Daily Bits

Internet

The Internet’s Carbon Footprint Will Make You Think Twice

by 1 Comment

If you are concerned for the environment, then this post just might make you think twice about spending so much time on your computer and on the Internet. According to The Guardian, the carbon footprint of the Internet is astounding: 300 million tones of carbon dioxide per year. Just to make that more understandable:

• Almost as much as all the coal, gas, and oil burned in Turkey or Poland
• More than half of the fossil fuels that the UK burns
• Imagine every person in the UK flying to the US and back – twice.

Astounding is the word, right? It makes you think – all the effort you’ve been putting into making the world a better place might be going down the drain. All because you spend so much time on the Internet. (Yeah, I am talking about myself here.)

Then again, the Internet does help cut back on energy consumption in so many ways. The same article outlines a couple of points:

• Smart grids are possible because of the Internet, and we all know they save energy.
• Tools such as video conferencing software help cut back on flights (read: higher carbon footprint).

More interesting are the ideas that Leo Hickman posted about a year ago. In his article, he posed the suggestion of cutting back on Internet usage:

Might we now have to ration our use of the internet to ensure its very survival? If so, what would be considering a fair share of the internet? Thirty minutes of browsing a day per person? Fifty megs of download a day? Just as we are being asked to “do our bit” for the environment by flying less, using public transport more, eating less meat and the like, might we now be asked to download fewer bulging multimedia files?

Call me biased and totally subjective, but just how accurate are these figures anyway? Isn’t it possible that the situation isn’t that bad? But yes, this post is making me think twice.

Photo credit: Green Office Projects

3 Internet Pet Peeves and Their Fixes

by Leave a Comment


Considering the time that you probably spend online, you would know that there are a lot of things that can happen out there that get your goat. We all have our pet peeves; some of them we can find fixes for, some we just can’t do anything. And, speaking of these Internet problems and fixes, I read a very interesting and useful list at PC World.

There are too many too mention here, but let me give you the three that are my pet peeves.

Facebook game and apps overload

I love Facebook games – a couple of them, at least; but I know how irritating it can be to see all those feeds when you are NOT interested in them. Hence, I try to limit the things that I publish. If you have friends who can’t help but flood your feed with their Facebook games and apps, though, PC World suggests Facebook Purity, which is part of Firefox’s GreaseMonkey add-on.

Useless search bars in web sites

What use is a search bar embedded in a web site if you can’t get relevant results? This has happened to me countless of times that I have simply stopped using them most of the time. What I have been doing is what PC World suggests: go to your usual search engine and key in site:nameofsite.com “what you’re looking for” instead.

Flash ads automatically blaring out some audio

Imagine browsing the net while at Starbucks or some other place when suddenly, this loud audio emanates from your speakers. Forget that – imagine working late into the night, you’re alone at home, and the same thing happens. I have jumped out of my skin so many times because of this! Here’s the fix from PC World: use FlashMute, which blocks Flash access to your audio. They do have a disclaimer: your anti-virus software might see it as an attack when you download the software. Ignore it.

For the complete list, visit PC World.

Security Tips When Using Public Wi-Fi

by 3 Comments

It’s a dream coming true, isn’t it? Most places you go nowadays, you can access the Internet via Wi-Fi. Most cafes are following the trend – even Starbucks, which has been resistant for quite some time. In some cities, the coverage is especially wide.

While this is pretty convenient for all of us, we should realize that using public Wi-Fi isn’t exactly the safest thing to do. Still, as long as you don’t access and transmit sensitive information, right? You might be wrong there – you cannot deny that there are many ways by which you can be prone to security issues when using Wi-Fi. With a little vigilance, though, you can make your access a little more secure.

Always use SSL, if possible.

That is, use HTTPS instead of HTTP. For example, when accessing Google, key in https://www.google.com/ instead of http://www.google.com/. The good news is that this is where Google is headed anyway. If you take a closer look, Gmail already uses HTTPS as a default. To make it even easier, check out HTTPS Everywhere, an add-on for Firefox.

