Archive for the ‘Research’ Category

« Older Entries

Attackers Use Fake Friends to Blend into Facebook

Thursday, February 2nd, 2012

FOR IMMEDIATE RELEASE

Attackers Use Fake Friends to Blend into Facebook

Barracuda Labs Unveils New Research Study Analyzing Facebook Profiles

View the Infographic: Facebook: Fake Profiles vs. Real Users at http://www.barracudalabs.com/fbinfographic/.

Campbell, Calif. (February 2, 2012) – Barracuda Networks, a leading provider of security, networking and data protection solutions, today released findings from Barracuda Labs’ most recent study, Facebook: Fake Profiles vs. Real Users. The study analyzes a random sampling of 2,884 active Facebook accounts to identify key differences between average real user accounts and fake accounts created by attackers and spammers. The results of the study are being presented today at the 2012 Kaspersky Threatpost Security Analyst Summit in Cancun, Mexico.

Facebook, which filed for IPO this week, has become an important part of personal and business communication. The company consistently fights to keep attackers out of its network, most recently announcing its lawsuit against a marketing firm accused of “spreading spam through misleading and deceptive tactics”. The Barracuda Labs study provides yet another example of this “arms race” as an increasing number of attackers move to social networks to carry out their wares.

Highlighted findings from the Barracuda Labs study include:
•    Almost 60 percent of fake accounts claim to be bisexual, 10 times more than real users
•    Fake accounts have six times more friends than real users, 726 versus 130
•    Fake accounts use photo tags over 100 times more than real users, 136 tags per four photos versus one tag per four photos
•    Fake accounts almost always (97 percent) claim to be female, as opposed to 40 percent for real users

“Likes, News Feeds and Apps have helped lead Facebook to its social network dominance and now attackers are harnessing those same features to efficiently scale their efforts,” said Dr. Paul Judge, chief research officer at Barracuda Networks. “These fake profiles and apps give attackers a long-lived path to continuously present malicious links to innocent users.

“Also, researchers have shown how friending malicious accounts can lead to account takeover using Facebook’s trusted friend account recovery,” Judge continued. “We have analyzed thousands of fake accounts to determine features and patterns that distinguish them from real users, and created a feature-based heuristic engine to distinguish real users from fake profiles.”

The study analyzes data collected from Barracuda Profile Protector, a free tool that analyzes and blocks malicious activity on Facebook and Twitter, along with public data collected from streams and network crawling to demonstrate how users typically operate. The study illustrates how attacks on Facebook are structured to exploit the “friendship” concept and trust of widely-used applications. A variety of machine learning techniques are used to analyze shared URLs, profile images, profile information, and connections with other users to reveal associations, weak and strong, between malicious users.

Resources:
•    Download the Infographic: Facebook: Fake Profiles vs. Real Users at http://www.barracudalabs.com/fbinfographic/.
•    View the Barracuda Labs security research portal at http://barracudalabs.com.
•    Install Profile Protector at http://ProfileProtector.com.
•    Follow Barracuda Labs on Twitter at @barracudalabs

About Barracuda Labs
Barracuda Labs is a global multi-disciplinary research and threat analysis team that fulfills a critical role in developing innovative technologies across Barracuda Networks’ business areas. The team evaluates the threat ecosystem and creates security intelligence to defend Barracuda Networks customers. Barracuda Labs’ threat research areas, which include email, Web, network and cloud security and technology, are designed to improve the world’s security posture by promoting security awareness and education, developing and innovating new defense technologies, and working with government and law enforcement agencies to reduce cybersecurity crime. For more information, please visit www.barracudalabs.com.

About Barracuda Networks Inc.
Barracuda Networks combines premises-based gateways and software, virtual appliances, cloud services, and sophisticated remote support to deliver comprehensive content and network security, data protection and application delivery solutions. The company’s expansive product portfolio includes offerings for protection against email and Web threats as well as products that improve application delivery and network access, message archiving, backup and data protection. Coca-Cola, FedEx, Harvard University, IBM, L’Oreal, and Europcar are among the more than 150,000 organizations protecting their IT infrastructures with Barracuda Networks’ range of affordable, easy-to-deploy and manage solutions. Barracuda Networks is privately held with its International Headquarters in Campbell, Calif. For more information, please visit www.barracudanetworks.com.

