Daily Bits

2007: The Year of Social Networking

by

An article at PC World does a great job of summarizing the major developments in social networking space in 2007 and ponders over the prospects and uncertainties for 2008.

One insightful point mentioned in the article is how innovation at start-ups startles tech giants. Google, the great Web firm that one-upped Yahoo in claiming the search crown and hailed as the poster child of innovation was beaten at the social networking front. All the major internet firms such as Yahoo, Google and MS were done in by FaceBook which sort of perfected the concept of applications around social networks.

Social Networking is moving from the domain of an ‘nice add-on’ feature to a must-have even at the enterprise level. Various organizations are now waking up to the possibility that to attract the next generation of talent, it is essential to incorporate the flavor of social networking and connectivity within the enterprise.

While there were major salvos fired at FaceBook’s walled garden approach to social networking apps (which it did counter by licensing the F8 platform), it will be LinkedIn’s progress in the API space that will be really interesting. Being a site for business networking, it is one network that will really see a boost with professional networking going beyond just the website to the Web as such.

But another shift that can also be expected is the increased availability of affordable feature-rich mobile phones and compelling mobile applications. Apart from the enterprise user, the benefits of mobile applications have not really trickled down to the casual user. 2008 will hopefully be the year when mobile applications especially for social networking will really take off. Since Google has made several bold moves in the mobile space, expect a lot of innovation in this front.

Overall, its been a great year for Social Networking and for 2008 there’s a lot to anticipate.

Keeping Your Windows PC Clean – Part 2: Malware and You

by

This is the second post in my “Keeping Your Windows PC Clean” series. If you haven’t yet, check out my first post on using Windows Update.

Virii Plush Dolls
Picture from Paul Holloway @ Flickr

I realize now that the first post may not have been one of the most exciting topics, but when talking about the more advanced elements of Windows troubleshooting I believe it’s important to have your basics covered. Today we’ll be moving on to the most common issues Windows users face: Malware.

What is Malware?

Malware is an umbrella term that includes such computing staples as viruses, trojans, and spyware. In terms of risk prevention, it’s best to keep all of the different sorts of malicious software in mind. Simply put, there’s more to worry about than spyware and viruses. You can read an exhaustively complete explanation of all the different types of malware at Wikipedia.

Here are a few steps you can take to hopefully prevent getting malware in the first place:

Pay Attention to What You’re Installing

Once you get used to installing Windows programs, the installation process tends to feel the same after a while. It’s often tempting to simply click Next until the installation is finished, blithely ignoring the options presented to you. While it may speed up the installation process, this also opens you up to unwittingly installing malware on your computer.

The solution to this is to simply pay attention and read everything you see during installation. While an antispyware program will save you if you install junk on your computer, it’s always better to avoid putting it there in the first place. Pay attention and you’ll notice far more software trying to sneak onto your system than you previously thought. Also, choose the “custom” installation option if possible to see exactly what the software is putting on your system.

Some examples of malware include the software that tries to sneak into your system when you install the Weatherbug application (just stay away from that entirely), and the variety of junk you’re presented with when installing RealPlayer.

Take note: This isn’t just good practice for preventing malware, it also prevents tons of legitimate software which I find wholly unnecessary. These sorts of things won’t actively harm your computer, but pile enough of them on and you’re bound to notice a performance decrease. Some examples of this includes the auto-updating features of Quicktime and the Google Applications, as well as anything that masquerades as a “helper application” in your system tray.

Be Wary When Using Downloaded Files

Semi-related to the topic above, you should also pay attention to the files you download from the web and P2P applications. If possible, make sure the files you’re downloading are “clean” (checking comments usually helps with this, if they’re available), and don’t contain any strange executables. Things to look out for include random .exe and .dat files when you only expected to find music.

If you have antivirus software (which will be covered soon in this series), you can scan the files you download to make sure they’re not harboring malware. This is a last resort method of course, and the best course of action is not to download anything from sketchy pirate sites at all.

