February 22, 2012

By Mike Talon
in Security
No Comments

Spam is a major issue on social networks, blogs and forums these days. Spammers have even resorted to hiring “human bots” to troll websites and post comments and postings just to get their site links a bit higher on search engine results.

To try to combat the problem, many sites have resorted to CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart). This technology is simply the use of some manual test that a human being would have no issues passing, but a computer would be unable to complete correctly.

Generally speaking, the test takes the form of a series of letters and numbers that are rendered as a graphic (like in the picture above). A human has no issue typing the letters on the screen, but a computer can’t, since the computer only “sees” the image as an image, not as a series of characters.

The test gets its name from the work of Alan Turing, a computer scientist who spent a great deal of his life trying to figure out if a machine could ever think exactly like a human. The result of that work helped win World War II (he helped build the Ultra machine used to break the German ENIGMA code generator system); and also helped create a series of tests to see how “human-like” machines could get.

The so-called “Turing Test” is still used today against advanced computer systems. A human operator sits in an isolated room and sends a series of questions to both another human and to a computer. The operator then tries to determine which is the human and which is the computer based on the reactions, responses and answers they get from both subjects. If the operator cannot correctly identify the computer, it is said to have passed the test.

And so, in order to try to weed out automated computer systems trying to post spam to blogs, networks and forums, tech professionals often implement CATPCHA tests to block them.

While the idea is great in theory, the benefits to CAPTCHA are severely limited by several factors these days:

– Spammers are hiring human beings in depressed economies to answer CAPTCHA tests and post nonsense to forums and blogs, bypassing the test for a few cents per dozen posts.

– People with visual disabilities (such as being legally blind or color blind) have issues passing the tests. This is either because the CAPTCHA provider didn’t include an audible test with the visual one, or because the CAPTCHA itself is in non-contrasting colors that are difficult to read for someone who is color blind.

– The CAPTCHA’s themselves have become so intricate and complex that real humans can’t answer them correctly either. I’ve seen math problems, characters so twisted around they’re unreadable, so many intersecting lines that you can’t read the characters, etc.

– Computer systems are getting complex enough that they can actually pass the CAPTCHA.

While you will still see CAPTCHA on many websites, and while they still have some use in the overall war on spam, you should probably avoid forcing a CAPTCHA test for your blog or website.

Instead, require administrator interaction before a blog comment can go live, require registration before a forum can be posted to, and use other techniques that will help keep spammers away from your postings. Many content management systems (such as WordPress) allow you to permit those who’s comments you have allowed in the past to post without having to get permission each time; for example.

If you find a CAPTCHA that is unreadable, unusable, or both; let the site administrator know that they need to fix it or remove it.

Photo Credit: plindberg

February 22, 2012

By Mike Talon
in Security
No Comments

Your Social Media identity is your brand, your representation online. You should be protecting it just like you protect your wallet, keys and everything else you don’t want people playing with without your permission.

Basic Social Media security isn’t very hard to accomplish, doesn’t diminish your ability to get things done, and doesn’t take a lot of time to keep up with. It’s also free for the most part, so it won’t even make a dent in your wallet if you only need the basic features.

For social networks and bookmark/photo sharing sites, you can do three things to help ensure you stay safe:

– Choose a password that’s not a word in the dictionary, is made up of letters and numbers, and it at least 8 characters long. XKCD had a great way to do that. You can also simply pick a phrase that you’ll remember, and translate that into a combination of letters and numbers.

So “To Infinity, and Beyond!” becomes “2InfinityAndBeyond!” If the network in question doesn’t allow punctuation in passwords, just drop the “!”

[editor’s note] PLEASE don’t use that one as your password, as anyone reading this article will be able to get into your social networks if you do.

– Make sure you know what’s connecting to your networks. Twitter, Facebook, LinkedIn and others have Connections, Applications and/or Privacy pages that detail what apps can see and use your data, and what data they can see and use. These pages are typically on the Settings, Options, or Privacy pages for your account once you log in. Be sure you know what each application is, what it does, and how it accesses/uses your information. Remove any apps you no longer use, or don’t want to use, and whenever possible, limit the apps you do use just to the vital data they require and no more.

