The formula here attempts to explain a paradox in security analysis:

If it is true that security is only as strong as its weakest link, why are not those who use insecure passwords, skip installing security patches, avoid updating or using antivirus software, and in general act insecure - not hacked and exploited continuously?

Because they do not!

A thought-provoking attempt to explain this puzzle, is presented in by Dinei Florêncio and Cormac Herley from Microsoft Research in the paper "Where Do All The Attacks Go?". The formula above is from this paper.

The paper attempts to demonstrate why the weakest-link model cannot be used for the most common type of Internet attacks.

One crucial point that the study makes is to point out the difference between targeted attacks and mass attacks. The former is focused on a known (potential) victim or victims, while the latter type of attack knows nothing about its (potential) victims. A targeted attacker may know her target and may thus exploit the weakest link. However, since the number of potential victims (all Internet users - around two billion) far outnumbers potential attackers the average Internet user's weakest link is unknown to attackers. And most importantly, it may not even be feasible for the attacker to look for.

The study shows - reasonably - that an attacker will try to maximize her potential revenue when she plans a mass attack. This means that the attack method any attacker chooses may not correspond to an individual user's weakest link. If there is another (even less severe) weakness in a sufficiently large part of the target population, it may be rational for the attacker to select that attack, as the expected revenue is larger, while the attacker's cost may be more or less the same.

From this another interesting observation can be made: Other persons' security behavior influence the security of an individual's security. Let us assume that lots of people have very weak passwords; which makes an attack exploiting weak passwords among that target group feasible seen from the attacker's point of view. However, if all people except one strengthen their passwords, the attack may no longer be the type of attack with the greatest expected economic gain, and the attacker will choose another type of attack. The one person who did not change his password benefits from others' secure behavior - he gets a free ride, as the other users' behavior protects the whole group.

The study makes two other points that further weaken the argument for using the weakest-link model for mass attacks where the potential victims and the attacker are unknown to each other:

• The potential victim may be protected by "exogenous events" (e.g. security competent third parties).
  Typically is a bank, which stops fraudulent attempt to transfer money from a compromised user.
• Several attackers may target the same victim.
  Each attacker's average revenue is thereby smaller, as it seems fair to assume that the total potential for exploiting a victim is a rather constant value.

Reading the study is highly recommended for an in-depth analysis of rational behavior for the attacker and for the end user. If both act rationally, they will maximize their expected gain/loss relative to the effort (cost) invested.

Amitay has analyzed more than 200 000 passcodes used in an app with a similar passcode setup screen to iPhone. His findings are astonishing and scary.

Let me go through some of his findings. Keep in mind that there are 10 000 different passcodes that users have to choose from when they select their four digits code.

The 10 most commonly used codes are

1. 1234
2. 0000
3. 2580
4. 1111
5. 5555
6. 5683
7. 0852
8. 2222
9. 1212
10. 1998

If you look at a numeric keypad, all of these seem like "logical" codes to choose if one was interested in a code that was easy to remember and type. The only exception is No 6 (5683) until you spot that this equals the numerical representation of the word LOVE.

The surprising issue is the frequency that these codes were used. Amitay's study shows that these 10 codes represent an astonishing 15% of all codes used. Statistically they should have been one tenth of a percent! This means that if you try these ten codes to unlock a mobile phone, you will succeed in approximately one in seven times.

I went a step further and checked the top 5 codes. In a perfectly random world, these should represent 0.05%. In the study, however, they represent more than 10%. I.e. by testing these top five passcodes on a locked phone, you will succeed one in ten times.

Amitay also looked at other types of code distribution. His findings indicate that people tend to use passcodes that represent important events in a person's life, like year of birth. Any code starting with the numbers 193* - 201* has a much higher probability for being used than what should be expected providing a statistically random code representation.

One may persume that the average person is less careful in selecting a passcode for his/her telephone than for the card used for money withdrawals from bank automats (ATMs). However, it seems naïve to presuppose that at least similar code selection mechanism applies.

