Tag Archives: Twitter

Resource updates May 1 2018

Updates to Anti-Social Media 

The Guardian: WhatsApp CEO Jan Koum quits over privacy disagreements with Facebook – “WhatsApp was built with a focus on privacy and a disdain for ads, but the Facebook-owned service is now under pressure to make money”

Selina Wang for Bloomberg: Twitter Sold Data Access to Cambridge Analytica–Linked Researcher. And commentary from Help Net.

ENISA: Strengthening network & information security & protecting against online disinformation (“fake news”) – “In this paper, ENISA presents some views on the problem of online disinformation in the EU from a Network and Information Security (NIS) perspective. A number of recommendations are presented which relate both to general NIS measures, as well as targeted measures to protect against online disinformation specifically.”

Updates to Cryptocurrency/Crypto-mining News and Resources

Coin Telegraph: Scammers Hijack Verified Twitter Account To Steal Crypto By Posing As Telegram CEO

Updates to Chain Mail Check

ESET: This test will tell you how likely you are to fall for fraud

David Harley


New information/resource page: [anti-]social media

[This article is itself the first entry on the new page Anti-Social Media.]

Like many others, I’ve been at least partially assimilated by the social media Cookie Monster. Once upon a time I opened accounts on sites like Facebook and Twitter, so as to find out about their implications for security. (Like many others in the security profession, I suspect.) They also quickly became integrated into my armoury as a means of exchanging and disseminating information, whether it’s a matter of hard data or work-oriented PR. And when friends, colleagues and fellow musicians (some people, of course, are members of two or all three of those sets!) found me on those platforms, it would have been churlish not to have accepted invitations to link up there. (Besides, you can’t tell as much about Facebook’s workings, for instance, if you don’t actually have any Facebook friends…)

However, I’ve always borne in mind the wider implications of membership of such platforms (sociological, psychological, and security-specific), and have often written on those topics. (I’ll probably look back at some of those posts and see if any of them are worth flagging here.) But with the excitement over the Cambridge Analytica affair, its self-proclaimed success at social engineering, and its alleged misuse of data harvested from social media, I can’t help but notice that people who’ve previously expressed no interest in privacy and security have started to voice concern. So I’m going to use this page to flag some news and resources of interest. Starting with a minor deluge of advice from various quarters:

David Harley

VB Seminar 2010

I spoke at the VB 2010 Seminar in London on ways that Social Engineering can affect your business’ users.

During the talk, I used some links for demos (many thanks to my good friend Dave Marcus for originally showing me a few of these). For those that are interested, here are the links:


Andrew Lee
AVIEN CEO

Blackhat SEO and other nuisances

The horrific Russian suicide bombings have, inevitably, generated a load of blackhat SEO (search engine optimization) attacks, not to mention Twitter profile attacks, using topical keywords to lure victims into running malicious code. I’ve blogged on that elsewhere recently – e.g. “Here come (more of) the Ghouls”, at http://www.eset.com/blog/2010/03/30/here-come-more-of-the-ghouls – so I won’t repeat myself here.

However, I hear from that nice Mr. Cluley at Sophos that there’s an awfully good paper available about “Poisoned search results: How hackers have automated search engine poisoning attacks to distribute malware”, by Fraser Howard and Onur Komili.

It is a good paper, and it will interest a lot of the people who read this blog. And it should interest quite a few people who probably won’t read it. 😦

David Harley FBCS CITP CISSP
Security Author/Consultant at Small Blue-Green World
Chief Operations Officer, AVIEN
ESET Research Fellow & Director of Malware Intelligence

Also blogging at:
http://www.eset.com/blog
http://smallbluegreenblog.wordpress.com/
http://blogs.securiteam.com
http://blog.isc2.org/
http://dharley.wordpress.com
http://macvirus.com

PleaseRobMe: too much information…

[I’ve been told that the PleaseRobMe site includes some dubious affiliation links and is in any case not being updated. I haven’t checked it myself, and the information comes from an organization that flags ‘problem’ links and suggests links to its own resources irrespective of relevance, so I suggest that you take it with the usual pinch of salt. However, I’ve disabled the link anyway: it is, after all, a very old story. I did consider just removing the article, but it has some historical interest, and I’ve tweaked it slightly to bring it up to date. DH, 2018.]

