Newsletter - Short URL services and Memorable Phrase - SSO-NL2011-011

17 November 2011

Newsletter November 2011 (File size: 990Kb)

Overview

The purpose of the Newsletter is to provide general advice about online security issues and help you learn to better manage the security of your computer and information when online. This month’s newsletter will cover some of the types of scams used on Facebook and social media.

Feedback

Thank you to everyone who provided feedback in response to our SSO Alerts, Advisories and Newsletters. This feedback helps us to gauge how useful the service is and how it can be improved.

The dangers associated with shortened URLs (links)

When someone talks about a web link or URL (Uniform Resource Locator) they are normally talking about the address that you type into a web browser to access a web page. Some examples are:

• http://www.staysmartonline.gov.au/alerts
• http://www.facebook.com
• http://www.twitter.com

These URLs are made up of different parts. Each part provides information about how your computer’s web browser should go about getting the information that you requested. Here are the three main parts:

1) “http” – this describes the method or language that your computer should use to talk to the website. Another common one is https – the “s” stands for secure. It should be used to protect your privacy when talking to websites where you have personal information such as Facebook or your bank.
2) “www.staysmartonline.gov.au” – this part is who your computer should be talking to, in this case it is the Stay Smart Online website.
3) “/alerts” – this part of the URL tells the web server which specific page you want to view on that website. The length of this last part can be very long depending on how much information the web server needs to know what page to give you.

When all three of these parts are put together the resulting URL can easily become over 100 characters long. This is not normally a problem when you just have to click a link, but if you want to pass the URL to a friend, send it in an email without it going over multiple lines, or if you are using a service like twitter which limits you to 140 characters, this can be a problem.

To solve this problem people have created methods to “shorten” links. These services don’t actually shorten the URL in question. When someone visits one of these short URLs, the user is redirected to the full long URL without having to type the long URL.

Image 1 – Google Maps Link

A good example of this can be found at Google Maps. If you search for a place on Google Maps and find the location you want to send to a friend, what can you do? Well Google has put a small chain link icon (see above) on the top right of the page (next to the Print and Email icons). This allows you to copy a link that will take people directly to that specific location. Here is an example link for Parliament House:

http://maps.google.com.au/maps?q=Parliament+of+Australia,+Canberra,+Australian+Capital+Territory&hl=en&ll=-35.30785,149.125392&spn=0.009298,0.011888&sll=-35.282,149.128684&sspn=0.037205,0.04755&vpsrc=6&hq=Parliament+of+Australia,+Canberra,+Australian+Capital+Territory&t=h&z=17

As you can see, that is a VERY long URL. To solve the problem of a long and complicated URL, Google provides a link shortening service. If you use it by clicking the “Short URL” checkbox, you end up with a link like the following (see below): http://g.co/maps/k25kd

Image 2 – Google Maps Short Link

Aside from Google, there are a number of other companies who provide link shortening services. Some of the others are:

• http://tinyurl.com/

• http://bitly.com/

• http://is.gd/

• http://goo.gl/

These sorts of sites can be very useful if you find yourself in a situation like above, where you need to give someone a very long URL.

The main security problem with these shortened web links (or URLs) is that you have no way of knowing where the link will take you just by looking at it. Normally you would want the short URL to take you directly to the end site, however that may not always be the case. The following are some examples of what could actually happen with short links:

1) Normal behaviour

• Short URL → Real Web Site

2) Malicious Site

• Short URL → Malicious Web Site

3) Malicious Re-direct

• Short URL → Malicious Web Site → Real Web Site

4) Malicious Man in the Middle

• Short URL → Malicious Web Site (pretending to be Real Web Site)

There are probably many other ways that malicious content could find its way into the path taken from a short URL.

To protect against this sort of attack there are three main things that you can do. Firstly you should keep your operating system, web browser, other software and virus scanner up to date. This will mean that if you happen to visit a malicious site (either from a shortened web link or not) there will be less chance that your computer can be attacked.

