<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>WebSpy Blog&#187; Articles &#8211; WebSpy Blog</title>
	<atom:link href="http://www.webspy.com.au/blogs/index.php/category/articles/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.webspy.com.au/blogs</link>
	<description>For when WebSpyrians have something to say.</description>
	<lastBuildDate>Tue, 07 Sep 2010 07:43:26 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.2</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Lessons learned from a hacked Twitter account</title>
		<link>http://www.webspy.com.au/blogs/index.php/lessons-learned-from-a-hacked-twitter-account/</link>
		<comments>http://www.webspy.com.au/blogs/index.php/lessons-learned-from-a-hacked-twitter-account/#comments</comments>
		<pubDate>Wed, 11 Nov 2009 07:09:12 +0000</pubDate>
		<dc:creator>Scott</dc:creator>
				<category><![CDATA[Articles]]></category>
		<category><![CDATA[Cyber Crime]]></category>
		<category><![CDATA[How To]]></category>
		<category><![CDATA[Tips and Best Practices]]></category>
		<category><![CDATA[WebSpy]]></category>
		<category><![CDATA[WebSpy News Update]]></category>
		<category><![CDATA[direct message spam]]></category>
		<category><![CDATA[DM]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[scam]]></category>
		<category><![CDATA[spam]]></category>
		<category><![CDATA[tweets]]></category>
		<category><![CDATA[twitter]]></category>
		<category><![CDATA[URL shortening]]></category>
		<category><![CDATA[Web Security]]></category>

		<guid isPermaLink="false">http://www.webspy.com.au/blogs/?p=878</guid>
		<description><![CDATA[If you follow @WebSpy on Twitter, you would have received a very strange Direct Message (DM) from us yesterday. Something along the lines of "rofl this you?" or "you're on this vid!" or "I found you on here!"

Unfortunately, the WebSpy Twitter account fell victim to a phishing scam, and as a result sent phishing spam to all our Twitter followers. We are embarrassed by the incident and we apologize to all of our followers, especially the ones that clicked the link in the DM and were caught by the phishing scam themselves.

Here's a rundown of the event in the hope that it will help others know what to look out for.]]></description>
			<content:encoded><![CDATA[<p>If you follow @WebSpy on Twitter, you would have received a very strange Direct Message (DM) from us yesterday. Something along the lines of &#8220;rofl this you?&#8221; or &#8220;you&#8217;re on this vid!&#8221; or &#8220;I found you on here!&#8221;</p>
<p>Unfortunately, the WebSpy Twitter account fell victim to a phishing scam, and as a result sent phishing spam to all our Twitter followers. We are embarrassed by the incident and we apologize to all of our followers, especially the ones that clicked the link in the DM and were caught by the phishing scam themselves.</p>
<p>Here&#8217;s a rundown of the event in the hope that it will help others know what to look out for.<span id="more-878"></span></p>
<h2>What Happened?</h2>
<p>The phishing scam works like this:</p>
<ol>
<li>You receive a strange yet intriguing Direct Message from someone you follow and likely trust. <strong>This is the key element to the scam&#8217;s success</strong>.</li>
<li>The DM contains a link using a shortened URL such as dwarfurl.com/blah. In our case, most of them were using dwarfurl.com, wapurl.co.uk, and 3.ly.</li>
<li>You click the link and get taken to what appears to be the Twitter login page. But if you look at the URL it is actually something like blogs.videos.dsfasdc.com or videos.twitter.dsfasdc.com. <strong>Checking the URL is the key to making sure the scam doesn&#8217;t get you too!</strong></li>
<li>You enter your Twitter login details. Reports of what happens after this login page vary. You may see the Twitter fail whale, or a blank page, or a random blog.</li>
<li>Now that the phishing site has your login details, the same Direct Message is sent to all your Twitter contacts.</li>
<li>You eventually discover what happened. You feel like a violated idiot and start scrambling to fix everything.</li>
</ol>
<h2>What to do if it happens to you</h2>
<p>If the above sounds familiar, you need to log in to Twitter right now and change your password to make sure the phishing site can no longer access your account. You also need to go to the Connections tab and disable any third-party applications that look suspicious. You&#8217;ll then need to update the credentials in all the Twitter clients, website/blog plug-ins, and anything else that may be using your old Twitter credentials.</p>
<p>Fortunately, we were still able to log in to our Twitter account, change our password and disable third-party connections. Thankfully there were not any new suspicious connections that we needed to worry about.</p>
<h2>Lessons Learned</h2>
<p>Now that we&#8217;ve fixed everything and regained control of our Twitter account, it&#8217;s good to sit back and reflect on what just happened and how to avoid it in the future.</p>
