerns about OpenID,
saying the technology makes it easy for issuers of the IDs to track
users’ activities on the Web. Others cite concerns about vulnerability
to phishing, a form of Web fraud. But more than 22,000 Web sites
already accept OpenID, according to the OpenID Foundation, an
industry-supported nonprofit. Bill Washburn, executive director of the
Portland, Ore., foundation, says he expects that number to reach
50,000 before the end of the year.

Despite its promise, however, OpenID remains a far-from-universal
passport. For example, there are multiple issuers and versions of
OpenID, and each site that uses OpenID decides which version or issuer
it will accept. Major issuers include , a Web site run by JanRain
Inc., an open-source developer and designer of OpenID software based
in Portland, Ore. Yahoo and AOL also issue OpenIDs for use on both
affiliated and nonaffiliated sites, but currently neither company
accepts it on their main Web sites. A spokesperson for JanRain
acknowledges that different versions currently result in inconsistent
user experiences. But the company says that as more sites adopt OpenID
2.0, a new, more secure version, inconsistencies in user experiences
will disappear.

The format of the IDs looks slightly different for each site that
issues them. But they all work on the same principles. Those who go to
MyOpenID.com choose a user name and password and provide an email
address. They will then be assigned a Web-site address that serves as
their OpenID. Afterward, when the users visit selected sites, they
type their OpenID into the dialog box next to the OpenID icon. Their
browser is then redirected to MyOpenID.com, where they type in their
OpenID password.

In this way users can gain access to any OpenID-enabled Web site.
However, they are always bounced back to their OpenID provider to
authenticate their identity. So OpenID doesn’t eliminate the need to
log in altogether, but it enables users to use the same credentials to
sign into different Web sites.

Figuring out which sites accept which version of OpenID is mostly done
by trial and error, although it’s fairly common for sites to trust
MyOpenID as an identity provider. Some sites have an OpenID selector
or a pop-up menu with a list of the OpenID providers they accept.

Registered Yahoo users can get OpenIDs from . Yahoo.com itself still
requires members to sign in with a unique and Yahoo-specific user name
and password and doesn’t accept OpenIDs from other providers. “We’re
still in the evaluation and development phase,” says Raj Mata, senior
director in Yahoo’s membership platforms division. “As the technology
matures and consumers become more comfortable with OpenID, we’ll
explore how best to incorporate it into our properties and across the
Yahoo Network.”

Time Warner Inc.’s AOL incorporates users’ AOL or instant-messaging
screen names into the OpenIDs that it issues. While AOL itself doesn’t
accept sign-ins using its OpenID, it will work on such AOL sites as .
The company says it is working on adopting technology that will allow
it to roll out OpenID across its larger sites, including AOL itself.

Representatives of AOL and Yahoo, meanwhile, say it is likely at some
point in the future that each company will accept OpenIDs issued by
the other.

Privacy advocates have criticized OpenIDs because the companies that
issue them theoretically can track all of the Web sites that users
visit, giving the issuer a much more coherent view of a person’s
online activity than was previously possible. OpenID issuers could
then offer marketers targeted advertising opportunities for which they
can charge premium prices, says Pam Dixon, executive director of the
World Privacy Forum, a nonprofit based in Cardiff by the Sea, Calif.

Some security experts and privacy advocates also warn that OpenID
users are at heightened risk from phishing attacks. This is when a
fake Web site masquerades as a real one to capture user names,
passwords and other sensitive information such as credit card details.
Obtaining someone’s OpenID could provide a master key to many of the
Web sites the OpenID user frequents, along with personal data the user
has divulged on those sites.

The OpenID Foundation’s Mr. Washburn concedes phishing is a valid
concern, but says this criticism can be directed at most of the Web,
where users and sites interact with relatively little security.
Moreover, he says, OpenID in its current form isn’t meant to become
the dominant protocol for single sign-ins. As an open-source
technology, he says, it is simply a platform for others to build on.

Several OpenID providers are looking for ways to bolster the
software’s security features and so make it better protected for
commercial transactions. Recently AOL partnered with VeriSign Inc. to
bring AOL users a strong authentication option, whereby they can use
their AOL-issued OpenIDs in combination with security tokens issued by
VeriSign, a Mountain View, Calif., provider of third-party-
authentication solutions.

Microsoft, meanwhile, is using OpenID to authenticate users of its
HealthVault medical-records site. The site accepts authentication from
two OpenID providers: VeriSign and TrustBearer Labs, a privately held
provider of authentication devices such as smart cards, based in Fort
Wayne, Ind.

