Jan 11 2011

Biggest mobile malware threat

Category: Malware,Smart Phone,Web 2.0DISC @ 2:39 pm
Image representing Facebook as depicted in Cru...
Image via CrunchBase

Facebook is biggest mobile malware threat, says security firm
Researcher claims bad links on Facebook responsible for much higher infection rate that targeted mobile malware

By Joan Goodchild -CSO

The biggest mobile infection threat isn’t malware that specifically targets mobile devices, according to new research from security firm BitDefender. Malware that targets Facebook is a far bigger problem for mobile security, the firm claims.

Spam links on social networks are infecting mobile devices via bad links on Facebook because the worms and other malware are often platform-independent and are widely spread as malware that targets PCs.

BitDefender officials point to Google statistics, which reveal almost one quarter of Facebook users who fell for a recent scam on the social network did so from their mobile device. The URL that was studied was one that claimed to show users a girl’s Facebook status which got her expelled from school. It generated 28,672 clicks ā€” 24 percent of which originated from mobile platforms. Users who clicked on the link ā€” whether on their PC or mobile device ā€” downloaded a Facebook worm and fell victim to an adword-based money grabbing scheme.

“When data security researchers focus on finding malware specifically designed for mobile platforms, they lose sight of an important mobile platform threat source ā€” the social network,” said George Petre, BitDefender Threat Intelligence Team Leader.

Mobile Malware Attacks and Defense

The Truth About Facebook – Privacy Settings Every Facebook User Should Know, and Much More – The Facts You Should Know

Tags: facebook, Google, Koobface, Malware, Mobile device, Mobile operating system, Social network, Uniform Resource Locator


Mar 20 2009

Web 2.0 and social media business risks

Category: Web 2.0DISC @ 3:01 am

A tag cloud with terms related to Web 2.

Web 2.0 is major force and has numerous business benefits but it is posing companies to potential new risks.
Social networking sites, such as Facebook, LinkedIn and Twitter, have become the preferred method of communication for a whole generation of people and the ability to post “Status Updatesā€ is fast becoming the new Email. Linkedin is adding one user per second and Facebook has reached 150 million users in just five years.

Some of the associated risks which organizations face as a result relate to phishing, harvesting of email addresses and of course the dangers of (relatively) simple social networking, not only to hack the employeeā€™s present organization, say, but to the organization of losing an employee and all their leads because clients follow ā€˜their man/womanā€™ to their new job by tracing where they are at through sites such as LinkedIn. Hackers can follow the conversation on social media to identify the user problem or pain point and pretend to offer a solution which happen to be a malware to steal private and confidential data.

And then of course there is the downside of staff using bandwidth and their work time for purposes other than for which they are employed, and possibly preventing others (due to bandwidth/processing restrictions) from doing what they should. Many of these sites openly encourage people to download video clips.

The solution?
Usually the controls in ISO 27002 code of practice can be selected and applied in a manner to address the associated risks through a combination of management and technical policies, but of course this should be as the result of a risk assessment and should balance the three attributes of C, I and A.

Web-20

For clear best practice guidance on how to tackle ‘Threat 2.0’, you should download
Web 2.0: Trends, benefits and risks!




This 112-page best practice report from IT Governance separates the hype from the tangible reality and provides:


1. A workable description of what ‘Web 2.0’ is and what it means, within the business environment, complete with a glossary of Web 2.0 terms.
2. A description of the business benefits to be derived from Web 2.0 technologies, with examples taken from real-life case studies.
3. An identification and discussion of ‘Threat 2.0’ – the information security risks inherent in Web 2.0 technologies, together with latest best-practice recommendations for mitigation.

During financial crisis when companies are cutting budgets. It is imperative that information security will have some budget cut but any drastic budget cut might not be wise. A major security breach might put the organization in irrecoverable situation. In this tough economy security professionals have to do an extraordinary job to sell the security to management and show them how security due diligence can make business safe, successful and compliant.

Do you think the advantages of social media outweigh the potential risks?

Reblog this post [with Zemanta]

Tags: facebook, iso 27002, linkedin, Security, Social network, Social network service, Twitter, Video clip, Web 2.0


Jan 22 2009

Web 2.0 and malware 2.0

Category: Malware,Web 2.0DISC @ 5:43 pm

Web 2.0 - No one owns it
A new position paper from ENISA describes the risks associated with web 2.0 and malware 2.0. Web 2.0 includes social networking, photo sharing, wikis and social bookmarking sites and malware 2.0 is defined as a web based infection in which user can be entrap by visiting website.