<p>You&#8217;ve probably heard all of this before. We had too. But it takes an incident like this to make you <em>really</em> think about and address any shortfalls in your own organization. Some of our followers were also caught out by the scam, and these are people who work in the tech industry and generally know about these sorts of scams. We were definitely surprised that we fell for it! So take a moment of your time to imagine your own Twitter account was compromised in the same way, then imagine all the possible ways it could have happened. Now go and take every precaution to ensure it doesn&#8217;t happen.</p>
<p>Having now been through it, here are some tips to help you avoid the same fate in the future.</p>
<ol>
<li>Just because a Direct Message comes from someone you trust, does not mean it is trustworthy. Always use caution!</li>
<li>Educate your employees &#8211; especially those that know your company&#8217;s Twitter credentials. The main goal you want to achieve here is getting your employees into the habit of glancing at the URL in the address bar of their browser before entering ANY login details. We used our own log analysis software (Vantage) to find out who ended up on the websites in question, and then spoke to them directly to ensure they understood what to look out for.</li>
<li>Use a Twitter application that can display the actual URL behind a shortened URL before clicking on the link. For TweetDeck users, go to Settings | General, and check &#8216;Show preview information for short URLs&#8217;. Please note, however, that this function only works for a few specific URL shortening services.</li>
<li>If you&#8217;re using the Twitter web page directly, use a browser and plug-in that can expand shortened URLs such as Mozilla Firefox with <a href="https://addons.mozilla.org/en-US/firefox/addon/9549" target="_blank">Long URL Please</a>.</li>
<li>Use a browser with integrated anti-phishing security (such as Firefox or Google Chrome) and keep it up to date, or ensure you have good third party anti-phishing / anti-malware software installed.</li>
<li>As always, keep your security software and OS up to date.</li>
</ol>
<p>Our friends at Sophos also have some good information about the scam that you may like to read: <a title="Phish... it's what's for dinner" href="http://www.sophos.com/blogs/sophoslabs/?p=7366" target="_blank">http://www.sophos.com/blogs/sophoslabs/?p=7366</a></p>
<h2>Sorry!</h2>
<p>An event like this makes you realize how important Twitter is to the overall public perception of a company. Our followers trust us to deliver relevant and useful content about our key areas of expertise &#8211; log file analysis and reporting. We spend a large amount of effort researching and writing content to ensure our tweets provide our followers with a good source of information. Having a breach like this certainly degrades this public perception that we work so hard at trying to maintain.</p>
<p>I would therefore like to thank all our followers who have kept with us and not clicked the &#8216;Unfollow&#8217; button. Now that everything is under control again we will continue to bring you the best content we can provide about the log analysis and surrounding industries.</p>
<p>Once again, many many apologies to all of our followers, especially those that were affected.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.webspy.com.au/blogs/index.php/lessons-learned-from-a-hacked-twitter-account/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Notes on E-Security Development</title>
		<link>http://www.webspy.com.au/blogs/index.php/notes-on-e-security-development/</link>
		<comments>http://www.webspy.com.au/blogs/index.php/notes-on-e-security-development/#comments</comments>
		<pubDate>Wed, 07 Oct 2009 03:33:38 +0000</pubDate>
		<dc:creator>Asa</dc:creator>
				<category><![CDATA[Articles]]></category>
		<category><![CDATA[Cyber Crime]]></category>
		<category><![CDATA[Tips and Best Practices]]></category>
		<category><![CDATA[E-security]]></category>
		<category><![CDATA[employee internet usage]]></category>
		<category><![CDATA[monitoring internet usage]]></category>
		<category><![CDATA[online crime]]></category>
		<category><![CDATA[online predators]]></category>
		<category><![CDATA[public proxies]]></category>
		<category><![CDATA[public proxy]]></category>
		<category><![CDATA[social networking]]></category>
		<category><![CDATA[Sophos]]></category>
		<category><![CDATA[tips]]></category>
		<category><![CDATA[wireless hospots]]></category>

		<guid isPermaLink="false">http://www.webspy.com.au/blogs/?p=638</guid>
		<description><![CDATA[Today, I had the pleasure of attending the first of the Western Australian Internet Association’s four breakfast events. The main topic on the agenda was E-Security, and a panel of experts, representing commercial, government and educational bodies, was there to shed light on the latest developments.

