Vendor Hype ‘du Jour’: Blogs are Evil

Posted by in Analysis on Aug 4, 2006


Everybody’s at BlackHat except me and apparently Michael
Howard. I sort of figured that since BlackHat got bought out by the CSI
people last year, that there’d be less people in attendance, but apparently that
wasn’t the case…  Anyway, as a consequence of that, chatter in the press
is off the charts with respect to Infosec: press releases are way up,
announcements are being issued like bullets from a tommy-gun, and everybody and
their brother seems to be writing about what’s going on in Las Vegas. Of course,
vendor mouthpieces are saying those things that they say and using BlackHat as
their pulpit to spread the message.  Yesterday, Caleb Sima (CTO of SPI
Dynamics) took center stage to make the proclamation that
blogs are evil:

Internet users who employ Web-based services such as Bloglines or Web
browsers such as Firefox to read Web site feeds and blogs are vulnerable to
embedded malicious code that can install spyware, log users’ passwords, scan
PCs and corporate networks for open ports and more, said Caleb Sima, chief
technology officer at SPI Dynamics Inc., an Atlanta-based Web application
security company.

Yes, apparently the blogosphere is like a gigantic petri dish newly filled
with fresh auger; any day, colonies of bacteria could come and spread like
wildfire throughout the tasty substrate.  And the reason nobody’s doing
it?  According to Caleb, because malware authors are dumb:

"The only reason we haven’t had a lot of problems yet is because no
one has really thought of it," he said… A Web feed could contain a link
to another Web site or blog that’s hosting malicious JavaScript. Or the Web
feed’s author could unknowingly paste that JavaScript into his own blog. Or a
blog may have an area allowing readers to post public comments. Those can also
store malicious bits of JavaScript…

Well that’s certainly one possibility – but I doubt it.  I think there
are other things going on too.  For example, maybe it’s not as practicable
as one might think; for example, I can tell you that I think it’d be a cold day
in hell before I "unknowingly paste" malware code into my blog
entries.  But maybe that’s just me.  Maybe some other bloggers might
be tempted to paste 40-50 lines of dense
javascript code into their entries from an untrusted source without
understanding what it does, stranger things have certainly happened. But are
bloggers more likely to paste in this nefarious code than folks users on
bulletin boards, users of services like MySpace, or other authors?  If so,
why?  Of course, it could also have something to do with the (on by
default) HTML-filtering
capability in MT 3.2 comments.  Could it be that the fact that you
can’t put scripts into comments on most blogs helps to keep down the number of
people doing that?  I would argue that it does – after all, the
impossibility of doing something usually tends to keep it from happening…

So thanks to SPI Dynamics for pointing out this danger and putting blog
readers on their guard.  After all, who needs blogs anyway?  Better we
stick to traditional media where content is more strictly controlled and this
kind of hacker
activity can’t happen.

Search
  • http://none@toreport.com Tyler

    Sounds a bit interesting that you respond so quickly and yet, you didnt attend the presentation. I was there (and still am (jack…if you see this….i hope you’re really hung this morning…you deserve it)), listened to his presentation and came away with a very different opinion. I live in Southern California and am very involved in security and development and can absolutely see where this vector might present problems moving forward.

    Did you just read that other persons article and respond with your own opinion? Sounds a bit like CNN’s reporting style….

    T

  • Ed

    Tyler,

    You’re right – I didn’t attend his presentation and I am going only by what the press has reported about the presentation; certainly, the press has misreported things in the past so it could be that this talk was reported in a way that’s totally off base from what’s discussed during the conference. Of course, it seems to me that if people had to actually attend event before discussing it that we’d have a lot less discussion. For example, I don’t think I could make the claim that mankind landed on the moon – after all I wasn’t there.

    Additionally, as always I reserve the right to be totally wrong about stuff… Maybe SPI’s right and blogs are a petri dish – it’s certainly possible that RSS worms will turn out to be the next big thing in malware. I would have liked to hear his line of reasoning; those guys are pretty smart so it’s certainly possible that they are thinking about this in a way that I currently haven’t. HOWEVER…

    …none of those things change the premise on which my argument is founded. Namely, that it seems to me that if we were going to see RSS and/or blogging content in general as a viable transmission vector for malware, that we would to date have seen some activity in the wild. The MySpace worm was incredibly successful and received tremendous attention for the author in the press. Is it really the case that malware authors are unable to make the intuitive leap between the MySpace worm and a MoveableType worm? Seems to me that’s not giving them much credit…

  • http://securityplace.blogspot.com Michael R. Farnum

    I’m gonna play Bruce Schneier here. Maybe some of this comes down to the economic argument, namely, where’s the money in it? Since most worms coded today are for monetary gain, the bad guy out there has to determine a way of making money off creating a worm for RSS or for Moveable type or for WordPress, etc, etc, etc.

    I am not saying there is not a way to make money off of it. The baddies out there think about that way more than I do. But when you think that most blogs are run from either somebody’s house or hosted by a service, and there’s typically no selling or other monetary exchange going on for ID theft to be an angle, then I doubt it will be any issue.

  • http://www.securitycurve.com/blog Ed

    OK, just for the record. CNET picked this story up and ran the details with less FUD and panic than the link I referenced earlier (actual coverage of the talk vs. content from Caleb’s commentary.) Here’s the link: http://news.com.com/Blog+feeds+may+carry+security+risk/2100-1002_3-6102171.html

    As an aside, I think part of the disconnect is that this morning I was commenting on Caleb’s comments – *not* about the talk, although I guess it’s easy to assume the two things are related given the fact that it’s the same company doing both. But seriously, how could I know that from this morning’s story?

TwitterRssFacebook