The caveat of this is: Don't use passcodes that are too obvious to protect any of your systems. A person with bad intent may be able to access your valuables only by performing some educated, qualified guessing. Taking a few minutes memorizing a "random" code may be a good investment in time.

The blog's author - Joshua Long - uses the web browser Opera to illustrate his point. While Opera software recently published version 11.11 of Opera, the version available from Mac App Store is version 11.9. The JoshMeister blog points out - correctly - that this may jeopardize those who purchase Opera from App Store, as they will not get the latest version, which often has incorporated new security updates.

From the blog:

Users who rely on the App Store to tell them whether their software is up-to-date may not be aware of the security risks and may continue to use an unsafe version of the Opera browser.

The reason for this delay seems to be that Apple needs time to perform its approval procedures before any product is placed on its Mac App Store.

However, this issue is not restricted to Mac App Store. The point the blog makes is just an example of a more general problem, which includes software for all popular operating systems: 

This may be the case for downloads from

• resellers' web pages,
• software webshops,
• popular download sites,
• result pages from web searches,

and perhaps the one source that you can be almost certain that is outdated:

• program installers available from CDs/DVDs.

The reasons for why the software is outdated may be perfectly legitimate, and in some instances a sound part of the provider's quality control regime. Nevertheless, it will often be some delay between when the vendor makes the latest installer available as an Internet download and when this is populated among other entities that distribute the software installer.

Using older versions of software is a dangerous activity. Most malicious software exploits vulnerabilities that are known and usually patched by the vendor. If you are running a previous generation of popular application, there is a high probability that this has vulnerabilities known to cybercriminals and exploits exist. Exploits may even be available for purchase from the many commercial malware kits; see e.g. this security article from Norman.

In order to avoid running outdated and vulnerable software, you should follow some easy procedures:

1. Check if there is a "check for new version" option in the application.
   If yes, run this immediately after installation. 
2. If the application has any kind of "check for updates by regular intervals" option, you should turn this on.
3. If there is no update option available from within the application, you should visit the software vendor's web site to check if you are using the latest version.
   If there is a newer version available, you will most likely have a safer Internet presence if you update to the later version (by following the vendor's updating instructions). 

Google Music is a new offering from Google, released as a beta service a few days ago. It is currently only available in the United States.

Google Music is a service, which in the beta phase allows users to upload as much as 22 000 songs free of charge. Whether the service will be free after release remains to be seen. You will be able to access your uploaded songs from different devices (computer, smartphone, etc.), a feature which is particularly useful if you want to listen to your music from several locations.

Currently Google Music beta is only available by invitation from Google.

And this invitation-only restriction is what the scammers abuse, as reported by Mashable earlier this week. They send fake invitations to participate in the Google Music program.

These types of invitations may of course have links to web pages that may seem similar to the real Google Music site, and will presumably be used either to harvest your personal information and/or to infect your computer with malicious software (e.g. fake antimalware).

You should not click on any links in any form of invitation to participate in using Google Music. This includes invitations that your friends may forward by email, tweet, post on Facebook etc. 

Mashable writes in the abovementioned warning:

Any person or website claiming to be “giving away” Google Music invites is lying, a fact we’ve just confirmed with Google representatives. Because of the way invites are handed out, they’re linked to specific Google Accounts. In other words, one person can’t request an invite and pass it on; the invite has to be requested and accepted by the same Google Account.

Be vigilant to avoid being a victim of a scam for something that isn't even publicly released as a service!

A news story from Associated Press reveals a horror story about a person with a new wireless router, which was not password protected.

Suddenly he found himself lying on the floor surrounded by assault weapons, accused of being a pedophile and a pornographer. The family's computers, iPads and iPhones were confiscated and it took days before investigators established that downloading illegal material was done by others using the unprotected wireless network.

It turned out that the police used the IP address or router id belonging to innocent owner of the router, to identify the owner (through information obtained from his Internet Service Provider). This then became the reason for the actions taken against the router's owner.

This story is just one in a series of similar incidents where innocent people are suspected for criminal activity because others used their unsecured wireless routers.

