Threats Posed by URL Shorteners

4 10 2011

About to click on a shortened URL link your friend posted on Twitter? THINK AGAIN!!! Since you can’t see the real URL, you might be led to a fake website and realize it is spam only when it is too late. The chance of being infected with malware is heightened when following shortened URL links. I would first like to explain why URL shortening came into existence. It can be frustrating when you can’t post a lengthy URL on Twitter, a short messaging site that limits posts to 140 characters. Lengthy URLs in general are difficult to share and may break in emails[4]. This led various vendors to offer free URL shortener services.

The catch here is that URL shortener services are free for attackers as well and can be used to hide the malicious destination address in the link. You are less likely to click on the full URL of a malicious website than on a shortened URL for the same website, which might appear genuine. An incident in which attackers used the Google shortener goo.gl to spread malware on Twitter is described in this link. Ben Schmidt, a computer science major from the University of Tulsa, demonstrated how easily a DDoS (Distributed Denial of Service) attack can be mounted by creating his own URL shortener and merely requiring users to follow a link. This attack doesn’t even require the user to download any software[3]. Another kind of attack is when attackers set up fake URL shorteners that return malicious shortened URLs for a genuine URL submitted by a legitimate user.

This issue was raised in McAfee’s threat predictions for 2011. It predicts that the growing use of URL shorteners on social media websites such as Facebook and Twitter will help attackers lead unsuspecting people to websites containing malware. It also cites a figure of 3,000 shortened URLs generated per minute, a large number of which may be used for malicious purposes[1]. In the context of these threats, McAfee has recently launched its own URL shortener, http://mcaf.ee/, which it claims uses Global Threat Intelligence to warn users of any malicious website that a link may lead to.

There are quite a few websites providing free URL shorteners. I performed a small exercise where I took a lengthy URL from www.amazon.com and shortened it using a few popular URL shorteners. Let us look at how we can ensure we safely shorten our URLs before sharing them with others.

  1. In the case of http://tinyurl.com/, the site gives users two options for short URLs that can be shared with people. The first is a plain shortened URL (http://tinyurl.com/3toahum). The second is 8 characters longer and is a preview URL, which leads to a TinyURL web page showing the full-length URL. At this point the user can verify the full URL and then choose whether to go to the proposed link.
  2. Using http://mcaf.ee/#, McAfee’s URL shortener, the shortened URL I got is http://mcaf.ee/g0ktc. There were no additional options available for users. I think the idea is that McAfee will be able to detect and warn the user if the URL leads to a malicious website.
  3. https://bitly.com/ lets users customize the second part of the shortened URL. The first half contains an abbreviation of the destination website’s name. In this example, since I used a link to www.amazon.com, the shortened URL is http://amzn.to/o8yQiX. However, I have the option to customize the second part and can change it to http://amzn.to/forinfsecblog to more accurately reflect the site it refers to. This helps add vital details for users to identify the link as the genuine, trustworthy URL they are expecting.

In conclusion, TinyURL and bitly incorporate some measures that can be taken when creating a shortened URL to assure people that it is trustworthy and genuine, and that can help them differentiate between good and malicious links.

Now, let us look at it from the other end. Imagine you received a shortened URL link and want to access it. Below are some measures you can take to verify the authenticity of the link[2].

  1. Be sure to hover over the shortened URL link to see whether the full URL is displayed. For instance, on Twitter the entire URL is revealed when you hover over the link. Browsers have plugins with similar functionality that can be used on other websites as well.
  2. A few websites such as http://www.unshorten.com/ and http://www.findhiddenurl.com/ can be used to display the full-length URL for the user to verify.
  3. Users can also paste the shortened URL into a search engine and find information about the destination site before they make a decision.
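The "unshorten" checks in items 1 and 2 boil down to reading redirect responses without ever rendering the destination page. As an added example (not from the original post), the following Python follows a shortened link one redirect at a time, records every hop, caps the hop count to defeat redirect loops, and flags intermediate hosts (chained shorteners) that differ from the final destination. The redirect table and the `fake_fetch_head` helper are constructed stand-ins for live HTTP responses; a real deployment would replace `fake_fetch_head` with a HEAD request issued with automatic redirects disabled.

```python
from urllib.parse import urljoin, urlparse

# Constructed redirect table standing in for live HTTP responses (example data,
# not real shortener behaviour): URL -> (status code, Location header or None).
FAKE_RESPONSES = {
    "http://short.example/abc": (301, "http://other.example/xyz"),
    "http://other.example/xyz": (302, "https://www.amazon.com/dp/EXAMPLE"),
    "https://www.amazon.com/dp/EXAMPLE": (200, None),
    "http://loop.example/a": (301, "http://loop.example/b"),
    "http://loop.example/b": (301, "http://loop.example/a"),
    "http://short.example/rel": (302, "/landing"),
    "http://short.example/landing": (200, None),
}


def fake_fetch_head(url):
    """Stand-in for an HTTP HEAD request with redirects disabled."""
    try:
        return FAKE_RESPONSES[url]
    except KeyError:
        raise ValueError(f"no response configured for {url}")


def expand_short_url(url, fetch_head=fake_fetch_head, max_hops=5):
    """Follow redirects one hop at a time and return (chain, status).

    Unlike a browser, this never loads the destination page: only the
    Location headers are read, so every hop can be inspected before anyone
    decides to visit. max_hops bounds the walk so redirect loops terminate."""
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch_head(chain[-1])
        if status not in (301, 302, 303, 307, 308) or not location:
            return chain, "resolved"
        nxt = urljoin(chain[-1], location)  # Location may be relative
        if nxt in chain:
            return chain + [nxt], "loop"
        chain.append(nxt)
    return chain, "too-many-hops"


def summarize(chain, status):
    """Report the final host, hop count and any intermediate hosts that
    differ from the destination (a shortener pointing at another shortener
    is worth a closer look before clicking)."""
    hosts = [urlparse(u).netloc for u in chain]
    return {
        "final": chain[-1],
        "final_host": hosts[-1],
        "hops": len(chain) - 1,
        "intermediate_hosts": sorted(set(hosts[1:-1]) - {hosts[-1]}),
        "status": status,
    }
```

Expanding a link only reveals where it points; whether that destination is safe is a separate judgement, which is why item 3 (researching the destination) still applies.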

I believe that users do not have to shy away from using shortened URLs, as they can be very efficient and help overcome some of the issues we face with lengthy URLs. However, we certainly need to exercise some due diligence on our part to ensure we are not being misled.

__________________

1) http://ilookbothways.com/2011/01/08/mcafee-threat-predictions-for-2011-geolocation-mobile-devices-and-apple-will-be-top-targets/

2) http://www.earthlinksecurity.com/articles/shortened_links_safety/index.html

3) https://www.infosecisland.com/blogview/10442-DDoS-Attacks-Possible-via-URL-Shortener.html

4) http://ilookbothways.com/2010/02/11/mitigate-risks-when-using-shortened-url%e2%80%99s/

Welcome to Heinz College’s Intro to Information Security Management

30 06 2011

If you’ve made it here, you’re likely a student at Carnegie Mellon University and registered for Heinz College’s Introduction to Information Security Management – 95752. The learning objectives, schedule, syllabus and documents for the course will be discussed in class and distributed on the CMU Blackboard site. This course blog and accompanying Twitter feed have been created and will be maintained to support the course in other ways. The main objective of the blog is to share posts with each other (and the broader information security community) about current events and relevant topics in information security. For example, the last 6 months have seen several high-profile compromises, such as NASDAQ, RSA SecurID, and the Sony PlayStation Network, as well as significant publicity about the ongoing WikiLeaks case and the LulzSec/Anonymous attacks. We need to cover a broad set of topics during class lectures, and we would be remiss to ignore these important events, but we would rather confine the discussion of current events to thoughtful posts and responses on this blog.

Being mildly omniscient (or perhaps just not that far removed from academic programs ourselves), you are probably asking some questions:

As a student, what am I going to have to do?

You will be required to compose more than 1, but less than 5, posts during the entire semester. The posts are expected to be well researched, written, edited, clearly cited, and generally thought-provoking. The length will vary, but you are all likely familiar enough with blog posts to know when one is rambling (or when it was clearly written with half a brain at 2am). An example or two will be posted later to show you what to do and what not to do. It may actually be harder to be concise and make a solid case for your argument in approximately 5-7 paragraphs than to blather for pages, so don’t leave these until the last minute. It will not be a requirement for you to comment on others’ posts, but the blog will be so much the better if you do. The combination of these blog posts will be considered as part of your overall homework grade.

If we’re already using Blackboard, why not just use the built-in discussion board or blog functionality?

First, we will be using the discussion board, but for more administrative topics. The good thing about the discussion board is that anyone can post anything at any time, but the bad thing is that trawling through six different forums about current events often doesn’t lead to thoughtful discussion. Discussion threads decay into the author posting a link with a sentence or two, with very little analysis beyond that. So, rather than require that you post a certain number of posts to the discussion board per semester, we’d rather foment quality, not quantity. Furthermore, the Blackboard blog would permit similar functionality, but would be less flexible and less public. For example, if a new post appears and you want to read it on your mobile phone with an RSS reader, you can easily do that here. Not so much on Blackboard. Finally, the blog posts will be mentioned publicly on Twitter and maybe, just maybe, the White House cybersecurity czar himself will comment on the terrific analysis you just posted.

So, if I only have to do a few posts and it counts as part of my homework grade, I never have to read others’ posts?

That’s right, you don’t. Then again, this is Carnegie Mellon University; you are almost all graduate students and professional enough to know that doing the bare minimum does not really contribute to an environment of growth and learning. So, this entire site will only be as good as the time you spend on the posts and the hopefully engaging discussion that takes place afterwards.

Why is there a Twitter feed and do I really have to do the tweeting?

The Twitter feed has been started to give you all a sense of some people out there who are active in social media AND influential in information security. I mean seriously, why wouldn’t you want some tweets from Bruce Schneier himself delivered to you? No, you don’t have to tweet, but you do have to create an account and follow our account (@CMU_95752) so you can see some things we tweet ourselves (maybe a quiz hint?) and retweet from others. Perhaps it will also help you amass a list of bloggers/tweeters that contribute to your learning for this class and well beyond. Heck, tell us if we’re missing one and we’ll add it.

The details of how many posts, how they’ll be assigned, applicable topics, the logistics of sending/posting and other things will be discussed elsewhere. If you’re reading this before class has started, we look forward to meeting you. If you’re reading this during the first class, start paying attention because you just missed something we said. In either case, welcome to 95752 and let’s have a good semester together.

Adam and Ron