Posts Tagged ‘social networking security’

Google+ Gets a “+1″ for Browser Security

Thursday, July 21st, 2011

by Ray Kelly, Manager of Client Side Technologies

 

+1Launching a new Web app today comes with a few certainties, and one of them is, “I will be a target for hackers” for sure.  So when an app as large and as high profile as Google+ launches, it will surely be one of the top targets for malicious activity.  This happened to Facebook the more popular it grew and it still is a favorite platform for malicious activity.  I did some analysis of the HTTP traffic between Google+ and the browser and found that Google is off to a good start in regards to browser security. Below are several take-aways:

Only SSL!
All Google+ traffic is sent over SSL and non SSL is not even an option.  This protects users’ traffic from getting sniffed and their sessions from being hijacked.  It is good to know that Google understands that sensitive information is being shared and SSL is really the only option for transmitting data.

Secure Headers
Here is what a typical response looks like from Google+:

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Content-Length: 184942
Set-Cookie: ULS=somehash; Path=/; Secure; HttpOnly
Date: Fri, 15 Jul 2011 14:29:05 GMT
Expires: Fri, 15 Jul 2011 14:29:05 GMT
Cache-Control: private, max-age=0
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Server: GSE

There are a few headers in this response that are specific to browser security, for example:

Set-Cookie Secure – This tells the browser to only send cookies over a secure (SSL) connection.  So if the site happens to hit a page that is not SSL, then the cookie will not be sent.

Set-Cookie HttpOnly – This prevents the cookie from being accessed by client side script.

Both of these cookie attributes help to prevent  session hijacking by only sending cookies when appropriate.

X-Content-Type-Options: nosniff – This prevents “mime” based attacks. The header instructs the browser not to override the response content type.  For example, some browsers try to be smart by deciding for themselves if the content is really is text/html or an image.  So with the nosniff option, if the server says the content is text/html, then the browser needs to render it as text/html.

X-Frame-Options: SAMEORIGIN – This tells the browser to only render frame pages from the URL hosting the main page.  This prevents Clickjacking attacks against the user.  Clickjacking is a browser-based attack that tricks the user into clicking on one thing but then performs a different action, such as following a user on Twitter.

X-XSS-Protection: 1; mode=block – This allows the browser to detect a cross site reflection attack.  If the browser sees a potential reflection attack, it will prevent the page from rendering in the browser.  Instead, you will see something similar to this depending on the browser:

 

What about Facebook?
While these preventions are by no means ground breaking or new, the fact that Google is thinking about and using them is a good step.  In contrast, let’s look at a typical Facebook response:

HTTP/1.1 200 OK
Cache-Control: public, max-age=604800
Content-Type: application/x-javascript; charset=utf-8
Expires: Fri, 22 Jul 2011 14:46:37 GMT
P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"
X-Frame-Options: DENY
Set-Cookie: _e_syaN_0=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly
X-FB-Server: 10.52.238.45
X-Cnection: close
Date: Fri, 15 Jul 2011 14:46:37 GMT
Content-Length: 24032

It is surprising that Facebook has not taken the same simple precautions that Google+ has taken. Here, we can see the differences:

Secure Cookie Nosniff XSS Protection X-Frame HttpOnly Cookie SSL
Google+ Yes Yes Yes Sameorigin Yes Yes
Facebook No No No Deny Yes Optional and not default

In fact, just yesterday Microsoft’s Vulnerability Research team released advisory MSVR11-007: “Clickjacking Vulnerability in Facebook.com Could Allow Account Compromise”.   According to the advisory, Facebook has resolved the issue.  I did another check of the headers and still did not see any change to the response.  It is possible that Facebook closed the hole on the server side with input validation in order to prevent the malicious data from entering their database, but they still did not implement the simple browser precautions that Google+ has.   Here is the link to the official MSVR advisory:
http://www.microsoft.com/technet/security/advisory/msvr11-007.mspx

The folks from SecTheory/WhiteHat Security have an excellent write-up on Clickjacking.  For detailed information on this vulnerability visit:
http://www.sectheory.com/clickjacking.htm

 

Conclusion
Unfortunately, not all of these headers are supported in all browsers, meaning any of you still using IE6 won’t be able to take advantage of these headers.  What’s this mean for you? Make sure you are using an up-to-date browser to take full advantage of these protections.

Do these security measures make Google+ impervious to malicious activities?  Absolutely not.  Is it a good start?  Yes, it is. And further, it is good to see an app make its debut with security in mind.  It actually gives us Infosec folks a bit of hope that developers are listening and doing the right thing.

 

 

 

 

Share

Tags: , , , , ,
Posted in Internet Security Tips, Research, Security, Social Networking, Web Security | 9 Comments »

Facebook like-jacking trades in celebrities for T&A

Monday, March 28th, 2011

by David Michmerhuizen – Security Researcher

Two weeks ago Facebook saw a wave of celebrity like-jacking attacks which Barracuda Labs detailed in a post describing their Open Graph underpinnings.  Those attacks used teen celebrities as their bait – Justin Bieber and Miley Cyrus were prominent themes.

