Inside Facebooks FarmVille's Sinister Underbelly

ShmooCon: Inside FarmVille's Sinister Underbelly

By Bill Brenner, CSO

You see it all the time on Facebook: A friend moving on up in FarmVille. Another friend trying to expand his posse in Mafia Wars. Everyone thinks of them as harmless third-party applications, free from the crooks and cooks of cyberspace.

Unfortunately, that's not the case.

The sad fact is that these applications are susceptible to malware pushers and those looking to steal your personal information. It's not much of a stretch for hackers to impersonate people you think are trusted, fellow players, as is the case with a lot of online gaming. And the more you expose yourself, the bigger the target you become.

The dangers of these games were part of a larger talk on social networking dangers at the 2010 ShmooCon security conference. Indeed, social networkers are in danger from all corners, be it from malicious Twitter bots you think is a celebrity following you or that hot model who friended you on Facebook, hoping you wouldn't notice that she's nothing more than a phishing hook.

In their talk, "Social Zombies II: Your Friends Need More Brains," security practitioners Tom Eston, Kevin Johnson and Robin Wood continued what they started in their "Social Zombies: Your Friends want to eat Your Brains" presentation at DEFCON 17.

They presented new techniques and tools used to exploit people on these social networks. They also examined how all your profile information is being used against you and eroding your privacy [related story: 6 Ways We Gave Up Our Privacy].

"Facebook has 350 million users with 12 million logging in daily. Twitter is getting 6.2 million new users a month. The target base keeps growing," said Eston, a penetration tester for a Fortune 500 financial services organization.

In one of their more colorful examples, the trio explained how actress Jessica Biel is the most dangerous woman on the Internet because of all the fake profiles of her scattered throughout the social networking landscape.

People on Twitter are easily duped into thinking Biel is following them in Twitter. The Facebook folks proudly count her among their friends, not realizing the page is really under the control of a malicious operator who wants you to click on malicious links on the page.

Then there's Blippy, a social network billed as a "fun and easy way to see and discuss the things people are buying." The presenters noted that penetration testers absolutely love this platform because of the naked insight it offers into the spending habits of specific individuals. They also shared a favorite quote making its way around the infosec community: "I joined Blippy and all I got was jacked at the ATM."

Another example is Foursquare, a social networking program that lets you keep track of where your friends are, literally. If someone in your network is in South Korea or in front of the Alamo in Texas, Foursquare will tell you so. Want to use it on your iPhone? There's an app for that. And for BlackBerries, too.

While it's becoming increasingly difficult for people to turn away from social networking, especially since it's become a critical, legitimate business tool for many professionals, there are still ways to protect yourself, the presenters noted.

For one thing, you can avoid Facebook and Twitter pages purporting to be from famous people. A good way to tell if that Twitter page is really a malicious bot is to look at its follower/following ratio. If they're being followed by 50 people but are following over a thousand, that's a pretty good indication that something stinks.

And, they noted, if you must use apps to get around certain places and find the shops you're looking for, remember that too much information can be enough for someone evil to track your specific whereabouts and come after you.

National Clean Out Your Computer Day

Why Your Computer Sucks

By Keith Shaw

Today is not only the day after the Super Bowl, it’s also National Clean Out Your Computer Day – the day was created by the Institute for Business Technology [1] as a way to remind PC users about all of the clutter on their systems.

Regardless of the day’s motive, it’s pretty clear that computer users are just as much packrats as they are in their homes. According to the Consumer Electronics Association, the average American adult has more than 1,800 digital files [2]. Instead of cleaning up our systems, Americans are likely to just go out and buy a new system, rather than fix or maintain the one they have. Vendor iolo technologies [3], maker of the System Mechanic PC tune-up software, says the average computer’s lifespan is about 30 months.