A Microsoft spokesperson says the software giant is also looking at
incorporating OpenID into some of its other products, but that
compatibility issues remain. The spokesperson says vulnerability to
phishing is a concern, and that Microsoft is working with a number of
companies on a possible fix.

Meanwhile, Mr. Washburn sees increasing opportunities in a wide-open
playing field. “It is not a competition where one technology will
emerge as the clear victor, such as was the case with Blu-ray vs. HD-
DVD,” he says. In the end, he says, “there will be no one solution,
but instead a well-articulated array of flourishing identity services
catering for the massive spectrum of needs out there.”

—Ms. Mills is a reporter for Dow Jones Newswires in London.
Write to Elaine Mills at .

The phishing google site it’s

October 1, 2008

While phishing is a problem, giving one company the power to block any
site that it wishes at the browser level never seemed like a good idea

Actually, giving a single company this kind of authority is usually
not a bad idea. Spamhaus and email, for example.

The issue is about trust. Even with this goofup, I trust google (
although their response to this could change that ). Hell, I trust MS
here too, to a limited extent.

Yeah. While I reflexively rankle at the idea of blocking a whole
swathe of domains like that, it’s unfortunately clear that services
like dyndns and mine.nu are going to be overrun with phishers and
scammers because they’re just as convenient to them as they are to
non-malicious Internet users.

We need to educate users to check the URL before entering anything.
Any time you rely on a technological solution to a social problem you
end up with woes.

It’s just not going to happen. We like to think that “everyone” is
capable of understanding what is going on when they browse the web,
but that’s wishful thinking.

It will be a LONG time until you can ever hope that the general public
is as smart as the malicious few out there. Until then technology
solutions will continue to be needed, desired and our best bet in
combating this. Hell, they always will.

I don’t know anything about the FWT site; it may be fine. However, do
remember that just because a site is trustworthy over time doesn’t
mean it is trustworthy today, on this visit. I just had that driven
home for me the other day. In my off time, I am a youth soccer coach.
The website for our league has been fine for several years. Last week
I visited it and got the malware warning from Firefox. I checked with
the webmaster and sure enough, they had gotten hit with a SQL
injection attack and had indeed gotten malware of some sort hosted on
the site. So, FWT may be a false positive – but it is at least possible
that they also got successfully attacked. We really don’t have a good
system to evaluate trust on the fly due to the dynamic nature of
internet content. A page that was fine 20 minutes ago may attack you
now.

Granted, I can see there are opportunities for abuse here, but if the
owners of dynamic dns domains don’t properly police their “customers”
and spammers and/or other malicious websites start using it, then
Google has every right to blacklist the entire domain. Of course, it’s
arguable exactly how much can be done to prevent it, but if you’re
really concerned about not getting your site blocked, go ahead and
blow the $7 a year on your own domain, or use a smaller ddns service
that can actually pay attention to the nature of the hosts it’s
serving.

As far as having any one third party responsible for maintaining a
blacklist, exactly how else do you intend to do it? You can always
create your own blacklist, but that would first require you to “enjoy”
the sites you would prefer get blocked automatically. You’ll just have
to trust someone to make that reasonable decision for you. Sure, there
will be some mistakes, but that’s the price you pay for protection.

Granted, I can see there are opportunities for abuse here, but if the
owners of dynamic dns domains don’t properly police their “customers”
and spammers and/or other malicious websites start using it, then
Google has every right to blacklist the entire domain.

Countries have been banned from sites, email, IRC channels and so on
with this argument. Just so you know, some ISPs have de facto
monopolies in their countries, and everyone there gets the same domain.
Any idiot that says ‘let’s ban *.il, or *.es, because I got 10 spam
messages from there’ should be fired on the spot. In fact, if he works
at google whoever hired him should be fired, too.

I don’t get why you are getting annoyed that I (and probably many
others) do things like this?

In my mind giving this power to Google is the most objectionable thing
related to the company. I know somebody who has had his legitimate
business ruined because Google mistakenly added his site to this list.
Why? Because it was hosted on the same physical server as a truly
objectionable web site.

People need to stop childishly sneering at Windows users and take
their focus away from Microsoft. The terrible Goliath is clearly
Google now. Even when it’s not being evil it causes trouble just by
being *clumsy*.

The terrible Goliath is clearly Google now. Even when it’s not being
evil it causes trouble just by being *clumsy*.

No, Google doesn’t filter by IP address. But because the site was
hosted on the same server as a bad site it added a URL block for the
innocent too. Do you see?