The topic of E-Security is rapidly becoming of enormous significance, [...]]]></description>
			<content:encoded><![CDATA[<p>Today, I had the pleasure of attending the first of the Western Australian Internet Association’s four breakfast events. The main topic on the agenda was E-Security, and a panel of experts, representing commercial, government and educational bodies, was there to shed light on the latest developments.<br />
<span id="more-638"></span><br />
The topic of E-Security is rapidly becoming of enormous significance, not only to the ICT industry but to the wider community.  In some countries cyber crime is an industry, employing hundreds of staff targeting more affluent countries.  At the same time our schools are adopting high-speed connectivity for all students, leading the next generation into a connected world. </p>
<p>Here’s a short summary of the main topics discussed during the event. For more information please follow the related links at the bottom of the page.</p>
<h1>Event Summary</h1>
<p><a href="http://www.sophos.com/products/enterprise/web/security-and-control/resources.html">Sophos</a>’s Asia Pacific Managing Director opened the event by discussing organized cyber crime. He highlighted that online organized crime rates are escalating rapidly. Online criminals are becoming increasingly sophisticated in the techniques they use to try to scam private individuals and businesses alike. Unfortunately, their techniques are evolving much faster than legislation and community awareness, which are estimated to be at least 12 months behind.</p>
<h2>Police Cyber Crime Unit</h2>
<p><img class="alignright size-full wp-image-644" title="crime-scene-istock_000004218770small2" src="http://www.webspy.com.au/blogs/wp-content/uploads/2009/10/crime-scene-istock_000004218770small2.jpg" alt="crime-scene-istock_000004218770small2" width="243" height="161" />The representative from WA’s Cyber Crime Unit expanded on the safety of children, and how Internet predators are becoming increasingly Internet savvy and often avoid getting caught by engaging in their illegal activities at work.  Nevertheless the audience was happy to learn about a recent case where the Cyber Crime Unit successfully tracked down an online predator, who had managed to stay anonymous for a long time by exclusively using his employer’s Internet resources. He worked for a very large organization, but thanks to the employer’s internal security and monitoring system he was identified before he had the chance to commit further crimes.</p>
<h2>Hiding in a Wireless Hotspot</h2>
<p>Wireless hotspots, today free at many airports, coffee shops and fast food chains, were another concern raised by the police’s Cyber Crime Unit. More often than not, the companies providing this free access to customers do not have a system in place to monitor and alert on any inappropriate or illegal activities. When this is the case it is virtually impossible to prevent predators using these networks to stay anonymous. Unfortunately, legislation, or public outcry, to address the issue is not likely to occur until an illegal activity, enabled by the anonymous use of wireless hotspots, takes place and receives media attention.</p>
<h2>At School</h2>
<p><img class="alignright size-medium wp-image-649" title="school-girl-istock_000003921899small" src="http://www.webspy.com.au/blogs/wp-content/uploads/2009/10/school-girl-istock_000003921899small-300x199.jpg" alt="school-girl-istock_000003921899small" width="300" height="199" />The representative from the educational sector continued to discuss online safety related to children and students. He highlighted that security systems at schools and universities are essential, but not always enough. On many occasions students bypass the school’s firewall by using virus-ridden public proxies to access blocked sites. Even students with studious intent occasionally use public proxies to access legitimate sites that have been blocked thanks to a “block worthy” word in a corporate blog, or something of similar virtuousness.</p>
