Tuesday, December 29, 2009

TwiGUARD update



Several months ago we announced TwiGUARD, a project researching how hackers spread malware/spam via Twitter. We believe that defenses like SafeBrowse (the Google feature that warns you when a URL is malicious) react too slowly. Today we are starting an experiment to measure this; we'll post the results in two months.

Social networking sites are the new front in the computer virus war. Previously, users would check a webpage (such as CNN or Slashdot) only once a day. Now, users check Twitter or Facebook several times an hour. (I am a good example of this, checking Twitter every ten minutes throughout the day). This means a piece of malware can spread quickly among Twitter users, faster than a security mechanism (like SafeBrowse, or updates to virus signatures) can respond.

Google's SafeBrowse is based on its search engine spider. When the spider comes across a site distributing malware, Google adds that site to its blacklist. Browsers like Firefox download blacklist updates every 30 minutes. When a user innocently clicks a link to a site on the blacklist, Firefox displays a warning instead of the page.

There is a race between how fast hackers can distribute malware on Twitter, and how fast Google's spider can find them, update the list, and distribute that list to browsers.

We have devised an experiment to test this speed. We downloaded all the tweets from yesterday (December 28, 2009) that contained URLs and saved the URLs to a file. The file contains about half a million (504,489) URLs.

After downloading the list, we ran it through SafeBrowse, which flagged roughly a thousand (1,250) of those URLs as bad.

Next we'll wait a week and run the same list of URLs through SafeBrowse again. We expect Google will have found more of them to be bad; the number of bad URLs found in that file should double or triple. We will re-run the December 28 list through SafeBrowse every week for the next two months, and we should see a steady rise in the number of URLs SafeBrowse flags as bad.
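The bookkeeping the experiment needs, as an added example (this is not TwiGUARD's code). The blacklist lookup is a stand-in: each run's result is an in-memory set of flagged URLs rather than a live SafeBrowse query, and the URLs, dates and snapshots are constructed. The point it adds to the description above is that recording the date each URL is first flagged lets you measure the detection lag per URL, not just the weekly total.

```python
"""Replay weekly blacklist checks over a fixed URL list and measure detection lag.

Added example, not TwiGUARD code. The lookup is simulated: SNAPSHOTS holds what a
blacklist reported on each run date instead of querying Google's service.
"""
from collections import Counter
from datetime import date

# Constructed sample: URLs harvested from tweets posted on one day.
HARVEST_DATE = date(2009, 12, 28)
URLS = [
    "http://example-a.test/login",
    "http://example-b.test/update.exe",
    "http://example-c.test/promo",
    "http://example-d.test/news",
    "http://example-e.test/free-gift",
]

# Constructed blacklist snapshots: the set of URLs the lookup flagged on each run.
# A URL that is later de-listed simply disappears from a later snapshot.
SNAPSHOTS = {
    date(2009, 12, 29): {"http://example-b.test/update.exe"},
    date(2010, 1, 5): {"http://example-b.test/update.exe",
                       "http://example-e.test/free-gift"},
    date(2010, 1, 12): {"http://example-b.test/update.exe",
                        "http://example-e.test/free-gift",
                        "http://example-c.test/promo"},
}


def run_experiment(urls, snapshots):
    """Replay the runs in date order.

    Returns (rows, first_flagged): rows is a list of
    (run_date, flagged_count, newly_flagged_count), one per run, and
    first_flagged maps each URL to the run date on which it was first flagged.
    """
    first_flagged = {}
    rows = []
    for run_date in sorted(snapshots):
        flagged = [u for u in urls if u in snapshots[run_date]]
        new = [u for u in flagged if u not in first_flagged]
        for u in new:
            first_flagged[u] = run_date
        rows.append((run_date, len(flagged), len(new)))
    return rows, first_flagged


def detection_lag_days(first_flagged, harvest_date):
    """Histogram of days between the tweet date and the first blacklist hit."""
    return Counter((d - harvest_date).days for d in first_flagged.values())


if __name__ == "__main__":
    rows, first = run_experiment(URLS, SNAPSHOTS)
    for run_date, flagged, new in rows:
        print(f"{run_date}: {flagged} flagged ({new} newly flagged)")
    print("lag histogram (days -> URLs):", dict(detection_lag_days(first, HARVEST_DATE)))
```

Two things worth keeping separate in the real run: the per-run flagged count can fall if Google de-lists a URL that was cleaned up, so the weekly totals alone understate how much was ever caught; the first-flagged dates are what tell you how long a malicious link was live on Twitter before the browser warning would have appeared.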

While we have done this informally in the past, this is the first time we are tracking the results. We'll post them in two months.

Monday, December 28, 2009

Daemon: Don't mess with John Carmack

Over Christmas I read Daemon by Daniel Suarez. I saw an advertisement in the latest Wired for its sequel, Freedom, coming on January 7th, so I thought I would give the first book a try. The plot revolves around a dead video game programmer releasing the mother-of-all botnets that recruits a gang of conspirators to take over the world. I found the book to be a fun, quick read. Aside from the botnet with world domination goals, I was struck by how technically accurately the hacking portions of the story are written. The author describes different attacks ranging from buffer overflows to SQL injection with pretty dead-on accuracy. One of the characters exploits an injection with a '1=1 string! Ideas like DDoS and kernel rootkits are integral plot points but never get bogged down in semantic details. Augmented reality even makes an appearance near the end. I really enjoyed the book. I would suggest it to anybody who likes detailed fiction in the vein of Tom Clancy or Michael Crichton.

I have already pre-ordered the sequel which is released on January 7th (and downloaded to my Kindle at 12:01am that morning).

Tuesday, December 08, 2009

Xmas: netbook gift


Like the Kindle, netbooks are going to be a popular gift for Xmas. Also like the Kindle, you should understand their limitations - there's a good chance the recipient won't like the limitations.

The primary limitations of a netbook are speed, the lack of a CD-ROM drive, and keyboard/screen size. In exchange, you get increased portability and longer battery life. You can't play games well on it, but you can carry it with you wherever you go and sit for hours in a café typing away.

Friday, December 04, 2009

Shodan scares me

One of the problems of being a white-hat hacker is that we scare ourselves. Such is the case with the "Shodan" engine that was released last month. It's a simple idea, one that has been discussed before: it scans the Internet for likely web server ports and indexes the HTTP headers that come back. Now that somebody has actually done it, and we can play with it, we find it's a lot scarier than we had imagined.

What this means is that the usual workflow is inverted: instead of finding an exploit that works on a target system, you can grab any exploit and then search the index for systems that advertise the software it targets.
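The core of such an engine, as an added example (this is not Shodan's code): parse the head of each HTTP response a scanner collected, index hosts by the product named in the Server header, and query the index by product and version prefix. The banners, addresses and version strings below are constructed for illustration and are not findings about any real host.

```python
"""Index captured HTTP response headers by Server banner and query the index.

Added example, not Shodan's code. All banners are constructed sample data.
"""
import re
from collections import defaultdict

# Constructed captures: (host, port, raw response head) as a scanner would store them.
BANNERS = [
    ("192.0.2.10", 80,
     "HTTP/1.1 200 OK\r\nServer: Apache/2.2.3 (CentOS)\r\nContent-Type: text/html\r\n\r\n"),
    ("192.0.2.11", 8080,
     "HTTP/1.1 401 Unauthorized\r\nServer: lighttpd/1.4.19\r\n"
     "WWW-Authenticate: Basic realm=\"camera\"\r\n\r\n"),
    ("198.51.100.5", 80,
     "HTTP/1.0 200 OK\r\nServer: Apache/2.2.3 (CentOS)\r\n\r\n"),
    ("198.51.100.9", 443,
     "HTTP/1.1 200 OK\r\nServer: nginx/0.7.62\r\n\r\n"),
    ("203.0.113.7", 80,
     "HTTP/1.1 200 OK\r\n\r\n"),  # no Server header at all
]

NO_SERVER = "(no server header)"


def parse_head(raw):
    """Split a raw response head into (status line, {header-name-lowercased: value}).

    Lines without a colon are skipped instead of raising, because scanner
    output is noisy and one bad host must not abort the whole index build.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status, headers = lines[0], {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return status, headers


def build_index(banners):
    """Map product name (first token of the Server header) -> [(host, port, version)]."""
    index = defaultdict(list)
    for host, port, raw in banners:
        _, headers = parse_head(raw)
        server = headers.get("server")
        if server is None:
            index[NO_SERVER].append((host, port, None))
            continue
        m = re.match(r"([A-Za-z][\w.-]*)(?:/([\w.]+))?", server)
        if m is None:
            index[NO_SERVER].append((host, port, None))
            continue
        index[m.group(1).lower()].append((host, port, m.group(2)))
    return index


def query(index, product, version_prefix=None):
    """Hosts advertising `product`, optionally only versions starting with `version_prefix`."""
    hits = index.get(product.lower(), [])
    if version_prefix:
        hits = [h for h in hits if h[2] and h[2].startswith(version_prefix)]
    return sorted(hits)


if __name__ == "__main__":
    idx = build_index(BANNERS)
    print("Apache 2.2.x hosts:", query(idx, "Apache", "2.2"))
    print("hosts with no Server header:", query(idx, NO_SERVER))
```

Note that a hit is a candidate, not a confirmed vulnerability: the Server header is whatever the administrator configured it to say, and patched distribution builds often keep an old version string. What the index removes is the cost of finding candidates in the first place.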

Thursday, December 03, 2009

Ironic...


"It's what you do next that counts"

It seems that Accenture is a bit of a precog. Although Tiger Woods is the best baseball player of all time. Since Mr. Woods' problems are a private matter and have nothing to do with cybersecurity, I will not comment any further than to say this ad gave me a chuckle!

Xmas: to Kindle or not to Kindle


Xmas is coming up quick, and people are asking me whether they should get eBook readers as a present, specifically the Kindle.

First of all, if they don't read at least one book a month, then it wouldn't be a good gift. It's like exercise equipment: if you don't already exercise, then getting exercise equipment won't make you exercise. Getting somebody a Kindle won't make them start exercising their brain.