Category Archives: Facebook

Support scams: what can AVIEN do about it?

In the wake of a blog I posted today at ESET, on my perennial warhorse of support scams and cold-calling, I’ve been talking to Martijn Grooten of Virus Bulletin and Steve Burn, both of whom contributed to that article. While we and other people in the industry hack away from time to time at this unpleasant but undramatic variety of fraud, the telephonic equivalent of fake AV, it doesn’t seem to have much impact on the hydra-headed scammer networks of Kolkata and New Delhi. How, we wondered, can we make more headway?

It would be nice to think that people who read those occasional articles from security bloggers get some educational value out of them, that’s a tiny number compared to the potentially exploitable Facebook users, for example, who might be tricked into endorsing a scammer’s FB page. In fact, it’s even worse than that, in that readers of security blogs are generally aware enough not to fall so easily for scams: many people comment on my ESET blogs on the topic, but most of them aren’t themselves victims.

While there’s occasionally a little more movement when the media like the Guardian, or the Register, or SC Magazine picks up the theme (as they all have), they’ll only do that now and again, and only when there’s a particularly dramatic or emotional story to hang it on.

Law enforcement doesn’t seem to be making much of an impact either. And that’s understandable: like the 419 gangs, the scammers are a volatile and scattered target, individual victims tend to lose fairly small sums even compared to some of the big 419 scores, and that lessens the interest from law enforcement in general, even assuming that cooperation betweenthe countries targeted by the scammers (US, UK, Australia, New Zealand, and to a lesser extent parts of Europe and limited regions in the Far East) and the regions of India that seem to be spawning this type of activity. Agencies might, I suspect, be more interested if the security people who work with them directly on other issues such as botnets and phishing were themselves more interested. But while there are quite a few security-oriented individuals who’d like to see more action, I’m not sure how much of a concentrated effort we can get out of the security industry, because the PR value doesn’t really translate directly into product sales.

Again like 419 scams, people are interested in reporting incidents close to home, but as the Met’s own fraudalert page suggests (http://www.met.police.uk/fraudalert/reporting_fraud.htm) there’s no clear single mechanism and precious little feedback. I’m wondering whether it might be worth trying to establish a central information resource and building on that in some or all these directions, with an initial focus on education. If so, perhaps AVIEN would be a suitable venue, since it has a lot of people with security expertise but is essentially vendor neutral, even though many AV companies still participate, or at least subscribe to our mailing lists.

I’d kind of like to put more of a focused effort into fighting this, but it isn’t something I can do all by myself. What do the AVIEN members out there think?

David Harley CITP FBCS CISSP
Small Blue-Green World/AVIEN
ESET Senior Research Fellow

VB Seminar 2010

I spoke at the VB 2010 Seminar in London on ways that Social Engineering can affect your business’ users.

During the talk, I used some links for demos (many thanks to my good friend Dave Marcus for originally showing me a few of these). For those that are interested, here are the links:

 

Andrew Lee
AVIEN CEO

You can’t always read Facebook on a train

When I saw an MSN article headed Facebook friendships ‘not real’, I was expecting something about lack of validation of Facebookers’ identities. Which is indeed an issue, though not a new one. “On the Internet, nobody knows you’re a dog.” Or, indeed, a wolf in sheep’s clothing.

But no… All this time we’ve been making a fuss about the lack of security and privacy on social network sites, it seems that we’ve been getting it wrong. The problem isn’t security at all.

According to a recent survey, most of us see our friends much more on Facebook than we do in person. Apparently, this becomes truer as you move up the age range. Well, I guess you have to meet your friends in order to get smashed with them.

Anna Richardson, described by MSN as a “Channel 4 presenter and relationship expert” apparently commented:

A Facebook friendship is a poor substitute for actually meeting up with a friend as you miss out on the personal engagement and real connection that you need to build a strong friendship.

It is difficult to make time for friends when juggling busy lives, but without making the effort, there’s a danger that precious friendships are becoming lost in the digital era.

Her advice is to log onto http://www.railcards.co.uk/, buy a railcard and… oh, wait a minute. You can apparently get taxis, finance, holidays, accommodation, broadband, car insurance and many other things at railcards.co.uk, but not railcards. I guess she (or more probably MSN – nice proofing, guys…) meant http://www.railcard.co.uk/, which offers a range of discounted passes for rail travel in the UK. OK, so I should login and buy a railcard (yes, Ken, I am eligible for a Senior Railcard: don’t rub it in…) at www.railcard.co.uk… oh, wait another minute. Isn’t that who commissioned the survey? Well there’s a coincidence….

