Ann Arbor Area Business Monthly
Small Business and the Internet
By Mike Gould
The garden that is today's computer environment is cluttered with new growth popping up here and there, an undergrowth un-loosed that challenges the most industrious of gardeners. There is a matching, often bewildering lexicon of new words appearing to describe such foliage, be it weeds or wonders. How does one keep up with such herbage/verbiage? One reads this column, that's how. So here is a current crop of new terms, neologisms, technical terms, and other synonyms: fun words to know and share. Well, maybe not so fun, as we seem to be focusing on webweeds here.
Last month's column was about the spate of new Macintosh viruses, which are spread via users visiting a disguised criminal website. Upon hitting the homepage, users automatically and invisibly download a planted file that seeds you with cyber-weeds. What wasn't clear to me at the time was that you end up at the site by searching for something on Google, and that Google itself has been a victim of criminal activities. What happens is that the search you perform can take you to a specious site, one that shows up first in the list of Google results. This is a result of Google Poisoning, where the cyber-criminals have gamed Google's ranking system to make their dens come up ahead of legitimate sites.
How this is done is beyond the scope of this article, but suffice it to say, Google is aware of this and is fighting a mighty battle against it even as we speak. The technique that takes advantage of the Google ranking system is called:
Black Hat SEO
SEO stands for Search Engine Optimization, and is a process of coding a website to make it blessed in the eyes of Google and other search engines. For the most part, this involves writing clean HTML code that has embedded keywords and other techniques. (For more details see the article I wrote about this, URL below.) The WWW being the Wild, Wild West that it is, there are good cowboys, the white hats, and bad cowboys, the black hats. The white hats (of which I count myself, pardner) follow the rules and try to stay out of the saloons. The black hats are criminals hiding away in the sagebrush who do any number of evil things to worm their sites to the top of the listings. One way of doing this is through the use of a:
Link Farm
One of the methods Google uses to rank your site is by the number of sites that link to you. Google figures that if a number of other related sites think you are worth linking to, you must be cool so you get a higher ranking. So criminals create hundreds of sites (using automated malware designed for this), all linking to their target site with the Bad Page on it. Google sees all this cross-linking and decides that the Bad Site is cool, and bingo, it is at the top of the rankings. This is an automated process on the Google side as well, and that is the crux of the biscuit: Google has to be constantly re-tuning its ranking software to find and ignore the results of link farming. A gargantuan, if not Sisyphean, task, given the enormous crop of bad guys on the Web.
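To see why counting links is so easy to game, and what ignoring a link farm can look like, here is a small sketch added for illustration (it is not Google's code and not from the original column). It assumes a made-up web of `.example` sites and a simplified trust-from-seed-sites rule: a link only counts if the site giving it can be reached from a site you already trust.

```python
from collections import deque

# Constructed sample web: site -> set of sites it links to (all names hypothetical).
FARM = [f"farm{i}.example" for i in range(1, 6)]
WEB = {
    "news.example":  {"blog.example", "shop.example", "wiki.example"},
    "blog.example":  {"news.example", "shop.example"},
    "forum.example": {"shop.example", "news.example"},
    "wiki.example":  {"news.example", "forum.example", "shop.example"},
    "shop.example":  set(),
    "bad.example":   set(),
}
# Each farm page links to the target and to the next farm page (a cross-linking ring).
for i, site in enumerate(FARM):
    WEB[site] = {"bad.example", FARM[(i + 1) % len(FARM)]}

def inbound_counts(web, allowed=None):
    """Count inbound links per site; if `allowed` is given, only links from those sites count."""
    counts = {site: 0 for site in web}
    for src, targets in web.items():
        if allowed is not None and src not in allowed:
            continue
        for dst in targets:
            counts[dst] = counts.get(dst, 0) + 1
    return counts

def reachable_from(web, seeds):
    """Sites reachable by following links outward from hand-picked trusted seeds."""
    seen, queue = set(seeds), deque(seeds)
    while queue:
        for dst in web.get(queue.popleft(), ()):
            if dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen

def top(counts):
    """Site with the most counted inbound links."""
    return max(counts, key=counts.get)

naive = inbound_counts(WEB)                        # every link is a vote
trusted = reachable_from(WEB, {"news.example"})    # seed choice is an assumption
vetted = inbound_counts(WEB, allowed=trusted)      # only votes from trusted sites

if __name__ == "__main__":
    print("naive top: ", top(naive), naive[top(naive)])
    print("vetted top:", top(vetted), vetted[top(vetted)])
```

No legitimate site links into the farm, so the farm's votes for the Bad Site drop out once only trusted sources are counted.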
This is not a new term - it was invented by the hacker Kevin Mitnick back in the 20th century to describe his methods of manipulating people into divulging security information. Example phone call: "Hi, I'm from your ISP and we're checking a reported break-in. Could you please give me your password so I can test your account?" Yes, people used to fall for this. The more current versions of this are emails from your credit card company (with a fake - "spoofed" - return address) directing you to a website that looks just like the one your card company uses, but has the Bad Code in it, or asks to verify your account number. As a long-time reader of my column, you know all about this and are never at risk, right?
Never mind that I get caught by this occasionally; see Targeted Spam below. Since I went through this, I discovered this technique now has a name:
Spear Phishing
This describes a variant on the phishing scam. Phishing is an attempt to get sensitive information by masquerading as a trusted company such as a bank, etc. The trickery is accomplished by the aforementioned spoofed email or website. Spear phishing is where a given population is targeted, such as the staff of a defense company. An email arrives from firstname.lastname@example.org to all the WarBux employees, directing them to visit a certain web page for a "security update". It only takes one person on a supposedly secure internal net to do this, and the entire network, servers and all, is compromised.
This has recently happened to several defense contractors, probably hacked by a hostile, state-backed cabal of programmers who Do Not Mean You Well. Also hacked: Sony, various national banks, and an unknown number of others who haven't yet fessed up that your credit card information has been stolen.
Sandboxing
This is a computer security technique where un-trusted code is run in a separate, walled-off area of a computer. The walling-off can be a physical disconnection from a network, or via a software construct that restricts what data can move to and from the "sandbox". This is now appearing in operating systems, most notably, Apple's new Lion (v. 10.7), due out in July of 2011. As I understand it, Apple's sandboxing restricts the kinds of activities apps can do, mostly regarding accessing files and relating to a network. This should keep a malicious app from attacking other parts of your computer or network. We'll see how this shakes out.
Targeted Spam: http://mondodyne.com/b2b/smbiznet.154.shtml
Mike Gould was a mouse wrangler for the U of M for 20 years, runs the MondoDyne Web Works/Macintosh Training/Digital Photography mega-mall, builds lasers into lunchboxen, performs with the Illuminatus Lightshow, and welcomes comments addressed to email@example.com.