CounterMeasures - A Security Blog � Twitter

You can’t fight the power, but the power has shifted.

Rik Ferguson — Fri, 20 Jan 2012 11:04:35 +0000

One of the largest file sharing services on the Internet was shut down yesterday in US legal action. The site is charged with violation of copyright laws. The indictment (now available on scribd) charges seven individuals with online piracy, four of whom have already been arrested in New Zealand. This 72 page document also details the estimated cost to copyright holders at more than $500 million USD, while themselves allegedly earning $175 million in advertising revenue. The maximum penalty for the offenders could total 50 years of jail time.

Search warrants were executed in nine countries and 18 domain names, including mega-upload.com, were seized along with associated servers.

This indictment, unsealed right in the middle of impassioned debate over SOPA and PIPA quickly aroused the wrath of the Internet community, particularly Anonymous who have been exhorting their supporters to participate in Distributed Denial of Service attacks against US government web sites including the Dept of Justice, the FBI, the Copy right Office and the RIAA and MPAA, who were successfully taken offline as a result.

Anonymous supporters have been using the Low Orbit Ion Cannon (previously detailed here) as well as a new technique of embedded JavaScript. Several web pages have been loaded with JavaScript and the simple act of rendering that page in a web browser will in most cases recruit the browsing computer to the DDoS attack. The attacks have attracted a high level of participation and public sympathy and quickly became a trending topic on Twitter under the #OpMegaupload hashtag.

Akamai’s Real-time Web Monitor is currently showing attack traffic online at more than 24% above normal, giving some idea of the scope and geographic spread of public sympathy.

Whatever your views on online file sharing, there is no denying that this is an issue urgently in need of a solution. Consumers, artists and corporations seem to have devised workable methods in the music industry. A return to the generation of income through live performance has reinvigorated the music scene in many countries and cites. Artists have harnessed the power of the Internet for a direct sales model that bypasses the increasingly archaic music industry and online music stores have evolved to facilitate this, with the participation of the corporations, providing music at reasonable cost. It could even be argued that the new iTunes Match service represents the capitulation of the music industry to the new reality of illegal downloads. This model is beginning to be repeated in the printed world too.

In the early 1900′s music publishers decried the arrival of the “player piano” as a threat to their way of life, when I was a kid, every record bore the legend “Home taping is killing music“, Hollywood was scared to death at the advent of the VCR…

The simple truth is, technology ever advances and with it come new opportunities. Many consumers are taking advantage of those opportunities to access copyrighted material quickly, easily and cheaply (or for free). It is only by facilitating that behaviour backed by a forward-looking business model that the traditional industry can hope to survive into the future.

It’s true that you can’t fight the power, but the power has shifted.

Egypt: The Plague of Darkness

Rik Ferguson — Fri, 28 Jan 2011 09:16:54 +0000

“Everyone has the right to freedom of opinion and expression; this right includes freedom to hold opinions without interference and to seek, receive and impart information and ideas through any media and regardless of frontiers.” – Universal Declaration of Human Rights 1948 – Article 19

Credit: Arbor Networks

At approximately 10:30 UTC last night, the internet in Egypt began to go dark. Many of the major ISPs have disappeared completely from the internet including LINKdotNET, Raya Telecom, Internet Egypt, Vodafone Egypt and IDSC. Most of the remaining service providers also have significantly less connectivity than at this time yesterday. The only ISP who currently appears unaffected is Noor Data Networks who remain resolutely 100% available. This is the provider used by the Egyptian Stock Exchange. The availability of this network and normal connectivity to the rest of the geographic region demonstrates that this is not a cut cable or other physical outage.

Even the National Telecoms Regulatory Agency is currently unreachable as are most major news outlets, schools, businesses and official and unofficial information sources. SANS are reporting that external access to resolve any address in the .eg domain is inaccesible. From my own tests, the top-level domain server at the Egyptian Universities Network cannot be resolved over DNS and does not respond to communications over TCP/IP, illustrating the effectiveness of this total shutdown using both Domain Name System (DNS) and Border Gateway Protocol (BGP) approaches. DNS is the protocol used to translate human readable wed addresses into numeric IP addresses and BGP is the protocol that Internet Service Providers use to advertise the IP addresses for which they are responsible.

This sudden severing of internet connectivity appears to have all occurred at a similar time and the assumption must be that it is a part of officially sanctioned tactics to attempt to contain the growing political unrest in the country. The crackdown first started with the censoring of social network in the country but as Iran learned, determined people quickly find ways around this with help from the outside world.

If indeed this action is officially directed then it would seem that the regime in Egypt has learned lessons from the Iranian attempts to censor communications there last year and taken even more drastic measures. This action is unprecedented in internet history.

