Monday, November 27, 2006

Why EV SSL And The New Breed Of Anti-phishing Filters Won't Work

By Coenraad De Beer

Microsoft is planning to implement a feature in Internet Explorer 7, which will make the address bar turn green when the user visits a legitimate web site. Sounds good doesn't it? But there is a catch, to make the address bar turn green when people visit your site, you will need to have an EV SSL certificate. The new EV SSL certificate technology will have a negative impact on the small Internet business that cannot always afford such a luxury. Once again it is a case of everyone getting hit over the fingers because Internet authorities can't control the waves of computerised crime raging on the Web.

What is EV SSL? EV SSL stands for Extended Validation Secure Socket Layer. EV SSL certificates act exactly the same as your conventional SSL certificates, the only difference is the fact that the identity of each certificate holder will be verified and each one will be subject to a very strict, ongoing screening process. But this is nothing new, was that not the purpose of normal SSL certificates? Yes it was, but SSL issuers have become lazy and are not always adhering to the best security standards when they issue certificates for web sites. The problem does not lie with the initial issuing of the certificate, but with the lack of control and supervision over the web site thereafter. What certificate issuers are trying to achieve by creating a new type of certificate, is not clear to me. It is not going to solve the problem if you cannot improve your own security standards, in fact, why issue a new type of certificate when you only need to improve your standards and supervising methods? It is hard to believe that this is not only about money.

Developers of browsers like Opera and Konqueror are supporting the idea, while Mozilla, the makers of the very popular Firefox, is evaluating various solutions and looking for one that will suit everyone, not just high profile corporations. Supporters of the new technology use the ever-increasing threat of phishing scams as a reason to justify the importance of EV SSL. They are concealing their intentions with the smokescreen of “protecting” users against phishing attacks. But once again corporations are looking for ways to make money out of a corrupt system. They are not seeking a cure, but a way of making money by only treating the symptoms of the problem. The correct approach is to treat the root of the problem, namely ignorance. Swindlers will always find a way to circumvent anti-phishing filters and EV SSL protection, but it is hard to bypass common sense once the user has grasped the essence of phishing scams. Companies do not make money out of the common sense of witty users, they actually loose money because of them. The vigilance of informed users empower them to identify phishing scams easier without using advanced software or EV SSL protection.

The EV SSL approach is insulting the ethics of the honest small business owner running a decent web site. Law abiding web site owners are treated like criminals and criminals have the chance to break through the new technology to create an opportunity for another set of new SSL certificates, which means more money for certificate issuers. But in the end you are nowhere near the real solution. EV SSL is like having the burglar alarm of your retail shop activated during the day while consumers visit your shop. What is the use of EV SSL when people only browse your site for information? What is the use of encryption if there is no sensitive information to be transferred between the browser and the web site? What is the use of a green address bar if your site never engages in confidential transactions? I do not think software companies will like it when anti-virus companies start to demand that they buy a special signature to sign all their files with, only to have these files classified as safe by the anti-virus scanner. So what is the use of heuristic detection methods if everyone needs a certificate to comply with the safety criteria of an anti-phishing filter? How many people really know how to verify the validity of an SSL certificate?

The main reason why people fall victim to phishing scams is because of ignorance, curiosity, greed and lack of common sense. People blindly believe everything the computer tells them to do. You can make users click where you want them to, you can make users respond to e-mails in the way you want them to, you can make them visit web sites without letting them know what type of web site they will be visiting, you can even make them pay for things they do not really need. You see, people are computer slaves, they simply obey and believe without questioning the purpose of their actions. If the address bar does not turn green, users will simply believe that the site is not safe, or even worse, fraudulent, whether it is true or not. On the other hand, they will put their trust in a system that can always be bypassed, maybe not easily but there is always a possibility. Is a site really safe if the address bar turns green? How sure are you that a site with an EV SSL certificate was not maybe hacked? What if a malicious add-on hijacks your browser, making the address bar turn green for dangerous web sites without you even knowing it? You cannot put your trust in software that is constantly a target for hackers and hijackers. You cannot use artificial solutions for today's breed of computer criminals. Internet users need to stand on their own two feet, they need to be able to identify these threats on their own without counting on vulnerable software and security systems. You do not need to be a rocket scientist to identify a fraudulent site, but large corporations want you to believe that only they can tell you which site is safe and which site is not through their “wonderful” software. What happened to your freedom of choice, do you want a computer to make all the decisions for you?

