13 February 2014


Posts relating to the category tag "reputation" are listed below.

22 March 2011

Legal Issues Relating to Suspension of .UK Domain Names

In December I mentioned Nominet had begun a policy review jointly with the UK-wide Serious Organised Crime Agency (SOCA), concerning Dealing with Domain Names Used in Connection with Criminal Activity.

Extract from a page of the background report 'Dealing with Domain Names Used in Connection with Criminal Activity - Background Report on Views Expressed' showing the large number of references

Since the announcement in December, Nominet has received over 200 written responses to the brief and also met with some groups to hear their views and concerns. Last month, Nominet invited stakeholders to take part in the issue group and the list of participants has now been announced. Their first meeting will be on the 4th April 2011.

To aid the discussion, Nominet appointed an independent expert to review the responses received to date, summarise them and also set the issue in the appropriate legal context. The background report has been published, and Nominet are seeking feedback on its completeness before the end of next week (31 March). Section 3 lists 13 suggested questions for the issue group to focus on.

The reason I mention this topic again is that the 19-page background report is really an excellent read, and although not legal advice (of course!), it gives a good insight into some of the most important legal issues of operating a web site in the UK, e.g. the diverse range of organisations in the supply chain (or "value chain" as it is referred to in the report), the contractual obligations of registrars, extraterritorial effects, and useful reminders about the implications of the Digital Economy Act 2010 and the Terrorism Act 2000.

The report also includes good nuggets of information such as how various agencies interact with Nominet, and that Nominet has "locked" 2,667 domains to date. If you do just two things today, check that your domains are registered under your own organisation's name, and ensure all the details provided to Nominet, and other registries, have been recorded accurately.

Update 24th March 2011: The link to the background report has been altered, following the discovery by Nominet of an error in the original text.

Posted on: 22 March 2011 at 08:13 hrs


01 February 2011

Malware Attack Kit Analysis

The ecosystem of malware production and infection may not be of interest to everyone, but a new report from Symantec provides a great insight, if you are interested or need to know.

Partial view of the contents page of Symantec's report 'Attack Kits and Malicious Websites'

Attack Kits and Malicious Websites (report PDF) describes attack methods, kit types and the evolution of these crimeware kits. The features and methods of traffic generation are discussed, together with an excellent section on the prevalence of attack kits, malicious web sites and attack kit popularity. The top three most attacked vulnerabilities all affected web browser plug-ins, and all five of the unpatched vulnerabilities in use affected browser plug-ins; every one of these could be used in drive-by malware installation, where a user only has to visit a page without any other action being required.

Note that the web sites hosting the malicious code are a combination of intentionally malicious web sites, and legitimate web sites which have been compromised for malicious purposes.

The report includes some advice for systems administrators and end users on protective measures, although it is light on advice for preventing your own web site becoming compromised.

If you are interested in cyber fraud or how to detect it, and want to read more extensively, I'd recommend Cyber Fraud: Tactics, Techniques and Procedures, Auerbach Publications, 2009 (ISBN 978-1-420-09127-1), and Detecting Malice, Robert Hansen, SecTheory, 2009 (ISBN 978-0-557-18733-1).

Posted on: 01 February 2011 at 08:40 hrs


28 January 2011

Cyber This, Cyber That

It seems we can't go a day without hearing something about cyber threats or cyber war in the mainstream press. But what's the reality?

Newspaper headline reading 'A perfect storm of cyber attacks?'

The World Economic Forum (WEF) published its annual report on global risks in advance of the WEF Annual Meeting 2011 this week in Davos. Cyber security (encompassing online data and information security and critical information infrastructure breakdown) was listed as one of five "risks to watch", which "may surprise or overwhelm us" due to varying levels of confidence in the likelihood of significant impact but which "experts considered may have severe, unexpected or under appreciated consequences". The report discusses cyber theft, cyber espionage, cyber war and cyber terrorism specifically but also warns about design flaws in internet-connected smart systems. Cyber security doesn't however make it into the report's Top 10 risks by likelihood and impact combined (Table 5, page 44).

Meanwhile the Organisation for Economic Co-operation and Development (OECD) published a report, Reducing Systemic Cybersecurity Risk. This is an output of the OECD Future Global Shocks project, which is looking at options for governments to enhance their capacity to identify, anticipate, control, contain and/or mitigate large disasters. The report is at a greater level of detail than the high-level WEF document. It concludes that very few single cyber-related events have the capacity to cause a global shock, but that governments should make detailed preparations to withstand and recover from a wide range of unwanted accidental and deliberate cyber events. Most breaches of cyber security (e.g. malware infestations, distributed denial of service, espionage, actions of criminals, recreational hackers and hacktivists) are expected to be relatively localised and short-term in impact.

Comforted? Remember that "local and short term" on a world leader's global scale might be the whole of your business or market. Assess the risks, and make decisions based on your own context.

If you want further advice on dealing with cyber security incidents, last week the European Network and Information Security Agency (ENISA) published its Good Practice Guide for Incident Management. Although it is aimed at national/governmental Computer Emergency Response Teams (CERTs), it contains good practices, practical information and guidelines for the management of network and information security incidents which are of use to a wider audience. See also the NIST Special Publications (800 Series) for more documents like this.

Posted on: 28 January 2011 at 08:46 hrs


25 January 2011

Data Breach Notification Insights

The European Network and Information Security Agency (ENISA) has published a report on "Data Breach Notifications in the EU" to support the introduction of mandatory personal data breach notification following the EU Telecommunications Regulation Reform Package in 2009. That legislation requires the new rules to be transposed into the national laws of the 27 member states by May 2011.

Partial view of the cover from European Network and Information Security Agency (ENISA) report 'Data breach notifications in the EU'

The report will not only be useful to public authorities such as data protection agencies (DPAs), but also for those in the electronic communication sector directly affected by the legislation — communications providers including telecoms companies and internet service providers (ISPs). It will also be of use to any organisation developing policies and processes in the area of internal or external notification, regardless of whether or not there is a legal requirement.

The report is largely based on the results of a survey of 46 organisations conducted using interviews and questionnaires. The organisations primarily included DPAs, telecommunications operators and some other private sector organisations located in Europe. There is a good description of the legislative background, including examples of existing local requirements/guidance in Germany, Ireland, Spain and the United Kingdom. In the UK, there is currently no legal duty to notify breaches (see ICO guidelines), but other mandates such as contracts, policies or requirements of trade organisations might dictate otherwise. There is also a summary of working definitions and criteria for personal data, data subjects and data breaches across Europe, which is not as homogeneous as you might hope.

The chapter about the private sector provides a good insight into operators' existing notification practices and incident handling procedures. It also examines the divergent objectives between regulatory authorities and the private sector. Remember that "breaches" are not only incidents relating to data loss. All aspects of privacy legislative contraventions need to be considered.

The ENISA report concludes with a list of aspects requiring further definition to simplify the transition to mandatory notification, and to ensure better harmonisation across the member states. Time may be against all these occurring before May 2011.

Other sectors - keep watching!

Posted on: 25 January 2011 at 08:10 hrs


21 December 2010

Google Search Security Notifications

Last week, Google announced an additional tier of user security notification in its search results. Sites which Google believes have been hacked or otherwise compromised, but do not yet host malware may be marked with "This site may be compromised" on search engine result pages.

Diagram showing how a normal website may go straight from 'normal status' to being excluded from the index and search result listings; the site may also be marked as 'compromised' or 'hosting malware' - once resolved, compromised and excluded sites can be submitted using the 'reconsideration review' process whereas sites which were affected with malware need to request a review.

This status is not as severe as notifying users that the site hosts malware, when "This Site May Harm Your Computer" is displayed, but take it as an important warning. Compromise often leads to malware hosting. See my previous post for suggestions on how to prepare for such an event — these are identical for "This site may be compromised".

Unlike requesting a review after malware has been cleaned up, the process for recovering a clean status in Google for a previously compromised site uses the Request Reconsideration Form.

Google may also remove sites completely from its indexes and search results. This could be due to not having access, content such as malware, incorrect use of the robots exclusion standard, incomplete site maps, incorrect HTTP status codes, or other reasons that lead to a breach of its webmaster guidelines. Sites may also be removed or excluded due to legal action (e.g. if Google receives a Cease and Desist Notice - examples).

There is another tier which doesn't really fit in the above diagram — sites which use common application software which is out of date or which is known to contain security vulnerabilities may receive Webmaster Tools messages, but this information is not currently displayed to search engine users.

Remember, just because Google has not detected the use of old/vulnerable application software, or detected compromise, or detected malware, this doesn't mean that none of these are true. Verify your own web applications, and have a plan in place in case any of these occur. Oh, and make someone accountable.

Posted on: 21 December 2010 at 09:00 hrs


01 October 2010

Check It's Right for Children is Wrong

I read about a new web site which should be a useful resource for people who market or communicate to children. Great I thought.

But then I saw the domain name: www.check.uk.com

Why is this Check web site on a sub-address of someone else's domain? It could at least have been a sub-domain of the Advertising Association e.g. check.adassoc.org.uk - how will they deal with domain reputation issues such as malware reports? The fundamentals just haven't been thought about.

I can understand, but don't agree with, the decision to embed Google Analytics code within these pages and making JavaScript mandatory. I also think it's rather weak to have this in the privacy "policy":

We cannot guarantee the security of data you disclose online and users must accept that the Internet is not completely secure, and agree that we shall not be liable for unauthorised use, distribution or destruction of personal information.

I know this Check web site isn't itself aimed at children, but even the Information Commissioner's Office (ICO) recommends that privacy pages are called "privacy notices", and produces a clear guidance document on the topic. There aren't even any contact details on the page about privacy.

Apart from that, the advice looks helpful.

Posted on: 01 October 2010 at 07:35 hrs


21 September 2010

This Site May Harm Your Computer

"This Site May Harm Your Computer" is displayed by Google as a safe browsing advisory in its search results when it has found suspicious content during content crawling and indexing. The effect on traffic can be dramatic; especially for e-commerce sites.

Photograph of a construction site warning sign which reads 'Caution Site Entrance' - sunlight from behind indicates some writing on the reverse reading 'Danger Deep Hole'

I keep speaking with people where their online sales have dropped 50-100% within a few days of such a notice appearing.

The best thing of course is to try to avoid becoming listed as having suspicious content in the first place. That's where securing your web site, applications and related systems comes in. But you also want to find out as soon as possible if one of your web sites is being flagged as harmful, so that you can investigate the cause, fix the problems and remediate altered data.

What can you do in advance to help yourself and make sure you know as soon as possible?

  1. Register as the site owner (you, not your developers or hosting company) with the services which will alert you by email when problems are detected, and which provide a quicker way to request that your site is re-evaluated after problems have been resolved; ensure this email account is monitored 24h/d.
  2. Check malware monitoring sites regularly:
    • Google Safe Browsing http://www.google.com/safebrowsing/diagnostic?site=[yourhostname]
    • McAfee SiteAdvisor http://www.siteadvisor.com/sites/[yourhostname]
    • McAfee TrustedSource https://www.trustedsource.org/query/[yourhostname]
    • Norton Safe Web http://safeweb.norton.com/report/show?url=[yourhostname]
    • Stop Badware http://stopbadware.org/home/reportsearch
  3. Examine search results yourself (Bing, Google, Yahoo) using automated methods where possible (e.g. create a content/uptime monitoring alert which looks for the word 'harm' or 'malware' in each search engine's results page that will always include your web site).
  4. Install security widgets (such as McAfee SiteAdvisor or Norton Safe Web) in your own web browsers and visit your own web sites.
  5. Scan your own web site for malware using professional services, although there are some free tools available (e.g. Qualys Stop Malware or AVG Online Scan).
  6. Browse your own web sites using computers with a range of anti-malware (anti-virus) software installed and configured in the most paranoid mode.
  7. Build logging and monitoring into your web sites and applications which will detect unusual activity and unauthorised changes to files and other data.
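Item 7 above asks for monitoring that detects unauthorised changes to files. As an added example (not code from the original post), here is a minimal SHA-256 file-integrity baseline and comparison for a web root; the directory layout, file names and "compromise" edits in `demo()` are constructed sample data, and the baseline should live somewhere the web server account cannot write.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 hex digest of a file, read in chunks so large assets are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(webroot) -> dict:
    """Map each file under webroot (relative POSIX path) to its digest and size."""
    root = Path(webroot)
    return {
        p.relative_to(root).as_posix(): {"sha256": hash_file(p), "size": p.stat().st_size}
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def save_baseline(baseline: dict, out_file) -> None:
    """Persist the baseline; keep it where the web server account cannot write."""
    Path(out_file).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences between the stored baseline and a fresh scan."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(
            p for p in old & new if baseline[p]["sha256"] != current[p]["sha256"]
        ),
    }


def check_webroot(webroot, baseline_file) -> dict:
    """Rescan webroot and report every change since the stored baseline."""
    stored = json.loads(Path(baseline_file).read_text())
    return compare(stored, build_baseline(webroot))


def demo() -> dict:
    """Run the check on a constructed temporary web root (sample data, not real)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp, "webroot")
        (root / "js").mkdir(parents=True)
        (root / "index.html").write_text("<html><body>hello</body></html>")
        (root / "js" / "app.js").write_text("console.log('ok');")
        (root / "robots.txt").write_text("User-agent: *\n")
        baseline_file = Path(tmp, "baseline.json")
        save_baseline(build_baseline(root), baseline_file)
        # Simulate unauthorised changes: one file edited, one added, one removed.
        (root / "index.html").write_text("<html><body>hello<script src=x></script></body></html>")
        (root / "js" / "dropper.js").write_text("// unexpected new file")
        (root / "robots.txt").unlink()
        return check_webroot(root, baseline_file)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run `build_baseline`/`save_baseline` once after a known-good deployment and `check_webroot` on a schedule; a legitimate release simply re-baselines.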

Web site owners cannot register in advance with McAfee SiteAdvisor, but keep the URL handy so you can contact them if necessary.

But do remember, like other "reviews", organisations that display warnings about your site are under no obligation to respond or change the adverse status within any particular timescale. It's best not to become blacklisted in the first place.

Posted on: 21 September 2010 at 12:02 hrs


15 August 2008

Is Your Web Site on Virtual Contaminated Land?

When we set up a web site, how much thought should we give to the previous use of the Internet Protocol (IP) address and domain name? Any previous use could spell disaster for a new web site.

When you buy a house your conveyancing solicitor will undertake local searches and review the Home Information Pack. For commercial transactions, organisations will usually undertake some form of due diligence checks including enquiring about previous uses of the site and adjoining properties using old maps and information from the local authority. No-one wants to inherit the liability for contaminated land, for example from a previous gas works, tanning plant or dye manufacturer that occupied the site.

Instead of chemical threats, web sites need some virtual due diligence, when setting up a new site or moving to a new hosting company or domain. It may also be an issue if your hosting company is changing their IP address ranges and this affects your servers. The threats are to your organisation's reputation if it becomes associated with something contrary to its beliefs, objectives or might upset its customers, clients or users. It could also lead to a lack of availability if the address is blocked by spam or web filtering gateways.

The Domain Name Service (DNS) is responsible for translating between human-friendly domain names (e.g. www.clerkendweller.com) and machine-friendly IP addresses. If a hosting company loses a client, they are very likely to re-allocate that web site's IP address to a new customer.

For a new IP address on your existing domain (e.g. a server move), my recommendation is to obtain details of:

  • How long the IP address has been allocated to the hosting company
  • All domains assigned to the IP address previously
  • The organisations which own those domains
  • What is hosted on 'nearby' IP addresses, i.e. in the same address block
  • What else is listed on the same domain name servers, and the company which operates them

For a new web domain, check:

  • Ownership history
  • Current and prior internet usage (web, email, ftp, etc.)
  • The IP addresses for both of these (as above)

Then evaluate whether there is anything you might not want to be associated with, or anything that has been excluded by web/email filtering or firewall systems because of what it has been used for or the content it contained. If other server IP addresses are changing too (e.g. your mail server), check those as well, and check what else is hosted on 'nearby' IP addresses in the same range.

For a new web domain, use tools like Netcraft, SiteAdvisor, the Wayback Machine and Google searches to investigate prior use. Check with suppliers of web filtering gateways and providers of reputation services whether the domains are blacklisted.

For mail, the Spam and Open Relay Blocking System (SORBS) and Spamhaus list potentially problematic spam sources and open mail relays. There are many more similar searchable spam lists listed at dr.moensted. You may also want to check whether Hotmail, GMail and AOL treat the IP or domain as a source of spam.
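The DNS-based lists mentioned above are queried by reversing the IP address under the list's zone and reading the answer code. As an added example (not code from the original post), the following builds such a query for IPv4 or IPv6, interprets Spamhaus ZEN answers using the codes Spamhaus documents, and separates "query refused" errors from real listings so that a rate-limited lookup is never mistaken for a blacklisting; the zone names are assumptions current at the time of writing, to be confirmed with each list operator.

```python
import ipaddress
import socket

# Zone names as of writing (assumption: confirm with each list operator's documentation).
DNSBL_ZONES = {"spamhaus_zen": "zen.spamhaus.org", "sorbs": "dnsbl.sorbs.net"}

# Spamhaus ZEN answer codes (127.0.0.x) as documented by Spamhaus.
ZEN_CODES = {
    "127.0.0.2": "SBL: direct spam source or spam operation",
    "127.0.0.3": "SBL CSS: snowshoe or compromised sending host",
    "127.0.0.9": "SBL: DROP/EDROP hijacked or leased netblock",
    "127.0.0.10": "PBL: end-user range, ISP-maintained policy entry",
    "127.0.0.11": "PBL: end-user range, Spamhaus-maintained policy entry",
}


def dnsbl_query_name(address: str, zone: str) -> str:
    """Reverse the address the way DNSBLs expect and append the list zone."""
    ip = ipaddress.ip_address(address)  # accepts IPv4 and IPv6
    # reverse_pointer is '10.2.0.192.in-addr.arpa' (or '...ip6.arpa'); drop the arpa suffix.
    reversed_labels = ip.reverse_pointer.rsplit(".", 2)[0]
    return f"{reversed_labels}.{zone}"


def interpret_zen(answer: str) -> str:
    """Translate a ZEN A-record answer into a reason; distinguish errors from listings."""
    a = ipaddress.ip_address(answer)
    if a in ipaddress.ip_network("127.255.255.0/24"):
        # Spamhaus signals refused queries here (e.g. public resolver, rate limit).
        return "query error/refused: not a listing, do not block on this"
    if a in ipaddress.ip_network("127.0.0.4/30"):  # 127.0.0.4 - 127.0.0.7
        return "XBL: exploited or compromised host (bot, proxy, worm)"
    return ZEN_CODES.get(answer, f"unknown answer {answer}; consult list documentation")


def lookup(address: str, zone: str = DNSBL_ZONES["spamhaus_zen"]) -> list:
    """Live lookup. Returns the A answers; an empty list means 'not listed'."""
    name = dnsbl_query_name(address, zone)
    try:
        results = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror as exc:
        if exc.errno == socket.EAI_NONAME:  # NXDOMAIN: the address is not listed
            return []
        raise  # DNS failure: report it rather than silently treating as clean
    return sorted({r[4][0] for r in results})


def report(address: str) -> str:
    """Human-readable reputation check of one address against ZEN."""
    answers = lookup(address)
    if not answers:
        return f"{address}: not listed in {DNSBL_ZONES['spamhaus_zen']}"
    return "\n".join(f"{address}: {a} -> {interpret_zen(a)}" for a in answers)
```

Run `report()` for the server and mail IP addresses a host offers you before accepting them; a PBL entry is a policy statement about end-user ranges rather than evidence of abuse, so read the reason, not just the presence of an answer.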

If you are purchasing an existing domain name, as opposed to registering one from scratch, check its previous and current use. Some companies serve advert pages for domains they own but are not allocated to a web site - be very wary of these.

If your hosting company won't help with this enquiry, go elsewhere.

Posted on: 15 August 2008 at 10:15 hrs


Reputation : Web Security, Usability and Design

Please read our terms of use and obtain professional advice before undertaking any actions based on the opinions, suggestions and generic guidance presented here. Your organisation's situation will be unique and all practices and controls need to be assessed with consideration of your own business context.

Terms of use http://www.clerkendweller.com/page/terms
Privacy statement http://www.clerkendweller.com/page/privacy
© 2008-2014 clerkendweller.com