When web 2.0 sneezes, everyone gets sick
Web 2.0 applications have become increasingly popular among Internet users in the past few years. This trend is very unlikely to come to an end soon. More and more 'classic' websites are shifting towards web 2.0 concepts, start-ups are all about web 2.0 and new users are adopting the web 2.0 lifestyle every day.

This paper aims to address the following questions:

What exactly is web 2.0?
What are the concepts and technologies that make web 2.0 what it is?
Why does web 2.0 attract malware authors?
How did malware spread over the Internet before web 2.0?
What are the new attack vectors created by web 2.0 technologies?
What social engineering tactics emerge over the web 2.0 concepts?
How dangerous is the combination of human & technological vulnerabilities?
Are web 2.0 attacks more efficient?
How difficult is it to protect ourselves?
How are web 2.0 threats going to evolve?

Web 2.0 applications are not only being used at home, but also in the corporate environment. The new attack vectors are raising the stakes, both for malware authors and security professionals. The user is somewhere in between the two sides, unwittingly helping the attackers while also suffering from the attacks.

Published in: Technology, Business
  • By the end of 2008, the Kaspersky Lab collection contained more than 43,000 malicious files relating to social networking sites. The number of programs received by the Kaspersky Virus Lab which target social networking sites demonstrates that such sites are an increasingly popular target.
  • Vulnerabilities. For users, software vulnerabilities are the most dangerous type of threat. They can enable cybercriminals to evade protection installed on the machine and attack the computer. As a rule, this is true for newly-identified vulnerabilities, for which patches have not yet been created – these are targeted by so-called zero-day attacks. In 2008, zero-day vulnerabilities were used by cybercriminals several times. The primary targets were vulnerabilities in Microsoft Office applications. In September, unknown Chinese hackers began to actively exploit a new vulnerability in the NetAPI service of Microsoft Windows. The vulnerability made it possible to infect a computer by launching a network attack. This vulnerability is now known as MS08-063. In the ranking of attacks on ports, this type of attack is in fourth place (see the 'Attacks on ports' chapter). However, vulnerabilities in browsers and browser plug-ins remain the favorite attack vector. Kaspersky Lab was the first antivirus company to include a vulnerability scanner in its personal products. This solution is the first step towards creating a fully functional patch management system, which is a matter of urgency not only for the antivirus industry but also for operating system and application developers. The scanner detects vulnerable applications and files on the computer and prompts the user to take action to eliminate these problems. It is extremely important to realize that vulnerabilities can be detected not only in Microsoft Windows, which has a built-in updating system, but in third-party applications as well. We used the statistics provided by the vulnerability analysis system in 2008 to analyze the 100 most widespread vulnerabilities. 130,518,320 vulnerable files and applications were identified on computers running Kaspersky Lab antivirus products. Of these 100 vulnerabilities, the twenty most often detected affected 125,565,568 files and applications, i.e. over 96%.
  • XSS worms targeting Twitter. There has been a lot of hype generated lately in the web 2.0 world around the XSS worm that hit the well-known microblogging website Twitter. The worm was able to execute JavaScript code and thus propagate itself from one profile to another by exploiting Cross-Site Scripting (XSS) vulnerabilities in unfiltered inputs on the Twitter profile page. Thousands of spam messages containing the word "Mikeyy" (the nickname of the worm author) were generated as the worm propagated itself. We've identified and added detection for several variants of this worm under the name Net-Worm.JS.Twettir. Some variants were obfuscated to make the analysis process harder, some changed the exploited input field as soon as Twitter fixed the previously used one, and finally there were even variants that included code used to steal cookies storing user session information, enabling the author to hijack legitimate sessions. This is not the first time we've seen a Cross-Site Scripting (XSS) worm and most probably won't be the last one. In the case of the Samy worm, the largest known XSS worm, which infected over 1 million MySpace profiles in less than 20 hours back in 2005, the virus author was sued and found guilty. With the case of the Mikeyy worm now, it's up to the folks at Twitter to decide whether or not they will pursue legal action. In the meantime, what users can do to protect themselves from XSS worms is to only allow JavaScript code to be executed from trusted sources – the NoScript extension in Firefox is helpful – and, of course, to keep their antivirus definitions updated.
  • Do you know what that innocent-looking Facebook app is really doing? Researchers at the Institute of Computer Science (ICS) have created a proof-of-concept Facebook application capable of covertly herding users of the popular social network into a powerful — and malicious — botnet. The demo application, called Photo of the Day, delivers a different image from National Geographic every day but, behind the scenes, special code embedded into the application creates a botnet of Facebook users launching denial-of-service attacks. In a research paper (.pdf) to be presented at this year's Information Security Conference, the research group provided technical details of its Facebot: "[W]e have placed special code in the application's source code, so that every time a user views the photo, HTTP requests are generated towards a victim host. More precisely, the application embeds four hidden frames with inline images hosted at the victim. Each time the user clicks inside the application, the inline images are fetched from the victim, causing the victim to serve a request of 600 KBytes, but the user is not aware of that fact (the images are never displayed)."
  • Facebook Certifies First Batch of 120 Verified Applications (May 20th, 2009). Along with the release of the updated application directory today, Facebook has also made public for the first time the list of applications which it has certified in its Application Verification Program. 120 applications now appear with a "green check" in the application directory and a badge on their about page. In addition, Facebook shared in more detail what the exact benefits of Verification actually are. Badging in the Application Directory: users will see a green "verified" check mark next to your application name wherever it is listed. Priority ranking in the Application Directory: when appropriate, Verified Apps will appear before any applications that have not been verified yet. Badging on your application profile: on this page, users will see the official "Facebook Verified App" graphic in the left column. Allocation boosts: you will also receive a two-bucket boost in both notification and requests allocations. You can see your application's allocation buckets on the Allocations tab on the Insights page. These allocations will continue to be subject to our algorithmic reputation system which looks at various metrics and user signals. Ad credits and discounts: you will receive $100 in credit to advertise with Facebook and discounts to paid Facebook events. The verification program, which was announced last July and launched in November, is designed to give more prominence to applications which meet Facebook's standard for user experience and security. Anyone can apply, but there is a $375 fee per year. Along with the "Great Apps" program, which currently includes just Causes and iLike, the verification program is another part of Facebook's efforts to improve the trustworthiness and reputation of applications on the Facebook Platform.
Bugs Hit Facebook Application Verification Program. Juan Carlos Perez, IDG News Service, Thursday, May 21, 2009 5:10 PM PDT. Facebook's Application Verification Program, controversial due to its concept of charging developers to have their applications certified as "trustworthy," has run into technical problems. Announced in November and launched on Wednesday, the program has system bugs that are preventing developers from reaping some benefits of having paid to have their applications reviewed and approved. In a thread on the official Facebook developer forum, developers who shelled out the US$375 review fee began reporting a variety of system problems on Wednesday. In that same thread, Facebook on Thursday afternoon acknowledged that at least three of the bugs reported exist and that the company is working to fix them. For example, the special green checkmark that denotes verified applications' special status isn't appearing in the Applications Directory search results. Consequently, without that special badge, the applications look no different from those posted by developers who didn't pay for the verification. In addition, some developers are reporting that they can't submit their applications for review because the link to do so doesn't work, another bug Facebook has acknowledged exists for some applications. Another bug Facebook has acknowledged is that the boost in user notifications and requests that verified applications get isn't always showing up in the developer's control panel stats.
Other developers complained in the thread that they couldn't find their applications at all, green checkmark or not, although this may be due to the way the Facebook algorithms work in displaying certain applications to certain people and not others. The program became instantly controversial when it was announced in November because critics said developers shouldn't have to pay to have their applications labeled "trustworthy." They argued that it should be up to Facebook to ensure that applications built for its site comply with this requirement. In response, Facebook has said that, in fact, all of the more than 52,000 applications on its platform must comply with requirements and policies that make them trustworthy. The Application Verification Program, which is optional, gives developers a chance to make their applications stand out by adopting an additional set of best practices for them regarding user experience and user communications, according to Facebook. Still, some Facebook developers remain unconvinced about the value of the program, and even more so now with the technical issues affecting it. "I will not pay to be approved. It's not worth the money. Any good application will do just fine without it," said Christopher Bourton, games developer and consultant at Lethos Designs in London, which has developed three Facebook applications and is building two more. Bourton, contacted via e-mail on Thursday, said he fears that the program will create "an elitist two-tier system" in which large developers that can pay the fee will get the benefits, while smaller developers with fewer resources will not be able to afford it. Applications approved through the system get the verified status for 12 months, after which developers must re-submit them for review and pay the $375 fee again.
Other developers are more positive about the program, like Tim O'Shaughnessy, CEO of LivingSocial, which has created about 10 applications for Facebook, including its very popular namesake and Visual Bookshelf. "The verification program is a nice way of allowing users to weed through the noise and know [that] if they're adding a [verified] application, there is a sense of trust behind that add," O'Shaughnessy said via e-mail. LivingSocial submitted Visual Bookshelf for verification and got it approved, but while the process was fairly simple and straightforward, it took Facebook longer than O'Shaughnessy expected to complete its review. "Now that the initial applicants have been verified, however, my guess is the process will be much shorter in the future," he said. For O'Shaughnessy, a big question regarding the value of the program is whether it will truly give Facebook users a sense of security towards verified applications. He also hopes that Facebook will continue to evolve the program. "As new Facebook features and functionality are made available, will the verification program keep up with new, relevant additions? This seems like a necessity in order for the program to have long-term value," he said. Gartner analyst Ray Valdes thinks that establishing the program was a good move by Facebook. "Facebook's value proposition is having a quality user experience and that includes the experience of applications," Valdes said in a phone interview. "As the number of applications has grown, the quality of the experience has decreased. This is part of their ongoing maintenance and cultivation of the user experience." IDC analyst Al Hilwa concurs that end users will benefit from having a set of applications that Facebook has certified as meeting special criteria for user experience and trust. "I think this is a welcome move to rein in what could potentially be a tiring process of finding well-behaved and trustworthy apps," he said via e-mail.
"Relying on market forces to sort out the wheat from the chaff may work in the long run and sounds good as an ideal, but with the velocity of business these days, and the ephemeral stickiness of online sites, it is maybe too late for a platform to be successful to wait for that process to settle down," Hilwa added. On Wednesday, Facebook launched the program with an initial set of 120 verified applications, but it expects developer interest to pick up considerably now that the program has been launched.
  • Transcript

    • 1. When web 2.0 sneezes, everyone gets sick. Stefan Tanase, Kaspersky Lab. 19th Virus Bulletin International Conference, September 25th 2009, Geneva, Switzerland
    • 2. Overview
        • What is web 2.0?
        • Social networking malware
            • General structure of a web 2.0 attack
            • Technical vulnerabilities, human factor
            • Koobface – the web 2.0 worm
        • Threats beyond classic malware
            • Big problems with short URLs
            • Malware inside the browser: XSS worms, 3rd party applications
            • From web 2.0 to mobile malware
            • Problems beyond malware (privacy, data leakage)
        • Targeted attacks become mainstream
        • Conclusions – what's next?
    • 3. Agenda
    • 4. Brawn GP
    • 5. Barack Obama
    • 6. The White House
    • 7. Connect with the Pope on Facebook. Really.
    • 8. Iran
    • 9. Web 2.0 – profitable business?
    • 10. Facebook population – bigger than USA?
    • 11. What Web 2.0 is? (word cloud: UGC, collaboration, flexibility, mobility, socializing, wiki, blog, AJAX, CSS, XML, RSS, tag, API, OMG, FTW, LOL, WEB 2.0)
    • 12. What Web 2.0 is? New attack vectors
    • 13. YouTube
    • 14. Digg
    • 15. Twitter
    • 16. LinkedIn
    • 17. Social networking malware
        • Total number of malicious software samples spreading through social networks
    • 18. Vulnerable systems: humans & machines
        • Technical factor
            • 0-day vulnerabilities
            • Lack of patches
            • Unlicensed software
        • Human factor
            • Social engineering
            • Curious and naïve users
            • Trust – a human "vulnerability"
    • 19. Technical vulnerabilities
        • Critical vulnerabilities in 2008
    • 20. Human vulnerabilities – Mac DNS Changer
    • 21. The real human vulnerability
    • 22. Human vulnerabilities – Kido
        • Human factor and Kido/Conficker
    • 23. General structure of a web 2.0 attack
    • 24. The web 2.0 worm (slide footer: 18 September 2009, Webstock 2009)
        • June 2009 – Explosive growth of Koobface modifications
            • The number of variants detected jumped from 324 at the end of May to almost 1000 by the end of June 2009
            • This sign of increased cybercriminal activity involving social networks in the past months proves that the strategies being used by the bad guys to infect users are much more efficient when adding the social context to the attacks
    • 25. The web 2.0 worm
    • 26. Koobface on the tweet
        • June 2009 – Koobface spreading through Twitter also
            • First discovered one year ago by Kaspersky Lab, Koobface was only targeting Facebook and MySpace users
            • Being constantly "improved", now spreading through more social networks: Facebook, MySpace, Hi5, Bebo, Tagged, Netlog and most recently… Twitter
    • 27. Koobface – social engineering at work
    • 28. Social networks: from ecstasy to agony
        • Web 2.0 malware: very similar to email worms
        • Infection success rate of malware:
            • 10% when spreading through social networks
            • only 1% when spreading through email
        • Social networking threats mean more than this
            • Social networks themselves are vulnerable
            • Social engineering is made easy with short URLs
            • Personal data leakage, privacy issues
            • Another risk: 3rd party applications
            • Social networks open doors to mobile malware
        • Targeted attacks
    • 29. Twitter: comeback of the XSS worm
        • XSS Worm:
    • 30. Twitter: comeback of the XSS worm
    • 31. Short URLs, big problems
        • June 2009 – URL shortening service Cli.gs gets hacked
            • The best thing about short URLs: there are so many!
            • Problems with short URLs:
                • Social engineering is easy
                • Questionable reliability
                • Implicit trust
            • Cli.gs gets hacked, no malicious intent – but what if?
            • Too many redirects hosted in the same place is not good news
    • 32. Social networking and privacy concerns
    • 33. Social engineering at its best
        • April 2009 – Twitter admin panel gets hacked
            • Public information posted to social networks by Twitter admin
            • Used by French hacker in social engineering attack
            • To answer Yahoo! Mail security question and reset the password
            • "Wow - my Yahoo mail account was just hacked."
            • "If anyone with Yahoo! Security is out there, hit me up with a reply"
    • 34. Third party applications
        • "Photo of the Day" application – Web 2.0 botnet
    • 35. Third party applications
        • Facebook certifies 1st batch of 120 verified apps
            • Announced in November 2008
            • Rolled out in May 2009
        • $375 fee for developers
            • Must be renewed each year
        • 52,000 applications in total
            • How many will get verified?
        • Several bugs were discovered
    • 36. From social networks to mobile malware
        • Trojan-SMS.J2ME.Konov
    • 37. From social networks to mobile malware
    • 38. From social networks to mobile malware: SMS messages to premium rate numbers
    • 39. Targeted attacks become mainstream
        • So much personal information becomes public on social networks nowadays
        • Advertisers are already doing it: targeted ads
            • Age, gender, location, interests, work field, browsing habits, relationships
        • Targeted ads? Targeted attacks are already happening
        • But social networks are enabling the cybercriminals to deliver bulk targeted attacks
        • The personal data is there. Next step? Automation.
            • Geographical IP location has been around for a while
            • Automatic language translation services are getting better and better
            • Personal interests & tastes are public (i.e. trending topics)
    • 40. That's it?
    • 41. What's next?
        • The number and complexity of threats that exploit web 2.0 will continue to grow
        • Social networks will open up new ways for bulk targeted attacks against individuals
            • Localized, contextualized, personalized
        • It will be very hard for social networks to do better: unfortunately, their business means usability, not security
        • Be careful out there!
    • 42. Thank you! Questions? Stefan Tanase – Kaspersky Lab. 19th Virus Bulletin International Conference, Geneva, Switzerland – September 25th, 2009. stefant@kaspersky.ro, twitter.com/stefant
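The XSS worm note and slides 29-30 describe markup planted in one profile field executing in every visitor's browser, with some variants reading the session cookie. The following is an added example (not code from the talk or from Twitter) that shows the vulnerable rendering pattern beside the hardened one and the cookie attribute that blunts the cookie-stealing variants; the profile fields, function names and sample values are constructed assumptions.

```javascript
// Added example: stored XSS through an unfiltered profile field, and the
// server-side controls that stop it. Assumes profile fields are inserted
// into HTML by string templating (constructed scenario, not Twitter's code).

const ESCAPE = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode for the HTML text and double-quoted attribute contexts.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ESCAPE[c]);
}

// A URL that lands in href= needs more than escaping: the scheme must be
// allow-listed, otherwise a javascript: URL still executes on click.
function safeHref(value) {
  try {
    const u = new URL(String(value));
    if (u.protocol !== 'http:' && u.protocol !== 'https:') return '#';
    return escapeHtml(u.href);
  } catch (e) {
    return '#';
  }
}

// Vulnerable: bio and website go into the markup as stored, so whatever one
// user saved runs in the browser of everyone who views the profile.
function renderProfileUnsafe(profile) {
  return `<a href="${profile.website}">${profile.name}</a>` +
         `<div class="bio">${profile.bio}</div>`;
}

// Hardened: every untrusted value is encoded for the context it lands in.
function renderProfileSafe(profile) {
  return `<a href="${safeHref(profile.website)}">${escapeHtml(profile.name)}</a>` +
         `<div class="bio">${escapeHtml(profile.bio)}</div>`;
}

// HttpOnly keeps document.cookie from exposing the session id: injected
// script can still act inside the page, but cannot exfiltrate the session.
function sessionCookie(sessionId) {
  return `sid=${encodeURIComponent(sessionId)}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

// Constructed sample profile: a script tag in the bio and a javascript: URL
// in the website field, the two inputs the safe renderer must neutralise.
const SAMPLE_PROFILE = {
  name: 'alice',
  website: 'javascript:alert(1)',
  bio: 'hi <script>alert(1)</script>',
};

module.exports = { escapeHtml, safeHref, renderProfileUnsafe, renderProfileSafe, sessionCookie, SAMPLE_PROFILE };
```

The unsafe renderer emits the script tag verbatim; the safe one turns it into inert text and replaces the javascript: link with a harmless anchor.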
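The "Photo of the Day" note and slide 34 describe an application that embeds hidden frames with inline images hosted at the victim, so each user's click pulls 600 KB from the victim without ever seeing it. The following is an added example (not from the talk or the ICS paper) of how the victim's operators could spot that pattern in their own access log: the same large resource fetched by many distinct client addresses with a Referer from a single third-party host. The log format, host names, thresholds and sample lines are constructed assumptions.

```javascript
// Added example: victim-side detection of hot-linked resources pulled by a
// third-party app from many users. Assumes combined-format access logs and
// that ownHost is the victim's own site; thresholds are illustrative.

const LOG_RE = /^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-) "([^"]*)" "[^"]*"$/;

function parseLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  return { ip: m[1], method: m[2], path: m[3], status: Number(m[4]),
           bytes: m[5] === '-' ? 0 : Number(m[5]), referer: m[6] };
}

function refererHost(ref) {
  try { return new URL(ref).host; } catch (e) { return ''; }
}

// Group GETs by (referer host, path) for referers outside ownHost and flag
// groups served to at least minIps distinct clients and minBytes in total.
function findHotlinkAbuse(lines, ownHost, opts = {}) {
  const { minIps = 3, minBytes = 1024 * 1024 } = opts;
  const groups = new Map();
  for (const line of lines) {
    const r = parseLine(line);
    if (!r || r.method !== 'GET') continue;
    const host = refererHost(r.referer);
    if (!host || host === ownHost) continue; // direct or same-site: normal
    const key = `${host} ${r.path}`;
    const g = groups.get(key) || { refererHost: host, path: r.path, hits: 0, bytes: 0, ips: new Set() };
    g.hits += 1;
    g.bytes += r.bytes;
    g.ips.add(r.ip);
    groups.set(key, g);
  }
  const alerts = [];
  for (const g of groups.values()) {
    if (g.ips.size >= minIps && g.bytes >= minBytes) {
      alerts.push({ refererHost: g.refererHost, path: g.path, hits: g.hits,
                    bytes: g.bytes, distinctIps: g.ips.size });
    }
  }
  return alerts.sort((a, b) => b.bytes - a.bytes);
}

// Constructed sample log: four hidden inline images of ~600 KB each, fetched
// by four different app users, plus ordinary same-site and direct traffic.
function sampleLog() {
  const lines = [];
  const ips = ['203.0.113.5', '203.0.113.6', '198.51.100.7', '192.0.2.8'];
  for (const ip of ips) {
    for (let i = 1; i <= 4; i++) {
      lines.push(`${ip} - - [20/Sep/2009:10:00:0${i} +0000] "GET /gallery/big${i}.jpg HTTP/1.1" 200 614400 "http://apps.example.invalid/photo-of-the-day/" "Mozilla/5.0"`);
    }
  }
  lines.push('192.0.2.9 - - [20/Sep/2009:10:01:00 +0000] "GET /gallery/big1.jpg HTTP/1.1" 200 614400 "http://victim.example/gallery/" "Mozilla/5.0"');
  lines.push('192.0.2.9 - - [20/Sep/2009:10:01:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"');
  return lines;
}

module.exports = { parseLine, refererHost, findHotlinkAbuse, sampleLog };
```

On the sample log the four image paths are reported under the app's host, while the same-site visitor and the direct hit are ignored; in production the referer host of an alert is what you would rate-limit or serve a placeholder to.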