So I get my railcard and wander down to the station, and get on a train at a reduced rate, and go and see my Facebook friends.

“I’d like a ticket please, to Western Australia, Pennsylvania, Bratislava, Florida, San Diego, the Philippines, Helsinki, Reykjavik, Chennai…”

David Harley FBCS CITP CISSP
Security Author/Consultant at Small Blue-Green World
Chief Operations Officer, AVIEN
ESET Research Fellow & Director of Malware Intelligence

Also blogging at:
https://avien.net/blog
http://www.eset.com/threat-center/blog
http://smallbluegreenblog.wordpress.com/
http://blogs.securiteam.com
http://blog.isc2.org/
http://dharley.wordpress.com
http://macvirus.com

With all the Buzz, some education is in order

So, the not very surprising news that Google has once again attempted to launch a social networking site – following its spectacularly unsuccessful 2004 launch of Orkut (no, unless you live in Brazil or India, you won’t have heard much about it either).

The new network, called “Buzz” integrates directly into the Gmail email client. To me this just opens up lots of new ways to exploit the users – although if you are using Gmail to do anything private or confidential, you already do need to have a brain check (more-so now the NSA will be ‘helping’ to secure it). It looks like Google want some of the big dollars that Facebook and Twitter make – and of course everything will be searchable and exploitable for ad companies to target.

All the fuss around social networking has  really highlighted to me the need for good security education – we’ve moved into a new world, one where children are growing up with social networking and mobile phones etc as an integral part of life. I can’t imagine how my parents ever managed without being able to contact me by phone, or being able to look up my status on Facebook, but somehow they did. Parents have a different problem today, one of how to preserve the privacy of their families and children while taking advantage of what these new technologies offer. The sad fact is that in many cases, the kids know much more about the technology than the parents, but neither the parents or the children understand the threats. I’m often called paranoid, but it’s my belief that in some ways you can’t be too careful; our privacy and therefore our rights to a private life for ourselves and our progeny are daily being eroded by the whim of government and the campaigning of large corporations. It’s therefore refreshing that the British government has got behind a new campaign to highlight the dangers of the online world; targeting children as young as five. While the campaign understandably does focus on protection from paedophiles, the advice has wider use, though sadly it doesn’t seem to stretch to take in malware issues.

While I’m encouraged that the government is finally doing something, I’d be much happier to see a comprehensive plan in place that focuses on education in schools where security is taught as a discipline along side all IT classes. We’re a long way from that, but I (and several others who blog here) will keep tilting at that particular windmill.

Andrew Lee
CEO, AVIEN & CTO K7 Computing

Unnamed App Facebook Hoax/Scam

Flagged by Peter Kruse on a specialist list.

A hoax is circulating on Facebook, warning about a virus that is supposed to add an “Unnamed App” to the FB tabs.

SEO actually drives the incautious Googler towards fake AV.

I blogged this at some length at ESET, so I won’t repeat it all here.

http://www.eset.com/threat-center/blog/2010/01/27/unnamed-app-facebook-hoax

David Harley FBCS CITP CISSP
Chief Operations Officer, AVIEN
Director of Malware Intelligence, ESET

Also blogging at:
http://www.eset.com/threat-center/blog
http://smallbluegreenblog.wordpress.com/
http://blogs.securiteam.com
http://blog.isc2.org/
http://dharley.wordpress.com

iPhones, Facebook, and malware friendliness

Being the conscientious security professional, I do the best to keep all my Computing devices current on OS and application patches. This goes for every server in the lab to the iPod Touch and everything in-between. Last Night while checking iStore for App updates, I was advised that Facebook released a new version of their app.

As a force of habit, I looked at what the update addressed. Rather interestingly it made the Application more “user friendly”. the first item on the list was to be able to synchronize my friends with my contacts. This allows me to import things such as contact information, and profile Photos from Facebook to my “Contacts” or address book. Not too bad as such, although some of my “friends” like to use their dog, or a comic character as their photo. Neat feature, now should David Phillips ever leave OU, well, when he updates his phone number and email, I won’t need to worry, my iPod will update automajically. However, I don’t get to pick and choose which Photos to sync, so when an old High School Chum update their Photo from a nice head-shot, to something less than professional, well, I’ll have no choice there.