Use Firefox and Internet Explorer 7

Anecdotally, I would guesstimate that around 80% of malware that the average user installs comes from Internet Explorer 6. It’s no big secret that IE6 was one of the biggest security holes in Windows XP. This had to do mainly because of the way IE6 was integrated into XP. The tight integration was seemingly a good idea to Microsoft for development reasons, but in reality it opened up some gaping security holes.

After Service Pack 2 for XP was released, IE became a bit more bearable with a few security upgrades. Then came Internet Explorer 7 which offered greatly improved security (especially for Vista users), but unfortunately still couldn’t compare much to Firefox.

My advice for this section boils down to this: Use the latest version of Firefox for your primary web browsing, but also make sure to have Internet Explorer 7 installed because you need to have some version of IE installed. You might as well have the most secure version. (Of course if you followed my advice from the first column, you’d already be covered.)

Coming Up Next Time

The next article in this series will cover what you need to do to remove malware from your system. I didn’t include it in this one because it’s honestly a very different topic, and if you followed my advice in this section to heart you may never actually need to remove any malware 😉

Also, I realize that everyone has their own theories when it comes to computer maintenance, so I welcome you to offer your suggestions for avoiding malware in the comments.

Google and Its Doodles

by

Google’s got a way of keeping its users uptodate with latest on content. And that extends right from the most compelling links to the very doodles that appear on the home page. The Doodles (the Google logo) have a very interesting history in themselves – having been produced for the first time in 1999 by Sergey and Larry themselves after they attended the Burning Man Festival.

And the oodles have gone all the way from the commemoration of Louis Braille’s birthday to the once-every-122-years Transit of Venus. And the man behind the Google Doodle, Dennis Hwang does the doodles only as a small part of his job as Google’s International Webmaster.

You could also go ahead and send in details on any event that you feel needs to be reflected on the Google home page.

And if you’ve noticed recently, Google’s present doodles are ‘in-the-making’ holiday doodles. Click on the image and you are led to a page with a set of holiday images and quizzed on what to expect next.

Another first from Google I think, doodles for a doodle in the making. Its the face of the company to the world and it reflects the real-time dynamism that has made it the powerhouse of the Web.

Keeping Your Windows PC Clean – Part 1: Using Windows Update

by

Windows Vista LogoWorking in tech support, I constantly run into a wide variety of users who seem to know very little about taking care of their Windows computers. This isn’t necessarily their fault, since most people simply don’t have the time or patience to dig beyond the surface-level workings of their computers. Ideally, users shouldn’t have to worry about the way their computer works, but that sort of blissful utopia is still several years away in my opinion.

Luckily for the uneducated Windows users out there, it’s actually much easier to take care of their computers than they think. This series of posts will offer simple and free ways for even the greenest users to maintain their computers. Let’s start with something basic:

Keeping your computer up to date with Windows Update

Despite Microsoft’s penchant for buggy operating systems, in truth they do a good job of keeping both Windows XP and Vista up to date. Of course, to take advantage of these updates you need to make sure you’re actually downloading and installing them. You can do this manually from Windows XP by going to WindowsUpdate.com in Internet Explorer (not Firefox), or in Vista by navigating to Start Menu > Control panel > Windows Update.

Check for updates by clicking the appropriate buttons or links in XP/Vista, and then simply proceed through the installation process. If you’re an XP user who hasn’t updated in a while, you may be asked to go through some extra updates before you’re allowed to install actual Windows Updates.

You can also configure both Windows XP and Vista to download and install your updates automatically. Personally, I recommend just enabling the option to download updates but not install them automatically. When Windows installs your updates automatically it also reboots your computer once it’s done, and this could pose a problem if you accidentally leave an unsaved document open. You’ll end up losing all of the unsaved data.

To enable automatic downloading in Windows XP, navigate to Start > Control Panel > Automatic Updates. Choose the option to “Download Updates for me, but let me choose when to install them”, and click OK.

To enable it in Windows Vista, navigate to Start > Control Panel > Windows Update and select the Change Settings option on the left side of the window. Choose “Download Updates for me, but let me choose when to install them”, check off the two check boxes at the bottom of the screen, and click OK.

vistawindowsupdate.jpg

Once automatic downloading is enabled, you will receive notices in your system tray telling you when you have updates to install. You can either install them by clicking on the relevant icon, or, my personal favorite, choose to “Shut Down and install updates” when you click Start > Shutdown.

