Continue reading »]]> 02 April 2010.

http://www.net-security.org/secworld.php?id=9096&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+HelpNetSecurity+%28Help+Net+Security%29

Google analyzes millions of pages per day when searching for phishing behavior. This kind of activity is, of course, not done by people but by computers.

The computers are programmed to look for certain things that will identify the page as a phishing site. Those things are actually the same things that users should check when evaluating if a page is legitimate or not.

According to a post on Google’s official online security blog, the first step is looking at the URL- Does it contain words like “login” or “banking” or trademarks of the phishing target? Does it use an IP address for its hostname? Does it have a large number of host components, making the address unusually long? If the answer is yes to all of these questions, the page could be a phishing one.

The second step consists of analyzing the page – Does it contain a password field? Does the majority of the links point to the phishing target so that the phishing pages functions as the legitimate one would? Google’s computers check also the terms most often used on the page, and a telling terms like “password” raises a red flag.

The third step consists of a look-up of the hosting information – does the institution claim to be based in one country but the webpage is hosted on servers in another country and on a local ISP’s network? If the answer is yes, chances are high it’s not a legal site.

Lastly, checking to see whether the page is popular and checking the spam reputation of the domain on which the page is hosted will give you another clue – phishing pages are usually hosted on domains that have a (bad) reputation when it comes to spam sending.

When all these clues are combined and indicate that the site is likely set up for phishing purposes, it is put on Google’s blacklist that is used by the browsers to warn the users that they have landed on a malicious page.

“False positives” do happen, but they happen once every 10,000 checked pages, and even then it is usually a site set up for some other malicious purpose. The basis on which the classifier is trained to recognize phishing pages is provided by a sample of around ten million analyzed URLs in the last three months and an addition of current features, and it is executed once a day.

Phishers may use a number of techniques to try and bypass this system, but they can’t escape forever. The more people come to their site, the likelihood of someone recognizing it for what it is and reporting it to Google rises, so it’s just a matter of time before it gets flagged.

Continue reading »]]> William Maclean, Security Correspondent

Reuters

Feb 22, 2010

http://www.reuters.com/article/idUKTRE61L37B20100222

LONDON (Reuters) – The best weapon against the online thieves, spies and vandals who threaten global business and security would be international regulation of cyberspace.

Luckily for them, such cooperation does not yet exist.

Better still, from a hacker’s perspective, such a goal is not a top priority for the international community, despite an outcry over hacking and censorship and disputes over cyberspace pitting China and Iran against U.S. firm Google.

Nations are thinking too parochially about their online security to collaborate on crafting global cyber regulation, an EastWest Institute security conference heard last week.

Policy statements from governments around the world are dominated by the need to heighten national cyber defenses. As a result, too many cyber criminals are getting a free ride.

“Nations are in denial,” a cyber law expert told Reuters, saying national legislation was of limited use in protecting users of a borderless communications tool.

“It may take a big shock of an event to wake people out of their complacency, something equal to a 9/11 in cyberspace,” he said referring to the 2001 coordinated attacks on U.S. cities.

With a quarter of humanity connected to the Internet, cyber crime poses a growing danger to the global economy.

TARGET THE PERPETRATOR

The FBI tallied $264 million in losses from Internet crime reported by individuals in the United States in 2008 compared to $18 million of losses from 2001: These were probably a fraction of the losses caused to companies and government departments.

The menace extends to many sectors including control systems for manufacturing, utilities and oil refining, since many are now tied to the Internet for convenience and productivity.

A priority for regulators is to find ways of tracking down criminals across borders and ensuring they are punished, a tough task when criminals can use proxy servers to remain anonymous.

“We cannot postpone the debate until we are in the midst of a catastrophic cyber attack,” former U.S. Homeland Security Secretary Michael Chertoff told the conference.

“We must formulate an international strategy and response to cyber attacks that parallels the traditional laws governing the land, sea, and air.”

Security experts say the ability to conduct disastrous mass cyber attacks is the preserve of some governments, well beyond the capacity of militant guerrilla groups like al Qaeda.

But it cannot be assumed that international organized criminal networks, long practiced at mass online fraud and theft, are not developing an interest in gaining this ability.

“Cyber crime is a very sophisticated crime with very sophisticated players and it takes a multinational effort to make sure we can enforce the law,” Dell Services President Peter Altabef told Reuters.

“Once you have identified who is at fault you really want to make sure, as a deterrent, that you can go to those jurisdictions and enforce the laws on the books.”

James Stikeleather, Dell Services Chief Technology Officer, told Reuters that tracking own criminals across borders could pose legal issues for drafters of multilateral regulation.

Giving an example, he said the more companies added the technology needed to give investigators the ability to attribute a crime, the more users’ privacy and anonymity would be reduced.