At least two lessons should be focused upon regarding this:

1. If you do not secure your wireless router with a password it may (read: will) be used by others.
   Illegal activity going through your router may be traced back to you.
2. Law and order representatives should not a priori assume that the stream of data that goes through an unsecured router belongs to the owner of the router.

It is tempting to suggest that "all problems" will be solved if everyone secure their wireless routers. Persons (most?) with illegal intent will then be unable to use the router for their activities.

An article from Electronic Frontier Foundation (EFF) 27 April this year, however, makes some interesting points, worth contemplating.

The author advocates the view that wireless networks as such are for the common good. When we are in e.g. public places like parks, airports, restaurants, it is useful to have access to an open wireless network. There may be lots of perfectly legitimate reasons for this; for example the need to find the nearest sports store (by use of your smartphone), checking if the email you waited for has arrived (using e.g. your laptop), checking the weather forecast before you buy tickets for the sightseeing trip by boat (using your smartphone again).

The EFF article points out that the root of the problem is not the open wireless network itself. The problem is that the communication through the network is open. This can be solved by introducing secure (encrypted) communication protocols as a standard method even in open wireless networks.

Interesting point of view!

Selected security articles from Norman about issues with wireless networks 

• Firesheep - an eye-opener or a tool for criminals (2010)
• Data harvesting by mistake (2010)
• Public wireless access points - the world at your fingertips or risky business (2007)
• Security in wireless networks (2005)

For some strange reason Easter in Norway is traditionally the high season for reading crime and thrillers. One reason may be the need to fill several consecutive days away from work (the public holiday lasts five days!) with some action.
This Easter I had targeted a book that turned out to deserve a blog item on Norman's security blog.

As far as I can remember, this will be the first book review to appear on Norman's web site.

Thriller writers are increasingly using hacking, cracking, malware and cyberspace as part of their intrigue. Unfortunately many thriller writers are a bit sloppy in their research, and the plot therefore tend to suffer from improbable events and little knowledge of what is really possible to accomplish for a clever software expert - hero or villain.

My chosen thriller this Easter comes from the opposite camp. The author of Zero Day is the well-esteemed software security expert Marc Russinovich. He has been an employee by Microsoft since 2006, is the author of Sysinternals Windows administration and diagnostic tools, and is a contributor to several technical books and articles. Zero Day is Russinovich's first fictional thriller.

The story begins with several seemingly unrelated serious computer malfunction incidents. These take place around the world and in completely different environments. A few security experts from the private and public sector get independently involved in the investigation, and they soon get a glimpse of something sinister that may be disastrous for the Western societies. Several links to the terrible 9/11 events appear, as the story proceeds.

Heroes of both genders become involved in a cat-and-mouse game around the world - fighting cybervillains, struggling against incompetent national security organizations, and fighting to enroll the vendors of antimalware software on their side.

The book's strength is its knowledge about malicious software, and the severe potential this represents in the hands of someone with sufficient resources and imagination. I must admit that I more than once during my reading reflected on Stuxnet and how this piece of malware - allegedly - was designed and deployed, as well as how its payload performed.

This credibility of the malware used in the story, combined with good action, ensures that Zero Day is a book hard to put down. Less impressive is the depth of the characters, which admittedly is hardly why one reads thrillers in the first place.

One may argue that Russinovich uses the book also as a political statement regarding modern societies' approach and ability to deal with malware and cyberterrorism. In my view, this is a strength rather than a weakness of his book.

I particularly liked the ending, which of course shall not be revealed here.

I read the book through almost without any breaks, which in itself is a good recommendation.

This is a matter that I must (shamefully) admit I did not reflect upon until I earlier this week read SecurityNewsDaily's post "Digital Afterlife: How to Safeguard Online Accounts After Death".

We may have thought through and prepared for distribution of our material belongings after our death by writing a last will and/or making other types of arrangements. I bet, however, that I'm not the only one who has not made any kind of regulation regarding my digital belongings.

All my different credentials and accounts used as a Norman employee will be taken care of according to procedures defined by the company.

