Nov 02 2009
Michael Arrington sure knows how to stir up a crap storm. Saturday he started bringing to light the amount of scamming and dishonest practices behind ads and games on Facebook and MySpace. I’m pretty sure that the people who think the ads are legitimate are in the minority, but even I was stunned by the sheer magnitude of the money changing hands behind the scenes. I assume part of why I was unaware of the issue is my own limited use of Facebook and complete refusal to visit MySpace. Sure, there are rules that try to limit the scams, but the reality is that the technology allowing scammers to earn big bucks is changing much faster than anything the big social network sites can do. I wonder if this sort of ecology isn’t exactly why Twitter has never allowed ads?
Today TechCrunch is running a guest blog post by Dennis Yu, an advertiser who knows a lot about the guts of running Facebook scams, since he used to make his money performing the exact sort of scam Arrington is trying to call out. He claims to be reformed, he claims to feel guilty, but he’s not offering to give any of the money back in an act of contrition. I guess the best we can hope for is that the information he’s sharing can be used to limit the damage caused by scammers going forward. And limiting the damage is the best that can be hoped for, since the money being generated by Facebook ads is too tempting to stop altogether.
One of the biggest keys to encouraging a user to click on an ad has always been to make it look like it’s coming from a trusted source. Looking like a legitimate Facebook ad is important, but using personal information from the user’s profile is even better, according to Mr. Yu. Providing that kind of access is something Facebook has led the way on since its inception. Developers have always had easy and wide-ranging access to user data on Facebook, in many cases even data that’s marked as ‘private’. Facebook’s privacy policy spells this out, but few users ever read the policy when they sign up for Facebook and even fewer read it whenever it’s updated.
It’s no wonder that developers flock to Facebook either; according to Mr. Yu, he was able to earn 40-60 times what Google AdSense could for the same ads. Not that the ads were actually effective for the advertisers, but the companies were still paying out for ad placement. The funny thing is that most of the ads didn’t convert to real sales, since a lot of the people using Facebook didn’t have or use credit cards. In other words, they don’t actually buy the things that ads are selling. But there are three things that don’t cost end users money that they’re willing to accept: installing a toolbar, supplying an email address or supplying their phone number. Toolbars are egregious because they are often nothing more than conduits for spyware. An email address is obviously useful for spamming, especially if you already have all the other information being supplied by Facebook. The worst of the three for consumers is giving up a phone number, since this can lead to a recurring monthly charge that you might not even realize has been tacked onto your phone bill. After all, how many people actually check their phone bills that often?
The bad guys, and even the guys who aren’t bad but want to make a buck, are going to find ways to exploit Facebook, MySpace and other social media spaces as long as there is money to be made. They’re going to take advantage of weak enforcement and a lack of motivation to stop the scams from happening. But the social media companies have to decide for themselves if the cost of accepting the ads is worth it in the long run. Users aren’t stupid; they realize the ads are often scams, and many of them are playing the game just as hard as the advertisers, providing false or partially true information to get the rewards for clicking on banners and ads. Soon Facebook will have to decide if it wants to be the premier site on the Internet or be relegated to the backwaters of the Internet, used only by scammers and fools.
Aug 16 2009
I finally had the time to sit down and read the NSS Labs Web Browser Security Phishing Protection paper this morning. This paper is a test of the more popular browsers in use today and how well the reputation-based systems they’ve built work to protect users against phishing attempts by malicious sites. The big winners in the test were Firefox 3 (not 3.5) and IE8, which almost tied at 80% and 83% accuracy for blocking phishing sites. Given that the study quotes a margin of error of 3.6%, the two browsers are equal for most intents and purposes. The big loser of the test was Safari 4, which only had a 2% blocking rate for malicious sites. I hope Safari on my iPhone is better than it is on my MacBook, or at least that there are fewer phishing sites targeting the iPhone.
It’s very interesting that Firefox 3, Chrome 2 and Safari 4 all use Google’s Safe Browsing data feed but have very different results from the same data. Chrome 2 only had a 16% success rate in blocking, compared with Firefox 3 at 80% and Safari 4 at 2%. So why the big difference between the three browsers running off of the same information? NSS Labs doesn’t offer an explanation and apparently none of the developers did either, so either Firefox is pulling in a lot of additional information from somewhere or the Chrome and Safari developers have some learning to do.
What I personally found the most interesting about the paper, though, was that the Anti-Phishing Working Group is quoted as saying that the average phishing site only has a lifespan of approximately 52 hours. None of the browsers reaches full effectiveness at blocking a phishing site until about 48 hours after the site has become active, so you’re only getting about 4 hours of maximum benefit. The long-term trends look good, but it’s a little disturbing that many phishing sites go relatively undetected for at least the first 24 to 48 hours they’re live.
I’d be curious to see how Firefox 3.5 changes this mix. Apparently it wasn’t stable enough to be used in this test, but maybe we’ll see a new set of tests next quarter. I’m also wondering what effect the Firefox plugin NoScript would have on the results. Since NoScript isn’t, strictly speaking, an anti-phishing tool, I doubt NSS Labs will be testing it any time soon, but I’d like to know how much more secure it makes my web surfing experience.
Now to go back and read the Socially Engineered Malware report.
Aug 03 2009
When heading to Las Vegas for Black Hat and Defcon, there are a number of basic security measures many of us take. Phone wireless off: check. Phone Bluetooth off: check. Laptop wireless and Bluetooth off: check. Use an ATM that’s nowhere near either Caesar’s or the Riviera: check. That turned out to be a very good decision, as a fake ATM showed up at the Riviera and the machines at the Rio Hotel were debiting accounts but not dispensing money. And people were wondering why the ATMs on the conference floor at the Riviera were all unplugged from power when we arrived. Of course the network cables for the ATMs were still in place, but I hope the hotel was proactive enough to disable those ports on the switch as well. The fact that I saw one hotel information machine with an error message about network connectivity tends to support that possibility.
It’s not a joke when the networks at Black Hat and Defcon are called some of the most dangerous networks in the world. Attendees take the safety of their computers into their own hands when they connect to either network. The best answer is to not connect to the network at all if you can avoid it, but if you have to connect, encrypt every packet and every connection and use a computer with a fresh, patched image that you wipe as soon as you get back from the event. These aren’t the only steps you should have taken over the last week, but they’re a good start.
Along the same lines, it was a good idea to take out the money you thought you’d need before you ever got to Las Vegas for last week’s events. I have to admit I didn’t take this precaution myself; I was busy and forgot to hit an ATM before boarding the plane for Vegas. I had to take my chance with an ATM in my hotel, which luckily was not Caesar’s, the Riviera or the Rio. I chose a machine that was in a heavily monitored and travelled area, looked for anything suspicious and crossed my fingers. So far it looks like my luck has held.
It’s no joke that ATMs are not secure. Many of them run on a Windows OS and have all the vulnerabilities associated with Windows, especially since I highly doubt many ATMs are configured to patch themselves with any regularity. Plus there are little things like the software my coworkers at SpiderLabs found on ATMs in Europe earlier this year. The fact is, the entire ATM infrastructure is under attack on both a physical and a virtual level. And if someone like Chris Paget, a professional who specializes in credit card and hardware security, can’t recognize a compromised machine on sight, the rest of us don’t have much of a chance.
It’ll be interesting to see how this plays out. The fake ATM that was placed in the Riviera lobby will likely have a fair amount of interesting forensic evidence, not the least of which will be the potential for fingerprints inside the machine. The attackers might have thought it was a fairly harmless joke to show how stupid other security professionals can be, but I doubt the FBI will show much of a sense of humor. The Riviera staff likely took the most prudent route in disabling their ATMs in the conference center, but this sort of antic has to be trying the patience of a hotel that needs the business Defcon brings.
Jul 25 2009
I’m sitting down to nurse a cup of coffee this morning. Had friends over last night, a fair amount of drinking ensued, lots of male bonding through bad jokes and some rousing games of Alhambra and Saint Petersburg. This is my idea of a good Friday night with friends, which worries me a little, since it makes me sound and feel like a middle-aged geek. Which I have to say is a pretty good description. I guess I’ll have to overcompensate at Black Hat and Defcon next week. In the meantime, here are some of the stories from this week that are clogging up my Firefox tabs.
- Adobe issues security advisory for Flash zero-day flaw – Rumor has it that Adobe has known about this flaw for over seven months.
- Help for internal auditors on PCI Compliance – Some of these points are going to help me as the assessor as well. But more of them should be part of your security processes whether you’re trying to be PCI compliant or simply secure.
- Extending the concept: A security API for Cloud Stacks – Chris Hoff posted this concept last night and caused quite a brouhaha. The basic idea is that the commonality of the various compliance structures should be built into a security control model that’s used to build cloud infrastructure in a testable, open architecture. Very interesting concept; I want to see how Chris develops it going forward.
- Vulnerability scanning and Clouds: an attempt to move the dialog on – This is the post that kickstarted Hoff’s thinking for the previous article. Lack of vulnerability scanning is just one of the reasons that cloud computing gives compliance officers fits.
- The growing threat to business banking online – Somewhere in the last couple of years the Internet has gone from being the Wild West to the streets of Chicago in the 1920s. The bad guys have become incredibly well organized and you’re taking your digital health into your own hands every time you go online. Businesses and local governments are increasingly becoming targets. After all, “That’s where the money is.”
- Mind games: How social engineers win your confidence – Scams and grifting are as old as humanity, probably older if you want to consider some of the examples you can find in the animal kingdom. And they stick around because once you’ve mastered the basic principles, it’s relatively easy to get what you want out of the majority of people and situations. The best defense is to be educated and be able to recognize the clues that you’re being socially engineered without having to consciously think about it.
- Network Solutions hack compromises 573,000 credit, debit accounts – Good job NS, you allowed code to be installed on a compromised system and gave up over half a million records, mainly of mom and pop stores. I hope you do a better job protecting our domain names.
Just added – Matasano site compromised. I couldn’t fault them too much for falling to a zero-day, except for the fact that they’re a research firm that should be finding these things on other people’s sites, not their own.
Apr 26 2009
I’m the first to admit that my own direct experience with forensics is limited, but what I’ve seen has always been done using a set of tools collected and mastered by the individual responding to the incident, with whatever framework surrounds the response having been developed through experience. It’s hard work that takes a very specific skill set that only a limited number of individuals have. I don’t have those skills and admire those who do.
I had a chance to sit down on the show floor at the RSA Conference and talk to Dave Merkel about Mandiant’s ‘red box’ Intelligent Response (MIR). Intelligent Response allows the forensics responder to collect important information from a large number of hosts quickly, and more importantly, consistently. Once the vector of infection or attack has been identified, MIR can be used to scan the systems with very specific instructions, allowing the specialist to find other compromised systems quickly and with a high degree of confidence.
Dave Merkel and I talk about how Mandiant works as well as his opinions about recent news of breaches and compromises. If anything, Dave thinks some of the reports on SCADA compromises may be under-reported, something that really makes me worry.
NSP Microcast RSAC 2009 – Dave Merkel from Mandiant
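The workflow described above, collect the same facts from every host and then sweep them for the indicators taken from the first confirmed compromise, can be shown in a few lines. This is an added example written for this post, not Mandiant’s code or MIR’s API; the indicator values, host names and snapshot format are all constructed, and the hash is an obvious placeholder.

```python
# Constructed indicator set, the kind an investigator derives from the first
# confirmed compromise (all values invented for this example; the hash is a placeholder).
INDICATORS = {
    "process": {"svch0st.exe"},
    "sha256": {"PLACEHOLDER_SHA256_OF_DROPPER"},
    "run_key": {"UpdaterSvc"},
}

# Constructed host snapshots. Every host is recorded in the same shape
# (running process names, hashes of files in a watched directory, Run-key value
# names), which is what makes the later sweep consistent across the fleet.
SNAPSHOTS = [
    {"host": "ws-01", "process": {"explorer.exe", "outlook.exe"},
     "sha256": {"PLACEHOLDER_SHA256_OF_NOTEPAD"}, "run_key": {"OneDrive"}},
    {"host": "ws-07", "process": {"explorer.exe", "svch0st.exe"},
     "sha256": {"PLACEHOLDER_SHA256_OF_DROPPER"}, "run_key": {"UpdaterSvc"}},
    {"host": "ws-12", "process": {"explorer.exe"},
     "sha256": {"PLACEHOLDER_SHA256_OF_NOTEPAD"}, "run_key": {"UpdaterSvc"}},
]


def normalize(values):
    """Case-fold every collected value so 'SVCH0ST.EXE' and 'svch0st.exe' compare equal."""
    return {v.lower() for v in values}


def match_host(snapshot, indicators):
    """Return the (category, value) indicators present on one host, in indicator order."""
    hits = []
    for category, wanted in indicators.items():
        found = normalize(wanted) & normalize(snapshot.get(category, set()))
        hits.extend((category, value) for value in sorted(found))
    return hits


def sweep(snapshots, indicators, min_hits=1):
    """Sweep every snapshot and report hosts with at least min_hits indicators.

    Raising min_hits trades recall for confidence: a host that only shares a
    Run-key name is a lead, one that also carries the dropper is a confirmed hit.
    """
    results = {}
    for snapshot in snapshots:
        hits = match_host(snapshot, indicators)
        if len(hits) >= min_hits:
            results[snapshot["host"]] = hits
    return results


if __name__ == "__main__":
    for host, hits in sweep(SNAPSHOTS, INDICATORS).items():
        print(host, hits)
```

With the default threshold the sweep flags ws-07 (three indicators) and ws-12 (only the Run-key value); with `min_hits=2` only ws-07 remains, which is the "high degree of confidence" list a responder would act on first.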
Apr 13 2009
I really have to wonder if Michael Mooney is trying to get arrested; after creating three Twitter XSS worms over the weekend, the 17-year-old author responded to an editor at Net News Daily and told the editor that he wasn’t worried and that he knows this stunt could land him in jail. Like many grey and black hat hackers, he blames Twitter for leaving the vulnerability open, rather than taking any of the responsibility for notifying Twitter of the issue.
This Twitter XSS attack by Mikeyy caused quite a stir over the weekend, infecting thousands of users and creating tweets to point them back to his StalkDaily site. The accounts that started this have been shut down and work is in progress to clean up the issues, but it may be a few more days before we know for certain that everything is safe again. There doesn’t appear to be any theft of personal information or account passwords involved in the worm; it was simply a publicity stunt to garner traffic for StalkDaily, at least according to F-Secure and Twitter.
Don’t be at all surprised if this is only the first wave of Twitter worms. Even if Twitter has already patched this vulnerability, it’s a big application with a lot of people banging against it trying to find the next set of vulnerabilities. They’ll be found, sooner or later; it’s just a fact of life. If you’re not already using Firefox and NoScript, now is a good time to start, at least when checking out people’s profiles.
Mikeyy is not an adult and he didn’t do anything that destructive, but his actions may be technically illegal, even if Twitter doesn’t want to prosecute directly. His arrogance in claiming the worm and showing no sign of being even slightly apologetic for releasing it on Twitter doesn’t bode well for his future, and the authorities need to have a long talk with him about it if nothing else. I’ve long been a believer in responsible disclosure and this sort of behaviour is about as far from responsible disclosure as you can get.
The thing we need to learn the most from this is that any web application is vulnerable. Mikeyy didn’t do much damage, all things considered, and he probably won’t get in too much trouble just because of that. The next person who discovers a vulnerability in Twitter might not be quite so nice, however.
Update: Here are some steps you can take to protect yourself – Twitter worm attack continues: Here’s how to keep safe
Technorati Tags: Twitter, XSS, StalkDaily
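The class of bug behind the worm, a profile field echoed back into other users’ pages without encoding, is worth seeing next to its fix. The following is an added example written for this post, not Twitter’s code or anything F-Secure published: the profile records are constructed, the "worm.invalid" URL is a placeholder, and the two render functions are hypothetical stand-ins for a server-side template. It shows the vulnerable pattern, the hardened version (HTML-escape every field, allow only http/https link schemes) and a crude check a reviewer can run over rendered output.

```python
import html
from urllib.parse import urlsplit

# Constructed sample profiles (built for this example, not real Twitter data).
# "mallory" carries the kind of markup a stored-XSS worm leaves in a profile:
# a script tag in the display name and a javascript: URL in the website field.
SAMPLE_PROFILES = {
    "alice": {"name": "Alice", "url": "http://example.com/alice"},
    "mallory": {
        "name": 'Mallory<script src="http://worm.invalid/w.js"></script>',
        "url": "javascript:alert(1)",
    },
}

# Link schemes that are allowed to reach an href attribute; everything else
# (javascript:, data:, vbscript:, ...) is turned into a dead link.
ALLOWED_SCHEMES = {"http", "https"}

TEMPLATE = '<div class="profile"><a href="{url}">{name}</a></div>'


def render_unsafe(profile):
    """The vulnerable pattern: stored fields dropped straight into the page."""
    return TEMPLATE.format(url=profile["url"], name=profile["name"])


def safe_href(url):
    """Keep only http(s) links, attribute-escaped; anything else becomes '#'."""
    scheme = urlsplit(url.strip()).scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return "#"
    return html.escape(url, quote=True)


def render_safe(profile):
    """Same template, with every field HTML-escaped and the link scheme checked."""
    return TEMPLATE.format(
        url=safe_href(profile["url"]),
        name=html.escape(profile["name"], quote=True),
    )


def has_active_content(rendered_html):
    """Rough review check over rendered output: a live script tag or script URL present?"""
    lowered = rendered_html.lower()
    return "<script" in lowered or 'href="javascript:' in lowered


if __name__ == "__main__":
    for who, profile in SAMPLE_PROFILES.items():
        print(who, "unsafe:", has_active_content(render_unsafe(profile)))
        print(who, "safe:  ", has_active_content(render_safe(profile)))
```

Escaping on output rather than filtering on input is the point: the stored value can stay exactly as the user typed it, and the page is still inert because `<` and `"` never reach the browser as markup. The scheme check is separate because escaping does nothing against `javascript:` in an `href`.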