###

Share

Posted in Internet Security Tips, phishing, Research, Security, Social Networking, Statistics, Web Security | No Comments »

Human Rights Group Used to Spy on Activists

Thursday, December 22nd, 2011

By Paul Royal, Research Consultant

Amnesty International’s UK website has been compromised and is serving drive-by downloads. Historical data indicates the website AIUK was compromised on or before Friday, December 16.

Details:

Visiting hxxp://www[.]amnesty[.]org[.]uk loads hxxp://3max[.]com[.]br/cgi-bin/ai/ai.html via an iframe. 3max.com.br, which itself is a legitimate but compromised Brazilian automotive website, loads malicious Java content (stolen from the Metasploit project), which targets CVE-2011-3544. If the exploit is successful, malware is installed on the visitor’s system.

Details of Vulnerability Targeted by the Exploit
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3544
VirusTotal Detections for Exploit
http://www.virustotal.com/file-scan/report.html?id=1cc214cee10f02d37359c0e3d04fd57899333c4b1eaa81489c74e5c2fa17c3a8-1324068153
VirusTotal Detections for Exploit Payload
http://www.virustotal.com/file-scan/report.html?id=0e53832e1c36d34a3d05c05f73ebab22a74ade95c5f3b7d9f74fad4f56d10023-1324067892

The exploit payload possesses properties of targeted malware but is being served by an exploit of a popular, public website. The working theory for this anomaly relates to Amnesty International as a human rights non-governmental organization. To explain, certain countries use zero day exploits and other techniques to gain electronic information about the activities of human rights activists. Of course, a subset of these activists are too smart to click on links in even well-worded spearphishing emails. But what if you compromised a website frequented by these activists (e.g., Amnesty International)? Then your targets come to you. The context-specific damage potential is significant.

Amnesty International UK has been notified about the compromise.

Share

Tags: , , , ,
Posted in Current Events, phishing, Research, Security, Uncategorized, Web Security | 1 Comment »

Seven Annoying Attacks That Facebook Misses

Wednesday, November 16th, 2011

This week Facebook experienced a rash of attacks that posted pornographic images. Some even claimed to be nude celebrities and others claimed to be child pornography. Last month we released survey results that showed that 40% of Facebook users do not feel safe on Facebook. Two weeks later, Facebook released an infographic showing its security initiatives and statistics. We applaud the efforts; however, more is needed. When you are trying to grow a social network as well as increase advertising revenue, security becomes not only a lower priority but sometimes a conflict of interest.

Facebook claims that only 0.5% of users experience spam on any given day. That is still 4 million people out of the 400 million users that log in on any given day. We suspect that measurement only counts spam that Facebook catches which is clearly not 100% of the spam. While working on Profile Protector and other web security intelligence, we regularly come across examples of spam and attacks that repeatedly use simliar approaches that are detectable. We compiled this list of seven annoying attacks that Facebook misses.

1) Fake Product Pages:

Knock off luxury goods have always been popular scams.  You might think you are buying your mother a nice new purse for a great price.  If you actually get the product, which is a bit of a long shot, you are likely to find that the quality you expected from the brand is lacking at best.  Facebook is rife with pages promoting these goods. Somehow these pages remain long-lived even after user complaints.  Once they finally are shut down there are already 8 duplicate pages running the same scam. Clearly there are some brands that just are not sitting on hundreds of photo albums on Facebook as their advertising platform. For example, Christian Louboutin, Louis Vuitton, Air Jordan and Beats By Dre.

 

2) Manipulated Accounts Recommendations:

On social networks those with less good motives have figured out how to game the recommendation system and use it to their advantage. This is very similar to how attackers have used search engine optimization to promote their malware. Friends are recommended in a variety of ways, but a simply exploited example is through shared apps.  Spammer accounts sign up for the same popular apps that real users do and before too long they are showing up in your list of recommended friends, which snowballs nicely into giving them a foothold into the recommended list for each of your friends.

 

3) Affiliate Spam:

Affiliate spam is a bigger and bigger part of the typical users incoming stream. Usually relying on the images of established and trusted brands these scams tend to be very successful and take little work for those who run them.  The hook is usually a free gift card or in some cases something as extravagant as a new iPad. They encourage or require the user to share it out to all their friends and say something like “I love olive garden” before being redirected to a never-ending series of offers in the form of premium text messaging, video rental and reoccurring subscriptions of all kinds that the user is required to sign up for to get the supposed “free” gift card.  A run featuring a Starbucks gift card was successful enough that Starbucks corporate had to comment letting users know it was not legitimate.


