The New Koobface Malware?

I received quite a number of malicious emails from a friend of mine via Facebook Messenger this morning. It's rather easy to tell that it's malware.

  • The notification email that displays the message provides a link (screenshot 1), whereas viewing the same message on Facebook does not (screenshot 2). When the two renderings of one message disagree, the one carrying the link is the one to distrust.

Screenshot 1

Screenshot 2

  • My email address is part of the query parameters in the URL (screenshot 1), a common characteristic of malicious links: the address lets the sender tell which recipient clicked.
  • Looking at the recipients of the message (screenshot 2), it's suspicious that all the names begin with J and K, which is what you would expect if the sender's friend list is being worked through alphabetically by an automated script.
  • The message was sent by a friend of mine whom I rarely contact.
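The second bullet is easy to turn into a mechanical check. The following is an added example, not code from the original post: it percent-decodes every component of a URL (query values, path and fragment, including the double-encoding some redirectors use) and reports any email address riding along, then asks whether it is the recipient's own address. The host names and addresses in it are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Loose email pattern: enough to spot an address used as a tracking token,
# not an RFC 5322 validator.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def _decode(component: str) -> str:
    # Two passes cover the double encoding seen in redirector links
    # (%2540 -> %40 -> @). A second pass over plain text is harmless.
    return unquote(unquote(component))


def embedded_emails(url: str) -> dict[str, list[str]]:
    """Map each URL component (query parameter name, 'path' or 'fragment')
    to the email-like strings found in it after percent-decoding."""
    parts = urlsplit(url)
    hits: dict[str, list[str]] = {}

    # parse_qsl already decodes one layer; _decode handles a second one.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        found = EMAIL_RE.findall(_decode(value))
        if found:
            hits.setdefault(name, []).extend(found)

    for label, component in (("path", parts.path), ("fragment", parts.fragment)):
        found = EMAIL_RE.findall(_decode(component))
        if found:
            hits[label] = found
    return hits


def link_is_personalised(url: str, recipient: str) -> bool:
    """True when the recipient's own address is embedded in the link,
    the pattern described in the post (screenshot 1)."""
    target = recipient.casefold()
    return any(
        addr.casefold() == target
        for addrs in embedded_emails(url).values()
        for addr in addrs
    )


if __name__ == "__main__":
    # Constructed sample: a lure link of the kind described above.
    lure = "http://video-share.example/view.php?e=jane.doe%40example.com&v=1"
    print(embedded_emails(lure))
    print(link_is_personalised(lure, "Jane.Doe@example.com"))
```

The comparison is case-insensitive because the local part of an address is usually typed in mixed case by humans but stored lower-case by scripts. A link with no embedded address is not thereby safe; this only catches the one signal the post points at.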

It's something similar to the phased-out Koobface malware (2008), a worm that spread through social-network messages carrying links. I'm not very sure whether this is a new version of Koobface, but it does have similar behaviours.

Security message (quoted from ESET on the Koobface malware): "Don't trust this new message or any like it sent to you via social networks like Facebook. And of course, make sure your antivirus software is always up-to-date."

To read more about Koobface Malware: Koobface Malware makes a Comeback (

CSIT Experience IT

Last Saturday, I had a remarkable experience at a roadshow organised by the Centre for Strategic Infocomm Technologies (CSIT). The objective of the roadshow was recruitment: to get talented folks graduating from universities to join them. So I went with a few friends who will soon graduate from NUS (National University of Singapore).

Interestingly, CSIT organised a mini capture-the-flag competition. An attacking server hits the participants' web servers every 5 minutes, and points are deducted each time an attack succeeds, so one objective is to secure your web server. The network also contains a vulnerable server which you can break into and capture the flag; each flag captured increases your points.

The competition only lasted 30 minutes. Unfortunately, there was no prize for the winning team. 😦 Good fun though. 🙂

It’s not the Technology… It’s the Assets!

Information security is no longer a "good to have" but a "need to have". Security mechanisms have become vital parts of companies' system architectures as more and more data are digitised and business workflows and transactions are carried out over the network backbone. Moreover, users are becoming more and more concerned about security threats. Information is the greatest asset of any organisation; those who fail to secure their information can expect nothing less than failing in their business.

Does simply introducing security mechanisms into an organisation's system architecture really improve security?

Certainly, it helps a business's reputation to show that it takes security seriously by implementing security mechanisms in its systems. But is that equivalent to taking the security of its assets seriously?

The underlying question of security is: what are you defending, and against whom? In most cases you implement security mechanisms to protect your assets, and that has been the principle of security for centuries. Defining your goals and objectives, setting your priorities and identifying your assets is vital. You do not want to allocate a huge amount of resources to protecting your secondary assets while paying little attention to your primary ones. Leaving your primary assets less secure than your secondary ones is a great treat for your adversaries.

Duress Code

According to Wikipedia, a duress code is a covert signal used by an individual under duress to indicate their state. Duress codes are used widely across the world, in many different settings ranging from checkpoints and burglar alarm systems to computer security.

Duress Code in Action

My first encounter with a duress code was as the antipode of the false-positive code in a burglar alarm system: where the normal code tells the security officer that the alarm is a false positive, the duress code tells them that you are under duress (e.g. held at gunpoint) while appearing to do the same thing. It is an interesting and useful innovation in the security field, and it did not take cryptographers long to pick up the idea.

Duress Code Improvement

Personally, I think duress codes might not be as usable as we think, especially once the user is actually in a state of duress. What's the chance that people will forget the code in that state of mind? What's the chance that people will remember a code they rarely use, when most of the time they cannot recall the passwords of applications they seldom use?

My idea is not exactly an improvement to the system; it is more of a usability suggestion, adopted from form-validation best practice: deny everything, accept only what is expected. In other words, everything other than the expected code is a duress code. You just need to remember your false-positive code (one code instead of two).

You may argue that you might forget your false-positive code, and then your security agents will come running to your house when it's just a false alarm. You just have to ask yourself two questions:

What's the chance of you being unable to recall your "password" in a state of duress, compared with when you are not?

Do you prefer your security agents to "drop by" when it's a false alarm? Or not to care about you because you could not remember your duress code when you were held at gunpoint?
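The two designs discussed above, the conventional two-code scheme and the "everything else is duress" variant, as an added example that is not part of the original post. Both panels are modelled so that a duress entry looks identical to a normal disarm at the keypad, since the signal has to stay covert from whoever is standing behind the user; the code values and the sequence of keypad entries are constructed for illustration.

```python
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Outcome:
    appears_disarmed: bool   # what the person at the keypad (and anyone behind them) sees
    duress_signalled: bool   # what the monitoring station covertly receives


class TwoCodePanel:
    """Conventional scheme: one disarm code plus a separate duress code.
    Any other entry is just a failed attempt and signals nothing."""

    def __init__(self, disarm_code: str, duress_code: str) -> None:
        self._disarm = disarm_code
        self._duress = duress_code

    def enter(self, code: str) -> Outcome:
        # compare_digest keeps the comparison time independent of where the
        # first wrong digit is, so an attacker watching the panel learns nothing.
        if hmac.compare_digest(code, self._disarm):
            return Outcome(appears_disarmed=True, duress_signalled=False)
        if hmac.compare_digest(code, self._duress):
            return Outcome(appears_disarmed=True, duress_signalled=True)
        return Outcome(appears_disarmed=False, duress_signalled=False)


class DefaultDuressPanel:
    """The post's suggestion: one code to remember, every other entry is
    treated as duress. The panel still appears to disarm, so a coerced user
    who forgot or mistyped is not exposed."""

    def __init__(self, disarm_code: str) -> None:
        self._disarm = disarm_code

    def enter(self, code: str) -> Outcome:
        if hmac.compare_digest(code, self._disarm):
            return Outcome(appears_disarmed=True, duress_signalled=False)
        return Outcome(appears_disarmed=True, duress_signalled=True)


def simulate(panel, entries):
    """Run a list of (code, under_duress) keypad entries through a panel and
    count genuine dispatches, missed duress situations and false dispatches
    (a calm user who simply mistyped)."""
    counts = {"dispatched": 0, "missed": 0, "false": 0}
    for code, under_duress in entries:
        out = panel.enter(code)
        if under_duress:
            counts["dispatched" if out.duress_signalled else "missed"] += 1
        elif out.duress_signalled:
            counts["false"] += 1
    return counts


# Constructed scenario: the real code is 1234, the separate duress code 4321.
ENTRIES = [
    ("1234", False),  # calm user, correct code
    ("1243", False),  # calm user, typo
    ("4321", True),   # coerced user who remembers the duress code
    ("1111", True),   # coerced user who has forgotten it and types something
    ("1234", True),   # coerced user who panics and types the real code
]


def compare_schemes():
    return {
        "two_code": simulate(TwoCodePanel("1234", "4321"), ENTRIES),
        "default_duress": simulate(DefaultDuressPanel("1234"), ENTRIES),
    }


if __name__ == "__main__":
    for name, result in compare_schemes().items():
        print(name, result)
```

The simulation makes the trade-off the post describes concrete: the default-duress panel turns the forgotten duress code into a dispatch, but every typo by a calm user is now also a dispatch, and neither scheme helps a user who is frightened into entering the real code. A monitoring centre that receives many false dispatches will start treating them as noise, so the suggestion only works if the user base rarely mistypes, which is exactly the usability question the post raises.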