The abovementioned posting points out accounts that may be compromised even after a person's death, and be used in a way that may be wounding for spouses, relatives and friends. The solution may be to arrange for a relative or friend to terminate personal accounts if sudden death happens. Several readers of this blog have personal web sites and/or blogs that may be useful for others, regardless of whether the author is alive or not. It may be wise to decide how to deal with such - this may include future payments to the Internet providers or other entities.

What about the private email accounts that I use for communication with friends. These are free email accounts (e.g. Gmail and Hotmail accounts) that will continue to exist even if I don't. What should be done with these - if anything - and by whom? I may have stored private images and documents in the many free Internet locations that are available. What should be done with these - by whom?

Some countries may have legislation in place that regulates the heirs' access rights to accounts that are set up in that country, regardless of any predefined procedures on your side. Accounts governed by another country's legislation, or the many offerings that are available "in the cloud", may be a different matter.

What will happen with the Facebook account, my Twitter account, and presence in other social networks?

Some providers of free email delete the account if there have been no actiivity during a certain period. This may also be the case for other Internet services, and you should take this into account when you decide what to do (if anything).

Another puzzle: I - and presumably many others - have several accounts, Internet presences - "cyberpersonas" - that are my private. Some of these are not known to anyone but me. What will happen to those? Do we even want that spouses, relatives or friends should know about these and their content?
In many cases, not without reservations, I'm sure!

Some of my cyberpersonas will most likely just stop being active if I should pass away. This of course will be sad (I hope) for these cybercharacters’ friends and acquaintances, but that will be the lesser evil...

The more I ponder these issues, the more problems that need to be addressed, come up. I'm pretty sure the same will happen to many of this blog posting's readers.

Fatal accidents usually happen without warning, and it's therefore wise to make the arrangements when one is able to. This also applies for our cyberlives.

Happy Easter - I hope I didn't ruin it by morbidity!

The malicious application tweeted two messages similar to the following to the infected users' followers:

directly followed by:

Those who clicked the link and allowed the application to connect to their Twitter account were infected.

The point I want to make in this posting is:

We have learned to be on guard against malware scams in communication vehicles like email and - to some extent - instant messaging systems like Windows Live Messenger. However, whenever we are presented with quite unsophisticated scams like these Twitter messages in a new channel, we fall for them.

The lesson to learn from this is that we must be better to distinguish between the medium and the message. It is the message that should be scrutinized, regardless of the medium that is used to present the message.

If you were one of those infected by this Twitter worm, you should revoke Profile Spy's access rights in your Twitter client (Settings -> Connections).

Today I received two similar e-mails from Marriott and Hilton warning me that their e-mail lists have been stolen from Epsilon. Nice that they warn me, isn’t it? Well… Let’s see how they are doing that…

The subject “An important message from Hilton HHonors“ is a typical one that could be from a phishing mail. But as a well respected customer, they will address me with my name. They always do when they send me the regular account updates.

But in the warning e-mail they address me as “Dear Customer,”???
Now this starts to be suspicious. It is almost like a Paypal phish. At every security conference there is at least one presentation showing cases where ignorant people fall into these phishing traps. And here we are, a regular warning looks like a phishing mail.

But the Marriott is not doing the same, right? They will make sure the warning e-mail is done right, don’t they?

Of course not… And this one is even worse… It contains a link to a FAQ to a “Marriott” domain, or so you think: “Marriott-email.com”.

After I checked the registrar data, it does belong to Marriott, no problem there, but to have a clickable link in a dubious e-mail and where the link contains tracking information???

You would think that given the data that was stolen, a warning for phishing attempts or an apology would be constructed carefully, and not having all the signs of a phishing mail itself.

In that blog I wrote

“Another curious effect we may see is people offering their IPv4 numbers for $ale on e.g. auction sides as eBay. Wherever ISP’s have not transferred to IPv6, this can be a booming business.”

Today the “Internet Governance Project” published that Nortel, a Canadian telecommunications manufacturer, sold its legacy IPv4 addresses for $7.5 million to Microsoft. Given that they had 666.624 IPv4 addresses, that sets the price at $11.25 per IPv4 address.

