
Support Scams: Even More Personal

It must be my lucky month. I've been getting lots of calls offering to save my PC from system errors. (Sadly, this is an instance where regional "don't cold call" lists don't help, since the calls are being routed from… well, if you've been following my blogs on this topic, you can guess where.)
A few days … – on ESET ThreatBlog


Twitter: The Internet is a more dangerous place

Twitter has made it extremely easy for people to share news and web links and at the same time has created a boon for online criminals. It is hard to find a web service that has done more to make malware distributors’ jobs easier.

I don’t mean just the explosive growth in the Twitter user base. Microblogging in general, and Twitter specifically, contribute to malware distribution in fundamental ways that must be re-examined and corrected.

Here are the Twitter features that make it so dangerous:

  1. Twitter usernames are easily harvested in vast quantities
  2. Criminals can send tweets to anyone on Twitter
  3. Twitter encourages its users to share without thinking
  4. Twitter and supporting services like bit.ly strip away critical context
  5. Twitter is programmable and can be automated using their published APIs

Twitter features look like an Internet criminal’s wish list.

While each of these features has appeared to some degree in other Internet services like email and instant messaging, Twitter has taken them to a new level and — as icing on the cake — got celebrities like Ashton Kutcher and Miley Cyrus to help fuel the frenzy of massive sharing.

Before describing how these features introduce vulnerabilities hackers can exploit more easily than ever, let’s be clear that this is not Twitter bashing. There is a reason Twitter has become so popular: it clearly meets a need shared by many millions of users. On Twitter.com we see people using the best features of the Internet to be more connected and more informed. But just as we think twice about attending large gatherings during a swine flu pandemic, we should also think twice about sharing links on an infected Internet.

Okay, let’s look at our hacker wish list in more detail.

Twitter usernames are easily harvested in vast quantities

Compared to email, collecting huge lists of Twitter usernames is incredibly easy. Part of the attraction of Twitter is that anyone can see what all the users are up to, including seeing usernames. Showing everyone what everyone else is saying is a great way to encourage new users to join the fun. It’s also a great way to build a list of users to target.

Quality email lists, on the contrary, are harder to build. Malware authors have been very creative in building tools to collect email address lists. The Warezov worm, for example, would scan a PC for email addresses and then send itself to those addresses to continue the process. These worms, however, require a user to open a binary attachment to start the process, and then require the next recipients to do the same.

Warezov and other email worms were pretty darn effective, but gathering lists of Twitter users does not require jumping through such technical and social engineering hoops. The public nature of Twitter usernames, combined with the Twitter API (see below), makes it outrageously easy to “crawl” across Twitter and build massive lists of users.

Here is an interesting look at a Twitter-crawling app created by some good guys — repeat Good Guys! — that demonstrates the concept.

Looking at the image above, it is important to note that not only are lists of usernames easy to build, but relationships between users are also publicly available on Twitter, raising the possibility of targeted attacks against organizations using (seemingly) inside information. (“Harry Reid said you should respond to this: [click here]”)

Criminals can send tweets to anyone on Twitter

Now that we have a huge list of usernames that we generated in a couple of hours, our next step will be to send them malicious links to infect their computers. Before the rise of Twitter, there were other methods malware distributors used to get links in front of people. “Spim” is the term for sending spammy links through an Instant Messaging (IM) network. But the Instant Messaging model calls for users to establish relationships by a two-way handshake: I add a new user to my contact list, they see the request and choose to accept the relationship, and only then can I send messages. Now, it is true that malware writers can circumvent this requirement for a handshake but, like the email address harvesting example above, it requires malware engineering to get around protection designed into IM systems. On Twitter there is no such requirement.

Twitter has a similar model wherein I follow you and you follow me. But you do not have to choose to follow me in order to see messages from me. I can follow you, see your tweets, and send a reply that you will see in your reply box. The Replies page is labeled “Tweets mentioning [myusername]”. And on Twitter, who does NOT want to see tweets mentioning them? (Miley Cyrus aside.) Compared to the effort of hacking an IM system to send unsolicited links, Twitter makes it very easy for anyone to send links to arbitrary users.

So I build a huge list of usernames, follow all the users, wait for them to tweet and then reply with: “You are so right and this proves it: [click here]”
At this point, the only thing keeping my huge list of users from clicking the link is a good dose of caution. And Twitter is not about caution. Read on.

Twitter encourages its users to share without thinking

Stepping out of the technical realm for a moment, let’s look at the Twitter social phenomenon. Twitter is not about privacy. Twitter is about massive-scale sharing. The tagline on the Twitter home page is, “Share and discover what’s happening right now, anywhere in the world.” And, “Join the conversation.” THE conversation. Not one on one conversations with your known friends. We’re talking about The Big conversation that we crawled through collecting our usernames up in step one.
Twitter does provide Public or Protected accounts. But the default setting is public and the message is clear: don’t be shy. Jump in the deep end of the pool.

On top of that, the first step you see after creating an account is “See if your friends are on Twitter” and a web form that asks for your Gmail, Yahoo or AOL email password. Yes, your password. Twitter will log into your email account and retrieve your contact list to see if there are matching Twitter accounts. Doesn’t this sound just like our friend Warezov described above?

Of course these are features designed to maximize the number of users and connections between users, and that’s the attraction of Twitter. The sunny day scenario is a positive one that helps build the Big Conversation. What we are doing here is looking at these features with an eye on how they contribute to the spread of malware across the Internet.

So to recap: we have a huge list of usernames with known relationships between users, we can send any of them a link that includes some apparently familiar context even though they don’t know us, and the users are in a hurry. Tweets are short and sweet and meant to be posted and read frequently. This favors the social engineering malware distributor who hopes the users do not spend too much time deciding whether or not to click a link in a tweet.

Twitter and supporting services like bit.ly strip away critical context

Tweets are very short messages that don’t leave a lot of room to establish familiar context. “Check this out: [click here]” is a classic line from emails that distribute malware.

The shortened URLs that appear in tweets remove all the warning signs that indicate dangerous links. When a link appears in your email, an IM message or a tweet it is important to inspect the URL and see where it goes before clicking on it. If we receive a message that looks like it is from a friend asking us to look at their vacation pictures, we have a chance to be suspicious if the URL ends in a .ru (Russia) or .cn (China). It’s not likely that our friends chose a Russian or Chinese photo hosting service. Or if the link is purportedly from our bank but the URL looks like http://aimee.pl345xxx.ru/scripts/infector/clickit.html, we might be wary about clicking it.

Would you be suspicious of this URL?

http://aimee.pl345xxx.ru/scripts/infector/clickit.html

URL shortening services like bit.ly, tinyurl.com or tweetburner remove all the useful context and turn all URLs into generic nonsense. There is no chance for a user to screen out risky URLs when they are shortened.

How about this one?

http://bit.ly/YTmnD

Then there is the risk of someone penetrating the URL shortening service itself and hijacking previously shortened links to point them to malware sites. Over 2 million shortened links were hijacked this summer at URL shortening service Cligs.

Twitter is programmable and can be automated using their published APIs

As I mentioned above, Twitter provides an Application Programming Interface (API) that lets developers create programs to automatically exercise Twitter features. Features that the API does not support can be accessed by automating web requests as described here: Scripting Twitter with cURL.

Countermeasures

As we have seen, Twitter is a feature-rich malware distribution platform with a ready-to-go user base of 25 million Tweeters who are predisposed to do exactly what the bad guys want: click it fast. Here is a short list of things users can do to protect themselves:

  • Protect your tweets: Go into your Twitter settings and click the “Protect my tweets” checkbox at the bottom. This will remove you from the public timeline and only people you approve can follow your tweets and send you replies.
  • Check those short links: Network security firm Sucuri provides a free service that scans shortened URLs with McAfee SiteAdvisor and Google’s SafeBrowsing service. It’s available here: http://sucuri.net/index.php?page=tools&title=check-url. AVG’s LinkScanner is also an option that will scan all the links you visit in a supported browser.
  • Use Twitter security tools: Security tools designed specifically for Twitter are starting to appear on the market. I haven’t evaluated them yet, but one recent example is Krab Krawler from Kaspersky.

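The context-stripping problem described above and the “Check those short links” advice can be turned into a small local check. The following Python example is added here and is not the SafeCentral post’s own code, nor that of any of the services it names: it resolves a shortened link hop by hop without blindly following the redirect, then applies the post’s eyeball tests to the destination (unexpected .ru/.cn domain, a host other than the one you expected, tell-tale words in the path). The watchlists, and the mapping from the post’s bit.ly sample to its sample malicious URL used for offline testing, are constructed for the illustration.

```python
from urllib.error import HTTPError, URLError
from urllib.parse import urljoin, urlparse
from urllib.request import HTTPRedirectHandler, Request, build_opener
# Constructed watchlists: the country-code domains and path words the post points at.
SUSPICIOUS_TLDS = {"ru", "cn"}
SUSPICIOUS_PATH_WORDS = ("infector", "clickit")

class _NoRedirect(HTTPRedirectHandler):
    """Refuse to follow redirects so every hop can be inspected in turn."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # urlopen then raises HTTPError carrying the 3xx reply

def fetch_location(url, timeout=5):
    """HEAD `url`; return its Location header, or None if it is not a redirect."""
    try:
        build_opener(_NoRedirect).open(Request(url, method="HEAD"), timeout=timeout)
    except HTTPError as err:
        if 300 <= err.code < 400:
            return err.headers.get("Location")
    except URLError:
        pass  # unreachable: treat as a dead end
    return None

def expand(url, lookup=fetch_location, max_hops=5):
    """Return the chain of URLs from the short link to its final target.
    `lookup` maps a URL to the next hop (or None); pass a dict's .get for offline use."""
    chain = [url]
    for _ in range(max_hops):
        nxt = lookup(chain[-1])
        if not nxt:
            break
        nxt = urljoin(chain[-1], nxt)  # a Location header may be relative
        if nxt in chain:
            break  # redirect loop
        chain.append(nxt)
    return chain

def assess(final_url, expected_domain=None):
    """Apply the post's eyeball checks; an empty list means nothing obviously off."""
    parsed = urlparse(final_url)
    host = (parsed.hostname or "").lower()
    tld = host.rsplit(".", 1)[-1]
    warnings = []
    if tld in SUSPICIOUS_TLDS:
        warnings.append(f"unexpected country-code domain .{tld}")
    if expected_domain and host != expected_domain and not host.endswith("." + expected_domain):
        warnings.append(f"host {host!r} is not {expected_domain!r}")
    warnings += [f"path mentions {w!r}" for w in SUSPICIOUS_PATH_WORDS if w in parsed.path.lower()]
    return warnings

def check_link(url, expected_domain=None, lookup=fetch_location):
    """Expand a short link, then judge where it really goes: (final_url, warnings)."""
    final = expand(url, lookup)[-1]
    return final, assess(final, expected_domain)
```

An empty warning list only means the link passed these coarse checks; a reputation service such as the ones the post lists is still the stronger test.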
– on SafeCentral Blog


Internet Explorer 9 – more secure

Microsoft has added new security features progressively with each version of Internet Explorer (IE). For example, IE 7 introduced a phishing filter, and IE 8 added a cross-site scripting filter and InPrivate browsing to better protect users’ privacy.

With the IE 9 beta versions out now, Microsoft promises even more security than in all its predecessors. One problem, though, is that it runs only on Windows Vista SP1 and newer Windows versions. Windows XP, which is currently still the most widespread Windows, is not supported at all.

Summarizing the changes in IE9 that lead Microsoft to call it the most secure browser from the Redmond company: the most important new security feature is the Download Manager with SmartScreen filter integration. SmartScreen is a URL blacklist that provides malware and phishing protection. Starting with this version, Microsoft introduces SmartScreen download reputation, a browser feature that uses reputation data to remove unnecessary warnings for well-known files and to show more severe warnings when a download has a higher risk of being malicious. This reduces the problem of users ignoring or deactivating warnings that appear too often. The download manager also performs some malware checks, digital signature checks, and so on.

Closely related to security is the approach of separating the core from third-party functionality such as plugins and add-ons; IE9 calls this “Hang recovery” and “Automatic crash recovery”. Another interesting feature, the “Add-on Performance Advisor”, audits all add-ons and allows the user to close those that are slowing down the browser. There is also good news for enterprise users: IE9 now has over 1500 Group Policy settings built in, allowing IT professionals to tweak the browser in many ways.

SorinMustaca
Data Security Expert

– Avira GmbH on Avira – TechBlog


The cars knew even more

Earlier this year Norman published a security article about how Google’s Street View cars collected data from WiFi networks.
Google then wrote on its blog:

"(…) We collect the following information–photos, local WiFi network data and 3-D building imagery. (…) Google does not collect or store payload data."

This caused much attention by the media, privacy interest groups, and the authorities in many countries. Several nations investigated the issue, some of the investigations are completed, others are still on-going, and at least one country (Spain) has filed a lawsuit against Google.
Google acknowledged that this data collection was a serious mistake, and in a recent blog item the corporation mentions three changes that are implemented in order to avoid similar errors:

Appointing the internationally recognized expert Alma Whitten as the director of privacy across both engineering and product management.
Enhancing core training for engineers and other important groups with a particular focus on the responsible collection, use and handling of data. (In addition all employees will be required to undertake a new information security awareness program.)
Adding a new process to the existing review system, in which every engineering project leader will be required to maintain a privacy design document – reviewed regularly by managers, as well as by an independent internal audit team – for each initiative they are working on.

However, the part of this new blog item that caused the most interest was the following, where Google’s Senior VP, Engineering & Research refers to the previous blog item (the emphasis is mine):

[N]o one inside Google had analyzed in detail the data we had mistakenly collected, so we did not know for sure what the disks contained. Since then a number of external regulators have inspected the data as part of their investigations (seven of which have now been concluded). It’s clear from those inspections that while most of the data is fragmentary, in some instances entire emails and URLs were captured, as well as passwords.

Hopefully this new information serves as an eye opener to those who leave their WiFi networks open just because they are too lazy to set up even the most rudimentary protection mechanisms. If emails and passwords can be harvested by accident, they surely can be by someone who intends to do so.
Incidentally, according to a report this month from the Office of the Privacy Commissioner of Canada, Google has discontinued collecting WiFi data from its Street View cars. Instead Google

(…) intends to rely on its users’ handsets to collect the information on the location of WiFi networks that it needs for its location-based services database.

Hopefully the safety procedures that Google has set up prevent similar privacy issues when the device is walked as opposed to driven. – on Norman’s security blog


Apple’s iOS Update is more than cosmetic

The Cupertino-based company has just released the long-awaited update of its operating system, iOS 4.2.1, for the iPhone, iPad and iPod Touch. While it brings many changes, mainly for iPad owners, such as multitasking and app folders, it is more than just these more or less cosmetic fixes.

It is a full-blown security update that closes plenty of security holes, especially in WebKit, the foundation of the Safari web browser. These vulnerabilities allow attackers, for example, to dial out to costly numbers without the user’s knowledge or to take complete control of the iPhone/iPad/iPod Touch. A post on Apple’s security announcement list contains a lengthy list of the security vulnerabilities fixed in iOS 4.2.1.

Owners and users of an iPad, iPhone or iPod Touch are therefore strongly advised to apply the update as soon as possible. The danger of an attack has increased significantly, since the source code of the greenp0ison hack used to unlock and root the iP* devices has meanwhile been published by its developers, which greatly simplifies the programming of corresponding attacks.

Dirk Knop
Technical Editor

– Avira GmbH on Avira – TechBlog

