Social networking breeds new wave of 'Trojan 2.0' attacks

The great Facebook boom of 2007 was accompanied by a new generation of phishing and trojan horse virus attacks, according to security experts.


Comments

Irrelevant

dahowlett | | Permalink

Sorry John I have to come back on this.

"It may have a security model but I suggest you speak to any uni student of 2+ years ago when their details were available to anyone on the same campus. Quite frankly the students were basically trusting and did not expect that a 'closed' site would be opened up to all and sundry - as a consequence any security model that existed at that time was generally ignored"

Irrelevant to the situation today and factually wrong. The security model was beefed up over time and before they opened the doors to everyone.

On actual attacks:

1. There was ONE instance of the AIM virus which was OUTSIDE FB. Several years ago.

2. There is no confirmed viral infection arising from LinkedIn nor for Plaxo though it has a dark past as a spammer.

There are no instances of viruses attaching to individual file data - it can't happen in any of the environments you mention because FB anonymizes the data as we all do who work in this space.

I think you're getting muddled with spyware and social engineering which is a very different problem that no security solution can overcome. You can argue that FB is one giant piece of spyware - which is probably true. Most people don't care.

These are not Trojan attacks and to describe them as such is misleading. Trojans relate to viruses.

If anything I am much more concerned with government links the major FB stockholders have which have been known about for 2 years.

Web 2.0 systems are not inherently weak in the way you describe. If that was so then every new system coming out would have problems. They don't.

There is no reason to attack FB or other systems because there is nothing of value that will help the attacker.

Finally - if FB is so weak, why would marquee brands like Coca Cola sign up for the ad model? They'd be crazy to do so.

incorrect ....

Anonymous | | Permalink

Social Sites are similar to Banks when disclosing security breaches - they never admit to the fact if they can get away with it. Therefore it is not possible to make claims either way about attacks because no real info is available

However just one example disproving your statement:
An attack may consist of a number of steps culminating in the required result - AJAX allows XSS (see: http://boilingbrain.blogspot.com/2006/10/cross-site-scripting-worm-hits-myspace.html ) and once you have gained 1m friends then you start your payload distribution

As for beefing up the security model before going public - not quite: http://paranoia.dubfire.net/2007/06/go-fish-is-facebook-violating-european.html Subsequently quickly fixed however ....

http://www.spamfighter.com/News-9650-Hackers-Phish-on-Facebook-Profiles.htm
says it all

A Trojan by definition is something that resides undetected on a computer in order to perform an unapproved task (i.e. spyware, virus etc) - although the term is more usually associated with viruses. Anyway if spyware can be delivered via FB then so can viruses

Of course there is value in targeting FB etc. because it is a carrier/delivery mechanism for a payload to a lot of people.

As for Coca Cola - all ads are good exposure; especially with plausible deniability about breaches not being their fault. Anyway seem to recall that Coke offered to put vending machines in all schools (down to primary) so that they could 'get em hooked young'

Ultimately it's all about education and claiming no potential problem exists is not the way forward

Agree with you about Government interest


aah but

dahowlett | | Permalink

Privacy is a different issue to a viral attack that destroys your machine. This is something FB and all the others don't understand. It is a major problem right now that some of 'us' are attempting to tackle in a responsible manner. Whether 'we' succeed is unknown.

@jc is wrong on the 'cover up' thing. There are way too many smart people out there capable of figuring this stuff out and then publicising it.

Afraid not Dennis ... fact not scaremongering

Anonymous | | Permalink

Look at the origins of FB and their initial target audience of students (originally only a campus facility)

It may have a security model but I suggest you speak to any uni student of 2+ years ago when their details were available to anyone on the same campus. Quite frankly the students were basically trusting and did not expect that a 'closed' site would be opened up to all and sundry - as a consequence any security model that existed at that time was generally ignored

The point is that this does happen and more frequently than one would expect
'.. if folk are stupid enough to leave all their personal details out in the open that's their problem. If they're daft enough to accept any Tom, Dick or Harry as a 'friend' then they're equally dumb ..'

As you say users may be dumb at times etc. but it is all down to education, explaining about the dangers of the technology to get them to 'wise up' and just be aware

The whole point is that FB can very simply (as can other Web 2.0 implementations) be used as a 'wrapper' for malicious intent - no amount of denial is going to change this fact. The nature of Web 2.0 lends itself to being a carrier

http://www.fortiguardcenter.com/advisory/FGA-2007-16.html

In these circumstances a roach model is irrelevant - no one is interested in extracting info from FB at the virus load stage because they only want to infect the user. Data extraction will probably occur via the virus at a later stage (i.e. Trojan 2.0 attack)


Scaremongering

dahowlett | | Permalink

Sorry John but this is nonsense. Hardly surprising though as the companies quoted sell on FUD.

Facebook has a security model that means you can only 'friend' people who you allow. It has a comprehensive set of 'switch on/off' capabilities.

If folk are stupid enough to leave all their personal details out in the open that's their problem. If they're daft enough to accept any Tom, Dick or Harry as a 'friend' then they're equally dumb.

The Scoble/Plaxo thing was an issue because FB WON'T allow users to export their data so quite frankly it's not worth a hacker's time and effort to attempt hand reading this. They rely on bots to do the job. FB will kick you off for executing a bot. Which is what Scoble did. They have auto detection systems in place for that.

If there were real problems on these platforms, you can be sure it would've been written up months ago.

Also noting there isn't a single example from the services mentioned in this piece.

Yes - there has been the odd attempt but they've got nowhere.

The biggest offender is FB with its Beacon spamming engine. That's been modified considerably for opt-in and not opt-out.

I wouldn't recommend FB for any business use because it's a data roach motel.


The downsides of Web 2.0

John Stokdyk | | Permalink

Just to make things easier for readers, here is a recap of JC's previous advice (see first comment, below), which is posted quite far down the thread. Since it was such good advice, I've decided to repost it again:

* * *
Whilst Web 2.0 is generally a good thing we should not blind ourselves to the caveats of this 'technology'.

The main danger is that Web 2.0 provides the ideal 'wrapper' for malicious users; this can be managed if normal users are aware of the potential dangers but all too often they are completely unaware of the position.

The danger areas are:

The complete lack of awareness about security. There seems to be a current tendency to 'bare one's soul' in public, which is all very well until some enterprising 3rd party collates all the information and uses it for their own purposes or sells it on. Identity theft - here we come!

Basically information is power, and by the time a user has given their entire life story via this medium it really is not that challenging to make an educated guess about their passwords, bank info etc. For instance most people use fairly obvious passwords (easy to remember) which can easily be deduced with a number of guesses.

A little bit of education is required about the 'dos & don'ts' of using Web 2.0 'technology' so that at least people are aware of the downside as well as the upside

The underlying message is that people are far too trusting and need a great deal more awareness of the possible issues.

All the above are quite apart from other issues such as:

- Accessing sites at work
- Workplace confidentiality - discussing work issues in a public forum
- Malware included in pages being downloaded & compromising business security

Just be aware.

* * *
Thanks again to JC for the advice.

John Stokdyk
Technology editor
AccountingWEB.co.uk