Click Fraud Rate Rises to 14.1%, Report Says
FBI consultant gets busted, Microsoft Private Folder pulled and U.S. OMD department issues security incident reporting rules.
According to a quarterly report published by Click
, it suggests that despite additional efforts by large sites
such as Google and Yahoo, bogus clicks on Web advertisements continue to rise.
As long as advertising rates are based on visits and not sales, this problem
will continue to plague the marketing industry. The article points out that
fraudulent clicks might be made by Web site owners to increase their own revenue,
or by competitors hoping to drain others' budgets. With such compelling
motivation, the criminals are likely to always be able to find a way to make
money from this scheme.
Click Forensics does have a vested interest, although they go to great lengths
to describe themselves as being at arms-length. They produce software that allows
advertisers to analyze their clicks to determine which are fraudulent. They
say they are attempting to define an industry standard to identify fraud that
sites such as Google and Yahoo might accept.
Hacker at FBI Gets Home Detention, $20,000 Fine
Joseph Colon, contracted by the FBI to perform some form of computer consulting
in their Springfield, Ill. offices, was convicted of intentionally exceeding
his authorized computer access after pleading guilty to cracking the passwords
of the FBI director and others. He has been sentenced to six months of home
detention and $20,000 in restitution.
It never ceases to amaze me what some individuals consider to be benign or
legal. Just because the contractor has authorized access to the SAM files doesn't
mean he can feed them into tools designed to crack them! It's believed
that the reason this individual didn't get jail time is because the judge
felt he had "noble motives" behind his actions. Bah!
Microsoft Pulls Private Folder 1.0 in Wake of Data Recovery
Microsoft offered a free file security tool to customers who've passed
its Genuine Advantage Program testing verifying that they have an official copy
of Windows XP. The tool would allow each user on a given system the ability
to create a "Private Folder," encrypted and protected with a password
known only to them. The tool was intended to allow an individual user to protect
files of their choice from other users on the same system. Corporate administrators,
however, complained the tool would create a quagmire for them, allowing corporate
employees to prevent administrators from being able to see all of the files
stored on a corporate laptop, for example.
While it's certainly true that such a tool could pose problems for admins,
the tool is hardly unique in its abilities. Just because Microsoft has pulled
the tool doesn't mean that admins no longer face the challenge of privately
encrypted data on corporate PCs. Microsoft could have easily made the tool only
installable by admins and on machines which have had a domain logon, only Domain
Administrators. Further, they could have easily provided Group Policy scripts
that would have detected the presence of the tool, or administratively prevented
The knee-jerk reaction by Microsoft to pull the tool makes one wonder what
their real concerns were.
OMB Directive Requires Reports of Suspected as Well
as Confirmed Security Incidents
The U.S. Office of Management and Budget (OMB) issued a memorandum
[PDF] on July 12 revising the rules governing security
incident reporting. Specifically, they have mandated that any incident,
suspected or confirmed, involving "personally identifiable information"
must be reported within 1 hour of discovery. See below for their definition
of "personally identifiable information."
Here's the OMB's definition of "Personally Identifiable Information":
"For purposes of this policy, the term Personally Identifiable Information
means any information about an individual maintained by an agency, including,
but not limited to, education, financial transactions, medical history, and
criminal or employment history and information which can be used to distinguish
or trace an individual's identity, such as their name, social security number,
date and place of birth, mother's maiden name, biometric records, etc., including
any other personal information which is linked or linkable to an individual."
column was originally published in our weekly Security Watch
newsletter. To subscribe, click here.
It would seem obvious that the U.S. government doesn't want to get caught in
another media furor over the loss of personally identifiable information. But
it's hard to understand just what value will come of such a mandate other than
to ensure that they know prior to the media. Further, the mandate instructs
institutions that they "should not distinguish between suspected and confirmed
breaches." Such an instruction only has value to the receiving entity,
in this case the U.S. Computer Emergency Response Team (US-CERT). Presumably
they do not want the U.S. CERT to act differently for suspected breaches than
they would for confirmed. Why this must be mandated to the institutions, rather
than U.S CERT, however, is unclear.
One of Bill Murray's Laws of Computer Security is: "Be careful what you
ask for, you may just get it!" In this case, the signal to noise ratio
as a result of this mandate will be extremely low, and possibly overwhelm the
US-CERT reporting mechanisms in the process.
More Employers Firing Workers for Misusing E-mail
Results of a survey, released by the American Management Association and the
ePolicy Institute, indicates that more employers are firing employees for inappropriate
e-mail, IM or blogging activities.
The results also showed that more employers are being subpoenaed for their
employees' e-mail records. As such, it suggests that such court actions
are making employers pay closer attention to what their employees are doing.
Conversely, it's unfortunate that a lot of management believes that the
only disciplinary mechanism available to them in this sort of case is termination.
They forget other options like changes of assignment, changes in pay, leave
without pay and others that may be cheaper than terminating somebody and just
as effective. Another option is to simply take the tool away from an offender.
Suspend e-mail or Internet access for those who abuse their privileges, rather
than fire them.
Russ Cooper is a senior information security analyst with Verizon Business, Inc.
He's also founder and editor of NTBugtraq, www.ntbugtraq.com,
one of the industry's most influential mailing lists dedicated to Microsoft security.
One of the world's most-recognized security experts, he's often quoted by major
media outlets on security issues.