Sometimes I think I should just stop killing myself multi-blogging and retweet Graham Cluley’s blog URLs. Like this one.

The web site he talks about (PleaseRobMe, not the Sophos blog) “…mashes together content from Foursquare and Twitter, providing an easy way for potential burglars and stalkers to find out where you are supping your cappuccino, and when you may have left your home empty…”

In fact, what the site has been doing is auto-grabbing publicly available data from such sites and putting it all in one place, with the intention of highlighting the risk of giving away information about your movements that burglars and stalkers would find useful. Sadly, this makes it more of a miscreant-friendly resource than one useful to potential victims, since those victims-in-waiting are not very likely to come across the site.

Graham comments that it will be interesting to see if FourSquare and Twitter try to stop PleaseRobMe snarfing the data from them. We already have part of the answer to that: Mikko Hypponen reported about three hours ago that Twitter had suspended the @pleaserobme account.

There’s been a series of infomercials on UK TV recently in which “members of the public” try to interest thieves and burglars in robbing them, and a while ago there was a “reality” show in which an ex-burglar broke into people’s homes (with permission) and then lectured them on what they should have done to prevent it.

There would be a certain felicitous and felonious irony if PleaseRobMe were to get accused of having stolen part of their idea from these sources. 😉 In fact, though, the site is Dutch, according to the BBC, so probably not. The Beeb does cite some good advice from the charity Crimestoppers.

“Details posted online are available for the world to see; you wouldn’t hang a sign on your door saying you’re out, so why would you post it online?”

David Harley 

With all the Buzz, some education is in order

So, the not very surprising news that Google has once again attempted to launch a social networking site – following its spectacularly unsuccessful 2004 launch of Orkut (no, unless you live in Brazil or India, you won’t have heard much about it either).

The new network, called “Buzz”, integrates directly into the Gmail email client. To me this just opens up lots of new ways to exploit the users – although if you are using Gmail to do anything private or confidential, you already do need to have a brain check (more so now the NSA will be ‘helping’ to secure it). It looks like Google want some of the big dollars that Facebook and Twitter make – and of course everything will be searchable and exploitable for ad companies to target.

All the fuss around social networking has really highlighted to me the need for good security education – we’ve moved into a new world, one where children are growing up with social networking and mobile phones etc. as an integral part of life. I can’t imagine how my parents ever managed without being able to contact me by phone, or being able to look up my status on Facebook, but somehow they did. Parents have a different problem today, one of how to preserve the privacy of their families and children while taking advantage of what these new technologies offer. The sad fact is that in many cases, the kids know much more about the technology than the parents, but neither the parents nor the children understand the threats. I’m often called paranoid, but it’s my belief that in some ways you can’t be too careful; our privacy, and therefore our right to a private life for ourselves and our progeny, is daily being eroded by the whim of government and the campaigning of large corporations. It’s therefore refreshing that the British government has got behind a new campaign to highlight the dangers of the online world, targeting children as young as five. While the campaign understandably does focus on protection from paedophiles, the advice has wider use, though sadly it doesn’t seem to stretch to take in malware issues.

While I’m encouraged that the government is finally doing something, I’d be much happier to see a comprehensive plan in place that focuses on education in schools, where security is taught as a discipline alongside all IT classes. We’re a long way from that, but I (and several others who blog here) will keep tilting at that particular windmill.

Andrew Lee
CEO, AVIEN & CTO K7 Computing

Haiti Relief Scams

It’s been a while since I talked about Haiti.

First of all, I’m delighted to report that Jeff’s father turned up very much alive.