Since 2009 Nortel has been in financial trouble and need to pay of the creditors, someone realized that their block of IPv4 addresses has a value. Given the economic situation several large companies and financial institutions are, this may only be the beginning.

$11.25 per IPv4 address… Anyone putting up a higher bid?

If this because normal behavior to sell IPv4 blocks in case of financial problems, it seems likely this will become an interesting territory for cybercriminals trying to sell IPv4 ranges that are not theirs.

Caveat emptor (Buyers beware)!

Now what will Microsoft do with all those addresses… Maybe sink them to make sure IPv6 is implemented worldwide much faster? Use them for Cloud Services? Use them for...

To be followed (I’m sure)…
 

In its meeting in San Francisco, USA last week, the ICANN Board finally approved .XXX as a sTLD.

In line with the long and controversial process since .XXX was first introduced as a possible TLD, the disputations remained throughout the process. The Board's decision was made against the advice of ICANN's Governmental Advisory Committee (GAC). Even within the board the decision was not unanimous - according to ars technica, nine board members voted in favor of .XXX, three opposed and four abstained.

Interestingly, objections against the .XXX top level domain, have come from both representatives from the adult entertainment industry and from those skeptical to this industry. See the link below for summary and analysis of comments.

The .XXX top level domain will be managed by the company ICM Registry, According to a blog item from ICM Registry, there were 187 000 pre-registered .XXX domains in November 2010. As of this writing, the counter on that blog has reached almost 300 000 pre-reserved domains.

Most likely the rest of this year will give an indication about the popularity of this new top level domain. My guess is that many of the companies operating in the adult entertainment industry, will continue to keep the .com suffix, and perhaps register an additional .xxx suffix pointing to the same content.

Links to further information about the .XXX process:

• ICANN: 18 March 2011 Draft Rationale for Approving Registry Agreement with ICM’s for .XXX sTLD
• ICANN: Summary and Analysis of Comments for Revised Proposed Registry Agreement for .XXX sTLD and Due Diligence Documentation
• ICM Registry: About .XXX & Why We Need A .XXX Extension
• ICM Registry: Launch Process

Last month, a variant of SpyEye was successful in stealing credentials and modifying transactions using a Man in the Browser attack. Norman’s Snorre Fagerland made a detailed description of SpyEye, which you can find here…

Today we learned that in The Netherlands, the damage caused by internet banking fraud quintuples... I can hear many people say “The Netherlands, that tiny country the size of a post-stamp”. But the fact is that the broadband internet distribution in The Netherlands is extremely high almost all household have a broadband internet connection. And due to the economic crisis lots of people changed to online banking (banks started to charge more and more money for manual transactions, etc).

And where The Netherlands is still a very popular place for East European criminals that try to skim banking and credit cards, this year the last batch of cards will be equipped with a chip replacing the magnetic stripe. So all the more reasons for (cyber)criminals to move online banking fraud.

We already have seen cybercriminals active on social media chatting to innocent people and through complex and advanced social engineering, trying to obtain logon credentials and bank transaction numbers. At first they just sent a link for you to click, but with many people now using some kind of personal firewall combined with plugins that will advise if a site is safe or not, complemented with stricter security models in the browsers, that started to fail. But of course by chatting to you and having the skills of a con-man, they are slowly tricking you into revealing more and more information.
With the rise of smartphones and people want to do banking almost everywhere, the trend of doing your bank business on the smartphone is also increasing.

And smartphones are safe, it is not a PC!!!

If you believe the above line, you are eligible to become a victim of online banking fraud. Although the number of mobile malware is small, relatively almost 0 compared to malware for stationary computers, it is on the increase as well. And when many people start to use smartphones for online transactions, the cybercrime situation will get worse.

Norman is monitoring the market closely and already thinking ahead of possible attack scenarios and how to counter these.

We have to assemble a way to outsmart smart attacks. And being the pro-active company we are, we will as we think ahead!

For now:

Don’t be the next victim…

Secure your computer before banking online…

And apply common sense…You would not tell me your pincode either! Right?

