ESET Threat Blog

Archive for the 'Flash' Category

Armor for Social Butterflies


Tuesday, September 8th, 2009

I was speaking with our friend David Perry at Trend Micro about the insecurity of social networking services and what steps users could take to strengthen their security online. In the course of our conversation, we came up with a list of simple steps you could take to better protect yourselves.

  • Be careful about whom you befriend. Many social networking services seem to be structured around an online popularity model, making prominent note of how many friends, links, nodes or other connections you have. This is definitely a smart move on their part, since it not only encourages you to spend more time on their site, but it also greatly reduces their marketing and customer acquisition costs, since you do the work for them. Think about whether or not you really need to add that person to your network before linking to them. While it may be fun to be a social butterfly in the real world, it might be better to be something of an armadillo online.
     
  • Think before you click. Do not take it for granted that URL shortening services like bit.ly and TinyURL are redirecting you to trustworthy web sites. URL shortening is great for micro-blogging services like Twitter; however, because you typically cannot see the destination URL beforehand, there is a certain amount of risk. Also, there is an issue as to what happens to shortened URLs over the life of the service. What happens if they get recycled or hijacked and re-pointed to a new malicious web site? Also, what happens if the business goes under and the domain name gets acquired by a malicious (or merely incompetent) organization? Twitter and Bit.Ly use Google’s Safe Browsing API to check for malicious sites, and TinyURL provides a Preview option which allows you to see the address of a web site before visiting it. While these are good security steps, they are not a replacement for protecting your computer with security software. For additional information, see the following ESET ThreatBlog articles: "Shorteners/Redirectors: short of ideas," "Compressed URLs & Twitter," "TinyURL: The Tiny Terror," and "TinyURL and Anti-Spyware Toolbar." 
  • It’s a matter of trust. Many social networking sites have APIs (application programming interfaces) that allow developers to create various add-ons, plugins, web applications and programs that connect with the service. Just because a social networking site has security and privacy policies does not necessarily mean that third-party tools have them as well, or that they take them as seriously. Know the difference between a social networking site and applications from other parties used to interact with it, and find out what policies each party has with respect to information you might enter, such as your username and password. 
  • Browse differently. Consider using a different web browser to visit social networking web sites. If you normally use the web browser provided by your operating system vendor, consider using one by an independent software provider. While these may not have the same features or look-and-feel as the web browser provided with your operating system, criminals are less likely to take the time to look for exploits in web browsers used by fewer people, and to target them as they do more popular web browsers. Cybercriminals nowadays are in search of a good ROI (return on investment) and it is much more profitable for them to look for holes in a web browser that can be found running on 70% of computers than it is to spend time probing web browsers used by the remaining 30% of users. Whichever browser you pick, keep it patched: a less-targeted browser that is out of date is not a safer one. 
  • Get unplugged. When visiting social networking sites, disable scripting, plugins, Java and Flash and only enable each feature as and when it is needed. Running your web browser in a sandbox or a virtual machine can provide an additional layer of protection as well. 
  • Truth is relative, and so are your relatives. Social networking sites often collect a wide variety of biographical information, not just to allow you to reset your password, but to allow people to find each other on their site. This kind of searchable information is a goldmine for identity fraudsters. So, think about the answers to questions you are being asked, and consider when it might be appropriate to lie a little. For example, the answers to questions about birthdays, mother’s maiden names, first pets and the like are commonly used to reset a password. If the answers to these types of questions are easy to find, it is that much easier for someone to steal your identity, even if you aren’t an Alaskan governor running for the office of Vice-President. If you use false answers, though, consider keeping a small notebook or stack of index cards near your computer to keep track of the data you enter into each social networking site should you ever need to reset your password. For more information about keeping your personally-identifiable information safe, see ESET ThreatBlog article "Honesty Is Not The Best Policy For Password Resets." Keep in mind also that if you aren’t sure of the identity of all your Twitter followers and Facebook buddies, telling the world that you’re on vacation for the next three weeks might be opening the door to a physical intruder. 
  • tRuSt_no_1. Use a strong and a different password for each social networking site. If you have a methodology for creating strong passwords, make sure it is complex and distinctive enough that the accidental disclosure of two or three passwords on social networking sites will not compromise all the others. Because passwords are such an integral part of the computing experience, we frequently discuss them. For additional information you can read the following ESET ThreatBlog articles: "Password Mythology," "Emotions Are Poor Passwords" and "%$^& is Fine for Cussing, But Not a Great Password" as well as ESET’s white paper on creating secure passwords, "Keeping Secrets." 
  • Dial it up to 11. Many social networking sites offer different levels of privacy and security, and the default values are usually to allow others to see your information and contact or otherwise connect with you. While it may seem like overkill to increase the security so that only your peers and friends can see you and to approve all invitations to connect manually, it actually requires far less effort (and embarrassment) than having to de-louse your computer. And it saves you from having to apologize to all your online buddies about the message they received from your stolen credentials asking them to visit web sites containing pictures of naked Hollywood starlets. Note: This may be less of an issue for you if you normally tell your friends to visit these types of web sites. 
  • Make friends with The Man. Many social networking sites have an official security web page, group or address that you can follow, join or otherwise befriend. Stay abreast of site-specific security issues by reading what they have to say. Here are the privacy and security pages for several social networking sites: Digg, Facebook, Friendster, Hi5, MySpace, Orkut, StumbleUpon, Twitter and Xbox LIVE. Keep in mind, though, that the quality of such pages can be highly variable, as is the speed of response from each site. Sometimes, what is best for them commercially may not always be the best for your personal safety. 
  • Staying safer in the aether. If you regularly access social networking sites from a wireless connection make sure you have taken appropriate precautions to secure your computer. For more information, see the ESET ThreatBlog article, "Fly By Wireless." 
  • Advanced tip: Limiting access. More advanced users and network administrators might want to consider using site blocking to limit access to social networking sites, or at least ancillary sites used by programs that interface with them by way of their APIs. This can be done in many ways, such as blocking through the hosts file, using an RBL (real-time block list) in conjunction with your security software and/or gateway router, or even implementing a pseudo-caching DNS server on your network.
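The "Think before you click" item above says you usually cannot see where a shortened link goes. Here is an added example, written for this page and not taken from the original post or from any of the shortener services it names: a Python function that previews the destination by walking the redirect chain with HEAD requests, without loading the final page, and stops on the three things that should make you suspicious of a short link: a redirect to a non-http scheme, a loop, and an unreasonably long chain. The live fetcher uses only the standard library; the demo data is a made-up shortener and tracker (sho.rt, track.example) served from a dictionary so that the module runs offline.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = (301, 302, 303, 307, 308)


class _NoFollow(urllib.request.HTTPRedirectHandler):
    """Make urllib report a 3xx instead of silently following it."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_head(url, timeout=5):
    """One HEAD request; returns (status, Location header or None).

    Live fetcher for real use.  The demo below swaps in a canned one so the
    module runs offline.  A few hosts answer HEAD differently from GET, so
    treat the result as a preview, not a guarantee.
    """
    req = urllib.request.Request(url, method="HEAD")
    opener = urllib.request.build_opener(_NoFollow)
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx all arrive here
        return err.code, err.headers.get("Location")


def expand(url, fetch=http_head, max_hops=5):
    """Walk the redirect chain behind a short URL without loading the final page.

    Returns (chain, verdict).  verdict is 'ok' when the chain ends on a plain
    http(s) response; otherwise it names the problem that stopped the walk.
    """
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in REDIRECT_CODES or not location:
            return chain, "ok"
        nxt = urljoin(chain[-1], location)  # Location may be relative
        chain.append(nxt)
        if urlsplit(nxt).scheme.lower() not in ("http", "https"):
            return chain, "non-http scheme"  # javascript:, data:, file: ...
        if nxt in seen:
            return chain, "redirect loop"
        seen.add(nxt)
    return chain, "too many hops"


def final_host(url, fetch=http_head):
    """Hostname the user would actually land on, or None if the walk was aborted."""
    chain, verdict = expand(url, fetch)
    return urlsplit(chain[-1]).hostname if verdict == "ok" else None


# Constructed stand-in for the network: a made-up shortener (sho.rt) whose
# links bounce through a tracker before landing.  None of these hosts is real.
_CANNED = {
    "http://sho.rt/abc": (301, "http://track.example/r?u=1"),
    "http://track.example/r?u=1": (302, "/landing"),  # relative Location
    "http://track.example/landing": (302, "https://www.example.org/page"),
    "https://www.example.org/page": (200, None),
    "http://sho.rt/loop": (302, "http://sho.rt/loop2"),
    "http://sho.rt/loop2": (302, "http://sho.rt/loop"),
    "http://sho.rt/js": (302, "javascript:alert(1)"),
}


def canned_head(url):
    return _CANNED.get(url, (404, None))


if __name__ == "__main__":
    for short in ("http://sho.rt/abc", "http://sho.rt/loop", "http://sho.rt/js"):
        chain, verdict = expand(short, canned_head)
        print(verdict, " -> ".join(chain))
```

A preview is not a verdict: a destination that is clean now can be re-pointed later, which is exactly the recycling problem described above. Use the expanded hostname together with a reputation check (the Safe Browsing lookup that Twitter and bit.ly perform), not instead of one.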
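For the first option in the advanced tip, hosts-file blocking, here is an added example (mine, not from the original post): Python helpers that add a managed, idempotent block of sinkhole entries to hosts-file text, validate the hostnames first, and answer "is this host sinkholed?" the way the resolver would. The sample hosts content and the domains (social.example, addon.example) are constructed. The point it makes that the tip does not: the hosts file has no wildcards, so every subdomain an add-on's API uses must be listed individually, which is why the RBL and DNS options scale better.

```python
import re

SINK = "0.0.0.0"  # conventional sink address for hosts-based blocklists
BLOCK_BEGIN = "# BEGIN managed social-network block"
BLOCK_END = "# END managed social-network block"

# RFC 1123 label rules: reject junk before it reaches the hosts file.
_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
_HOSTNAME_RE = re.compile(rf"^{_LABEL}(\.{_LABEL})+$")

# Constructed sample hosts file.
SAMPLE_HOSTS = """127.0.0.1 localhost
::1       localhost ip6-localhost
# corporate intranet
10.0.0.5  wiki.corp.example
"""


def parse_hosts(text):
    """Map hostname -> address from hosts-file text.

    Comments are ignored and, as in the resolver, the first entry for a name wins.
    """
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            table.setdefault(name.lower(), addr)
    return table


def with_block(text, domains):
    """Return hosts text with a managed block sinkholing `domains`.

    Re-running replaces the previous managed block instead of appending to it,
    so the function is safe to call from a script on every run.
    """
    lines = text.splitlines()
    if BLOCK_BEGIN in lines and BLOCK_END in lines:
        start, end = lines.index(BLOCK_BEGIN), lines.index(BLOCK_END)
        del lines[start:end + 1]
    block = [BLOCK_BEGIN]
    for name in sorted({d.strip().lower().rstrip(".") for d in domains}):
        if not _HOSTNAME_RE.match(name):
            raise ValueError(f"not a valid hostname: {name!r}")
        block.append(f"{SINK} {name}")
    block.append(BLOCK_END)
    return "\n".join(lines + block) + "\n"


def is_sinkholed(text, host):
    """True if `host` resolves to a sink address via this hosts text.

    There are no wildcards: api.social.example is NOT covered by an entry for
    social.example, so every hostname must be listed on its own.
    """
    return parse_hosts(text).get(host.lower()) in (SINK, "127.0.0.1", "::1")


if __name__ == "__main__":
    updated = with_block(SAMPLE_HOSTS, ["social.example", "api.social.example",
                                        "cdn.addon.example"])
    print(updated)
    for host in ("api.social.example", "m.social.example"):
        print(host, "sinkholed" if is_sinkholed(updated, host) else "NOT sinkholed")
```

Write the result back to /etc/hosts (or the equivalent file under the Windows system directory) with administrator rights. Applications that bypass the hosts file by using their own DNS client or a hard-coded IP address are not stopped by this; that case needs the gateway or DNS-level blocking the tip also mentions.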

Social networking sites are meant to be fun places where you can network and spend time online with your friends. However, the Internet is just like the real world when it comes to which neighborhoods you choose to spend time in. Keep aware of your surroundings and protect yourself appropriately. For further information about staying safe online, I would suggest, as a jumping off point, visiting Securing Our eCity, a public and private initiative in which ESET and other companies, organizations and agencies participate.

Regards,
 
Aryeh Goretsky MVP, ZCSE
Distinguished Researcher

Adobe Flash Settings


Wednesday, August 5th, 2009

As I previously pointed out (http://www.eset.com/threat-center/blog/2009/08/04/calling-adobe%E2%80%99s-bluff), Adobe is at best deceptive about claims of the security and privacy of Flash.

Even if you do not know what Flash is or how to find it, you probably have it on your computer. If you open Control Panel and go to the “Add or Remove Programs” application you will probably see it listed there. There could be a few entries. There is “Adobe Flash Player 10 ActiveX” for Internet Explorer and “Adobe Flash Player Plugin” for Firefox. In my limited testing, it appears that configuring Flash in one browser takes care of both if you have multiple browsers installed.
If you click on an Adobe Flash Player entry in add or remove programs, then you will see a link that says “Click here for support information”. Clicking that link will bring up a box with the version information. It is a good idea to make sure that you have the most current version.

Flash has had vulnerabilities that were real security problems for people. Flash is installed without regard to user privacy. Flash can be configured, but most people do not know how. In fact you have to go to http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager.html in order to configure your Flash player.

If Adobe cared about privacy and security then these settings would be presented upon installation. These settings should be configurable from your computer without requiring web access.

Once you are at the settings manager on macromedia.com, you need to go through several panels.

The “Global Privacy Settings Panel” allows you to prevent access to your microphone and web cam, or be prompted each time there is an attempt to access these devices. The panel does not show which option is currently enabled, even after selecting an option.

The “Global Storage Settings” panel lets you specify how much space a new website can use on your computer. Some space is required at times. Additionally you can prevent third-party websites from storing Flash content on your computer by unchecking the box that says “Allow third-party Flash content to store data on your computer.” Finally you can choose whether or not to store common Flash components to reduce download time. For more information about these choices, read the information under the settings manager.

The “Global Security Settings” panel allows you to prevent one website from letting another website access your computer. For both privacy and security I recommend against allowing this.

The “Global Notifications Settings” panel will allow you to change the default time period for checking for updates. I set mine to every 7 days since there is not an option to check every day. Given the rash of vulnerabilities recently found in Adobe products it is prudent to update as frequently as possible.
The “Website Privacy Settings” panel allows you to set specific camera and microphone settings for websites you have already visited. If you trust a website that uses your microphone and camera, then let that one access the devices, not all websites.

Finally, the “Website Storage Settings” panel allows you to delete all of the cookies and other stuff you never authorized to be stored on your computer in the first place, and Adobe didn’t think it was important to let you choose if this could happen when you installed Flash.

I choose to be prompted before a site can store data on my computer. I also choose not to let one website let another website access my computer. If it breaks a Flash application then I simply didn’t need that application enough to use it.

Randy Abrams
Director of Technical Education

Ditch Adobe?


Tuesday, August 4th, 2009

Stephen Northcutt, with the SANS Technology Institute, suggested the following in the SANS NewsBites Vol. 11 Num. 61:

[Editor's Note (Northcutt): I think organizations should avoid Adobe if possible.  Adobe security appears to be out of control, and using their products seems to put your organization at risk. Try to minimize your attack surface. Limit the use of Adobe products whenever you can.]

Limiting the use of software is always good advice, but should you remove Adobe products from your computer? Given the prevalence of Flash and PDF files that might be a bit drastic, although there are other PDF readers available.

Adobe has had a rash of security vulnerabilities found in their products recently. I don’t think you have to get rid of the Adobe Reader, but there are some smart precautions you can take to make it more secure.

The first step is to make sure you have the most current version of Adobe Reader. Under the help menu, select about and it will tell you the version number. If you do not have version 9, then you may need to go to www.adobe.com and download the latest version. If you do have version 9, then under the help menu select “Check for Updates” so that you have the latest version of version 9. As of this writing it is version 9.1.3 or version 9.1.2.82. You see, when I click on the words “Version 9.1.3” it then changes to “Version 9.1.2.82”. So, the safest thing is to check for updates. By default Adobe Reader checks for updates every week, but with the recent security problems it is best to check for updates now and every day that you use the reader.

The next step is to go to the Edit menu and select Preferences. On the left side click on the word JavaScript. On the right side uncheck the box that says “Enable JavaScript”. Most people will never notice that JavaScript is not enabled. There are some legitimate PDF files with JavaScript, but it rarely, if ever, is needed to use the document. Many security problems with Adobe Reader would have been avoided if Adobe had disabled JavaScript by default. You will know that Adobe has taken security seriously when they start disabling JavaScript by default.

The next step is to click on “Multimedia (Legacy)”. This is on the left side again. There will be a list of media players on the right side. You will see things like “Permission for Windows Built-In Player is set to allow”. Click on each of these and either choose prompt or disable. You do need to click on each one and change the setting though.

The next step is to return to the left side and click on “Security (Enhanced)”. Check the box that says Enable Enhanced Security.

The final step is to not open PDF files that come from unknown senders or that you are not expecting from a known sender. Ask the sender if they sent it before you open the PDF if you were not expecting it. Why ask the sender? Email addresses can be spoofed. Just because it says Mom@aol.com it doesn’t mean that it really came from mom.

All of these steps combined will make Adobe Reader much safer to use and in most cases it will not impair the functionality of the PDF files you read.
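To give the JavaScript step above something concrete, here is an added example, written for this page and not Adobe's tooling or the author's: a small Python triage script that looks inside a PDF for the names that make a document do something when opened (JavaScript, OpenAction, Launch, RichMedia and so on) before you decide to open it. Two details matter for a check like this: PDF name objects may spell any character as a #xx hex escape, so a grep for the literal string /JavaScript is trivially evaded, and objects may sit inside Flate-compressed streams, so the raw bytes have to be inflated as well. The sample PDFs are constructed inline and skeletal (no xref table), and the list of "active" names is my selection, not a complete catalogue. The script does not handle encrypted documents or streams with stacked filters, which a production scanner would need.

```python
import re
import sys
import zlib
from collections import Counter

# Names that mean "this document does something", not "this document shows text".
ACTIVE_NAMES = {
    b"JavaScript",    # /S /JavaScript action
    b"JS",            # the script itself
    b"OpenAction",    # runs when the document opens
    b"AA",            # additional actions (page open, mouse, form events)
    b"Launch",        # starts an external program
    b"EmbeddedFile",  # attachment that can be extracted and run
    b"RichMedia",     # Flash embedded in the PDF
}

# A PDF name is '/' followed by regular characters (no whitespace or delimiters).
_NAME_RE = re.compile(rb"/([^\s()<>\[\]{}/%]+)")
# Any byte in a name may be written as #xx, so /J#61vaScript == /JavaScript.
_HEX_RE = re.compile(rb"#([0-9A-Fa-f]{2})")
_STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def canonical_name(name):
    """Undo #xx escapes so obfuscated names compare equal to plain ones."""
    return _HEX_RE.sub(lambda m: bytes([int(m.group(1), 16)]), name)


def _inflated_streams(data):
    """Bodies of streams that decompress as Flate.  Objects hidden in object
    streams or compressed dictionaries are invisible to a raw byte scan."""
    for m in _STREAM_RE.finditer(data):
        try:
            yield zlib.decompress(m.group(1))
        except zlib.error:
            continue  # image data or another filter; skip


def scan_pdf(data):
    """Return {name: count} for every active-content name found in the raw
    bytes and inside Flate streams (stacked filters, nested object streams and
    encrypted documents are out of scope)."""
    found = Counter()
    for segment in (data, *_inflated_streams(data)):
        for m in _NAME_RE.finditer(segment):
            name = canonical_name(m.group(1))
            if name in ACTIVE_NAMES:
                found[name.decode("ascii")] += 1
    return dict(found)


def is_suspicious(data):
    """Any active-content name is reason to ask the sender before opening."""
    return bool(scan_pdf(data))


def _pdf(*objects):
    # Constructed skeleton (no xref table); enough for a byte scanner.
    return b"%PDF-1.4\n" + b"".join(objects) + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


BENIGN_PDF = _pdf(
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n",
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n",
    b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n",
)

# Constructed: the action name is hex-escaped to dodge a naive grep for /JavaScript.
OBFUSCATED_JS_PDF = _pdf(
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n",
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n",
    b"4 0 obj << /S /J#61vaScript /JS (app.alert('hello')) >> endobj\n",
)

# Constructed: the same action dictionary, but inside a Flate-compressed stream.
_HIDDEN = zlib.compress(b"4 0 obj << /S /JavaScript /JS (app.alert('hello')) >> endobj\n")
COMPRESSED_JS_PDF = _pdf(
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n",
    b"5 0 obj << /Type /ObjStm /Filter /FlateDecode /Length %d >>\nstream\n" % len(_HIDDEN)
    + _HIDDEN + b"\nendstream\nendobj\n",
)


if __name__ == "__main__":
    # Usage: python pdf_triage.py file.pdf ...  (no arguments: scan the built-in samples)
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                print(path, scan_pdf(fh.read()))
    else:
        for label, blob in (("benign", BENIGN_PDF), ("obfuscated", OBFUSCATED_JS_PDF),
                            ("compressed", COMPRESSED_JS_PDF)):
            print(label, scan_pdf(blob))
```

A hit does not prove malice; it says the file carries active content and deserves the "ask the sender" treatment described above, with JavaScript disabled in the reader as a second line of defence.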

In a future article I’ll discuss Adobe Flash in more detail.

Randy Abrams
Director of Technical Education

Calling Adobe’s Bluff


Tuesday, August 4th, 2009

Dear Adobe,

It is time to put up or shut up. Your web site FAQ http://www.adobe.com/products/flashplayer/security/privacy_policy/faq.html has the following entry:

Does Flash Player compromise my privacy and security?

No. Flash Player is not only the most widely distributed piece of software on the Internet today, it’s also one of the most secure. Given that Flash Player is in use by over 500 million internet users we invest considerable effort into keeping Flash Player safe and secure.

In the past, vulnerabilities in Flash have compromised the security of users. Are you going to guarantee there will be no more Flash vulnerabilities that are exploited?

It seems to me that the statement is misleading. As for privacy, Flash can compromise privacy and most users do not know when it happens or how to prevent it.

How about answering the question “Does Flash Player compromise my privacy and security?” honestly? The honest answer is that it can compromise both.

Randy Abrams
Director of Technical Education

More Adobe Update Information


Tuesday, July 28th, 2009

Adobe has issued an important announcement, much of it concerning the impact on Adobe products used as Internet Explorer plug-ins of the vulnerabilities in the Microsoft Active Template Library (ATL) flagged as CVE-2009-0901, CVE-2009-2395 and CVE-2009-2493 and described in Microsoft Security Advisory (973882). 

It appears that Flash Player and Shockwave Player "leverage" vulnerable versions of ATL.

According to Adobe, the Adobe Reader browser plug-in for Internet Explorer, Connect Pro, Flash Lite for mobile devices, LiveCycle SAP Forms and other products are not subject to the above vulnerabilities. Flash Player within Firefox and other browsers (apart from IE) does not share the vulnerabilities, and neither do Flash Player and Shockwave Player on Macintosh, Linux and Solaris.

The latest version of Shockwave Player, which is now available for download (http://get.adobe.com/shockwave), has been patched. The Flash Player vulnerability will be patched in the update due on July 30, 2009.

Sensibly, Adobe recommend the installation of the MS09-034 security update, which provides mitigation against the vulnerabilities in the relevant versions of ATL.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter: http://twitter.com/esetresearch
ESET White Papers Page: http://www.eset.com/download/whitepapers.php

Securing Our eCity community initiative: http://www.securingourecity.org/