Make sure your sharing settings are secure.

In other words, turn off all sharing! If you’re like me, you have certain files and folders that are shared for use at home. When you go out and use public Wi-Fi, however, it is better of you turn sharing off. How to do this? Go to Network and Internet -> Network and Sharing Center, then click Choose Homegroup and Sharing Options -> Change Advanced Sharing Settings.

Double check your firewall.

Sometimes, for one reason or another, I turn off my firewall at home. I don’t exactly remember the reasons, but I am pretty sure they were convincing at that time. Don’t take it for granted – operating systems come with basic firewall setups, but they can be your very first line of defense.

Have You Got Flock Yet?

by Leave a Comment

Social networks left and right – that’s what you’re bound to see and experience if you go online even for a few minutes. There’s nothing inherently wrong with these social networks, if you think about it. It’s just sometimes, some people go overboard – both users and the brains behind the networks.

Anyway, if you can’t get enough of social networking, here’s something for you: Flock. It’s nothing new, really. This social network browser has been around for some time now, but there are new developments that will make its fan base happy.

It used to be that Mozilla Firefox was the browser of choice for a lot of people, but when Google came out with Chrome, some loyalties changed. And now, Flock has switched loyalties as well!

The new Flock is now using Chromium, the open source platform that is found under all the layers of Chrome. This is a milestone is many respects, one being the fact that Flock is the first non-Google browser to implement such a thing. For the end-user, this means S-P-E-E-D!

They say that this new “super fast” Flock beats Firefox by a factor of two when it comes to certain tasks. Some features that social network addicts will find very useful include integration with Facebook, Twitter, YouTube, and RSS feeds. There is also a new thing called “What Friends Are Saying,” which is basically going to let you know what your contacts are doing across various platforms.

Download Flock for Windows if you’re into this kind of thing. Mac users, you have to wait a little bit longer for summer to come around.

What’s your biggest Internet time waster?

by 1 Comment

bejeweled-blitz-facebookHi there! Firstly, let me introduce myself. I’m Andy and I’ve been near-addicted to the Internet for 15 years. I met my wife online and I spend a lot of time at both work and play on the net.

You really don’t want to see me when my broadband connection goes down!

Anyway, while I get into the swing of things here at DailyBits, I thought I’d throw out a question to get you all commenting (so I don’t feel like I’m talking to myself.)

What’s your biggest Internet time waster?

What is it that saps time that you could have better spent being productive on or offline?

Is it one of those pesky Facebook apps? Is it Twitter? WoW? Flash games?

I’ll start. My two current time sinks are Bejeweled Blitz and Scrabble, both on Facebook.

Scrabble is easy — I’ve loved the board game since I was a kid, and now I can play against anyone even when there’s no-one locally who wants a game.

Bejeweled Blitz — well I guess the download figures for the Bejeweled empire speak for themselves when it comes to its popularity, but add the ability to play “just one more one minute game” against your Facebook friends and it has the ability to be extremely addictive.

Honestly, I’m trying to kick the habit.

(PS If anyone has found any decent tactics for playing Bejeweled Blitz as well on a trackpad as when using a mouse, do let me know.)

What keeps you online? Share in the comments below.

What is Phishing? An Introduction

by 9 Comments

whatisphishing.jpg

The Internet is a vast world, so vast that it somehow is an existence similar to our real world: IP addresses for home addresses, e-mails for snail mails, even calling-enabled messengers for telephones and mobile phones. But a world is not a complete world without its prevailing crimes, right? If so, which crime is as widespread in the Internet as robbery is to the real world? It’s phishing.