 

4) Photo Tagging For Spam:

The Facebook infographic referenced above mentions “Photo DNA” but it is likely that this is little more than a database of hashes related to explicit and exploitative images.  Photo tagging for spamming is one of the most popular methods of spamming through the network but it doesn’t seem to be getting much attention.  With each image uploaded a spammer can tag as many 50 other accounts in a photo, and have as many as 200 photos in an album.  With everyone in Facebook having a maximum of 5,000 friends each photo can reach a quarter million people.  This leads to a fairly nice multiplier for bytes uploaded vs users reached, especially on a network that people spend as much time on as Facebook.  Some basic image analysis will tell you if there are really 40 people in the picture or if it just a pair of Hello Kitty heels.

 

5) Fake Apps

Fake apps, malicious apps, misleading apps, whatever you want to call it, Facebook is overflowing with them.  New examples show up daily, often focusing on giving users features that they wish Facebook would provide.  After all, don’t we all want to know if that old flame still looks you up every few days. Or don’t we all wait for the launch of a ‘dislike’ button.  It is a big network and these are going to exist from time to time anywhere, but it is becoming more like the shareware sites of the late 90s where most the programs were of low quality and a relatively high percentage of them posed a risk.  Usually they are in the information gathering and spamming business, but we have found examples that link to malicious binaries.

 

6) Stolen Pictures

There is not really a set of sextuplets each with the same bikini picture as their personal profile picture. Those are fake accounts. The photo album that as the same two images-one of the front view of a bikini and the other with the back view of a different bikini-repeated 15 times each is not a real user. Certainly there are some images that will be common to multiple people such as a team logo or newly released album cover. However the fake accounts typically use images of a salacious nature.  Sex sells, and these profiles do very well at gathering followers around a fake identity, only to occasionally slip an advertisement into the stream.  Of course there is always the possibility that we’ve stumbled upon a set of identical sextuplets that would be very happy to reconnect…

 

7) Anomalous Behavior

Finally, Facebook and social networks in general should focus on some form of anomaly detection.  We’ve all seen examples of that friend who you never really talk to, and probably weren’t that interested in “friending” anyway, posting on your wall or messaging your account encouraging you get a free iPad or a trip on Southwest airlines, etc.  Similar problems have been appropriately mitigated elsewhere in messaging but social networks have a long way to go.  In many ways we’re seeing the same problems that the security community has been dealing with for more than a decade. Instead of SMTP and a distributed network, more and more messaging is pushed over HTTP and closed networks that give the receiver little that they can do in the way of securing themselves. Looking for behavior that is an outlier to the normal pattern is a well understood approach in other areas of network and messaging security. If someone that never uses chat is suddenly chatting with dozens of people and forwarding the same link, then there is a high likelihood of suspicious activity.

 

 

Share

Posted in Current Events, Internet Security Tips, Research, Security, Social Networking, Spam | No Comments »

Barracuda Labs Releases 2011 Social Networking Security and Privacy Study

Wednesday, October 12th, 2011

By: Barracuda Labs

For Immediate Release

NINE OUT OF 10 PEOPLE ATTACKED AND ONE OUT OF FIVE PEOPLE DAMAGED BY PRIVACY LAPSE ON SOCIAL NETWORKS

Barracuda Labs Releases 2011 Social Networking Security & Privacy Study

Campbell, Calif. (Oct. 12, 2011) Barracuda Labs today released its 2011 Social Networking Security & Privacy Study. The complete study and infographic can be seen at www.barracudalabs.com. Barracuda Labs is the research arm of Barracuda Networks Inc., the leading provider of security, application delivery and data protection solutions to businesses.

“Social networks are a significant part of how we communicate with one another. At the same time, the dangers associated with social networking have climbed exponentially,” said Dr. Paul Judge, chief research officer and vice president for Barracuda Networks. “The fact that nine out of 10 users already have been attacked proves that attackers are taking over social networks and users are living in fear.”

The study focuses on social networking usage, security and privacy, and is based on survey results from hundreds of users representing over 20 countries. The study was conducted over a two-week span between September and October 2011. Overall, users value security and privacy almost equally to popularity and ease of use. Major highlights from the study are included below.

Social Networking Usage

  • LinkedIn is the most accepted social network by businesses with only 20 percent of companies blocking or limiting its usage, as compared to 31 percent of companies that block or limit Facebook.

Social Networking Security

  • Nine out of 10 people have received spam, and one in four have received a virus or malware, on a social network.