After a slight hiatus, the scammers are back with the same software but a different approach.  They’re targeting a tried and true Internet meme – T & A.

like-jack posts in friends feed

like-jack posts in friends feed

Clicking on one of these links in a friend feed takes you away from Facebook to another site.  In the previous campaign, these throw-away sites were registered with names like girl-gets-caught.info or daddy-bustedonline.info, and the scam pages were formatted to look like YouTube videos.

Now that they’ve added more salacious come-ons, at least some of the pages are formatted to look like gossip sites.

Like-jack attack page

Just as before, this Web page uses the Open Graph API to construct a large ‘like’ button that appears to be a movie preview pane.   Clicking on the preview pane does two things: it posts a ‘like’ message to your own news feed and then serves up a set of scammy surveys and questionable product offerings under the guise of a ‘security check’.

Survey delivery dialog

Survey delivery dialog

If you click all the way through any of these offerings, the like-jack page creators are paid a fee.   Entering personal information into any of these ‘surveys’ is a great way to get on spam lists.   Many of them solicit your cell phone number and then sign you up for unwanted premium SMS services which are placed on your cell phone bill each month.

Barracuda Networks recommends you exercise special care when visiting links posted in your friends’ news feeds.    Barracuda Web Filters and the Barracuda Web Filtering Service block access to these sites.


Share

Tags: , , , ,
Posted in Security, Social Networking, Uncategorized, Web Security | No Comments »

@zzap is my hero

Tuesday, September 21st, 2010

By Daniel Peck, Research Scientist

Earlier today Twitter was the target/medium of a large scale cross site scripting (XSS) spam/attack demonstration.

In the wee hours of the morning, Pearce Delphin, @zzap, discovered that when embedding a URL in a tweet, script code following an ‘@’ character in the link was executed in the context of the page hosting the link, in this case twitter.com.  Before long, Twitter was ablaze and as of this writing “onmouseover” is still a trending topic.  Throughout the day, people were using the XSS for pranks (rickrolling) to demonstrate cookie theft, to redirect to porn sites, to push quite a bit of spam, and to deliver a few instances of sites hosting exploits.

Several high profile Twitter accounts were hit by the exploit (and in turn began exploiting people themselves) including Sarah Brown, wife of ex prime minister of the UK Gordon Brown, and the official account of the White House (@presssec).

Twitter has fixed the vulnerability, though we’re seeing reports that the patch wasn’t complete and only blocked that particular exploit instead of the vulnerability itself (an all too common problem).  It is unfortunate that just a couple weeks after launching new features on the site that gave users more reasons to use twitter.com, this most recent example of XSS gives users a reason to second guess that and stick with clients for now.

Share

Tags: , , ,
Posted in Security, Social Networking, Uncategorized, Web Security | No Comments »

Kanye’s First Week on Twitter: An Infographic Review pt. 2

Thursday, August 12th, 2010

By BarracudaLabs

In his first week on Twitter from July 28 to August 4, Kanye West sent 190 tweets. By the end of that first week, he reached 431,104 followers. We calculated the total amount of time that people spent reading @kanyewest tweets in one week. We estimated that each tweet took 3 seconds to read. We calculated how many people were following him at the time each tweet was sent. In total, 2,551,812 man minutes were spent reading @kanyewest tweets in one week. We then looked at what else could be done with that much time.

If one person had 2,551,812 minutes, here is what he could do:

Click one of the images below to view the graphic:

Share

Tags: , ,
Posted in Research, Social Networking, Statistics, Uncategorized | No Comments »

Kanye’s First Week on Twitter: An Infographic Review

Tuesday, August 10th, 2010

By Barracuda Labs

For the past year, we have released analysis on user behavior and malicious activity on Twitter. Just last week, Barracuda Labs released our 2010 Midyear Security Report that focuses on The Dark Side of Twitter and Search Engine Malware. On the same day, Kanye West joined Twitter. In March we explored the effect of celebrities joining Twitter in what we called the Twitter Red Carpet Era. We showed that during that six-month period, more than half of the top 100 users joined Twitter, causing a spike in overall usage and a subsequent spike in the Twitter Crime Rate (the number of accounts created and later suspended by Twitter because of suspicious or malicious use).

Kanye joined Twitter with a splash. First of all, he visited the Twitter offices that morning, but what’s more interesting is the rate at which he attracted followers. Since we have access to this data and machines constantly analyzing it, we decided to have a little fun. This week, Barracuda Labs will present a series of infographics that illustrate Kanye’s first week on Twitter.

Today, we show the first view. The first question that we wanted to answer was what kind of people are attracted to follow Kanye?  For example, do they follow other musicians or other types of people? We looked into several notable users to examine the overlap between Kanye’s followers and their followers.

BarracudaLabs.com - Kanye West Twitter Followers

Let’s review:

Taylor Swift: Taylor Swift and Kanye shared a moment on stage at last year’s MTV Awards when he interrupted her speech. He has since apologized to her and she accepted. Their followers seem to have followed suit as a substantial amount of people follow both Kanye West and Taylor Swift. In fact, 20% of Kanye’s followers also follow Taylor Swift. By the way, Taylor Swift joined Twitter 20 months ago during the Red Carpet Era and has since attracted 3.8 million followers.