Currently Egypt is effectively isolated from the internet and anecdotal reports are that similar action has been taken against mobile phone networks disrupting telephone and text communications.

Appeals are being made for amateur radio enthusiasts to lend their support in giving a means of communication with the outside world back to the Egyptian population.

Son of God at risk from social networking

Rik Ferguson — Fri, 17 Dec 2010 16:18:04 +0000

A good friend of mine sent me a link to a really great viral video entitled “The Digital Story of Nativity (or Christmas 2.0)” and it set us wondering if Christmas would ever have survived in the socially networked world of today. Have a watch for yourself…

Suddenly the three wise men don’t look so wise, and even though Joseph was a humble carpenter, there are a few basic rules he could benefit from when it comes to sharing information online. Such a liberal and open use of social media could have halted the development of a world religion in its tracks and Christmas may never have come to be.

What the blazes am I talking about?

It is never a good idea to use an unprotected social network profile to post information regarding your whereabouts, particularly if that post betrays the fact that you are not at home. “Travelling with Mary to Bethlehem for the census” is enough to let anybody know that there is a whole load of unattended carpentry equipment up for grabs in Nazareth, particularly once the expectant couple have used foursquare to check in and shared it on their facebook profiles.

Not content with endangering his own livelihood Joseph goes on to endanger the safety and privacy of his family, I can only think that he must have been overcome with excitement at the imminent miracle. When Joseph creates his facebook “Meet the baby” event he doesn’t use any of the options to make it private, or to restrict the visibility and we all know what happens when facebook parties attack. Not only that but it looks like his facebook profile must be wide open too, simply by judging how many ‘likes’ his post announcing the birth got…

It seems Joseph may have been lucky though, as only three strangers showed up for the birth, and they even had the decency to show up bearing gifts. Unfortunately they do their own damage to the safety and privacy of the proud new family by sharing their travel plans on twitter and foursquare themselves.

This post takes a humorous look at a very serious subject, always take care how much information you share in public, make sure you use the privacy options available to you and, especially during this holiday period, make sure you don’t expose yourself to unnecessary risk with an ill-considered post.

After all, I hear Herod was also a keen social networker…

Safer Social Networking

Rik Ferguson — Thu, 02 Sep 2010 11:12:28 +0000

I was asked recently for a few tips on how to look after yourself online, particularly with regard to social networking. I know many of the people who read this blog are regular users of Facebook & Twitter, so I wanted to share those tips here. It’s by no means an exhaustive list and I didn’t quite make to the catchy “10 top tips” but hopefully there are a few things here that you may not have previously considered.

Image from Philo Nordlund's Flickr stream under creative commons

1 – Familiarise yourself with both the privacy settings and the security policy of any social and professional networking sites you use. If you’re not happy with them, stop using the site.

2 – When you create your profile consider each piece of information that you share and whether if it is necessary or even relevant to that site. Do you need to share telephone numbers for example, maybe if your mail or direct messages come direct to your phone that is enough. Think practically don’t complete a form just because it is in front of you.

3 – When you share content, chat, mail or comment on other people’s posts or profiles never consider your communication to be personal or private. Even if you have made full use of the privacy settings available to you, you cannot be sure your content won’t be copy/pasted, downloaded or otherwise shared more widely without your knowledge.

4 – Most sites offer a means to reset your password should you forget it. This is also one of the most common ways to break into an account. If you are asked to provide answers to “Security questions” consider whether the answers are really secure. Secure means that you are the only person who can answer the question. If the possibility exists to create your own questions, use it. If you are obliged to answer more standard questions such as “First school”or “First pet” remember the answer doesn’t have to be the truth, it only has to be something you can remember.

5 – Do not use a single password for multiple different sites, that way if one is compromised you don’t have to worry about the others. Create complex passwords using upper and lower case letters, numbers and special characters such as $%&!. Devise a way to differentiate your password for each site you use, for example putting the first and last letters of the web site name at the beginning and end of your complex password. (Tip: the character £ does not feature in some automated tools for brute forcing passwords so it can be a good one to use. To get that character on a non UK keyboard, hold down the Alt key and tap 0163).

6 – If you receive a friend request from someone you don’t know or recognise, contact them directly before you make the decision to add them to your circle of trust. Ask how they know you, and check they are legitimate. It’s not only your own privacy you are protecting, it’s also that of all your friends.

7 – Consider sorting your friends into groups, in many cases this will allow you to share specific content with specific groups only.