Social Networking Privacy

  • One in five people has been negatively affected by information that was exposed on a social network.

2011 Social Networking Security & Privacy Study – Resources:

 

About Barracuda Labs

Barracuda Labs is a global multi-disciplinary research and threat analysis team that fulfills a critical role in developing innovative technologies across Barracuda Networks’ business areas. Barracuda Labs’ threat research areas include email, Web, network and cloud security and technology. Barracuda Labs aims to improve the world’s security posture by promoting security awareness and education, developing and innovating new defense technologies, and working with government and law enforcement agencies to reduce cybersecurity crime.

About Barracuda Networks

Barracuda Networks Inc. combines premises-based gateways and software, virtual appliances, cloud services, and sophisticated remote support to deliver comprehensive content security, data protection and application delivery solutions. The company’s expansive product portfolio includes offerings for protection against email and Web threats, as well as products that improve application delivery and network access, message archiving, backup and data protection. Coca-Cola, FedEx, Harvard University, IBM, L’Oreal, and Europcar are among the more than 150,000 organizations protecting their IT infrastructures with Barracuda Networks’ range of affordable, easy-to-deploy and manage solutions. Barracuda Networks is privately held with its International headquarters in Campbell, Calif. For more information, please visit www.barracudanetworks.com.

Share

Posted in ID Theft, phishing, Research, Security, Social Networking, Spam, Statistics | No Comments »

Malformed DHCPv6 packets cause RPC to become unresponsive

Tuesday, August 16th, 2011

by Thomas Unterleitner

There is a vulnerability in the part of RPC processing DHCPv6. The failure results because of incorrect handling of malformed messages. On July 28, 2011, this vulnerability was confirmed and reported by Microsoft.

To exploit this vulnerability, an attacker would need to intercept DHCPv6 traffic. Once a DHCPv6 Request has been intercepted, the corresponding Reply would have to be modified to contain the malformed Domain Search List option. On reception of this malformed packet, RPC on the remote machine would fail. Exploiting this vulnerability would cause the RPC service to fail, losing any RPC-based services, as well as the potential loss of some COM functions.

Failing RPC calls might interfere with the following:

- network connectivity (no IP address acquired, no IP address release/renew, …)

- applications using COM/DCOM interfaces

- machine’s sound system
The error has been found to occur on reception of DHCPv6 Reply (message type 7) packets, containing the option “Domain Search List” (option type 24) with an empty domain.

Affected Systems

Using the sample DHCPv6, it was possible to verify this issue on the following operating systems and configurations:

*       Microsoft Windows 7 Ultimate SP1 32 bit & 64 bit
It is very likely that other versions of Windows 7 (and maybe earlier) are affected by this issue.

Impact

1.      Reception of a “malformed” DHCPv6 Reply packet causes critical error 0xc0000374 within rpcrt4, leaving the RPC server to become unavailable.

a.) ipconfig /release <adapter_name> reporting: An error occurred while releasing interface <adapter_name>: The RPC server is unavailable.

This enables e.g. rouge DHCP servers to prevent other machines from connecting to a network.

Acknowledgments

This vulnerability was discovered by Michael Burgbacher and Thomas Unterleitner on behalf of Barracuda Networks AG. The complete advisory is available here.

Share

Tags: , ,
Posted in Research, Security | No Comments »

Google+ Gets a “+1″ for Browser Security

Thursday, July 21st, 2011

by Ray Kelly, Manager of Client Side Technologies

 

+1Launching a new Web app today comes with a few certainties, and one of them is, “I will be a target for hackers” for sure.  So when an app as large and as high profile as Google+ launches, it will surely be one of the top targets for malicious activity.  This happened to Facebook the more popular it grew and it still is a favorite platform for malicious activity.  I did some analysis of the HTTP traffic between Google+ and the browser and found that Google is off to a good start in regards to browser security. Below are several take-aways:

Only SSL!
All Google+ traffic is sent over SSL and non SSL is not even an option.  This protects users’ traffic from getting sniffed and their sessions from being hijacked.  It is good to know that Google understands that sensitive information is being shared and SSL is really the only option for transmitting data.