Secondly, you should treat shortened web links with a little more caution than you otherwise might. Consider whether you know where the link should be taking you from the context. Did the link come from a friend? If the link is related to money or personal information it should probably be avoided. For example if the link was in an email from (or pretending to be from) Facebook or your bank then there is a large chance that it is malicious.

Thirdly, there are some ways that you can find out what the short link actually redirects you to. Some web browsers have plugins available to enable either automatic or manual unshortening, which will tell you the real web link that is being disguised. If you do not want to use one of these, or if one is not available for your web browser, then some websites will display the unshortened URL for you. Some examples of these websites are:

• http://longurl.org/

• http://www.longurlplease.com/

• http://www.unshorten.com/

These services will not stop malicious web sites, but they will allow you to see what the short URL is actually taking you to so you can make an informed decision about whether you want to visit the site or not.

A reminder about your memorable phrase

As new subscribers are constantly signing up to this service, it is timely to again remind subscribers that the memorable phrase is not a password and is not secret information; nor is it meant to be treated as secret.

If you have opted to receive Stay Smart Online alerts, advisories and/or newsletters by email, the top of your email will show the memorable phrase which you chose when you set up your profile, as shown in the email below.

Image 3 – Example Memorable Phrase in an Email

Every memorable phrase is unique and is created by the subscriber, so your memorable phrase will be different to the one above. If your memorable phrase is the same as your password for any online account you have, then it is recommended you change those passwords because people who know your memorable phrase may be able to more easily guess your passwords.

Unfortunately some criminals try to impersonate legitimate and trusted organisations in order to fool a person into doing something, which ultimately harms their computer’s security and their personal interests. The memorable phrase is a mechanism that helps prevent this.

The memorable phrase is a way to help verify, with reasonable reliability, that emails sent by the Stay Smart Online Alert Service, are legitimate and really were sent by the people who operate this service. The memorable phrase is not a guarantee that emails, which include your memorable phrase, are legitimate and were sent by us, but it is a good indicator they are. Certainly if you ever happen to receive an email that “appears” to be from the Stay Smart Online Alert Service that does not include your memorable phrase then it should be regarded as fraudulent and deleted.

For a more detailed explanation about the purpose and significance of the memorable phrase, read the FAQ (Frequently Asked Questions) on this topic.

Another way to check if emails sent by the Stay Smart Online Alert Service are legitimate is to check on the web site www.ssoalertservice.net.au. All alerts, advisories and newsletters sent via email are posted to the web site at the same time.

We have not had any reports that criminals have attempted to impersonate the Stay Smart Online Alert Service at this time.

Disclaimer

This Newsletter has been prepared by AusCERT for the Department of Broadband, Communications and the Digital Economy.

The information is intended for used by home users and small to medium sized businesses and is general information only and not intended as advice and was accurate and up to date at the time of publishing. The material and informationin this Newsletter is not adapted to any particular person's circumstances and therefore cannot be relied upon to be of assistance in any particular case. In any important matter, you should seek professional advice relevant to your own circumstances.

The Commonwealth, AusCERT, and all other persons associated with this Newsletter accept no responsibility or liability for information either included or referred to in the Newsletter. No responsibility or liability is accepted for any damage, loss or expense incurred as a result of the information contained in the Newsletter, whether by way of negligence or otherwise.

The listing of a person or organisation in any part of this site or Newsletter does not imply any form of endorsement by the Commonwealth of the products or services provided by that person or organisation. Similarly, links to other web sites have been inserted for your convenience and do not constitute endorsement of material at those sites, or any associated organisation, product or service.

Please note that material in this Newsletter, as the case may be, includes views or recommendations of third parties, which do not necessarily reflect the views of the Commonwealth, or indicate its commitment to particular course of action. Material on this site or in this Newsletter may also include information provided by third parties. The Commonwealth cannot verify the accuracy of information that has been provided by third parties.