Phishing is an act of illegally acquiring sensitive information, like usernames and passwords, from an unsuspecting user. Like fishing, the word it originated from where you use worms as bait to catch fishes, of course, phishing uses trustworthy websites (usually the online transaction types like e-bay and PayPal), e-mails, and online messengers for bait to catch unaware users and get sensitive information from them. But unlike computer viruses, which attack the computer’s internals, phishing deals a more serious damage in a personal, commonly financial level.

There are numerous ways for malicious Internet connoisseurs to phish out sensitive information. People who depend on Internet-based transactions should be wary of these phishing techniques that we will discuss next.

Link Manipulation

The most common of all phishing techniques in existence is link manipulation which, as the name states, directs your browser to a website different from the original website you are to visit through fiddled links. Link manipulation usually comes in the form of an e-mail message from what you think is your trustworthy website. Let’s look at a scenario that shows how link manipulation works.

You are checking your e-mail account when suddenly you receive a notice telling you to protect your PayPal account. As you click on the e-mail message link, you read through a seemingly original PayPal message, telling you that PayPal administrators have “noticed” that you attempted to log in using a foreign IP address (a clever alibi, I must say). In the middle of the baffling message appears a highlighted sentence telling you to verify your account, followed by the manipulated link. And after that, a frightening message appears: “If you choose to ignore our request, you leave us no choice but to temporarily suspend your account.” That really leaves you no choice but to follow their manipulated link. Since you cannot afford to temporarily lose access to your virtual bank account, you clicked on the link, which opened the website created by the phisher. On the webpage, you are asked to enter your username and password to “log in” to your account. Thinking that you are furthering the security of your PayPal account, you provided the username and password, et voila! The phisher now knows your username and password and can eventually use them for his gain!

Often, such spoof websites have very minute differences from the original so the link can go unnoticed from a careless eye. Phishers use subdomains in order for their spoof link to keep a reference to the spoofed website, without really connecting to it. Also, phishers trick their victims by using deceiving anchor texts, words or phrases that stand for a link in a website. Through it, the spoof website looks legitimate since the anchor texts act as cover for the phishing link. And on a more complicated note, phishers can also use redirectors of Uniform Resource Locators or URLs to hide their phishing links behind trustworthy websites and domains.

What if you installed an anti-phishing filter to detect phony text contents of e-mail messages and web pages? Think you are safe enough? Think again. Phishers have seen through this, and their methods evolved from phony, plain text messages sent via e-mail providers. Filter evasion methods include using other web objects like images to avoid their manipulated links from being detected by filters.

Website Forgery

Phishers can also use fake web pages to phish out information. This method is known as website forgery, which comes in two devilishly wise packages.

The first method of website forgery uses scripting methods to conceal the manipulated link in the web page’s address bar. Commonly, phishers imitate the address bar logos of trustworthy websites and put them beside URLs of their deceiving website. Further, the phisher’s scripts can even close the address bar containing the phisher’s link, replacing it with an address bar containing the genuine URL to obscure the website’s identity.

The second method of website forgery is done through exploitation of a website’s flaws. Cross-site scripting or XSS uses a website’s programming defects to trick an unsuspecting visitor. XSS is a very convincing phishing technique, because what it does is open the authentic website wherein the victim fills up forms for usernames, passwords, and other confidential information. But upon submitting the page, XSS scripts start working, linking you, the persuaded victim, away from the authentic website and into the phisher’s own. Sometimes, the phisher wouldn’t even need their own websites, for their script is enough for the deception to occur. Such phishing attack is difficult to detect just by merely “looking around” the website. Without prior knowledge on scripting and the like, you will never know what hit you, or in this case, you’ll never notice that you got robbed virtually.