Secure Headers
Here is what a typical response looks like from Google+:

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Content-Length: 184942
Set-Cookie: ULS=somehash; Path=/; Secure; HttpOnly
Date: Fri, 15 Jul 2011 14:29:05 GMT
Expires: Fri, 15 Jul 2011 14:29:05 GMT
Cache-Control: private, max-age=0
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Server: GSE

There are a few headers in this response that are specific to browser security, for example:

Set-Cookie Secure – This tells the browser to only send cookies over a secure (SSL) connection.  So if the site happens to hit a page that is not SSL, then the cookie will not be sent.

Set-Cookie HttpOnly – This prevents the cookie from being accessed by client side script.

Both of these cookie attributes help to prevent  session hijacking by only sending cookies when appropriate.

X-Content-Type-Options: nosniff – This prevents “mime” based attacks. The header instructs the browser not to override the response content type.  For example, some browsers try to be smart by deciding for themselves if the content is really is text/html or an image.  So with the nosniff option, if the server says the content is text/html, then the browser needs to render it as text/html.

X-Frame-Options: SAMEORIGIN – This tells the browser to only render frame pages from the URL hosting the main page.  This prevents Clickjacking attacks against the user.  Clickjacking is a browser-based attack that tricks the user into clicking on one thing but then performs a different action, such as following a user on Twitter.

X-XSS-Protection: 1; mode=block – This allows the browser to detect a cross site reflection attack.  If the browser sees a potential reflection attack, it will prevent the page from rendering in the browser.  Instead, you will see something similar to this depending on the browser:

 

What about Facebook?
While these preventions are by no means ground breaking or new, the fact that Google is thinking about and using them is a good step.  In contrast, let’s look at a typical Facebook response:

HTTP/1.1 200 OK
Cache-Control: public, max-age=604800
Content-Type: application/x-javascript; charset=utf-8
Expires: Fri, 22 Jul 2011 14:46:37 GMT
P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"
X-Frame-Options: DENY
Set-Cookie: _e_syaN_0=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly
X-FB-Server: 10.52.238.45
X-Cnection: close
Date: Fri, 15 Jul 2011 14:46:37 GMT
Content-Length: 24032

It is surprising that Facebook has not taken the same simple precautions that Google+ has taken. Here, we can see the differences:

Secure Cookie Nosniff XSS Protection X-Frame HttpOnly Cookie SSL
Google+ Yes Yes Yes Sameorigin Yes Yes
Facebook No No No Deny Yes Optional and not default

In fact, just yesterday Microsoft’s Vulnerability Research team released advisory MSVR11-007: “Clickjacking Vulnerability in Facebook.com Could Allow Account Compromise”.   According to the advisory, Facebook has resolved the issue.  I did another check of the headers and still did not see any change to the response.  It is possible that Facebook closed the hole on the server side with input validation in order to prevent the malicious data from entering their database, but they still did not implement the simple browser precautions that Google+ has.   Here is the link to the official MSVR advisory:
http://www.microsoft.com/technet/security/advisory/msvr11-007.mspx

The folks from SecTheory/WhiteHat Security have an excellent write-up on Clickjacking.  For detailed information on this vulnerability visit:
http://www.sectheory.com/clickjacking.htm

 

Conclusion
Unfortunately, not all of these headers are supported in all browsers, meaning any of you still using IE6 won’t be able to take advantage of these headers.  What’s this mean for you? Make sure you are using an up-to-date browser to take full advantage of these protections.

Do these security measures make Google+ impervious to malicious activities?  Absolutely not.  Is it a good start?  Yes, it is. And further, it is good to see an app make its debut with security in mind.  It actually gives us Infosec folks a bit of hope that developers are listening and doing the right thing.

 

 

 

 

Share

Tags: , , , , ,
Posted in Internet Security Tips, Research, Security, Social Networking, Web Security | 9 Comments »

Cyber criminals continue to capitalize on current events – Osama Bin Laden dead!

Monday, May 2nd, 2011

by  Nidhi Shah, Security Researcher

Along with media, homeland security and Al-Qaeda supporters, another group of people got to work immediately after Osama Bin Laden was killed: malware authors. This is not surprising given malware writers propensity to take advantage of the day’s current events as a way to reach the largest number of eyeballs and victims.

This news is no different. We noticed multiple campaigns taking advantage of the news within hours of its announcement. One such campaign showed up on Facebook offering a video of the killing:

 

Wall from account spreading fake videos

 

Clicking on the link leads the user to a fake blog with video, which in turn requires the user to “Like” it in order to get to the video. However in doing so (“liking”), the user is authorizing the malware to post on his/her wall and fill it up with other “Like” messages that were never authorized. “Like” messages are shared automatically via the Facebook newsfeed on a user’s network; therefore, these messages quickly become viral and spread via trusted channels.

