Kenyan Air Force used Twitter to warn Somalia of Air Strikes

The use of Twitter as an instant world wide news service is really gaining in popularity. As a matter of fact, in January of this year, Russian President Dmitry Medvedev learned of the Domodedovo International Airport bombing through Twitter.

But new ground was broken when the Kenyan Air Force tweeted Somalis to warn them of incoming air strikes. According to the Wired article, “Kenyan Air Force Tweets Somalis: We’re About to Bomb You #Duck”, Kenya sent a couple of tweets warning of the upcoming strikes:

“BAIDOA, BAADHEERE, BAYDHABO, DINSUR, AFGOOYE, BWALE, BARAWE, JILIB, KISMAYO and AFMADHOW will be under attack continuously,” Maj. Emmanuel Chirchir, a Kenyan military spokesman, Tweeted on Tuesday afternoon. In an interview with the BBC, Chirchir clarified that the attacks are targeting extremist camps near the listed towns.

Though hopefully the press will not spin this as a form of cyber attack, one thing is for certain, Somalia will definitely remove the Kenyan Air Force from their “Friends” list…

Collage: Defeating Censorship or Undetectable Botnet C&C?

Recently, during the protests in Iran, Iranians scrambled to get internet messages out to let the world know what was going on. And the Iranian government scrambled to intercept and block them.

Next, internet proxies started popping up, allowing Iranian protesters to bypass government filters, but these too were found out and shut down. A way was needed to send messages that could bypass internet filters and government scrutiny, something that lets you place hidden messages inside normal, everyday internet traffic.

Enter Collage, a project by Sam Burnett, Nick Feamster, and Santosh Vempala of the Georgia Institute of Technology. According to the Collage Project website:

Collage uses user-generated content (e.g., photo-sharing sites) as “drop sites” for hidden messages. To send a message, a user embeds it into cover traffic and posts the content on some site, where receivers retrieve this content using a sequence of tasks.

Sounds like normal steganography, but there is a twist. Collage breaks the messages into small pieces and places them into several forms of electronic media, be it videos, pictures or tweets.

At the receiver, Collage fetches the cover content from content hosts and decodes the message. By hiding data inside user-generated content as it traverses the network, Collage escapes detection by censors.

This sounds great, but it could also be used for nefarious purposes. The same functions that allow Collage to bypass government censors could also be used by malware or botnets to, in essence, become invisible to network security monitoring.

Richard Bejtlich (GE’s CIRT team leader) explains this on his blog, TaoSecurity:

Collage makes it difficult for incident detection and response teams to monitor or block these messages by exploiting the sheer number of sites where users can exchange messages and the variety of ways that a message can be hidden. Our evaluation of Collage shows that the performance overhead is acceptable for sending small messages (e.g., Web articles, email), perfect for command and control instructions.

As always, a tool meant for good can be manipulated and used for evil. How would you stop, or even detect, botnet command and control messages when they are hidden inside tweets or Flickr photos?

We may be fast approaching a time when all social media traffic and picture sharing is banned altogether from company networks.

Revealing Hack on Twitter Today

According to a FOX News article, the social media site Twitter was hit by a security flaw. The hack used the JavaScript onMouseOver event to activate pop-ups, retweet malicious code, and redirect unsuspecting users to other sites, including hardcore porn sites…

According to security analysis firm Sophos, simply running your mouse over certain tweets could activate pop-ups, send you messages, or even redirect you to another site.

And a number of Twitter accounts were redirecting users to hardcore pornography sites — including the feed of Sarah Brown, wife of former British Prime Minister Gordon Brown.

By 10 AM this morning, Twitter released an “all clear” statement claiming that Twitter “should now be fully patched and is no longer exploitable”. But some security experts say that, with the sheer volume of infected messages involved, there may still be some issues even though the flaw was patched.

Also, some users are using the flaw to mask their user IDs:

“It looks like many users are currently using the flaw for fun and games, but there is obviously the potential for cybercriminals to redirect users to third-party websites containing malicious code.

Some users are also seemingly deliberately exploiting the loophole to create tweets that contain blocks of color (known as “rainbow tweets”). Because these messages can hide their true content they might prove too hard for some users to resist clicking on them.”

According to the article, third party Twitter apps were not affected, because they do not use the same script. The article also recommends people avoid using Twitter for a while.
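The article does not say how Twitter’s own rendering code went wrong, so the following is an added illustration (not Twitter’s code) of the general bug class behind an onMouseOver tweet: a hypothetical linkifier that copies tweet text straight into an HTML attribute, beside a hardened version that escapes each interpolation, plus a small check a reviewer or log scan could use to spot inline event handlers in rendered markup. The sample tweet is constructed.

```javascript
// Added example, not code from Twitter or from the article.
// Two versions of a hypothetical tweet renderer plus a detection helper.

// Escape for HTML text nodes and for double-quoted attribute values.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Only http/https runs of non-whitespace are turned into links.
const URL_RE = /https?:\/\/\S+/g;

// VULNERABLE: the matched URL is copied verbatim into href="...", so a
// double quote inside the "URL" ends the attribute and whatever follows
// is parsed as further attributes of the <a> element.
function renderTweetVulnerable(text) {
  return text.replace(URL_RE, (url) => `<a href="${url}">${url}</a>`);
}

// HARDENED: every interpolated fragment is escaped for the context it
// lands in (attribute value or text node), so a quote in tweet text can
// no longer close the attribute.
function renderTweetHardened(text) {
  let out = "";
  let last = 0;
  for (const m of text.matchAll(URL_RE)) {
    out += escapeHtml(text.slice(last, m.index));
    const safe = escapeHtml(m[0]);
    out += `<a href="${safe}">${safe}</a>`;
    last = m.index + m[0].length;
  }
  return out + escapeHtml(text.slice(last));
}

// Detection helper (constructed): does rendered markup carry an inline
// event-handler attribute such as onmouseover=? Browsers accept an
// attribute that directly follows a closing quote, so "on...=" preceded
// by whitespace or a quote is flagged; the escaped form (&quot;on...) is not.
function hasInlineHandler(html) {
  return /[\s"']on[a-z]+\s*=/i.test(html);
}

// Constructed sample tweet whose "URL" breaks out of the href attribute.
const sampleTweet = 'see http://example.com/"onmouseover="alert(1)" x for details';
```

Running `hasInlineHandler` over both renderings of `sampleTweet` shows the vulnerable output gaining an `onmouseover` attribute while the hardened output keeps the whole string inert inside the quoted href.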

It is a shame that people would do something like this. It really makes you think twice about letting your kids use the internet, when they could be talking to their friends one minute and be redirected to a very questionable site the next.