By

Social Networks & Social Engineering – Twitter Round 1

My first review will be Twitter. I selected Twitter because it’s widely used and even easier for social engineering than some of the others.

First a little background on Twitter. Many people categorize Twitter as a “micro” blog. This means you can post short (140 character) messages that communicate your current thoughts, actions, wants or needs.

From their website Nicholas Carr describes it as “the telegraph system of Web 2.0” while the New York Times states, “It’s one of the fastest growing phenomena on the Internet.”

The first thing I noticed about Twitter is that most links posted by members are the shortened version of a full URL. Some of the more populare sites for these services are:

  • TinyURL.com
  • bit.ly
  • get-shorty.com
  • SnipURL.com

These services take a URL like: http://www.wewatchyourwebsite.com/defacements/HackedByAL-GaRNi-sample-2.jpg and convert it to something like: www.tinyurl.com/88888

Using these shortened URLs on Twitter allows members to include some description with their link.

I’ve always had a problem with these shortened URLs. Having seen numerous SPAM messages with embedded shortened URLs in order to evade detection, I set out to investigate further.

You never know what the ultimate destination is when clicking on these links. You could easily be led to an infectious webpage. Infectious websites are one of the most popular tactics of cybercriminals to deliver their malware.

I scanned our SPAM traps for messages that included these shortened URLs. I used one of our secured systems to see where these links ultimately delivered my browser.

Much to my surprise, all of the links that used TinyURL.com delivered the following message:

“The TinyURL (shows link) you visited was used by it’s creator in violation of our terms of use. TinyURL has a strict no abuse policy and we apologize for the intrusion this user has caused you. Such violation of our terms of use include:

  • Spam – Unsolicited Bulk E-mail
  • Fraud or Money Making scams
  • Malware
  • or any other use that is illegal”

This tells me that they’re either policing their links or that they actually take action on misuse of their service – this is awesome. I suggest that before clicking on any TinyURL, replace tinyurl.com with preview.tinyurl.com. For instance if you see a link like: http://www.tinyurl.com/8888, before clicking on it, change the URL to: http://preview.tinyurl.com/8888. The resulting webpage will show you exactly where the link will take you with a link that says, “Proceed to this site.”

I know this is somewhat of an inconvenience, but so is having your PC sending millions of SPAM messages after you’ve been added to a huge botnet.

You see, with any security situation, you always have to consider the risk involved when the potentially weakest link is the responsibility of someone else.

With these shortened URLs, you’re depending on the URL shortening service to provide you with some level of protection.

One other service I investigated, SnipURL.com clearly states on their website:

“SnipURL has a number of operational functions in place to protect the confidentiality of information. However, perfect security on the Internet does not exist, and SnipURL does not warrant that its site is impenetrable or invulnerable to hackers.”

At least they admit that perfect security does not exist, but don’t think that you’re safe clicking on a shortened URL link.

I believe that any free service is going to be exploited by cybercriminals. I’ve seen many times where even fee based services are abused by cybercriminals.

You had better fully trust the person or organization behind the Twitter posting before you blindly click on a shortened link on their site – because you’re either relying on the poster or Twitter. If that little bird in your head is telling you to be careful, you shouldn’t be clicking on it no matter how important you think it might be.

Have you had situations of a security breach on Twitter? If so, let us know by posting a comment.

By

Is the Internet worth it?

I know I’ll be accused of FUD (Fear, Uncertainty, Doubt) with this post but here goes.
The whole world knows the Internet is used for building businesses. Some businesses rely solely on the Internet – they simply wouldn’t exist without it.
However, with all the security threats, at some point you have to ask: Is it worth it?

On November 12, 2008 the 63rd Session of the International Telecommunications Union (ITU) Council met and discussed the current state of cybersecurity. The event concluded with the declaration that cyber-security is one of the most important challenges of our time. The ITU Secretary-General, Dr. Hamadoun Toure stated: “The costs associated with cyber threats and cyber-attacks are real and significant — not only in terms of lost revenue, breaches of sensitive data, cyber-attacks and network outages but also in terms of lives ruined by identity theft, debts run up on plundered credit cards or the online exploitation of children.”

While I might not totally agree with the severity he states, I do agree that the situation is bleak – and apparently only getting worse.

Hackers use any method available to achieve their goal – total domination of the Internet. Okay, that’s really extreme.

Think of your own specific situation. You undoubtedly have at least one anti-virus (AV) program installed on your working computers, right? (many of you have 3-4 different security programs installed)

How many times has it actually caught a virus? If your AV is set to scan once a day, how often has it detected a virus/worm/trojan during it’s scan? If ever, you have to

During the course of the past 2 months we’ve seen the following security issues:

  • Malware delivered by infectious Adobe Acrobat files (pdf)
  • “Common” websites delivering malware (i.e., www.mlb.com, www.businessweek.com, www.cbs.com)
  • 85% of malware being delivered by infectious websites
  • Numerous content management systems (CMS) and forums having various vulnerabilities
  • “Hacking” used in a multitude of political wars (website defacements, etc)
  • More intelligent malware (blocking of AV updates, disabling security software)

In addition to the above list, more malware has been delivered via social engineering. Social engineering is the “art” of using deception to get a user to intentionally install something which turns out to be malware (definition of trojan).

Back in October we saw the keyword “costumes” being abused by cybercriminals to get people to visit malicious websites promising to offer fantastic ideas on Halloween attire. Then in November we saw numerous emails be circulated that offered various food recipes for Thanksgiving many of which resulted in webpages that contained more than recipes. They offered recipes for infection (you can use that if you want).

Along with the holiday themed malware strategies, here in the US we were also going through a Presidential election which brought about an abundance of election themed malware attacks. Then we had the year-end holidays and New Year’s each with their own malware messages and accompanying websites.

Now with the Presidential Inauguration just completed we’ve seen numerous messages “flying” around the internet touting “Obama refuses to take oath”. When any of these links are followed, they lead the unsuspecting inquisitive reader to a website that delivers more than the message they were seeking. It also attempts to infect their computer with little pieces of code that are just the beginning of taking control of the infected PC.

All of this is actual, real world reality. I didn’t make this “stuff” up. I didn’t write these viruses/worms/trojans like some of you think.

Cyber crime is something we all have to deal with.

You’re in business to solve some real world problem. Whether you’re a plumber or a rocket scientist, you solve someone’s problem otherwise you wouldn’t be in business.

I selected computer security as my profession and I believe I do it well. I try to solve real world computer security problems. If you find my work offensive, you’re free to ignore it.

I don’t work in FUD. I just merely try to educate you so you know what you’re facing being online.

Please leave me your comments on this posting.

Thank you.