“PLAYING WITH FIRE”

“Probably the sticking point among the governments will be ‘where is the appropriate level of attribution versus anonymity or privacy for what people are doing (online)’.”

Datuk Mohammed Noor Amin, chairman of the U.N.-affiliated International Multilateral Partnership Against Cyber Threats, said failure to regulate could perpetuate cyber “failed states.”

He cited impoverished countries where customers can purchase unregistered SIM cards with mobile Internet capability, giving them the ability to commit online crime such as identify theft against people in rich nations without fear of being traced.

He said it was in the interest of rich nations to help poorer countries develop the capacity to crack down on this kind of abuse, because their own citizens were being targeted.

“Governments tend to look at their self-interest. But it’s actually in their own interest to collaborate,” he said.

Altabef said the growing rate and scale of international cyber attacks threatened to undermine the trust between nations, businesses and individuals that was necessary for economies and societies to act on the basis of the common good.

Complacency was also a problem, delegates said. “Nations take for granted the Internet is going to be ‘on’ for the rest of our lives. It may not necessarily be so,”.

“Imagine the Internet being down for two to four weeks,” he said. This would “rain disaster” on online businesses as well as transport, industry and governmental surveillance systems.

“People have realize the Internet is an integral part of every country, politically, socially and business-wise.”

“Not to focus on cybersecurity is playing with fire.”

Continue reading »]]> We’ll ignore this window if you close it

By Cade Metz in San Francisco

Posted in Security, 27th January 2010 00:28 GMT

http://www.theregister.co.uk/2010/01/27/google_toolbar_caught_transmitting_data_when_disabled/

Google has updated its browser toolbar after the application was caught tracking urls even when specifically “disabled” by the user.

In a Monday blog post, Harvard professor and noted Google critic Ben Edelmen provided video evidence* of the Google toolbar transmitting data back to the Mountain View Chocolate Factory after he chose to disable the application in the browser window he was currently using.

The Google toolbar offers two disable options: one is meant to disable the toolbar “permanently,” and the other is meant to disable the app “only for this window.”

In a statement passed to The Reg, Google has acknowledged the bug. According to the statement, the bug affects Google Toolbar versions 6.3.911.1819 through 6.4.1311.42 for Internet Explorer. An update that fixes the bug is now available here, and the company intends to automatically update users’ toolbars sometime today.

The statement also says that the bug does not occur if you open a new tab after disabling the toolbar for a particular window. In the statement, Google goes on to say that the bug disappears if you restart your browser, but this doesn’t quite make sense. If you’re interested in disabling Google toolbar for a particular window, you aren’t going to close that window.

“For that option to work as its name promises, Google Toolbar must cease transmissions immediately,” Edelman says. “Fact is, the ‘Disable Google Toolbar only for this window’ option doesn’t work at all: It does not actually disable Google Toolbar for the specified window.”

It would appear that in saying the bug is fixed when the browser relaunches, Google is referring to a second bug Edelman uncovered. The Harvard prof also found that the toolbar continued to transmit data when he attempted to disable it through Internet Explorer’s “Manage Add-ons” window.

With the Google toolbar, certain “enhanced features” require the transmission of data back to Google servers. These features include the ability to view a website’s Google PageRank, essentially a measure of its importance on the web at large, and the new Sidewiki, a means of adding meta-comments to webpages. Using a network monitor, Edelman confirmed that if “enhanced features” are activated, Google collects domain names and associated directories, filenames, URL parameters, and search terms.

The user chooses whether to turn on “enhanced features,” but Edelman argues that it’s much too easy for a user to do so without completely realizing the consequences. The toolbar’s standard installation routine launches a “bubble message” that pushes readers to turn on the features, he says, and it’s less than clear about what data is being transmitted.

“The feature is described as ‘enhanced’ and ‘helpful,’ and Google chooses to tout it with a prominence that indicates Google views the feature as important,” Edelman writes. “Moreover, the accept button features bold type plus a jumbo size (more than twice as large as the button to decline). And the accept button has the focus – so merely pressing Space or Enter (easy to do accidentally) serves to activate Enhanced Features without any further confirmation.”

Yes, he continues, the message points out that the toolbar “tells us what site you’re visiting by sending Google the url.” But he argues this stops short of explaining that it collects everything from directories, filenames, and URL parameters to search keywords.

What’s more, Edelman says, turning off “enhanced features” is more difficult than turning them on – especially for the average Joe. It appears that the features can’t be turned off unless you uninstall the entire toolbar. Or “disable” it. But that doesn’t always work. Or at least it didn’t until Edelman noticed it didn’t.

* Video evidence at

(http://www.benedelman.org/spyware/images/googletoolbar-jan10/disablex-video-012110.html)