		SEARCH
Home Advisories Alerts Newsletters Subscribe or Log In Visit Stay Smart Online	Larger text Smaller text You are here: Stay Smart Online Alert Service > Server applications > Newsletter - Short URL services and Memorable Phrase - SSO-NL2011-011 Newsletter - Short URL services and Memorable Phrase - SSO-NL2011-011 17 November 2011 Newsletter November 2011 (File size: 990Kb) Overview The purpose of the Newsletter is to provide general advice about online security issues and help you learn to better manage the security of your computer and information when online. This month’s newsletter will cover some of the types of scams used on Facebook and social media. Feedback Thank you to everyone who provided feedback in response to our SSO Alerts, Advisories and Newsletters. This feedback helps us to gauge how useful the service is and how it can be improved. The dangers associated with shortened URLs (links) When someone talks about a web link or URL (Uniform Resource Locator) they are normally talking about the address that you type into a web browser to access a web page. Some examples are: • http://www.staysmartonline.gov.au/alerts • http://www.facebook.com • http://www.twitter.com These URLs are made up of different parts. Each part provides information about how your computer’s web browser should go about getting the information that you requested. Here are the three main parts: 1) “http” – this describes the method or language that your computer should use to talk to the website. Another common one is https – the “s” stands for secure. It should be used to protect your privacy when talking to websites where you have personal information such as Facebook or your bank. 2) “www.staysmartonline.gov.au” – this part is who your computer should be talking to, in this case it is the Stay Smart Online website. 3) “/alerts” – this part of the URL tells the web server which specific page you want to view on that website. The length of this last part can be very long depending on how much information the web server needs to know what page to give you. When all three of these parts are put together the resulting URL can easily become over 100 characters long. This is not normally a problem when you just have to click a link, but if you want to pass the URL to a friend, send it in an email without it going over multiple lines, or if you are using a service like twitter which limits you to 140 characters, this can be a problem. To solve this problem people have created methods to “shorten” links. These services don’t actually shorten the URL in question. When someone visits one of these short URLs, the user is redirected to the full long URL without having to type the long URL. Image 1 – Google Maps Link A good example of this can be found at Google Maps. If you search for a place on Google Maps and find the location you want to send to a friend, what can you do? Well Google has put a small chain link icon (see above) on the top right of the page (next to the Print and Email icons). This allows you to copy a link that will take people directly to that specific location. Here is an example link for Parliament House: http://maps.google.com.au/maps?q=Parliament+of+Australia,+Canberra,+Australian+Capital+Territory&hl=en&ll=-35.30785,149.125392&spn=0.009298,0.011888&sll=-35.282,149.128684&sspn=0.037205,0.04755&vpsrc=6&hq=Parliament+of+Australia,+Canberra,+Australian+Capital+Territory&t=h&z=17 As you can see, that is a VERY long URL. To solve the problem of a long and complicated URL, Google provides a link shortening service. If you use it by clicking the “Short URL” checkbox, you end up with a link like the following (see below): http://g.co/maps/k25kd Image 2 – Google Maps Short Link Aside from Google, there are a number of other companies who provide link shortening services. Some of the others are: • http://tinyurl.com/ • http://bitly.com/ • http://is.gd/ • http://goo.gl/ These sorts of sites can be very useful if you find yourself in a situation like above, where you need to give someone a very long URL. The main security problem with these shortened web links (or URLs) is that you have no way of knowing where the link will take you just by looking at it. Normally you would want the short URL to take you directly to the end site, however that may not always be the case. The following are some examples of what could actually happen with short links: 1) Normal behaviour • Short URL → Real Web Site 2) Malicious Site • Short URL → Malicious Web Site 3) Malicious Re-direct • Short URL → Malicious Web Site → Real Web Site 4) Malicious Man in the Middle • Short URL → Malicious Web Site (pretending to be Real Web Site) There are probably many other ways that malicious content could find its way into the path taken from a short URL. To protect against this sort of attack there are three main things that you can do. Firstly you should keep your operating system, web browser, other software and virus scanner up to date. This will mean that if you happen to visit a malicious site (either from a shortened web link or not) there will be less chance that your computer can be attacked. Secondly, you should treat shortened web links with a little more caution than you