Newsfeed from victim account

 

There are multiple other campaigns taking advantage of this news and also creating new related headlines to get more attention. Like this campaign (again on facebook):

Wall from another account trying to promote sites with fake headlines

 

Clicking on that link will lead you to the blog full of such fake headlines.

Blog from fake headline campaign

 

While this one did not directly lead to any malicious impact, clearly the headlines are fake. That leads us to believe that we might have encountered it while malware authors were still in the process of preparing their next malicious campaign. Or that they could be taking advantage of current events and user curiosity for increasing search engine ranking for these pages.

Our advice to readers is to be cautious while browsing the Web to look for more details related to this event and any other major news in general. We recommend visiting the major news channels directly to get more information rather than click on links in Facebook or Twitter, even if they are seemingly posted by friends or trusted sources.


Share

Posted in Purewire Trust, Research, Security, SEO Poisoning, Social Networking | No Comments »

Email Spam Drops by Half While Search Engine Malware Increases 50 Percent and Twitter Crime Rate Rises 20 Percent During 2010

Thursday, March 3rd, 2011

From: Barracuda Labs [PRESS RELEASE]

Barracuda Labs Issues 2010 Annual Security Report; Launches New, Free Profile Protector to Protect Users against Malicious Threats on Facebook and Twitter

Campbell, Calif., March 3, 2011 – Barracuda Networks Inc., a leading provider of content security, data protection and application delivery solutions, today released findings from its 2010 Annual Security Report which indicates attackers are making a shift from using email spam to more aggressively targeting the Internet. Email spam dropped by half during 2010, while search engine malware doubled and the Twitter Crime Rate increased 20 percent, signifying a concentrated focus on the more lucrative social networks and search engines as attack vectors. To help combat this, Barracuda Networks today announced the availability of its new Profile Protector, a free service that protects social networking users against malicious threats on Facebook and Twitter. Profile Protector is available at http://profileprotector.com/.

“Attackers focus on where they can get the most eyeballs and profit, and today that means social networks and search engines,” said Dr. Paul Judge, chief research officer at Barracuda Networks. “As a community we often point to the need for user education as the missing component; however, the levels of social engineering involved in today’s attacks suggest that we must continue to elevate our technological approaches. The research community must continue to build innovative defenses and the industry must make efforts to increase the deployment rates of those defenses.”

Searching for Malware
Barracuda Labs conducts periodic studies across Bing, Google, Twitter and Yahoo!, analyzing trending topics on popular search engines in order to understand the scope of the problem and to identify the types of topics used by malware distributors. The most recent study was conducted over 153 days. The analysis reviews more than 157,000 trending topics and nearly 37 million search results. Overall, the research found that attackers have increased the amount of search engine malware as well as expanded targeted efforts beyond Google.

Key highlights from the search result analysis include:

  • In June 2010, Google was crowned as “King” of malware, turning up more than twice the amount of malware as Bing, Twitter and Yahoo! combined when searches on popular trending topics were performed. As malware spread across the other search engines, the ratios were distributed more evenly by December 2010, with Google producing 38 percent of overall malware; Yahoo! at 30 percent; Bing at 24 percent and Twitter at eight percent.
  • The amount of malware found daily across the search engines increased 55 percent from 145.7 in June 2010 to 226.3 in December 2010.
  • One in five search topics lead to malware, while one in 1,000 search results lead to malware.
  • The top 10 terms used by malware distributors include the name of a Jersey Shore actress, the president, the NFL and credit score.

The Dark Side of Twitter
Barracuda Labs analyzed more than 26 million Twitter accounts in order to measure and analyze account behavior. The analysis enabled researchers to model normal user behavior and identify features that are strong indicators of illegitimate account use. The study reviews several key areas including True Twitter Users1, Twitter Crime Rate2, and Tweet Number3.

Key highlights from the Twitter research include:

  • In general, activity continues to increase on Twitter: more users are coming online; True Twitter Users are tweeting more often, and even casual users are becoming more active. As users become more active, the malicious activity also increases.
  • The number of True Twitter Users increased to 43 percent, up from only 29 percent in June 2010.
  • For every 100 Twitter users, 39 have between one and nine followers, while 50 percent of Twitter users have more than 10 followers.
  • Approximately 79 percent of Twitter users tweet less than once per day.
  • After decreasing at the end of 2009, the Twitter Crime Rate increased 20 percent from the first half of 2010 to the second half of 2010, going from 1.6 percent to 2 percent.
  • Attackers are distributing malware and exploiting vulnerabilities to achieve their malicious goals.

