August 04, 2006

Vendor Hype 'du Jour': Blogs are Evil

Everybody's at BlackHat except me and apparently Michael Howard. I sort of figured that since BlackHat got bought out by the CSI people last year, there'd be fewer people in attendance, but apparently that wasn't the case...  Anyway, as a consequence of that, chatter in the press is off the charts with respect to Infosec: press releases are way up, announcements are being issued like bullets from a tommy-gun, and everybody and their brother seems to be writing about what's going on in Las Vegas. Of course, vendor mouthpieces are saying those things that they say and using BlackHat as their pulpit to spread the message.  Yesterday, Caleb Sima (CTO of SPI Dynamics) took center stage to make the proclamation that blogs are evil:

Internet users who employ Web-based services such as Bloglines or Web browsers such as Firefox to read Web site feeds and blogs are vulnerable to embedded malicious code that can install spyware, log users' passwords, scan PCs and corporate networks for open ports and more, said Caleb Sima, chief technology officer at SPI Dynamics Inc., an Atlanta-based Web application security company.

Yes, apparently the blogosphere is like a gigantic petri dish newly filled with fresh agar; any day, colonies of bacteria could come and spread like wildfire throughout the tasty substrate.  And the reason nobody's doing it?  According to Caleb, because malware authors are dumb:

"The only reason we haven't had a lot of problems yet is because no one has really thought of it," he said... A Web feed could contain a link to another Web site or blog that's hosting malicious JavaScript. Or the Web feed's author could unknowingly paste that JavaScript into his own blog. Or a blog may have an area allowing readers to post public comments. Those can also store malicious bits of JavaScript...

Well, that's certainly one possibility - but I doubt it.  I think there are other things going on too.  For example, maybe it's not as practicable as one might think: I can tell you that it'd be a cold day in hell before I "unknowingly paste" malware code into my blog entries.  But maybe that's just me.  Maybe some other bloggers might be tempted to paste 40-50 lines of dense JavaScript into their entries from an untrusted source without understanding what it does; stranger things have certainly happened.  But are bloggers more likely to paste in this nefarious code than users of bulletin boards, users of services like MySpace, or other authors?  If so, why?  Of course, it could also have something to do with the (on by default) HTML-filtering capability in MT 3.2 comments.  Could it be that the fact that you can't put scripts into comments on most blogs helps to keep down the number of people doing that?  I would argue that it does - after all, the impossibility of doing something usually tends to keep it from happening...
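As an added illustration of the kind of HTML filtering credited above (example code written for this page, not MT's or SPI's), here is an allowlist sanitizer a feed reader or blog could apply to untrusted entry and comment markup before rendering it; the RSS document is constructed for the demonstration.

```python
import xml.etree.ElementTree as ET
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "a", "b", "i", "em", "strong", "ul", "ol", "li", "br", "code", "blockquote"}
ALLOWED_ATTRS = {"a": {"href"}}          # everything else, including on* handlers, is dropped
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed"}
SAFE_SCHEMES = ("http://", "https://")   # rejects javascript: and data: URLs

class Sanitizer(HTMLParser):
    """Rebuilds feed markup from scratch, keeping only allowlisted tags/attributes."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0      # skip > 0 while inside a dropped element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1
        elif not self.skip and tag in ALLOWED_TAGS:
            kept = []
            for name, value in attrs:
                if name in ALLOWED_ATTRS.get(tag, ()) and value:
                    if name == "href" and not value.strip().lower().startswith(SAFE_SCHEMES):
                        continue
                    kept.append(f' {name}="{escape(value)}"')
            self.out.append(f"<{tag}{''.join(kept)}>")
        # any other tag (img, form, ...) is removed; its text content is kept

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data))  # re-escape so text cannot become markup

def sanitize_html(fragment):
    s = Sanitizer(); s.feed(fragment); s.close()
    return "".join(s.out)

def sanitized_descriptions(rss_xml):
    """Cleaned <description> of every <item> in an RSS 2.0 document."""
    return [sanitize_html(i.findtext("description") or "") for i in ET.fromstring(rss_xml).iter("item")]

FEED = """<rss version="2.0"><channel><title>constructed feed</title><item><title>t</title>
<description><![CDATA[<p>Hello <b>reader</b><script>alert(1)</script></p>
<a href="javascript:alert(2)" onclick="alert(3)">click</a> <a href="https://example.org/">ok</a>
<img src="x" onerror="alert(4)">]]></description></item></channel></rss>"""
```

Rebuilding the markup from an allowlist, rather than deleting known-bad patterns, is what keeps script out regardless of how it is encoded or nested.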

So thanks to SPI Dynamics for pointing out this danger and putting blog readers on their guard.  After all, who needs blogs anyway?  Better we stick to traditional media where content is more strictly controlled and this kind of hacker activity can't happen.

Posted by Ed at August 4, 2006 07:44 AM
Comments

Sounds a bit interesting that you respond so quickly and yet, you didn't attend the presentation. I was there (and still am (jack...if you see this....I hope you're really hung this morning...you deserve it)), listened to his presentation and came away with a very different opinion. I live in Southern California and am very involved in security and development and can absolutely see where this vector might present problems moving forward.

Did you just read that other person's article and respond with your own opinion? Sounds a bit like CNN's reporting style....

T

Posted by: Tyler at August 4, 2006 11:05 AM

Tyler,

You're right - I didn't attend his presentation and I am going only by what the press has reported about the presentation; certainly, the press has misreported things in the past so it could be that this talk was reported in a way that's totally off base from what's discussed during the conference. Of course, it seems to me that if people had to actually attend an event before discussing it, we'd have a lot less discussion. For example, I don't think I could make the claim that mankind landed on the moon - after all, I wasn't there.

Additionally, as always I reserve the right to be totally wrong about stuff... Maybe SPI's right and blogs are a petri dish - it's certainly possible that RSS worms will turn out to be the next big thing in malware. I would have liked to hear his line of reasoning; those guys are pretty smart so it's certainly possible that they are thinking about this in a way that I currently haven't. HOWEVER...

...none of those things change the premise on which my argument is founded. Namely, that it seems to me that if we were going to see RSS and/or blogging content in general as a viable transmission vector for malware, that we would to date have seen some activity in the wild. The MySpace worm was incredibly successful and received tremendous attention for the author in the press. Is it really the case that malware authors are unable to make the intuitive leap between the MySpace worm and a MoveableType worm? Seems to me that's not giving them much credit...

Posted by: Ed at August 4, 2006 12:29 PM

I'm gonna play Bruce Schneier here. Maybe some of this comes down to the economic argument, namely, where's the money in it? Since most worms coded today are for monetary gain, the bad guy out there has to determine a way of making money off creating a worm for RSS or for Moveable type or for Wordpress, etc, etc, etc.

I am not saying there is not a way to make money off of it. The baddies out there think about that way more than I do. But when you think that most blogs are run from either somebody's house or hosted by a service, and there's typically no selling or other monetary exchange going on for ID theft to be an angle, then I doubt it will be any issue.

Posted by: Michael R. Farnum at August 4, 2006 01:04 PM

OK, just for the record. CNET picked this story up and ran the details with less FUD and panic than the link I referenced earlier (actual coverage of the talk vs. content from Caleb's commentary.) Here's the link: http://news.com.com/Blog+feeds+may+carry+security+risk/2100-1002_3-6102171.html

As an aside, I think part of the disconnect is that this morning I was commenting on Caleb's comments - *not* about the talk, although I guess it's easy to assume the two things are related given the fact that it's the same company doing both. But seriously, how could I know that from this morning's story?

Posted by: Ed at August 4, 2006 02:09 PM