Wednesday, April 04, 2007

Hijacking Your Fear

Have no fear, the Toxoplasma gondii parasite is here. Just like a decent piece of malware exploiting a zero-day vulnerability in anti-virus software, shutting it down or making sure it cannot obtain the latest signatures while totally ignoring the host's firewall, this parasite controls the fate of rats and mice in a targeted manner:

"by hijacking the part of the brain that makes the rodents naturally fear cats, a new study shows. The exquisite precision leaves intact all other neurological mechanisms for learning to avoid danger, so the rodents learn to survive all hazards except being eaten by cats – the only form of death beneficial to the parasite."

A very interesting example of a targeted attack on a rat's brain, courtesy of Mother Nature's ghost-hacking capabilities. Just a whisper in my ghost - I hope the parasite doesn't become cat-compatible and have them fear the mice.

Interacting with Spam Emails

Unbelievable, and you wonder why spam is on the verge of destroying email as the once so powerful communication medium. What I don't like about surveys like these is that they barely report their findings without providing further clues on the big picture, and don't assess the findings the way they should. The ultimate question therefore always is - So what?! Interacting with spam in any way, be it clicking on a link inside the email, loading emails bugged with remote images, or the most moronic of them all - unsubscribing via the spammer's URL - will only result in verifying that your email address is active. What follows is the syndication of this address among different spammers and a flood of advertisements in languages you'll probably never speak:

"Bombarded by spam, e-mail users are eager for tools like a "report fraud" button that would help weed out unwanted messages that litter inboxes, according to a survey by the Email Sender and Provider Coalition released on Tuesday. More than 80 percent of e-mailers already use tools such as "report spam" and the "unsubscribe" button to manage their in-boxes, the survey found. The survey, which was also conducted by marketing research firm Ipsos, polled 2,252 Internet users who access e-mail through service providers such as AOL, MSN/Hotmail, Yahoo! and Gmail."

Having a report spam button means the technological measures in place to prevent the spam from reaching a mailbox have failed, a very bad sign by itself. Before asking for a report spam button, understand how spammers obtain your email address in the first place and try to prevent it. Standardizing the "report spam" button at a multi-vendor level would never happen. That's mainly because vendors actually compete on spam detection results, just as they should, with the idea that competition not only keeps them in good business shape but has the potential to best serve the customer.

There's also the mean wisdom of crowds to keep in mind. Remember when Hotmail was blocking Gmail invites? Was it an undercover corporate policy, or were Hotmail fans clicking the report spam button on received Gmail invites to make sure Hotmail subscribers never got the chance to receive them? Empowering the masses in a Web 2.0 wisdom-of-crowds style is tricky: just as competitors click on each other's AdSense ads during lunch breaks, they would subscribe to a competitor's email notifications and have them reported as spam. Contribute to Project Honeypot if your infrastructure allows you to and see them crawling. Cartoon courtesy of Bill Holbrook.
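The point above about remote images and "unsubscribe" links is worth seeing in code. The following is an added example, not part of the original post: it scans a constructed HTML spam body for the per-recipient beacons that confirm an address is live (a tiny remote image and links carrying a tracking token in the query string), and shows the rewrite a mail client performs when it blocks remote content. The hostnames, token parameter names and the sample message are all constructed for the illustration.

```python
"""Detect recipient-tracking beacons in an HTML email and neutralise them.

Added example; the sample message and hostnames below are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Constructed spam body: a 1x1 remote tracking image, an inline (cid:) image
# that loads nothing from the network, a plain link, and a tokenised
# "unsubscribe" link. Both tracking URLs carry the same recipient id.
SAMPLE_HTML = """
<html><body>
<p>Dear friend, you have been selected!</p>
<img src="http://tracker.example.invalid/open.gif?rid=7f3a9c2e1b" width="1" height="1">
<img src="cid:logo@local" alt="logo">
<a href="http://offer.example.invalid/buy">Buy now</a>
<a href="http://tracker.example.invalid/unsub?uid=7f3a9c2e1b">Unsubscribe</a>
</body></html>
"""

# Query-string parameter names commonly used to carry a recipient identifier
# (assumed list for the example) and a pattern for opaque hex tokens.
TOKEN_PARAMS = {"rid", "uid", "id", "u", "e", "email", "t", "token"}
HEX_TOKEN = re.compile(r"^[0-9a-f]{8,}$", re.I)


def has_token(url: str) -> bool:
    """True if the URL's query string looks like it identifies one recipient."""
    query = parse_qs(urlparse(url).query)
    return any(
        key.lower() in TOKEN_PARAMS or any(HEX_TOKEN.match(v) for v in values)
        for key, values in query.items()
    )


class BeaconScanner(HTMLParser):
    """Collect (kind, url, tracks_recipient) for every remote image and link."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img" and a.get("src", "").startswith(("http://", "https://")):
            # A 1x1 or 0x0 remote image has no purpose except signalling an open.
            tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            self.findings.append(("remote_image", a["src"], tiny or has_token(a["src"])))
        elif tag == "a" and a.get("href", "").startswith(("http://", "https://")):
            self.findings.append(("link", a["href"], has_token(a["href"])))


def scan(html: str) -> list:
    """Return the beacon findings for an HTML message body."""
    parser = BeaconScanner()
    parser.feed(html)
    return parser.findings


def strip_remote_images(html: str) -> str:
    """Block remote images the way a cautious mail client does: rewrite every
    http(s) image source to about:blank, leaving inline cid: images alone."""
    return re.sub(r'(<img\b[^>]*\bsrc=")https?://[^"]*(")', r"\1about:blank\2", html, flags=re.I)


if __name__ == "__main__":
    for kind, url, tracks in scan(SAMPLE_HTML):
        print(f"{kind:13} tracks_recipient={tracks}  {url}")
    print(strip_remote_images(SAMPLE_HTML))
```

Loading the message with the image blocked, and never following the tokenised links, is what stops the "is this address alive?" signal from reaching the sender; the scan output is also a reasonable feature to feed into a spam score.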

Taking Down Phishing Sites - A Business Model?

Processing orders for taking down malicious or fraudulent web sites is gaining ground, with not just RSA providing the service but also Netcraft joining the process:

"Netcraft will identify, contact and liaise with the company responsible for hosting the fraudulent content. Netcraft enjoys excellent relations with the hosting community, and many of the world’s largest hosting companies are Netcraft customers. Netcraft can exercise its existing relationships with these companies to provide a swift and smooth response to the detection of the site. If the hosting company is reputable, this may be sufficient to ensure a prompt end to the fraudulent activity. However, some hosting companies offer fraud hosting as a service whereby they are incentivized to keep the site up as long as possible, and this necessitates more extensive action."

How does Netcraft differentiate its value proposition compared to RSA's? Netcraft's core competency is monitoring web sites and providing historical performance reports on various server variables, and they've been doing it for quite some time. Moreover, the company directly relies on the success of its anti-phishing toolbar for gathering raw data on new phishing sites, and thus on a future customer in the shape of a company whose brand is attacked. While the business models seem sound to some, it's worth discussing their pros and cons. Will ISPs implement an in-house phishing site monitor to compete with the services offered by third-party vendors -- they could definitely delay their actions given the huge infrastructures they monitor and the lack of financial incentives for a timely shutdown -- or will ISPs and vendors figure out a way to build an ecosystem between themselves? The pioneer advantage is important, despite the common wisdom that even if you have an innovative idea, if the market isn't ready to embrace it, it won't get commercialized.

In the past, there were futile attempts by banks to use the most commonly abused phishing medium - email - to build awareness among their customers of the threat of phishing, which isn't the way to solve the problem. You've got many options in respect to your customers: educate them, enforce E-banking best practices or deny them the service if they don't comply, be a paper tiger and forward the responsibility for fraudulent transactions onto their gullibility, or improve the entire authentication process. As we have seen, two-factor authentication may improve consumers' confidence, but we're also seeing malware authors getting pragmatic and adapting to the process as well. Flexibility also stands for better transparency of the process - respect to the banks providing me with the opportunity to receive an SMS each and every time money comes into or goes out of the account.

OPIE and multiple-factor authentication are inevitable, but a customer's awareness of the threat is worth more than another keychain of OPIE generators. The rest are unrealized E-commerce revenues, due to customers still fearing that the risks are not worth the benefits.
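For readers who haven't met OPIE, here is how its one-time passwords work, as an added example that is not part of the original post. OPIE implements the S/KEY scheme: a secret passphrase and a public seed are hashed N times, the server stores only the Nth hash, and each login presents the previous link in the chain, which the server checks by hashing it once more. The code below is a simplification (it uses full SHA-256 digests rather than OPIE's 64-bit folded hash and six-word encoding); the seed, passphrase and chain length are constructed values.

```python
"""Simplified S/KEY-style one-time-password chain, the scheme OPIE implements.

Added example; uses SHA-256 in place of OPIE's folded MD5/SHA-1 and six-word
encoding. Seed, passphrase and chain length are constructed values.
"""
import hashlib
import hmac


def h(data: bytes) -> bytes:
    """One hash step of the chain."""
    return hashlib.sha256(data).digest()


def make_chain(passphrase: str, seed: str, n: int) -> bytes:
    """Return H^n(seed || passphrase): the secret hashed n times.

    With n = N this is the value the server stores at enrolment; with a
    smaller n it is the one-time password the client presents for that step.
    """
    x = h((seed + passphrase).encode())
    for _ in range(n - 1):
        x = h(x)
    return x


class OtpServer:
    """Holds only the last accepted OTP and the sequence number, never the
    passphrase, so a stolen server database yields nothing replayable."""

    def __init__(self, seed: str, initial_hash: bytes, n: int):
        self.seed = seed
        self.last = initial_hash   # H^n at enrolment
        self.n = n                 # sequence number of self.last

    def challenge(self):
        """The client must present H^(n-1) for this seed."""
        return self.n - 1, self.seed

    def verify(self, otp: bytes) -> bool:
        """Accept otp if hashing it once reproduces the stored value, then
        move the stored value down the chain so the same otp cannot be reused."""
        if self.n <= 1:
            return False  # chain exhausted: must re-enrol with a new seed
        if hmac.compare_digest(h(otp), self.last):
            self.last = otp
            self.n -= 1
            return True
        return False


def client_response(passphrase: str, seed: str, seq: int) -> bytes:
    """What the OPIE keychain generator computes for a given challenge."""
    return make_chain(passphrase, seed, seq)


if __name__ == "__main__":
    server = OtpServer("sd01", make_chain("correct horse", "sd01", 5), 5)
    seq, seed = server.challenge()
    otp = client_response("correct horse", seed, seq)
    print("login:", server.verify(otp), " replay:", server.verify(otp))
```

The property that matters for phishing is visible in `verify`: a password captured in transit is accepted once and then becomes useless, and an attacker holding H^(n-1) cannot compute H^(n-2) because the hash is one-way. What the scheme does not do is stop a real-time man-in-the-middle from relaying the fresh OTP, which is the pragmatic adaptation by malware authors mentioned above.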