Cyber-blurring: the strategy used by Macron’s digital team to face cyberattacks

Photo: www.gouvernement.fr

On May 5th, 2017, two hours before the end of the 2017 presidential campaign, thousands of documents belonging to the campaign team of candidate Emmanuel Macron were leaked and made public on the American forum 4chan, then relayed by WikiLeaks. Social media played an important role in the attack and in spreading the content: internal discussions of the political party, briefing notes, pictures, invoices and accounting records, representing 9 gigabytes of hacked data.

Since the beginning of the presidential campaign, this was not the first attack faced by the team of the En Marche candidate. Alerted to a potential attack long in advance, they had set up a cyber-blurring strategy to defend themselves. This method creates dozens of false documents (false emails, false passwords, false accounts) in order to slow down the hackers’ work. This strategy is often used in the banking sector to protect customers. (This diversion method is also called digital blurring.)

L’Express Twitter account

Even though Mounir Mahjoubi, digital director of the En Marche campaign, believes this cyber-blurring method slowed the hackers down, the attack was not avoided despite these measures.

The hackers did not ask for money in exchange for not publishing the documents. These documents, which are not compromising for Emmanuel Macron’s team, were not monetizable because the hackers would have had to sort through 9 gigabytes of data in a short period of time.

The consequences for the presidential campaign were limited and the En Marche staff were not really affected. This counter-measure was well implemented.

The hackers targeting Macron did not achieve the success they hoped for. Nevertheless, this failure will push them to become smarter, more ingenious, less visible and better prepared for the next attack.

To be continued.

Mastodon: what about cybersquatting?

Communication on social media is the subject of many justified concerns from trademark owners. Indeed, the names users create for themselves, called “usernames”, are not legally protected in advance. In practice, the owner has to register or recover the username corresponding to their brand, or demonstrate to the social network that their brand is being used with ill intent. In short, it is a time-consuming activity…

Mastodon, a social network only a few months old and trendy for a few days, is the subject of several articles about its nature, how it works and its purpose. But what about protecting the brands associated with it?

Mastodon is a social network created by Eugen Rochko, a 24-year-old German developer. A Twitter clone with a 500-character limit, Mastodon is free, open source and decentralized. This last term is the one we are interested in. Mastodon can be accessed through its “basic official” website, mastodon.social.

However, mastodon.social is only one instance; you can use others, such as mastodon.fun, developed in Angers. You choose a username on an instance, and your complete username becomes @username@instance. Keep in mind that instances can connect with each other, which is why the network is described as federated.

Anyone can create an instance, so you have two options, which can be combined:

  • Either you register your brand on every existing instance (today there are more than 2000 of them, and it is only the beginning).
  • Or you create your own closed instance, corresponding to your brand.

As you might have guessed, I would advise the second option: since there is no certification on Mastodon, anyone can be anybody. But by creating an instance corresponding to your main domain name, you create that certification yourself!

Of course, .BRAND owners should create social.BRAND so that they have a dedicated instance that allows them to highlight their TLD, for example @pierre.dupont@social.brand.

If you need more information on Mastodon, don’t hesitate to contact us.

Good name, bad product

New product development is exciting – and costly. In addition to the essential R&D, market research and marketing initiatives, all products require a name which is (ideally) distinctive and available. Finding the right name is in itself a costly business that involves many steps: name and logo creation, trademark research, brand validation and strategy, trademark filing and protection. Where you plan to launch, and therefore protect, your product name will determine the costs, which will probably range from $5,000 to $50,000+.

A failed product is a costly error for any company. In addition to the wasted time, the failure can haunt companies for years to come. Now a new museum is opening in Sweden to celebrate these failures and, hopefully, to help companies learn how to succeed.

The Museum of Failure (museumoffailure.se) opens in Helsingborg in June this year with the tag line “Learning is the only way to turn failure into success”. The collection consists of over sixty failed products and services from around the world, many of which have carefully created trademarked names. The founder Samuel West comments that even big and competent companies fail. It is important to create a culture that accepts failure and learns from it.

Here are some of the branded exhibits which have failed for various reasons, ranging from poor design to products that were just plain awful or simply useless.

Examples of failed products

One interesting exhibit on display is a board game called Trump, The Game. It was similar to Monopoly but with Trump dollars, Trump properties and T-shaped game pieces. Trump, The Game was launched in 1989 but sold only 800,000 units instead of the estimated two million copies. It was re-released in 2004 but still failed to impress. It is interesting to note that the original trademark is no longer in force, but a new application was filed in the US at the end of 2016.

Trump, The Game

New extensions: The first signs of a (R)evolution?

Domain name registration strategies sometimes follow reasoning that is hard to understand. “Sheep-like” reasoning, however, is easy to observe.

When Alphabet (Google) used its domain name ABC.XYZ for the first time, a noticeable rise in registrations under this extension was observed. Beyond a simple registration, ABC.XYZ raised a question in the minds of the public, informed or not, about the extension used: “they aren’t in .COM?”

abc.xyz (Alphabet / Google)

ICANN’s new gTLD program has generated many thoughts on naming policy on the web. Until now, these extensions were not well known by the general public, despite the real effort of brands to communicate on this subject: BNP Paribas, Leclerc and AXA, to give French examples, have chosen a dedicated extension.

The creation of new gTLDs makes it possible to register a domain name that gives meaning to the associated activity, whether geographical or by sector.

That way, the following sentence makes more sense: “When I look at the domain name, I know what’s behind it”.

Today, despite this opportunity, few large companies have chosen to use a new extension, and none, to my knowledge, has dropped its former address to move to the new one. This is quite logical. But things that seem unchanging are changing.

DXC, an American company listed on the NYSE, has changed its short three-character domain name dxc.com to dxc.technology. Our colleagues at DNW announced this news. However, the email service has not yet moved to the new extension.

Example of dxc.technology

This information may seem of little importance, but keep in mind the impact it will have on the adoption of new extensions. Simply put, it starts with how important and how safe the extension is for a company to change. Wait for the next step! It may only be the beginning of an underlying trend in communication and naming strategy on the Internet.

The growth of a technological revolution is usually slower than planned, but its impact is often greater… To be continued.

Connected objects: unavoidable in DDoS attacks?


Nowadays consumers use connected objects and are surrounded by them. The Internet of Things (IoT) includes all connected objects, such as a connected refrigerator, sensor, light bulb, security camera, router or even a thermostat. Their common point? They have an IP address and are connected in order to communicate.

According to the American company Gartner, connected objects will reach 20.5 billion units by 2020. We will see impressive growth of the IoT in the years to come.

China, North America and Western Europe will represent 67% of the IoT in 2017.

However, these connected objects frequently ship with security flaws, which is an opportunity for DDoS attacks!

Nowadays, Distributed Denial of Service (DDoS) attacks are frequent. For hackers, it is quite easy to set up an attack against an unprotected target. These attacks can lead to significant financial loss for companies through disruption of service (website or email) or, indirectly, through the harm caused to the target’s image (bad buzz, bad reputation…).

With the arrival of connected objects, the chances of being confronted with DDoS attacks are high.

These attacks make a service unavailable by flooding the system with requests. With the help of connected objects, hackers can send a massive number of requests to one or many DNS servers. They manage to remotely control our objects because of their security flaws. If the DNS servers are not protected by a strong anti-DDoS filter, they risk being unable to absorb the high number of requests and, as a result, will no longer respond to users’ queries.

In October 2016, Dyn, a DNS service provider, was the victim of a DDoS attack carried out by connected devices. Its DNS infrastructure services were unavailable, which then impacted its customers’ services: Twitter, Netflix, Spotify…

Many hours offline for these web pure players have a direct impact on sales revenue. Dyn states that “ten billion IP addresses were touched” by this attack.

Last week, the registrar Melbourne IT was also the victim of a DDoS attack. Some of its customers were affected by this service disruption.

We might see more powerful attacks of this kind in 2017.

In the past, attacks were carried out by computers; today, connected devices are a real weapon. Fortunately, these companies have said they want to reinforce the security of their connected products.

DNS is an absolute priority. It is essential to secure your strategic domain names by using highly secured DNS, so that you have permanent high availability.

Nameshield offers a DNS Premium solution to gain performance and ensure 100% availability.

Let’s talk about DNSSEC

DNSSEC has taken shape and has become essential in the security processes recommended by ANSSI, as well as on the web in general. And yet it is a barbaric term that often scares people, as they do not know how it works or what it is used for. This article will focus on clarifying this term.

The Domain Name System Security Extensions (DNSSEC) are a standardized communication protocol that resolves security problems related to the DNS. We will begin with a reminder of what the DNS is.

What is the DNS?

Simply put, the Domain Name System is rather like an Internet directory. It is a service that translates domain names into IP addresses. It relies on a database distributed across millions of machines. Humans identify, memorize and differentiate names more easily than series of numbers. The DNS was defined and implemented in the 1980s and has become an essential element of the Internet.

How does the DNS work?

The DNS allows a web user to enter a domain name in their web browser to access a website. The browser then “resolves” this domain name to obtain the IP address of the web server hosting the website, and displays it. This is called “DNS resolution”.

DNS resolution

What are the risks related to the DNS?

If the DNS goes down, your websites and emails become unavailable, which is unthinkable nowadays. Other applications within companies can be impacted: VPN access, intranet, cloud, VoIP… everything that potentially needs names resolved to IP addresses. The DNS must be protected and remain highly available.

Even if the DNS protocol was created with security in mind, many security flaws in the DNS protocol have been identified since its creation. The main DNS flaws are described in RFC 3833, published in August 2004: interception of query packets, fake answers, data corruption, DNS cache poisoning and denial of service.

To deal with these vulnerabilities, the DNSSEC protocol was created.

DNSSEC challenges

DNSSEC prevents these various attacks, particularly cache poisoning, by guaranteeing the integrity of the DNS resolution. The challenges DNSSEC has to address are:

  • How to guarantee data integrity and authenticate the DNS actors (resolver, authoritative server) while keeping backward compatibility with the DNS.
  • How to secure access to the requested resource for billions of web users?
  • How to find a solution light enough that it does not overload name servers?

DNSSEC process

To guarantee the integrity of the DNS resolution, DNSSEC builds a chain of trust that goes back to the DNS root (refer to the DNS root server image above). Data is secured by a key mechanism (KSK, Key Signing Key, and ZSK, Zone Signing Key) that signs the DNS records of its own zone. Public keys are sent to the corresponding registry to be recorded; as the registry is itself linked by DNSSEC to the root servers, the chain of trust is built. Each parent DNS zone vouches for the authenticity of its child zones’ keys by signing them.

DNSSEC process: without DNSSEC vs. with DNSSEC
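How a parent zone vouches for a child zone’s KSK, as an added example that is not part of the original article or of Nameshield’s tooling: it computes the RFC 4034 key tag and DS digest and walks a constructed root, fr., example.fr. chain. Zone names and key bytes are constructed, and the parent’s RRSIG over each DS RRset is assumed to have been verified already.

```python
# Added example (not from the original article): how a parent zone vouches
# for a child zone's Key Signing Key (KSK) in DNSSEC. The parent does not
# publish the child's key; it publishes a DS record, a hash of the child's
# DNSKEY, and signs that DS with its own zone keys. A validator that already
# trusts the parent can then check that the DNSKEY it fetched from the child
# matches the parent's DS. Key tag and DS computations follow RFC 4034.
# Every key below is a constructed byte pattern, not real DNSSEC material,
# and the RRSIG check on each DS RRset is omitted (it needs a crypto library).
import hashlib
import hmac
import struct

KSK_FLAGS = 257              # zone key bit (256) + Secure Entry Point bit (1)
ZSK_FLAGS = 256              # zone key bit only
PROTOCOL = 3                 # fixed value for DNSSEC
ALG_ECDSAP256SHA256 = 13     # algorithm number; its public key part is 64 bytes
DS_DIGEST_SHA256 = 2

def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """Wire-format DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | key."""
    return struct.pack("!HBB", flags, PROTOCOL, algorithm) + public_key

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (valid for every algorithm except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def canonical_wire_name(name: str) -> bytes:
    """Owner name in canonical (lowercase, uncompressed) wire form."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def make_ds(owner: str, dnskey: bytes) -> dict:
    """DS record the parent publishes: SHA-256 over owner name + DNSKEY RDATA."""
    digest = hashlib.sha256(canonical_wire_name(owner) + dnskey).digest()
    return {"key_tag": key_tag(dnskey), "algorithm": dnskey[3],
            "digest_type": DS_DIGEST_SHA256, "digest": digest}

def ds_matches(owner: str, dnskey: bytes, ds: dict) -> bool:
    """Validator check: the DNSKEY served by the child hashes to the parent's DS."""
    flags = struct.unpack("!H", dnskey[:2])[0]
    if dnskey[2] != PROTOCOL or not flags & 0x100:
        return False                      # not a usable zone key
    mine = make_ds(owner, dnskey)
    return (mine["key_tag"] == ds["key_tag"] and mine["algorithm"] == ds["algorithm"]
            and hmac.compare_digest(mine["digest"], ds["digest"]))

def verify_chain(chain: list, trust_anchor: bytes) -> bool:
    """Walk from the root down. chain[i] = (zone, its KSK RDATA, DS for that zone
    as published by its parent). The root has no parent, so its KSK must equal
    the configured trust anchor instead of matching a DS."""
    root, root_ksk, _ = chain[0]
    if root != "." or root_ksk != trust_anchor:
        return False
    return all(ds_matches(zone, ksk, ds) for zone, ksk, ds in chain[1:])

# Constructed chain root -> fr. -> example.fr. (byte patterns stand in for keys)
ROOT_KSK = dnskey_rdata(KSK_FLAGS, ALG_ECDSAP256SHA256, bytes(range(64)))
FR_KSK = dnskey_rdata(KSK_FLAGS, ALG_ECDSAP256SHA256, bytes(range(64, 128)))
EXAMPLE_KSK = dnskey_rdata(KSK_FLAGS, ALG_ECDSAP256SHA256, bytes(range(128, 192)))
CHAIN = [
    (".", ROOT_KSK, None),                                        # trust anchor
    ("fr.", FR_KSK, make_ds("fr.", FR_KSK)),                      # DS held by root
    ("example.fr.", EXAMPLE_KSK, make_ds("example.fr.", EXAMPLE_KSK)),  # DS held by fr.
]

if __name__ == "__main__":
    print("key tag of root KSK:", key_tag(ROOT_KSK))
    print("chain of trust valid:", verify_chain(CHAIN, ROOT_KSK))
```

Swapping the example.fr. KSK for any other key makes the last DS comparison fail, which is exactly the cache-poisoning case DNSSEC is meant to catch.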

DNSSEC, Nameshield and you:

DNSSEC operates as an essential protection for your strategic names, guaranteeing the authenticity of DNS answers. It is advisable to identify the names that need to be protected. Not all TLDs offer DNSSEC yet. Here is a list of the main TLDs that do; it may change, with many more coming:

TLDs supporting DNSSEC: .fr, .com, .be, .net, .eu, .pl, .re, .pm, .yt, .wf, .tf, .info, .li, .ch, .biz, .de, .sx, .org, .se, .nl, .in, .us, .at, .nu, .la, .ac, .cz, .me, .sh, .io, .uk, .co.uk, .me.uk, .org.uk.

All new gTLDs, like .paris, .club, .xyz, .wiki and .ink, also support DNSSEC.

DNSSEC is included at no extra cost in the Nameshield DNS Premium offer. Nameshield supports you in this process of securing your intangible assets and manages the whole DNSSEC protocol for you, from key creation to storage and renewal.

It is not the only measure to put in place: the registry lock system, the DNS Premium service and SSL certificates are complementary solutions to implement; we will have the opportunity to discuss them in other articles or at the next nameshield.cafe.

What is the appropriate way to deal with inappropriate content on the internet?

The internet is a great place to find content of all sorts: videos of cats doing crazy stunts, memes, thought-provoking lifestyle messages. But this rich availability also means easy access to a wide variety of inappropriate content.

Inappropriate content means any material that is disturbing, improper or just plain wrong. It can be images of real or simulated violence or of a sexually explicit nature. Recently, concerns have been raised about disturbing YouTube videos. These strongly resemble videos of popular cartoons but contain disturbing and inappropriate content not suitable for children. In some cases the videos are parodies, some are clear cases of copyright infringement where unauthorised use is made of authentic cartoons or characters, and most are simply not aimed at an audience of children.

So what is the best way to deal with cases that you discover?

Google and social media sites offer reporting tools for highlighting inappropriate content and copyright or trademark infringement cases.

A copyright infringement submission is a legal process and is only accepted from the rights owner or their authorised agent. But it is essential to consider whether the content is being used fairly. Fair use generally covers adaptations of original works for the purpose of parody or comment. Parodic uses of copyrighted works are normally justified by freedom of expression, but the key factor is that the public must be able to differentiate between the works. If the content is being used fairly, it is best to avoid submitting what might be considered a false claim, which might even provoke further parodying activity. In summer 2015 the artist Banksy launched the clearly satirical Dismaland, an obvious play on the words and “look and feel” of Disneyland, but Disney (sensibly) remained silent.

Dismaland

Inappropriate or disturbing content should be flagged using the platform’s own system. YouTube takes feedback very seriously; they appreciate people drawing attention to problematic content and make it easy for anyone to flag a video. Flagged videos are manually reviewed 24/7 and any videos that don’t belong are removed within hours. In addition, they have a YouTube Kids app which helps limit access to flagged content.

Of course, no filter is 100% accurate and nothing replaces vigilance. Careful monitoring can help ensure that your copyright-protected content is not being used unfairly, and allows you to submit takedown notices. But there is no product which can ever replace parental awareness.

Towards a 100% encrypted web, the new challenges of HTTPS

Between March 2016 and March 2017, Let’s Encrypt issued 15,270 SSL certificates containing the term “PayPal”; 14,766 of these certificates were issued for domains leading to phishing websites. This is the result of a recent analysis by SSL expert Vincent Lynch.

PayPal: fake or real?

Lynch took a close interest in this case after an interesting article published by Eric Lawrence (Google Chrome Security Team) in January 2017; the image above comes from this article, named “Certified Malice”, which exposes deceptive SSL certificates and counts “only” 709 cases for PayPal, and many more for big American brands: Bank of America, Apple, Amazon, American Express, Chase Bank, Microsoft, Google…

What’s the impact on web users?

In January 2017, Google and Mozilla updated their browsers with Chrome 56 and Firefox 51, and a major change appeared for web users: “Secure” and “Not secure” labels appeared in the address bar.

In 2015, the Let’s Encrypt initiative, supported by big names of the Internet (EFF, Mozilla, Cisco, Akamai…), was created with the purpose of spreading SSL certificates massively and freely to the whole world. A year and a half later, Let’s Encrypt has issued millions of certificates and other initiatives have followed.

Free means little or no verification before certificates are delivered, and an army of cybercriminals rushing to these certificates to secure their illicit content (phishing, malware…) and display the term “secure” in their address bar. How can the average web user easily tell real from fake?

As a reminder, there are three verification levels for certificates that enable HTTPS: Domain Validation (DV), considered low authentication; Organization Validation (OV), with high authentication; and Extended Validation (EV), with strengthened authentication.

Free certificates are DV and represent almost 90% of certificates, most of the time on “small” websites. OV certificates (9%) and EV certificates (1%) are fewer but protect almost all high-traffic websites. GAFA (Google, Apple, Facebook, Amazon), for example, all use OV or EV.

SSL certificates: DV, OV, EV

The problem for web users is the lack of distinction in browsers between DV and OV certificates. These two types are shown the same way, as “secure”, whereas EV certificates display the name of the certificate’s owner in the address bar.

Looking at the image at the beginning of this article, we easily understand the interest of EV for PayPal: to easily differentiate real from fake. This is why Nameshield systematically advises the use of EV for showcase websites, in particular for clients exposed to cybersquatting, phishing or counterfeiting.

Two opposing forces for the future of HTTPS

Sadly, things aren’t so simple, and where logic would like to differentiate clearly between the three types of certificates, or at least two types (DV/OV), Google disagrees and wishes, on the contrary, to remove the EV display altogether. Chris Palmer (Senior Software Engineer for Chrome) subtly confirms this point in his article published here.

Today we are in a situation where the historical Certification Authorities, Microsoft and, to a lesser extent, Apple are facing Google, Mozilla and Let’s Encrypt, in a perspective summarized here:

Google/Mozilla/Let’s Encrypt perspective:

HTTP = not secure
HTTPS = secure

Historical Certification Authorities/Microsoft/Apple perspective:

HTTP = not secure
HTTPS DV = no sign in the address bar
HTTPS OV = secure
HTTPS EV = company’s name in the address bar

Within the highest authority on SSL, the CA/Browser Forum, the discussion is still open at this moment. We can easily understand that Certification Authorities look unfavorably at the end of the visual distinction between DV/OV/EV in browsers, since delivering certificates with high authentication is their purpose, but is that wrong? The aim is to reassure web users by guaranteeing the identity of the website they visit.

On the other side, Google and Let’s Encrypt do not hesitate to say that phishing and guarantees about website content do not depend on Certification Authorities, and that other systems are responsible for that (for example, Google Safe Browsing). We would therefore have to adopt a binary perspective: either exchanges are encrypted and tamper-proof (= HTTPS = secure) or they aren’t (= HTTP = not secure). Faced with this perspective, which can be defended, we may simply wonder whether the problem is not rather a semantic one, with the term “secure” being used.

What does “secure” mean for web users? When they see “secure” in their address bar, do they enter their login/password or credit card numbers? We can assume that yes, they do, and in that case the risk is real. Kirk Hall (Director Policy and Compliance – SSL, Entrust) gave a noted talk at the last RSA conference on this subject (if you have time, the recording is here).

The weight of the financial industry and of big companies, which look unfavorably at the growth of online fraud risk, cannot be neglected, and Google cannot ignore that.

How to reassure web users?

For the time being, we can only encourage you to choose Extended Validation certificates for your showcase websites and/or your e-shop, in order to make web users’ task easier, and to stay informed of what is going on on the web. Reassure and educate web users by mentioning on your website the choices you have made in security and authentication.

Just as you probably monitor domain name registrations on your brands, today you can also monitor certificate registrations so that you can react quickly.

And as a web user, when the term “secure” is shown in the address bar, systematically check the certificate’s details to see who the owner is.
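An added example, not from the original article or from Nameshield: a small triage routine over certificate records in the layout Python’s ssl.SSLSocket.getpeercert() returns, which separates DV from OV/EV by whether the subject names an organisation, and flags brand-term names on domains the brand does not own, the kind of monitoring the two paragraphs above call for. The brand name, the owned domains and the certificate records are constructed.

```python
# Added example (not from the original article): triage of certificate records
# in the dictionary layout that Python's ssl.SSLSocket.getpeercert() returns,
# to (1) tell a DV certificate (subject names only a domain) from an OV/EV one
# (subject names an organisation) and (2) flag certificates whose names contain
# a brand term but sit on a domain the brand does not own, the kind of "PayPal"
# certificates the article counts. All certificate data below is constructed.
# EV cannot be told from OV by the subject alone; browsers rely on the CA's
# policy identifiers, which getpeercert() does not expose.

def subject_field(cert: dict, field: str):
    """Pull one attribute (e.g. 'organizationName') out of a getpeercert() subject."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == field:
                return value
    return None

def validation_level(cert: dict) -> str:
    """DV when only the domain was validated; OV/EV when an organisation is named."""
    return "OV/EV" if subject_field(cert, "organizationName") else "DV"

def san_names(cert: dict) -> list:
    """DNS names the certificate is valid for (subjectAltName DNS entries)."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]

def registrable_domain(name: str) -> str:
    """Last two labels of a host name (simplification: ignores suffixes like co.uk)."""
    return ".".join(name.lower().lstrip("*.").split(".")[-2:])

def suspicious_names(cert: dict, brand: str, owned: set) -> list:
    """Names that mention the brand but are not on a domain the brand controls."""
    return [n for n in san_names(cert)
            if brand.lower() in n.lower() and registrable_domain(n) not in owned]

def triage(certs: list, brand: str, owned: set) -> list:
    """(common name, validation level, suspicious names) for every certificate
    worth a look; certificates entirely on the brand's own domains are skipped."""
    report = []
    for cert in certs:
        hits = suspicious_names(cert, brand, owned)
        if hits:
            report.append((subject_field(cert, "commonName"), validation_level(cert), hits))
    return report

OWNED = {"paypal.com", "paypal.fr"}    # assumed: domains the brand actually owns
SAMPLE_CERTS = [
    {   # constructed: OV/EV-style certificate on the brand's own domain
        "subject": ((("countryName", "US"),), (("organizationName", "PayPal, Inc."),),
                    (("commonName", "www.paypal.com"),)),
        "subjectAltName": (("DNS", "www.paypal.com"), ("DNS", "paypal.com")),
    },
    {   # constructed: DV certificate on a look-alike domain, subject has only a CN
        "subject": ((("commonName", "secure-paypal-login.example"),),),
        "subjectAltName": (("DNS", "secure-paypal-login.example"),
                           ("DNS", "www.secure-paypal-login.example")),
    },
    {   # constructed: unrelated DV certificate, must not be reported
        "subject": ((("commonName", "blog.example.net"),),),
        "subjectAltName": (("DNS", "blog.example.net"),),
    },
]

if __name__ == "__main__":
    for cn, level, names in triage(SAMPLE_CERTS, "paypal", OWNED):
        print(f"{cn}: {level} certificate, brand term on {names}")
```

Real certificate records can be fed in from a Certificate Transparency log feed or from ssl.SSLSocket.getpeercert() on a live connection; the logic is the same.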

The launch of .AFRICA

After more than five years of legal dealings and battles, the South African organization .ZA Central Registry (ZACR) has now been designated to commercialize the Internet extension “.AFRICA”, which will be open to all. As presented by Koffi Djossou, member of UNIFORUM ZACR, future domain names in .AFRICA will “promote African companies, people and culture on the Internet”. Nkosazana Dlamini Zuma, President of the African Union Commission, has already hailed the end of this battle as the moment when Africa “has finally acquired its own digital identity”.

Let us go back over the facts: in the call for applications for new extensions launched by ICANN, there were two applicants for .AFRICA. On one side, the operator of the South African national extension .ZA (ZACR). On the other side, the African-American businesswoman Sophia Bekele, founder of DotConnectAfrica (DCA).

Given the geographical and cultural nature of .AFRICA, the extension could not be sold by auction. So ICANN required the applicants to obtain the support of at least 60% of the governments of the region concerned. ZA Central Registry (ZACR) then benefited from many official supports (39 African governments), including the African Union, while DotConnectAfrica (DCA) was the object of many letters opposing this “dissident application”.

In early 2014, ICANN finally awarded the delegation of the .africa domain to ZA Central Registry (ZACR). That is when this unprecedented judicial marathon began, after DotConnectAfrica (DCA) filed a claim against ICANN for fraud and unfair business practices. DotConnectAfrica (DCA) asked the United States federal court to stop ICANN from delegating the .africa domain to ZA Central Registry (ZACR) during the trial. Even though this last request was finally denied, the claim against ICANN is still ongoing…

This highly political saga ended on February 15th, 2017, but for ZA Central Registry (ZACR) the work begins now: to make .Africa a real banner of the African continent.

Find more information on http://nic.africa/ or contact Nameshield regarding the conditions and the open period for the registration of your .AFRICA.

Alibaba’s use of technology to fight counterfeit reaps first rewards

In December 2016, Alibaba was placed on a US blacklist for fakes. A US industry watchdog called the company’s Taobao website (the world’s largest e-commerce platform) a “notorious” market for counterfeiting and piracy. Now Alibaba is diligently combatting this label. Via a program called Operation “Cloud Sword”, big data technology such as advanced algorithms, machine learning, optical character recognition (OCR) and mapping technologies is used to generate clues that help identify and take down fakes.

In January, Alibaba sued two sellers of fake Swarovski watches, who allegedly link merchants with people willing to falsify purchases and write positive comments on its Taobao e-commerce platform, for violations of goodwill and contract. The company claimed 1.4 million yuan, or about $201,000, in damages. Following Alibaba’s claim, Shenzhen police raided the seller and confiscated about 125 counterfeit watches. Alibaba used gathered and analysed data to identify the counterfeit Swarovski merchants and subsequently purchased a watch from the seller in a test-buy program.

Zheng Junfang, chief platform governance officer of Alibaba Group, said: “We will bring the full force of the law to bear on these counterfeiters so as to deter others from engaging in this crime wherever they are.”