The reasons people give as to why their computer sucks, such as "It’s too slow, I need a faster one, etc." may be fixable using a reputable PC tune-up program on their existing system, rather than going out to get a brand-new system. I’ve compiled a list of several reasons why computers end up slowing down or "suck" from the purchase date to about two years later:

1) Registry errors: Imagine going to a shopping mall where several stores have opened and closed or moved over the past few years, and visiting the Store Directory map, and discovering that it hasn’t been updated. Imagine the time you’d waste walking all the way to where that store used to be only to find out it’s gone. That’s a little bit like what happens to your computer’s registry after a few years of installing and uninstalling programs, as well as errors made during the installation or uninstall process to the registry. Every error, invalid reference or unresolved key path involves more time needed by the PC, attempting to find that no-longer-existent program, slowing down the system.

2) Registry bloat: As new applications are installed onto the PC, the size of the registry grows. Even if an application is uninstalled, the empty spaces in the registry still exist and must be accounted for. In addition, bloat is created by applications that install temporary libraries or other data that doesn’t get used by the application or the end user, but still creates entries within the registry.

3) System crashes that corrupt the registry: The blue screen of death? It can corrupt the registry as well, slowing it down post-crash.

4) Startup Clutter: Applications that get loaded during the start-up process for Windows tend to eat up memory and processing power (and make you wait during start-up). Many are updater applications that are not even needed – most applications check for updates when they load, so they’re unneeded in the system tray.

5) Browser tool bars: Tool bars and extensions to browsers also can chip away at a PC’s available memory or processing power. For example, an ActiveX or Java tool that autodetects the type of printer a user is connected to is now there permanently, always checking or re-checking. Extensions can also freeze or crash or become unresponsive.

6) Lost RAM: Users who get frustrated over slow start-up times tend to keep their PCs on at all times, or put them into “sleep” mode so they can start up fast again. However, this can cause the system to leak memory over time. In addition, when some applications close, they don’t reallocate all of the memory they grabbed when the program launched, causing less memory to become available for other applications.

7) Fragmentation: Like the issues with the registry, the constant installation and uninstallation of programs can cause havoc on the PC’s hard drive. In addition, if a hard drive is fragmented, larger files often have to be split in order to be stored on the drive, causing application performance to slow. Users who don’t regularly de-frag their systems are likely to complain about a slower system.

8) CPU Churn: All of these extra applications, services, etc., end up using more of your CPU than you’d like – and while it appears that nothing is happening with your system, all of this stuff in the background is slowing down the system, causing irritation for end users. Dual-core processing systems from 3-4 years ago should be plenty fast enough for users’ needs, if there’s enough RAM, but processor churn and memory leakage can cause those systems to slow down.

9) Viruses, malware: A system infected with malware not only puts the user in danger if the malware is looking for financial or other data, but malware can slow down performance if the system is being utilized as a spambot, or if it tries to create several instances of additional malware to spread to other PCs. Drive performance, network traffic and system resources can all take a hit from viruses and malware.

10) Internet speed issues: Some systems and applications try to detect what your network connection speed is, and adjust the network traffic accordingly – for example, broadband connections tend to optimize traffic to carry larger packets over the network. When a user switches their network connection to a different method (in the old days, dial-up, but now, 3G wireless for example), those optimized packets can be too much for the smaller pipe, slowing down network traffic.

Fixing a lot of these issues can be solved through the use of tune-up and defragmentation software (such as System Mechanic and Diskeeper [4], for example).

Other tips:
* Organize files more logically, and put them in folders that make sense to you. This helps later on when trying to locate or clean up.

* Back up files and programs at least every month. Check out hardware like Seagate’s Replica [5] or Clickfree Automatic Backup [6] devices, which automatically back up files a lot easier than earlier software that required human interaction. Don’t forget online backup options as well, for off-site backup.

* Uninstall programs you don’t use or need. Holding on to unused programs is like holding onto the clutter in your basement, and the excuse of, "well, I might need it some day." Trust me, you don’t need it. Get rid of it. And don’t forget to clean the registry after you throw out the old programs.

Clean the outside of your PC as well. Clean your screen, keyboard and mouse, and you may feel like you have a brand new system.

Blast for the past, but oh so true in the IT field.

Start Black History Month Off Right

Start Black History Month Off Right

by Travis from the MPMG-Technology & The Urban Community Blog

The first thing we do is start highlighting black figures that we have never heard of. Don’t get me wrong there is nothing wrong with this, but I believe that “hindsight is 20/20″. In other words, to clearly see the present you have to look at the past. Dr. Carter Woodson who we consider the father of Black History Month wrote a deeply thought provoking book that many quote the title of, but have never read, “The Mis-Education of the Negro“.

