


   ISSUE 10

18 May 2012

Article of the Month   Around the World

Threats to organizations originating from social network sites

The use of online social networks such as Twitter, LinkedIn, Facebook, MySpace, Orkut and Friendster by the general public, from the young to the old, has provided a helpful environment for individuals to learn, play and keep in touch with long-lost friends and colleagues. However, this new "country" also allows those who want to find the best means of attacking big corporations, for various nefarious intentions, to carry out the research needed to do so.

Generally, new recruits of the companies being targeted are prime candidates for such exploitation. Why is this so? New recruits are normally in the process of "fitting in" to their new work environments; they are more trusting and reliant on others and less likely to know about the company culture and security procedures [1]. This leaves them vulnerable to someone pulling enough information out of their various social media accounts to mount a successful attack on the intended target, namely the organization they work for.

For example, let us say Mr P has been hired by XYZ, the underhanded competitor of ABC (a multinational corporation), to confirm rumours that ABC is going to expand its business into India. P looks at ABC's LinkedIn page and sees that a Ms M has recently been recruited by ABC as an Offshore Marketing Executive. On finding M's personal profile, he notices that M has conveniently given the link to her Facebook account, in which photos of her trip to India are posted, and on her Facebook wall she has written:

"Hi guys, just got back from India, went on a work-related matter. Lovvvveeeed the country and the food, mmmmmm. Sorry I did not inform you guys early of my departure, as it was a sudden thing, new venture and all, supposed to be hush, hush."

P now has evidence of a project in India and knows that M is working on it. However, this is just the first step. By calling her up, or by going through her boss's Facebook account, Mr P could glean more pieces of information, each "insignificant" from the user's point of view, from which a rough project plan could be created, thereby justifying P's salary and helping the strategy of ABC's competitor, XYZ.

However, social networks can be used not only to conduct research for evil intent; they can also be the means of actually perpetrating an attack on the unsuspecting corporation.

Even though social networks seem to be interactions between friends, colleagues, university batch mates, etc., they are actually physical interactions between computers connected to the World Wide Web. Hackers who understand this fact have developed what are known as social networking worms [2].

These worms exploit an inherent weakness of social network site users, our readiness to extend trust [3], in order to entice us to carry out a task that ultimately leads to our computers being infected. By clicking on a link that seems to be, for example, a video clip of a favourite music artist or a picture of a celebrity, a malicious script can be downloaded onto the unsuspecting user's computer, which can in turn compromise the user's operating system. On successful infection, these worms can hijack the user's computer and set off a succession of events that turns the victim's computer into a zombie or host computer. Furthermore, this can set off a series of events that ends with the hacker being able to steal valuable information from the user's organization. This is what is termed "spear phishing" in today's hacking jargon. Some recent attacks on several top United States companies are said to have been carried out using similar methods.

Once the user's computer has been turned into a zombie, it can also be used to perpetrate further attacks on other, more valuable systems of top multinational corporations, without the user knowing that he or she is doing so. As the unsuspecting user would not complain (since they are not aware that this is happening to them), and the relevant authorities, once they get wind of it, would not know what or whom they are supposed to prosecute, the perpetrator generally goes unpunished. These types of crimes have been coined "victimless crimes". However, the revenue earned by the criminals who perpetrate these crimes spans millions of dollars [3].

In short, social networking has given birth to a new form of interaction between people in the online world. However, even though these social networks are virtual in nature and seem to belong to a different world, their impact on the lives of individuals is real.


1. Michael Pike, "Social Engineering", BCS, http://www.bcs.org

2. Aditya K. Sood, Richard Enbody Ph.D., "Chain Exploitation: Social Networks Malware", ISACA, http://www.isaca.org

3. Nart Villeneuve, "Koobface: Inside a Crimeware Network", 2010, http://www.infowar-monitor.net/koobface

Kumar Manthri

Kumar is on the Board of Directors of the ISACA Sri Lanka Chapter, serving as its Marketing Director. Kumar works as an Information Systems Auditor at SJMS Associates, an esteemed firm of Chartered Accountants backed by Deloitte Touche Tohmatsu.



Danger In The Download

'....Does it matter that Mark Zuckerberg wears a hoodie? How might the blitzkrieg of the future arrive? By air strike? An invading army? In a terrorist's suitcase? In fact it could be coming down the line to a computer near you.....'

To read the complete article see:



75% Of Phone-Based Malware Now Targets Android 

By Andy Greenberg, Forbes Staff  | May 15, 2012


'....According to data released Monday by the Finnish antivirus firm F-Secure, 37 of the 49 variants of malicious software targeting smartphones in the last quarter were aimed at Android devices, compared with just ten out of the 16 malware variants it found in the same quarter last year......'

Google in Africa? It's a hit

May 15, 2012

'....Online Africa is developing even faster than the new highways of offline Africa. Undersea cables reaching Africa on the Atlantic and Indian Ocean coasts, plus innovative mobile-phone providers, have raised internet speeds and slashed prices. 

This burgeoning connectivity is making Africa faster, cleverer and more transparent in almost everything that it does. 

Google can take a lot of the credit. The American search-and-advertising colossus may even be the single biggest private-sector influence on Africa. It is not just that its internet-search and e-mail are transforming Africa. Take maps.

Before Google, ordinary Africans struggled to find maps. Military and civilian mapping offices hoarded rolls of colonial-era relics and sold them at inflated prices. By contrast, Google encourages African developers to layer maps with ever more data. In Kenya 31,000 primary schools and 6,900 secondary schools are marked on Google maps. Satellite views even let users see if the schools have built promised new classrooms or water points. Similar initiatives let voters verify local voting figures at election time. Satellite views of traffic jams have also shamed some African cabinets into spending more on city infrastructure......'

Month in Brief

[Chart: Facebook Incidents Reported to Sri Lanka CERT|CC in April 2012; category shown: Fake + Harassment; source: Statistics - Sri Lanka CERT|CC]



APT attackers are increasingly using booby-trapped RTF documents, experts say

By Lucian Constantin | IDG News Service | Published 18:00, 10 May 12


'....Microsoft Office RTF parsing vulnerabilities are a common target for attackers who distribute advanced persistent threats.....'

See Who Viewed Your Facebook Profile? Popular Facebook Scam Technique

by Jason Ding, Barracuda Labs

'....A new trend of scam, more advanced than click-jacking, has just started to become popular on Facebook. It also uses the "profile viewer" curiosity as the hook but creates Facebook apps to gain users' information and permissions to post. The whole process works as follows......'

Notice Board

Training and Awareness Programmes - April 2012

Date | Event | Venue
- 11-15 | Workshop on Education content development | Provincial ICT Center, Pannipitiya
- 22 | "Safe Use of Internet" student awareness session, with the collaboration of Sri Lanka CERT|CC | D.S. Senanayake College, Colombo 8
- 25 | Awareness session on school ICT centers (provincial level) on the ICT Championship competition, organized with the collaboration of the Computer Society of Sri Lanka and ICT Branch, Ministry of Education | ICT Branch, Ministry of Education