Less happily, Tom Kelchner of Sunbelt has flagged a story in USA Today that claims that more than 170 complaints have been received by federal law enforcement agencies relating to earthquake relief scams. Scams specifically mentioned include:

  • SEO poisoning directing search-engine users towards sites laced with rogue anti-malware
  • Door-to-door collectors for fake charities
  • 419-type emails from alleged victims or officials
  • SMS scams where text messages invite potential victims to ring a number to get more misinformation
  • Similar scams using social networking sites such as Twitter and Facebook
  • Fraudulent charity web sites

One fake charity I found particularly galling, as a Brit, was the one that claimed to be a British affiliate of the American Red Cross. Come on, guys, we’ve had our very own Red Cross since 1870 (some years before the foundation of the American Red Cross), though it wasn’t called the British Red Cross Society until 1905. Of course, there’s no particular reason why most Americans should know about the British Red Cross as a matter of general knowledge, but this does illustrate the importance of checking the validity of a charitable organization before you contribute to it. Of course, you also need to be sure that where the charity is real, the collection mechanism is also genuine!

USA Today recommends Charity Navigator (http://www.charitynavigator.org/) and the American Institute of Philanthropy (http://www.charitywatch.org) as a means of checking the charitable status of an organization.

David Harley FBCS CITP CISSP
Security Author/Consultant at Small Blue-Green World
Chief Operations Officer, AVIEN
ESET Research Fellow & Director of Malware Intelligence

Also blogging at:
http://www.eset.com/threat-center/blog
http://smallbluegreenblog.wordpress.com/
http://blogs.securiteam.com
http://blog.isc2.org/
http://dharley.wordpress.com
http://macviruscom.wordpress.com

Congratulations, Graham

Congrats to Graham Cluley of Sophos, who walked away from the Computer Weekly blog awards with not just one, but three awards:

IT Security blog of the year – http://www.sophos.com/blogs/gc/

Twitter user of the year – @gcluley

Overall Best blog – yes, same blog.

As a part-time blogger (on several sites!) myself, I have a fair idea of how much work it takes to produce a consistently high-quality blog, and I can only say that these awards were richly deserved.

However, this will not stop me making rude remarks here and on the ESET blog about his karaoke performances.

David Harley FBCS CITP CISSP
Chief Operations Officer, AVIEN
Director of Malware Intelligence, ESET

Also blogging at:
http://www.eset.com/threat-center/blog
http://dharley.wordpress.com/
http://blogs.securiteam.com
http://blog.isc2.org/

AVIEN tiptoes into Web 2.0

First the blog, then the twitter account, now the Facebook group. I don’t have a clear agenda for the group: to some extent it’s an exercise designed to force me to make more use of Facebook. It’s certainly an opportunity for AVIEN members to leap in at an early stage if they have ideas on how we could make good use of the group. However, it’s open to non-members, too, as I’d like to see more engagement with the public and media, which we’ve pretty much lost lately. Of course, if there’s a feeling that we’d benefit from a group for internal use, we could do that too.

I’ve also put up an AVIEN FB page, but there’s nothing to see there right now.

David Harley FBCS CITP CISSP
Chief Operations Officer, AVIEN
Director of Malware Intelligence, ESET

Also blogging at:
http://www.eset.com/threat-center/blog
http://dharley.wordpress.com/
http://blogs.securiteam.com
http://blog.isc2.org/

Resources

A quickie (don’t get too excited!)

A tweet from Alex Eckleberry sent me to the Sunbelt blog (always worth monitoring) and hence to the Securosis blog. The blog that caught Tom Kelchner’s eye and ultimately mine was this one: “I’m tired of this whole ‘security is failing, security professionals suck’ meme” (http://securosis.com/blog/friday-summary-november-13-2009).

However, my gaze travelled over several other interesting pieces to get there: some fairly specialized, like this:

http://securosis.com/projectquant/project-quant-database-security-process-framework

Others, thought-provoking opinion pieces like this one:

http://securosis.com/blog/critical-infrastructure-60-minutes-and-missing-the-point

Worth a look: http://securosis.com/blog/

So, was it good for you?

David Harley FBCS CITP CISSP
Chief Operations Officer, AVIEN
Director of Malware Intelligence, ESET

Also blogging at:
http://dharley.wordpress.com/
http://www.eset.com/threat-center/blog
http://blogs.securiteam.com
http://blog.isc2.org/