IT Security Blog

04 January 2009

Twitter Security


On Saturday, Twitter posted this security alert on its web site to make users aware of a phishing campaign that was going around via Twitter direct message attempting to steal login information for the social networking site. 

Phishing campaigns are certainly nothing new.  So, what makes this interesting or different?

Phishing emails are certainly something we have become accustomed to in our inboxes and they are becoming more popular on personal profile pages on social networking sites like Facebook and Myspace.  In the December version of the MX Logic Threat Report and Forecast the very first prediction we made for 2009 was an increase in (ab)use of social networking technologies by spammers and other cyber criminals. 

Twitter presents an interesting twist because URLs posted in "tweets" (status updates posted by Twitter subscribers) and in direct, private person-to-person messages are shortened using URL abbreviation services like tinyurl.com and bit.ly.  These services let a cyber criminal easily hide a potentially malicious or fraudulent URL behind a legitimate-looking one.  For example, by clicking on one of these links a user could unknowingly be directed to a web site that silently installs a keylogger on their PC.  URL abbreviation tools can also be used to hide a nasty URL within the body of an email, so this is not a tactic abused solely by spammers using social networking technologies.

There is more to this potential threat than the risk of redirection to a phishing site.  Cross site scripting and SQL injection vulnerabilities can also easily be exploited using this tactic if the vulnerability is exploitable via URL code injection.  The malicious code can be hidden in the URL, compacted using tinyurl.com, then distributed in an email as a DDoS against a spammer's target. 
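The two risks described above (a shortened link hiding its real destination, and a payload hidden in the query string of the expanded link) can both be checked before anyone clicks.  The following is an added example, not code from the original post or from Twitter, tinyurl.com or bit.ly: it follows the redirect chain one hop at a time with HEAD requests (never rendering the destination), stops on loops or after a fixed hop count, reports whether the final host differs from the shortener's host, and then runs a few simple injection-pattern heuristics over the decoded query parameters of the final URL.  The `fetch` parameter lets the network step be swapped out; the hostnames and redirect table in the usage section are constructed for illustration.

```python
import re
from http.client import HTTPConnection, HTTPSConnection
from urllib.parse import urlsplit, urljoin, parse_qsl, unquote

MAX_HOPS = 5  # a longer chain than this is itself worth flagging

def fetch_location(url):
    """Send a HEAD request and return the Location header of a 3xx reply, else None.
    Only the redirect target is read; the page body is never fetched."""
    parts = urlsplit(url)
    conn_cls = HTTPSConnection if parts.scheme == "https" else HTTPConnection
    conn = conn_cls(parts.netloc, timeout=10)
    try:
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        conn.request("HEAD", path)
        resp = conn.getresponse()
        if 300 <= resp.status < 400:
            return resp.getheader("Location")
        return None
    finally:
        conn.close()

def expand(url, fetch=fetch_location, max_hops=MAX_HOPS):
    """Return the list of URLs visited, starting with the shortened one.
    Stops on a loop or after max_hops so a malicious chain cannot hang the check."""
    chain = [url]
    for _ in range(max_hops):
        nxt = fetch(chain[-1])
        if not nxt:
            break
        nxt = urljoin(chain[-1], nxt)  # Location may be relative
        if nxt in chain:
            break  # redirect loop
        chain.append(nxt)
    return chain

# Heuristics for content that does not belong in a normal query parameter.
# These are detection aids, not a complete web application firewall.
SUSPICIOUS = [
    (re.compile(r"<\s*script", re.I), "html-tag-in-parameter"),
    (re.compile(r"javascript:", re.I), "javascript-uri"),
    (re.compile(r"'\s*(?:or|and)\b", re.I), "sql-boolean-tail"),
    (re.compile(r"\bunion\b.+\bselect\b", re.I), "sql-union"),
]

def inspect_query(url):
    """Return (parameter name, label) pairs for parameters matching a heuristic."""
    findings = []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        value = unquote(value)  # parse_qsl decodes once; strip one more layer
        for pattern, label in SUSPICIOUS:
            if pattern.search(value):
                findings.append((name, label))
    return findings

def check_link(url, fetch=fetch_location):
    """Expand a shortened link and summarise what a defender needs to know."""
    chain = expand(url, fetch=fetch)
    first_host = urlsplit(chain[0]).hostname
    final_host = urlsplit(chain[-1]).hostname
    return {
        "chain": chain,
        "final_host": final_host,
        "host_changed": first_host != final_host,
        "findings": inspect_query(chain[-1]),
    }

if __name__ == "__main__":
    # Constructed redirect table so the demo runs offline; hostnames are invented.
    REDIRECTS = {
        "http://tinyurl.example/abc":
            "http://login-example.test/index.php?u=<script>alert(1)</script>",
        "http://tinyurl.example/sql":
            "http://shop.example/item.asp?id=1'%20or%201=1--",
        "http://tinyurl.example/loop": "http://tinyurl.example/loop2",
        "http://tinyurl.example/loop2": "http://tinyurl.example/loop",
    }
    offline = REDIRECTS.get
    for short in ("http://tinyurl.example/abc", "http://tinyurl.example/sql",
                  "http://tinyurl.example/loop"):
        print(short, "->", check_link(short, fetch=offline))
```

Run it against a real link by calling `check_link("https://...")` with the default `fetch`; nothing beyond HEAD requests is sent, and the destination page is never loaded.  A `host_changed` result is normal for any shortener, so the useful signal is the final host itself together with any `findings`.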

For all the risk that sites like tinyurl.com and bit.ly can potentially introduce, they certainly do have their place.  Sites like monster.com, for example, sometimes create URLs that are extremely long when copied and pasted into an email, so abbreviating the link address is a great way to keep your message looking professional.  As with all other online threats, diligence is of the utmost importance.  Spam and phishing threats via social networking applications are still new territory in many regards when compared to email (for example), so many users do not think about the potential security ramifications that come along with using these technologies.  That education is occurring rapidly, but it is also happening partly by necessity as more and more users fall victim to the quickly evolving tactics of cyber criminals.
Posted by smasiello at 4:22 PM

26 June 2008

Microsoft Identifies Tools to Address SQL Injection Attacks?

Don't be fooled....

According to this TechTarget article, Microsoft has a few tools that they recommend people use to address SQL injection attacks.

Don't be fooled by what is meant by "address" in this context.  Let's be clear on what these tools do and what they don't do.

They DO:

-- Scan web sites and identify potential SQL injection vulnerabilities.  Even Erik Peterson, a senior director of products for HP's application security center, states that Scrawlr (one of the tools identified) falls short of the functionality provided by many commercial tools.
-- Analyze source code for potential vulnerabilities; however, the source code analyzer that is recommended only supports ASP code written in VBScript. 

Seems like we are quickly narrowing down the number of web sites these recommended tools will even function on.

They DON'T:

-- Provide protection against any attacks
-- Solve the real root of the problem, which is ensuring programmers follow safe coding practices that protect the sites they develop from SQL injection vulnerabilities. 
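Since the root of the problem is how the query is built rather than which scanner is run, here is an added example (not from the original post, and not Microsoft's or HP's code) showing the coding practice a scanner can only hint at.  It uses Python's sqlite3 module with a small in-memory table constructed for the demo: the first lookup builds SQL by string concatenation and is vulnerable, the second passes the same input as a bound parameter, and the third shows the one place parameters cannot help (a column name in ORDER BY), where an allowlist has to do the job.

```python
import sqlite3

def make_db():
    """Constructed sample table; the rows and hashes are placeholders."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT, password_hash TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "hash-a", 0), ("admin", "hash-x", 1)],
    )
    return conn

def lookup_vulnerable(conn, username):
    """Deliberately unsafe: the input is spliced into the SQL text, so a quote
    in the input ends the string literal and the rest becomes SQL grammar."""
    sql = "SELECT username, is_admin FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn, username):
    """Parameterized: the driver sends the value separately from the SQL text,
    so whatever the input contains, it is compared as data, never parsed as SQL."""
    sql = "SELECT username, is_admin FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

# Identifiers (table and column names) cannot be bound as parameters, so the
# only safe way to let a user choose a sort column is a fixed allowlist.
ALLOWED_SORT_COLUMNS = {"username", "is_admin"}

def list_users(conn, sort_by):
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unsupported sort column")
    # Safe to interpolate only because sort_by is one of our own literals.
    return conn.execute(f"SELECT username FROM users ORDER BY {sort_by}").fetchall()

if __name__ == "__main__":
    conn = make_db()
    tautology = "x' OR '1'='1"  # classic test input: no such user exists
    print("vulnerable:", lookup_vulnerable(conn, tautology))  # returns every row
    print("safe:      ", lookup_safe(conn, tautology))        # returns []
    print("sorted:    ", list_users(conn, "username"))
    try:
        list_users(conn, "username; DROP TABLE users")
    except ValueError as err:
        print("rejected:  ", err)
```

The same distinction applies to the ASP/VBScript code the recommended analyzer targets: ADO parameterized commands carry values separately from the query text in exactly the way the `?` placeholder does here.  A scanner that reports "no finding" on `lookup_vulnerable` has simply not guessed the right input; only the construction in `lookup_safe` removes the class of bug.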

If you use any of the tools that Microsoft is recommending, don't be lulled into the false sense of security that they can provide.  As we can see, many free scanning tools have all kinds of limitations: they provide only the most basic of testing, or only work provided that very specific technology conditions (and phases of the moon) exist. 

I am glad to see that Robert Westervelt, the author of the article linked at the beginning of this post, wrote up this clarification today.  I like Robert and actually did an interview with him back in January related to PDF spam, which was posted to his blog, but I think his original article not only missed the mark, but could very well have generated a lot of confusion among junior security researchers and management folks on effective ways to detect SQL injection vulnerabilities.

Posted by smasiello at 12:09 PM