PS: I hope the problem does not get worse otherwise I have to figure out what is the next step after quintuple... But I’m afraid I have to :-(
 

The technique used by this security app  - Android Market Security Tool - has received some criticism from the security community. Without asking for user consent, Google pushed an application to users and executed the app, which performed several actions. This was seen as dubious, and similar to behavior known primarily from malicious programs. The fact that Google had to invoke such technique, is highlighting a general problem with Android's security model.

However, this Android Market Security Tool was also published on some Chinese sites in a trojanized version. Unlike Google's legitimate security tool, the malicious app has to be downloaded, and the criminals behind must use social engineering techniques to persuade installation on mobile devices.

Since this is malware that disguises itself as a legitimate security application, it may be the first instance of fake antimalware for mobile devices.

Not surprisingly: The criminals in the mobile device sphere are using the techniques that are proven successful in the more traditional computing domain.

More widespread malware for handheld devices will emerge.

Several examples in the first two months indicate that this forecast will turn out to be valid.

Perhaps the most interesting incident affected users of devices running Google's Android operating system. Tuesday 1 March, Google's Android team was made aware that malicious apps were available for download from Android Market.

TechCrunch reports that Google has confirmed that in total 58 malicious apps were available, and downloaded to approximately 260 000 devices, before they were removed from Android Market.

It turned out that the malicious programs were modified copies of legitimate apps. The malware, called DreamDroid, is therefore a trojan. IBM Internet Security Systems X-Force has made a detailed technical analysis of the malware.

In a blog posting 5 March, Google described the steps that the company had taken in order to mitigate the situation:

1. Removed the malware from Android Market,
2. Removed the malware from the devices that had installed the app(s),
3. Pushed a security update to the affected devices, which reversed the exploits that were used,
4. Added security measures to avoid apps using similar exploits from distribution through Android Market.

Only Android versions prior to 2.2.2 are vulnerable.

The security update mentioned in item 3 is called Android Market Security Tool.

The action described in item 2 above is the so-called "kill switch" or "Remote Application Removal Feature". It is described in "Android Market Business and Program Policies":

Product Removals: From time to time, Google may discover a Product on the Market that violates the Android Market Developer Distribution Agreement or other legal agreements, laws, regulations or policies. In such an instance, Google retains the right to remotely remove those applications from your Device at its sole discretion. If that occurs Google will make reasonable efforts to recover the purchase price of the Product, if any, from the originating Developer on your behalf. If Google is unable to recover the full amount of the purchase price, it will divide any recovered amounts between the affected users on a pro rata basis.

Google also used the kill switch last summer.  In a blog posting Rich Cannings, Android Security Lead, wrote:

While we hope to not have to use [the remote application removal feature], we know that we have the capability to take swift action on behalf of users’ safety when needed.

As Aaron Gingrich in Android Police pointed out in a blog item:

Openness – the very characteristic of Android that makes us love it – is a double-edged sword.

My guess is that this is not the last time that Google will have to use the kill switch. 

part 1, part 2, part 3, part 4, and part 5.

Recently we were contacted again, the same drill, but things got a bit more professional (on the scammers side).

After the usual introduction, I asked for some details on the anonymous person trying to claim the name. Of course they don’t know who it is. All they have is a numbers-only e-mail address.

Of course I responded trying to poke a bit, similarly to the messages you can find in the part1-5 blogs.

Now interestingly, the scammer in the second e-mail announced that the Chinese Spring Festival is coming which required us to resolve the matter as soon as possible. That is a weird reason? Why would a festival block a domain registration? The internet continues 24/7.

I did enjoy their explanation of the “Internet Keyword” though. An internet trademark, wow! I wonder how the Chinese government will help me defend my “internet trademark” in the United States. Maybe I can waive my Chinese certificate and people will honor it (grin).

I decided to play along a bit more and request the application form. You can find the form at the bottom of this blog. If you compare it to the forms used in the earlier scams, you will see that not too much has changed other than the “domain name registrar’s” name and logo.

Suddenly there was no rush anymore, the disputed domains were frozen in “their company” and saved for us.

Being the polite person I am, I confirmed receipt of the application form and actually got an Out Of Office notification. Seems that scammers do take a week off to celebrate a festival.