<p>The importance of educating children about the dangers of social networking was also emphasized. Children are often overconfident in their abilities to spot a predator among their peers. However, in reality, they do not fully comprehend the psychological techniques used by online prowlers to gain their trust.</p>
<h2>Best Practices</h2>
<p>To sum up, the event focused on the changing landscape of the internet and internet security. In our internet-dependent world everyone is at risk, whether at work, at home, or at school. The best practices for working towards a safer e-environment keep changing, but the proactive theme throughout the event emphasized a combination of security systems, system monitoring, education of the workforce (parents, teachers, students), and increased involvement from all levels within organizations and the community.</p>
<p>Related Links:<br />
<a href="http://www.waia.asn.au">Western Australia Internet Association</a><br />
<a href="http://www.acma.gov.au">Australian Communications and Media Authority</a><br />
<a href="http://www.wiseuptoit.com.au">Wise up to IT</a><br />
<a href="http://www.cybersmartkids.com.au">Cyber Smart Kids</a><br />
<a href="http://www.staysafe.org">Stay Safe</a><br />
<a href="http://www.thinkuknow.co.uk">Think U Know</a><br />
<a href="http://www.virtualglobaltaskforce.com">Virtual Global Task Force</a><br />
<a href="http://www.sophos.com/products/enterprise/web/security-and-control/resources.html">Sophos</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.webspy.com.au/blogs/index.php/notes-on-e-security-development/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Business benefits from monitoring and reporting on Internet, email and network log files</title>
		<link>http://www.webspy.com.au/blogs/index.php/business-benefits-from-monitoring-and-reporting-on-internet-email-and-network-log-files/</link>
		<comments>http://www.webspy.com.au/blogs/index.php/business-benefits-from-monitoring-and-reporting-on-internet-email-and-network-log-files/#comments</comments>
		<pubDate>Wed, 15 Jul 2009 04:21:42 +0000</pubDate>
		<dc:creator>Asa</dc:creator>
				<category><![CDATA[Articles]]></category>
		<category><![CDATA[Email Analysis]]></category>
		<category><![CDATA[Firewall Analysis]]></category>
		<category><![CDATA[Log File Analysis]]></category>
		<category><![CDATA[Sales and Marketing]]></category>
		<category><![CDATA[Web Browsing Analysis]]></category>
		<category><![CDATA[Windows Event Logs]]></category>
		<category><![CDATA[Acceptable Internet Usage Policies]]></category>
		<category><![CDATA[benefits monitoring internet]]></category>
		<category><![CDATA[Event Logs]]></category>
		<category><![CDATA[internet blocking]]></category>
		<category><![CDATA[monitoring internet usage]]></category>
		<category><![CDATA[monitoring log files]]></category>
		<category><![CDATA[reporting on log files]]></category>
		<category><![CDATA[workplace productivity]]></category>

		<guid isPermaLink="false">http://www.webspy.com.au/blogs/?p=411</guid>
		<description><![CDATA[In previous blogs I have covered why internet access is so important in the workplace, why blocking and filtering should be minimized, and why monitoring is preferred.  Today I thought I’d focus on the specific benefits of monitoring and reporting on log files.
