LAS VEGAS – When you’re talking to Dave Marcus about security, and he gets a mischievous grin on his face and a sparkle in his eye, chances are he’s about to show you how innocuous tools can be used by bad guys in decidedly non-innocuous ways. And as director at McAfee Labs, he knows lots of those ways.
At the company’s annual Focus conference here this week, he cast his eye on social networks, demonstrating how, in a relatively brief time span, he could learn enough about a person to induce him to click a malicious link and infect his PC with malware.
“It’s self-inflicted damage,” he said. “You’re just taking the information they offer and using it in a different way.”
To prove the point, he described following a user on Twitter who was wandering Arlington National Cemetery, posting photos as he went. Since the user had location information display enabled, Marcus was then able to track the man’s route as he headed home, tweeting on the way, and identify his residence. Then he messaged the user, complimenting him on the photos, and included a link that supposedly led to another view of one of the tombs. The user clicked on it immediately. Had Marcus been a hacker, this user’s computer would have been compromised.
He has also followed people’s daily travels via the geo-location of their tweets, documenting their schedules, where they work, shop and live. This is invaluable information for marketers, and, he pointed out, it’s equally valuable to criminals. From the information they glean, they can craft messages containing malicious links that are guaranteed to grab the victim’s interest and generate clicks, or deduce when no one will be at home if burglary is their goal.
It’s also easy to create messages targeting large numbers of users, simply by examining trending topics and using as many of the keywords as possible in a tweet that includes a malicious link. And if that link is shortened using a service such as TinyURL, the victim often can’t easily determine where it actually goes without clicking on it. There is, Marcus says, an average of 3,000 shortened links sent on Twitter every minute.
The problem is, TinyURL and its ilk don’t check links uploaded for shortening. Those links can go to known bad sites. Marcus says that Bit.ly is abused in this way more than most.
McAfee has addressed this issue by developing its own shortener that checks the original link on its Global Threat Intelligence (GTI) network and flags it if it is unsafe. The shortener, still in beta, is available at http://mcaf.ee. The company is also working on plugins for Twitter clients that will check and preview short URLs.
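The check described above (find out where a shortened link really goes before anyone clicks it, and compare each hop against a reputation list) can be done client-side without ever fetching the destination page. The script below is an added example written for this article; it is not McAfee's mcaf.ee or GTI code and not from the talk. The redirect table, the blocklist and every hostname in it are constructed sample data so that it runs offline; the optional live resolver assumes network access and uses one HEAD request per hop, with urllib told not to follow redirects itself.

```python
"""Expand a shortened URL hop by hop and check each hop's host against a
reputation list before the link is opened in a browser.

Added example for this article; not McAfee's mcaf.ee/GTI implementation.
All domains below are constructed sample data.
"""
from urllib.parse import urlparse, urljoin
from urllib.request import Request, build_opener, HTTPRedirectHandler
from urllib.error import HTTPError

MAX_HOPS = 5  # shortener-of-a-shortener chains are common; cap them

# Constructed stand-in for the 301/302 replies a shortener would send.
SAMPLE_REDIRECTS = {
    "http://short.example/a1": "http://bit.example/b2",        # nested shortener
    "http://bit.example/b2": "http://malware.example/payload.exe",
    "http://short.example/c3": "https://photos.example/tomb-view.jpg",
    "http://short.example/loop": "http://short.example/loop",  # self-redirect
}

# Constructed stand-in for a threat-intelligence feed of known bad hosts.
SAMPLE_BLOCKLIST = {"malware.example"}


def host_is_listed(host, blocklist):
    """True if the host or any parent domain appears in the blocklist."""
    labels = host.lower().split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def lookup_redirect_from_table(url, table=SAMPLE_REDIRECTS):
    """Offline resolver: the Location a shortener would answer with, or None."""
    return table.get(url)


class _NoFollow(HTTPRedirectHandler):
    """Stop urllib following redirects; we want to inspect each hop ourselves."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def lookup_redirect_http(url, timeout=5):
    """Live resolver (assumes network access): one HEAD request, no body fetched."""
    opener = build_opener(_NoFollow)
    try:
        resp = opener.open(Request(url, method="HEAD"), timeout=timeout)
        return resp.headers.get("Location")  # 200 with no redirect -> None
    except HTTPError as err:
        if err.code in (301, 302, 303, 307, 308):
            return err.headers.get("Location")
        return None


def expand(url, resolver=lookup_redirect_from_table,
           blocklist=SAMPLE_BLOCKLIST, max_hops=MAX_HOPS):
    """Walk the redirect chain manually.

    Returns (verdict, chain) where verdict is one of
    "ok", "unsafe", "loop" or "too_many_hops" and chain lists every URL seen,
    so a preview plugin can show the user the real destination.
    """
    chain = [url]
    for _ in range(max_hops + 1):
        current = chain[-1]
        host = urlparse(current).hostname or ""
        if host_is_listed(host, blocklist):
            return "unsafe", chain          # flag before anyone visits it
        if len(chain) > max_hops:
            return "too_many_hops", chain   # refuse to chase endless chains
        nxt = resolver(current)
        if nxt is None:
            return "ok", chain              # final destination reached
        nxt = urljoin(current, nxt)         # Location may be relative
        if nxt in chain:
            return "loop", chain
        chain.append(nxt)
    return "too_many_hops", chain


if __name__ == "__main__":
    for short in SAMPLE_REDIRECTS:
        verdict, hops = expand(short)
        print(f"{verdict:14s} {' -> '.join(hops)}")
```

To use the live resolver, call `expand(url, resolver=lookup_redirect_http)`; the verdict logic is the same, only the source of each hop changes. Matching on parent domains as well as the exact host keeps a listed site from slipping past the check by handing out links on a throwaway subdomain.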
Facebook users, too, are at risk, as are users of photo sharing sites and any other social networks. They must be prudent about what information they share, and they often aren’t, Marcus laments. “They don’t want to go to the trouble to lock down their profiles, they just want to get mad at Facebook.
“People need to have an awareness of social networks as an abuse network,” he went on. “You have to expect your information will not be private.”