Saturday, August 29, 2009

The Weakest Link

The latest twitter security vulnerability emphasizes one of the hardest parts of making things safe: the weakest link. It's more than just one of those many game show ideas. It is an important "common sense" concept: as the old adage says, a chain is only as strong as its weakest link.

In our case, the software we use is now highly interconnected. We don't build systems from the ground up. We rely on software built by others to make it work. There are operating systems, compilers, databases, browsers, networking stacks, libraries, etc. and those are just the major categories. More importantly, the lines between these categories have blurred.

Twitter is a great example of this. At some level twitter is an application hosted on some set of servers in the cloud. This is why it was subject to the Denial of Service (DOS) attack that affected it recently. Like many network applications, it can be (and often is) accessed via html using a browser. Thus, twitter is subject to all the flaws present in your browser, and any pages it serves up can trigger those flaws. Like many html applications, the rich interactive interface cannot be served up by html alone, so browser extensions like Javascript are used to program features not present in raw html. That introduces a whole new layer of flaws that can be exploited. Moreover, that rich content often uses other extensions like Flash players that we have to download onto our computers, which are a very rich vein of flaws to exploit.

The potential weaknesses don't stop there. Because web pages get traversed by "spiders" like Google looking for content, they have to be sophisticated to help defeat those who "game" the system doing "Search engine optimization" (SEO) and attempt to get all our searches directed to their pages. Those pages can be legitimate or they can be malware (e.g. pages that get us to download fake versions of a flash player, which is really a virus) or pornography or a scam. Twitter turns out to be particularly sensitive to attacks by malicious web pages because it allows "applications" to enter web pages into the system, and it then runs those pages on your computer.

That vulnerability turns out to be the new weakest link. It means that just by running twitter on the web you can be "sent" to a web page that you have never clicked on--a malware writer's dream.

The bright spot in this particular cloud is that if you read your tweets with an application like tweetdeck, you don't get quite as rich an experience, and it doesn't send you to the web page. Therein lies the protection.

Eye candy such as animated web pages does make for a very compelling internet experience and has let companies like Google offer web-based applications that are slowly breaking the control of the desktop away from Microsoft. However, this rich experience has come with a very high price. The bazaar we inhabit on the web has not only a wide variety of goods at very cheap prices but also pick-pockets, con-men, drug lords, and all the other undesirables.

A less "rich" experience would make us safer. Certainly, I love playing Sudoku on my computer, but I fear getting addicted to a twitter version of some immersive reality game, where behind my back many different hidden transactions are occurring and downloading and uploading all sorts of things I don't know about and can't control.

For that reason, for a long time, I kept my email off of servers like Hotmail and Google and read it through a text only service (on an unpopular architecture) where to read a mime message, I had to manually copy the file to a different location, and run a special program, which then put the text somewhere I could read it using a different program. If that sounds inconvenient, it was, but in all that inconvenience was safety, because breaking any one of the links did not break the whole chain. Unfortunately, like everyone else, I slowly succumbed to the siren call of the rich and simple internet experience. My work email is in Microsoft Outlook and personal email is on Google. Those services are more protected than they were, but I am still vulnerable like everyone else to any flaws in them.

Therein lies the crux of the problem to me. To fully participate in this world, especially to take advantage of what's new and exciting, one has to expose oneself to a whole variety of software built on long chains of links, each of which can be broken, and over which one has little or no control. Even though most messages I send and receive are text, I can't go back to a simple text-only world. The interconnections and dependencies have grown so strong that even to send plain text I need to participate in a much more complex ecosystem of interacting applications doing things for me automagically, often without my knowledge or asking my consent.

In that way, it is surprising that we don't suffer more infections and breakdowns. However, I attribute that to the fact that most people are actually honest and honorable, and as a result we can keep some reins on the attacks we are subjected to. That inherent honesty is an aspect of human nature that helps blunt all the bad aspects, and it is why in most cases we can depend on there always being security researchers like David Naylor who find the flaws in our software and don't exploit them, but instead attempt to get them fixed, by posting blogs with advice, before someone does exploit them.

Friday, August 28, 2009

Latest Twitter Vulnerability

While blogging about the twitter attacks another round has happened. This one is more serious for twitter users, because it makes you vulnerable if you simply use the twitter web interface and not some tool like tweetdeck. You don't have to click anything, just view an infected message in your stream while viewing from the web.

Once the infected message is sent to you and you see it from the twitter web interface, the attacker can exploit the flaw. If your browser allows running Javascript, which you probably let it do, since so many web sites need such extensions to deliver the "rich" experience we have all come to expect, the browser can run a malicious Javascript program on your computer. Anything that twitter can do, the attacker can do by exploiting this flaw. In fact, you don't even necessarily have to allow your browser to run code to be at risk, as any flaw exploitable via html links can cause the issue.

Because the twitter flaw allows code to be run, the attack can use it to create a worm: the attacker puts up one infected message, gets one user to read it via the web, and takes over that user's account to copy the infected message into it, from where it spreads to other users.

The malware criminal can also make the attack more subtle so that they steal information from your computer silently without you realizing you've been attacked.

Fortunately, the original discoverer of the flaw, David Naylor, instead of doing something evil posted this blog with advice and just used it to pop up this image to make the warning clear:



The good news is that the folks at Twitter have been made aware of the issue and are presumably working on a fix (and not just the patch they originally tried to bandage over the problem) and that the folks at Mashable are also aware of the issue to keep the media spotlight focused on the problem until it is addressed.

One can expect that it will take time before a complete fix is in place, given how twitter first attempted to solve it: by simply disallowing spaces in the problem field. This is the opposite of the draconian but trivial fix that more conservative companies might have tried, such as disabling the feature entirely or limiting the feature to a known white-list of values, both of which would have been significantly more secure, but would have essentially crippled that aspect of twitter.
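To make the contrast between the two kinds of fix concrete, here is an added example (my own code, not twitter's) comparing a "strip the spaces" patch with an allow-list check on a hypothetical application URL field that ends up rendered into a page. The field name, the allowed character set and the sample inputs are all my assumptions; the point is only that a blacklist of one character lets through everything it did not think of, while an allow-list plus output escaping rejects anything unexpected.

```python
import html
import re
from typing import Optional
from urllib.parse import urlsplit


def strip_spaces_filter(value: str) -> str:
    """The patch-style fix: remove spaces from the field and change nothing else.
    Any other character (tabs, quotes, angle brackets, ...) passes untouched."""
    return value.replace(" ", "")


# Allow-list: an http(s) URL built only from characters we expect to see in one.
# Whitespace, quotes, angle brackets and backslashes are deliberately absent.
# (Character set chosen for this example; tighten it to what your field needs.)
_ALLOWED_URL = re.compile(r"^https?://[A-Za-z0-9.\-_~:/?#@!$&*+,;=%]+$")


def allowlist_validate(value: str) -> Optional[str]:
    """Return the value if it is an acceptable http(s) URL, otherwise None.
    Rejecting outright (rather than 'cleaning') is the conservative choice."""
    if len(value) > 2048:
        return None
    if not _ALLOWED_URL.match(value):
        return None
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    return value


def render_source_link(app_name: str, app_url: str) -> Optional[str]:
    """Render a hypothetical 'from <app>' link: validate the URL against the
    allow-list, then HTML-escape both the attribute and the link text so that
    whatever survives validation still cannot break out of the markup."""
    url = allowlist_validate(app_url)
    if url is None:
        return None
    return '<a href="%s">%s</a>' % (
        html.escape(url, quote=True),
        html.escape(app_name),
    )


if __name__ == "__main__":
    # Constructed sample inputs: one benign URL and two that are not URLs at all.
    samples = [
        "https://example.com/client?id=1&v=2",
        "https://example.com/cli\tent",       # a tab, which the space filter ignores
        'https://example.com/"x',             # a quote, which would end an attribute
    ]
    for s in samples:
        print(repr(s))
        print("  strip-spaces keeps :", repr(strip_spaces_filter(s)))
        print("  allow-list accepts :", allowlist_validate(s) is not None)
    print(render_source_link("Example<Client>", samples[0]))
```

Running it shows the space filter returning the tab and quote inputs unchanged while the allow-list returns None for both; the rendered link escapes the `&` in the query string and the angle brackets in the name, so even an accepted value cannot change the structure of the page.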

The approach that twitter has taken thus far suggests that they will attempt to do the minimum necessary to correct the problem. That is a difficult line to draw. However, each step they make in that direction will give us additional protection by making it harder to exploit.

That is the nature of most security measures: they aren't absolute protection, they just make exploiting the weaknesses sufficiently difficult that it isn't worth doing. When that point is reached, we are "safe enough".

While we are waiting for it to become safe enough, we pedestrians have to be very careful.
  • Avoid using the twitter web interface until you know this issue is fixed.
  • If you are more cautious, you may wish to unfollow people whose motives you doubt or whom you may fear are infected--although there are no known infections that exploit this flaw yet.
For now, this is just a vulnerability and not an actual attack. However, it is a simple enough vulnerability to exploit, that unless fixed quickly, it will become an attack.

Tuesday, August 18, 2009

Twitter Comes of Age (Part 1)

Upfront disclaimer: I am a security researcher for Intel and my work is likely to result in products that Intel will want to sell (not necessarily to you, but to solve your problems). However, this particular blog entry does not address the technical problems as much as it addresses the underlying social issues that drive the problems and contains only minimal concrete suggestions to solutions. I will try to later supplement this with some concrete technological steps one can take, but first I had to address this overwhelming issue that isn’t something a new configuration file parameter could make disappear.

Recently Twitter, Facebook, and several other social media sites came under a Denial of Service (DOS) attack. Since that time, twitter has been the victim of a Koobface virus attack and implicated as part of the control structure for a botnet. Prior to that there was a mild uproar on twitter about it removing many followers from people, having suspected those followers as "spam" sites. Just prior to that there was a twittergate where many of twitter's internal confidential documents were leaked.

Is this the end of the world for twitter? Not exactly. These are facts of life in the always-on-world-wide-internet-connected-got-to-have-it-now age. In fact, for twitter, they are probably a good sign, a coming of age, a sign that it is worthy of being noticed and has made it onto the malware writers’ radar.

There are also other ways to look at what has happened. We could look at what twitter tells other site managers about what attacks they might expect as they launch internet services and those services become popular. In the future, I hope to explore that topic.

We can also look at what it means to us the general populace as users of twitter, facebook, friendfeed, and other social media sites. That’s what I’ll explore in the next section of this blog article by giving it a historical perspective.


Artwork: The picture of the dead twitter bird is by almisakti from the photobucket.com collection.

The world is not as safe and friendly as it might seem. (Part 2)

The internet and the social media sites have become a place where you should never share photos of your kids, your travel plans, your address. If you think about social media and what they are trying to do, connect us, those are very typical of the things one would want to share. They are also the same things that sexual predators, identity thieves, and burglars want to know about us. That contradiction is one of the roots of the problem. As the police officer is quoted as saying, “What you say can and will be used against you.”

The internet was once a very congenial place, one that seemed very safe, like the place immortalized in the Music Man, where the biggest danger was the chance that someone might introduce a pool hall. As John Levine points out, the internet was born of such places: the Arpanet where everyone was a student or a researcher and the worst we did was play Adventure or talk to Eliza, the business LAN where we were mainly worried if we could get our TPS reports done, or the community bulletin board where we could share free software and our latest clever hacks to make something work. All of those were small communities where any miscreants could easily be spotted and exiled.

However, the internet grew because it was easy to leverage those small groups and join them together. As an entrepreneur I recall when joining Usenet required buying just a Telebit modem, or when AOL users became a mass influx onto the internet, or Starbucks first gave away wifi access with coffee. Those events precipitated a tragedy of the commons--an analogy to how the Pilgrims overused their shared pastures (known as commons) and ruined them in the process. We found ways to over utilize the shared internet resource until it has become almost useless for everyone, like the other day when someone was unsuccessfully attempting to use the wifi at the gym to broadcast his daughter’s ballet lesson over Skype and made it impossible for the rest of us to even get our email, because the bandwidth wasn’t there.

Still, the internet is a major part of enabling the global economy and making the world a smaller place. It helped drive the cost of distributing software to zero, which drove the price of software itself to zero. Not the cost of writing the software, that is still expensive, but the amount one could sell the resulting software for. That is not something we could or would actually want to reverse, at least not as consumers. It is really nice that I can get updates of my software from major vendors automatically and with no extra cost. This globally connected, hard-to-charge-above-cost world is here to stay.

There was an interesting side-effect of that revolution though. Just as one could download a new version of flash to display ever more complicated animated web pages, one could also (accidentally) download malware such as viruses, Trojans, and phishing software. Every silver lining came with a corresponding cloud.

The malware evolved with the network. The first malware spread on floppy disks when that was how hobbyists shared software. As email and the web became dominant, we got email messages that tried to get us to sites that were fake copies of our favorite banks. Now, we get tweets that suggest some sites where we need to download some new viewer software, which is actually a virus that installs bots on our PCs, which then watch twitter pages to know what nefarious deeds their masters want them to commit.

What does that mean to us end-users? (That's in the next section.)

One must be ever vigilant and suspicious (part 3)

I have two twitter accounts that I follow that recently gave me reason to be suspicious. They may be hazardous and they may be benign. Only by treating them carefully can I be safe.

The most recent instance was a one-time message from a user I know and trust, but which contained information about a virus. At first, I wasn’t sure whether to pass on the link in the warning message or not. What if the link was a pointer to the virus itself? The person sending the warning was not a person I knew to be sophisticated about such things. They could have made a mistake or the account could have been hijacked. Eventually, I found a safe way to check the link out, and it was a message that showed how the virus was being spread and not the virus itself. Thus, I was happy to send the link along. However, the realization made it clear to me that caution needs to be on one’s mind always.

The other one of them is a tweeter who sends me good security information which I’ve checked out and then retweeted. Unfortunately with the good info I’ve also gotten a stream of tweets suggesting how I can get more followers and make easy money on the web—spam that I don’t want. My interpretation is that this is a real person, who just happens to be caught up in the make-money-easily trap, but who is worthwhile because they do send me good info in the process. I remove all the unwanted tweets from this user’s stream before sending the information on. In that way, I am performing a filtering service: my readers get the good content and only I have to wade through the muck to find it. If the ratio of useful info to spam gets worse, I will probably have to unfollow that user or at least find a way to filter out the spam from his tweets.

In the long run, this trend could be problematic. If too many accounts get hijacked, or too many people get caught up in MLM (multi-level marketing aka Ponzi) schemes, the ability to use twitter to spread good word-of-mouth information will be compromised beyond usefulness—it too will suffer the tragedy of the commons.

Some of the hardest hit people will be the “motivational” tweeters and those who hope to make contacts to sell things. I rarely read the tweets that such people post in any event, because they don’t generally provide much value to me—and I’m certain there are others who do likewise. Still, I occasionally do. Imagine how difficult it will be for them to get their message out, if everyone suspects that they can’t even read a tweet from an unknown person as it may infect them.

In fact, the scariest aspect of twitter coming of age is that there are people developing software to try and mine the various tweets and links to come up with ways of combining the information into useful trends. That may help Intel, Wal-Mart, Starbucks, Coca-Cola, et al. find ways of knowing what they should try to sell to you, but it will also eventually get used by the various criminal organizations to better target their marks too. Sadly, it will probably help the criminals find easy targets before it helps normal companies find ways to sell us things we will enjoy better.

To me this is the ultimate tragedy of the commons, the fact that there will always be criminals and some of them will be one step ahead of us and in the process they will take all the nice things we invent to make our lives better and abuse them to make some of our lives worse. I fervently hope these problems won’t affect you.

The good news is that for most of us, these threats will remain just possibilities or minor annoyances. The adequate protections for most of us will not be severe and will become part of "common sense", just as they are in real life. Most of us will never have our identities stolen. Not even me, who has lost his wallet on several occasions and always had it returned with the money untouched. Similarly, even though I had one UNIX system I owned hacked, there was no harm that came from it other than having to rebuild the system from scratch and start running the appropriate protections. The anti-virus software that the Intel IT folks keep installed on my laptop appears to be adequate for most surfing that I do, and although it occasionally detects a virus, it always manages to delete the containing file.

You will still be more likely to be shot by your spouse (or yourself) if you keep a gun in the house than you will be the target of an internet attack that destroys your life. Your biggest risks will still be the drive you take to commute to work or slipping in the shower. Yes, if you use twitter to hook-up with someone interesting, word of that will probably get back to your spouse and their lawyer and used in your divorce, but that’s the risk of hooking up and not of the internet. The person who the twitter DOS attack was directed at was not an ordinary person, but an activist trying to bring about change where there are powerful forces already at work. If you are the next Gandhi, that may be an issue for you. If you are not, you will probably never be interesting enough to be singled out, sorry.

The risky things in life have not changed because of the internet. The internet has just made the world a smaller and more open place. It is much harder to hide your foibles. Hopefully, it may also make it harder for criminals to hide their tracks too. And, that may be the ultimate victory.