Secondly, the issue isn’t about me using Firefox/Google. It’s about
customers who did and were told that the site they had browsed to was
malicious. The business lost a valuable customer this way and folded.

No, Google doesn’t filter by IP address. But because the site was
hosted on the same server as a bad site it added a URL block for the
innocent too. Do you see?

Doesn’t sound like a very professional business if it was using the
same domain that the bad site was on. Considering one can get a .com
for 6USD a year, there really is no excuse.

It’s about customers who did and were told that the site they had
browsed to was malicious. The business lost a valuable customer this
way and folded.

This company obviously wasn’t doing very well to begin with, or did
things properly to begin with either – This is not surprising.

You are not going to convince me that they couldn’t have done anything
to change the outcome, even when they became aware of the situation.

What I do find interesting is the fact you claim Google did this, when
the anti-phishing filter in the most popular browser, IE, is run by
Microsoft. The most popular search engine is Yahoo! – which does not
use any phishing data from Google.

I would assume the original AC is lying because Google’s practices on
filtering bad sites were disclosed long ago on [stopbadware.org]

This is the first time we’ve heard about Google (or any others) making
a bad block. As long as Google fixes this expediently, I’d say that
it’s an acceptable margin of error and the amount of phishing sites
blocked is by far worth it. Now, if wikileaks suddenly gets blocked
for ‘phishing’, something is definitely awry.

Any maintained blacklist of any reasonable size is going to end up
with false positives. It’s one of those things you just have to
accept. People notice and report it, the entry gets removed, and we
move on.

Putting anti-phishing filters into browsers just shifts the
responsibility of good security practices from the user to some
blacklisting company. What incentive is there to be wary about
suspicious sites if you can count on the almighty Google to hold your
hand while you browse the Web? This makes about as much sense as
someone installing parental controls in their machine and declaring
that their Internet connection is now “kid-friendly.”

I’ve never had these filters turned on, and I’ve never exposed my
financial data to others by accident. Usually this has something to do
with me hovering the mouse over links and checking the URL in the
status bar.

If you’re serious about blocking phishing sites, you have to accept
some collateral damage. Blocking by URL stopped working last year;
most attacks have unique URLs now. Many have unique subdomains. So you
have to block at the second-level domain level to be effective.

We publish a [ebay.com] Click on that URL. It says “ebay.com”, right?
It looks like eBay, right? It’s not.

On the other hand, “tinyurl.com”, which used to be popular with
phishers, has been able to get off the blacklist by cracking down on
misuse of their service. It’s possible to do redirection competently.

When we started our list last year, it had about 175 exploited
domains. After some serious nagging and an article in The Register,
we’re down to 46. And only 11 have been on the list for more than
three months; the others come and go as exploits are reported and
holes plugged. So this is a problem that can be solved.

I’m glad to see Google taking a hard line on this. It’s necessary that
sites that do redirection feel the pain when they accept redirects to
hostile sites. Google can apply much more pain than we can. Few sites
will want to be on Google’s blacklist for long.

This is something that strikes me as the first time Firefox really
pushed something out by default that shouldn’t be. Just for one
example, people who are on LTSP networks, say, 200 users, will ALL
download anti-phishing, anti-malware blacklists from Google, each in
their own home directory. There’s no way that I know of, anyway, to
share this data – SQLite seems to make it impossible. That’s the first
mistake in creating a compatible, light web browser.

The second mistake is enabling website blocking based on 3rd party
blacklists by default. This is basically Microsoft UI thinking – “You
*need* this because you don’t know any better.” Screw that. I mean,
make it a checkbox on setup – “Use Google-provided anti-malware
blacklists” Simple as that. I spent weeks trying to find out why,
after just a few Firefox instances were launched on an LTSP server,
none more would load – part of this was because every user logging in
was trying to download the anti-malware stuff from Google, saturating
the line, and preventing Firefox from loading for the first time.

I hope the Firefox devs will take all scenarios into account when
making changes. It seems lame that every user needs all of the stuff
in places.sqlite. And even if you argue with that, at the LEAST make
it cross-DB compatible, so you can put everyone’s in a nice big
central MySQL database.

The corollary of this is, of course, that you should still be wary of
single points of failure, even if you do not believe they will fail
you on purpose.

Shit happens. Yes, it sucks, but it happens. Now, should we try to
blow up the googleplex? No. Google are not blocking based on a secret
agenda here, and you can bypass it or turn off the feature. OK, it’d
be nice if you could choose who provides the service, but overall,
it’s not that big a deal.

