* Social Media Vulnerabilities: From the New York Times Sunday edition came a report of a Hollywood burglary ring whose members not only targeted celebrities, but used celebrity gossip web sites to figure out when those celebrities would be out partying, so they could break in knowing no one would be at home.

Granted, celebrities aren’t normal people — their movements are tracked and broadcast with unhealthy intensity. And the burglary ring (alleged, that is) doesn’t seem to be composed of criminal masterminds, relying in a few cases on doggy doors and keys left under mats to get inside the target homes.

However, to my eye, we keep edging closer and closer to scenarios that I outlined in my entry, Please Burglarize My House, where criminals, aided by quick Web searches, find the information that we willingly blast out to the world telling people were we are (and thus, where we aren’t — in realtime), plus what we have that’s worth taking, and a whole bunch of other information that’s useful to them.

Folks, this isn’t a moral panic here — it’s just a recognition that criminals adapt to new technologies, too. Postal mail opened up a whole lot of new opportunities for scams that didn’t require physical presence; cars and roads gave new mobility to criminals of all sorts; and burglars could case a house just by using a telephone.

In many ways, there still seems to be a naivete about potential negative impacts of social media on your physical existence, that borders on an adolescent’s invulnerability.

* Social Media and Crisis Communications: Two followups from CrisisCamp — the first is a very literal one, since it builds on conversations between representatives from Google, Yahoo, and Microsoft at the first CrisisCamp in DC: At Random Hacks of Kindness, coders got together to build apps to harness social media and communications tools to help improve communication during disasters.

I’m pretty sure I was in the session (primarily as a spectator) where light bulbs went off and commitments were made, so it’s cool to see concrete things coming out of it.

The second item is more of a spiritual successor: The US Navy’s Office of Naval Research awarded a contract to Lockheed Martin to see how social media could be used during disaster and crisis operations. Valued at  a “miniscule” $1 million over 24 months, it shows that social media is a serious, useful phenomena, and that even large, traditional institutions are trying to find ways it can be harnessed.

* One More Thing: Oh, and one last thing — this entry marks my 1-year anniversary as a contributor to the Solutions Are Power blog. (I suppose I should re-read and revisit my first entry at some point.) Time flies — it seems like only yesterday that I barely used Twitter and I still hadn’t yet wasted any time on Mafia Wars. Even so, the social media landscape has changed a lot in just a year, but I’m glad to still be here to write about it.

Thanks to Shashi, Jill, Steve, and the rest of the Network Solutions blog team, as well as to all readers and commenters, for continuing to indulge me. I hope you’re getting as much from reading my writings as I am from writing them, and I hope to continue doing so for as long as you’ll have me.

Well, it looks like this scenario may have finally happened, as written up by travel blog Travelin’ Light: Twitter user @izzyvideo posted a Tweet saying he and his family were on vacation. A few days later, he tweeted that his house had been burglarized. (There’s more info in his blog entry, and it’s been getting mainstream press attention.)

Since his Twitter updates were publicly findable on any Web search and also appear on his Facebook page, there’s no way (that I see, anyway) to pin this on one of his online friends or followers. If any of them had a hand in the crime in the first place: It’s perfectly possible (in fact, I would say probable) that the burglary was just a random property crime that doesn’t have anything to do with any social media at all. But it’s a fascinating, if disturbing topic, especially since it has a link to Twitter. After all, Twitter is about socially broadcasting your status in realtime, as well as the ability to search those updates, also in realtime.

Transparency as Vulnerability?
I was struck by a passage in Everfree, a science fiction novel by Nick Sagan, where a protagonist is talking about the wireless links that people use to communicate:

Watch lists tell us who’s in the news, so if I’ve got Claire on mine and she’s featured on someone’s channel, an alert lets me know. Watch lists are also a measure of popularity, so the more watched you are, the better. Slick way to get citizens to enjoy being watched. “How do I get more people to like me? How do I move up in the rankings?”…

…If someone’s using a link anywhere in the city, I can find out where he is and what he’s linking — another person, an information site, entertainment, you name it. Blows my mind how many citizens are willing to give up their privacy. Total transparency may be the selling point, but the goal is control.”

Sound like any social broadcasting phenomena we know? (Incidentally, the book came out in 2006, the same year as Twitter’s founding. Also, one of the bad guys is named “Ning,” though I think that’s just a coincidence.)

Opsec as a Way of Life

Now, intelligence and military types (including military bloggers) often talk about Opsec (Operations Security), which means being aware of what you say that might reveal what you’re doing. It’s best embodied by that most famous WWII slogan, “Loose Lips Sink Ships.” (You can see a whole bunch of related posters at the WWII Poster Collection at the Northwestern University Library.)

Another aspect of Opsec is the idea that a single piece of information might not be damaging by itself, but a watchful adversary could combine it with other pieces to form a revealing picture, as illustrated by another poster: “Bits of careless talk are pieced together by the enemy.”

Anyway, especially with services where we announce our physical location, I predict we’re going to have to be a lot more sensitive to personal Opsec concerns, because eventually, the criminals will catch up.