I deciced not to write and to wait what would happen. For a solid two weeks I was not contacted until Monday 21 February.

Time to end it. In my usual style I they were informed that we knew all along that this was a scam. Their reaction was actually another attempt to convince me that they are absolutely honest. But ehhh… Who is “ume” that I have to contact? The next incarnation of the Domain Name scammers?

Google is one of the really big players in the advertisements market, and it should not come as any surprise that Google has information about surfing habits. After all, Google has information about almost everything else...

Your surfing habits on web pages, which use Google's advertisements, generate your own personal Google profile. The categories that you (supposedly) are most interested in are stored, and may be customized (new added and current removed). The technology relies on storing a cookie, unique for each user and web browser.

Based on this cookie information, the Google advertisements that you see will presumably correspond with your own interests. The idea is that this will be beneficial for you, the company that advertises products to organizations and individuals, and Google - everyone wins(?).

See the image below, which show how one person has customized his/her interests in order to receive advertisements based on some particular categories/demographics.

Google has included an easy one-click option to opt out to the system with customized advertisements. This result is not that you avoid advertisement, but that those you see are selected randomly, and not based on your preferences.

As discussed in the abovementioned security article, there are both pros and cons associated with customized advertisements. Google's easy system for anyone to opt out is therefore welcomed.

Below are some links from Google, which explain the system in more detail:

• Interest-based advertising: How it works 
• Frequently Asked Questions
• Configuring your Google Ad Preferences

• celebrity news
• disasters
• holidays / annual events

The two former are difficult for the cybercriminals to prepare for in advance (at least in detail), while events of the latter type return regularly. Cybercriminals therefore have the time and thereby great potential to set up quite convincing schemes in order to trick their potential victims.

Valentine's Day this year is Monday 14 February, and it is wise to raise your awareness against attempts to use this event to trick you into performing actions that may harm you. Emails masquerading as sent from your friends, fake postings on Facebook and other social media, malicious web advertisements using Valentine's day as the trigger... The list of tools, which cybercriminals have at their disposal to try to trick you, is long.

As usual good precautions are:

• use updated security software
• use sound skepticism
• think before you click

According to Wikipedia, Valentine's Day is

an annual commemoration held on February 14 celebrating love and affection between intimate companions.

Hopefully your Valentine's Day will be a day of celebration and not be ruined by cybercriminal activity that succeeds in tricking you.

[For those of you who did not notice: This blog item's title is a slight variation of email body belonging to one of the most infamous email malware, LoveLetter.]

As I mentioned in my blog from 17 January "IPv4: IPcalypse", the available number of IPv4 addresses was reaching zero. That has happened, IANA Central Registry of IPv4 addreses is exhausted. Not on the predicted 11 February 2011, but 8 days earlier, today, 3 February 2011. It will be a little while more (it may even take the rest of this year) before the Regional Internet Registry (RiR's) pools of reserved IPv4 addresses will be exhausted as well, but don’t hold your breath as you may miss that.

The fact that there are no more IPv4 addresses available does not mean the internet will stop (you’re reading this message online, right?), but for those that want to put a website online and do not have an IPv4 address, that would be a bit difficult.

When there is a shortage, there are always people that will take advantage of it and hope to make some $$$ on it. I will not be surprised if there will be a lot of smart website hosters that will take advantage of the lack of IPv4 addresses this and offer very cheap sub-domaining where the websites will all reside behind the same IPv4 Number. The URL’s will start to look like:

Another curious effect we may see is people offering their IPv4 numbers for $ale on e.g. auction sides as eBay. Wherever ISP’s have not transferred to IPv6, this can be a booming business.

And where corporate organizations and people switch over to IPv6 both externally and internally, there will be a lot of 2nd hand hardware s routers being offered on auction sides as well. Of course these would be IPv4 only (why otherwise sell them) but this may not be advertised.

Of course the non-availability of IPv4 addresses will be misused for social engineering as well where messages like “We still have IPv4 addresses available, click here…” will try to get to click on the link and end up at malicious websites.

