Dr Paul Judge - Social Media & Security

BSides London · 2014 · 55:51 · 303 views · Published 2014-07 · Watch on YouTube ↗

Style: Talk

Transcript [en]

Good morning, good morning. I'm Paul Judge and I'm the chief research officer at Barracuda Networks. Barracuda spends our time providing some security products, networking, some storage products; we protect about 100,000 customers around the world. My role specifically is around Barracuda Labs, our security research group. There's a few areas where we spend time, ranging from email to web security to intrusion prevention, antivirus for our different products, but what I want to spend some time on today is what we've been seeing in the way of social networking threats. So for the last couple of years we've spent a fair amount of time looking at how are things morphing between email, between the web and social networking, and what are the latest things the attackers are up to. So what I want to spend some time on this morning is walking through that and some of the things that we've seen, and some of the technologies that we've been working on that we think the industry would benefit from as a whole if we collectively move in these directions.

So if you look at last year, look at 2010. Everybody remembers, if you look back just five years ago, five... this is 2011, look back to 2003. 2003, there was maybe 5% of email was spam, it's 5 to 10% of email was spam. You might forget; you've become so accustomed to spam being 90% of email, you forget that it wasn't always like that. So just eight years ago it was like 5 to 10% of the email was spam. It went to 20 and 30 and 40%, and so nowadays we're just accustomed to 90% of email being spam. Well, what happened last year, if you look at 2010, this weird thing happened where half the spam disappeared. So literally, this is a view of the amount of spam showing up at Barracuda customers around the world. So if you look at the beginning of 2010, we were averaging about 50 billion spam messages per day that we were seeing show up at our customers. If you look from July to the end of the year, it literally went down to 26-point-something, so half the spam disappeared. So did all the spammers go skiing? Did all the spammers go hang out, go hit a pub? No. So what happened is, I mean think about it, you put yourself in the mindset of a spammer or attacker, someone trying to illegally make money from computer activity. They're a business, so they're like, okay, how can I make the most money? How can I make the most money? I have limited resources, I have some bots, I have some bandwidth, I have some computers, how can I maximize my profits? And you think about it: I have some bots, what's the best thing to do with those? I mean the spamming business is getting hard. It's been hard for a while, because you're sending spam and you're hitting some spam gateways that are going to block 99% of those things. Then even the ones that go through, you might end up in a spam folder, people might not read it. I barely can read my own real email; I can't keep up with the spam as well. So the profit margin for spammers is getting worse and worse, and so they're looking at how do I make other ways of using these resources. I have these bots, I have this bandwidth, I have this code, how can I continue to make money on it? And so what we're seeing is, more and more, they're moving over to the web activities. They're moving over to where the eyeballs are: if I can't get in front of your eyeballs while you're reading your email, maybe I can get in front of your eyeballs while you're on a social network or while you're on a search engine. And so that's what I want to dig into a little bit.

Pardon my frequent coffee consumption; the night before last I spent the night on an airplane and last night I spent it in a local club, so it was an improvement, however it still wasn't all sleep. So if you look at the web, at all the activity that's happening on the web right now, one thing I want to touch on is why is it happening, what are the changes that are happening that's making it so easy for attackers right now. And my theory is that there's these five things that have occurred that are innovations. They are beneficial things as a whole, but they've also disrupted the traditional ways that we've secured the web.

So one of the things, for example, is just the rapid growth. There's 196, 197 million domain names registered today, and new ones are registered or exchange hands at a rate of 100,000 domains a day, or about one domain per second, either newly registered or new owner. So if you think about the traditional way that as an industry we did web filtering, and I was there: before Barracuda I was at a company called Purewire, before that I was at a company called Secure Computing, and we had a big web filtering database and people licensed our web filtering database and I was responsible for that team. We had a room of people, about 80 people, and everybody had a computer and a monitor, and we spent the days... and this is how it was when I got there; they'd been doing this for 12 years before I got there. When I got there they're sitting there, 80 people in the room, and we organized the web. Basically people logged in every day, came to work, and said oh, I think that's business, I think that's a weapon site, I think that's a drug site, I think that's porn, that's porn. That's how they spent the day: you just manually try to organize the web, and you just can't keep up. One domain name per second, you can't type it fast enough, you can't react fast enough. So that's disrupted the traditional way that companies were dealing with this.

So a second thing is, whatever you want to call it, dynamic web apps, Ajax, Web 2.0. The point is it's brought us great things like spreadsheets that run in a browser. It brought us great things like Outlook Web Access that feels like a desktop app, but it's now made a point where a remote website has more control of your browser and your computer than ever before. And now one of the problems is, traditional application security used to mean I would download an executable file, I would virus scan that file, I'd say okay, this app is safe or not. But nowadays that app is just a web app, it's XMLHttpRequest, so how do you virus scan that? How do you tell if an app is safe or not? Who's in the middle looking at all the calls and deciding if an app is safe or not? Because you no longer have an executable you're downloading and virus scanning. So that's a shift that we're having to deal with.

These other two are pretty closely related. These are really about the different types of devices and where people are accessing things from. I mean, one problem is, anybody here responsible for corporate IT or corporate security at a business, a company? Yeah, a handful of folks. So if you look back five years ago or so, you built out these infrastructures that were very perimeter and gateway focused, and as long as somebody walked into the office and plugged into the Ethernet, then they were safe. But as soon as you picked up the laptop, you went across the street for coffee, you went across the country for a conference, they're outside the perimeter, they're outside your protection, they're naked and they're exposed. And you can look at the stats here: basically a large percentage of people that leave the office end up being infected, and a lot of those infections come from visiting malicious websites. Very similar to that, new devices like these mobile devices: how do you secure those things? So it's really an avenue for attackers to reach you while you're exposed and then bring that attack back into the network.

This fifth change, this is the one we'll spend all the time on, is user generated content. I mean, if you think about just over the last several years how user generated content has taken over: half of the top 100 websites in the world use user generated content, whether that be Facebook, Twitter, the obvious ones, or even normal brick and mortar sites that added social media components. If you go now to buy a CD online or to buy a refrigerator online, there's some social media, there's user generated content, people are posting things. Well, the problem with that is, you think about the last time we educated the community about web security. We said hey, when you get on your computer, if you go to a website, look for a little lock at the bottom of the browser, and if you see that little lock everything's fine. You're laughing because that's the last time we told you... think about your mother: when was the last time you told your mother anything about web security, your grandmother or your sister? Look for that little lock in the bottom of the browser; as long as you see that, everything's fine. And that mattered eight years ago, ten years ago. It's like okay, this is etbu.edu and that's really them, you can trust them, move on. But now it's no longer just a matter of this domain level trust; you have this question of okay, user generated content behind that domain, there may be 500 million people, there may be 100 million people. So I don't need to just trust the domain, I need to understand each of these users: are they legitimate or not, are they even real or not? So there's this gap, there's this gap between the trust model that's possible on the web today and what the functionality of user generated content has provided. And the attackers realize that this gap is there. I trust Facebook, so the average user by default trusts a lot of stuff that's on there, or they trust Twitter and they by default trust a lot of stuff that's on there, and so the attackers are really leveraging this right now, they're pounding it. If you think about why half that spam disappeared, it's because there's this big window and portal for them to carry out these attacks on social networks. So let's take a look at a couple of things.

Facebook.

So here's a guy, he's a real guy, that's actually a friend of mine on Facebook. He was tagged in this person's photo album, and see, the photo got some of your attention. So even with the shadowing from the projector and even with the censored block that I put on there, it still is attention grabbing, and it's "hey, check out this website, model for sneakerhype.info". Like okay, what's the big deal? Well, this shows up in my newsfeed, and if you look at the photos, they tag 50 people, they tag 50 people per photo that they post, and if you assume that every person has a thousand friends, then there's 50,000 people that just received this link. So again, think about you're an attacker and you're trying to make money: would you rather sit there and send 50,000 spam messages only to have them hit the wall of a spam firewall somewhere and hit the floor, or just post one photo on Facebook and have 50,000 people see your link? So if you think about the efficiencies, basically the viral features that made these networks grow so much, the attackers are really learning how to take advantage of them. So 50 people tagged, 50,000 people advertised this website. So here's a website. In this instance it's selling shoes. It sells whatever kind of shoes you want: you like Nikes, you like Ugg boots, whatever you want, they're selling the shoes. But if you look at the prices they're actually below wholesale prices, so there's no way you're going to get a shoe; the Nike sign's going to fall off and there's glue around the tongue, and more realistically you're going to put in your credit card information and then you're going to see a lot of charges that you have no idea where they came from. But these are the types of just basic stuff that's happening.

Likejacking. How many have seen likejacking? Yeah, a couple of folks. So likejacking is interesting because what's happening is they're making use of the Facebook Open Graph API, and everybody wants "like me, like my company, like this article, like this thing". Well, what happens is in the news feed you see oh, my friend Scott over here liked this link, and the link is "the beautiful Ma shows her brother on Italian TV". So you're sitting at the office, it's early in the morning, he liked the link, maybe I'll take a look. So you take a look, you click, and what happens is it takes you to this page and you're almost there, it's a minute video, you're ready to press play, just see it real quick before you get back to work. Well, the problem is when you click to play this there's really no video. It's an image that is encapsulated with the Facebook Open Graph API to take your click and turn it into a like. So you look at the code here: this code is basically taking that entire image, that video frame, to function as a Facebook like button. So the first time you click it, it's saying okay, you liked it, and meanwhile it's already posting on your profile and posting on all your friends' profiles that hey, Paul likes Italian breast as well, and I didn't even see any Italian breast yet. So then the other thing it does is after I click on it, it is sitting there and also going to redirect me to some surveys. So it's taking other opportunities to monetize it, take you to some surveys where they get affiliate money back for pointing you to those. So you can see here, once you click you get a like on your Facebook profile and then you get these surveys to fill out and they make money. So it's interesting to see them really take advantage of something that seems as simple, as innocent, as a Facebook like.

Malicious Facebook apps. So here's one. Anyone saw the movie The Social Network? A couple of you guys, yeah. So you remember when it came out, it was buzzing all over the world. In France you see the pictures, the posters; in the US everybody's talking about it, everybody wants to go see it and make the formula, and they totally underestimated the technical work that it takes to actually build a website of that size. So I had all kinds of friends like hey, you know what I'm going to do this weekend? I'm going to build a social network. But if you look at it, so here's an app that was called the Social Network Closedown app, and it's saying hey, Mark Zuckerberg, the owner of the social network, has decided he's going to shut down your account unless you verify it. You have to click here to verify it; it's an official announcement, account verification starting today, and they use the Facebook logo, and it's showing up, and if you don't know where you're going you're like okay, well let me go, I don't want my Facebook account to disappear. So you click on it, it takes you to this Social Network Closedown official announcement and it wants you to install the app. And you look at what this app wants to do: this app would like to have access to all your basic information, which is your name, your profile pictures, all your friends, your phone number, your email address, just to start off with. It wants to also post to your wall. It would like to also be able to do this at any time, so whether you're logged into Facebook, or even whether you're awake or asleep, it would like access to just mess around with your Facebook page on your behalf. The last thing it wants to do here is manage your Facebook pages, which means if you are administrator for your company's Facebook page or for your church's or your soccer team's, whatever it may be, it wants to manage those pages for you too. How greedy some of these apps are. You're like oh, don't close down my account, and the next thing you know you just basically gave away the keys to your Facebook kingdom.

Here's one from about a week ago, and it actually makes use of two things: it makes use of these photo taggings as well as making use of these Facebook apps. So this one's saying hey, this guy was tagged in this album, this guy was tagged in this album. This album is called Hidden Truth, and it's claiming that it has all of this information about what happened with the tsunami in Japan and what happened with the World Trade Center attacks. It has all this information, it has pictures, and it's grabbing your attention, and there's a link. So you're like hey, if I go click on this link I'll see a website and I'll get an explanation of what happened. Well, if you click that link what happens is you get a series of redirections and it brings you back to a Facebook app. This one's not as greedy; this one only wants access to all your information, it wants to post to your wall, and it would also like access to your photos, because it wants to use your photos to lure more people in. And so you look at it, it's the Hidden Truth video app, this is pretty fresh, it had zero users so far. So if you actually go to the application page, here's the application page: they didn't put a logo up, they don't have any ratings, don't have any monthly active users, but there's a developer, Kid Agam. So let's take a look at that developer profile. So Kid, Kid, are you here? No, Kid's not here. So supposedly this is a developer that built that app, and here's the music she's into, here are the movies that she's into, and so the attacker has taken the time to create this identity, create this profile, and make the account look more and more real. And we're seeing that a lot nowadays: they're actually taking the time to create fake profiles specific to geographic regions, and so they'll have one for something as specific as a little town in a certain state, and they'll show that this person went to this college, this person went to this high school, and they work at this company, and use that to lure people that went to those places. So they have no problem making thousands and thousands of accounts and using them specifically to lure people from different regions.

Facebook examples, my last Facebook example here: automated social engineering. So this is a real chat session that popped up to me, and this lady, Kate Wrigley, is a lady that I work with at Barracuda, worked with for years at a couple of different companies, and she is a sales engineer, so she's at customer sites and dealing with things, and so she doesn't really ping me a lot through Facebook. So when I get something from her that says hey Paul, got a second, I'm like oh, what's wrong, what's wrong, a customer has a problem. And so I said hey, what's up, and she writes back, she says hey, I want you to try something real quick. I'm like oh man, she found a bug in one of the products or something. And I'm like okay, so she said okay Paul, try this test and see what you get, I can't get over a 105, it's ridiculous. It gives me a link. Like, what is it? She says let me know what you get, everyone so far beat me except Adam and Yad Yad. So at this point I'm like wait a second, this doesn't sound like you, and I'm like hey, where are you? And no more response. But obviously this wasn't her; this is an automated kind of bot sitting on her computer that had access to her Facebook credentials, and it's sitting there going back and forth having a dialogue. So you think about user education: how do you teach a user to ignore this? I sat there and talked to it. I mean, they use very casual language, they go back and forth, estimate what you're going to say. And so you think again about those spammers and why that spam volume went down so much: you're sitting there with a bunch of bots out there, would you rather send spam messages out with those bots, or would you rather sit there and do Facebook chats, which is going to get you a higher click rate? So that was a piece of malware running on that computer.

One thing that we see is we get tens of thousands of pieces of malware a day across email and web, and so one thing that we've done to try to keep up with it, because otherwise you have to manually take one sample of malware, install it in an environment, run it, analyze it, see what it's going to do: we created this thing we call Maltrace, and basically it's a virtual environment for analyzing and observing malware. And so what we do is we let the malware come in and we run it on a VM. We let it run on a nice Windows VM with all the apps loaded, and it gets in there and it gets comfortable. It gets comfortable, it makes itself at home, it starts changing registry settings and starts calling out to command and control and sending out some spam, and just does everything that it's supposed to do. But meanwhile it's in a VM, it's not really connecting to anything; we're just capturing all the network traces and understanding what domains, what command and controls, what this and that. So it actually allows us to go through 60, 80,000 pieces of malware a day and make network traces and turn that back into interesting data we can use to protect people. So that's one thing that has been sparked by just all these different pieces of malware that we're seeing.

The other thing: so this was Facebook; I'll switch to Twitter a little bit here. You guys use Twitter? Yeah, I know, I saw a couple of people that I've met on Twitter and just met in person for the first time. So it's amazing how much time people spend on Twitter. So I'm going to jump out here for a second. So we did the thing where we took a look at how much time... can you see that? Yeah. How much time people spent on Twitter, and this was around the time... you guys familiar with Kanye West? Yeah, Kanye West, music artist, yeah, okay. So this was the time he joined Twitter and he sent some tweets, and within a week he had half a million people follow him and everybody was talking about what he was tweeting, and everyone was talking about it. So we were like wow, how much time collectively did the world spend this week reading his tweets? And we've seen a similar example about a month ago with Charlie Sheen; you guys seen Charlie Sheen join Twitter? Yeah, so a similar example. But this is a view that we looked at when Kanye joined, and so we said if you add up all the people that followed him, and we actually went and looked as the number of followers increased, how much time you read each tweet, and you spent a second or two reading each tweet, how much time did the world spend reading this guy's tweets? And if one person had that much time, what could you do with it? So you add it all up, and I'll jump to the end here. So if you look at it, there's 400,000 people that followed him during that first week, and if you look at three seconds per tweet, there were 2.5 million cumulative human minutes spent reading this one guy's tweets in one week. So what could a person do with 2.5 million minutes? And so we added it up and we said okay, you had 2.5 million minutes to spend, here's all the things you could do. First of all, if you're interested in Kanye West, you can listen to each one of his albums 101 times each. And then you can go and watch every movie Kevin Bacon's been in five times each. And then, matter of fact, you've got some spare time, you could do Lindsay Lohan's jail sentence, and while you're doing that you might as well sit back, you could do T.I.'s jail sentence and you could do Lil Wayne's jail sentence. And then you can fly from Chicago to Paris and back 12 times; you could actually drive from New York to LA back and forth 12 times, 10 times. You can actually take every Rosetta Stone course available; you can sit through coursework at three colleges and get three degrees; you can build a Habitat for Humanity home; you can go to a Taylor Swift concert in every state; you can watch every NFL, NBA and Major League Baseball game this season; just look at the time that humans spent. You can climb Mount Everest and Mount McKinley, and then you can watch every episode of South Park ever made three times each, get a lap dance from every stripper in Las Vegas. There's 100,000 registered strippers in Clark County, Nevada, if anyone's ever wondered, and we estimated three minutes per dance; I mean, that's a personal preference though. But if you just look at the amount of time humans spent on Twitter, it's just a funny example of how much time goes into this, and this is reading one guy's tweets in one week. And so the point is, attackers realize there's a lot of eyeballs out there.


so there's a lot of eyeballs out there so the attackers are saying how do I get in front of these eyeballs uh so a couple things have happened you look at Twitter they've had a couple different types of incidents they've had account hijackings where the high-profile person had their account taken over attacker use it to either send funny messages out or malicious messages out and so forth they had a series of things that were kind of Twitter security problems like coding flaws that they had on their Network that caused problems and then they have this other problem of people using Twitter as a platform to distribute malicious links right so it's kind of have three different types of

things that they've had to deal with over the years so we take a look at at some of the account hijackings uh for a second here's one where uh New York Times has a publication called the moment so New York Times pretty reputable publication one of their Publications the account was hijacked and someone just used it for Pure spam like hey look here take a look at naked cam wow I thought you were New York Times right so here's one where someone took over uh BP BP America around the time of the O spill they took over the account and they're making comments about the guy that's in charge okay we'll we'll finish the all spill cleanup

as soon as we can find a double extra large sweatsuit for this guy right okay so here's one someone took over Little Wayne's account and they Ed it to to make jokes about another artist called Soulja Boy he's like hey I see you didn't sell that many albums don't worry I'll send a a PayPal to your account I'll help you out buddy right so here's a here's here's one that actually perhaps caus a little bit more confusion so this is actual roles of guns and roses and someone sent a tweet out that said hey all the upcoming Guns and Roses shows are cancelled forget about it go call somebody and get your money back right so how many people were just not

happy that day right so you know you look at some of these are funny examples but just the ability of of having an account hijacked and taking over and using that as a soap box to get your message across whether it be a joke or whether it be something malicious if you look in the neighborhood of of security flaws there's been a few problems over the years I mean one is you guys remember this one uh this 25 year old uh kid from France broke into the internal Administration system over at Twitter so it basically broke into the backend support system and use it to access accounts like the the president of the US Britney Spears Ashton Kutcher uh he

actually went to court in March of last year uh they sentenced him to to five months on they suspended it but uh he basically broke into the back end and had full access to Twitter support system uh another problem that they had this was last year was a thing called Force follow did anyone hear of this they kept it pretty quiet uh so Force follow there was a uh some codes sitting there in the back of Twitter that if you sent a tweet and it said except yeah okay uh if you sent a tweet and it said accept username so you know if it said accept Adam then it would make Adam follow me right so I just W

around I want to make everybody in here follow me except Bob you're following me now and so there was this logic that was built into Twitter from the beginning it's been there from day one somehow they forgot about it and no one ever stumbled across it but it was this thing to force someone to follow you and so this 17 year-old kid in in Turkey found it notified them and they actually fixed it but it was a kind of interesting problem that was sitting out there uh there was a a cross- a scripting problem uh back in September on mouseover where you can on Mouse over a link and it would actually retweet that that that

that tweet on your behalf right that same month they had another problem uh there was a csrf problem where uh it would post a link to to your account whenever you click their link so one was a mouse server one took an actual click to do uh so you know this is an actual Snapshot from from Twitter's blog like hey a malicious link is making rounds that will post a tweet to your account when clicked we fix the exploit and in the process of removing the offending tweets right so they've had kind a series of of these types of problems uh they've done a couple things to to try to address some of them right so one uh

thing is this URL Sher twittle has anyone ever seen a twittter link anyone ever heard of twittter yeah so yeah it's interesting so the beginning of last year they came out and you guys familiar with bitley like all these URL shorteners right the Twitter came out and said hey we're going to do our own URL shener and the world was like wow why are you know why are you doing that to bitly and your other partners and their answer was oh we're doing it for a security measure we need to analyze all the content that's coming in uh so we're going to have our own URL shortener so that we can analyze the content and make sure

it's safe before we post the links well they announced it and we really haven't seen a whole lot from it yet uh and in August of last year they rolled out oo right so they made it mandatory that if you want to give a third party you want to give a different app access to your Twitter account then you had to use oo where you can give them a token instead of having to actually give them your username password uh so that's actually a step in the right direction let's take a look at some of the malware that's been out there like actually people using Twitter to to propagate their their

links. So "funniest video ever": this was one that went around, and it was saying, haha, this is the funniest video ever, this is the funniest video ever, and it was providing links, and it used different keywords: hey, Justin Bieber, Stacy Dash, alfield, all these different things, Olympics, all types of stuff to get your attention. And it provided this link, and it was actually installing a banking trojan that was an information stealer, right? So that's one example. Here's another example, the Bifrost trojan. They were using accounts that were talking about the stuff that was going on in Israel at the time, right? So, hey, yada yada, Gaza

Strip, click this link. This guy was a little bit lazy: he actually put in a full URL with raw files and an .exe. So if you're on Twitter and you're clicking on an .exe, I don't know about you, but... so he didn't even use a URL shortener. A lot of guys are using URL shorteners. Here's one that was using the Google shortener and then pointing to Neosploit. They had compromised the website of a furniture manufacturer in France and were hosting the exploit kit from there, and you went from the Google shortener to that site and it installed Neosploit on your system. A lot of examples of rogue antivirus, right? So this

is using the Google shortener and saying, hey, very good antivirus, hey, a very good antivirus, and you click this thing and it says, here's an antivirus you can install, and sure enough, it's not a real one. Here's an example of rogue antivirus used in connection with trending topics. You guys are familiar with trending topics, right? There are different topics that people are talking about every day. So on this particular day you see Follow Friday, TGIF, Jay-Z, Pirate Day, and here are three different accounts talking about three different things: one's talking about Pirate Day, one's talking about Follow Friday, one's talking about TGIF, and they're pointing to three different URLs, totally different URLs. And then what happens is all of those

were redirecting you to security.cn, which was a traffic distribution system for rogue antivirus, and then you have this lovely decoration on your desktop, right? So you're there trying to find out about this Pirate Day movie, and the next thing you know you have new decoration on your desktop. So this is kind of what the average user is seeing on Twitter on a regular basis. So one of the areas where we've been spending some time is exploring how you can build a reputation system for social networks, in the same way that over the years we built reputation systems for email, right? You're familiar with IP reputation systems for email? The

world went from content-based filtering to IP-based blacklists, IP-based reputation systems for email. It's one of the things that, in my opinion, saved email: it kept things to the point where the industry could keep 90-plus percent catch rates and stop spam from showing up in the inbox, because it was all about understanding an IP as an identity and taking the behavior of that IP and turning it into an indication of whether this guy is useful or not. So how can you take that same concept and apply it to a social network? How can you apply it to a particular account? How can I look at your behavior and decide if you're a

real account or not, a legitimate account or not? So that was the goal: based on someone's behavior, not waiting to read their content, not doing signature scans and URL filtering and stuff on the content, but if I can understand the behavior of one account versus another, how can I use that to decide if you're legitimate or not? So we built this system that goes through the Twitter stream to get information, and it also does some queries to get information, but the goal again is not content-based, purely activity-based. So if you think about Twitter, what are the activities? Basically, what do

you know about an account? I know when you joined, I know how many times and at what frequency you tweet, I know how many people follow you and I know how many people you follow, and I can look at the relationships between those things. So just based on that, how can I begin to figure out who's good and who's bad? There are a few things. One thing that we need to look at first is what's the baseline, what's a normal user. There are 100 million plus Twitter users; what does a normal user look like? So we created a pretty low bar. We said, okay, you're a true Twitter user if

you've tweeted at least 10 times, 10 people follow you, and you follow 10 people. You're a true Twitter user; you've at least turned the thing on, right? You've kicked the tires. Well, you look at all the accounts on Twitter, and what we've seen is less than half of them qualify for that low bar: 43% of them are true Twitter users, and that's 10 followers, 10 tweets, 10 following. So you have over half of the network that's just sitting out there with accounts, right? So that's the first thing: half of the network is just sitting out there with accounts. So then you start to look at, okay, well, how many people are you following,

right? How many people are you following? And what happens is, if you look at Twitter as a whole, basically 16% of the accounts are following nobody, right? And if you add 16 plus 27, almost half of the accounts are following fewer than 10 people. So you think about the whole network: 16% of them are following nobody. So you have a Twitter account, you're not following anybody, what do you see when you log in, right? So you start to think about what's the normal user, trying to profile and baseline a normal user so we can figure out what the outliers are. So this is interesting, just stuff about how people are using the network, because

all you ever hear is, oh, Twitter's growing, it's growing, it's growing, but you never really hear data about, okay, how are people actually using it? So the fact that 16% of the accounts, that's one in every seven accounts, are not following anybody... you know how it happens: you can log into your Twitter client, you're not following anybody, you get an empty screen, right? So the other thing that we started to look at is the relationship between how many people you're following and how many people are following you. And so the question is, are people using Twitter like a normal social network where you have a two-way connection, a two-way graph,

right? You look at Facebook: as soon as we're Facebook friends, it's a two-way relationship, I'm your friend, you're my friend, whereas on Twitter there are one-way relationships, right? I follow you, and then you decide whether or not you want to follow me. So we wanted to look at whether people were using it in more of a two-way connection mode, or whether there were people that were more consumers of information or more producers of information. And what we found is basically 43% of the accounts on Twitter have the same number of friends and followers, the same being plus or minus five, right? So 43% of the accounts, almost half of the accounts out there, are using it as a full two-way

connected graph relationship. But then you look and there's 34% that have more followers, so they're a little bit more producers of content, and then there's 23% that have more people that they're following, so they're a little bit more consumers of content, right? I'll get to why that's important. The other thing that we wanted to measure is what we call the Twitter crime rate, right? The Twitter crime rate, what's that? That's basically, if you look at all the accounts that were created in any given month on Twitter, what percent of those accounts were kicked off, right? They violated the terms of service and they were suspended. Not that they quit; they were suspended. So if you

look at any particular month, what percent of the accounts were suspended? To look at that, the other thing we looked at was the growth. A Twitter account will tell you what day it joined, so if we look at enough Twitter accounts, I can see what day you joined and I can really look at the growth cycle of Twitter. And so that's what we did: we went back and looked, since 2006, at what the growth cycle of Twitter was. So one interesting thing that we stumbled across is there's this period at the end of '08, between November of '08 and April of '09: you look at the top 100 users on

Twitter right now by number of followers, the top 100 people on Twitter, and half of them came in the same six-month period, right? So pick your favorite celebrity, whether it's Martha Stewart or Kim Kardashian or 50 Cent or whatever you're into, half of the celebrities came in the same six-month period. So I don't know if they all called each other, like a celebrity committee meeting, and they're like, okay, we're going to join Twitter now. But if you look back, literally, look at the top 100 people on Twitter, 50% of them joined in the same six-month period. So what happened is the growth rate of Twitter went up from 2% to 20%,

right? So you can see the Twitter account creation during that time period, right? And what do we know in security: wherever the users go is where the attackers will come. And so we wanted to measure that, we wanted to see how is that really happening, how fast is that happening, how quickly are the attackers responding. And so what we looked at, this measures the crime rate, right, what percent of accounts that were created in any given month were suspended. So since the beginning of the network, in 2006, Twitter was averaging about 1.2% of accounts that were created in any given month being suspended; in 2007 it went up to 1.7%; in 2008

it was at 2.2%; then you had this red carpet era, and during the red carpet era it went from 2% to 3.3%, so it increased 60%, right, during this red carpet era. But then within four months after that it jumped up to 12%. So from two to three to 12 as the users increased, right? So 12%, that's like one in every eight accounts that's created being suspended, and that's just the ones they're catching, right? Are they catching half? I doubt it. Are they catching 10%, maybe 20%? They're not catching 99%, right? So it just shows the ability of the attacker to respond quickly: oh wait, all the users are here, all right,

I'm over here now, and dig in. So with that understanding we started to then look at, okay, how do we find these accounts, how do we find these accounts proactively? So what this is looking at is the delta between how many people you're following and how many people you have as followers, right, how many followers you have and how many people you're following. The red are suspended accounts and the green are still active accounts, right? And so what you see is that people that were suspended had a larger delta between their friend count and their follower count than normal legitimate users.

Well, why is that? Why is that? Well, say you're creating a fake account on Twitter and you're trying to get a bunch of followers. What do you do? The first thing you go do is you go follow a lot of people, right? You go follow a lot of people and you hope that they follow you back, and the attackers have tools to automate this for them. They'll go follow a thousand people, they'll wait for 100 of them to follow back, they'll unfollow, they'll go follow the next thousand people, trying to recruit people to follow. So as they crank these accounts up, they go and they follow a lot of people, and then once

they're successful, they actually unfollow; they unfollow most of them. So then they end up here: they end up with way more followers than they have following. So they go back and forth between these two sides of things trying to create and harvest that account, and so you see a pretty big distinction between legitimate accounts and illegitimate accounts in that friend/follower delta. So that's just one data point. Another thing that we wanted to look at was how much someone tweets. How much do you tweet? And so you can see, the Twitter API will tell you the number of tweets you've sent: you sent this many tweets, you sent this many

tweets. Well, the number of tweets that you've sent isn't as interesting as the rate, right? Have you sent the 100,000 tweets that you've sent over two days or over five years? So if you look at the average, basically here the average number of tweets that you send per day, we call that the tweet number, right? You've got a Sleep Number, you've got a tweet number. And it was kind of interesting at first, because we said, oh, okay, let me see what my tweet number is, and my tweet number is like 1.4, right? So some days I tweet twice and some days I don't tweet, and so my tweet

number is 1.4. The guy sitting next to me in the office was like 3.1; what are you doing all day, right? And then we have some friends that tweet a lot, like, hey, let's look at this guy George, what does he do? Wow, 30. How do you have a tweet number of 30? What do you do, every 15 minutes, like, get a job, right? So we started to look, and this, if you can read it, shows the percentage of accounts that have tweet numbers in different ranges. So about 80% of the accounts out there tweet less than once a day on average, right? There's 10% that tweet between one and four times a

day, 5% that tweet between five and nine times a day, 3% that tweet between 10 and 100, and 0.2% that tweet over 100 times. Who's tweeting over 100 times a day? What's interesting about that: they're 0.2% of the population, but if you do the math, they can actually represent about 38% of all the traffic on Twitter because of the number of times that they tweet, right? You compare someone tweeting 200 times to someone tweeting one time every two days: this 0.2% of the population can represent about 40% of the overall tweets on the network. So it's pretty imbalanced if you look at it. So, you know,

if you look at a reputation system, what you want to do is take different features, different characteristics, and use that to basically profile, right? There's a lot of talk in the world about profiling people at the airport and this and that, but that's really what it comes down to: there are certain characteristics that are indicative of a good Twitter account and a bad Twitter account, and I want to take those features and use a classifier to show me some separation between two data sets, right? So just looking at these two basic features for a second, tweet number as well as this friend/follower ratio, if I just look at those

two features, what can I do? So here's some manual stuff we can show. Here I'm looking at high tweet numbers and high friend/follower deltas, right? So your friend/follower delta is in about the 2,500 range and you have a tweet number over 100: what do you see? You start to see some spammy stuff, you start to see "earn money today", "revs by seller", "my sports tracker". So you see real spammy accounts when you have high tweet numbers and a high friend/follower delta. These are accounts that are really out there following a lot of people, trying to attract traffic and followers back to them, right? So they're

scammy accounts. If you look in the other direction, these are still people with even higher tweet numbers, 100 to 400 tweets a day, and they have a negative follower/friend delta, which means that they've gone out, recruited people to follow them, and then they've unfollowed them, right? So they have this negative number in their follow/friend ratio. So you look at that and you start to really see some scammers coming out: you've got voucher codes, you have instant biz tips, you have cam for porn, right, tweet stock tips. You start to be able to get some separation just based on some features. I never looked at their content, I never looked at their content, but

I just looked at two things: I looked at their tweet number and I looked at their friend/follower ratio, and I can tell you that I don't want anything to do with these accounts, right? So that's just an example of building user reputation based on behavior features. So here's a Twitter account, Download Heaven, and if you've never looked at Download Heaven, what you can see is they have a very low friend/follower ratio, a very high negative friend/follower delta, and a tweet number over 100. So we look at that and say, okay, well, let's see, are they good or bad? So

Download Heaven, actually, go back... wait, no, that way, there we go. Download Heaven runs this website, right? Download Heaven, and if you look up the Google Safe Browsing diagnostic for Download Heaven, well, in the last 90 days they had 15 pages that resulted in malicious software being downloaded, right? The malicious software included five trojans and one exploit, and it redirects to and hosts that on two different domains. There appears to be one domain acting as an intermediary, and there's a neighborhood of like five different Twitter accounts, all registered to the same person, all registered to the same set of domains, right? So you started off with nothing more, excuse me, started off with nothing more

than what's your friend/follower delta and what's your tweet number, and sure enough it pointed me to a malicious account that's been proven out over the last few months to be a source of malicious software. So there's more of that there. But as I look at the time, here's a tool that we created. It's called Profile Protector; it's a free thing, it's profileprotector.com, a free website that you can go to and we'll scan your Facebook profile as well as your Twitter feed and look for malicious activity. So you basically go, you log in, and scan your Facebook profile and scan your Twitter feed for

malicious activity. So it's something to take a look at. So the last topic I want to touch on, as I have about 10 minutes here: we looked at Twitter, we looked at Facebook, and one thing that's happening a lot is people using Twitter as a search engine, right? There are some people that go and follow you guys as friends; there are some people that go to Twitter to look for information: I'm looking for what's going on right now, I'm using it as a search engine. And Twitter, as well as the other search engines, is becoming a very interesting data point for attackers, because as the web is growing so quickly,

the search volumes that are occurring every day are higher than ever. The number of searches that happen on Google, I mean, the reason Google's such a huge company is people use it to search; same thing for Bing, same thing for Yahoo. So the attackers realize, oh, there are a lot of eyeballs; how do I get in front of those eyeballs? So they're using search engine optimization to make themselves rank high for certain searches; they're actually going out and compromising certain sites that already have high rankings. So what we wanted to do was understand how much this is happening, how often it's happening. So we built this thing that we call the search engine malware

crawler, and it does just that: it goes to each of the engines and says, hey, what are the popular search terms right now, and it goes and just searches for them, looks at the results, and analyzes them looking for malware. So it basically just does what a user would do. I figure out what the popular search terms are for each engine, because they'll all tell me, hourly or daily depending on how they're configured. I ask, hey Google, what are the popular search terms? Okay, let me go search for them, let me take the results, and then I'll go analyze them. Same thing with Bing, same thing with Yahoo, same thing with Twitter.

And so that's what we did. We've been running this for, I don't know, the last year, year and a half or so. So here's a snapshot of some of the results. Four different search engines, 153 days, the last five months of 2010. So in a five-month period you ask every search engine regularly what the popular search terms are; that gets you 157,000 popular topics, right? You actually go and pull the results for those; that gets you 36 million search results. So all we're doing is saying, hey, what's popular, give me search results, let me see if I find any malware. So did we find any malware? Yeah, maybe a little bit. We found 34,000 pieces of malware,

just looking at top search results for popular terms. We didn't go looking for, hey, let me go find screen savers and see what I can find, let me go over here and search for malware and see what I can find. It was whatever was popular right then: we searched for it and got the results, 34,000 pieces of malware, right? So on average one in every 1,000 search results led to malware, and on average basically one in every five search topics led to malware, right? If you look at the distribution of where that malware was, this is interesting: Google was 38%, Yahoo 30, Bing 24, Twitter at 8. So two interesting points here. One, the last

time we did this, in the middle of last year, Google was 69%. Now what happened is the amount of malware found daily on Google remained about the same, so it didn't go down by half; the amount on the other engines went up, right? So we're finding almost twice as much malware at the end of the year as we were finding in the middle of the year, and it's not about the proportion Google looks at. Google, I think they did an announcement: hey, look, our search percentage went down according to Barracuda Labs. No, your actual number of malware a day actually remained consistent. It's just that, in my opinion,

the attackers tried this out on Google: oh man, this works. Then they went over to Bing and started doing the same thing, they went over to Yahoo and started doing the same thing; that's why the numbers went up. Same thing on Twitter. And the reason, in my opinion, that the number on Twitter is low compared to the others is because, I mean, what a search engine is supposed to do is take results for you and make them relevant. It's supposed to go find what you're looking for and help you find it, whereas on Twitter, the way search works on Twitter especially: oh, what term do you want? All right,

here's the latest snapshot of who's talking about that. There's no relevance, there's no ranking, and so that works for and against the attacker, in that they don't have the opportunity to do search engine optimization and make their sites rank higher. So as an attacker, if you're smart and you have resources, you have the opportunity to get your attack higher in Google search results than you do on Twitter, where Twitter is a gamble; you're just playing the odds, right? It's like playing roulette: put my data in there, did it get picked? Put my data in there, did it get picked? So that's why the number for Twitter is artificially lower, because attackers don't have

the ability to use search engine optimization in their favor, right? So a quick example of search engine malware. Anybody know this guy? Yeah, I think he plays basketball or something, right? So if you guys remember last year he was changing teams, remember he used to have a jersey that said Cleveland, and he was changing teams, and it was a big deal, right? It was a big deal in certain parts of the world, and a lot of people were searching for, oh, what team is he going to go to, is he going to New York, is he going to LA, what team is he going to? So a lot of people were

searching for him, they were looking for his Twitter feed, they were looking for information about where LeBron James is going to play. And so here's a result from Google. You search for "LeBron James Twitter", this is a result from the first page of Google. It's like, hey, right here, here's LeBron James' Twitter, and you click on this thing and it says, oh, okay, wait, if you want this content you just need to update to Adobe Flash Player; you just need version 11. Adobe has a release version, last time I checked, that wasn't on my computer, so I'm like, okay, cool, let me get version 11. You go ahead, it gives you an executable to download, and the next thing you know, what do you get? New

decoration on your desktop, right? So here we are, first page results on Google for a trending topic, and you're basically getting hit with rogue antivirus. So those are the types of things that the attackers are up to on the search engine malware side, and how it relates to social networks. So my last point: you remember I started off talking about spam, and while the spam volume's been going down, all this other stuff is going up. So I want to take a look at some of my favorite spammers, right? If you've been following the spam problem for a while, you go back to like 2003, 2004, there were some famous spammers. You guys remember these guys at

all? Alan Ralsky, Scott Richter? No? Well, Alan Ralsky, remember there used to be a top 10 list of spammers. There was a top 10 list of spammers that was published all the time, like monthly, and it would change based on their spam volume, and this guy Alan Ralsky used to always be number one; he was sending hundreds of millions of messages a day, almost, right? But this guy Scott Richter, he would be number two, but he would also be number nine because he had two different companies, right? And these guys used to brag. One of them called himself the Godfather of Spam, the other was like, I'm the King of Spam, I'm

the Godfather of Spam and the King of Spam; it's like James Brown and Michael Jackson, right? And so one of the guys bragged, oh, I made $3 million this summer doing pump and dump, right? And this guy's like, well, I sold 20,000 copies of the RQ card deck before I ever printed them; I made a million dollars in card decks before they were ever printed, right? So these guys were raking in the money, then they started to have some problems: one of these guys had the FBI raid his apartment, the other guy was sued by the New York Attorney General and by MySpace. So they both ran into these problems. So the point is, let's take a look at what

these guys are up to today, right? What are they up to? So Alan Ralsky, after the FBI raided his apartment in 2005, he is in the middle of a four-year sentence at a federal prison, okay? His buddy Scott Richter, after a bunch of lawsuits, New York Attorney General, all this and that, he just started a social gaming company, right? So you think about who's behind these things, right? These are the same guys that are trying to figure out ways to monetize their skill set illegally: the same guys that were sending email spam, the same guys that were sending phishing attacks, the same guys doing social networking threats. So I don't know if anybody wants to install a game from

Lunatic Games; let me know how that works out, right? So with that I'll wrap up. But basically what we saw is there's a lot of interesting stuff that's been happening on the web: social networks are growing, the viral features are growing, the web is growing, one new domain name per second, all these things are happening, but it's creating this window for the attackers. It's creating this window because it's truly disrupting the traditional ways that we secured our users, and so we looked at a few different ways that the attackers are taking advantage of it. And so with that, this is how we're spending our time at Barracuda Labs:

looking at more ways to be more proactive about building reputation systems for these networks, looking for ways to actually go out and find the threats before users stumble across them. So with that, take a look at Profile Protector, a free tool; take a look at Barracuda Labs if you're not doing that already; there are some more threat reports that dig into this in more detail. And so thanks for spending the first part of your day with

me.
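The behavior-only account reputation features the talk walks through (the "true Twitter user" bar, the friend/follower delta, the tweet number as a rate rather than a lifetime count, the per-creation-month crime rate, and the share of traffic produced by the 0.2% heaviest tweeters), as an added worked example. This is editor-written illustration code, not Barracuda Labs' system and not code from the talk: the thresholds (tweet number of 100/day, delta of 2,500, churn delta of -1,000) are assumptions chosen to match the ranges the speaker eyeballs on his slides, and every account in the sample set is constructed.

```python
"""Behaviour-only reputation features for social accounts (added example).

Not Barracuda's system: it computes the features described in the talk
over a handful of constructed accounts and applies hand-picked thresholds.
No tweet content is inspected anywhere; only activity metadata is used.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Account:
    """Public activity metadata visible for any account."""
    handle: str
    joined: date
    tweets: int              # lifetime tweet count reported by the API
    followers: int           # accounts following this one
    friends: int             # accounts this one follows
    suspended: bool = False  # hindsight label, used only for the crime rate


# Assumed thresholds, picked to match the ranges eyeballed in the talk
# (delta around 2,500, tweet number over 100). Not production values.
TRUE_USER_BAR = 10
HIGH_TWEET_NUMBER = 100.0    # tweets per day
MASS_FOLLOW_DELTA = 2500     # friends - followers during the follow-everyone phase
CHURN_DELTA = -1000          # friends - followers after mass unfollowing


def tweet_number(acct: Account, today: date) -> float:
    """Average tweets per day since joining: a rate, not a lifetime total."""
    days = max((today - acct.joined).days, 1)
    return acct.tweets / days


def friend_follower_delta(acct: Account) -> int:
    """Positive: follows far more than follow back. Negative: the reverse."""
    return acct.friends - acct.followers


def is_true_user(acct: Account, bar: int = TRUE_USER_BAR) -> bool:
    """The talk's low bar: at least 10 tweets, 10 followers and 10 friends."""
    return min(acct.tweets, acct.followers, acct.friends) >= bar


def tweet_number_bucket(tn: float) -> str:
    """Ranges used in the talk's tweet-number distribution."""
    if tn < 1:
        return "<1"
    if tn < 5:
        return "1-4"
    if tn < 10:
        return "5-9"
    if tn < 100:
        return "10-99"
    return ">=100"


def suspicion_flags(acct: Account, today: date) -> list[str]:
    """Rule-of-thumb separation using only the two features from the talk."""
    tn = tweet_number(acct, today)
    delta = friend_follower_delta(acct)
    flags = []
    if tn >= HIGH_TWEET_NUMBER:
        flags.append("bulk_posting")
        if delta >= MASS_FOLLOW_DELTA:
            flags.append("mass_following")   # still recruiting follow-backs
        if delta <= CHURN_DELTA:
            flags.append("follow_churn")     # recruited, harvested, unfollowed
    return sorted(flags)


def crime_rate_by_month(accounts) -> dict[str, float]:
    """Fraction of accounts created in each month that were later suspended."""
    created, suspended = defaultdict(int), defaultdict(int)
    for a in accounts:
        month = a.joined.strftime("%Y-%m")
        created[month] += 1
        suspended[month] += int(a.suspended)
    return {m: suspended[m] / created[m] for m in sorted(created)}


def heavy_tweeter_share(accounts, today: date, threshold: float = HIGH_TWEET_NUMBER):
    """(share of accounts, share of all tweets) for accounts at or above threshold."""
    heavy = [a for a in accounts if tweet_number(a, today) >= threshold]
    total = sum(a.tweets for a in accounts)
    return len(heavy) / len(accounts), sum(a.tweets for a in heavy) / total


# Constructed sample: handles and numbers are invented for illustration.
TODAY = date(2011, 6, 1)
SAMPLE_ACCOUNTS = [
    Account("alice", date(2009, 3, 1), 1150, 230, 225),
    Account("bob", date(2010, 12, 1), 60, 40, 44),
    Account("lurker", date(2011, 1, 15), 0, 1, 0),          # follows nobody
    Account("newsbot", date(2011, 5, 2), 900, 120, 130),
    Account("dormant", date(2011, 4, 20), 2, 3, 12),
    Account("earnmoney", date(2011, 5, 2), 4000, 500, 3200, suspended=True),
    Account("vouchercodes", date(2011, 4, 12), 10000, 5200, 40, suspended=True),
]

if __name__ == "__main__":
    for a in SAMPLE_ACCOUNTS:
        tn = tweet_number(a, TODAY)
        print(f"{a.handle:13} tweet#={tn:6.1f} ({tweet_number_bucket(tn):>5}) "
              f"delta={friend_follower_delta(a):6d} true={is_true_user(a)!s:5} "
              f"flags={suspicion_flags(a, TODAY)}")
    print("crime rate by join month:", crime_rate_by_month(SAMPLE_ACCOUNTS))
    print("heavy tweeters (accounts, tweets):", heavy_tweeter_share(SAMPLE_ACCOUNTS, TODAY))
```

The two constructed spam-style accounts separate from the rest on the two features alone: one is still in the mass-follow phase (large positive delta), the other has already unfollowed its recruits (large negative delta), and both post at well over 100 tweets a day, which is also why two out of seven accounts account for most of the sample's tweets. In a real deployment the hand-picked cut-offs would be replaced by a classifier trained on suspended-versus-active labels, as the talk describes.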