To some it might be obvious, but plenty of search queries used [...]]]></description>
			<content:encoded><![CDATA[<p>In previous blogs I have covered why internet access is so important in the workplace, why blocking and filtering should be minimized, and why monitoring is preferred.  Today I thought I’d focus on the specific benefits of monitoring and reporting on log files.</p>
<p>To some it might be obvious, but plenty of search queries used by visitors coming to our site contain phrases such as “Why monitor internet usage important” and “Why analyze log files”.</p>
<p>The majority of benefits relate directly to the network device being monitored, so I will structure the business benefits based on this. <span id="more-411"></span></p>
<h2>Web Proxy Servers</h2>
<p>Web proxy servers maintain log files listing every request from outgoing traffic made to the proxy server. By monitoring and reporting on log files from web proxy servers you will be able to identify aspects such as: who is accessing external sites, what sites are being accessed, when the sites were accessed, how much time was spent on the sites, how the user navigates through the sites, what page or search phrase referred the user to the sites, and the type and size of data downloaded from the sites. Use this information to:</p>
<ul>
<li><strong>Maximize Employee Productivity</strong><br />
Identify employees who excessively use corporate Internet resources for recreational purposes. Effectively publishing and communicating Internet usage policies and making employees aware of monitoring activities, and corresponding breach consequences, will assist in reducing personal Internet use. </li>
<li><strong>Ensure Policy Compliance</strong><br />
Identify misuse and ensure compliance with acceptable Internet usage policies by monitoring which sites are being viewed, for how long, what is being downloaded and by whom. </li>
<li><strong>Ensure Legal Compliance</strong><br />
Mitigate risk of costly liability and litigation issues by ensuring compliance with acts and regulations relating to Internet usage.</li>
<li><strong>Reduce &#038; Verify Bandwidth costs</strong><br />
Assess bandwidth usage and identify excessive downloading from particular websites, of specific files, and by which employee. Verify accuracy of Internet Service Provider’s charges.</li>
<li><strong>Understand and Reward Acceptable usage</strong><br />
<a href="http://www.webspy.com.au/blogs/index.php/how-to-benefit-from-monitoring-good-web-activity/">Please read my previous blog covering this area.</a> </li>
</ul>
<h2>Web Servers</h2>
<p>Web servers maintain log files listing every request from incoming traffic made to the server. Reporting on these log files can tell you:  who is accessing the internal site, what pages are being accessed, when the pages were accessed, how much time was spent on each page, how visitors navigated through the pages, what site or search phrase referred the visitor to the site, and the type and size of data downloaded from the site. Use this information to:</p>
<ul>
<li><strong>Verify Effectiveness of Online Campaigns</strong><br />
View the most common sites referring traffic to your own website to validate the effectiveness of online marketing initiatives. Display search terms commonly used in search engines referring to your company&#8217;s website to optimize the website&#8217;s search ranking and maximize bids on the correct search terms for online pay-per-click campaigns. Or why not use the search phrases to inspire a new blog post <img src='http://www.webspy.com.au/blogs/wp-includes/images/smilies/icon_smile.gif' alt=':)' class='wp-smiley' /> .</li>
<li><strong>Optimize Website Performance</strong><br />
Prioritize web page sequences, improve navigation, improve browser support and reduce link breaks by monitoring incoming website traffic, commonly accessed pages, user agents (browsers) accessing your website, client and server errors.</li>
</ul>
<h2>Email and messaging</h2>
<p>Every time an email or messaging server sends or receives information, it stores log files containing data about the sender, the receiver, timing of delivery or receipt, subject line, size of attachment and, depending on the server, name of attachment and content of message. Use this information to:</p>
<ul>
<li><strong>Reduce Bandwidth costs</strong><br />
Identify emails and messages with large attachments, who sent them, and if they were work related. </li>
<li><strong>Protect Confidential Information</strong><br />