To view the complete Barracuda Labs 2010 Annual Security Report and the company’s security portal, please visit http://barracudalabs.com.

Protecting Profiles on Facebook and Twitter
Barracuda Labs also announced the availability of its new Profile Protector, a free service that protects social networking users against malicious threats on Facebook and Twitter and is available at http://profileprotector.com/. The application analyzes user-generated content posted to profiles and is able to block or remove malicious or suspicious content. This includes malicious URLs, embedded photos and/or videos on Facebook and Twitter pages and news feeds.

About Barracuda Networks Inc.
Barracuda Networks Inc. combines premises-based gateways and software, virtual appliances, cloud services, and sophisticated remote support to deliver comprehensive content security, data protection and application delivery solutions.  The company’s expansive product portfolio includes offerings for protection against email, Web and IM threats as well as products that improve application delivery and network access, message archiving, backup and data protection. Coca-Cola, FedEx, Harvard University, IBM, L’Oreal, and Europcar are among the more than 130,000 organizations protecting their IT infrastructures with Barracuda Networks’ range of affordable, easy-to-deploy and manage solutions.  Barracuda Networks is privately held with its International headquarters in Campbell, Calif.  For more information, please visit www.barracudanetworks.com.

Resources:
•    Download the Barracuda Labs 2010 Annual Security Report at http://www.barracudalabs.com/research_resources.html.
•    View the Barracuda Labs security research portal at http://BarracudaLabs.com.
•    Follow Barracuda Labs on Twitter at @barracudalabs.

Footnotes:
1 – ‘True Twitter User’ is defined as a user that has at least (≥) 10 followers, follows at least (≥) 10 people, and has tweeted at least (≥) 10 times.
2 – ‘Twitter Crime Rate’ is defined as the percentage of accounts created per month that were eventually suspended for malicious or suspicious activity, or otherwise misused.
3 – ‘Tweet Number’ is defined as a user’s average number of tweets per day.

#  #  #

Share

Posted in Research, Security, SEO Poisoning, Social Networking, Statistics, Web Security | 1 Comment »

73 Percent of Organizations Have Been Hacked At Least Once In The Last 24 Months Through Insecure Web Applications

Tuesday, February 8th, 2011

By: Barracuda Labs

  • Report from Ponemon Institute finds website attacks are the biggest concern for companies, yet 88 percent spend more on coffee than securing Web applications
  • 69 percent of organizations rely on network layer firewalls to protect their websites, leaving Web applications wide open for attack
  • 72 percent of organizations test less than 10 percent of their Web applications for security holes, some knowing they have been hacked in the past

Barracuda Networks Inc., Cenzic Inc. and the Ponemon Institute, today announced the results of the “State of Application Security Survey,” which reveals respondents’ perceptions and experiences protecting Web applications. The survey underscores the lack of adequate protection currently in use and overall insufficient resources and knowledge around Web application security.

According to 74 percent of respondents, Web application security is either more critical or equally critical to other security issues faced by their organizations. Despite this, the study shows there are many misconceptions around the methods used to secure Web applications, primarily Web application firewalls and vulnerability assessment.

“While it is encouraging to see that Web application security is on the minds of most organizations, there still seems to be a real disconnect between the desire and implementation of security countermeasures required for Web application security,” said Dr. Paul Judge, chief research officer and VP for Barracuda Networks. “The fact that 69 percent of respondents are relying upon network firewalls to secure Web applications is like relying upon a cardboard shield for protection in a sword fight – eventually your shield will prove that it’s insufficient and an attack will reach you that can fly past a network firewall.”

“The fact that a quarter of respondents could not provide a range for how many Web applications they have is a huge red flag right off the bat,” said Mandeep Khera, CMO for Cenzic. “Furthermore, that 20 percent of organizations do not test at all and 40 percent test only 5 percent of their Web applications is shocking. And, most of these companies have been hacked multiple times through insecure Web applications. If you know that burglars come through a broken door repeatedly wouldn’t you want to fix that door?”