Now that is rather nice and user friendly, but at the same time, suddenly, Facebook is also Pushing messages, wall posts, friends requests, friend confirmation, photo tags, events and comments. In fairness, I did have to approve Facebook access, and authorization.

So here’s the rub, as normal user, I would say yea sure, that’s what I want, I want to know when David Harley posts the next AVIEN Blog to Facebook. But suddenly, Facebook has access to my address book, (Contacts to be precise) AND is able to push to my always on device (iPhone and iPod Touch use same app). This disturbs me greatly, as now my email addresses are harvestable (and who’s to know), as well as potentially malicious information being pushed to my phone. Am I paranoid? I’m envisioning a compromise at FB, which is now using iPods and iPhones to send SPAM, emails and SMS messages

As we often said in the past, a more user friendly environment directly translates to a more Malware Friendly environment. I only hope more mobile device users take the steps I did and NOT allow pushes, and the like.

Ken Bechtel

Who owns you?

David recently blogged here (https://avien.net/blog/?p=253) on his concerns over the ways that our personal data is increasingly online and available to everyone who might want it.

On a similar theme, a site called “Web 2.0 Suicide Machine” has recently been sent a cease and desist order by Facebook on the grounds that by “collecting login credentials, the site violates its Statement of Rights and Responsibilities”. This sort of controversy raises the question of who owns an account on a site – not just a social networking site – what about a webmail account? But, more on that shortly. It’s a tricky question, and I suspect that the answer is that the information is jointly owned once you give the information, you enter a contract to allow the recipient to use your info according to their terms and conditions (which could be to publish it all over the place, or just to change your password and never let you back into the account).

It’s only recently that Facebook provided its members with a facility to fully delete (rather than deactivate) their accounts. As someone who spends a lot of time on social networking sites, I’ve often felt the urge to be able to ‘get away from it all’. The idea of being able to commit ‘Web 2.0 suicide’ is in some ways quite appealing, and it does remove the awful problem of trying to delete all that data yourself – and avoids the thorny problem of always being able to get back in and start again. I did actually do this at one point, I entirely deleted my accounts on MySpace and Bebo, removed as much as I could from Orkut (more on Google below) and deactivated (the only option available at the time) my Facebook account. However, after some time after constant messages still arriving from Facebook I succumbed and reactivated my account (although I’m much less obsessive about it, and used the privacy controls to lock it down far more than had been the case before). I’ve never revived the other accounts, basically because I’m to lazy to set them up again. I’m pretty sure that I’d not have come back to Facebook had my account been actually deleted – but Web 2.0 Suicide Machine (and similar services) are in some ways even better, they leave you no option but to start again, because they change your password, and your profile will still exist, only you can’t get to it.

Of course, giving a third party (whether an SN site like Facebook or a service like W2.0SM) your account information is a risk, because you don’t really know what they’re going to do with it, maybe W2.0SM are going to sign you up to all sorts of groups or services on FB, or use your account to click through on site advertising to raise revenue, maybe they’ll harvest  your email addresses and send them to spammers, maybe they’re going to use your phone number and address to do all manner of things. I doubt it, but it’s possible were less ethical people in charge of it. At least, if you’re going to use such a service, remove your most critical private information first.

You can read more on this story here: http://news.bbc.co.uk/1/hi/technology/8441080.stm

Sometime last year, I got an invitation to Google Wave (http://wave.google.com) and had a play around with it. It’s interesting in many ways – not all of them obvious. There has been plenty of comment in other places about what Google Wave does, or what it doesn’t do, but I’m not really interested in that. As far as I’m concerned it was pretty much a failure because nobody could really think of a problem that it solved in a better way than existing technologies. But, what does interest me is what that sort of platform offers to Google. In a collaboration system you have multiple people working on topics. They will discuss the topic, and the group will be focused on a single issue (or set of issues). This is a goldmine for a company like Google which makes money from selling advertising. Nearly everything that Google does is ‘free’ to the user, and the cost is that everything you do is tracked and monetized somehow for Google’s advertising clients. The more services Google provides, and the more you sign up to use, the more exposed you are (and therefore the more useful to Google). I have Gmail (and therefore Gmail Chat), Picasa, Google Wave, Google Apps, a Google Books library, a Google Calendar and so on (as mentioned above I also have a Google Orkut account, though relatively denuded of information). Now, all of those things provide information about me and my interests to Google, allowing targeted advertising to be delivered, and useful demographic information to be collected.