Monitor email and instant messaging activity to protect the transmission of confidential organizational information.</li>
<li><strong>Mitigate Litigation Risks</strong><br />
Mitigate risk of costly liability and litigation issues by ensuring compliance with acts and regulations in relation to sexual harassment, bullying and discrimination that can arise from improper email and messaging usage.</li>
<li><strong>Maximize Email Virus Protection</strong><br />
Analyze log files from email virus scanning software, or devices, to identify source of viruses. Identify who sent the virus, who received it, attachment name and how your virus scanner dealt with it.</li>
</ul>
<h2>Network and security devices</h2>
<p>Network devices, such as switches, routers and proxies, and security devices, such as firewalls, anti-virus, spyware and spam applications, store log files containing data about network activity and the external and internal traffic that has been blocked or filtered. Use this information to:</p>
<ul>
<li><strong>Improve Network Management</strong><br />
Investigate traffic between computers, ports or applications to diagnose network problems. Gather information to help decide which protocols to prioritize over others. Better manage network resources and troubleshoot certain events. </li>
<li><strong>Strengthen Security Controls</strong><br />
Verify the configuration of a network&#8217;s firewall and its control of network traffic. Identify and investigate security breaches, determine the source of email viruses and manage their organizational impact.</li>
<li><strong>Maximize Effectiveness of Existing Blocking &#038; Filtering Solution</strong><br />
Review websites that employees have been denied and granted access to in order to validate the effectiveness of existing Internet filtering service.</li>
</ul>
<h2>Event logs</h2>
<p>Designed to provide an audit trail of system use, event logging records the actions that occur within the system, such as users logging in, failure of a component to start, or an attempt to print a document.</p>
<p>Every event that occurs across a network can be recorded in an event log file. The list of events that are recorded by default can be modified to reflect the needs of the organization&#8217;s system. Use this information to:</p>
<ul>
<li><strong>Monitor failed authentication attempts</strong><br />
Identify users trying to access files and folders they are not authorized to access, or the system failing to provide legitimate user access.</li>
<li><strong>Prevent data loss and leakage</strong><br />
Identify the access, modification or printing of confidential files to prevent information leakage or identify the person behind accidental or deliberate data loss.</li>
<li><strong>Ensure employees adhere to specified work schedules</strong><br />
Monitor event logs that record when an employee’s computer has been powered on or shut down.</li>
</ul>
<p>Hopefully this will give readers a better understanding of the benefits involved. Perhaps it can be helpful when explaining to employees / employer why and how your Internet and network resources need to be monitored and reported on. </p>
]]></content:encoded>
			<wfw:commentRss>http://www.webspy.com.au/blogs/index.php/business-benefits-from-monitoring-and-reporting-on-internet-email-and-network-log-files/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Unlocking the Value of your Log Data. 10 tips to help you get started</title>
		<link>http://www.webspy.com.au/blogs/index.php/unlocking-the-value-of-your-log-data-10-tips-to-help-you-get-started/</link>
		<comments>http://www.webspy.com.au/blogs/index.php/unlocking-the-value-of-your-log-data-10-tips-to-help-you-get-started/#comments</comments>
		<pubDate>Thu, 09 Jul 2009 03:40:58 +0000</pubDate>
		<dc:creator>Asa</dc:creator>
				<category><![CDATA[Articles]]></category>
		<category><![CDATA[Acceptable Internet Usage Policies]]></category>
		<category><![CDATA[How To]]></category>
		<category><![CDATA[Log File Analysis]]></category>
		<category><![CDATA[log file data]]></category>
		<category><![CDATA[logging]]></category>
		<category><![CDATA[logs]]></category>
		<category><![CDATA[reporting]]></category>
		<category><![CDATA[reporting procedures]]></category>
		<category><![CDATA[tips]]></category>
		<category><![CDATA[WebSpy]]></category>

		<guid isPermaLink="false">http://www.webspy.com.au/blogs/?p=398</guid>
		<description><![CDATA[This is a popular WebSpy article that we decided to re-post. Click here to download pdf version. 
What can log data do for you?