You’d be surprised at the sort of performance improvements that you get from making sure your computer is up to date, not to mention the numerous security benefits, so it’s always a good idea to make sure you’re doing so.

What is Phishing? An Introduction

by

whatisphishing.jpg

The Internet is a vast world, so vast that it somehow is an existence similar to our real world: IP addresses for home addresses, e-mails for snail mails, even calling-enabled messengers for telephones and mobile phones. But a world is not a complete world without its prevailing crimes, right? If so, which crime is as widespread in the Internet as robbery is to the real world? It’s phishing.

Phishing is an act of illegally acquiring sensitive information, like usernames and passwords, from an unsuspecting user. Like fishing, the word it originated from where you use worms as bait to catch fishes, of course, phishing uses trustworthy websites (usually the online transaction types like e-bay and PayPal), e-mails, and online messengers for bait to catch unaware users and get sensitive information from them. But unlike computer viruses, which attack the computer’s internals, phishing deals a more serious damage in a personal, commonly financial level.

There are numerous ways for malicious Internet connoisseurs to phish out sensitive information. People who depend on Internet-based transactions should be wary of these phishing techniques that we will discuss next.

Link Manipulation

The most common of all phishing techniques in existence is link manipulation which, as the name states, directs your browser to a website different from the original website you are to visit through fiddled links. Link manipulation usually comes in the form of an e-mail message from what you think is your trustworthy website. Let’s look at a scenario that shows how link manipulation works.

You are checking your e-mail account when suddenly you receive a notice telling you to protect your PayPal account. As you click on the e-mail message link, you read through a seemingly original PayPal message, telling you that PayPal administrators have “noticed” that you attempted to log in using a foreign IP address (a clever alibi, I must say). In the middle of the baffling message appears a highlighted sentence telling you to verify your account, followed by the manipulated link. And after that, a frightening message appears: “If you choose to ignore our request, you leave us no choice but to temporarily suspend your account.” That really leaves you no choice but to follow their manipulated link. Since you cannot afford to temporarily lose access to your virtual bank account, you clicked on the link, which opened the website created by the phisher. On the webpage, you are asked to enter your username and password to “log in” to your account. Thinking that you are furthering the security of your PayPal account, you provided the username and password, et voila! The phisher now knows your username and password and can eventually use them for his gain!

Often, such spoof websites have very minute differences from the original so the link can go unnoticed from a careless eye. Phishers use subdomains in order for their spoof link to keep a reference to the spoofed website, without really connecting to it. Also, phishers trick their victims by using deceiving anchor texts, words or phrases that stand for a link in a website. Through it, the spoof website looks legitimate since the anchor texts act as cover for the phishing link. And on a more complicated note, phishers can also use redirectors of Uniform Resource Locators or URLs to hide their phishing links behind trustworthy websites and domains.

What if you installed an anti-phishing filter to detect phony text contents of e-mail messages and web pages? Think you are safe enough? Think again. Phishers have seen through this, and their methods evolved from phony, plain text messages sent via e-mail providers. Filter evasion methods include using other web objects like images to avoid their manipulated links from being detected by filters.

Website Forgery

Phishers can also use fake web pages to phish out information. This method is known as website forgery, which comes in two devilishly wise packages.

The first method of website forgery uses scripting methods to conceal the manipulated link in the web page’s address bar. Commonly, phishers imitate the address bar logos of trustworthy websites and put them beside URLs of their deceiving website. Further, the phisher’s scripts can even close the address bar containing the phisher’s link, replacing it with an address bar containing the genuine URL to obscure the website’s identity.

The second method of website forgery is done through exploitation of a website’s flaws. Cross-site scripting or XSS uses a website’s programming defects to trick an unsuspecting visitor. XSS is a very convincing phishing technique, because what it does is open the authentic website wherein the victim fills up forms for usernames, passwords, and other confidential information. But upon submitting the page, XSS scripts start working, linking you, the persuaded victim, away from the authentic website and into the phisher’s own. Sometimes, the phisher wouldn’t even need their own websites, for their script is enough for the deception to occur. Such phishing attack is difficult to detect just by merely “looking around” the website. Without prior knowledge on scripting and the like, you will never know what hit you, or in this case, you’ll never notice that you got robbed virtually.

