We're a free community of over 18,000 Texas technology professionals here to network and promote our local tech scene.
If you're working in semiconductors, hardware, software, or IT in Texas, join us!
CNN/Tech this morning finds the usual round of criminals at work in the high-tech arena with some very good points made in the lineup.
Panda Security, a Spain-based antivirus maker, has been monitoring an onslaught of links with malicious software, or "malware," on Twitter that tag hot topics such as the Air France crash, the NBA finals, "American Idol" runner-up Adam Lambert and the new iPhone.
Personal Note: They are appearing in #iranelection and other Iran related discussions as well.
Adding to the difficulty is the legal situation that in many jurisdictions, it is not illegal to create or sell malware... "It's like the arms industry ... it's not a crime to build and sell them," Negi said.
Full article here
Yep. This is just what I have been expecting. The shortened links used in Twitter (bit.ly, tinyurl.com) can effectively hide the destination site until the user has clicked on it. Until we get the link shortening services to provide some sort of protective scan on submitted links, I predict this is going to be a major vulnerability for a while.
Jim Adcock
SharePoint Administrator & Developer
Process Improvement Champion
http://www.linkedin.com/in/jimadcock
Twitter: @dlairman
Technical Career Blog: http://dlairman.wordpress.com/
Even if link shortening services (like tinyurl) scan the submitted links for malevolent content when they are submitted, it won't mean much since the attackers can change the content at any time after that. Scanning it each time someone clicks through would add a lot of overhead which might prove to be cost prohibitive to maintaining that kind of service.
And so this is going to be a major vulnerability for a while.
(At least until browsers are so locked-down that they don't do what we want/need them to do, or browsers and operating systems both become *gasp* totally secure...)
Jim Adcock
SharePoint Administrator & Developer
Process Improvement Champion
http://www.linkedin.com/in/jimadcock
Twitter: @dlairman
Technical Career Blog: http://dlairman.wordpress.com/
I have seen some apps with an "expansion" capability for shortened links. It shows the full URL on click. This should be commonplace - would help a lot for people who'll actually use it.
William W. (Woody) Williams
Project Management Consultant
| Blog | Twitter |
w3src Consulting
If you're using Firefox (and you should be), download the LongURL Mobile Expander add-ons ... then, when you hover your pointer over the shortened URL (be it tiny or otherwise), it will show you the actual, full URL so you can decide if you want to take the plunge.
Now if we could talk TweetDeck into doing something similar... That would be worthwhile for Twitterati.
William W. (Woody) Williams
Project Management Consultant
| Blog | Twitter |
w3src Consulting
A few weeks ago, I raised the point about malware being transmitted via Twitter and throngs told me I was wrong, that Twitter couldn't cause malware. Well, maybe it cannot, but it perpetuates it. And I remain convinced that those who prey on others through email virii, malware and use of social networks to spread their cr@p deserve to be strung up by their "short ones" over Congress Ave. and stoned, or whatever the geek equivalent is of public executions.
The real issue here is links, not Twitter, Friendfeed, Facebook, or any other website or web app. Anyone - in a blog; even here on door64 - could put a shortened link to a location or URL that contains malware, a trojan, or virus. They can come in the URL for an image in email.
The problem here is that in its shortened form, a format used a lot on Twitter due to the 140 character limit, the user cannot determine to what or where the link points.
Be wary of shortened URLs no matter where they are found.
As mentioned above, Firefox has an add-on (actually two) that "un-shorten" them and make the full URL visible before they are clicked. Very helpful.
The throngs are mostly correct in that the Twitter web site itself is highly unlikely to be transmitting malware. It's the people who use Twitter we must be wary of ;~) Perhaps a distinction without significant difference, eh.
William W. (Woody) Williams
Project Management Consultant
| Blog | Twitter |
w3src Consulting
Clearly from this ungeek POV, Twitter is the vehicle being used to transmit malware. Even if the "throngs" were in "thongs" it doesn't matter that the cause is the shortened URLs. Since Budurl is local, why not have them do something?
Twitter isn't any different as far as transmission of URLs that point to malevolent content than anything else. Don't follow people you don't know. Don't follow links posted by people you don't trust. Same as not reading emails or clicking on links in emails. Same as blogs or other web sites such as Facebook, MySpace or even LinkedIn. I'm not saying that Twitter isn't being used to spread malware, I'm just saying that it's no different from a lot of other sites so I don't see any reason to pick on them in particular. In fact since the payload for twitter is so small (140 chars), they are actually potentially less dangerous than sites like Facebook or MySpace.
Here's the problem with the compressed link services searching what those links point to... unless they scan every time a URL is accessed (which may be prohibitive as far as bandwidth and performance issues) the people trying to spread malware can change the content after the shortened URL is set up. It is also fairly difficult to scan a web page and make sure there is no malevolent content on it by itself, and it's worse if it just in turn links to other pages and other sites. How many levels down do you try to scan?
So what I don't get is that with all of the IT expertise in the Austin market, and with one of the URL shorteners right there, why doesn't someone work on a solution?
What is the business model in it?
I can't see how the URL shorteners make any money to begin with.
How they make money is hardly the point of my question about some local talent helping to solve the problem.
In one sense the question of how money is made in the "shortening" business leads into how / why local talent might gain traction in resolving the issue.
The model is basically that the information (data) is sold -- what's being created (URLs), how many clicks, to what content, etc. It's "golden" to marketing, advertising, and SEO folks.
Why does that matter to anyone interested in providing more transparency?
Because any solution proposed needs to maintain data integrity, for one thing. If a scan or recomposition of the shortened URL is counted as a "hit," then that devalues the data... or at least dilutes it. In other words, the recomposition software should parse the service provider data in a way that does not "count." This may represent a real boundary in the solution space.
This brings up a side issue. If the solution doesn't "see" the content of the actual URL, only the service provider's database, there is no real way to judge whether or not the landing page is truly safe. In other words, showing that the link actually points to a part of the CNN site, for example, is only half the battle. It's good, but incomplete.
The full solution might need to be something more like McAfee SiteAdvisor - going all the way to the URL and scanning content. However, knowing that the URL actually points to the site referenced (my blog, door64, or TechCrunch) goes a long way toward helping users make good decisions.
Certainly the folks at budurl (or others) have considered this. Might be worth some networking time or phone calls to find out.
William W. (Woody) Williams
Project Management Consultant
| Blog | Twitter |
w3src Consulting
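The two concerns raised in the thread so far, "how many levels down do you try to scan?" and "show the real destination without counting as a hit and without pretending that tells you the page is safe", can be illustrated with a small expander. The code below is an added example, not code from door64, budurl, TweetDeck or any of the Firefox add-ons mentioned. It follows a shortened link's redirect chain one HEAD request at a time (http.client does not follow redirects on its own), never downloads a page body, caps the number of hops, and detects redirect loops. The fetch function is injectable so the constructed FAKE_HOPS table stands in for real shorteners and the example runs offline; the URLs in that table are made up. Two caveats the code cannot remove: a HEAD request to the shortener is still a request, so most services will count it as a click (the "data integrity" boundary above), and knowing the final host is not the same as knowing the landing page is clean.

```python
"""Resolve a shortened URL's redirect chain without fetching any page body.

Added example for the door64 discussion; the hostnames in FAKE_HOPS are
constructed and not real services.
"""
import http.client
from urllib.parse import urljoin, urlparse

MAX_HOPS = 5            # answer to "how many levels down": stop after this many
REDIRECTS = {301, 302, 303, 307, 308}


def http_head(url, timeout=5):
    """One HEAD request to `url`; returns (status, Location header or None).

    http.client does not follow redirects, so each hop is observed explicitly
    and no landing-page body is ever downloaded. Note that some shorteners
    refuse HEAD (405); that case surfaces as a non-redirect status below.
    """
    parts = urlparse(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.netloc, timeout=timeout)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    try:
        conn.request("HEAD", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def expand(url, fetch=http_head, max_hops=MAX_HOPS):
    """Follow redirects from `url` using `fetch(url) -> (status, location)`.

    Returns a dict with the full chain, the final URL, the last status seen
    and a `reason`: "landed", "loop", "too many hops" or "error: ...".
    """
    chain = [url]
    seen = {url}
    current = url
    for _ in range(max_hops):
        try:
            status, location = fetch(current)
        except OSError as exc:              # DNS failure, refused connection, timeout
            return {"chain": chain, "final": current, "status": None, "reason": f"error: {exc}"}
        if status not in REDIRECTS or not location:
            return {"chain": chain, "final": current, "status": status, "reason": "landed"}
        nxt = urljoin(current, location)    # Location may be relative to the current URL
        if nxt in seen:
            return {"chain": chain + [nxt], "final": nxt, "status": status, "reason": "loop"}
        seen.add(nxt)
        chain.append(nxt)
        current = nxt
    return {"chain": chain, "final": current, "status": None, "reason": "too many hops"}


def final_host(result):
    """Hostname of the resolved destination, the part a user can actually judge."""
    return urlparse(result["final"]).hostname or ""


# Constructed stand-in for what a few chained shorteners might answer (not real links).
FAKE_HOPS = {
    "http://short.example/abc": (301, "http://other-short.example/xyz"),
    "http://other-short.example/xyz": (302, "/landing?id=1"),          # relative Location
    "http://other-short.example/landing?id=1": (307, "http://www.example.net/article.html"),
    "http://www.example.net/article.html": (200, None),
    "http://short.example/loop1": (301, "http://short.example/loop2"),
    "http://short.example/loop2": (301, "http://short.example/loop1"),
}


def fake_head(url):
    """Offline replacement for http_head driven by FAKE_HOPS."""
    if url not in FAKE_HOPS:
        raise OSError("no such host: " + url)
    return FAKE_HOPS[url]


if __name__ == "__main__":
    for start in ("http://short.example/abc", "http://short.example/loop1", "http://nowhere.example/"):
        r = expand(start, fetch=fake_head)
        print(start, "->", r["final"], "(", r["reason"], ") host:", final_host(r))
```

To run it against real links, call `expand("https://bit.ly/...")` with the default `http_head`; with a real fetch function the result only tells you where the chain ends, which is the same information the previewers in TweetDeck or the Firefox add-ons give you, and it is still up to the user to decide whether that host is one they trust.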
Still, the "local talent" should be addressing this (just my opinion). Further, a challenge and differentiator for the URL shortener companies would seem to be cyber-assurance and filtering. Frankly, it's an obligation to the end user.
Someone recently made me aware that bit.ly is a service from Libya (.ly). When there are alternatives, why use one with Libyan connections?
O.K., so say someone comes up with a URL shortener which offers complete safety... How do you figure you are going to force the people trying to spread malware to use it?
And if you don't trust a site run in Libya (which would seem reasonable), then you shouldn't follow links that end in .ly. It's pretty simple to avoid clicking on links like this and you don't need any kind of special software to do it.
Isn't the purpose of the "fix" for the URL shortening company to make it an add-on? and transparent to the user?
If you have to install a plug-in in the browser then it isn't transparent to the user and only users that install it will be protected. And if the URL shortening site does the plug in to work with their site it may not work with other shortened URLs, which would still leave exposed even people with the plug-in installed if they are on a platform that is vulnerable to the malware.
The key is that if one of the shortners made the fix, then it would have a competitive advantage versus the rest. If the others didn't adopt the fix, then they'd lose traffic and theoretically business.
Maybe, maybe not. But as long as there were one or two URL shorteners out there who didn't adopt a fix, then people who use platforms with malware problems still wouldn't be safe, would they? How are you going to eradicate all the unsafe URL shorteners? There is a pretty low barrier of entry, all someone needs to start one up is a relatively short base URL and some code, which isn't hard. Even if everyone were to be able to recognize every unsafe URL shortener today, there could be 3 more tomorrow.
The problem is that all this is a band-aid. The browsers and the platforms with the malware problem are where the real fix needs to start. Well, even that isn't the real beginning. Most of this is a "social engineering" problem. The real fix needs to start with the users. Pick the safer platforms and then be careful who you network with and what links you follow.
Come on, you are a business man, you should know that money is exactly the point. Software developers solve problems for two reasons, either they personally need the solution or someone is paying them for it (or they think someone might). I personally don't need the solution you are talking about because I use a computing environment which doesn't have a problem with malware, so without a profit motive, why would I be interested in developing something like that?
Come on? O-o-o-oH
Now that sounds like something out of a Led Zeppelin song... :-P
:-P Nothing to do w/Led Zep. A lot to do with self control.
Lots of chit-chat and chatter, and little application of problem solving.
See http://budurl.com - started by Andy Meadows here in Austin (Live Oak 360). They have a subscription model that gives you all kinds of information about who clicks on your shortened link, when, how many times, etc. It's like Google Analytics on a per-link basis.
Not sure how the other ones make money though.
UPDATE:
Tweetdeck has implemented a URL previewer in their latest version (you do need to go into the settings to turn it on). When you click on a short URL in Tweetdeck, you get a pop-up window that lists the actual destination URL for you to click through to.
While this does add an additional click in the process of getting where you are going, it does allow you to check whether or not you do want to actually click through to the URL.
Naturally, this doesn't guarantee that the destination site is malware free, but it does allow you to filter out the obvious phishing trolls.
Jim Adcock
SharePoint Administrator & Developer
Process Improvement Champion
http://www.linkedin.com/in/jimadcock
Twitter: @dlairman
Technical Career Blog: http://dlairman.wordpress.com/