Most of your common phishing scams start with an e-mail as the bait. No one will visit a phishing site at random, you need something or someone to take the user to that site. Taking this into account you soon realise that it is not the anti-phishing filter of the browser or an EV SSL certificate that is going to solve this problem. For instance, 419 scams can be done completely through e-mail without having the victim visiting a single web site, so no EV SSL certificate or anti-phishing filter is going to prevent a Nigerian 419 scam from succeeding. Spam is the vehicle of all types of scams on the Internet, but at the same time the least controlled problem in the online world. Authorities are aiming at the wrong target. The main purpose of EV SSL certificates is to reward ethical, trustworthy web sites with a status symbol of being safe and secure. But is it ethical to base your reasons for using this technology on the ignorance of people without combating the true root of the problem?

About the Author
Coenraad is webmaster and founder of Cyber Top Cops, leaders in Internet security, prevention of online fraud and educating users against malicious software.

Monday, November 13, 2006

Why Distinguish Between Spyware And Adware?

By Coenraad De Beer

The difference between spyware and adware has been a heavily debated subject and has been the focus point of many laws and court cases. But it is more important to keep in mind that there should not be a distinction between the two. The whole idea behind the term adware was to confuse the general public and create loopholes in laws, conditioning the Internet user to care less about it.

Advertising companies using spyware to market their products came with the idea to create a term for the software they use to infiltrate the systems of Internet users without breaking any laws. But there is more to the name adware than just a clever legal move. Over time the term adware created confusion among Internet users and made it harder to differentiate between spyware and adware. It did not take the Internet community long to adapt to this new term and all over the Web you see people referring to adware instead of spyware. Making people adapt to the term adware was done in a very subtle manner and its main goal was to make people more sympathetic towards the usage of adware. The term spyware is in essence a “bad” word and creates a more vigilant approach among users, an approach these advertising companies do not want. Nobody wants to be spied on, so you will automatically get a negative response from people if you approach them with the term spyware.

The consumer wants advertisements to stay up to date with the latest trends and specials. Many people support advertising and acknowledge its importance to any marketing campaign. When you call it adware, you are giving the consumer what they want, you use this positive psychological state of mind to your advantage and easily infiltrate computers of consumers without offending them or scaring them off. This is in essence misleading advertising, but adware is in the field of computers and you can’t prosecute it through conventional marketing laws alone. Even from the angle of computer laws, you can’t do much about it either, when the law speaks of spyware you can’t prosecute someone using adware.

Developers of adware always use the excuse that they only deliver ads and never spy on people, they only collect information about their online behaviour in order to deliver them targeted ads. Again they conceal their intention through clever word choice. What else do you call it when you collect information about someone’s online behaviour without his/her consent? You spy on people and that makes it spyware, the fact that the collected information is used to deliver targeted ads is besides the point. Sometimes people use the argument that adware is not bad when it discloses these information collection activities to the user. Is it disclosure when you hide it in a huge Terms of Use document? All of us know that the Terms of Use is never read and most users simply scroll to the end and click on the proceed button. Creators of adware rely on this behaviour. And when the program explicitly discloses program activity through a compulsory window that can’t be bypassed, is it still bad? Most novice users don’t understand this disclosure and don’t realise the implications of information collection and targeted ads. In the end they are annoyed by the endless advertisements populating their screen and can’t understand where they come from. If they are annoyed by these ads, it is clear that they would not have allowed the software to be installed if they understood the disclosure made by the program. You can’t justify your acts if you rely on the ignorance of users.

It is spyware when the “adware” invade programs like your web browser, e-mail reader or any other program on your system through the use of some kind of memory consuming toolbar, add-on or modification, whether you know about it or not. If they want to deliver ads, they should do it through their own program, within a single window, without collecting information about the user, without throwing ads in your face every five minutes or adding useless memory hogs in your Windows Startup. They can base their ads on the software the consumer is using, but only software developed by their organisation.