Although this text was published in 1935, it is highly relative and prophetic for today’s issues surrounding black America. Anybody who is especially interested in educational reform would do good to read this book or even buying the audio book for your iPod/iPhone/Touch/iPad or whatever you listen to these days. So this month’s lesson people is go and read The Mis-Education of the Negro and then tell me if you agree with what many are calling educational reform, empowerment, and post-racial America. Peace

Skype sheds light on 3G calling, iPad

By Marco Tabini

Fans of Skype's popular VoIP application will have to wait a little longer to make calls over 3G networks with their iPhones, according to a post by spokesperson Peter Parkes on the company's blog.

As previously reported, Skype seems to be the lone holdout among a number of VoIP-capable apps that gained that ability last week as a result of a reported change in Apple's iPhone SDK agreement for developers. At the time, a company spokesperson told Macworld that Skype's delay was due to it "seeking some clarifications" from Apple.

Today's blog post provides a little more information on what's holding back the release of an updated app: the company says it's working on methods to provide the highest voice quality possible by using wideband audio--a technology used in telephony that extends the frequency of sounds transmitted across a connection, thus providing clearer audio signals.

According to a video interview with David Ponsford, Product Manager for Skype's mobile team, the updated app will also include a call-quality indicator and several other enhancements designed to improve the user experience during 3G calls.

In the same blog post, Parkes also hints that there will be a version of Skype for the iPad, although no details are currently available

Motivational Moment

Thought for the Day

February 4, 2010

REMEMBER THAT THE FAULTS OF HUMANKIND ARE PRETTY EVENLY DISTRIBUTED AMONG ALL OF US.

Why can we so easily overlook in ourselves the faults we are quick to spot in others? It is easy to be objective when it comes to criticizing our friends, family members, and business associates, but it is far more difficult to be honest about our own shortcomings. Only when we recognize that we are all human, with the same faults and failings, do we begin to develop that wonderful quality of tolerance that enables us to accept others as they are and ask nothing in return. Replacing faultfinding with "goodfinding" is never easy. But when you become one who always compliments instead of criticizes, you become the kind of friend we would all like to have.

This positive message is brought to you by the Napoleon Hill Foundation. Visit us at http://www.naphill.org. We encourage you to forward this to friends and family. They can sign up for this free service at our web site.

How Wi-Fi attackers are poisoning Web browsers

Black Hat presenter describes latest public Wi-Fi security threat

By Ellen Messmer

Public Wi-Fi networks such as those in coffee shops and airports present a bigger security threat than ever to computer users because attackers can intercede over wireless to "poison" users' browser caches in order to present fake Web pages or even steal data at a later time.That's according to security researcher Mike Kershaw, developer of the Kismet wireless network detector and intrusion-detection system, who spoke at the Black Hat conference.

He said it's simple for an attacker over an 802.11 wireless network to take control of a Web browser cache by hijacking a common JavaScript file, for example.

"Once you've left Starbucks, you're owned. I own your cache-control header," he said. "You're still loading the cache JavaScript when you go back to work.

"Open networks have no client protection," said Kershaw, who also uses the handle Dragorn. "Nothing stops us from spoofing the [wireless access point] and talking directly to the client," the user's Wi-Fi-enabled device.

Knowledge gained from researchers over the past year, he said, is showing that browser-cache poisoning over Wi-Fi can be kept in a persistent state unless the user knows how to effectively empty the cache.

"Once the cache is poisoned, it's going to stay there," Kershaw said. This means that an attacker can intercede to "poison the URL" of the victim so that he will see a fake Web page when they try to visit a specific Web site or try to insert a "shim" that could "ship your internal pages off to a remote server once you're in a VPN."

The few defenses Kershaw suggested were continuously manually clearing the cache, or using private-browser mode. "Who knows how to clear the browser cache in an iPhone?" he asked.