This case is turned from bad to worse by the fact that there exist phishing kits, programs with user interfaces that allow reproduction of websites and creation of their fake versions. Such kits are often used by script kiddies—malicious but amateur programmers who cannot develop their own set of wicked programs, using programs that other malicious programmers like hackers developed. Man-in-the-Middle is one example of phishing kits that enables despicable pseudo businessmen to “mediate” between legitimate online businesses and their clients. Man-in-the-Middle channels information from a business website to a fraudulent website and vice versa in order for the amateur phishers behind the crime to communicate with their victims. Through this, the crime perpetrator can easily capture the victim’s confidential information in real-time setting. This technique spreads phishing to the not-so-knowledgeable script kiddies to build a growing network of virtual criminals. Also, the kit was so flexible that it can be customized based on what type of online business the script kiddie criminal wants to target. Further, the fake website can easily interfere through the transactions between the original website and the victim by “importing” from the target website the victim’s sent information, meaning all credentials of the victim can be viewed and acquired by the phisher. Fortunately, the said phishing kit was discovered by the anti-fraud division of an American software and systems manufacturer.

Other Techniques

Internet frauds don’t only involve websites. When you receive an e-mail message telling you to dial a certain number, doubt it immediately (unless you are expecting some transactions from the website, of course). This might be a voice phishing attack. If you dial the number provided by the phisher in the e-mail message, voice prompts will be asking you to press numeric information about your bank account like your account and PIN number. Phishers have arrays of faking techniques to employ to fool users. They can use fake caller ids to give the call a legitimate, trustworthy feel, an IP service that provides voice-overs to communicate with you in real-time setting, and even access on information keyed through a landline phone.

Although there are anti-phishing toolbars that check websites if they are one of the identified spoof websites in an Internet-wide database, phishers have found a way to further conceal their identity from anti-phishing programs which evolved from mere filter evasion. Introducing: the phlashing technique.

Confident that the anti-phishing programs are the ultimate salvation from phishers, users get that false security feeling that they are protected from any kind of phishing attack. Sadly, phishers were able to think outside the box (or the four corners of the webpage window) and learned to use Macromedia Flash animations as means to create their spoof websites. Such knowledge, in essence, defeats the purpose of anti-phishing services “with the phisher’s hands tied behind his back.” Since anti-phishing programs scan only the text contents of a suspicious website, phlashes can just pass the anti-phishers with flying colors.

As the phishing activities evolved, cyber criminals developed their wicked craft even more, anticipating possible reactions from the security militia of the Internet. Phishers even entered the world of compressed files to easily spread chaos among networks of banks and online transactions. Developing a somewhat plug-and-play phishing network using zipped files on hacked networks, web cons enjoy a phishing spree just by unzipping certain files in a subdirectory of an exploited website. Falsely becoming part of the target website, the unzipped spoof files inside the website’s subdirectories will look just as legit as the directories above it.

Social Network Phishing

Although this only comprises a small percentage of phishing activities, social network phishing is just as grave as its ancestors in the sense that it attacks major groups of web users at once through online community websites. In here, a phisher targets a certain social network like MySpace or LiveJournal, planting in those websites some botnets, automatic and autonomous programs run remotely by a hacker. Although there isn’t much money involved in social networks, phishers still consider them their pot of gold as it is very easy for them to spread key loggers, programs that can capture every keystroke of the user. Phishers use such networks in order to hopefully capture a home computer that is often used to shop online or store money via online banks. Further, most of the people in social networks use the same password for any and almost every account they have in the Internet universe, including their e-mail addresses where most confirmation messages for online transactions are stored. That and the fact that key loggers can acquire passwords are enough warnings for amateur people who use the web for transactions. Other typical social networks that phishers target are bulletins, forums, commentary, and profile websites.

There is another form of phishing that attacks big groups instead of just a single person, and that technique is known as spear phishing. In terms of attack deployment, spear phishing somehow resembles the exact opposite of social network phishing because the former uses somebody from the organization to set up the attack, as compared to the latter, which uses a community website to attack individual users.

Spear phishers actually need three things in order to execute an attack to an organization: (1) an identity of somebody within the organization, preferably a person with high authority to make the attack convincing, (2) wide knowledge about the company’s transactions and daily activities to back up the validity of the phish, and (3) a seemingly valid and well-researched reason for requesting confidential data like the PayPal account of one of the company’s departments. If these three are already available to the phisher, then the spear phishing comes to actuality, as described below.

