
SANS ISC InfoSec Handlers Diary Blog



Monitoring Social Media for Security References to Your Organization

Published: 2011-05-25
Last Updated: 2011-05-26 03:38:48 UTC
by Lenny Zeltser (Version: 1)

Organizations large and small use social media for interacting with current and prospective customers, recruiting employees and tracking sentiment about the organization's products and services. (In this context, social media includes blogs as well as social networking sites such as Facebook and Twitter.) As a security professional, you can also use social media for a related purpose: keeping track of malicious activities and threats against your organization that attackers sometimes discuss publicly.

If your goal is to keep an eye on social media statements or postings that merely mention your organization's name, a number of free tools can help you, including:

These tools allow you to specify the search term (such as your organization's name), and will then present you with a listing of relevant social media mentions. Some of them can send email alerts and generate RSS feeds.

The challenge comes when you have to keep an eye on the activities associated with a popular brand that is often mentioned in social media. In this case, the tools mentioned will likely overwhelm you with their findings. You'll need to be more selective when specifying your search terms, and will probably want the tool to support some form of Boolean logic.

Google Alerts is a good match for such activities. Another powerful and flexible source of data is Twitter Search. (Learned this from "JD"). Twitter is used for both curating content that's hosted elsewhere and directly expressing opinions. No wonder searching its public activity streams can be an effective way of keeping an eye on the discussions related to your organization. Best of all, the Twitter search engine supports Boolean logic--not just keyword searches. 

For instance, you may want to use Twitter to learn when someone has hacked or is planning to attack your organization. You can search it for your organization's brand name(s) and words such as "hacked", "breached", "pwned", "XSS", "SQLi", etc. If you get too much noise in the search result, consider specifying these words as hashtags by preceding them with the "#" sign.

Here's a proof-of-concept site I put together to demonstrate this technique: WasCompanyHacked.com

To fine-tune your Twitter search terms, consider searching for a brand whose security is the hot topic at the moment and identifying which hashtags or terms give you the right balance of meaningful content and a low rate of false positives.
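The following is an added example, not part of the original diary or the WasCompanyHacked.com site: it builds a Twitter-style Boolean query from brand aliases and incident words, and evaluates an offline approximation of that query against a few constructed sample posts to show how the keyword form picks up noise that the hashtag form filters out. "ExampleCorp" and the posts are placeholders.

```python
"""Build a brand + incident-term Twitter search and test it offline."""
import re

# Constructed placeholders: a hypothetical brand and its alias.
BRAND_TERMS = ["ExampleCorp", "Example Corp"]
INCIDENT_TERMS = ["hacked", "breached", "pwned", "XSS", "SQLi"]

# Constructed sample posts, not real tweets.
SAMPLE_POSTS = [
    "Just got an email from ExampleCorp support, very helpful.",
    "Looks like examplecorp got hacked, their login page is down",
    "#ExampleCorp login form vulnerable to #XSS, reported to their security team",
    "I hacked together a script that compares Example Corp's store prices",
]


def build_query(brands, terms, hashtags_only=False):
    """Return a Twitter search string using OR, quoted phrases and hashtags.

    hashtags_only=True requires each incident word as a #hashtag, which is
    the noise-reduction trick the diary describes.
    """
    brand_part = " OR ".join(f'"{b}"' if " " in b else b for b in brands)
    prefix = "#" if hashtags_only else ""
    term_part = " OR ".join(prefix + t for t in terms)
    return f"({brand_part}) ({term_part})"


def matches(post, brands, terms, hashtags_only=False):
    """Local approximation of the query: case-insensitive whole-word match on
    any brand alias AND any incident term (only as a #hashtag if requested)."""
    text = post.lower()
    has_brand = any(re.search(r"\b" + re.escape(b.lower()) + r"\b", text)
                    for b in brands)
    lead = "#" if hashtags_only else r"\b"
    has_term = any(re.search(lead + re.escape(t.lower()) + r"\b", text)
                   for t in terms)
    return has_brand and has_term


def triage(posts, hashtags_only=False):
    """Return the indexes of posts that the query would surface."""
    return [i for i, p in enumerate(posts)
            if matches(p, BRAND_TERMS, INCIDENT_TERMS, hashtags_only)]


if __name__ == "__main__":
    for mode in (False, True):
        print(build_query(BRAND_TERMS, INCIDENT_TERMS, mode), "->", triage(SAMPLE_POSTS, mode))
```

Post 3 ("hacked together a script") is the false positive the plain keyword query surfaces; the hashtag query drops it along with post 1, which is the trade-off between coverage and noise the diary asks you to tune.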

Do you have tips for searching Twitter and other sources for activities related to your brand's security? Please leave a comment below or drop us a note.

For more thoughts on social media in the context of information security, see:

-- Lenny Zeltser

Lenny Zeltser leads a security consulting team and teaches how to analyze and combat malware. He is active on Twitter and writes a daily security blog.

Five new Cisco security advisories released. See http://www.cisco.com/go/psirt

Apple advisory on "MacDefender" malware

Published: 2011-05-25
Last Updated: 2011-05-25 00:05:17 UTC
by Daniel Wesemann (Version: 1)

Looks like Apple noticed that "MacDefender", a fake anti-virus tool that we covered earlier, is indeed starting to make inroads on the Mac user community. They have published an advisory today that describes how to "avoid" or "remove" the threat.

The advisory also states "In the coming days, Apple will deliver a Mac OS X software update that will automatically find and remove Mac Defender malware" which might turn out to be the first glimpse of an acknowledgment that yes, Macs can also have malware, and yes, Macs might even need a tool to remove malware. 

No matter which OS you are using, remember Krebs's Rule #1: If you didn't go looking for it, don't install it.


Keywords: apple malware