8 – Try to minimise the number of third party apps and services that you install or allow to access your account, learn how to remove or disallow them and get rid of any that you no longer use. Don’t forget even on Twitter once you authorise a service to access your account, that permission remains unless you manually remove it and it also persists through password changes.

9 – Don’t click links in messages or wall posts, even links sent to you by friends without checking first if the person intended to send it to you. The few moments it takes to check could save you from falling for a phishing scam or worse, infecting your computer. You could also be doing your friend a favour if you are letting them know their account is compromised and sending out links.

New malicious Twitter spam

Rik Ferguson — Tue, 15 Jun 2010 14:36:25 +0000

Just a couple of hours ago I started getting some very shady looking tweets like the below.

Malicious Tweet

The link in the post is abbreviated, but leads on to a site hosting some obfuscated JavaScript.



If this JavaScript is executed by the browser an unpleasant payload is delivered to the victim. So far we have seen both malicious PDF documents and executable files. These Trojans attempt to connect to additional locations to download further malware. TrendLabs are currently investigating, watch the blog for updates.

This latest Twitter malspam follows hot on the heels of the Gaza and FIFA spam run earlier this month.

Be careful where you click and make sure your security software is blocking those evil links.

GORDON’S ALIVE?! Tory online campaign fail.

Rik Ferguson — Mon, 22 Mar 2010 17:11:05 +0000

The Conservative party this weekend unveiled a social media marketing campaign aimed at embarassing the Labour Party. The plan has backfired quite spectacularly…

The “Cash Gordon” web site was highly dynamic and tied in with many popular social networking sites and tools. It capitalised on user generated content and relied on organic sharing and interaction. In a blog post on the Conservative home page Samuel Coates said

“Once users have connected to the Cash-Gordon campaign, they can start accruing “action points” for reading briefings about the issue, getting their friends involved, donating, or even for directly asking Charlie Whelan a question.”

However today it’s the Conservatives that have been left with red faces, after a web site configuration error (or maybe just a lack of planning) saw the site abused to the point of being taken offline.

The Cash Gordon website was set up to collect any message posted on Twitter that contained the hashtag #cashgordon and republish it in a live stream in a widget on the home page of Cash Gordon.

Obviously this was duly noted and passed around. It was soon discovered that if you tweeted HTML or JavaScript instead of standard messages, this content would be interpreted and rendered by the visitor’s browser as legitimate part of the Cash Gordon site, allowing pranksters to redirect visitors to any site of the miscreant’s choosing.

The screen shot below shows the steady stream of tweets that ensured that visitors to the web site were constantly redirected to many different, sometimes salacious, destinations.

Tweets containing JavaScript and #cashgordon hashtag

This isn’t all fun and games though, configuration oversights can lead to serious harm. This latest in a line of social media marketing related fails is a salutary warning not to underestimate the technical know-how of the world wide audience you are inviting.

In reality this poor configuration could have posed a serious risk to the Tory party’s own supporters as well as any other curious visitor. Those responsible for the page should have been filtering incoming Tweets or simply sanitising the code before it was reposted. This could just as easily been used as a means to infect visitors by redirecting them to malicious web sites.

Polticians and scum-sucking pigs make uncomfortable bedfellows

Rik Ferguson — Tue, 16 Feb 2010 11:27:05 +0000

In yet another example of the potential pitfalls of social networking in the workplace, a British MP for Telford and party whip is today at the centre of a storm over an offensive post on the micro-blogging site Twitter.

MP David Wright tweets

Yesterday evening, the Twitter account of MP David Wright posted the message

“#ivenevervotedtory because you can put lipstick on a scum-sucking pig, but it’s still a scum-sucking pig.”

The tweet was joining in with the Twitter meme responding to the latest Tory poster campaign which features the tag line “I have never voted Tory before but…”. However the turn of phrase has hit a raw nerve among many Twitter users, prompting the MP to delete the offensive tweet and apologise.

TrippyPip talks to David Wright MP

Out of interest, in response to the question above “Do you *really* think it’s acceptable to call people ‘scum-sucking pigs”???” The MP responded as in the next image:

MP David Wright tweets

The story doesn’t end there though.. David Wright MP has said that he actually posted the comment as “#ivenevervotedtory because you can put lipstick on a pig, but it’s still a pig.” (in a kind of homage to Barack Obama use of the phrase during his election campaign) but that his message was subsequently “tinkered with” and the extra words added. Mr Wright told the BBC that this was a legitimate “edgy Twitter comment about the political process” and the Tories’ “general policy position“.

