By the end of 2008, the Kaspersky Lab collection contained more than 43 000 malicious files relating to social networking sites. The number of programs received by the Kaspersky Virus Lab which target social networking sites demonstrates that such sites are an increasingly popular target.
Vulnerabilities

For users, software vulnerabilities are the most dangerous type of threat. They can enable cybercriminals to evade the protection installed on the machine and attack the computer. As a rule, this is true for newly identified vulnerabilities for which patches have not yet been created – these are targeted by so-called zero-day attacks. In 2008, zero-day vulnerabilities were used by cybercriminals several times. The primary targets were vulnerabilities in Microsoft Office applications. In September, unknown Chinese hackers began to actively exploit a new vulnerability in the NetAPI service of Microsoft Windows. The vulnerability made it possible to infect a computer by launching a network attack. This vulnerability is now known as MS08-063. In the ranking of attacks on ports, this type of attack is in fourth place (see the Attacks on ports chapter). However, vulnerabilities in browsers and browser plug-ins remain the favorite attack vector.

Kaspersky Lab was the first antivirus company to include a vulnerability scanner in its personal products. This solution is the first step towards creating a fully functional patch management system, which is a matter of urgency not only for the antivirus industry but also for operating system and application developers. The scanner detects vulnerable applications and files on the computer and prompts the user to take action to eliminate these problems. It is extremely important to realize that vulnerabilities can be detected not only in Microsoft Windows, which has a built-in updating system, but in third-party applications as well.

We used the statistics provided by the vulnerability analysis system in 2008 to analyze the 100 most widespread vulnerabilities. 130,518,320 vulnerable files and applications were identified on computers running Kaspersky Lab antivirus products. Of these 100 vulnerabilities, the twenty most often detected affected 125,565,568 files and applications, i.e. over 96%.
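The core of the scanner described above is a comparison of installed application versions against the versions that carry a fix. The following is an added example, not Kaspersky Lab's code: it implements that check for third-party applications with a numeric version comparison (a plain string comparison would rank 9.9 above 9.10, a classic scanner bug). The advisory list, the advisory identifiers and the installed-application inventory are constructed sample data.

```python
"""Added example (not Kaspersky Lab code): a minimal version-based vulnerability
check for third-party applications.  Advisories, identifiers and the inventory
of installed applications are constructed sample data."""
import re
from dataclasses import dataclass


def parse_version(text):
    """Turn '9.1.3' or '3.0.11-beta' into a tuple of ints so comparisons are
    numeric, and drop trailing zeros so that '9.1.3.0' equals '9.1.3'."""
    parts = [int(p) for p in re.findall(r"\d+", text)]
    if not parts:
        raise ValueError(f"no numeric version in {text!r}")
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


@dataclass(frozen=True)
class Advisory:
    product: str
    fixed_in: str      # first version that contains the fix
    advisory_id: str   # placeholder identifier, not a real advisory number


# Constructed sample advisories; products, versions and IDs are illustrative only.
ADVISORIES = [
    Advisory("Acme Reader", "9.1.3", "ADV-EXAMPLE-001"),
    Advisory("Acme Reader", "9.2.0", "ADV-EXAMPLE-002"),
    Advisory("MediaPlayer", "3.0.11", "ADV-EXAMPLE-003"),
]


def is_vulnerable(installed, fixed_in):
    """True when the installed version predates the first fixed version."""
    return parse_version(installed) < parse_version(fixed_in)


def scan(inventory, advisories=ADVISORIES):
    """inventory: {product_name: installed_version}.  Returns a list of
    (product, installed, fixed_in, advisory_id) for every unpatched advisory,
    so one outdated application can produce several findings."""
    findings = []
    for adv in advisories:
        installed = inventory.get(adv.product)
        if installed is None:
            continue  # application not present on this host
        if is_vulnerable(installed, adv.fixed_in):
            findings.append((adv.product, installed, adv.fixed_in, adv.advisory_id))
    return findings


# Constructed inventory of third-party applications found on one host.
SAMPLE_INVENTORY = {"Acme Reader": "9.1.10", "MediaPlayer": "3.0.9", "Archiver": "5.0"}

if __name__ == "__main__":
    for product, installed, fixed, adv_id in scan(SAMPLE_INVENTORY):
        print(f"{product} {installed}: update to {fixed} or later ({adv_id})")
```

Note that Acme Reader 9.1.10 is already past the 9.1.3 fix but not the 9.2.0 one, so only the second advisory is reported; a real scanner also has to handle vendors whose version strings are not purely numeric, which the regex above deliberately tolerates by ignoring suffixes such as `-beta`.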
XSS worms targeting Twitter There has been a lot of hype generated lately in the web 2.0 world around the XSS worm that hit the well-known microblogging website Twitter. The worm was able to execute JavaScript code and thus propagate itself from one profile to another by exploiting Cross-Site Scripting (XSS) vulnerabilities in unfiltered inputs on the Twitter profile page. Thousands of spam messages containing the word "Mikeyy" (the nickname of the worm author) were generated as the worm propagated itself. We’ve identified and added detection for several variants of this worm under the name Net-Worm.JS.Twettir. Some variants were obfuscated to make the analysis process harder, some changed the exploited input field as soon as Twitter fixed the previously used one, and finally there were even variants that included code used to steal cookies storing user session information, enabling the author to hijack legitimate sessions. This is not the first time we’ve seen a Cross-Site Scripting (XSS) worm and most probably won’t be the last one. In the case of the Samy worm, the largest known XSS worm, which infected over 1 million MySpace profiles in less than 20 hours back in 2005, the virus author was sued and found guilty. With the case of the Mikeyy worm now, it’s up to the folks at Twitter to decide whether or not they will pursue legal action. In the meantime, what users can do to protect themselves from XSS worms is to only allow JavaScript code to be executed from trusted sources – the NoScript extension in Firefox is helpful – and, of course, to keep their antivirus definitions updated.
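The root cause named above is unfiltered input placed into the profile page. As an added example, not Twitter's or Kaspersky Lab's code, the following shows a profile-field renderer first without output encoding and then hardened with context-aware escaping. The field names, page layout and sample input are constructed; the sample input is the kind of markup a self-propagating payload would leave in a profile field.

```python
"""Added example (not Twitter's or Kaspersky Lab's code): a profile field
renderer shown vulnerable and then hardened.  Field names, layout and the sample
input are constructed for illustration."""
import html
from urllib.parse import urlparse


def render_profile_unsafe(name, homepage):
    """Vulnerable: user-controlled strings are concatenated straight into HTML,
    so a <script> element in the name field runs for every visitor."""
    return f'<h1>{name}</h1><a href="{homepage}">homepage</a>'


def safe_href(url):
    """Allow only absolute http(s) URLs in a link; anything else (javascript:,
    data:, ...) becomes a harmless fragment.  Escaping alone would not stop a
    javascript: URL because it contains no HTML-special characters."""
    parsed = urlparse(url.strip())
    if parsed.scheme in ("http", "https") and parsed.netloc:
        return html.escape(url, quote=True)
    return "#"


def render_profile_safe(name, homepage):
    """Hardened: text context is HTML-escaped, attribute context is escaped with
    quotes encoded and the URL scheme is checked."""
    return (f'<h1>{html.escape(name)}</h1>'
            f'<a href="{safe_href(homepage)}">homepage</a>')


def contains_active_content(markup):
    """Crude check used here to compare the two renderers."""
    lowered = markup.lower()
    return "<script" in lowered or 'href="javascript:' in lowered


# Constructed sample input placed into the two profile fields.
SAMPLE_NAME = 'Mikeyy <script>alert(1)</script>'
SAMPLE_HOMEPAGE = 'javascript:alert(document.cookie)'

if __name__ == "__main__":
    print(render_profile_unsafe(SAMPLE_NAME, SAMPLE_HOMEPAGE))
    print(render_profile_safe(SAMPLE_NAME, SAMPLE_HOMEPAGE))
```

The escaping is specific to the output context: `html.escape` is enough for element text, but a link attribute additionally needs a scheme whitelist, and a value inserted into an inline script or a style block would need yet another encoder. On the client side, a Content-Security-Policy header that forbids inline scripts is the server-controlled counterpart to the NoScript extension mentioned above.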
Do you know what that innocent-looking Facebook app is really doing? Researchers at the Institute of Computer Science (ICS) have created a proof-of-concept Facebook application capable of covertly herding users of the popular social network into a powerful — and malicious — botnet. The demo application, called Photo of the Day, delivers a different image from National Geographic every day but, behind the scenes, special code embedded into the application creates a botnet of Facebook users launching denial-of-service attacks. In a research paper (.pdf) to be presented at this year’s Information Security Conference, the research group provided technical details of its Facebot: [W]e have placed special code in the application’s source code, so that every time a user views the photo, HTTP requests are generated towards a victim host. More precisely, the application embeds four hidden frames with inline images hosted at the victim. Each time the user clicks inside the application, the inline images are fetched from the victim, causing the victim to serve a request of 600 KBytes, but the user is not aware of that fact (the images are never displayed).
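From the victim's side, the pattern described in the paper has a recognisable footprint: many distinct clients fetch the same large images with a Referer pointing at the application, yet none of those clients ever requests a page from the site. The following detector over web server log lines is an added example, not code from the ICS paper or from Kaspersky Lab; it assumes the Apache "combined" log format, and all hosts, addresses and log lines are constructed.

```python
"""Added example (not from the ICS paper or Kaspersky Lab): spotting the
hidden-iframe image flood in a victim's web server log.  The Apache "combined"
format is assumed; hosts, addresses and log lines are constructed."""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
IMAGE_SUFFIXES = (".jpg", ".jpeg", ".png", ".gif")


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec


def referer_host(referer):
    m = re.match(r"https?://([^/]+)", referer)
    return m.group(1).lower() if m else None


def find_image_floods(lines, min_clients=3, min_bytes=300_000):
    """Group image requests by Referer host.  A host whose embedded images are
    fetched by many distinct clients that never request a page from this site
    matches the pattern above: the browser loads the images, the user never
    visits.  Returns {referer_host: (silent_clients, total_bytes)}."""
    per_ref = defaultdict(lambda: {"ips": set(), "bytes": 0})
    page_visitors = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        is_image = rec["path"].lower().endswith(IMAGE_SUFFIXES)
        host = referer_host(rec["referer"])
        if is_image and host:
            per_ref[host]["ips"].add(rec["ip"])
            per_ref[host]["bytes"] += rec["bytes"]
        elif not is_image:
            page_visitors.add(rec["ip"])
    flagged = {}
    for host, agg in per_ref.items():
        silent = agg["ips"] - page_visitors  # clients that only ever fetched images
        if len(silent) >= min_clients and agg["bytes"] >= min_bytes:
            flagged[host] = (len(silent), agg["bytes"])
    return flagged


# Constructed log excerpt: three clients driven by an application page fetch two
# images each and nothing else; one ordinary visitor loads a page and an image.
SAMPLE_LOG = """\
203.0.113.10 - - [25/Sep/2009:10:00:01 +0000] "GET /img/a.jpg HTTP/1.1" 200 153600 "http://apps.social.invalid/photo-of-the-day" "Mozilla/5.0"
203.0.113.10 - - [25/Sep/2009:10:00:01 +0000] "GET /img/b.jpg HTTP/1.1" 200 153600 "http://apps.social.invalid/photo-of-the-day" "Mozilla/5.0"
203.0.113.11 - - [25/Sep/2009:10:00:02 +0000] "GET /img/a.jpg HTTP/1.1" 200 153600 "http://apps.social.invalid/photo-of-the-day" "Mozilla/5.0"
203.0.113.11 - - [25/Sep/2009:10:00:02 +0000] "GET /img/b.jpg HTTP/1.1" 200 153600 "http://apps.social.invalid/photo-of-the-day" "Mozilla/5.0"
203.0.113.12 - - [25/Sep/2009:10:00:03 +0000] "GET /img/a.jpg HTTP/1.1" 200 153600 "http://apps.social.invalid/photo-of-the-day" "Mozilla/5.0"
203.0.113.12 - - [25/Sep/2009:10:00:03 +0000] "GET /img/b.jpg HTTP/1.1" 200 153600 "http://apps.social.invalid/photo-of-the-day" "Mozilla/5.0"
198.51.100.7 - - [25/Sep/2009:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Sep/2009:10:00:05 +0000] "GET /img/a.jpg HTTP/1.1" 200 153600 "http://www.victim.invalid/index.html" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for host, (clients, nbytes) in find_image_floods(SAMPLE_LOG.splitlines()).items():
        print(f"{host}: {clients} image-only clients, {nbytes} bytes served")
```

Once a referring host is flagged, the cheap mitigation is on the same axis the detector uses: serve the images only to requests whose Referer is the site itself (or empty), and return a small error to the rest, which removes the 600 KB amplification without blocking real visitors.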
Facebook Certifies First Batch of 120 Verified Applications May 20th, 2009 Along with the release of the updated application directory today, Facebook has also made public for the first time the list of applications which it has certified in its Application Verification Program. 120 applications now appear with a “green check” in the application directory and a badge on their about page. In addition, Facebook shared in more detail what the exact benefits of Verification are:
Badging in the Application Directory: Users will see a green “verified” check mark next to your application name wherever it is listed.
Priority ranking in the Application Directory: When appropriate, Verified Apps will appear before any applications that have not been verified yet.
Badging on your application profile: On this page, users will see the official “Facebook Verified App” graphic in the left column.
Allocation boosts: You will also receive a two-bucket boost in both notification and requests allocations. You can see your application’s allocation buckets on the Allocations tab on the Insights page. These allocations will continue to be subject to our algorithmic reputation system which looks at various metrics and user signals.
Ad credits and discounts: You will receive $100 in credit to advertise with Facebook and discounts to paid Facebook events.
The verification program, which was announced last July and launched in November, is designed to give more prominence to applications which meet Facebook’s standard for user experience and security. Anyone can apply, but there is a $375 fee per year. Along with the “Great Apps” program, which currently includes just Causes and iLike, the verification program is another part of Facebook’s efforts to improve the trustworthiness and reputation of applications on the Facebook Platform.
Bugs Hit Facebook Application Verification Program Juan Carlos Perez, IDG News Service Thursday, May 21, 2009 5:10 PM PDT Facebook's Application Verification Program, controversial due to its concept of charging developers to have their applications certified as "trustworthy," has run into technical problems. Announced in November and launched on Wednesday, the program has system bugs that are preventing developers from reaping some benefits of having paid to have their applications reviewed and approved. In a thread on the official Facebook developer forum, developers who shelled out the US$375 review fee began reporting a variety of system problems on Wednesday. In that same thread, Facebook on Thursday afternoon acknowledged that at least three of the bugs reported exist and that the company is working to fix them. For example, the special green checkmark that denotes verified applications' special status isn't appearing in the Applications Directory search results. Consequently, without that special badge, the applications look no different from those posted by developers who didn't pay for the verification. In addition, some developers are reporting that they can't submit their applications for review because the link to do so doesn't work, another bug Facebook has acknowledged exists for some applications. Another bug Facebook has acknowledged is that the boost in user notifications and requests that verified applications get isn't always showing up in the developer's control panel stats.
Other developers complained in the thread that they couldn't find their applications at all -- green checkmark or not -- although this may be due to the way the Facebook algorithms work in displaying certain applications to certain people and not others. The program became instantly controversial when it was announced in November because critics said developers shouldn't have to pay to have their applications labeled "trustworthy." They argued that it should be up to Facebook to ensure that applications built for its site comply with this requirement. In response, Facebook has said that, in fact, all of the more than 52,000 applications on its platform must comply with requirements and policies that make them trustworthy. The Application Verification Program, which is optional, gives developers a chance to make their applications stand out by adopting an additional set of best practices for them regarding user experience and user communications, according to Facebook. Still, some Facebook developers remain unconvinced about the value of the program, and even more so now with the technical issues affecting it. "I will not pay to be approved. It's not worth the money. Any good application will do just fine without it," said Christopher Bourton, games developer and consultant at Lethos Designs in London, which has developed three Facebook applications and is building two more. Bourton, contacted via e-mail on Thursday, said he fears that the program will create "an elitist two-tier system" in which large developers that can pay the fee will get the benefits, while smaller developers with fewer resources will not be able to afford it. Applications approved through the system get the verified status for 12 months, after which developers must re-submit them for review and pay the $375 fee again.
Other developers are more positive about the program, like Tim O'Shaughnessy, CEO of LivingSocial, which has created about 10 applications for Facebook, including its very popular namesake and Visual Bookshelf. "The verification program is a nice way of allowing users to weed through the noise and know [that] if they're adding a [verified] application, there is a sense of trust behind that add," O'Shaughnessy said via e-mail. LivingSocial submitted Visual Bookshelf for verification and got it approved, but while the process was fairly simple and straightforward, it took Facebook longer than O'Shaughnessy expected to complete its review. "Now that the initial applicants have been verified, however, my guess is the process will be much shorter in the future," he said. For O'Shaughnessy, a big question regarding the value of the program is whether it will truly give Facebook users a sense of security towards verified applications. He also hopes that Facebook will continue to evolve the program. "As new Facebook features and functionality are made available, will the verification program keep up with new, relevant additions? This seems like a necessity in order for the program to have long-term value," he said. Gartner analyst Ray Valdes thinks that establishing the program was a good move by Facebook. "Facebook's value proposition is having a quality user experience and that includes the experience of applications," Valdes said in a phone interview. "As the number of applications has grown, the quality of the experience has decreased. This is part of their ongoing maintenance and cultivation of the user experience." IDC analyst Al Hilwa concurs that end users will benefit from having a set of applications that Facebook has certified as meeting special criteria for user experience and trust. "I think this is a welcome move to rein in what could potentially be a tiring process of finding well-behaved and trustworthy apps," he said via e-mail.
"Relying on market forces to sort out the wheat from the chaff may work in the long run and sounds good as an ideal, but with the velocity of business these days, and the ephemeral stickiness of online sites, it is maybe too late for a platform to be successful to wait for that process to settle down," Hilwa added. On Wednesday, Facebook launched the program with an initial set of 120 verified applications, but it expects developer interest to pick up considerably now that the program has been launched.
When web 2.0 sneezes, everyone gets sick - Presentation Transcript
When web 2.0 sneezes, everyone gets sick Stefan Tanase - Kaspersky Lab 19th Virus Bulletin International Conference September 25th 2009, Geneva, Switzerland
What is web 2.0 ?
Social networking malware
General structure of a web 2.0 attack
Technical vulnerabilities, human factor
Koobface – the web 2.0 worm
Threats beyond classic malware
Big problems with short URLs
Malware inside the browser: XSS worms, 3rd party applications
From web 2.0 to mobile malware
Problems beyond malware (privacy, data leakage)
Targeted attacks become mainstream
Conclusions – what’s next?
Overview
Agenda
Brawn GP
Barack Obama
The White House
Connect with the Pope on Facebook. Really.
Iran
Web 2.0 – profitable business?
Facebook population – bigger than USA?
What is Web 2.0? (word cloud) UGC, collaboration, flexibility, mobility, socializing, wiki, blog, AJAX, CSS, XML, RSS, tag, API, OMG, FTW, LOL, WEB 2.0
What is Web 2.0? New attack vectors
YouTube
Digg
Twitter
LinkedIn
Total number of malicious software samples spreading through social networks
Social networking malware
Technical factor
0-day vulnerabilities
Lack of patches
Unlicensed software
Human factor
Social engineering
Curious and naïve users
Trust – a human “vulnerability”
Vulnerable systems: humans & machines
Critical vulnerabilities in 2008
Technical vulnerabilities
Human vulnerabilities – Mac DNS Changer
The real human vulnerability
Human factor and Kido/Conficker
Human vulnerabilities - Kido
General structure of a web 2.0 attack
The web 2.0 worm 18 September 2009 Webstock 2009
June 2009 – Explosive growth of Koobface modifications
The number of variants detected jumped from 324 at the end of May to almost 1000 by the end of June 2009
This sign of increased cybercriminal activity involving social networks in the past months proves that the strategies being used by the bad guys to infect users are much more efficient when adding the social context to the attacks
Koobface on the tweet
June 2009 – Koobface spreading through Twitter also
First discovered one year ago by Kaspersky Lab, Koobface was only targeting Facebook and MySpace users
Being constantly “improved”, now spreading through more social networks: Facebook, MySpace, Hi5, Bebo, Tagged, Netlog and most recently… Twitter
Koobface – social engineering at work
Web 2.0 malware: very similar to email worms
Infection success rate of malware:
10% when spreading through social networks
only 1% when spreading through email
Social networking threats mean more than this
Social networks themselves are vulnerable
Social engineering is made easy with short URLs
Personal data leakage, privacy issues
Another risk: 3rd party applications
Social networks open doors to mobile malware
Targeted attacks
Social networks: from ecstasy to agony
XSS Worm:
Twitter: comeback of the XSS worm
Short URLs, big problems
The best things about short URLs
There are so many!
Problems with short URLs:
Social engineering is easy
Questionable reliability
Implicit trust
Cli.gs gets hacked, no malicious intent – but what if?
Too many redirects hosted in the same place is not good news
June 2009 – URL shortening service Cli.gs gets hacked
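The three problems listed above (easy social engineering, questionable reliability, implicit trust) all stem from the same fact: a short URL hides its destination until it is followed. A defensive habit is to resolve the redirect chain without rendering anything and to look at where it ends and how many shortening hops it passes through. The following resolver is an added example, not code from Cli.gs, any other shortening service or Kaspersky Lab; the `fetch_location` callback stands in for an HTTP HEAD request, and the redirect table and hostnames are constructed so the example runs offline.

```python
"""Added example (not code from any shortening service or from Kaspersky Lab):
resolving a short URL to its final destination before trusting it.  The
`fetch_location` callback stands in for an HTTP HEAD request; the redirect table
and hostnames below are constructed so the example runs offline."""
from urllib.parse import urlparse

# Constructed redirect table: URL -> Location header it would return.
REDIRECTS = {
    "http://sho.rt/abc": "http://other.sho.rt/xyz",
    "http://other.sho.rt/xyz": "https://www.example.com/article",
    "http://sho.rt/loop1": "http://sho.rt/loop2",
    "http://sho.rt/loop2": "http://sho.rt/loop1",
}

# Constructed list of hosts known to be shortening services.
SHORTENER_HOSTS = {"sho.rt", "other.sho.rt"}


def fetch_location(url):
    """Stand-in for a HEAD request: returns the Location header or None when the
    URL is a final destination."""
    return REDIRECTS.get(url)


def expand(url, fetch=fetch_location, max_hops=5):
    """Follow redirects one header at a time without fetching any body.
    Returns (final_url, chain, verdict) where verdict is 'ok', 'loop' or
    'too_many_hops'; the hop cap keeps a misbehaving service from tying the
    resolver up, and the seen-set catches redirect loops."""
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        nxt = fetch(chain[-1])
        if nxt is None:
            return chain[-1], chain, "ok"
        if nxt in seen:
            return nxt, chain + [nxt], "loop"
        seen.add(nxt)
        chain.append(nxt)
    return chain[-1], chain, "too_many_hops"


def summarize(url, fetch=fetch_location, max_hops=5):
    """What a user (or a mail/IM gateway) would want to know before clicking:
    the real destination host, the number of shortener hops, and whether the
    chain resolved cleanly."""
    final, chain, verdict = expand(url, fetch, max_hops)
    shortener_hops = sum(1 for u in chain if urlparse(u).hostname in SHORTENER_HOSTS)
    return {
        "destination_host": urlparse(final).hostname,
        "shortener_hops": shortener_hops,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for short in ("http://sho.rt/abc", "http://sho.rt/loop1"):
        print(short, "->", summarize(short))
```

Two shortener hops before reaching the real page is exactly the "too many redirects hosted in the same place" situation the slide warns about: every hop is another service whose compromise or outage would silently change or break the link, so a gateway can reasonably treat a high hop count or a non-`ok` verdict as a reason to show the user the resolved destination rather than the short form.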
Social networking and privacy concerns
Social engineering at its best
Public information posted to social networks by twitter admin
Used by French hacker in social engineering attack
To answer Yahoo! Mail security question and reset the password
“Wow - my Yahoo mail account was just hacked.”
“If anyone with Yahoo! Security is out there, hit me up with a reply”
April 2009 – Twitter admin panel gets hacked
“Photo of the Day” application - Web 2.0 botnet
Third party applications
Facebook certifies 1st batch of 120 verified apps
Announced in November 2008
Rolled out in May 2009
$375 fee for developers
Must be renewed each year
52,000 applications in total
How many will get verified?
Several bugs were discovered
Third party applications
Trojan-SMS.J2ME.Konov
From social networks to mobile malware
From social networks to mobile malware: SMS messages to premium-rate numbers
So much personal information becomes public on social networks nowadays
Advertisers are already doing it: targeted ads
Age, gender, location, interests, work field, browsing habits, relationships
Targeted ads? Targeted attacks are already happening
But social networks are enabling the cybercriminals to deliver bulk targeted attacks
The personal data is there. Next step? Automation.
Geographical IP location has been around for a while
Automatic language translation services are getting better and better
Personal interests &amp; tastes are public (e.g. trending topics)
Targeted attacks become mainstream
That’s it?
What’s next?
The number and complexity of threats that exploit web 2.0 will continue to grow
Social networks will open up new ways for bulk targeted attacks against individuals
Localized, contextualized, personalized
It will be very hard for social networks to do better: unfortunately, their business means usability, not security
Be careful out there !
Thank you! Questions? Stefan Tanase – Kaspersky Lab 19th Virus Bulletin International Conference Geneva, Switzerland – September 25th, 2009 stefant@kaspersky.ro twitter.com/stefant
Web 2.0 applications have become increasingly popular among Internet users in the past few years. This trend is very unlikely to come to an end soon. More and more 'classic' websites are shifting towards web 2.0 concepts, start-ups are all about web 2.0 and new users are adopting the web 2.0 lifestyle every day.
This paper aims to address the following questions:
What exactly is web 2.0?
What are the concepts and technologies that make web 2.0 what it is?
Why does web 2.0 attract malware authors?
How did malware spread over the Internet before web 2.0?
What are the new attack vectors created by web 2.0 technologies?
What social engineering tactics emerge over the web 2.0 concepts?
How dangerous is the combination of human & technological vulnerabilities?
Are web 2.0 attacks more efficient?
How difficult is it to protect ourselves?
How are web 2.0 threats going to evolve?
Web 2.0 applications are not only being used at home, but also in the corporate environment. The new attack vectors are raising the stakes, both for malware authors and security professionals. The user is somewhere in between the two sides, unwittingly helping the attackers while also suffering from the attacks.