As a bonus, here’s a version of the Someone Talked! poster that I’d worked up for a more up-to-date warning message:

Modified public domain source image from the WWII Poster Collection at the Northwestern University Library

Have you thought about how people might misuse the information you broadcast? [Incidentally, in case anyone gets any ideas, my house is hardened and alarmed -- a veritable fortress -- and my neighbors and roommates are all former police / Special Forces / ninjas.] Is this overblown hype? Are you planning your own social-media enabled crime spree? Leave a comment below.

1. Flexibility – If you plan to have a number of domains & web pages, Network Solutions has an excellent a la carte approach rather than canned packages.

2. Permanence – Network Solutions is the oldest domain registrar. This is reassurance that they’ll be providing you service into the future. In fact, you can register a domain using Network Solutions’ 100 year service (for $999). If 10 years is more comfortable then there is a considerable discount for that.

3. Room for Growth – Nearly unlimited storage for your website. This is really important because content is what will encourage customers to return. You can continue to add as much as you like.

4. Security – It’s just as important as having antivirus software for your computer. WatchDog™ by Networks Solutions provides three things:

• web site vulnerability scanning
• web site performance monitoring
• certification seal

5. Customer Service – and most importantly! Free 24/7 customer service recognized by J.D. Powers & Associates.

All of these are important aspects to consider as you move your business online. Network Solutions provides a full range of products to not only suit your needs but also provide excellent value. What are the reasons why you selected Network Solutions?

Google engineers have posted a detailed explanation saying that the recent domain hijacking related incidents were due to phishing and not because of any security flaws in the Gmail software.

According to Google, attackers had sent e-mail messages to web domain owners asking them to visit fraudulent websites, such as “google-hosts.com”, with the purpose of collection their Google login credentials. Once they had access to the Google mail accounts, they would set up filters designed to forward email conversations with web domain providers.

They have some great advice on preventing such a thing from happening to your own Gmail/Google account. Since many people have moved to using web mail instead of mail clients like Outlook, this has become the latest target to make you an unwilling participant in spam spiders and other sorts of scams.

Things like email and web domains are core to us doing business on the Internet and are the most damaging when hijacked. We will continue to bring you relevant stories and advice to help you keep these scams from doing damage to your business.

Please delete the email if it is suspicious. 

We want you to know that we are taking every possible measure to protect our Customers from this attack and mitigate its impact. We are working very closely with the Registries as well as ISPs to detect any new domains from which these attacks are coming and shut them down.

See image below as an example.

( You can click on the image to make it larger)

Please take precautions, when you click on any link in an email.  Also please make sure you check the top address bar of your browser before entering any information. A genuine network solutions page should look like this in the browser https://www.networksolutions.com/manage-it/index.jsp, the important part of this URL is that after the https://www.networksolutions.com/ there should not be any additional .com in the URL. Note that the link in the screenshot above has two .coms in the URL. You can also scroll over the link with your mouse and see where the link leads to in the status bar at the bottom of your browser.

If you believe you have received an e-mail of this type and have clicked on the link, and provided your login information, we recommend the following for security purposes:

• login to your account
• review your account information for accuracy
• choose a new password security question and answer
• change your password

If you believe any of your account information has been altered, please contact customer service immediately at: 1-800-333-7680

If you have questions, advice or ideas please feel free to leave a comment here on this blog. Here are some other  resources for learning more about Phishing :

http://www.microsoft.com/protect/yourself/phishing/identify.mspx

http://www.ftc.gov/bcp/edu/pubs/consumer/alerts/alt127.shtm

http://www.antiphishing.org/consumer_recs.html

http://www.businesswritinginfo.com/?p=302

http://www.us-cert.gov/reading_room/emailscams_0905.pdf

http://www.commoncraft.com/phishing

Posts explaining and cautioning people:

http://www.sophos.com/security/blog/2008/10/1901.html?_log_from=rss

http://garwarner.blogspot.com/2008/10/first-enom-phish-now- network-solutions.html

http://www.domainnamenews.com/miscellaneous/network-solutions-proactive-in-fighting-recent-phishing-attack/3046

http://www.sophos.com/blogs/gc/g/2008/10/31/network-solutions-and-enom-targeted-by-phishing-attack/

http://www.circleid.com/posts/20081030_domain_slammers_go_phishing/

http://www.google.com/tools/firefox/safebrowsing/faq.html#q4

http://www.pcmech.com/article/fake-network-solutions-email-phishing-scam/

There have been a number of examples of domain hijacking in the industry over the past several years. We feel that it if we can take actions to minimize the risk of a domain name being stolen, we should. David Airey had the unfortunate experience in December of last year. While that was not related to his efforts to transfer his domain name, he did have to spend significant time and effort to gain control over the domain name registration.

When a domain name is transfer to another registrar as a result of a hi-jack, the registrant has a much harder time getting the domain back. Thieves use many different tactics to get access to a domain name and the can be sold very quickly to other unsuspecting people. Once you have lost a domain name registration, it is not certain that you will be able to get it back. As we have seen some domain names have significant value in the resale market and many Internet criminals know this..

We hope that you agree that the safeguards used by Network Solutions that may delay a domain transfer for a short period of time is worth the preventing an authorized transfer. There are instructions here. You may also call Customer Service 24/7 for assistance. Additional verification may be required if you do not have the proper account information to be validated as an authorized contact.

In the U.S. and Canada call:
General Support
1.800.333.7680
Technical Assistance
1.866.391.HELP (1.866.391.4357)

Outside the U.S. call:
1.570.708.8788