I’ll be very interested to see how this story ends, because currently neither the Twitter interface or any of the third-party Twitter clients have any kind of functionality that allows the editing of Tweets once they have been posted. So for these words to have been mischievously added by persons unknown must mean a quite substantial security failure at Twitter themselves. Either that or Mr. Wright just forgot what he actually typed.

Twitter.Grader.com hacked?

Rik Ferguson — Thu, 11 Feb 2010 20:07:29 +0000

Twitter Grader home page

UPDATE: You will see in the comments on this post an update from HubSpot with a link to their blog explaining the incident, I know a lot of folks don’t read the comments, so here it is in full.

“We are very sorry for the mistake. It is completely our fault. As your article mentions, we have contained the situation and stopped the malicious tweets.

We do want to make clear that by design, the HubSpot software applications are on different servers and systems from our free Grader.com tools. This attack did NOT affect the HubSpot software used by our 2,100 customers. Again, there is no impact on our paid product or paying customers.

We have posted an article on our company blog with more information:

http://www.hubspot.com/blog/bid/5594/One-Lesson-From-The-Twitter-Grader-Screw-up-OAuth-Rocks

- Mike Volpe
HubSpot (makers of Twitter Grader)”

…and that, ladies and gents, is an object lesson in how to deal with an event like this. Much respect to HubSpot.

__________________________________________________________________________________________

In what looks like another compromise related to Twitter services, a large number of Twitter users who have granted access to their accounts to the web service Twitter.Grader.com have all begun tweeting a bizarre and unauthorised message.

: Example of affected accounts (search by Twitscoop)

Fortunately the link that has been endlessly tweeted by grader users does not appear to host any malicious content. It points to a blog with an embedded YouTube video of Biz Stone back in 2006 promoting Twitter.

The domain name of the destination site however might give us a clue to the motivation behind the attack. Seonix presumably refers to Search Engine Optimisation and perhaps that is the real purpose of this attack. Forcing large numbers of Twitter users to tweet a link to the site may well be an effective method of pushing it up the search engine rankings. The domain seonix.org was created on the 11th February 2010 and the details of the owner have been anonymised.

Embarassingly the victims of this attack also include Dharmesh Shah, the founder of Grader

: Dharmesh Shah on Twitter

UPDATE: Hubspot, the parent company have tweeted that they are aware of the hack and working on a solution. In the meantime, if you are a Grader user, you may want to consider temporarily revoking Access to Grader in your Twitter profile via Settings -> Connections.

Twitter (not) hacked by Iranian Cyber Army

Rik Ferguson — Fri, 18 Dec 2009 09:03:37 +0000

UPDATE: I was asked to talk to Channel 4 news in the UK about this incident this evening and they have been good enough to share the full content of my interview and a subsequent interview on the same subject with Tim Stevens from King’s College London.

_________________________________________________________________________________________

Original post:

Banner from hacked site

At about 6am GMT Twitter fell victim to a DNS hijacking attack by a group calling itself the “Iranian Cyber Army” (I wonder if they noticed the CIA irony)? The site was affected for the best part of an hour.

Full hacked page

The initial attack has left many users confused and widespread belief that the Twitter servers themselves were compromised. This does not appear to have been the case. The latest update on the Twitter blog says

“As we tweeted a bit ago, Twitter’s DNS records were temporarily compromised tonight but have now been fixed. As some noticed, Twitter.com was redirected for a while but API and platform applications were working. We will update with more information and details once we’ve investigated more fully.”

This kind of DNS hijacking usually involves compromising the registrar responsible for the DNS records of the victim company, the attackers then make unauthorised changes to the DNS records. These changes mean that when you or I type a web site address into our browsers, we are directed not to the real web site but to a second site, set up by the hackers, in this case the “Iranian Cyber Army”. This has the net effect of making it look like, in this example, servers belonging to Twitter were compromised when in reality that was not the case.

These sorts of attacks are usually limited to hacktivism activities like this one today, but imagine the potential to criminals if they could pull this off against any site requiring log in credentials, such as PayPal, eBay, MSN, Facebook. One has to wonder how quickly the attack would be noted if the dummy site was an exact replica of the victim and was simply there to harvest credentials and redirect the user then into the real site. This attack is called Pharming and currently mostly happens as a result of local malware modifying individual PCs, not through the compromise of global DNS records, but the potential is demonstrably there. Companies should be monitoring their DNS resolution on several servers to become aware as early as possible when this kind of attack takes place.

Twitter was not the only web site affected by thsi compromise, a quick search revealed one other site displaying the same content.

Google search result

When it comes to attacking high profile targets it can often be that the registrar is the chink in the security armour. In fact Zone-H, the defacement archive, has previously noted that registrars have been “one of the main aims of the past months“.

