
Wednesday, April 28, 2010

Digital shredding

Everyone who runs a business, and anyone who cares about their confidential documents, makes sure to shred paper documents once they are no longer needed. Shredding old bank documents, telephone bills and the like is common practice, and undoubtedly necessary.

In this revolutionary digital world, we should also recognize the bigger danger we face. Many do not know or realize that deleting a file from a computer does not really delete the file's contents. Depending on the size of the file, the fragmentation of the physical storage, the amount of free space left, the number of files written to the disk afterwards (and so on), a portion or even the whole of the file may never get overwritten at all, which makes recovering it easy. The odds of recovery are higher on magnetic disks (unfortunately, still the typical HDD medium); recovery seems to have a (fairly) non-zero success rate even on an overwritten file. This is why digital shredders write various distinct patterns over the file again and again, to put it completely beyond recovery.

To give just one example, it is common practice to jot usernames and passwords into a file on the desktop temporarily and delete it after use; well, it isn't over then. It is a bitter truth that someone who gets hold of your hard disk today can retrieve quite a lot of "deleted" confidential data. The odds of losing a disk are pretty high when it is a laptop or a portable hard drive, and these devices aren't uncommon anyway.

There are plenty of free file shredders to choose from. Most of them add an option to Explorer's right-click menu for a file, so they are easy to use. You can even choose the shredding algorithm based on the size of the file and how confidential it is; the stronger the algorithm, the slower the shredding. I use this File Shredder, but that's just one among many.

In the digital world the risk is that when damage occurs, it happens faster than we can react. If you plan to shred your files only when you sense danger, you will most likely fail to do so in time. It is a better idea to shred (instead of just deleting) files as soon as you are done with them. It should become a habit, so that we leave a smaller footprint of confidential information overall.

But beware: you can't ever recover a file that you accidentally shred! Everything comes at a price, ain't it?
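The overwrite-then-unlink idea described above, as an added example that is not code from the post or from the File Shredder tool it mentions. It overwrites the file in place with a zero pass, a ones pass and a random pass (the pass list is an assumption for this example), syncs each pass to disk, truncates, renames the file to a random name so the old filename leaves the directory entry, and only then unlinks it. Plain `os.remove` does none of that, which is the point the post makes.

```python
import os
import secrets
import tempfile

# Pass list is an assumption for this example: zeros, ones, then random bytes.
PASSES = (b"\x00", b"\xff", None)  # None = cryptographically random bytes
CHUNK = 64 * 1024


def overwrite_file(path, passes=PASSES):
    """Overwrite the contents of `path` in place once per pattern.
    Returns the number of passes written. Refuses symlinks and non-regular files."""
    if os.path.islink(path) or not os.path.isfile(path):
        raise ValueError(f"refusing to shred non-regular file: {path}")
    size = os.path.getsize(path)
    done = 0
    # "r+b" keeps the same inode, so the writes land on the file's own blocks
    # (see the caveat on journaling filesystems and SSDs in the usage note).
    with open(path, "r+b", buffering=0) as fh:
        for pattern in passes:
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                buf = secrets.token_bytes(n) if pattern is None else pattern * n
                remaining -= fh.write(buf)  # raw I/O may write less than n
            fh.flush()
            os.fsync(fh.fileno())  # push this pass to disk before the next one
            done += 1
    return done


def shred(path, passes=PASSES):
    """Overwrite, truncate, rename to a random name, then unlink.
    Returns (passes_written, bytes_overwritten)."""
    size = os.path.getsize(path)
    written = overwrite_file(path, passes)
    with open(path, "r+b") as fh:
        fh.truncate(0)  # the original length is gone from the metadata too
    anon = os.path.join(os.path.dirname(path) or ".", secrets.token_hex(8))
    os.replace(path, anon)  # the old filename no longer sits in the directory
    os.remove(anon)
    return written, size


def demo():
    """Create a constructed 'password note' in a temp dir, shred it, and report
    ((passes, bytes), file_still_exists)."""
    note = os.path.join(tempfile.mkdtemp(), "passwords.txt")
    with open(note, "wb") as fh:
        fh.write(b"user=alice\npass=correct horse battery staple\n")  # constructed sample
    result = shred(note)
    return result, os.path.exists(note)


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner should keep in mind: on a journaling or copy-on-write filesystem, and on an SSD with wear levelling, an in-place overwrite is not guaranteed to hit the same physical blocks the old data occupied, so whole-device encryption or a device-level secure erase is the reliable answer there; and, exactly as the post warns, once `shred()` returns there is nothing left to recover.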

Wednesday, January 13, 2010

Privacy is more and more a concern

I was really taken aback when I read the news this week that the Facebook CEO says "privacy is no longer a concern" and that "sharing information online is the new social norm"! I'm shocked, and I'm not sure if he really thought of anything more than running his own business successfully. I think the reality is "social networking is the new norm, and privacy is becoming more and more of a concern. Facebook/Orkut should ensure the privacy of the information".

That said, I do not underestimate the complexity of the problem they have on their hands. It is not as easy as it sounds (if it sounds easy at all). Building literacy about the privacy of confidential information, the ways data leaks, and the do's and don'ts is more than difficult in reality. The fundamental problem, as I said earlier in one of my posts, is that the users are mostly ordinary people. No one can blame them; there are many such cases in real life. I still drive my car without knowing how a common-rail diesel engine (CRDI) works, but there I never had to, and never have to. Hmm, that's not the case with the Internet.

I see so many issues around, with more and more social networking platforms coming up with more and more vulnerabilities. Sure, the social networking sites provide a means to collaborate and share info; but how many of us ensure that the info we share reaches "only" the people we intend to share it with? And that's where the problem is. There is so much private info shared all over these sites that I bet you can unlock the mailbox of one (out of, say, 200) of your friends using the 'forgot password' feature just by visiting their profile. We can't blame the email providers: if they went any stricter than this, the actual user wouldn't remember the answers either when recovering his own password! Still, the email providers are forced to come up with more and more security options. If this is the case with a mailbox, imagine banking!! omg! Don't be surprised if you are asked a security question like 'who is the best friend of your father-in-law's second sister's husband?' ;)

People are so happy to have more and more online friends. The "count" is all that counts. What they don't think about is that people they don't know will be treated the same as their best friends when it comes to sharing info. Sure, the websites offer granularity and options to group friends and control the privacy settings. But how many know about them or use them? Not many. Apparently, the ones who consciously handle the privacy settings are the ones who share the least already! And none of this happens consecutively, so that someone would remember. I might add 5 friends this week and end up sharing a piece of confidential information 6 months later. I may not remember that I had those purely "online" (and possibly virtual) friends, but they now have the info that I don't want them to know. In spite of the websites (like Facebook/Orkut) warning the users, it is difficult to enforce this. Users are mostly in a hurry to share and go read what others have shared. At some point, the users only look for an easy way to get rid of that popup and get back to business, unfortunately defeating the whole idea of those warnings!! But that's reality. Sometimes I feel really odd when I see the privacy setting for 'friends of friends'; this doesn't make sense to me at all. Even if you are extra careful about sharing info, this setting might just screw up the entire deal. To me, a friend of my friend should belong to 'Everyone'. In security, one should consider the worst case as the default.

I've read, and also realized, that there is a lot of encroachment happening on the privacy of individuals without their knowing about it. It seems there is a concept catching on called 'virtual friends', wherein bots (computer programs) try to create friendships with unknown people. There was also a study saying that many people have a tendency to accept unknown online friends. I can tell you that recently the number of friend requests I get on both Orkut and Facebook has increased, and believe me, I don't know most of them. With more and more real people having funny names on their profiles, it is obviously getting easier for bots to deceive us. I might have rejected some real friend requests because they sounded abnormal. Maybe someone (or many) somewhere is preparing the ground; silently gathering info; or waiting to.

And someone out there says privacy is no longer a concern!! hmmm...

Wednesday, August 12, 2009

Dangerous Windows Explorer options

If you are a Windows user, and in Windows Explorer you do not have file extensions visible (option: 'Hide file extensions for known types') and also have the habit of viewing files in any mode other than 'details' (Thumbnails, Tiles, Icons, List), then you definitely need to be aware of this vulnerability waiting for you.

Last week, I plugged one of my pen drives into my friend's computer and noticed that there was an extra folder (named 'New Folder'). I was sure I didn't create it, but I was curious as to how it got there. The obvious reaction was to click on the folder to see what files it had. I clicked on it, but nothing happened; the folder didn't open. This is when I realized the possible trap.

After analysing, it turned out that my friend's computer was already infected with a virus, and I guess the virus automatically copies itself to any removable media attached to the computer. It spreads itself onto removable drives and creates an autorun.inf to get control on the next computer where the pen drive is inserted (as explained in my earlier post). While that explains why the 'New Folder' was created, it was still unclear what was inside it. Later, I figured out that Windows Explorer was configured (by default) not to show file extensions, and that the view mode was also Tiles mode, so some otherwise-apparent things had gone missing, and before we could realize it, the damage was done. It turned out that the 'New Folder' was not a folder/directory at all, but an application with its icon set exactly the same as the normal Windows folder icon. See it for yourself.



In this scenario, MyFolder is an application, while MyFolder2 is a real folder. Can you spot any difference? Absolutely not. An immediate reaction for anyone would be to open the new folder, but they would end up executing the application! This is a real danger.

Then I disabled 'Hide extensions for known file types' and changed the view to Details mode; now you should spot the difference:



The application in the picture was created by me on my dev setup for testing; it is totally harmless. Apparently, when any application has its icon set to the same as the Windows folder icon, McAfee jumps in and tags it as a 'W32/Generic.worm.b' virus. Even my test application was caught promptly; not bad.

So please be aware of this, and think twice before clicking on anything from a removable drive (even if it looks like a folder). If the computer was not infected earlier, all it takes is one click to get infected (and, as I mentioned in my previous post, do not let autorun kick in whenever you insert a removable drive). It is good practice to show extensions all the time (unfortunately, Windows Explorer hides them by default :( ). The other good practice is to create 'system restore points' regularly, so you can get back to a clean state if required (this will not be 100% effective in all cases).

Wednesday, August 05, 2009

Spam or not?

Whenever I receive any "interesting" spam, I have the habit of investigating, tracking down the sender and trying to analyze the sender's motivation. This email caught my attention in the same way.

See the email for yourself.



Yes, that is all it had. My initial reaction was that the sender was an amateur hacker who didn't know how to make the mail look legitimate -- but not for long, as I discovered that this email was totally legitimate and was indeed sent by Standard Chartered Bank, SCB (unless!! read the epilogue of this post).

Ok, let's go through the email. The email is poorly formatted (maybe spam?). The only useful content is the 'Click here' link, and it points to something like http://pop4.mailserv.in/sc/lt.php?id= eh8IBgAGA19XRAwETAA6XweWkKK (more and more like spam). I clicked on this link and was taken to a page that looked exactly like SCB's site; it didn't take me long to figure out that the page was actually the real SCB internet banking login page, and not a fake one!! I verified the SSL certificates and they are valid, trusted and belong to SCB (thanks also to the further confirmation from Firefox, which said I had visited this site more than 100 times before -- 100 is just an illustration, don't try to guess anything). At this point, I had no answer. If that was spam, why would I be redirected to the bank's page; and if it was not spam, why would a bank send such a suspicious email and redirect to a login page through a third-party link??!!! Instead of speculating, I thought I would analyze the technical aspects of this email first.

Given that the link didn't point directly to the bank's site (but to mailserv.in), I first verified whether sc.com (see the from address of the email) belongs to SCB. It turned out that sc.com is legitimate and registered to SCB's head office in Hong Kong. Now that sc.com was known to be valid, I checked the email headers to see if the email was indeed sent from the 'sc.com' domain. The email had come from an MX at cleanmail.in, and the return path points to sc.mailserv.in. Now it makes sense why the link was pointing back to mailserv.in. At this moment, I thought it was spam originating from mailserv.in. But when I dug out more details, I was shocked: mailserv.in belongs to a legitimate email service provider registered in Mumbai. When I went through their customer list, I started to believe that this email was legitimate -- all of its customers are well-known institutions in India, including a handful of banks (interestingly, SCB is not listed as one of them). But a customer list of this grade made me believe that an email from mailserv.in would not be spam.

One last thing I still wanted was to take a look at how the redirection from pop4.mailserv.in to SCB's internet banking site happens, just to make sure there was no injection of any XSS stuff. I did a wget on the given URL; pop4.mailserv.in just returns an HTTP 302 (Moved Temporarily) and redirects to SCB's legitimate page. This was a clean redirection, which settles the last question: the sender has no "hacking" benefit out of this.

After all this, I finally believed that this mail was legitimate and not spam. I am really depressed by the security implications of such an email. If a legitimate institution can send a spam-like email, why wouldn't it be easy for a spammer to send a legitimate-looking email and deceive the user??!!

I still "wish" this to be spam (I just can't believe a bank would do this!!). If it was spam, the only benefit for the sender that I can "speculate" about is this: maybe the sender is tracking the number of users who actually click on this link and navigate. Maybe the sender would send a number of such legitimate messages, and then suddenly a phishing email, so the user doesn't notice the difference and gets trapped. I can't think of anything else.

Any other thoughts?

If you enjoyed reading this analysis, you might also be interested in my analysis of another interesting spam I received.

Disclaimer: I've no confirmation from SCB that this is a legitimate email. So it could still be spam. Use your own judgement and decide for yourself.

Monday, April 27, 2009

Remote surveillance on your mobile phone

I assume that you have read my previous post on 'streaming webcam using VLC' that describes how to use VLC to stream your webcam's video over the network.

This opens up a new and simple means of surveillance. The idea becomes more interesting and useful depending on the network we choose and where the video is viewed from. To me, if I were to view the video from some other computer, the usability decreases a lot -- unless you are streaming video from home and want to keep an eye on it from your office computer over the Internet; yes, but there are cheaper and better ways to do the same.

I was keen to try surveillance on a mobile phone and was pretty fascinated when I could do it. It is really awesome to watch a place in real time from a remote location, and that too wirelessly on a mobile. Now that we know how to stream the video over a network, the only missing link is to establish a network between your mobile phone and your computer.

There are multiple ways to do it:

1. Bluetooth PAN (Personal Area Network): This is the simplest and cheapest, and comes at no running cost. Modern Bluetooth devices provide up to 100 m of range, but remember that you might have to check your phone's capability as well. I would NOT prefer this, as it tends to disconnect and there is no easy way to reconnect remotely. But it works. I sometimes use it to keep an eye on my office cube (for no reason :) ) when I'm just around it.

2. Internet: This is cheap to establish but has a running cost (especially the data charges on the mobile side, which are usually hefty). Given that we are aiming to transfer video (at least QVGA), the bandwidth usage will cost a lot of money; the speed of the network might also be an issue (although a high-speed EDGE service on the mobile side might be enough). However, this gives the maximum possible range of surveillance: literally, from anywhere in the world.

3. Wi-Fi: This option is similar to option 1, but much more reliable than a Bluetooth PAN. Automatic recovery from signal failures is a plus. I prefer this the most, because my office is fully equipped with Wi-Fi. In fact, our other offices (including the ones overseas) are all interconnected, so I can really watch my cube (where I broadcast) from my mobile, wirelessly, from any of our offices. It's really cool (at least for the first few times). Wi-Fi drains the battery much faster than Bluetooth (as of this writing) though, so it may not be suitable for continuous surveillance.

4. Combination: A combination of these options can also be used. E.g., I can choose the Internet (broadband) on the broadcasting side, and use Wi-Fi (maybe in the office?) on the mobile side.

How to view on the mobile:

I'm only going to talk about Windows Mobile here (although I believe the same software is available for Symbian phones too). All you need is a video player that supports streaming video. Based on the platform you have, you can find one. Note that you need a player that supports the protocol and codec you used while streaming.

For Windows Mobile, users can choose the free TCPMP (The Core Pocket Media Player) or the professional edition of the same, called CorePlayer. I personally believe that CorePlayer is the best for playing streaming video.

Monday, March 02, 2009

An interesting spam and analysis

I noticed an interesting spam mail in my mailbox recently. Unlike other spam, this mail had a different intent (read on to find out). No product marketing, no wealth transfer, no phishing intention. The only justification I can think of was to get in touch, build a friendship and then collect the necessary info. Anyway, here is the mail (as-is):

======================================================
Hello Dear,

how are you today I hope that every things is ok with you as it is my great pleassure to contact you in having communication with you starting from today, please i wish you will have the desire with me so that we can get to know each other better and see what happened in future.

I will be very happy if you can write me through this mail for easiest communication and to know all about each other, and also give you my pictures and details about me, i will be waiting to hear from you as i wish you all the best for your day.

your new friend.
Miss. Aminata.
======================================================

I was curious to figure out whether this might possibly be spam from one of my friends. I wanted to take it further and reply if I had suspected any of my friends of this, but unfortunately it was not. The mail's SMTP header was as follows:

From Aminata Sankoh Thu Feb 26 15:47:48 2009
Return-Path:
Authentication-Results: mta209.mail.re4.yahoo.com from=yahoo.co.th; domainkeys=pass (ok); from=yahoo.co.th; dkim=neutral (no sig)
== strip little ==
Received: from [124.108.114.83] by t2.bullet.mail.sg1.yahoo.com with NNFMP; 27 Feb 2009 01:34:30 -0000
Received: from [127.0.0.1] by omp103.mail.sg1.yahoo.com with NNFMP; 27 Feb 2009 01:34:30 -0000
Received: (qmail 47623 invoked by uid 60001); 26 Feb 2009 23:47:48 -0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
s=s1024; d=yahoo.co.th;
h=Received:Date:From:Reply-To:Subject:To:MIME-Version:Content-Type:Content-Transfer-Encoding:Message-ID;
b=6DW+LjgIGtkj1fBUv41AyHZOGKeVZljOv8/lXgJLCNujOTjsjqX+R3yacDOW9Q080JdDCUuW+yBnhwnbUEpBFmILXgS2JDP6H4lVIqtCcuZ9WOgVok/2lLLwQ3ZP585/JAanJUjrOGzEBoeo8biUWzqLKHqNht4rlW7Lks12pOw=;
Received: from [41.208.161.138] by web76716.mail.sg1.yahoo.com via HTTP; Fri, 27 Feb 2009 06:47:48 ICT
Date: Fri, 27 Feb 2009 06:47:48 +0700 (ICT)
From: Aminata Sankoh
Reply-To: amina_luv8@yahoo.com
Subject: Hello Dear
To: aminsankoh@yahoo.co.th
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="0-1397759359-1235692068=:47230"
Content-Transfer-Encoding: 8bit
Message-ID: <445714.47230.qm@web76716.mail.sg1.yahoo.com>
Content-Length: 2417

== end-of-headers ==

There are a few interesting things to be noticed:
  • Server authentication through DomainKeys passed. So this email was sent by the given email address at yahoo.co.th. That makes it easier to track further.
  • This email was sent from the IP address 41.208.161.138. A simple search shows that this IP address belongs to Senegal in Africa -- oh ok, that throws my friends out of the list.
  • The email is addressed to the sender's own address, and the bunch of people targeted are probably all in BCC.
A few things which aren't clearly justified:
  • The relevant Yahoo webserver (web76716.mail.sg1.yahoo.com) seems to be located geographically in Singapore. Possibly because the Yahoo mail domain was co.th (not sure if Yahoo has a separate server for Thailand; maybe it wasn't available at the time the Yahoo account was created - never mind). Maybe the user from Africa wanted to pretend to be in Thailand.
  • The Reply-To address points to another email id in the yahoo.com domain. Maybe she/he sends multiple emails from different email accounts and wants to easily catch hold of the bakara(s) who reply, by diverting all the replies to one mailbox -- so just check one mailbox for replies?? Possible.
Obviously I chose not to reply. Just beware of such mails.
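The header checks the post walks through by hand (originating IP from the Received chain, DomainKeys result, Reply-To diverted to a different domain, mail addressed to the sender itself), as an added example that is not code from the post. The sample headers are constructed from the ones quoted above; the From and Return-Path addresses are assumptions, since the post shows only the display name and an empty Return-Path. The same function applies to the SCB mail analysed earlier on this page, where the point was that the return path and relay hosts (mailserv.in, cleanmail.in) did not match the From domain (sc.com).

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample based on the headers quoted in the post (addresses assumed).
RAW_HEADERS = """\
Return-Path: <aminsankoh@yahoo.co.th>
Authentication-Results: mta209.mail.re4.yahoo.com from=yahoo.co.th; domainkeys=pass (ok); from=yahoo.co.th; dkim=neutral (no sig)
Received: from [124.108.114.83] by t2.bullet.mail.sg1.yahoo.com with NNFMP; 27 Feb 2009 01:34:30 -0000
Received: from [127.0.0.1] by omp103.mail.sg1.yahoo.com with NNFMP; 27 Feb 2009 01:34:30 -0000
Received: (qmail 47623 invoked by uid 60001); 26 Feb 2009 23:47:48 -0000
Received: from [41.208.161.138] by web76716.mail.sg1.yahoo.com via HTTP; Fri, 27 Feb 2009 06:47:48 ICT
Date: Fri, 27 Feb 2009 06:47:48 +0700 (ICT)
From: Aminata Sankoh <aminsankoh@yahoo.co.th>
Reply-To: amina_luv8@yahoo.com
Subject: Hello Dear
To: aminsankoh@yahoo.co.th
Message-ID: <445714.47230.qm@web76716.mail.sg1.yahoo.com>

"""

RECEIVED_FROM_IP = re.compile(r"from\s+\[?(\d{1,3}(?:\.\d{1,3}){3})")


def received_ips(msg):
    """Public IPv4 addresses named in 'Received: from ...' headers, in header
    order (newest hop first, so the last entry is the oldest, originating hop)."""
    ips = []
    for hdr in msg.get_all("Received", []):
        m = RECEIVED_FROM_IP.search(hdr)
        if not m:
            continue  # e.g. "(qmail ... invoked by uid ...)" has no source host
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue
        if ip.is_global:  # drops 127.0.0.1 and RFC 1918 internal hops
            ips.append(str(ip))
    return ips


def domain_of(header_value):
    """Domain part of the first address in a header value, lower-cased."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def analyze(raw):
    msg = message_from_string(raw)
    hops = received_ips(msg)
    auth = msg.get("Authentication-Results", "")
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    from_dom = from_addr.rpartition("@")[2]
    reply_dom = domain_of(msg["Reply-To"]) if msg.get("Reply-To") else from_dom
    rp_dom = domain_of(msg["Return-Path"]) if msg.get("Return-Path") else from_dom
    to_addrs = {parseaddr(a)[1].lower() for a in msg.get_all("To", [])}
    return {
        "origin_ip": hops[-1] if hops else None,
        "hops": hops,
        "domainkeys_pass": "domainkeys=pass" in auth,
        "reply_to_diverted": reply_dom != from_dom,
        "return_path_mismatch": rp_dom != from_dom,
        "self_addressed": from_addr in to_addrs,
    }


if __name__ == "__main__":
    for k, v in analyze(RAW_HEADERS).items():
        print(f"{k}: {v}")
```

Only the Received lines added by your own mail servers are trustworthy; everything below them was written by the sender's side and can be forged, so the "origin" this reports is the earliest hop the headers claim, not a proven one. The DomainKeys result is likewise only meaningful when it was produced by your own receiving MTA.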

Saturday, February 07, 2009

Inside an infected laptop

A non-techy friend of mine bought a laptop 2 months back. As he didn't know how to install the OS and software etc., I installed all the required software for him. Just after 2 months, last week, he complained that "nothing" works. He said that the computer was saying 'you are at risk', 'your system lacks security', 'Winamp is not playing', etc. He was even worried that the speaker had blown. I got the laptop back from him to set it right.

As I am not a service engineer (who would have formatted the laptop right away and installed everything fresh), I wanted to discover each and every part of the problem before restoring the laptop. I wanted some real-time experience on an infected machine. It was actually funny to see each trojan's and worm's behavior.

The laptop boots and the desktop starts to come up. There is no welcome sound: the sound card driver has gone for a toss. The (fake) Windows Security Center pops up saying 'Your computer is not running an anti-virus and might be at risk'. Then I get a popup saying 'your computer is infected, do you want to scan for viruses?'. The program calls itself 'Internet Antivirus Pro' and presumes the user is an idiot. Without the user's permission it starts scanning the computer (yes, every time the user logs in). The funny part is that the software doesn't bother to read the files at all while scanning. It was clear from the hard-disk usage that no files were read. The software managed to "scan" thousands of files in less than a minute. One smart thing it did to make the user believe it was to really pick up some files from the user's Documents and Settings folder, so it looks as though they were real scans. When you know what it is doing, it is just funny; but if you are a non-techy user, it is no surprise that you would panic. At the end, the software asks 'do you want to clean these viruses?'. If you say yes, it takes you directly to a payment site and you will be billed for nothing. Uhh!!

As I was looking at the billing page for any identity, I could see Internet Explorer's title bar saying "Internet Explorer -- hacked by xyz" (I don't remember the exact name). Aha! The next one. Knowing that it is possible to change IE's title bar in the registry, I searched for scripts containing the appropriate registry key path (maybe not, I don't want to publish the path here) and hurray! I managed to get hold of the script. Thankfully it was a script and not a binary. The script had successfully managed to propagate itself to all the drives and into the \WINDOWS folder. The script spreads itself through autorun.inf in Windows (autorun.inf seems to create more problems than it solves). Whenever you double-click on a drive, the autorun.inf (if any) in that drive's root folder gets executed. This is the heart of this worm. It copies itself to all other drives, especially looking for any flash disks connected to the computer, and replicates. In addition, this script registers itself with Windows to get executed on startup. So any time you start the computer with a removable drive attached, it gets infected too. This worm was later identified as 'VBS:Solow-L (worm)' by avast!.

The last one is the sound card issue. I believe this was also caused by the IAPro worm discussed above. A close look at Device Manager revealed that the sound card was driven by a device driver which was not digitally signed by anyone, and whose publisher name said "unknown". The driver was smart enough to claim that it supports the sound card's device instance id, so that Windows loads this same driver every time, even if I uninstall/reinstall the hardware or disable/enable the sound card. I had to roll back to the earlier driver to make it work.

There was no other visible sign on the laptop that needed to be addressed, although there were many other resident viruses/worms. I just installed avast! and it found 20+ viruses spread across around 520 files. It doesn't surprise me now that a laptop got infected with so many viruses in such a short time. I think with a little promising note, any website can make an average non-techy user install their software and take control of their machine. Even a simple popup in the browser stating 'Your computer is infected, do you want to scan for viruses' might do the trick. No wonder phishing has become so easy and common. Lack of fundamental exposure is the issue here, but the users cannot be so easily blamed for their ignorance. After all, this isn't their cup of tea. Hmm, the computer is a complicated device to understand, but a life without it is becoming impossible in this modern era. Using a computer with no understanding is starting to be dangerous when connected to the Internet!!

Whatever it is, I enjoyed the exercise :)
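A scanner for the two removable-drive tricks this page describes, the autorun.inf that names a program to run when the drive is opened (this post) and the executable that passes for a folder when Explorer hides extensions (the 'Dangerous Windows Explorer options' post above), as an added example that is not code from either post. It parses the `[autorun]` section for `open=`, `shellexecute=` and `shell\...\command=` entries and lists every executable on the drive, marking those referenced by autorun.inf and those whose stem matches a sibling folder name or a generic "New Folder" name. The extension list and the demo drive layout are constructed for the example.

```python
import os
import tempfile

# Extensions Windows runs on a double-click; an assumption for this example,
# not an exhaustive list.
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}


def parse_autorun(path):
    """Return the program targets named in the [autorun] section of an autorun.inf."""
    targets, in_section = [], False
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        for line in fh:
            line = line.strip()
            if not line or line.startswith(";"):
                continue
            if line.startswith("["):
                in_section = line.lower() == "[autorun]"  # section names are case-insensitive
                continue
            if in_section and "=" in line:
                key, _, value = line.partition("=")
                key = key.strip().lower()
                # open=, shellexecute= and shell\<verb>\command= all name a program
                if key in ("open", "shellexecute") or key.endswith("\\command"):
                    targets.append(value.strip().strip('"'))
    return targets


def scan_drive_root(root):
    """Walk a mounted removable drive and report autorun targets plus every
    executable, flagging the ones that could pass for a folder."""
    report = {"autorun_targets": [], "executables": []}
    inf = os.path.join(root, "autorun.inf")
    if os.path.isfile(inf):
        report["autorun_targets"] = parse_autorun(inf)
    target_names = {os.path.basename(t).lower() for t in report["autorun_targets"]}
    for dirpath, dirnames, filenames in os.walk(root):
        sibling_dirs = {d.lower() for d in dirnames}
        for name in filenames:
            stem, ext = os.path.splitext(name)
            if ext.lower() not in EXECUTABLE_EXT:
                continue
            report["executables"].append({
                "path": os.path.relpath(os.path.join(dirpath, name), root),
                "referenced_by_autorun": name.lower() in target_names,
                # an executable named like a folder next to it, or "New Folder",
                # is the disguise the Explorer post describes
                "folder_like_name": stem.lower() in sibling_dirs
                                    or stem.lower().startswith("new folder"),
            })
    return report


def demo():
    """Build a constructed drive layout in a temp dir and scan it."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "MyFolder2"))
    os.makedirs(os.path.join(root, "photos"))
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write("[autorun]\nopen=New Folder.exe\n"
                 "shell\\open\\command=New Folder.exe\nicon=New Folder.exe\n")
    for name in ("New Folder.exe", "MyFolder2.exe"):  # zero-byte stand-ins
        open(os.path.join(root, name), "wb").close()
    open(os.path.join(root, "photos", "trip.jpg"), "wb").close()
    return scan_drive_root(root)


if __name__ == "__main__":
    print(demo())
```

Run it against the mount point of a freshly inserted drive (with autorun disabled, as the post advises) before opening anything on it; the `icon=` entry is deliberately not treated as a target, since it names a resource rather than something that runs.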

Monday, January 05, 2009

Botnets -- a dangerous threat

Botnet is short for 'network of robots'. In this context, a robot (or bot) is really a computer program. In theory, a bot is not always malicious: bots are computer programs meant to perform an automated task without any need for user interaction. But they have become a real security threat these days. A maliciously coded bot distributes itself all over the network and tries to do damage.

End-user computers might be highly vulnerable to viruses and malware due to the ignorance or laziness of the users. Most servers, however, are very well protected from such vulnerabilities by qualified admins. But any server is still vulnerable to Denial of Service (DoS) attacks. Distributed DoS in particular is an almost impossible problem to solve, depending on the level of distribution; IP blacklisting is impractical against DDoS. This is the weakness that botnets mostly exploit: they simply bombard the server with requests until it goes down or becomes so slow that it's as good as dead.

The most worrisome part of botnets is that they are spread all over before they begin the damage. Even your computer and mine might be part of one or more botnets without our knowing about it. Bots are difficult to identify as they mostly do not harm the infected computer; after all, that is not the intention. They use your computer as a shoulder to shoot from.

So how do they know when to attack, and whom? They have the concept of command and control. There is a botnet commander who issues commands to all the bots and assigns their next job. No, it is not possible to blacklist the commander from the network: over time the hackers have matured, and now there is usually a swarm of commanders. The commanders themselves are usually distributed; there is usually a super-commander which leads the swarm, and they know how to elect a new superior if the existing one goes missing (probably shot down).

It is feared that there are thousands (or even more) of such botnets (not just bots, but networks) around the Internet, and this is still growing at a fast pace. It is very difficult to spot the bots, as they reside on end-user computers as innocent and invisible applications. I read that some new versions of anti-virus products detect the presence of bots on the end-user side, but I'm not sure on what basis (maybe rootkits?) or how effective they are. So even though the botnets exist for sure, the extent to which they have spread across the Internet is still a dreadful speculation.

Now comes the scary part. It is feared that these botnets might form the future of cyber war. In years to come, these might have occupied billions of computers all over the world, and someone remotely might have full control over all those computers and do whatever they want! With the pace of development in technology and the reliance on the Internet for various services, in the future these botnets might not just cause financial, technological or political damage but may even cause human casualties. It is also feared that some techies are cultivating these botnets all over the world and renting them out against specific targets for a price!!! This apparently is a business!

It is really worrying that a wonderful platform like the Internet is being misused even before the technologies mature enough for the benefit of mankind, at which point the damage these culprits can cause could be vital!! The problem is complicated because it amounts to protecting all the end-user computers; not everyone is aware of even the simplest of attacks, forget about botnets. In my opinion, this problem has to be addressed from outside endpoint security to be really robust. It's high time that security experts think of some fool-proof mechanisms to protect against these propagations and attacks; I'm sure they know even without me having to tell them! I'm scared!

Saturday, January 03, 2009

Computer security - a complicated problem

Technology is advancing really fast, but so are security threats. With the fast-growing Internet and its exposure to even the common man, security threats have become much easier to perform and much more complicated to deal with.

With only ~900 million IPv4 addresses remaining for use on the Internet (out of roughly 4294 million in total), you can imagine the number of nodes connected to the Internet; this of course excludes those computers which are connected to the Internet through NAT and proxy servers. And a number of computers share a set of public DHCP IP addresses in different time slots. So you can imagine the total number of computers connected to the Internet: it's huge! So what does it mean to me as an end user?

Earlier, when computers weren't connected, the number of ways a virus could enter a computer was very limited; in fact, only through removable media. This could not happen without user interaction (at least, the user had to insert an infected disk). But now that the computer is connected with billions of others, there are billions of nodes which can affect your computer, and more importantly "without" you even knowing about it!!

Traditional signature-based virus protection will slowly become obsolete, as there are just too many viruses. The rate of new viruses keeps increasing, and at some point the round-trip time for the AV vendors to publish signatures for new viruses will be too long to stop the damage. In addition, new viruses are also self-mutating (they change their own footprint while retaining the same functionality), which makes signature-based protection much more complicated and sometimes useless.

With the AV vendors already migrating towards behavior-based protection, the problem is getting better, but this approach has its own problems. The heuristics of behavior-based protection have to be smart enough to catch and stop a malicious virus and liberal enough to allow a legitimate program to do its job. The problem is much more complicated than it sounds (if it doesn't already sound complicated), and I believe it is impossible to achieve this unambiguously. To resolve such ambiguities, the applications will need to ask the user for a decision, which is mostly confusing to a common user. There is a good chance that a common user would not understand the question.

Like, what if my body asked me: "The pituitary gland is trying to secrete an enzyme 'abc' and send it to your kidney -- this seems suspicious, do you want to allow this?" -- a question about a virus's behavior might look equally awkward to a common user. But for a computer user it is becoming necessary to know some intricacies of how the computer works -- because the problem itself is complicated.

In spite of all these AV products, staying really safe also requires discipline from the user while using the computer (especially while dealing with threat entry points like removable media, email, the Internet etc.). I don't believe that any AV product can provide 100% security. I think 'having all possible AV products and no self-discipline is much more dangerous than having no AV product but having self-discipline'. Understanding the various security threats is crucial to protect oneself from such attacks.

A new form of security threat which seems to be the most dangerous one is the "botnet". The more I think of it, the more dangerous it looks to me. It requires a separate post; I will write about it later.

Thursday, December 18, 2008

What you see is not where you go!

I know the title does not make any sense -- maybe it will after you read the post.

One of the common means of phishing is to take you to a malicious website when you think you are at the genuine one. It is not so easy for the attacker to make you believe this. A fundamental hole (genuinely useful in many cases) is that an HTML link can be named anything you want, while its URL can be anything else.

e.g., Google -- this link shows up as Google but takes you to yahoo.com when you click on it. A non-techy user who uses the Internet for banking etc. might believe that an 'ABC Bank Login' link will really take him there --- but nothing requires that it does. Unfortunately this simple tweak seems to be enough to succeed against a non-techy user. All that the attacker needs to do is to make sure that the malicious page looks the same as the original page.

Among smarter people, the most popular way to check a link is to go not by the text but by the URL the link is pointing to. All browsers have ways to find this out. The simplest is to hover the mouse over the link and look at the status bar of the browser. Scripts can manipulate what is shown in the status bar, so the other option is to look at the properties of the link (right-click).

Unfortunately this does not help all the time. This is what even some techy users do not know. A hacker can show the URL of the genuine site until the user clicks on it, and then redirect him to the malicious site the moment he clicks the link (this reminds me of the click-hijacking vulnerability in the Flash player -- interested people can read further here).

Now look at the following example: this link reads Google and continues to show the URL of www.google.com, but when you click on it, it takes you to www.yahoo.com. If you look carefully, the URL is changed on the fly when the mouse is clicked on the link. Not many users will notice that the URL is changing (if you think you always would notice, wait a while and read further).

Google -- see the properties of the link and then click on it. See where you go!

[Update: This trick does not work on Google Reader (possibly other readers too). So please visit my blog page if the link doesn't work for you. Thanks Senthil for pointing this out.]

This is the dangerous part. It is quite difficult for us to notice these subtle things on the hundreds of links that we click every day. But being aware of these traps is very important. At least we would know how to be vigilant while accessing confidential and financial sites.

The other most effective way is to make sure the URL in the address bar of the browser is correct after you reach the site (yes, DNS spoofing will fool you here). Thankfully, if the website is an https website (in most cases it is, where you need it), it is best to make sure that the SSL certificate belongs to the website that you are pointing to.

Ok, now for those who thought they would always notice the link: have you noticed that when you click on a link from the search results page in Google, you are actually clicking on a link that takes you to google.com and not directly to the website you want to reach? It is actually Google that redirects you to the actual website -- but we usually fail to notice this. Now that I have told you, it would be obvious this is how Google's page ranking works! I'm surprised that Google does this; I would feel safer seeing Google's actual URL on the link, given that the website's URL is shown at the bottom of every site listed in the search results page anyway.
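The three traps described in this post (link text that names one site while the href points to another, an href rewritten at click time, and a search-result link that goes through a redirector) can all be caught by comparing what the reader sees with where the href actually points. The following is an added example, not code from the original post: pure functions that run in Node.js on constructed sample links; a browser script would collect the same fields from the page's anchor elements instead.

```javascript
// Added example (not from the original post). Compares what the user sees
// (link text, href shown on hover) with where the href actually points.
// Pure functions, so it runs in Node.js without a DOM; in a page script the
// {text, href, hrefAtClick} records would be read from <a> elements.

// Hostname of an absolute URL, with a leading "www." stripped so that
// google.com and www.google.com compare equal. Null for relative/malformed.
function hostOf(urlString) {
  try {
    return new URL(urlString).hostname.toLowerCase().replace(/^www\./, '');
  } catch {
    return null;
  }
}

// If the visible link text itself looks like a URL or a bare domain, return
// the host it names; otherwise null (plain words like "Google" carry no host).
function hostFromText(text) {
  const t = text.trim();
  if (/^https?:\/\//i.test(t)) return hostOf(t);
  if (/^[a-z0-9.-]+\.[a-z]{2,}(\/\S*)?$/i.test(t)) return hostOf('http://' + t);
  return null;
}

// hrefAtClick is the href observed when the click happens (e.g. read in a
// mousedown handler); it differs from href when a script rewrote the link.
function classifyLink({ text, href, hrefAtClick }) {
  const reasons = [];
  const target = hostOf(href);
  const shown = hostFromText(text);
  if (shown && target && shown !== target) reasons.push('text-host-mismatch');
  if (hrefAtClick !== undefined && hostOf(hrefAtClick) !== target) reasons.push('href-changed-on-click');
  // Redirector pattern: a query value that is itself an absolute URL on another host.
  if (target) {
    for (const [, value] of new URL(href).searchParams) {
      const inner = hostOf(value);
      if (inner && inner !== target) { reasons.push('redirects-to:' + inner); break; }
    }
  }
  return { target, reasons, suspicious: reasons.length > 0 };
}

// Constructed sample links mirroring the post's examples (not real pages).
const SAMPLE_LINKS = [
  { text: 'Google', href: 'https://www.google.com/' },
  { text: 'www.google.com', href: 'http://www.yahoo.com/' },
  { text: 'Google', href: 'https://www.google.com/', hrefAtClick: 'http://www.yahoo.com/' },
  { text: 'Example result', href: 'https://www.google.com/url?q=https://www.example.com/page' },
];

function auditLinks(links = SAMPLE_LINKS) {
  return links.map(l => ({ text: l.text, ...classifyLink(l) }));
}

if (typeof require !== 'undefined' && require.main === module) console.table(auditLinks());
```

The `redirects-to:` reason is the one that fires on the search-result case: the href's own host is the search engine, while a query value names the site you actually end up on.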

So be vigilant and browse safely -- because what you see is not where you go :)