In spear phishing, after finding a website suitable for the attack, the phisher acts as if he is a member of the website’s company with a position of authority. This step utilizes the first of the three requirements to conceal his identity and at the same time, be more convincing when he would be sending requests for confidential information. However, before he creates the fraud e-mails, he has to first look for traces of financial and confidential information, which he can use to further infiltrate the company, supporting the validity of his next move. In that step, he utilizes the second requirement. And lastly, the crime perpetrator then drafts the e-mail message directed to the company, using as reason the third requirement, in order for the phishing to take place.

The typical information that the spear phisher requests in his fraud e-mail message are the same as any kind of phisher would ask: usernames, passwords, account numbers, and the like. But furthering the attack, the spear phisher provides a manipulated link that, once clicked, will download a malicious program into the computer of the victim.

Phishing is as varied as robbing is in the real world. And with the many techniques above, with some even requiring phishers to study and improve the technique, I can’t help but wonder what the driving force for a phisher to phish is. Let’s explore a phisher’s mind in the next section.

A Net Full of Phishes

Everyday, an average of 10 phishing attacks are developed to dupe varying online transactions. However, in this constant increase, the concern of people is more directed to stopping phishers by putting up layers and layers of phishing security programs. Fortunately, I am one of the few people who have heard of the saying: “Prevention is better than cure;” so I decided to learn what goes on inside a phisher’s mind. Upon researching on phishing and trying to figure out how a phisher’s mind thinks, I stumbled upon a website wherein an article they published discussed how it is to be a phisher.

In the earlier years of phishing, a phisher is known to be someone who experienced being phished or had witnessed somebody suffering from the damages of phishing at one point in his earlier life. Given that he or she had ample background of the Internet and its programming styles, then that person can imitate the phishing attack that got him or somebody close to him to do revenge or simply to acquire personal, financial information. But with the dawn of phishing kits, almost anyone can do it, like the novice script kiddies mentioned above.

In the course of a normal phisher’s life, he or she “gains” a multitude of virtual identities, acquired using the techniques we discussed above. Often, they can no longer track all those whom they have phished that they start building databases of phished credentials from their victims.

Phishers don’t stop when they have acquired some identities. Even though they are getting enough money from a good number of victims, phishers still are insatiable that they started resorting to social phishing. Usually, social networks contain e-mail addresses, which are accessed by the phisher once he gets hold of his victims’ passwords through key loggers. Upon looking around the e-mail addresses of his victims, the phisher can then determine how much his gains will be.At times, when the victim is registered to online transaction websites like eBay and Paypal, the phisher sells the accounts to scammers, who will be the ones doing the stealing.

When they start phishing, phishers become very meticulous virtual entities as they try to select the best Internet services to handle their attack elements: a convincing domain and an anonymous, often offshore host to carry out their spoof websites and Internet files and connections. Second, the phisher checks the page source of his target website, studying it to identify where he can place certain codes that will do the phishing for him. Third, he develops the spoof website with care and keenness so as to make it believable. After that, he will include certain scripts that will transfer information from the spoof page to his server using scripting languages for backend of websites. Lastly, he will deploy the spoof web page using any or all the techniques shown above, and wait for the “phished to take their bait.”

Phishers can fool as much as 10,000 people everyday. But to remain hidden from such big crowd, a phisher has to use his own virtual private network, a personally dedicated server, a copious amount of proxies, and encryption of his network signals that travels to and fro.

Finally, the reason why a phisher can still catch a good haul these days is because their adversaries, the good guys of Internet security, are “lazy” that phishers maintain a firm step ahead of them.

That’s pretty much it for the first part of our expedition in the world of phishing. In the second part, we will learn how to stop or avoid malicious phishing activities. Stay tuned!