This case is turned from bad to worse by the fact that there exist phishing kits, programs with user interfaces that allow reproduction of websites and creation of their fake versions. Such kits are often used by script kiddies—malicious but amateur programmers who cannot develop their own set of wicked programs, using programs that other malicious programmers like hackers developed. Man-in-the-Middle is one example of phishing kits that enables despicable pseudo businessmen to “mediate” between legitimate online businesses and their clients. Man-in-the-Middle channels information from a business website to a fraudulent website and vice versa in order for the amateur phishers behind the crime to communicate with their victims. Through this, the crime perpetrator can easily capture the victim’s confidential information in real-time setting. This technique spreads phishing to the not-so-knowledgeable script kiddies to build a growing network of virtual criminals. Also, the kit was so flexible that it can be customized based on what type of online business the script kiddie criminal wants to target. Further, the fake website can easily interfere through the transactions between the original website and the victim by “importing” from the target website the victim’s sent information, meaning all credentials of the victim can be viewed and acquired by the phisher. Fortunately, the said phishing kit was discovered by the anti-fraud division of an American software and systems manufacturer.

Other Techniques

Internet frauds don’t only involve websites. When you receive an e-mail message telling you to dial a certain number, doubt it immediately (unless you are expecting some transactions from the website, of course). This might be a voice phishing attack. If you dial the number provided by the phisher in the e-mail message, voice prompts will be asking you to press numeric information about your bank account like your account and PIN number. Phishers have arrays of faking techniques to employ to fool users. They can use fake caller ids to give the call a legitimate, trustworthy feel, an IP service that provides voice-overs to communicate with you in real-time setting, and even access on information keyed through a landline phone.

Although there are anti-phishing toolbars that check websites if they are one of the identified spoof websites in an Internet-wide database, phishers have found a way to further conceal their identity from anti-phishing programs which evolved from mere filter evasion. Introducing: the phlashing technique.

Confident that the anti-phishing programs are the ultimate salvation from phishers, users get that false security feeling that they are protected from any kind of phishing attack. Sadly, phishers were able to think outside the box (or the four corners of the webpage window) and learned to use Macromedia Flash animations as means to create their spoof websites. Such knowledge, in essence, defeats the purpose of anti-phishing services “with the phisher’s hands tied behind his back.” Since anti-phishing programs scan only the text contents of a suspicious website, phlashes can just pass the anti-phishers with flying colors.

As the phishing activities evolved, cyber criminals developed their wicked craft even more, anticipating possible reactions from the security militia of the Internet. Phishers even entered the world of compressed files to easily spread chaos among networks of banks and online transactions. Developing a somewhat plug-and-play phishing network using zipped files on hacked networks, web cons enjoy a phishing spree just by unzipping certain files in a subdirectory of an exploited website. Falsely becoming part of the target website, the unzipped spoof files inside the website’s subdirectories will look just as legit as the directories above it.

Social Network Phishing

Although this only comprises a small percentage of phishing activities, social network phishing is just as grave as its ancestors in the sense that it attacks major groups of web users at once through online community websites. In here, a phisher targets a certain social network like MySpace or LiveJournal, planting in those websites some botnets, automatic and autonomous programs run remotely by a hacker. Although there isn’t much money involved in social networks, phishers still consider them their pot of gold as it is very easy for them to spread key loggers, programs that can capture every keystroke of the user. Phishers use such networks in order to hopefully capture a home computer that is often used to shop online or store money via online banks. Further, most of the people in social networks use the same password for any and almost every account they have in the Internet universe, including their e-mail addresses where most confirmation messages for online transactions are stored. That and the fact that key loggers can acquire passwords are enough warnings for amateur people who use the web for transactions. Other typical social networks that phishers target are bulletins, forums, commentary, and profile websites.

