Twitter hacks: lessons for users and Twitter

What are the risks - to both consumers and companies - of social media-borne hacks, attacks, malware, etc.? Was this latest Twitter attack a wakeup call? Also, what can users do to protect themselves, and what could Twitter do to avoid future incidents?

The risks

The risks from social media based malware and hacks are no different from those of any other service on the Internet. Some characteristics that are more particular to social media, however, are:

  • Distribution - how quickly attacks and malware can go viral (pun intended). As seen with the recent Twitter worms and the Facebook click-jacking attacks, these services are designed for sharing and disseminating information. This makes them the ultimate carriers, a virtual viral superhighway

  • AJAX - social media, and especially Twitter, makes heavy use of AJAX and encourages link sharing. It is very difficult to whitelist-validate free-form text that has to accept links and is later rendered as HTML; a single quote character that escapes unencoded into an HTML attribute is enough to break out of it. This provides a perfect storm for malware that can make JavaScript calls without user input, i.e. the later Twitter attacks didn't even require the mouseover, just visiting the Twitter site

From an organization's perspective there is a lot of pressure not to block social media sites, primarily because so many execs and senior managers use these services and the organization itself needs them for marketing and for responding quickly to customers. So simply by being so good at what they do, services like Twitter and Facebook have forced companies to increase their attack surface

Back to the future

Is this e-mail/spam all over again, only in a different form? What's changed since then? What hasn't?

It is the same as email spam in the sense that the main goal of the malware is still to distribute its message to as many of your contacts as possible. By spoofing your identity, as the Twitter retweet hack did, it gains more legitimacy.

The monetization of malware and spam, though, has really lacked innovation, and that is why, although social media has changed the distribution, it has not done much to increase the actual risk. Sure, Twitter spam is just as annoying as email spam or more so, but to really hurt you and make some money it is still limited to:
  • Phishing and social engineering - i.e. you provide information such as your bank login
  • Trojans - malware that either captures those details when you enter them or modifies things like the beneficiary of a transfer
  • Ransom - install some software like a fake antivirus and require you to pay to remove the fake viruses it finds
  • Suckering - getting you to sign up to marketing services to "get that free iPad"
  • Identity theft or resale of personal info - most of the info you store on Facebook or Twitter is unlikely to fetch a good price on the black market. Even credit card numbers go for less than $1 each, and that is if the card has not been cancelled; they are such a commodity these days that it is barely worth the effort. So in theory, while the amount of personal info stored on social media services could make them an attractive target for malware writers, unless you could harvest, say, a few hundred million users, and good ones like celebrities, the real risk-to-reward for these guys is probably quite small
These also require a certain level of action from the user and rarely result in a major final impact, because as soon as you report it to your bank the money is refunded. So other than slightly higher bank fees, the impact, and thus the overall risk to the end user, has not really increased with social media based attacks.

So what can we do?

How do users of social media platforms like Twitter, Facebook et al protect themselves against increasingly sophisticated attacks?

For attacks like the basic cross-site scripting vulnerability that was exploited on Twitter - just use Firefox and run the NoScript add-on. Any JavaScript like what the exploit depended on would have been denied by default, with one caveat: the injected script ran in the context of the Twitter page itself, so this only holds as long as you have not whitelisted twitter.com in NoScript. Alternatively you could avoid the web app altogether: tools like HootSuite or TweetDeck, which are unfashionably rich clients these days, are harder to attack using web application vulnerabilities

To go from the specific to the more general, good habits on the Internet include the firm favorites:
  • Anti-malware - do not skimp on a good anti-malware tool or two: McAfee, Symantec, AVG etc.
  • Personal firewall
  • Non-Windows OS - like OS X or Ubuntu is not a bad move, both for your sanity and for security; you do 95% of what you do in a browser anyway, so why do you need Windows? If you do this you can probably skip the first two points
  • A modern sandboxed browser - one that auto-updates for security, e.g. Firefox 4, Chrome or Chromium
  • Patching - keeping your add-ons, extensions and plugins patched up too
  • Minimize attack surface - not running software that is both ubiquitous and has a massive attack surface, like Adobe Flash or Reader or Microsoft Office. Use open source and other alternatives like Google Docs, PDFCreator or OpenOffice
  • Not clicking on anything that looks suspicious, even from someone you know. You may miss that occasional Digg or Reddit post on lolcats, but you will be better off for it in more ways than one
  • Applying common sense - the iPad is the market leader and the only reason Apple can't sell more is that those damn kids at Foxconn can only do 20-hour days. Is anyone really going to give you one for free?

What could Twitter do?

It is easy to say "have a secure development lifecycle", but I imagine Twitter to be a place that would hire only coders and engineers who know some security, rather than us plebs who know something about process design, writing requirements, analyzing designs or drawing pretty pictures of threat models. They would also, I assume, have some agile development practices and do daily or weekly code pushes, which makes it much harder to apply security requirements and design than in the slower but more robust waterfall.

But there are still things they could do to improve security without slowing down too much:
  • Security requirements - having a standard set of do's and don'ts as overarching security requirements that are stuck on every developer's desk, such as: thou shalt use the OAuth API and libraries, thou shalt not write your own security functions, thou shalt not use blacklists for input validation (whitelist what is allowed and escape output for the context it lands in)
  • Security libraries - use libraries like OWASP ESAPI to stop reinventing the wheel on encoding and validation
  • Checklist and cheat sheet - have a basic security checklist that is ticked off as part of peer review of each unit of code, or by the co-developer for a story
  • Scan - invest in automated source code security scanning and application vulnerability scanning software that integrates with the developer IDE, and run it as part of every build
  • Regression test - have a security regression test pack of known-bad inputs and run it after every change
  • Review - have a security person who understands code review the daily and weekly code push pack. Make the dev leads for each area produce this pack and make sure it includes a short summary, whether it impacts any security controls, and whether it has anything to do with user input
  • Security push - for big changes, e.g. the upcoming Twitter site overhaul, do a proper security push
  • Pen test - get an independent penetration test done every quarter and include the dev environment in the test. Any first- or second-year tester would have found that Twitter XSS, and all this could have been avoided
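To make the "whitelist, not blacklist" and "regression test pack" points concrete, here is an added example; it is not code from the original post and not Twitter's own code. It is a toy tweet renderer in JavaScript written twice: once the way that produces the attribute break-out behind the Twitter worm (a URL spliced into an href by string concatenation), and once with a scheme whitelist plus context-aware escaping. A small security regression pack of the kind suggested above is then run against both. All payloads are constructed for the example; the first is shaped like the Twitter onmouseover worm but is a reconstruction of the pattern, not the worm's actual string. The function names and the Node.js runtime (for the WHATWG `URL` class) are assumptions.

```javascript
// Added example, not code from the original post or from Twitter.
// Assumes Node.js (for the global URL class); run with: node tweet_render.js
// (the file name is an assumption).

// Anything that looks like scheme://... is treated as a link candidate.
const URL_RE = /[a-z][a-z0-9+.-]*:\/\/\S+/gi;

// Vulnerable: the matched text is spliced straight into the attribute, so a
// double quote inside the "URL" closes href and whatever follows becomes new
// attributes such as onmouseover=... (the bug class behind the worm).
function renderTweetVulnerable(text) {
  return text.replace(URL_RE, (url) => `<a href="${url}">${url}</a>`);
}

// Escape the characters that matter in HTML text nodes and attribute values.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Whitelist, not blacklist: accept only what parses as a URL with an http or
// https scheme; return null for everything else (javascript:, data:, ftp:...).
// The WHATWG parser also percent-encodes characters such as " in the path.
function safeHref(candidate) {
  let u;
  try { u = new URL(candidate); } catch { return null; }
  return u.protocol === "http:" || u.protocol === "https:" ? u.href : null;
}

// Hardened: every fragment is escaped for the context it lands in, and only
// whitelisted hrefs become links; rejected candidates are shown as inert text.
function renderTweetSafe(text) {
  let out = "";
  let last = 0;
  for (const m of text.matchAll(URL_RE)) {
    out += escapeHtml(text.slice(last, m.index));
    const href = safeHref(m[0]);
    out += href === null
      ? escapeHtml(m[0])
      : `<a href="${escapeHtml(href)}">${escapeHtml(m[0])}</a>`;
    last = m.index + m[0].length;
  }
  return out + escapeHtml(text.slice(last));
}

// A small security regression pack: known-bad inputs, all constructed here.
const XSS_REGRESSION_CASES = [
  'see http://t.co/@"onmouseover="alert(1)"/',  // worm-style attribute break-out
  'http://t.co/x"><script>alert(1)</script>',    // break out of the tag entirely
  "javascript://%0aalert(1)",                    // non-http scheme
  "<img src=x onerror=alert(1)>",                // raw HTML in the text node
];

// Oracle for this renderer's output: the only tags allowed in the rendered
// HTML are <a href="http(s)://..."> with no quote or angle bracket inside the
// attribute, and </a>. Anything else means the input shaped the markup.
const ALLOWED_TAG = /^(<a href="https?:\/\/[^"\s<>]*">|<\/a>)$/i;

function looksInjected(html) {
  const tags = html.match(/<[^>]*>/g) || [];
  return tags.some((tag) => !ALLOWED_TAG.test(tag));
}

// Returns the inputs a renderer lets through; an empty list is a pass.
function runRegression(render) {
  return XSS_REGRESSION_CASES.filter((tweet) => looksInjected(render(tweet)));
}

console.log("vulnerable renderer lets through:", runRegression(renderTweetVulnerable));
console.log("hardened renderer lets through:", runRegression(renderTweetSafe));
```

The point of `runRegression` is that it is cheap enough to run after every code push: the pack grows by one line each time a tester or a pen test finds a new payload, and a renderer change that reintroduces concatenation fails the build before it reaches production.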