Other key findings in the study include:

  • Data protection (62 percent) and compliance (51 percent) were the top reasons for securing Web apps. Job protection was also a significant reason cited by 15 percent of respondents.
  • Despite 51 percent listing compliance as a key driver for Web application security, 43 percent are not familiar with or have no knowledge of OWASP, a key component to compliance standards like PCI.
  • With 41 percent reporting they have over 100 Web applications or more, the majority (66 percent) test less than 25 percent of these applications for vulnerabilities.
  • More than half (53 percent) expect their Web hosting provider to secure their Web applications.
  • Of those respondents who own a Web application firewall, nearly 2 times agreed that a reverse proxy is a better and more secure technology than a transparent bridge technology.

“While IT practitioners recognize the criticality of secure Web applications, their organizations do not provide adequate resources and expertise to manage the risk,” said Dr. Larry Ponemon, chairman and founder, Ponemon Institute. “Over half of the respondents we polled believe they do not have resources to detect and remediate insecure Web applications, and 64 percent said they believe that their organization have inadequate governance and usage policies.”

The results of the survey from the Ponemon Institute are based on responses from 637 practitioners in a variety of industries with an average of 11 years of experience in their profession. The full survey analysis can be found at http://www.barracudanetworks.com/ns/downloads/White_Papers/Barracuda_Web_App_Firewall_WP_Cenzic_Exec_Summary.pdf.

Share

Posted in ID Theft, Internet Security Tips, phishing, Research, Security, Social Networking, Statistics, Web Security | No Comments »

Gawker Compromise, Password Lessons

Tuesday, December 14th, 2010

by Daniel Peck, Research Scientist

Today any news/blog site remotely technical most likely has a blurb about about the recent Gawker media compromise.  Most people are making a big deal out of the release of the password files, but honestly, there’s not a lot to that part.  These were clearly very low priority passwords for almost everyone using them. While there was probably some amount of password reuse between Gawker sites and the users’ email addresses, the overlap is still relatively small.

But everyone loves a few stats, so here we go… Out of 188,281 passwords (this is from the parsed_db.txt file in the torrent floating around) the top passwords used are:

3057 – 123456
1955 – password
1119 – 12345678
661 – lifehack
418 – qwerty
333 – abc123
311 – 111111
300 – monkey
273 – consumer
253 – 12345
247 – letmein
241 – trustno1
233 – dragon
213 – baseball
208 – superman
202 – iloveyou
202 – 1234567

Additionally,

~50k of the accounts had a Gmail address, ~45k had a Yahoo address, and ~29k had a Hotmail account.

855 of the passwords contained one of George Carlin’s 7 Dirty Words.

930 contained Love.

And honestly, I’m a bit surprised that that many people who comment on blog sites are into baseball enough to have it as a password.

The bigger story should be about how complete the compromise appears to be.  All of the source code Gawker owns appears to have been released, and that is a very large piece of intellectual property out there for anyone to take apart.  Not only does it allow others to find problems in the source code, but it also allows them to see what Gawker is planning for in the future, what capabilities they have but haven’t unlocked, and of course allows any hacker worth his salt to find vulnerabilities in the code for future attacks.  All around, this is not a good situation for any company to be in and will likely lead to a major code rewrite/audit in order to deal with this effectively.

So in light of recent events, now is as good of a time as any to share some good password advice:

1. Developers – Hash your passwords using salt.  It seems (though, I haven’t verified this yet) that this database was simply DESing the passwords without doing any sort of salt using a username/etc.  This is bad since it means that a simple rainbow table can be looked up, and that collisions are much easier to come by.

2.  Users – Don’t use easy-to-guess passwords (if your password is in the Gawker list, that’s bad.)   An easy way to make a strong password is to start with an easy-to-remember phrase, like “The quick brown Fox jumped over the lazy Dog.”  Then take the first letter from each word, like so – “TqbFjotlD”.   Add in a number such as your age and you have a fairly strong password that’s still easy for you to recall.

3.  Users – Don’t share passwords between sites.  Instead, use the technique in item 2 to create a strong password “root” which you can reuse on sites by appending a special character such as @ and a two or three letter mnemonic for the site.  For example, the above password root could be “TqbFjotlD32@GM”  for Gmail,  “TqbFjotlD32@HM” for a home computer, and even “TqbFjotlD32@GK” for Gawker media.

I’m sure we will be hearing more about the Gawker compromise over the next few days, and will keep you updated if anything interesting pops up.

Share

Tags: , , , ,
Posted in ID Theft, Internet Security Tips, Research, Security, Uncategorized, Web Security | No Comments »

« Older Entries