Web 2.0 applications are thriving because of their dynamic contents, in which users chip into the content and interact with each other. This dynamic interaction with other users comes with new threats of malware 2.0, in web 2.0 environment user trust the information without knowing anything about the author or integrity of the source, and thatā€™s precisely why criminals are attacking these applications and using it to circulate malware 2.0.

ENSIA survey also evaluates the methods used by people to figure out if the web page is phony. People will be suspicious of a source if it only appears once on the web, but will start trusting the source (integrity of the source) if it appears more than once on the web. Assumption is somebody down the chain might have validated the source and as the source start spreading on the web somehow people start believing in the authenticity of the content.

ā€œMisinformation is easily propagated through syndicated news stories, blog posts, and social data, which provides few trust cues to users. This has very serious consequences such as stock price manipulation and control of botnet via RSS feedsā€

There is a need to establish an independent third party on the web to validate the source of the content. Availability of the web 2.0 content has to be balanced with a fitting dose of confidentiality and integrity of the content.

Survey results

[TABLE=12]

Related article
ā€¢ 25 Most Shocking Crimes in Social Media History

    The Machine is Us/ing Us

httpv://www.youtube.com/watch?v=NLlGopyXT_g

Tags: availabiliy, confientiality, integrity, malware 2.0, On the Web, Photo sharing, risks, RSS, Security, Social bookmarking, Social network service, threats, Web 2.0, Web page, Website


Sep 04 2008

Web 2.0 and more data

Category: Information Security,Web 2.0DISC @ 5:52 pm

According to the Identity Theft Resource Center of San Diego, ā€œthe data breaches are on the rise in 2008ā€ and with more data breaches so are the impact and amount of losses. Web 2.0 is next phase of internet creation, where huge social networks are built and citizens of the network enjoy the interactive and conversational approach of the new web frontier. Does the web 2.0 introduce new threats which can be exploited by cyber criminals?

To aid a social communication, users are required to input personal profile including birth date and residence addresses into these social networks to participate, which happens to provide a target rich environment for cyber criminals. These days new attacks are already taking advantage of personal information, some of which is retrieved from social network sites. If the account is hacked/breached from one of these social network sites, the impersonator can damage the (personal and professional) reputation by modifying the profile or changing/inserting the contents or comments.

Cross site scripting is one of the major threat facing Web 2.0, below is an example of XSS.

“In an incident reported in early December 2006 by Websense, hackers compromised the MySpace social networking site and infected hundreds of user profiles with a worm. This malicious code exploited a known vulnerability to replace the legitimate links on the user profiles with links to a phishing site, where victims were asked to submit their username and password. In addition, according to Websense, the worm embedded infected video in victims’ user profiles.”

AJAX is one of the main programming languages used to develop Web 2.0.

ā€œA traditional Web site is like a house with no windows and just a front door. An AJAX Web site is like a house with a ton of windows and a sliding door. You can put the biggest locks on your front and back doors, but I can still get in through a window.”

What if you happen to be a peace activist or a whistle blower in your company? Then perhaps Uncle Sam or your employer wants to settle scores with you for some reason. The question is who is monitoring them or for that matter stopping them from getting into your account to steal or modify data to damage your reputation or career? The point is, besides all the functional benefits, web 2.0 comes with new threats which we need to be aware of. Without knowing these risks we canā€™t manage or mitigate them to a point which is acceptable to the society at large.

Web 2.0 contents are mostly interactive or dynamic in nature. The tools which were used to defend static contents might not be feasible for dynamic web 2.0 contents. Non-repudiation, validating the source and real time verification of the contents might be necessary to stay on top of the dynamic nature of web 2.0 threats.

Web 2.0 ā€“ Opportunity 2.0 or Threat 2.0?

How freely available online infomation on Web 2.0 was utilized to break into online banking account

Web 2.0 … The Machine is Us/ing Us

httpv://www.youtube.com/watch?v=6gmP4nk0EOE


(Free Two-Day Shipping from Amazon Prime). Great books

Tags: ajax, cross site scripting, cyber criminals, data breaches, identity theaft, mitigate, non-repudiation, phishing, Web 2.0, web 2.0 threats, websense, xss