Of the 4329 pages we tested on the site over the past 90 days, 0
page(s) resulted in malicious software being downloaded and installed
without user consent. The last time Google visited this site was on
09/21/2008, and suspicious content was never found on this site within
the past 90 days.

Malicious software includes 7523 scripting exploit(s), 2911 trojan(s).
Successful infection resulted in an average of 0 new processes on the
target machine.

Over the past 90 days, mine.nu/ appeared to function as an
intermediary for the infection of 183 site(s) including
culportal.info, mipt.ru, baikal-discovery.ru.

Yes, this site has hosted malicious software over the past 90 days. It
infected 932 domain(s), including bernard-becker.com, mipt.ru,
dhammasara.com.

In some cases, third parties can add malicious code to legitimate
sites, which would cause us to show the warning message.

* Return to the previous page.
* If you are the owner of this web site, you can request a review of
  your site using Google Webmaster Tools. More information about the
  review process is available in Google’s Webmaster Help Center.

Presumably if Google thinks some subdomains are malicious, they
actually know which ones are in fact malicious? Owing to the fact that
they found them in the first place? I’m wondering if the reason they
just blocked the entire domain was because some attackers are just
registering lots of subdomains as a fast-flux method.

Um, no. The list is supplied by Google. When Firefox blocks a site,
press the ‘Why was this site blocked?’ button to see Google’s warning
about it ( [google.com] in this case).

The phishing de wall-street un

October 1, 2008

Business newswire Wall-Street.ro, edited by online publisher
InternetCorp, was the target of a phishing attack. Many internet users
received an e-mail with the message “Congratulations! You won an
iPhone!”. Wall-Street informs its readers that the messages were
not sent by the company and that it is taking measures to stop the
fraudulent process.

Al davis oakland raiders’s research users up

October 1, 2008

Cheques or money orders can be mailed with your request to: Sun Media
Research Centre 333 King Street East Toronto, Ontario M5A 3X5 Canada
Other research services available are:

$75.00 (plus GST) for up to ten articles on any one topic. This is a
research, information service offered to professionals, students,
businesses, internet users.

The al davis just win baby research sun story

October 1, 2008

THIS SELF-PROMOTER IS OUCHO STINKO The story you are searching for
is available in its entirety via email, fax or mail for $12.00 (plus
GST), payable with credit card (include expiry date). Just call the
Sun Media News Research Centre at 416-947-2258 or toll free at
1-877-624-1463 with information about the story and supply the
following:

This site is updated by 4:00 a.m. MST each day and includes stories
and columns from the day’s print edition of The Edmonton Sun.

Religulous release’s research toronto sun

October 1, 2008

Ian Gillespie! Read the latest from our City columnist, who profiles
the most interesting people in London

If campaigns are fought one skirmish at a time, consider the Toronto
International Film Festival ground zero for next year’s Oscar race.
The story you are searching for is available in its entirety via
email, fax or mail for $10.00 (plus GST), payable with credit card
(include expiry date). Just call the Sun Media News Research Centre
at 416-947-2258 or toll free at 1-877-624-1463 with information about
the story and supply the following:

Certified cheques and money orders can be mailed with your request to:
Sun Media Research Centre 333 King Street East Toronto, Ontario M5A
3X5 Canada Other research services available are:

LANGLEY, B.C. – A man is dead after he crashed through a second-storey
window, naked and bleeding from a chest wound, and was hit with an
RCMP Taser.

Sun research media in religulous movie

October 1, 2008

Sun Media writers interviewed dozens of celebrities at the Toronto
International Film Festival, which concluded yesterday. Here are some
of the more engaging quotes from those interviews: The story you are
searching for is available in its entirety via email, fax or mail for
$12.00 (plus GST), payable with credit card (include expiry date).
Just call the Sun Media News Research Centre at 416-947-2258 or toll
free at 1-877-624-1463 with information about the story and supply the
following:

Research thanks sun in pimples

September 30, 2008

Many people would jump at the chance of getting back years. But when I
ask, “Would you want to revisit those acne years when you were the
butt of jokes from classmates?” many say, “Thanks, but no thanks.”
The story you are searching for is available in its entirety via
email, fax or mail for $10.00 (plus GST), payable with credit card
(include expiry date). Just call the Sun Media News Research Centre
at 416-947-2258 or toll free at 1-877-624-1463 with information about
the story and supply the following:

Thousands of Canadians hoping to put annoying telemarketers on
permanent hold jammed a government website Tuesday, trying to register
their numbers for the national Do-Not-Call List.