There is another form of phishing that attacks big groups instead of just a single person, and that technique is known as spear phishing. In terms of attack deployment, spear phishing somehow resembles the exact opposite of social network phishing because the former uses somebody from the organization to set up the attack, as compared to the latter, which uses a community website to attack individual users.

Spear phishers actually need three things in order to execute an attack to an organization: (1) an identity of somebody within the organization, preferably a person with high authority to make the attack convincing, (2) wide knowledge about the company’s transactions and daily activities to back up the validity of the phish, and (3) a seemingly valid and well-researched reason for requesting confidential data like the PayPal account of one of the company’s departments. If these three are already available to the phisher, then the spear phishing comes to actuality, as described below.

In spear phishing, after finding a website suitable for the attack, the phisher acts as if he is a member of the website’s company with a position of authority. This step utilizes the first of the three requirements to conceal his identity and at the same time, be more convincing when he would be sending requests for confidential information. However, before he creates the fraud e-mails, he has to first look for traces of financial and confidential information, which he can use to further infiltrate the company, supporting the validity of his next move. In that step, he utilizes the second requirement. And lastly, the crime perpetrator then drafts the e-mail message directed to the company, using as reason the third requirement, in order for the phishing to take place.

The typical information that the spear phisher requests in his fraud e-mail message are the same as any kind of phisher would ask: usernames, passwords, account numbers, and the like. But furthering the attack, the spear phisher provides a manipulated link that, once clicked, will download a malicious program into the computer of the victim.

Phishing is as varied as robbing is in the real world. And with the many techniques above, with some even requiring phishers to study and improve the technique, I can’t help but wonder what the driving force for a phisher to phish is. Let’s explore a phisher’s mind in the next section.

A Net Full of Phishes

Everyday, an average of 10 phishing attacks are developed to dupe varying online transactions. However, in this constant increase, the concern of people is more directed to stopping phishers by putting up layers and layers of phishing security programs. Fortunately, I am one of the few people who have heard of the saying: “Prevention is better than cure;” so I decided to learn what goes on inside a phisher’s mind. Upon researching on phishing and trying to figure out how a phisher’s mind thinks, I stumbled upon a website wherein an article they published discussed how it is to be a phisher.

In the earlier years of phishing, a phisher is known to be someone who experienced being phished or had witnessed somebody suffering from the damages of phishing at one point in his earlier life. Given that he or she had ample background of the Internet and its programming styles, then that person can imitate the phishing attack that got him or somebody close to him to do revenge or simply to acquire personal, financial information. But with the dawn of phishing kits, almost anyone can do it, like the novice script kiddies mentioned above.

In the course of a normal phisher’s life, he or she “gains” a multitude of virtual identities, acquired using the techniques we discussed above. Often, they can no longer track all those whom they have phished that they start building databases of phished credentials from their victims.

Phishers don’t stop when they have acquired some identities. Even though they are getting enough money from a good number of victims, phishers still are insatiable that they started resorting to social phishing. Usually, social networks contain e-mail addresses, which are accessed by the phisher once he gets hold of his victims’ passwords through key loggers. Upon looking around the e-mail addresses of his victims, the phisher can then determine how much his gains will be.At times, when the victim is registered to online transaction websites like eBay and Paypal, the phisher sells the accounts to scammers, who will be the ones doing the stealing.

When they start phishing, phishers become very meticulous virtual entities as they try to select the best Internet services to handle their attack elements: a convincing domain and an anonymous, often offshore host to carry out their spoof websites and Internet files and connections. Second, the phisher checks the page source of his target website, studying it to identify where he can place certain codes that will do the phishing for him. Third, he develops the spoof website with care and keenness so as to make it believable. After that, he will include certain scripts that will transfer information from the spoof page to his server using scripting languages for backend of websites. Lastly, he will deploy the spoof web page using any or all the techniques shown above, and wait for the “phished to take their bait.”

Phishers can fool as much as 10,000 people everyday. But to remain hidden from such big crowd, a phisher has to use his own virtual private network, a personally dedicated server, a copious amount of proxies, and encryption of his network signals that travels to and fro.