More than ever, this is the time to switch to IPv6. If you are putting a new website online, doing this at an ISP or hoster that is already supporting IPv6 may save you some problems in the (near) future. When you buy new hardware (routers, switches, network appliances, etc) make sure they do support IPv6 as well.

IPv4 is dead, long live IPv6!!!

BTW: You did not click on the link for available IPv4 addresses, did you?

Firesheep's functionality is possible because the communication between a user's browser and the web site (e.g. the social network site) is sent in clear text. The data between the user and Facebook are transmitted by means of HyperText Transfer Protocol (http), 

Obviously this has potentially severe implications with respect to privacy and security in general.

Facebook announced its plans to enable secure communication in a blog posting 26 January titled "A Continued Commitment to Security". Facebook users will be able to use the more secure communication method Hypertext Transfer Protocol Secure (https), and the snooping options that Firesheep and similar technologies utilized, are no longer possible.

Secure communication is not implemented for all users yet, nor is https set up as the default communication protocol. Facebook wrote:

We are rolling this out slowly over the next few weeks, but you will be able to turn this feature on in your Account Settings soon. We hope to offer HTTPS as a default whenever you are using Facebook sometime in the future.

Communications through and information on Facebook is often highly personal, and it is of course imperative that this remains secure, and under the users' own control. It is therefore highly recommended that you enable the Secure Browsing option in Facebook's Account Settings as soon as this becomes available for you.

(Image taken from Facebook's blog posting)

Hopefully Facebook will quickly implement https as the default setting. Otherwise lots of users will presumably continue to publish sensitive personal information unsecurely.

AMTSO is a non-profit organization and therefore we do as much as possible ourselves. For that purpose I also act as the webmaster for AMTSO. As the AMTSO Members liked to have online forum, the board decided to implement that. Last Friday evening I started to implement and configure the forum. Quite an interesting task taking a crash course on Style Sheets, user rights, etc.

On the Monday 24 January in the late afternoon I announced the forum in the AMTSO Members List (a closed mailing list) and changed the website to have a link to the forum.

When I checked user-database the next morning, I was surprised. Not because of the number of AMTSO Members that registered, but more the number of non-members that (tried to) register. In under 10 hours of the existance of the forum I had 10 different registrations of people I didn’t know. And all (but one) were using a gmail-account…

In the mean time, that number increased well over 10.

After some initial research (isn’t Google a great search engine), I discovered that all of the addresses that registered are also registered to dozens and dozens of domains, or better the forums on those domains. And the messages they have (tried to) send in those forums are all spam.

That is also obvious from some of the signatures they create to be added to every post:

It seems that there is an active community that is searching for forums to spam their messages in, maybe even use Google Search for that.

Google is able to find the forum and is conveniently placing all the pages (and physical URL’s) in their search engine. It was rather easy to stop the registration of the forum spammers. Blocking the registrations from gmail, hotmail and such is a first step. Another step is to alter the robots.txt file to contain a DISALLOW. For the AMTSO Website that was easy:

Disallow: /forum/*

That did the trick. It would even make sure that the messages in the forum are not indexed . But of course that are the search-caches.

For some weird reason the spammers did not send a single message yet to the AMTSO forums. Maybe because we just set it up and there were no messages yet (there are now). Nevertheless, we took a pro-active approach and try to block them pre-maturely. The members of AMTSO have been asked to register using their corporate e-mail accounts and if they desire otherwise, announce it before registration. Free e-mail providers as gmail and hotmail will be blocked from registering.

Oh yes… While looking for all those e-mail addresses I stumbled over a nice list: Stop Forum Spam. And actually to no surprise, all the e-mail addresses, even with matching IP numbers (it is great to be an admin and to be able to see all that). And all the people on our AMTSO forum that I questioned for their motives are actually on that list as known forum spammers.

So be sensitive when you start a forum, take the required precautions and take the additional time to look at the new registrations the first days after you enabled the forum. You may be in for a surprise with some unknown registrations. Of course preventing search engines from finding your forum helps, but if you want to be publicly found, this may not be desirable.