Google wave is a whole different beast, because it doesn’t just connect a few random parts of my life that may or may not be current (for instance, me posting photographs of me with funny hair as a teenager isn’t really that interesting to Google – nor anyone else I should think), it connects people who are discussing a topic of mutual interest, in real time. Planning a trip to India? Great, in real time, to your group specifically, Google can target advertising from firms offering travel services in India. Working on a conference in Sydney? Google can target advertising from firms in the area. Even better, your conference is at the Four Points Sheraton? Great, Google can advertise a room discount, the restaurants withing walking distance, a limo service, the theaters, cinemas etc. About to go for a coffee break? Google can pop up the location of the nearest StarCostaPacket coffee store and offer a 50c discount good for the next two hours.

It’s clear that corporations are interested in getting the most relevant information to consumers, and what better way than exploiting real time data on topics currently under discussion. It’s a goldmine, or would be, if only there was a problem that only Google Wave could fix.

Andrew Lee CISSP
AVIEN CEO, CTO K7 Computing Pvt Ltd.

Never Mind the Balls: it’s the Unsafe Hex Crystals

A little more crystal balling.

Anton Chuvakin suggests in his Security Warrior blog for today that the ongoing trend for the next decade will be for people to find it ever harder to untangle their real lives from their virtual lives, and that will have serious implications for security.

He says “I think that in the next 10 years these two worlds will be much closer to each other, in both perception and “real” reality. HUGE implications to information security will result.” I’m afraid he’s absolutely right: we already see many examples. It’s not only teenagers who don’t distinguish sufficiently between realworld and Facebook friends.

He makes many other interesting points, but that’s one that is giving me nightmares right now.

http://chuvakin.blogspot.com/2010/01/security-predictions-2020.html?utm_source=twitterfeed&utm_medium=twitter&utm_campaign=Feed%3A+AntonChuvakinPersonalBlog+%28Anton+Chuvakin+Personal+Blog%29 

A (reasonably) safe, prosperous and happy new year to you.

By the way, I wanted to offer a free AVIEN subscription for the first person to identify the 70’s reference in the title, but AJ won’t let me. 😉

David Harley FBCS CITP CISSP
Chief Operations Officer, AVIEN
Director of Malware Intelligence, ESET

Also blogging at:
http://www.eset.com/threat-center/blog
http://smallbluegreenblog.wordpress.com/
http://blogs.securiteam.com
http://blog.isc2.org/
http://dharley.wordpress.com

Privacy, AVG, Facebook, Uncle Roger Thompson and all

My last post (https://avien.net/blog/?p=209) on Roger Thompson’s article about privacy concerns, “public” information and so on raised some interesting discussion.

Ironically (or perhaps appropriately) a lot of it was on Facebook.

I carried on the theme on the ESET blog, if you’re interested. “Your Data and Your Credit Card”, at:

http://www.eset.com/threat-center/blog/2009/12/14/your-data-and-your-credit-card

Note that due to a couple of system crashes, a link to Allan Dyer’s excellent article disappeared in the first published version, but is fixed now:

http://articles.yuikee.com.hk/newsletter/2009/12/a.html 

David Harley FBCS CITP CISSP
Chief Operations Officer, AVIEN
Director of Malware Intelligence, ESET

Also blogging at:
http://www.eset.com/threat-center/blog
http://dharley.wordpress.com/
http://blogs.securiteam.com
http://blog.isc2.org/

Roger Thompson on Privacy Concerns

Exactly who has your data?

Roger’s blog suggests that even legitimate businesses are getting a much wider spread of data than they’re getting directly from you as a customer.

Scary, definitely.

http://thompson.blog.avg.com/2009/12/now-_this_-is-scary.html#axzz0ZYOquqRO

David Harley FBCS CITP CISSP
Chief Operations Officer, AVIEN
Director of Malware Intelligence, ESET

Also blogging at:
http://www.eset.com/threat-center/blog
http://dharley.wordpress.com/
http://blogs.securiteam.com
http://blog.isc2.org/