No phishing or zipping or whatever, just “social engineering” which is a nice way of saying “taking advantage of people who aren’t security conscious” or, well, just plain stupid.

So software can make a good stab at minimising this problem Brian.

Yes. Plenty of solutions out there that help - but at the end of the day it’s up to the user. As with most bad and “evil” things these days I think education is the key - educating people though is a challenge.

But, just to put your quote “the software which is stupid and not the user” into perspective - recently there was a *lovely* virus going around via email. The virus was an executable contained inside a password protected zip file - virus scanners can not scan inside password protected zip files as everything is encrypted. The user however could read the password from the email, open the zip file, and run the exe. Was the software stupid - most definitely not. Was the user - well I suppose that depends on your point of view.

It’s almost impossible to write software to protect people when people still insist on doing silly things like above - once again, educating users is the key, but in the case above, whose responsibility is it to education the user? The company providing the email service to the user? The producer of their email client? The anti-virus company? The producer of the operating system? … the government?

It’s the same with phishing and anti-phishing software - it can help, but no one should rely on it 100%. If a person does, sooner or later they will be stung.

If you can’t make the software smarter, come up with ways to use it smarter.

@Brian

If you think that it is easy or possible for software to be this intelligent at the moment Tom then why can’t we please see your solution.

I am not a developer so I don’t personally have any solution to this - however, there are a series of toolbars listed on the Anti-Phishing.org website which do a good job - also, there is IE7’s anti-phishing capabilities to look forward to.

So software can make a good stab at minimising this problem Brian.

And what would you suggest be done? Software is dumb. It always has been and will most definitely be for the foreseeable future. All a computer or piece of software can do is it what it has been programmed to do and it’s is extremely difficult to program an intelligent piece of software - hence we don’t have true AI.

Sure, there are some excellent pieces of software that use advanced heuristics to find patterns and/or identify and classify items it has never come across before but saying that software is stupid because it allows a user to click on a phising like is fairly stupid.

How is the software to know that it is a phishing link? Sure, heuristics - great - but heuristics are also known “best-guess” solutions - by definition they are not definitive. It IS the user who is stupid - maybe the person was just duped into the click the link, or maybe the person is not aware of these scams, or maybe the phishing is so good that even someone working for the “real” company can be fooled by it but it is still the person that is stupid (read as “unaware” or “lazy” or “just plain stupid”).

However, Microsoft and other companies are tackling the problem straight on - the anti-phising features in IE 7 for example are fairly good, but once again they rely on a group or people (Microsoft employees in this case) actually checking reported sites to verify that they are, or are not, phishing sites.

If you think that it is easy or possible for software to be this intelligent at the moment Tom then why can’t we please see your solution.

P.S. Love the blog. Keep up the good work - but I had to pull you up on this one. YOU ARE WRONG

You are right, some of those phishing expeditions are very convincing and not everyone has an MSc in security and cryptography. How is a relatively new user supposed to know that banks or ebay or amazon do not ask for your password. I mean, I don’t know the first thing about microbiology, but that doesn’t make me stupid.

I have to agree that when a computer is infected either by malware or a rootkit, the first course of action should be to disconnect from any network and then reformat the hard drive before re-installing. That holds for all operating systems including windows, linux and mac osx. You just never know how clean your machine is after you attempt to remove the malicious executables. In fact, in many cases it is irresponsible not to reformat because attacks could continue to be launched from your PC or server without a full reformat.