otherwise might. Consider whether you know where the link should be taking you from the context. Did the link come from a friend? If the link is related to money or personal information it should probably be avoided. For example if the link was in an email from (or pretending to be from) Facebook or your bank then there is a large chance that it is malicious. Thirdly, there are some ways that you can find out what the short link actually redirects you to. Some web browsers have plugins available to enable either automatic or manual unshortening, which will tell you the real web link that is being disguised. If you do not want to use one of these, or if one is not available for your web browser, then some websites will display the unshortened URL for you. Some examples of these websites are: • http://longurl.org/ • http://www.longurlplease.com/ • http://www.unshorten.com/ These services will not stop malicious web sites, but they will allow you to see what the short URL is actually taking you to so you can make an informed decision about whether you want to visit the site or not. A reminder about your memorable phrase As new subscribers are constantly signing up to this service, it is timely to again remind subscribers that the memorable phrase is not a password and is not secret information; nor is it meant to be treated as secret. If you have opted to receive Stay Smart Online alerts, advisories and/or newsletters by email, the top of your email will show the memorable phrase which you chose when you set up your profile, as shown in the email below. Image 3 – Example Memorable Phrase in an Email Every memorable phrase is unique and is created by the subscriber, so your memorable phrase will be different to the one above. If your memorable phrase is the same as your password for any online account you have, then it is recommended you change those passwords because people who know your memorable phrase may be able to more easily guess your passwords. Unfortunately some criminals try to impersonate legitimate and trusted organisations in order to fool a person into doing something, which ultimately harms their computer’s security and their personal interests. The memorable phrase is a mechanism that helps prevent this. The memorable phrase is a way to help verify, with reasonable reliability, that emails sent by the Stay Smart Online Alert Service, are legitimate and really were sent by the people who operate this service. The memorable phrase is not a guarantee that emails, which include your memorable phrase, are legitimate and were sent by us, but it is a good indicator they are. Certainly if you ever happen to receive an email that “appears” to be from the Stay Smart Online Alert Service that does not include your memorable phrase then it should be regarded as fraudulent and deleted. For a more detailed explanation about the purpose and significance of the memorable phrase, read the FAQ (Frequently Asked Questions) on this topic. Another way to check if emails sent by the Stay Smart Online Alert Service are legitimate is to check on the web site www.ssoalertservice.net.au. All alerts, advisories and newsletters sent via email are posted to the web site at the same time. We have not had any reports that criminals have attempted to impersonate the Stay Smart Online Alert Service at this time. Disclaimer This Newsletter has been prepared by AusCERT for the Department of Broadband, Communications and the Digital Economy. The information is intended for used by home users and small to medium sized businesses and is general information only and not intended as advice and was accurate and up to date at the time of publishing. The material and informationin this Newsletter is not adapted to any particular person's circumstances and therefore cannot be relied upon to be of assistance in any particular case. In any important matter, you should seek professional advice relevant to your own circumstances. The Commonwealth, AusCERT, and all other persons associated with this Newsletter accept no responsibility or liability for information either included or referred to in the Newsletter. No responsibility or liability is accepted for any damage, loss or expense incurred as a result of the information contained in the Newsletter, whether by way of negligence or otherwise. The listing of a person or organisation in any part of this site or Newsletter does not imply any form of endorsement by the Commonwealth of the products or services provided by that person or organisation. Similarly, links to other web sites have been inserted for your convenience and do not constitute endorsement of material at those sites, or any associated organisation, product or service. Please note that material in this Newsletter, as the case may be, includes views or recommendations of third parties, which do not necessarily reflect the views of the Commonwealth, or indicate its commitment to particular course of action. Material on this site or in this Newsletter may also include information provided by third parties. The Commonwealth cannot verify the accuracy of information that has been provided by third parties.
	Last Updated: 2011-11-17 Copyright \| Privacy \| Disclaimer