Thursday, 16 September 2010

An Evening with Samy, creator of the Samy MySpace Worm

Last night I was out talking security, drinking beer and eating curry with Samy Kamkar, following his presentation at an OWASP Chapter event in Leeds. Samy was responsible for writing and delivering the infamous Samy MySpace Worm in October 2005, which was one of the fastest growing malware infections to date.

Samy Kamkar
Samy delivered an excellent and fresh presentation at the OWASP Leeds Chapter meeting, highlighting several areas of new research and frankly new concern for us all. But I’ll save that for another blog posting once I’ve investigated it further, however you can read a little about one issue he discussed, which was highlighted in a recent BBC News report “The Web attack knows where you live

What I found particularly interesting about his presentation aside from the vulnerabilities and clever exploits, was you got to see how his mind ticks, his thought processes in finding and exploiting vulnerabilities. We aren’t talking just a single vulnerability that is being taken advantage of here, but a whole jigsaw of different vulnerabilities, with many obstacles to be conquered before the final end game of successful exploitation. For those who wish to try to understand why certain people are so driven to hack, it is often for the thrill of the challenge. Some people like the challenge of Sudoko puzzles, crossword puzzles, video games, but there are some who just like breaking programming code and IT systems. Individuals like Samy don’t do it for personal gain or with thoughts of malice, he just does it for the sheer fun of it, in his own words “this is just a hobby to me”.

As far as I can tell when he created the Samy Worm he didn’t set out to hurt anyone or profit from it, he certainly didn’t have any grievances against MySpace at the time, nor did he even attempt to do anything anonymously, it was just a kid playing around with the new social media of the day and web code, and asking himself the question what if.

I asked Samy about the MySpace Worm, specifically about at what point did he think the situation with the Worm spreading go out of control. He told me after he launched the code he saw few signs of it being successful, and he went to bed only expecting a few hundred infections the next day at the best, but by the end of the next day, a million people’s MySpace accounts were infected with his code (Worm). The Worm displayed the text “but most of all, Samy is my hero” at the end of a victim’s profile, and when another MySpace user viewed an infected profile, their own profile was infected due to a MySpace web code cross-site script (XSS) vulnerability which the Worm exploited. The Worm code would also automatically send a friend request to Samy, leaving Samy with a million MySpace friends. There is a full account of what happened in Samy’s own words at the time still available on the Internet -

A MySpace Samy Worm Infected Profile
Aside from the Samy text you can see,
there is script code you can't see which executes

Samy went on to say it was a good six months before he was arrested and charged. In a scene reminiscent of the film Hackers, he talked about how he and his friends were arrested at gun point, and how he was banned from using a computer for two years, but fortunately avoided an actual prison sentence.

Samy is still only 24, and even though he only does security for a hobby, you are left with the distinct impression you will hear a lot more about Samy in future years. The same type of relentless problem solving thought processes, attention to detail, and the utter determination it takes to discover and successfully see through the exploitation of complex vulnerabilities, actually maps well onto the successful business persons mind.

Thursday, 9 September 2010

No Data Protection in Outer Space!

I just found out my name is on board the IKAROS spacecraft, which is currently solar sailing its way from Earth to Venus. Apparently this is a benefit of my membership of the Planetary Society – yes I do have other interests outside information security.


I don’t recall agreeing for my name to be sent into space, but I’m sure glad they did it, especially as this spacecraft may change course of interplanetary and interstellar exploration forever, plus the spacecraft could end up drifting in space for eternity, but I'll save further discussion on that for a different themed blog. So getting back to security, to be perfectly clear, an individual’s name on its own doesn’t require any protection and is not a requirement of legal acts such as the UK Data Protection Act. This is a common misnomer, it is only when you combine an individual’s name with another pieces of their personal information, such as a date of birth when it comes into scope of requiring protection. Although I have to say not many small UK businesses are up to speed with their legal data protection obligations.

I personally believe the Data Protection Act is outdated, and is in need of a major review and overhaul. The Act was written in the nineties before the Internet usage really took shape, and in this day and age of social networking and instant availability of UK citizen personal information, such within online electrical roll websites, there could be an argument there is actually little point in trying to make businesses protect certain aspects of our personal information anyway, because the horse has already bolted.

But even if my full personal details were along side my name on the IKAROS spacecraft, I would argue adequate data protection was in place. Due to the vacuum of millions of miles of space, my personal information isn’t exactly publically assessable. I consider my details to be certainly more secure in space than within the care of certain government departments and companies I could mention. I mean it’s not like I’m at risk of identity theft by extra terrestrials, or am I?