Finally, the reason why a phisher can still catch a good haul these days is because their adversaries, the good guys of Internet security, are “lazy” that phishers maintain a firm step ahead of them.

That’s pretty much it for the first part of our expedition in the world of phishing. In the second part, we will learn how to stop or avoid malicious phishing activities. Stay tuned!

Top 6 Bizarre Online Gaming Incidents

by

People stabbing each other (in real life) for magic swords (inside an online game); men kidnapping a top player to steal his game password; a girl that dies after playing her favorite multiplayer game for several days in a row….

It is a crazy (virtual) world, what can I say! Below you will find the 6 most bizarre online gaming incidents in history:

1. Lengend of Mir 3 player stabs fellow gamer to death

legendofmir3.jpg Back in 2005 Qiu Chengwei, a 41 years-old Shanghai resident, stabbed fellow gamer Zhu Caoyuan repeatedly in the chest, causing his death. The reason? Zhu sold the “dragon sabre,” a weapon that they won jointly in the MMORPG (Massively Multiplayer Online Role Playing Game).

According to the China Daily, Qiu Chengwei went to the police first, but after being told that virtual items were not protected by law, he decided to make “justice” with his own hands.

Qiu Chengwei received a life sentence.

2. Brazilian gang kidnap top GunBound player

gunboundplayerkidnap.jpgEarlier this year four Brazilian men, with ages between 19 and 28, developed a plan to steal the game password of a GunBound (an online multiplayer game) top player. The objective was to sell the game account on the Internet for $8,000.

The first step was to get the girlfriend of Igor, head of the gang, in contact with the GunBound player. They accomplished that via Google’s social networking site Orkut, which is extremely popular in Brazil. After exchanging messages for a couple of days, the girl asked the boy to meet her at a shopping center.

He went, but instead of the girl he found Igor waiting for him, armed with a gun. They took the GunBound player away, and here comes the bizarre part. After five hours of interrogation at gun point, the boy was still determined to not reveal his password, so the four men released him.

The boy went to the police, who arrested all the gang members.


3. Girl dies playing World of Warcraft

girldiesplayingworldofwarcraft.jpgBack in 2005 a Chinese girl nicknamed “Snowly” died of exhaustion after playing the MMORPG World of Warcraft for three days in a row. She was preparing to kill the Black Dragon Prince, other players explained, hence why she had no time to rest between the game sessions.

Interestingly enough, her fellow game players held a virtual funeral inside the game, as reported by Yahoo News China.

4. Teenager arrested for stealing virtual furniture

habbohotelarrested.jpgA couple of weeks ago a seventeen year-old boy stole almost $6000 worth of virtual furniture in the online game Habbo Hotel. Habbo is a virtual world where people can create houses and other scenarios, but the items need to be purchased with real money.

The company alleged that the boy, with the help of some friends, created a website to lure other players into revealing their passwords. After that it was just a matter of logging into the game and transferring the furniture into his own room.

It would be a perfect crime, except that the police (the real one) was called and the boy was arrested.

5. Belgian Police decides to patrol Second Life after virtual rape case

secondliferape.jpgThe details about the case were not revealed, but two Belgian newspapers reported early this year that the Belgian Police would setup an in-game patrol unit to investigate virtual rape incidents.

Absurd as it sounds, the event spurred a myriad of discussions around the web, from sexologists arguing that even virtual rape can be a traumatic experience to online gamers that wondered the technical details that enabled a virtual rape to occur in the first place (in fact it is hard to conceive how someone would not be able to simply turn the computer off…).

6. A plague ravages World of Warcraft

worldofwarcraftplague.jpg In the middle of 2005 Blizzard introduced a new area to its popular MMORPG, World of Warcraft. The boss of the area was able to cast a spell called Corrupted Blood, which was supposed to infect and cause damage to all the players nearby.

Contrary to what Blizzard planned, however, the players remained infected even when they returned to their towns, contaminating pretty much everyone around them. The plague spread through the game servers and thousands of players died.

Blizzard manage to create quarantine zones within the game, and shortly afterwards it introduced a “cure” for the infection. Despite the remedies the event created a lot of buzz in online forums and community websites.

In one word: bizarre!