– Try to never use social networks on computers you don’t own. While it’s probably impossible to always follow this rule, do it whenever possible. If you must use a social networking site on a computer you don’t own, make sure the “remember me” or “always keep me logged in” checkboxes are cleared and make sure you log off the social network site when you’re done, don’t just close the web browser or window. Public computers – like at libraries and internet cafes – are prime targets for key-tracking malware. Use them for social networks (or really anything that requires you to log in) as an absolute last resort.

For blogs, things get a little trickier:

– Do use secure passwords, just like for social networks. Make sure they are NOT the same passwords you use for social network sites.

– Keep your blog updated. If you use WordPress, for example, check weekly for new updates both for the WP software and for any plug-ins and themes. WordPress 2 and up will allow you to update these items with a few clicks, so there’s no excuse for not staying updated. If you are with a hosted blog provider like Blogger, then the host will typically do this updating for you, but it never hurts to check your Settings/Administration pages just to make sure.

– Use a 2-factor authentication system if you host your own blog. Duo Security has a free version of their smartphone-based authentication system that works great with WordPress, for example. This ensures that just because your password is breached, there is another layer of security for most forms of blog access to help ward off attackers.

– Moderate comments. This isn’t so much for your direct security as for spam prevention and keeping links to malware-infected sites off your Comments page. Moderation is a bit annoying at times, but you can minimize that by setting up an account with a filtering service, like Akismet, to remove the obvious spammers and only bug you when a comment appears legitimate.

Take a few steps today to help close the loopholes that allow attackers to get hold of your Social Media info and sites. An ounce of prevention now helps avoid weeks of clean-up later.

Photo Credit: Dazzie D

February 22, 2012

By Mike Talon
in General Info
No Comments

Into each blog, several trolls must fall. This is an immutable law of the Internet, and you should be ready to deal with negative posters, bloggers, tweeters, etc.

The first step in dealing with the haters is to identify which ones are real, and which ones are just annoyances that you can’t and/or shouldn’t do anything about.

For example, let’s say that someone is tweeting something negative about your company. Are they someone you should be concerned about, or is it just a spammer who happens to have latched on to your company name in their spam?

First, determine if the threat is real:

1 – Does the tweet/post/blog seem to actually have an issue with your company or product? You can usually tell because the real people with issues state them clearly and distinctly. “Your product broke and caused something to happen” is more likely to be legit than “Have you heard how bad Product A is?”

2 – Is the poster a real person, or a spammer looking to get visibility by leveraging your product? Spammers will simply post things like “Comparison of Product X and Product Y” with a link to an article that has nothing to do with the poster. In all likelihood, the page they link to may not even be a real comparison or legitimate document, but rather a site full of advertising (or worse, a malware trap site).

3 – Is the issue something you can fix, or just someone airing their opinions? Many times, users spout off about a gripe, but have no intention of actually working to fix the problem. Gauge their reactions to your responses to see how you should continue – or if you shouldn’t continue.

Often, you can find out the answer to all three of these questions by sending a simple @Reply, Comment, etc. that says “Hi, I work for Company A, and we’d like to help.” Avoid using direct messages, even if they follow you, as the idea here is to publicly show everyone else that you’re responsive to negative tweets/posts/blogs. After all, if you can’t help this one person, you want the rest of the world to see that you at least tried.

If the poster in question replies back that they want help, then you have a legitimate user who is frustrated, but one you can work with. If, on the other hand, the poster either doesn’t reply back, or worse they continue to stream abuse, then it would be better to classify them as “unreachable.” At that point, keep an eye on them, but don’t engage them directly. All you’ll do is give them more fuel, and they’re not going to come around to your point of view anyway.

The idea is to find those people who are truly frustrated and looking for help, but to not “feed the trolls” and contribute to the noise level online without getting anything out of it for you and your company.

Next week, we’ll discuss what you can do both in cases where the negativity is real and the person is willing to accept your help; and then those cases where the comments/posts are real, but the user has a bias against your company and does not want help.

Photo Credit: jurvetson