Sister CISA CISSP » IT Security

Studying Google and Twitter for Malware

Arian Eigen Heald — Tue, 03 Aug 2010 16:54:11 +0000

The folks from Barracuda Labs have issued a midyear report with some riveting data about the connection between Twitter and Google as venues for malware. You can see the summary and download the report here.

It was fascinating reading their assessment of search engine malware as well as Twitter use and crime rate.

Did you know that only 28.87 percent of Twitter users are actual Twitter users? The rest appear to be categories of Twitter “users” that are actually IDs for business, fan clubs,political and social announcements. The higher the tweets, w/friends and followers, the higher the likelihood of scammers. (This being a very loose interpretation on my part. You should really read the report.)

Where do Twitter and Google tie together? Google acquires Tweets on average of 1.2 days, while the other search engines do not capture the Tweets until an average of four days.

So a bad guy using Twitter to “announce” his malware delivery website (freewaresoft.info, for example) will see his tweet appear on Google much more quickly that any other search engine.

Unsurprisingly, Google provides 69% of malware infected websites in search results.

(It was enough to make me change my default search engine.)

The bad guys are constantly changing their terms to meet the top search engine terms. They even use search engine ranking and optimization.

Another reason (as if we needed one) for controlling social networking in the workplace.

The Chinese Hack, Nasty Exploit & What You Can Do

Arian Eigen Heald — Thu, 21 Jan 2010 17:36:22 +0000

I’m sure you’ve heard about the Chinese hack into Google, and there’s some interesting goings-on behind the scenes to identify and fix the hack, deemed “very sophisticated.” It’s even been given a name: “Aurora.” Not only Google has been hit, but Juniper, Adobe and some other 29 firms.

Microsoft has been active in this issue, releasing an advisory, an out-of-cycle patch, and frequent updating of their security blogs, and this blog link has a patch to make sure DEP (Data Execution Prevention) is enabled on your system.

Information about this issue is still see-sawing back and forth as further data is released to the public. It definitely involves all versions of Internet Explorer, but especially IE6. If you’re still running this on your systems, change it now. Microsoft has specifically reported that IE6 was used in the target attacks.

Adventures in Auditing #3, or “Why Do you Need to See That?”

Arian Eigen Heald — Fri, 24 Jul 2009 15:26:35 +0000

It always pains me when I get this question from a client’s IT staff. It usually means that auditing has never penetrated to that level, and people are used to doing pretty much what they please around the network. It usually goes with:

“This is a development shop. Those are not production servers or databases – so why are you asking to see users, patching, inventory, etc????”

These are the kinds of questions that will keep me employed as a successful penetration tester AND a digital forensics analyst. When I’m dead someone will prop me up to keep going.

A development environment is EXACTLY where a penetration tester goes first for exactly this reason. When you don’t know what’s running on your network, you don’t know who is on your network.

If it’s on your network, the company is responsible. Legally responsible. And that question will not hold up in court.

It’s a great version of the “sniff test:” Imagine saying it on the witness stand to a judge.