Researchers Build Malicious Facebook App

narramissic writes "Back in January, a team of researchers uploaded a malicious program to Facebook to demonstrate the possible dangers of social networking applications. Called 'Photo of the Day,' the app serves up a new National Geographic photo daily, but every time it's clicked it sends a 600 K-byte HTTP request for images to a victim's Web site. Photo of the Day is still listed on Facebook, with its authorship attributed to Andreas Makridakis, one of the researchers. The application has 514 active users now, with several comments praising it. The study was published by the Foundation for Research and Technology in Heraklion, Greece, and the Institute for Infocomm Research in Singapore."
  • Re:Researchers! (Score:1, Interesting)

    by mysidia ( 191772 ) on Friday September 05, 2008 @06:43PM (#24895519)

    Heh. Researchers experiment with anything malicious they want in the name of research, and publish their findings widely for the bad guys to consume.

    With the tenuous justification "the bad guys would have surely come up with this already"

    I'll accept the bad guys find these things out on their own, eventually too. But there are massive numbers of full-time researchers and few full-time bad guys.

    Plus not that many bad guys will think of X attack; at least not until there are news articles or a fad, other well-known bad apps to mimic.

    The "researchers" are helping, providing inspiration, and guidance to would-be part-time bad guys.

    If the wannabe-bad-guys thought of using a Facebook application to attack a third party before, now they most certainly have been inspired by this "research" and are diligently racing, trying to be the first to take real advantage of the weakness!

    When will we as a society stop giving positive recognition of any of these teams of "researchers" who do things that are trivial (but inspire bad guys) and paper news services with press releases?

    I expect researchers to concentrate on the harder task of how to harden things and make them more secure.

    Merely pointing out how horribly insecure things are is destructive not constructive.

    Sorry, but it was pretty obvious to people familiar with Facebook apps and computer security, that this weakness existed.

    Nothing novel or valuable has really been found here; except things that should have been reported to the site admins to be fixed.

    The researchers did valuable work, but it's clear that the worldwide security threat of releasing the information to third parties is greater.

  • Re:BFD(?) (Score:3, Interesting)

    by caffeinemessiah ( 918089 ) on Friday September 05, 2008 @06:49PM (#24895575) Journal

    So, some researchers used Facebook as a singularly inefficient method of DDoSing someone.

    Agreed. Especially since a user trying to interact with ANYTHING dynamic on a profile page has to CLICK it to enable it. Embed your own "malicious" DDOS flash code into an "application" with some cutesy front end, and have it pull a large NASA image and push it as a form upload to the target site. Basically, once the user clicks your flash/activeX/blaahXY content, you have an array of flash/activeX/blaahXY exploits to exploit.

    Unless of course they figured out a way of activating the dynamic content without the user clicking (this was a hack submitted a while ago as a XSS exploit, local news went nuts about it). Now THAT would be a nice hack, as it would allow the design of apps to counter-stalk (i.e. see who's been viewing your profile).

  • by Brynath ( 522699 ) <Brynath@gmail.com> on Friday September 05, 2008 @06:55PM (#24895649)
    no but you can order a "Bucket o'food [gizmodo.com]" for $75 that will give you 275 "meals"
  • Re:Researchers! (Score:3, Interesting)

    by mysidia ( 191772 ) on Friday September 05, 2008 @08:19PM (#24896307)

    I'll concede there are financial motives for crackers to attempt to compromise systems.

    But many, perhaps most crackers who would have that motive alone, are not successful. The financial motive is outweighed unless there is a means or method; unless they think they can succeed with a certain attack. If they find howtos/recipe books online or detailed publications of weaknesses that have not been addressed they are likely to find motive and find significant advantage and success in exploiting that problem and gaining the financial incentive.

    I base this on the existence of Fortune-100 companies whose reason for existence is to deliver security solutions, and have multi-billion$ security budgets to that effect.

    Companies like Symantec and F-Secure are public. Their staffing and other financial records are available for inspection; look up their annual reports to see massive spending & staffing in research; there can be no doubts there. Script kiddies are secretive, and their exact number and records are not available for inspection.

    I'll concede there is financial motive to compromise security. Both for criminal crackers and for non-criminal researchers. But the motive should be much larger for researchers to constantly find new ways to compromise security.

    As long as the old ways continue to work perfectly fine; crackers can still satisfy their greed.

    Security researchers on the other hand, by definition cannot merely re-discover the same attacks over and over again, they'll lose their funding.

    Some crackers will be searching for new bugs, the bulk of them do not need to, they'll just wait until a new exploit is eventually published by a researcher, or they can try to buy it. In either case, the research by a third party is what spreads the 'hack' into use.

    People still download and run programs they shouldn't. People still download and run attachments they shouldn't, despite all warnings. Crackers don't have to be creative to try to get the financial incentive. They just have to use information and tools that are all publicly available now.

    I don't think it's all that difficult to make useful but dangerous research information available to the security concerned while making it hard for all except the truly dedicated crackers.

    Tighter publication restraints should help; such as not posting full text online, for free. A $1 or $2 nominal fee for access would generally reduce digestion by the general public, and teenagers without credit card access, who may lack judgement to limit use of security info to responsible purposes.

    An additional aid may be an NDA consumers of publications have to accept to see sensitive research that describes exploits when the exploit affects many people and sites at the time of publication.

    Not to mention.. for-fee articles help cover research costs....

    Both fortunately and unfortunately, the unhampered public posting means anyone who searches for the right keywords will see it..

  • Re:Researchers! (Score:2, Interesting)

    by mysidia ( 191772 ) on Friday September 05, 2008 @11:47PM (#24897661)

    An IDS is a failsafe, last line of defense, and only ever sure to work against a small category of pre-packaged attacks.

    Pattern matching cannot detect the exploit of all types of weaknesses.

    Not all types of weaknesses have a set string or sequence of bits you can reliably search for and ID an attack.

    Generally IDS rules are specific to the most common attack, not the weakness.

    The cracker that wants to evade your IDS and knows how to evade an IDS is likely to be successful.

    E.g. if there is a buffer overflow, it is common for an IDS to look for common shellcode patterns. IDS is unlikely to be able to perform a stateful examination of all the application protocols including fragment assembly and actually detect the overflow condition.

    There is this problem that the overflow has occurred already, and chances are the application is already running the malicious code, just as your IDS is detecting it and starting to alert you.
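
The gap between per-packet pattern matching and the stateful, reassembling inspection mentioned in the comment above, as an added example that is not part of the original thread. The signature, the segment layout and all function names are constructed for illustration and do not come from any real IDS.

```python
# Constructed placeholder signature; not taken from any real rule set.
SIGNATURE = b"BAD-PATTERN"

# Constructed capture: (stream offset, payload) pairs in arrival order.
# The signature straddles two segments, they arrive out of order,
# and one segment is retransmitted.
SEGMENTS = [
    (18, b"TTERN HTTP/1.0\r\n\r\n"),
    (0, b"GET /?q=x&y=BAD-PA"),
    (0, b"GET /?q=x&y=BAD-PA"),  # retransmission
]


def match_per_packet(segments, signature=SIGNATURE):
    """Stateless check: every payload is inspected in isolation."""
    return any(signature in payload for _, payload in segments)


def reassemble(segments):
    """Rebuild the byte stream the receiving application would see.

    Segments are ordered by offset; bytes that were already placed are
    kept when a later segment overlaps them. Reassembly stops at the
    first gap, since data after a hole has not been delivered yet.
    """
    stream = bytearray()
    for offset, payload in sorted(segments, key=lambda s: s[0]):
        if offset > len(stream):
            break  # hole in the stream: nothing beyond it is usable
        stream.extend(payload[len(stream) - offset:])
    return bytes(stream)


def match_stream(segments, signature=SIGNATURE):
    """Stateful check: match against the reassembled stream."""
    return signature in reassemble(segments)


if __name__ == "__main__":
    print("per-packet match:", match_per_packet(SEGMENTS))
    print("reassembled match:", match_stream(SEGMENTS))
```

Reassembly only closes this one gap: the sensor still has to apply the same overlap policy as the receiving host, and it still matches a known pattern rather than the weakness itself.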

  • Re:Researchers! (Score:4, Interesting)

    by fictionpuss ( 1136565 ) on Saturday September 06, 2008 @12:48AM (#24897947)

    Word is that there are several dozen zero-day Linux kernel exploits on the blackhat market right now. For what it's worth that's anecdotal, but even if that figure is exaggerated, the blackhats are still outpowering the whitehats in either number or technical ability.

    If they didn't then they wouldn't exist.

    I'm not going to be able to respond to you point-by-point because of a rather general lack of coherence, so I'm going to pick and choose:

    Companies like Symantec and F-Secure are public. Their staffing and other financial records are available for inspection; look up their annual reports to see massive spending & staffing in research; there can be no doubts there.

    My impression was that the R&D was spent on things like Vista compatibility and defending their own protection programs from being disabled as part of the exploit.

    I've never heard of one case of an anti-virus company proactively researching a vulnerability and patching it. There wouldn't seem to be much of a business model to create from that. But if I'm wrong then there should be plenty of evidence - why would they spend the R&D that you mention, and not publicise its positive effects?

    Some crackers will be searching for new bugs, the bulk of them do not need to, they'll just wait until a new exploit is eventually published by a researcher, or they can try to buy it. In either case, the research by a third party is what spreads the 'hack' into use.

    At least in the Linux world, vulnerabilities, once published, tend to have fixes out pretty darn quickly. This is not a winning strategy for a blackhat.

    Also - a researcher who sells to blackhats, is a blackhat by definition.

    I don't think it's all that difficult to make useful but dangerous research information available to the security concerned while making it hard for all except the truly dedicated crackers.

    You seem to be describing exactly what happened with the recent DNS server vulnerability?

    A $1 or $2 nominal fee for access would generally reduce digestion by the general public, and teenagers without credit card access

    Blackhats are not terribly concerned about copyright infringement. If they didn't hack the server silently to get past the $1 or $2 fee, then they'd use someone else's credit card info.

    Once one copy is made, then the information is available on the blackhat market anyway, except the whitehats have a harder time getting to it.

    Both fortunately and unfortunately, the unhampered public posting means anyone who searches for the right keywords will see it..

    Blackhats aren't idly spending their days typing "latest exploit info" into Google. They have their own information market spaces, and they are skilled and efficient at what they do.

    Everything you describe which makes it harder for whitehats is to the benefit of blackhats.
