Back to Page 1: New Frontiers in Threat Research

Many of the malicious Twitter incidents were facilitated by shortened links, including the "Funniest Video" banking trojan, the Bifrost backdoor trojan, and NeoSploit download attacks. To mitigate this, Twitter established its own link-shortening service, which checks links against known malware and phishing sites. Twitter also replaced basic authentication with OAuth, so that authorized apps can act on a user's behalf without the user disclosing a password to them.

Daniel Peck described Barracuda's study, which used Twitter's API to send 20K queries per hour and gather a large volume of tweets for analysis. By modeling normal user behavior, Barracuda tried to identify characteristics that correlate with malicious Twitter accounts. In the first phase, Barracuda analyzed the number of tweets sent, tweet frequency, and the number and ratio of Followers and Friends.

Among "true Twitter users," most have 1-9 Followers; just 17 percent had more than 100, and only 1 percent had over 1000. Similar percentages held for Friends (the accounts a user follows), leading Barracuda to conclude that few users have significantly more Followers than Friends or vice versa. By focusing on exceptionally popular Twitter accounts, Barracuda identified a "Red Carpet Era" (November 2008 through 2009) during which 54 percent of the most popular accounts were created. This correlates with the Twitter "Crime Rate" (the percentage of accounts suspended by Twitter), which spiked to 12 percent in 2009.

Additionally, Barracuda found that accounts with large negative Follower/Friend deltas (following far more accounts than follow them back) correlated more strongly with apparent scams and with links to illegal downloads, trojans, and rogue anti-virus installers. Finally, Barracuda showed that attackers have learned to use Twitter SEO to spread malware: 8 percent of the malware on a blacklist could be found by searching popular Twitter hashtags (compared to 38 percent on Google). Twitter users, this study's message is clear: be careful what you click on!

Wireless Vulnerabilities in the Wild: View from the Trenches

Finally, K N Gopinath, Director of Engineering at AirTight Networks, drilled into 802.11 wireless network and client vulnerabilities. Using Wi-Fi observations collected from over 4500 wireless IPS sensors, deployed by 156 businesses at 2155 different locations, Gopi shed light on the incidence, duration, and frequency of real-world Wi-Fi vulnerabilities. The data set included over 250K unique access points (APs), roughly 70 percent of them external or unmanaged, that is, not part of the authorized WLAN. Of the 118K Wi-Fi clients studied, 87 percent were external or unmanaged.

"Most IT professionals think Rogue APs are the most common Wi-Fi vulnerability," said Gopi. "But we found that's not so." Mis-configured APs ranked second, present in 60 percent of the networks studied, while just 50 percent had confirmed Rogue APs (unauthorized APs actually connected to an organization's wired network). Judging by MAC address vendor prefix, most Rogue APs were consumer products, and just 29 percent were secured with WPA or WPA2. "The rest present a large potential risk for backdoor attacks," warned Gopi.

Instead, client extrusions (authorized clients willing to connect to unauthorized APs) were by far the most common vulnerability in this study. Most laptops are at some point connected to an external home or hotspot Wi-Fi network. When workers carry those clients back to the office, the clients try to reestablish those connections, explained Gopi. This is why so many clients were overheard probing for unauthorized network names, including known-vulnerable SSIDs such as "Free Public WiFi".
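As an added example (not code from Gopi's talk or from AirTight's product), the following Python triage script applies the two classifications above to constructed sensor data: it separates authorized, mis-configured, rogue and external APs, and flags managed clients that probe for SSIDs outside the authorized list, noting which probed names are on a risky list and which are currently being advertised by an unauthorized AP in range. The AP table, the probe log, the authorized BSSID and SSID lists, the managed-client MAC prefix and the risky-SSID list are all assumptions made up for the example.

```python
import re
from collections import defaultdict

# Constructed AP table, as a WIPS sensor might report it (not real data):
# BSSID, SSID, advertised security, and whether the sensor traced the AP
# onto the corporate wired network ("corp") or not ("none").
AP_TABLE = """\
00:1a:2b:00:00:01 CorpNet    WPA2 wired=corp
00:1a:2b:00:00:02 CorpNet    OPEN wired=corp
00:1e:58:11:22:33 linksys    OPEN wired=corp
00:1e:58:44:55:66 NETGEAR    WPA2 wired=corp
00:26:5a:77:88:99 CoffeeShop OPEN wired=none
"""

# Constructed probe-request log: client MAC followed by the SSID probed for.
PROBE_LOG = """\
00:23:14:aa:bb:01 probe CorpNet
00:23:14:aa:bb:01 probe Free Public WiFi
00:23:14:aa:bb:02 probe CorpNet
00:23:14:aa:bb:03 probe linksys
00:23:14:aa:bb:03 probe hpsetup
"""

# Assumed inventory: the authorized WLAN and the MAC prefix of managed laptops.
AUTHORIZED_BSSIDS = {"00:1a:2b:00:00:01", "00:1a:2b:00:00:02"}
AUTHORIZED_SSIDS = {"CorpNet"}
MANAGED_CLIENT_OUIS = {"00:23:14"}
# Assumed list of SSIDs that clients are known to auto-join (ad-hoc and
# factory-default names); "Free Public WiFi" is the one the talk singled out.
RISKY_SSIDS = {"Free Public WiFi", "hpsetup", "linksys", "NETGEAR", "default"}

AP_RE = re.compile(r"^(\S+)\s+(\S+)\s+(OPEN|WEP|WPA|WPA2)\s+wired=(\S+)$")
PROBE_RE = re.compile(r"^(\S+)\s+probe\s+(.+)$")


def parse_aps(text):
    """Parse the AP table into dicts; lines that do not match are skipped."""
    aps = []
    for line in text.splitlines():
        m = AP_RE.match(line.strip())
        if m:
            aps.append({"bssid": m[1], "ssid": m[2], "security": m[3], "wired": m[4]})
    return aps


def classify_aps(aps):
    """Sort APs into the categories used in the AirTight study.

    misconfigured: authorized AP not running WPA2 (the policy assumed here)
    rogue:         unauthorized AP seen on the corporate wired network
    rogue_open:    rogue AP with no WPA/WPA2, i.e. an open backdoor
    external:      unauthorized AP with no wired-side connection (a neighbor)
    """
    report = {"misconfigured": [], "rogue": [], "rogue_open": [], "external": []}
    for ap in aps:
        if ap["bssid"] in AUTHORIZED_BSSIDS:
            if ap["security"] != "WPA2":
                report["misconfigured"].append(ap["bssid"])
        elif ap["wired"] == "corp":
            report["rogue"].append(ap["bssid"])
            if ap["security"] not in ("WPA", "WPA2"):
                report["rogue_open"].append(ap["bssid"])
        else:
            report["external"].append(ap["bssid"])
    return report


def client_extrusions(probe_text, aps):
    """Find managed clients probing for SSIDs outside the authorized WLAN.

    For each such client, list the unauthorized SSIDs, which of them are on
    the risky list, and which are being advertised right now by an
    unauthorized AP in range: that pairing is a connection waiting to happen.
    """
    probes = defaultdict(set)
    for line in probe_text.splitlines():
        m = PROBE_RE.match(line.strip())
        if m:
            probes[m[1].lower()].add(m[2].strip())
    advertised = defaultdict(list)
    for ap in aps:
        if ap["bssid"] not in AUTHORIZED_BSSIDS:
            advertised[ap["ssid"]].append(ap["bssid"])
    findings = {}
    for mac, ssids in probes.items():
        if mac[:8] not in MANAGED_CLIENT_OUIS:
            continue  # external clients are not ours to fix
        unauthorized = ssids - AUTHORIZED_SSIDS
        if not unauthorized:
            continue
        findings[mac] = {
            "unauthorized": sorted(unauthorized),
            "risky": sorted(unauthorized & RISKY_SSIDS),
            "lured_by": {s: sorted(advertised[s]) for s in sorted(unauthorized) if s in advertised},
        }
    return findings


if __name__ == "__main__":
    aps = parse_aps(AP_TABLE)
    for category, bssids in classify_aps(aps).items():
        print(f"{category:14s} {bssids}")
    for mac, detail in client_extrusions(PROBE_LOG, aps).items():
        print(mac, detail)
```

On the constructed data, the open "CorpNet" AP is reported as mis-configured, both consumer-branded APs on the corporate wire are rogue (one of them open), and two managed clients are flagged: one probing for "Free Public WiFi" with no AP answering, and one probing for "linksys" while an open rogue "linksys" AP is in range, which is exactly the situation a mobile honeypot exploits.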

To illustrate this, Gopi turned his Nokia N900 smartphone into a "mobile honeypot" (a malicious AP that lures nearby clients into connecting). By running SSLStrip on the phone, Gopi intercepted a connected demo client's Yahoo! session. "Bottom line: Using a smartphone and off-the-shelf tools, we were able to capture this user's credentials. Technology advances have made this so easy. Hacking is no longer confined to geeks," he said.

This study showed that wireless vulnerabilities present in real-world networks are often associated with external or unmanaged devices. "The enterprise wireless environment has been influenced by consumerization," said Gopi. "Mitigation [steps] should be taken to stop not just AP-based intrusions, but also client-based extrusions."

These are just a handful of many interesting research presentations delivered by speakers at RSA 2010. To hear many other presentations, check out RSA Conference session recordings and slide downloads.

Lisa Phifer owns Core Competence, a consulting firm focused on business use of emerging network and security technologies. A 29-year industry veteran, Lisa enjoys helping companies large and small to assess, mitigate, and prevent Internet security threats through sound policies, effective technologies, best practices, and user education.