If attacks like this can be said to serve any purpose at all, then perhaps they can serve as a reminder that we all need to absolutely ensure that our business partners meet our own high security standards, and that stands in both the on and offline worlds.

2010 – Year of the Zombie Cloud?

Rik Ferguson — Tue, 15 Dec 2009 10:10:26 +0000

How to Survive a Zombie Attack, by Acey Duecy

2009 has been a notable year for malware and malicious online activity for a number of reasons and several of them relate to what is known as botnets. A zombie, or a bot, is a PC infected by malware that brings it under the remote control of a criminal. Criminals run networks that can range from thousands to millions of infected machines and they use them to power most of the cybercrime we see today including spam, DDoS, scareware, phishing, and malicious or illegal website hosting. They have a finger in every cybercriminal pie.

In the first half of the year, the Conficker worm (also known as Downadup or Kido) stole all the headlines in the malware world. Eventually the Conficker botnet was seen to deliver standard cybercriminal payloads, such as spambots and Fake AV (or scareware), much to the disappointment of some of the more hysterical commentators. Just because the outbreak received so much coverage that died away just as rapidly, don’t be fooled into thinking this threat has gone away. The Conficker Working Group, an alliance of security vendors, researchers and other commercial organisations is currently showing around 6 million unique IP addresses as appearing to be infected with this malware.

An unrelated, but important trend in 2009 was the exponential increase in the abuse of social networking providers for malicious purposes. The enormous active user populations on sites like Facebook, Twitter and MySpace prove a very attractive lure to organised online crime and its attendant money-making, bot recruitment and Fake AV pushing scams. Facebook has been abused by rogue Apps, designed to fool users into clicking links that reward the creator through pay-per-click affiliate advertising networks. It has also been used to spread malware through many means; malicious links in wall posts and messages, malware designed specifically to hijack accounts and by external compromise of legitimate Facebook Apps. The Koobface family of malware (also a botnet) has evolved over the course of 2009; it was initially spread through malicious messages and wall posts with links to fake YouTube sites punting a supposed codec in order to view the video. The codec of course was nothing of the sort and led to infection and account hijacking. Koobface now though has evolved to the point where it is fully capable of creating its own fake Facebook profile pages, complete with confirmed Gmail address, photo and biographical data. These fake accounts then set about joining networks and sending friend requests again all in a completely automated fashion.

Here’s where it gets interesting, in addition to spamming and malware, web 2.0 sites have been abused in new and concerning ways over the course of 2009. Twitter and Google Reader have been used as the landing page in spam campaigns, to attempt to overcome URL filtering in email messages. In recent months Twitter, Facebook, Pastebin, Google Groups and a Google AppEngine have all been used as surrogate Command & Control servers for botnets, and just last week it was reported that a Zeus botnet was leveraging compromised servers inside Amazon’s EC2 cloud for command and contro. These public forums have been configured to issue obfuscated commands to globally distributed botnets, these commands often contain further URLs which the bot then accesses to download commands or components.

The attraction with these sites and services lies in the fact that they offer a public, open, scalable, highly-available and relatively anonymous means of maintaining a command and control infrastructure, which at the same time further reduces the chance of detection by traditional technologies. Whilst network content inspection solutions could reasonably be expected to pick up on compromised endpoints that are communicating with known-bad sites (command & control servers), or over suspicious or unwanted channels such as IRC; it has been historically safe to assume that a PC making a standard HTTP GET request, over port 80 to a content provider such as Facebook, Google or Twitter, even several times every day, is as acting entirely normally. However, as botnet owners and criminal outfits seek to further dissipate their command and control infrastructure and blend into the general white noise of the internet, that is no longer the case.

It is no coincidence that much the innovation in 2009 has been around command & control systems for botnets. The vast majority of old-school IRC controlled botnets are shut down within 24 hours and peer-to-peer bots often leave visible signatures too, leading to their neutralisation at machine level. One factor of web 2.0 botnet controls that I would expect cybercriminals to be currently evaluating is the single point of failure represented by relying on a single provider such as Facebook or Google–shut down the malicious Facebook page and you disable the botnet. Botnet creators have invested significant amounts of time and code in distributing their management infrastructure, in fast-flux and in peer-to-peer protocols. We can fully expect them to carry these lessons learned into the newer “cloud-enabled” botnet. It is entirely possible that the capability of the latest Koobface variant to create multiple automated profiles could be leveraged to mitigate against the single point of failure inherent in using a single Facebook or Twitter profile as a covert channel.

When it comes to botnets it would be really nice to be able to say “it’s getting better”. It’s not. More and more computers are being infected, and they are staying infected for longer.