Amber Rose: Amber Rose and Kanye West dated for several years, frequently an item at photoshoots and fashion shows. They recently moved on; however, their followers still appreciate both of them. In Kanye’s first week, more than half of Amber’s followers already follow Kanye. Further, Kanye has seven times more followers than Amber who joined two months ago.

Power: Kanye’s new song is called “Power” but let’s compare him to the most powerful person on Earth: the President of the United States. Kanye was a vocal supporter of Obama during his campaign. More than 190,000 of Obama’s followers already follow Kanye, showing that over one-third of Kanye’s followers also follow the President.

Perhaps Kanye’s followers are into political leaders of all parties. How about Newt Gingrich? Less than 5,000 of Newt Gingrich’s followers have decided to follow Kanye. This means that less than 1% of Kanye’s followers also follow Newt.

Stay tuned for more analysis on Kanye’s first week on Twitter – and on the overall Red Carpet effect. We think you’ll find the next few days very interesting… and possibly worth a Retweet of your own.

Meanwhile, follow us on Twitter at @barracudalabs for ongoing updates!

Share

Tags: , ,
Posted in Research, Social Networking, Statistics | No Comments »

Barracuda Labs 2010 Midyear Security Report

Wednesday, July 28th, 2010

 Today Barracuda Labs released our 2010 Midyear Security Report, revealing data from two key areas: search engine malware  and Twitter use and crime rate.

Our study shows that attackers have serious efforts devoted towards getting in front of the billions of eyeballs that are using search engines everyday and the millions of users that are connecting on social networks like Twitter. These research efforts allow us to continue to analyze their approaches and build new techniques to find them and protect users. Highlights of the study are below, and you can download the full report off the BarracudaLabs.com homepage.

Searching for Malware

We conducted a study across Bing, Google, Twitter and Yahoo! over a roughly two-month period. The analysis reviews more than 25,000 trending topics and nearly 5.5 million search results. The purpose of the study was to analyze trending topics on popular search engines to understand the scope of the problem and to identify the types of topics used by malware distributors.  Key highlights:

  • Overall, Google takes the crown for malware distribution – turning up more than twice the amount of malware as Bing, Twitter and Yahoo! combined when searches on popular trending topics were performed. Google presents at 69 percent; Yahoo! at 18 percent; Bing at 12 percent; and Twitter at one percent.
  • The average amount of time for a trending topic to appear on one of the major search engines after appearing on Twitter varies tremendously: 1.2 days for Google, 4.3 days for Bing, and 4.8 days for Yahoo!
  • Over half of the discovered malware had originated between the hours of 4:00 a.m. and 10:00 a.m. GMT.
  • The top 10 terms used by malware distributors include the name of a NFL player, three actresses, a Playboy Playmate and a college student who faked his way into Harvard.

The Dark Side of Twitter

As part of an ongoing study to data we released in June 2009 and subsequently in March 2010, we analyzed more than 25 million Twitter accounts, both legitimate and malicious. The purpose of this part of the study was to measure and analyze account behavior on Twitter in order to model normal user behavior and identify features that are strong indicators of illegitimate account use. The study reviews several key areas including True Twitter Users1, Twitter Crime Rate2, and Tweet Number3.  Key highlights:

  • In general, activity is increasing on Twitter: more users are coming online; True Twitter Users are tweeting more often, and even casual users are becoming more active. As users become more active, the malicious activity also increases.
  • Only 28.87 percent of Twitter users are actual True Twitter Users.
  • Half of Twitter users tweet less than once a day, yet one in 10 users tweet five or more times a day and 30 percent of Twitter accounts have never tweeted.
  • One in every eight Twitter users has at least 10 times more followers than they are following.
  • Only one in 10 users is following more than 100 users, and almost half are following less than five.
  • The Twitter Crime Rate for the first half of 2010 was 1.67 percent.

 

We are presenting the findings of both studies, as well as other Barracuda Labs work, at Security BSides Las Vegas and DefCON 18 this week in Las Vegas. Come see us!

Security BSides Las Vegas:

Wednesday July 28 at 3pm PT – The Darkside of Twitter (Dr. Paul Judge, Dave Maynor)

Thursday July 29 at 3pm PT – A Mechanic’s View of SQL Injection (Ray Kelly)

DefCON 18:

Saturday July 31 at 11am PT – Searching for Malware (Dr. Paul Judge, Dave Maynor)

Resources:

Footnotes:

1 – ‘True Twitter User’ is defined as a user that has at least (≥) 10 followers, follows at least (≥) 10 people, and has tweeted at least (≥) 10 times.

2 – ‘Twitter Crime Rate’ is defined as the percentage of accounts created per month that were eventually suspended for malicious or suspicious activity, or otherwise misused.

3 – ‘Tweet Number’ is defined as a user’s average number of tweets per day.

Share

Tags: , , , , , , ,
Posted in Uncategorized | 3 Comments »