Kershaw acknowledged he doesn’t know how widely attacks based on poisoning the browser cache via 802.11 actually are. But the potential for trouble is so evident he said he'd advise corporate security professionals to try to "forbid users from taking laptops onto open networks," though he admitted, "Your users may lynch you." He said some vendors, including Verizon, are looking at solving this problem with a custom client that is tied to specific operating systems.

Tales from the Shark Tank

Just our way of saying thanks


Pilot fish takes a job at a big manufacturing plant -- one with big IT problems. "It was a mess," fish says. "No backups, bad networking, you name it."
So he gets to work hammering things into shape. And after two years, backups are well-organized, the network is running perfectly, and fish is pretty satisfied with his efforts. And so, apparently, are his bosses.
"I got called into HR one afternoon," fish reports. "I was told, 'We have to let you go to save money. We're going to support the plant remotely. "'But we couldn't have done this without the great work you did.'"

Motivational Monday

6 Lessons for Life

I woke up Saturday morning in Newport News, Virginia, looked out the hotel window and all I could see was snow. I called the airport and heard the news no traveler wants to hear. The airport was shut down. I was set to speak to Lia Sophia Jewelry that morning at the hotel where I was staying and that night I was scheduled to be at an event in New York City. I knew one thing in that moment. If I was going to get to NY I wouldn't be flying there. And most likely I would be stranded for a few days in Virginia. I decided to make the best of it and focus on inspiring, serving and impacting those in the audience.

As fate would have it, the President of Lia Sophia, Tory Kiam, was attending my talk and was also heading to NY. When I walked off stage I was told he arranged for a taxi to take us to Washington DC where we would take a train to NY. Sounded like a great plan, Except for the fact that to get to the train station we would have to travel 182 miles through a snow storm on icy, snow covered roads and avoid getting stuck or into an accident along the way. It was an experience I will never forget!

Here are 6 Lessons I learned along the way. I hope they will help you on your journey through life.

1. The Right Driver Means Everything - Samud, the taxi driver, was amazing. He avoided ten accidents, handled ice patches with the driving skill of NASCAR's Jimmy Johnson, and stayed calm the entire time. Leadership is everything and the right leader is the difference between cruising past or crashing into the obstacles before us. Samud never doubted that we would get through the storm to reach our destination and his skill and confidence made it possible.

2. Every Driver Needs a Great Team - There were times when Samud couldn’t see and Tory and I would guide him by looking out the sides of the van. We were his co-pilots and advised him when to slow down, when to avoid other cars, and when to speed up the windshield wipers which were accumulating ice. We couldn't have reached our destination without Samud and he couldn't have done it without us. Teamwork made all the difference.

3. Tap into the Ultimate GPS - When you are driving on sheet of snow and ice you come face to face with the reality that no matter how confident and talented you are there is a lot you can't control. So you bet I prayed a lot and tapped into the ultimate GPS, God's Positioning System, and asked God to guide us safely on our journey.

4. Drive with Optimism - Tory kept laughing at me because every hour I would say the roads would get better the closer we got to DC. The first few hours the roads got worse. But sure enough as we approached DC the roads were plowed and smooth. I didn't know if the roads really would be better but I hoped they would be better. And that hope kept our spirits up when it seemed like we would never make it. Faith in a positive future keeps you moving in the right direction and helps you reach your destination.

5. It Could be Worse - Along the way instead of focusing on our predicament I kept thinking about the people in Haiti. Our situation was a walk in the park compared to what they are going through. Keeping things in perspective helps you stay positive through your challenges and keeps you humble and grateful.

6. Showing up Matters - I arrived at the event in NY with an hour left. It was a fundraiser for the George Boiardi Foundation. George died in 2004 when a ball hit him in the chest during a lacrosse game at Cornell University. George was known for his character, persistence, heart, work ethic and his plans to join Teach America after graduation. George's life was cut short but his dream lives on through his foundation. When I arrived I met his mom. We hugged and she thanked me for making the effort to be there. I couldn't help but think that if George was in my shoes he would do the same. He showed up on and off the field every day of his short life and his legacy lives on through so many people impacted by his example. So, no matter how long the journey I want to encourage you to "show up." Whatever it takes, show up. Whether it’s by plane, train or automobile, or all three, show up.

-

Jon Gordon

Why OpenSource Software