ESET Threat Blog

Archive for the 'Twitter' Category

PleaseRobMe


Thursday, February 18th, 2010

We seem to have pointed out rather often recently that giving away lots of information on Facebook, Twitter and other social network sites isn't a good idea.

PleaseRobMe claims, somewhat amusingly, to be a resource for burglars, saving them the trouble of searching through Twitter and Foursquare for information on whose house is currently unoccupied. In fact, what it's doing is scooping the info from Twitter et al.

More (with links) at http://avien.net/blog/?p=442.

David Harley CISSP FBCS CITP
Director of Malware Intelligence

ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter:
http://twitter.com/esetresearch http://twitter.com/ESETblog
ESET White Papers Page: http://www.eset.com/download/whitepapers.php

Securing Our eCity community initiative: http://www.securingourecity.org/

Also blogging at:
http://smallbluegreenblog.wordpress.com/
http://avien.net/blog
http://blogs.securiteam.com
http://blog.isc2.org/
http://macvirus.com/

Twitter and I


Saturday, January 30th, 2010

I just received another request to follow me on Twitter on a protected account, so perhaps it's time I clarified what all those accounts that are and aren't in my signature are for.

@dharleyatESET is a protected account largely for work purposes. I only accept requests to follow from people who really need to know (sometimes) what I'm doing and where I'm doing it. It's hardly ever used, so unless you work quite closely with me, you're not missing anything.

@esetresearch is the official twitter account for this blog: any of the people who blog here may use it. @ESETblog was originally set up for the same purpose: it's now strictly speaking a personal account, and at some point I'll get around to renaming it. @dharleyatAVIEN is, unsurprisingly, the account I use for AVIEN work, but I usually send infosec retweets, blog and white paper info to all three accounts, so you probably wouldn't want to follow all three of them.

(Why have three then? Because it's the easiest way to ensure that everyone who follows just one of those accounts gets the same alerts.)

@ESETLLC sends out lots of technical information and updates including retweets of stuff that . @ESET isn't the research team: it posts some marketing information, but also points to interesting security stories from non-ESET sources.

If you do follow any of my accounts, you'll probably notice that I often don't notice when people try to engage me in conversation on Twitter (and other social networking media). I'm afraid I have an old-fashioned preference for email or IM for that. Partly because at any one time I usually have at least two machines running and multiple windows open on each. Sad, huh?

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

Cybersecurity Awareness Month – Awareness for the Next Generation


Thursday, October 1st, 2009

"Now may I suggest some of the things we must do if we are to make the American dream a reality. First, I think all of us must develop a world perspective if we are to survive. The American dream will not become a reality devoid of the larger dream of brotherhood and peace and goodwill. The world in which we live is a world of geographical oneness…" - Dr. Martin Luther King, from a speech delivered at Lincoln University, Pennsylvania, June 6, 1961

If Dr. King had still been alive today to see the wonders of the global connectivity of the Internet, he would probably consider the quoted portion of his speech as a "statement before its time."

Today the global Internet penetration rate stands at approximately 24%. With a global population of 6.7 billion, that equates to roughly 1.6 billion Internet users across the globe. At this level of penetration, cybercrime has become pervasive, pandemic and increasingly connected with other parts of the criminal ecosystem. It ranges from the theft of an individual’s identity to the complete disruption of a country’s Internet connectivity by a massive distributed attack against its networking and computing resources.

With the remaining 5 billion users to connect to the Internet, there are significant challenges – one of which is cybercrime (via its many methods). There are technological preventative measures that help mitigate cybercrime attacks, but technology alone is not the answer.

The next one billion users on the Internet will not come from developed countries, but mostly from developing countries. Awareness, even at a basic level, of the various types of risks and cybercrime attacks can yield positive results, because the weakest link in the “security chain” is, correctly, always identified as the end user. Cybercriminals will regard the additional one billion Internet users as “fresh targets”.

Cybercrime centers on information – the data that is electronically stored for retrieval and subsequent use. For instance, even allowing for varying levels of per-capita income, the amount of money that stands to be lost to “phishing” (one of the most common online attacks, in which a person is socially engineered into providing personally identifiable information by someone posing as a trusted source) has the potential to be quite significant because of the sheer number of unaware users at risk.

A real-world example of the scope of the threat: cybercrimes such as phishing and data breaches are a scalable threat to the United States. These threats are so severe that they are detailed as national security threats in the 2009 Annual Threat Assessment Intelligence Briefing to the Senate Intelligence Committee. This represents the scope of one cybercrime problem in a single country whose users have had several years of exposure to the Internet. New Internet users will face the same difficulties – but from cybercriminals who have also had years of experience and have optimized their attack and evasion techniques.

Infrastructure build-out, deployment and subsequent end-user connectivity should be coupled with effective cybersecurity awareness training – in addition to application usage training. It is the ignorance of on-line risks that poses the greatest threat to the new generation of global Internet citizens. Coordinated global efforts in effective awareness training will transform these new Internet citizens from potential victims to increasingly aware, and less vulnerable, people as a whole.

Jeff Debrosse
Senior Research Director

Another Twitter Security Problem


Wednesday, September 9th, 2009

As reported at http://www.eweek.com/c/a/Security/Twitter-XSS-Vulnerability-Still-Wide-Open-Developer-Says-433005/, a researcher has found a cross site scripting vulnerability that affects Twitter. The researcher claims that by exploiting this he could gain access to the Twitter accounts of anyone who views his specially crafted tweets.

The explanation of the problem is a bit techie, but there is one very important point in the article. One of the best protections against this and potentially many other attacks is not to follow people you do not know or trust. Just because a person wants to follow you doesn’t mean you should follow them. It might be good to look through the list of people you are following and make sure you really trust everyone on the list.

In some ways social networking can be like being at a club. You can meet all kinds of people you didn’t know. You can strike up a conversation with a person you have never met before. The big difference is that at a club there are lots of people around. When you are on a social networking site you are effectively alone, and the person you are talking to has nobody else to worry about seeing what they are doing. It really is a lot more like being in a dark alley than being in a popular night spot.

With all social networking sites, be selective about what information you share, who you allow on your network, and what links you follow. Always remember that a friend’s account can be hacked and in that case, even though the message actually comes from the friend’s account, it might not be your friend sending it. Look for context. This means that if you get a message that is out of character, use another means of contact to make sure your friend really is the one sending the message.

Randy Abrams
Director of Technical Education

Armor for Social Butterflies


Tuesday, September 8th, 2009

I was speaking with our friend David Perry at Trend Micro about the insecurity of social networking services and what steps users could take to strengthen their security online. In the course of our conversation, we came up with a list of simple steps you could take to better protect yourselves.

  • Be careful about whom you befriend. Many social networking services seem to be structured around an online popularity model, making prominent note of how many friends, links, nodes or other connections you have. This is definitely a smart move on their part, since it not only encourages you to spend more time on their site, but it also greatly reduces their marketing and customer acquisition costs, since you do the work for them. Think about whether or not you really need to add that person to your network before linking to them. While it may be fun to be a social butterfly in the real world, it might be better to be something of an armadillo online.
     
  • Think before you click. Do not take it for granted that URL shortening services like bit.ly and TinyURL are redirecting you to trustworthy web sites. URL shortening is great for micro-blogging services like Twitter; however, because you typically cannot see the destination URL beforehand, there is a certain amount of risk. Also, there is an issue as to what happens to shortened URLs over the life of the service. What happens if they get recycled or hijacked and re-pointed to a new malicious web site? Also, what happens if the business goes under and the domain name gets acquired by a malicious (or merely incompetent) organization? Twitter and Bit.Ly use Google’s Safe Browsing API to check for malicious sites, and TinyURL provides a Preview option which allows you to see the address of a web site before visiting it. While these are good security steps, they are not a replacement for protecting your computer with security software. For additional information, see the following ESET ThreatBlog articles: "Shorteners/Redirectors: short of ideas," "Compressed URLs & Twitter," "TinyURL: The Tiny Terror," and "TinyURL and Anti-Spyware Toolbar." 
  • It’s a matter of trust. Many social networking sites have APIs (application programming interfaces) that allow developers to create various add-ons, plugins, web applications and programs that connect with the service. Just because a social networking site has security and privacy policies does not necessarily mean that third-party tools have them as well, or that they take them as seriously. Know the difference between a social networking site and applications from other parties used to interact with it, and find out what policies each party has with respect to information you might enter, such as your username and password. 
  • Browse differently. Consider using a different web browser to visit social networking web sites. If you normally use the web browser provided by your operating system vendor, consider using one by an independent software provider. While these may not have the same features or look-and-feel as the web browser provided with your operating system, criminals are less likely to take the time to look for exploits in web browsers used by fewer people, and to target them as they do more popular web browsers. Cybercriminals nowadays are in search of a good ROI (return on investment) and it is much more profitable for them to look for holes in a web browser that can be found running on 70% of computers than it is to spend time probing web browsers used by the remaining 30% of users.
  • Get unplugged. When visiting social networking sites, disable scripting, plugins, Java and Flash and only enable each feature as and when it is needed. Running your web browser in a sandbox or a virtual machine can provide an additional layer of protection as well. 
  • Truth is relative, and so are your relatives. Social networking sites often collect a wide variety of biographical information, not just to allow you to reset your password, but to allow people to find each other on their site. This kind of searchable information is a goldmine for identity fraudsters. So, think about the answers to questions you are being asked, and consider when it might be appropriate to lie a little. For example, the answers to questions about birthdays, mother’s maiden names, first pets and the like are commonly used to reset a password. Knowing or being able to find the answers to these types of questions easily makes it easier for someone to steal your identity, even if you aren’t an Alaskan governor running for the office of Vice-President. If you use false answers, though, consider keeping a small notebook or stack of index cards near your computer to keep track of the data you enter into each social networking site should you ever need to reset your password. For more information about keeping your personally-identifiable information safe, see ESET ThreatBlog article "Honesty Is Not The Best Policy For Password Resets." Keep in mind also that if you aren’t sure of the identity of all your Twitter followers and Facebook buddies, telling the world that you’re on vacation for the next three weeks might be opening the door to a physical intruder.
  • tRuSt_no_1. Use a strong and a different password for each social networking site. If you have a methodology for creating strong passwords, make sure it is complex and distinctive enough that the accidental disclosure of two or three passwords on social networking sites will not compromise all the others. Because passwords are such an integral part of the computing experience, we frequently discuss them. For additional information you can read the following ESET ThreatBlog articles: "Password Mythology," "Emotions Are Poor Passwords" and "%$^& is Fine for Cussing, But Not a Great Password" as well as ESET’s white paper on creating secure passwords, "Keeping Secrets."
  • Dial it up to 11. Many social networking sites offer different levels of privacy and security, and the default values are usually to allow others to see your information and contact or otherwise connect with you. While it may seem like overkill to increase the security so that only your peers and friends can see you and to approve all invitations to connect manually, it actually requires far less effort (and embarrassment) than having to de-louse your computer. And it saves you from having to apologize to all your online buddies about the message they received from your stolen credentials asking them to visit web sites containing pictures of naked Hollywood starlets. Note: This may be less of an issue for you if you normally tell your friends to visit these types of web sites.
  • Make friends with The Man. Many social networking sites have an official security web page, group or address that you can follow, join or otherwise befriend. Stay abreast of site-specific security issues by reading what they have to say. Here are the privacy and security pages for several social networking sites: Digg, Facebook, Friendster, Hi5, MySpace, Orkut, StumbleUpon, Twitter and Xbox LIVE. Keep in mind, though, that the quality of such pages can be highly variable, as is the speed of response from each site. Sometimes, what is best for them commercially may not always be the best for your personal safety.
  • Staying safer in the aether. If you regularly access social networking sites from a wireless connection make sure you have taken appropriate precautions to secure your computer. For more information, see the ESET ThreatBlog article, "Fly By Wireless." 
  • Advanced tip: Limiting access. More advanced users and network administrators might want to consider using site blocking to limit access to social networking sites, or at least ancillary sites used by programs that interface with them by way of their APIs. This can be done in many ways, such as blocking through the hosts file, using an RBL (real-time block list) in conjunction with your security software and/or gateway router, or even implementing a pseudo-caching DNS server on your network.

Social networking sites are meant to be fun places where you can network and spend time online with your friends. However, the Internet is just like the real world when it comes to which neighborhoods you choose to spend time in. Keep aware of your surroundings and protect yourself appropriately. For further information about staying safe online, I would suggest, as a jumping off point, visiting Securing Our eCity, a public and private initiative in which ESET and other companies, organizations and agencies participate.

Regards,
 
Aryeh Goretsky MVP, ZCSE
Distinguished Researcher

A Motivation for the Twitter Attack?


Friday, August 7th, 2009

Some people are speculating that the motivation for the Twitter attack was to try to silence one person. There are really good signs that the attack against an individual was what took down Twitter, but still we really don’t know. I speculated that it might be a show of force to try to sell botnet resources. It still could be that. If you’re going to demonstrate your weapon you still need a sample target. In this case it may have been killing two birds with one stone. Of course, this also is conjecture. We may never know the true motivation for the attack. Still, I have to believe that there are some criminals who were pretty upset at the loss of revenue when they were unable to attack the users of Twitter.

Randy Abrams
Director of Technical Education

Twitter and the Corridors of Power


Friday, August 7th, 2009

I was amused (and not the only one, either) to notice that the UK’s Cabinet Office has recently launched a "Template Twitter strategy for Government Departments": I wonder if they’re thinking of reconsidering in view of the proven fragility and security-shakiness of Twitter, but I suspect not.

I am tempted to make a cheap shot related to the fact that the document is 20 pages long rather than 140 characters, but I suppose for a Whitehall Mandarin, 20 pages is probably the essence of brevity.

In fact, it turns out that Neil Williams, of the Department for Business, Innovation and Skills, who drew up the document, is capable of appreciating a good acronym. (And I owe a tip of the hat to e-Health Insider for drawing my attention to it). He describes himself as having JFDI inclinations. (For the purpose of this blog, we’ll render that as Just Flipping Do It, though the usual translation is a little saltier.) As a bit of a JFDI man myself, I’m impressed that he manages to maintain that worldview within one of the world’s great bureaucracies, and even more that he is able to slip that one into an official Cabinet Office blog. But then, he is Head of Corporate Digital Channels, which sounds fairly authoritative.

The real surprise, though (and here comes the tenuous link with security) is that the document is actually worth reading. Well, it won’t be everyone’s bedtime reading. But it does express some clear thinking about some of the implications and practicalities of using Twitter as a corporate tool. I’m not sure I buy into all of it myself, but I’d guess that quite different organizations far beyond the borders of the UK will at least find it useful as a starting point when considering a Project Initiation Document that runs over 140 characters.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

Who Flipped the Bird?


Thursday, August 6th, 2009

As I write this, Twitter, the popular social networking site, is experiencing a distributed denial of service attack. I do not know where the attacks are originating from, or the reason, but it occurs to me there may be hell to pay.

So what motives? Perhaps the bad guys are upset that Twitter has recently started filtering URLs in order to cut back on the amount of malware users experience. Twitter’s actions must have hurt the bottom line of some criminal organizations, but there are still other ways thieves can make money, and they make none at all if Twitter is down.

This leads to the thought that either it is a revenge attack by a disgruntled idiot or an attempt to gain fame by a hacker with more technical skills than brains. If it isn’t an organized criminal group that is attacking Twitter I would expect the attacker will draw the ire of criminal groups that abuse Twitter for illegal gains. Somebody is hitting the criminal element in the wallet by attacking Twitter.

Update: It occurs to me that this could be how a major botnet operator markets a botnet. "If I can do that to Twitter, imagine what I can do for you". There may be another intended target and Twitter was simply the proving grounds.

Randy Abrams
Director of Technical Education

Shorteners/Redirectors: short of ideas


Wednesday, August 5th, 2009

We’ve been having some discussion internally about shortened URLs, with specific reference to pointing to web resources on Twitter, where you can’t actually avoid using shortened URLs, because an uncompressed URL is automatically shortened using bit.ly.

You may remember that I discussed these issues before here. The main problem, of course, is that it’s all too easy to conceal a malicious site behind a shortened URL, as all too many blackhats have already discovered. So while I sincerely hope that ESET’s web pages are as secure as they can be on the wild, wild internet, I think it’s more responsible to force users to check the real URL before they open it, even though it’s an extra click. As a security company, we should be trying to set a good example.

Now, bit.ly isn’t a bad option: it offers a preview plugin for Firefox users, checks links against some blacklists, and offers click ratio statistics. But it doesn’t let me force a preview, and it isn’t browser-agnostic.

The tr.im service seems to be good on statistics, but I can’t find a preview mode or security information: perhaps there’s something if you actually sign up for it, so I’ll be looking further into that.

Recently I’ve been using tinyURL with the "preview.tinyurl.com" prefix, to force anyone who uses it to see the preview page that tells them what the full URL is. (is.gd also has an option to force a preview by appending a hyphen, and also uses SURBL.) If you really hate the preview option, and it seems that some people do dislike seeing the redirect, you can avoid it by pasting the link into your browser with the "preview." removed. But that’s probably more hassle than just viewing the preview and clicking again.

Right now, though, I’m using sURL, which always shows a preview page, and has one or two features I like the look of and am testing out at the moment. (I particularly like the ability to generate a loooooonnnnnnggggggg URL, but I haven’t thought of a legitimate use for it yet.)

However, I’d like to establish consistent practice across the blogging team. And, indeed, to get your opinions. How would you prefer us to handle this, if you have any views at all? Do you use the Twitter notifications?

By the way, I’m probably going to come back to this topic in a paper Real Soon Now. In the meantime, if you’re interested in looking at the issue in more detail, you might want to take a look at Rob Slade’s blog here.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter: http://twitter.com/esetresearch
ESET White Papers Page: http://www.eset.com/download/whitepapers.php
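The "Think before you click" tip above and this post both recommend seeing where a shortened link really goes before visiting it. The following Python is an added illustration (not code from the original posts or from ESET): it rewrites tinyurl.com and is.gd links into the forced-preview forms the posts mention, and walks a redirect chain one hop at a time so the destination can be inspected without loading the final page. The hop table is constructed for the example; `live_head` is an optional real HEAD fetcher, and the hop limit of 5 is an assumption.

```python
"""Added example (not from the original posts or ESET): make shortened URLs
inspectable before they are clicked, as the posts recommend."""
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urljoin, urlsplit, urlunsplit
import urllib.error
import urllib.request

REDIRECT_CODES = {301, 302, 303, 307, 308}
MAX_HOPS = 5  # assumption: a legitimate chain should not need more hops


def to_preview_url(url: str) -> Optional[str]:
    """Rewrite a short URL into the forced-preview form the posts describe:
    tinyurl.com -> preview.tinyurl.com/..., is.gd -> trailing hyphen.
    Returns None for shorteners with no known preview form (e.g. bit.ly)."""
    parts = urlsplit(url)
    host = parts.netloc.lower()
    if host in ("tinyurl.com", "www.tinyurl.com"):
        return urlunsplit(parts._replace(netloc="preview.tinyurl.com"))
    if host == "preview.tinyurl.com":
        return url  # already a preview link
    if host == "is.gd":
        if parts.path.endswith("-"):
            return url
        return urlunsplit(parts._replace(path=parts.path + "-"))
    return None


HeadFn = Callable[[str], Tuple[int, Optional[str]]]


def expand_short_url(url: str, head: HeadFn) -> Tuple[List[str], str]:
    """Walk a redirect chain one hop at a time without loading the final page.
    `head(url)` returns (status, Location header or None) and must NOT follow
    redirects itself. Returns (URLs seen, outcome) where outcome is
    'resolved', 'loop' or 'too_many_hops'."""
    chain = [url]
    seen = {url}
    for _ in range(MAX_HOPS):
        status, location = head(chain[-1])
        if status not in REDIRECT_CODES or not location:
            return chain, "resolved"
        nxt = urljoin(chain[-1], location)  # Location may be relative
        if nxt in seen:
            return chain, "loop"
        chain.append(nxt)
        seen.add(nxt)
    return chain, "too_many_hops"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so each hop can be inspected."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def live_head(url: str, timeout: float = 5.0) -> Tuple[int, Optional[str]]:
    """Real HEAD fetcher for expand_short_url (needs network; not used below)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        # With redirects disabled, 3xx answers surface here as HTTPError.
        return err.code, err.headers.get("Location")


# Constructed hop table standing in for the network, so the example runs offline.
CONSTRUCTED_HOPS: Dict[str, Tuple[int, Optional[str]]] = {
    "http://bit.ly/constructed1": (301, "http://tinyurl.com/constructed2"),
    "http://tinyurl.com/constructed2": (301, "/final"),
    "http://tinyurl.com/final": (302, "http://example.com/landing"),
    "http://example.com/landing": (200, None),
    "http://is.gd/loopA": (302, "http://is.gd/loopB"),
    "http://is.gd/loopB": (302, "http://is.gd/loopA"),
}


def fake_head(url: str) -> Tuple[int, Optional[str]]:
    return CONSTRUCTED_HOPS.get(url, (404, None))


if __name__ == "__main__":
    for short in ("http://bit.ly/constructed1", "http://is.gd/loopA"):
        chain, outcome = expand_short_url(short, fake_head)
        print(outcome, " -> ".join(chain))
```

Swap `fake_head` for `live_head` to inspect a real link; the chain is printed without the last page ever being rendered in a browser.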

ThreatSense.Net® Report for July


Monday, August 3rd, 2009

Our July ThreatSense.Net® report has been released today, and will eventually be available from the Threat Center page here. Most of the top ten entries are old friends: well, familiar names might be a better way of putting it. One of the disadvantages of having a scanner that makes heavy use of advanced heuristics is that many of the most common detections don’t really map to single malware families the way that they do for companies that are more signature-oriented.

There are advantages, though, as we’ve discussed before, apart from the obvious (and important) advantage of proactive detection: it gives us more time to concentrate on processing detections rather than fussing with crossmatching samples to malware families, and it gives us a better picture of major threat trends, which we consider to be more useful. Unfortunately, some sectors of the media are still hung up on the minutiae of malware naming, which I don’t consider so important at a time when some sources are talking about collections of (much) more than 20 million individual samples. Hopefully they’ll catch up with the rest of us eventually…

Pierre-Marc and I presented a paper on the naming problem at Virus Bulletin last year, and I’ve developed the theme further in another conference paper that will be available on the white papers page in September.

As it happens, there aren’t a lot of surprises: the first few positions remain unchanged from June. However, Win32/TrojanDownloader.Bredolab.AA, despite a strong local showing in some countries, has dropped out of the worldwide top ten, while W32/FlyStudio is in at Number 5. FlyStudio is kind of interesting: it’s not exactly a malware family, but a development platform (a scripting language, to be more precise) much used in China. Unsurprisingly, the FlyStudio malware we’re seeing also seems to be targeting computer users in China, but is also being reported elsewhere, including North America. This may mean that it’s being deployed by another malware family.

Elsewhere in the top ten section, we’ve updated some of the descriptions. Over the lifetime of a threat family, there are often substantial changes in the way the malware works, or in our understanding of it as more variants appear and more information becomes available. And, as usual, we’ve included some notes on other issues that have been addressed recently by the labs and/or the Research team, including:

  • Adobe and Microsoft patching issues
  • Twitter and Facebook problems
  • A little about AMTSO
  • Some white papers that are about to appear
  • Waledec and the Dewey Effect
  • ESET in Europe’s initiative on safe wi-fi.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence
