Facebook IPO Setting Stage for Cyber Security Disclosures
Given the recent guidance from the SEC on how public companies must include cyber security postures in their disclosures, many have been waiting to see how these companies would interpret this guidance. Facebook’s IPO filing gives some indication of what this is going to look like going forward.
While most of the discourse in Facebook’s filing talks about data privacy, they do a good job explaining why a privacy-related breach would be costly for their business. I’m not a regulator, but it seems like this is a good way to disclose this type of risk – put it in context of the monetary impact of a problem occurring.
Twitter shows that XSS is still viable
I’m always trying to find simple explanations to some of the complicated attacks out there. This week there was the Twitter exploit that ran rampant for a day or so. The good news is, I found a great explanation about the exploit. The better news is, the explanation is from a trusted colleague, Gary Warner. And better still, Gary references my friends and colleagues Robert Hansen and Jeremiah Grossman! You can see Gary’s post here.
What’s important to notice is that this attack was a form of business logic abuse. The perpetrator was able to use the HTML functionality in the way Twitter intended it to be used, but for annoying – and possibly destructive – consequences.
If you have any interest in this topic, I highly recommend Gary’s blog.
Facebook bug or business logic abuse?
You may have heard of the vulnerability on Facebook that has been exposed. If you enter an email address and a password, Facebook will tell you the password is wrong, but show you the picture and full name of the person corresponding to the email address. This is a treasure trove for phishers since it gives the first and last name associated with an email address – something that is often used by companies to give their customers confidence that the email is really from the company.
I’m wondering whether this feature was a bug on Facebook’s part or if this was meant to be a helpful feature. I’m guessing some Facebook engineer thought it would be cool to show you the name and picture associated with your account if you got your email address wrong and the implications for exposing this information were never considered.
Anyone have more information on why this happened?
Facebook used to find money mules
This is probably not a surprise to most of you, but it appears the criminals have started using Facebook in a diligent way to recruit money mules. The scammers are creating groups on Facebook looking for people who want to “work from home”. These groups are used to recruit victims into being the go-between for the money taken out of a victim’s account and then sent to the criminal – usually in another country.
You can read the article about this here.
The hope is that we can cut down on the money mules since this is the most fragile part of the cyber criminals’ network. It’s tough to figure out how to stop the flow of money mules, though. Education is challenging given these people can come from all walks of life and telling people about this scam is irrelevant until you fall for it.
If anyone has thoughts on good ways to combat the money mule problem, I’d love to hear them.
Are link-shortening services not so bad after all?
An article today talks about a study done by ZScaler on link shortening services like bit.ly and tinyurl. The results show that well less than 1% of links posted on Twitter linked to something malicious.
There’s an obvious reason to use the shortened URL services to send people to webpages with malicious code or unexpected content. People have been trained to look at a URL to determine whether where they are being sent is legitimate. (Hey! Maybe some of that consumer education I did in a former life actually worked!) With shortened URL services, the URL is trusted since it is from a well-known brand like tinyurl. It is not clear to the consumer where s/he will actually be taken once they click the link.
I was very surprised by the findings of this study, but my opinion may be biased. I see lots of articles about malicious shortened URLs on Twitter and Facebook. And I get emails about these types of problems quite often. Maybe it’s the case that because I care about things like this people are sending me many of the examples or I’m noticing them more in the news?
“Gaming” the games on social network sites
For those of you who haven’t seen it, there is a fascinating post on TechCrunch by Michael Arrington about how various types of ads on social network sites make millions of dollars by scamming users.
While most of the post talks about how innocent gamers are lured into scams where they are charged money just because they participated in an online survey or game, there is a part of the post that talks about how the super-savvy group has figured out how to game the system.
From the post:
The games that scam the most, win.
And some users aren’t dumb, either. For every user who gets tricked into some fake mobile subscription, there’s another who can beat the system. That’s where the legitimate advertisers, like Netflix and Blockbuster, get hit. Users sign up for a free trial with a credit card, get their game currency, then cancel the membership and start over. Netflix has a policy of only paying for a user once. But game developers use a complex set of partner chains to launder these leads and try to get them through for payment. Netflix sees an overall lowering of quality and pays less for leads. Game developers, desperate to monetize, then search for ever more questionable offers to make up the difference. In the end, the decent advertisers are out, and only the worst of the worst remain.
Left alone, the system really will slide into a full blown disaster.
Of course, gaming these systems is merely a form of business logic abuse – the use of legitimate webpages to perpetrate bad behavior. But can that be detected?
The problem comes from the fact that there are too many layers in the system. I don’t know exactly how the ads work – when someone clicks on the ad who sees that click? The advertiser? The publisher? How many networks in between those two?
If there were some way to see all of the behavior on the legitimate ads, it might be possible to determine who was gaming the system. It would sure be fun to try!
Why phishers target low value accounts
PCWorld talks about a recent phishing scam on Twitter. The question in the article is:
In this instance, it appears the site primarily used compromised accounts to spread the phishing links further. What, if any, broader goal was behind the effort is not yet clear.
I’ve posted about this before, but it seems prudent to talk about it again. Phishers will try to get credentials for websites that use email addresses as usernames for one main reason: people often use the same password on all accounts.
If a user is less worried about giving away his Twitter password – since what type of value could that have? – then that’s the best thing the phisher can target. The user is less likely to be worried about giving away that password, and therefore the conversion rate for the phisher is likely to be higher.
If I were a phisher, the other thing I’d think about is that the people who use Twitter are more likely to be tech savvy and, therefore, have lots of online accounts. Therefore, the passwords that I do steal would be more likely to be useful on other sites.
Seems like a good idea to be careful about random tweets!
Concern about web security at financial institutions
Russ McRee’s post on The need for financial web application security rang true for me. While the bad actors are finding ways to make money through e-commerce and even social network websites, the finance sector will always be a target since that’s where the money is.
It can be super tough to harden a website against online attacks. Russ does a great job calling out some of the things that are especially troublesome, but this dovetails nicely into the presentation Jeremiah Grossman gave yesterday (link to follow). Jeremiah’s presentation said that cross-site scripting and cross-site request forgery are major problems, but business logic flaws are becoming more and more prevalent.
Unfortunately, websites of all types are going to need to start defending themselves against all of these types of attacks – both the technical kind and the business logic kind.
Social Network Security – When will we reach the tipping point?
Bruce Schneier posted a link to an article on Facebook Privacy. A couple of days earlier, Mario Sundar of LinkedIn posted an article on Security and Privacy on LinkedIn.
It’s fascinating that the security people are starting to pay attention to social networks. Social networks have always had privacy and security risks. In fact, they have much bigger privacy risks than typical websites where people have accounts. E-commerce sites usually don’t show interesting information about where you work, your children’s names, the clubs you belong to, etc.
I’ve been keeping an eye on the progression of social network sites. Having been responsible for user security on a website for three years, I understand the tradeoffs that have to be made. Social networks are at the stage where attracting more people to join the social network is much more important than making sure that those users are safe.
I’ve definitely heard cases where marketing teams will tell the security group that protecting millions of users is not nearly as important as attracting millions more users to the website. The e-commerce websites are starting to learn a valuable lesson, though: having a website that does not protect its users’ privacy and security will scare away users faster than it attracts them. I’ve talked to several e-commerce companies lately that say they are ramping up their security teams to make sure that their customers have a positive experience. It’s great to see the priority shifting from gaining new customers to keeping the current customers safe.
My question is: how long will it take for the social network sites to make the same choices? Since internet time accelerates faster than normal time, my guess is that what took e-commerce companies 5-10 years will likely take social network sites 2-3 years. I’ve heard rumblings of social network sites placing a priority on security, even if it means a few less registrations, but I don’t have any direct evidence. If anyone has any anecdotes they’d be willing to share or predictions on how long it will be until we reach the tipping point, I’d be happy to hear them.
Investigating website fraud – the bad and the ugly
In my last post, I talked about the Koobface virus, how it is an example of a business logic flaw, and how difficult it can be to find business logic flaws on websites. BTW – I should know. It used to be my job to find, investigate, and fix the business logic flaws on eBay. I’m sure you’d agree that is not a trivial task.
Let’s look at the next step of addressing business logic flaws: investigation. Once the business logic flaw has been identified (usually after days of customers reporting the problem), it’s critical to determine how the attack is being carried out (and, if possible, by who).
Here’s a typical investigation technique by someone trying to determine the exact method of the perpetrators of a business logic attack:
1. Grab all of the weblogs for the website during the impacted time period
2. Sort through the weblogs to find the exact transactions that represent the attack
3. Correlate the data in the attack transactions to determine patterns
The above list may seem simple, but, as usual, there are hidden complexities. First, grabbing the weblogs for the website can be a daunting task. Because of load balancing, you have to get ALL of the weblogs – it’s not enough to just grab the ones where you think the data might be – a load balancer will scatter user sessions across all of the files. And the size of the logs can be massive – I know some sites that have terabytes of logs per day – compressed. Dealing with a terabyte of data is no small feat.
Next, sorting through the logs can be challenging. Again, because of the load balancers, the transactions for a session are scattered. This means that if you find one part of a session in one file, you’ll need to find the rest of the session, and it could often be in any other file. Once you have all of the transactions for the session, you have to reassemble them into the correct order so that they make sense. This is even more challenging when the web servers’ clocks are not synchronized.
Finally, once you have all of the sessions for the bad behavior reassembled, you have to look through them to determine a fingerprint: what is it about each session that is similar to the other bad sessions, but dissimilar to good activity on the site?
Needless to say, doing all of the above by hand is an extremely time consuming task. The investigation step of addressing a business logic flaw can take DAYS by itself. And, similar to the identification phase, while the investigation is happening customers are continuing to be impacted.
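The three investigation steps above, with the two complications called out (sessions scattered across load-balanced servers and unsynchronized server clocks), can be illustrated in code. The following is an added example and is not code from the original post or from any product; the log lines, the `sid=` session token appended to each line, the server names and the per-server clock offsets are all constructed for the illustration. It pulls every server's log, reassembles each session in corrected time order, derives a fingerprint (features present in every flagged session but in no clean session) and then applies that fingerprint back over all sessions.

```python
"""Reassemble sessions from load-balanced web logs and fingerprint the bad ones.

Added illustration, not the post's own tooling. The logs below are constructed:
Apache combined format with a trailing 'sid=' session id, one list per server.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed logs: the load balancer has scattered each session across servers.
SERVER_LOGS = {
    "web1": [
        '10.0.0.5 - - [12/May/2012:10:00:03 +0000] "GET /item?id=42 HTTP/1.1" 200 512 "-" "curl/7.22" sid=A1',
        '10.0.0.9 - - [12/May/2012:10:00:09 +0000] "POST /checkout HTTP/1.1" 200 88 "-" "Mozilla/5.0" sid=B2',
        '10.0.0.5 - - [12/May/2012:10:00:11 +0000] "POST /checkout HTTP/1.1" 200 88 "-" "curl/7.22" sid=A1',
        '10.0.0.3 - - [12/May/2012:10:00:15 +0000] "GET /item?id=3 HTTP/1.1" 200 512 "-" "Mozilla/5.0" sid=D4',
    ],
    "web2": [  # this server's clock runs five seconds slow (see CLOCK_OFFSET)
        '10.0.0.5 - - [12/May/2012:10:00:02 +0000] "POST /coupon HTTP/1.1" 200 64 "-" "curl/7.22" sid=A1',
        '10.0.0.9 - - [12/May/2012:09:59:58 +0000] "GET /item?id=7 HTTP/1.1" 200 512 "-" "Mozilla/5.0" sid=B2',
        '10.0.0.7 - - [12/May/2012:10:00:15 +0000] "GET /item?id=9 HTTP/1.1" 200 512 "-" "curl/7.22" sid=C3',
        '10.0.0.7 - - [12/May/2012:10:00:16 +0000] "POST /coupon HTTP/1.1" 200 64 "-" "curl/7.22" sid=C3',
        '10.0.0.3 - - [12/May/2012:10:00:14 +0000] "POST /checkout HTTP/1.1" 200 88 "-" "Mozilla/5.0" sid=D4',
    ],
}

# Assumed skew per server, measured against a reference clock during the
# investigation; added to each timestamp before sessions are ordered.
CLOCK_OFFSET = {"web1": timedelta(0), "web2": timedelta(seconds=5)}

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d+) \S+ "[^"]*" "(?P<ua>[^"]*)" sid=(?P<sid>\S+)$'
)


def parse_line(server, line):
    """Parse one log line; return a record dict or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None  # skip unparseable lines rather than guess at their fields
    rec = m.groupdict()
    ts = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["ts"] = ts + CLOCK_OFFSET.get(server, timedelta(0))  # correct skew
    rec["server"] = server
    rec["path"] = rec["path"].split("?", 1)[0]  # drop query string for grouping
    return rec


def reassemble_sessions(server_logs):
    """Step 1 and 2: read every server's log and regroup requests by session,
    ordered by corrected timestamp so the sequence of actions makes sense."""
    sessions = defaultdict(list)
    for server, lines in server_logs.items():
        for line in lines:
            rec = parse_line(server, line)
            if rec:
                sessions[rec["sid"]].append(rec)
    for recs in sessions.values():
        recs.sort(key=lambda r: r["ts"])
    return dict(sessions)


def session_features(recs):
    """Attributes worth comparing across sessions: actions taken and client."""
    feats = {f'{r["method"]} {r["path"]}' for r in recs}
    feats |= {f'ua:{r["ua"]}' for r in recs}
    return feats


def fingerprint(sessions, bad_sids):
    """Step 3: features shared by all flagged sessions and absent from every
    clean session. Features also seen in clean traffic are not discriminating."""
    bad = [session_features(sessions[s]) for s in bad_sids]
    good = [session_features(r) for s, r in sessions.items() if s not in bad_sids]
    common_bad = set.intersection(*bad) if bad else set()
    seen_good = set.union(*good) if good else set()
    return common_bad - seen_good


def matches(sessions, fp):
    """Apply the fingerprint over all sessions; returns matching session ids."""
    return sorted(s for s, recs in sessions.items() if fp <= session_features(recs))


if __name__ == "__main__":
    sessions = reassemble_sessions(SERVER_LOGS)
    for sid, recs in sorted(sessions.items()):
        print(sid, [f'{r["ts"]:%H:%M:%S} {r["server"]} {r["method"]} {r["path"]}' for r in recs])
    fp = fingerprint(sessions, {"A1", "C3"})  # sessions customers complained about
    print("fingerprint:", sorted(fp))
    print("matching sessions:", matches(sessions, fp))
```

Without the clock correction, session A1 would appear to redeem the coupon before ever viewing the item, which is exactly the kind of nonsensical ordering the post warns about. The fingerprint step deliberately discards features that also occur in clean sessions, so a rule built from it can be run over fresh logs without flagging ordinary shoppers.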