Organisations today are deploying a variety of security solutions to counter the ever increasing threat to their email and Internet investments. Often, the emergence of new threats spawns solutions by different companies [...]]]></description>
			<content:encoded><![CDATA[<p><em>This is a popular WebSpy article that we decided to re-post. <a href="http://www.webspy.com/resources/whitepapers/unlocking-the-value-of-your-log-data.pdf">Click here to download pdf version</a>. </em></p>
<h3>What can log data do for you?</h3>
<p>Organisations today are deploying a variety of security solutions to counter the ever increasing threat to their email and Internet investments. Often, the emergence of new threats spawns solutions by different companies with a niche or a specialty for that specific threat &#8211; whether it is a guard against viruses, spam, intrusion detection, Spyware, data leakage or any of the other segments within the security landscape.</p>
<p>This heterogeneous security environment means that there has been a proliferation of log data generated by the various systems or devices. As the number of different log formats increases, coupled with the sheer volume of log data, it becomes more difficult for organisations to turn this data into meaningful business information.<span id="more-398"></span></p>
<p><img class="alignleft size-medium wp-image-402" title="image1" src="http://www.webspy.com.au/blogs/wp-content/uploads/2009/07/image1-300x300.jpg" alt="image1" width="240" height="240" />Transforming data into information means that you know the “who, what, when, where, and how” &#8211; giving you the ability to make informed business decisions. There is no point capturing data if you do not use it to improve aspects of your business. Reducing recreational web browsing, improving network performance, and enhancing security, are just a few outcomes that can be achieved using information from regular log file analysis.</p>
<p>To achieve these outcomes, it is important for organisations to have a log management process in place with clear policies and procedures and also be equipped with the appropriate tools that can take care of the ongoing monitoring, analysis and reporting of these logs.</p>
<p>Having tools that are only used when a major problem has occurred only gives you half the benefit. Regular reporting is required in order to be pro-active and track patterns or behaviours that could lead to a major breach of policy or impact mission critical systems.</p>
<h3>10 tips to help organizations get started with an effective proactive logging and reporting system:</h3>
<p><strong>1. Establish Acceptable Usage Policies</strong><br />
Establish policies around the use of the Internet and email and make staff aware that you are monitoring and reporting on usage. This alone is an effective step towards reducing inappropriate usage, but if it’s not backed by actual reporting, employees will soon learn what they can get away with.</p>
<p><strong>2. Establish Your Reporting Requirements</strong><br />
Gather information on what you want to report and analyse. Ensure this supports your obligations under any laws or regulations relevant to your industry or geography.</p>
<p><strong>3. Establish Reporting Priorities</strong><br />
Establish priorities and goals based on your organisation’s risk management policies. What are the most important security events that you need to be alerted to?</p>
<p><strong>4. Research your existing logging capabilities</strong><br />
Research the logging capabilities of the devices on your network such as proxy servers, firewalls, routers and email servers and ensure they are producing an audit log or event log of activity.</p>
<p><strong>5. Address shortfalls between your reporting requirements and log data</strong><br />
Open each log file to get a feel for what information is captured and identify any shortfalls with your reporting requirements. Address any shortfalls by adjusting the logging configuration or implementing an independent logging tool such as WebSpy Sentinel.</p>
<p><strong>6. Establish Log Management Procedures</strong><br />
Establish and maintain the infrastructure and administration for capturing, transmitting, storing and archiving or destroying log data. Remember that archiving reports may not be enough as sometimes you may be required to go back and extract from the raw data.</p>
<p>Ensure data is kept for an appropriate period of time after each reporting cycle and that the raw data related to important events is securely archived.</p>
<p><strong>7. Evaluate and decide on a Log File Analysis Product</strong><br />
Evaluate log file analysis and reporting products such as WebSpy Vantage to make sure your log formats are supported, your reporting requirements are met and that it is capable of automated ongoing reporting.</p>
<p>Ensure it can be used by business users as well as specialist IT staff, removing the dependence on these busy and critical staff members.<br />
Make sure the vendor is willing to work with you to derive value from your log data. Often a vendor that supports many different log formats will have some insight that may help you in obtaining valuable information from your environment.</p>
<p><strong>8. Establish Standard Reporting Procedures</strong><br />
Once a report product has been decided on, establish how regularly reports should be created, who is responsible for creating them, and who is able to view them. Store user reports in a secure location to ensure confidentiality is maintained.</p>
<p><strong>9. Assign Responsibilities</strong><br />
Identify roles and responsibilities for taking action on events, remembering that responsibility is not only the security administrator’s domain.</p>
<p><strong>10. Review and Adapt to Changes</strong><br />
Because of the metamorphic nature of the security environment it is important to revisit steps 1-9 regularly and fine tune this process to get the maximum value.</p>
<p><a href="http://www.webspy.com/resources/whitepapers/unlocking-the-value-of-your-log-data.pdf">Download pdf version</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.webspy.com.au/blogs/index.php/unlocking-the-value-of-your-log-data-10-tips-to-help-you-get-started/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