Lavasoft made a clever choice for the name of their anti-spyware software. The name Ad-Aware removes any confusion there may be. Be aware of ads, they are not as harmless as they seem. The software is developed to remove spyware, whether you call it spyware or not. If a hawker wakes you up every morning before sunrise to offer you his products, but a hawker must be called a consumer agent, does that make it less annoying or justify the invasion of your privacy?

About the Author
Coenraad is webmaster and founder of Cyber Top Cops, leaders in Internet security, prevention of online fraud and educating users against malicious software. Also visit our Anti-Adware Section for supplementary information on this topic.

Saturday, November 04, 2006

The Dangers Of Chain Letters And Petition Lists

The Dangers Of Chain Letters And Petition Lists
By Coenraad De Beer

Have you ever thought about the purpose of chain letters? Do you think petition lists ever promote the specific cause they were created for? Very few people ask themselves these questions when they receive chain letters and petition list spam, simply because they act like mindless zombies when it comes to responding to these e-mails. Instead of ignoring them, they follow each instruction within these e-mails down to the very last bit of detail. Have people forgot to question the purpose of their actions or are they deliberately exposing themselves to the dangers of these unsolicited e-mails?

I think chain letters and petition lists are nothing new to the e-mail user of today. At some stage in your computerised life you will run across an e-mail requesting you to either support some cause or to mindlessly forward it to all your contacts. People have become slaves of spam and spammers are enjoying it every step of the way. Very few understand the dangers of chain letters and petition lists. They are the fuel for spam, scams, identity theft and online fraud. They are the mechanisms that cause your inbox to be polluted with buckets of unsolicited bulk e-mails and attempts to rob you from all your hard earned cash. The ever-increasing problem of spam is our own fault, because we continue to support useless, unwanted e-mails that simply eat up bandwidth and delay servers everywhere.

But how exactly can a harmless e-mail pose any dangers to my online security? It is ignorant questions like these that help spam achieve their goals. What people don’t realise is the fact that every time you take part in a chain letter you supply your e-mail address to hundreds of other e-mail users out there. Chances are good that this chain letter will land in the mailbox of a greedy spammer. The tragedy of chain letters is the fact that e-mail addresses of innocent people are sent all over the globe. This is the case when someone sends an e-mail for instance to six people, the first three recipients ignore it and the other three forward it to all their contacts. The e-mail addresses of the first three recipients are distributed along the chain without their consent, permission or even having a say against their inclusion in the mailing list. Your e-mail address becomes yet another dumping zone for endless junk e-mails. But it doesn’t stop at simple advertising e-mails for fake Rolex watches and stock market quotes. You get bombarded with continuous ‘phishing’ scams, viruses and hoaxes. Petition lists normally require the user to supply a name followed by an e-mail address and sometimes a telephone number and the city you live in. A petition list is a handy tool in the hands of a spamming swindler. You can supply more targeted and credible scam e-mails by addressing the e-mail to a specific person. This can create a false sense of security among the recipient of the e-mail and the chances of walking into a trap is much greater than in the case of your conventional impersonal scam e-mails.

I can hear thousands of people screaming that petition lists are for good causes, causes that really exist. Do all of them really exist? So many people respond to petition lists because they appear to be for valid causes. What do you know about the person you need to reply to for every 150th or 300th entry on the list? How sure are you that this person is not simply harvesting e-mail addresses for spamming purposes? And even if it is for a good cause that really exists, how do you know whether this person is not exploiting the circumstances? I have seen e-mails (even faxes and normal letters) circulating in South Africa where people send their names and banking details all over the world in search of riches. I have seen people blindly respond to lottery scams with the hopes that they will win something. How can you win a lottery if you never entered one, how can you receive e-mails from Barclays bank if you are not a client of them, how can you receive an order confirmation from Amazon if you never ordered from them and how can you be alerted about suspicious activity on eBay if you are not even a member? If it is not mindless ignorance it is greediness that cause people to step with open eyes into a trap, ignoring every warning light flashing in their faces.

The more information you supply when taking part in petition lists or chain letter scams, the easier you make it for swindlers to steal your identity, hack your accounts or turn your computer into a spamming zombie. Next time when you receive a chain letter or petition list, think about the consequences before taking part in the chain

About the Author
Coenraad is webmaster and founder of Cyber Top Cops, leaders in Internet security, prevention of online fraud and educating users against malicious software. For examples of chain letters and scams visit our Hoaxes and Scams section.