Good afternoon. Good afternoon. Thanks for joining us for this session. I'm Paul Judge. This is David Maynard. What we want to spend some time on today is search malware. Share with you some of the results that we've seen. We've probably the last several months have been looking into this issue. Certainly over the last year there's been many examples of malware poisoning popular search terms. I think we've all seen examples over the last year. So what our goal was to do was to really kind of understand how much this is happening, understand where it's happening, understand a little bit more about how it's happening. And so as we dug into this, one of the things that was pretty obvious here is kind of why the attackers are focused on the search engines. I mean, the number of eyeballs that are showing up on search engines every day is growing rapidly. I mean, if you look at the latest numbers from the search engines, you look at Microsoft, look at Yahoo, even Twitter now and Google. There are hundreds of millions of searches done on each one of these every day. Microsoft totals in at over four billion searches a day. Yahoo at over nine billion a day. Twitter now is claiming over 24 billion. Excuse me, a month, I said a day, but a month. And Google, of course, leads with over 80 billion searches a month. So the point is, as more information and more users come online, we all use search engines more and more. I know I've personally kind of come to the point that I'm so lazy that even if I know I'm going to a site like CNN, instead of just typing CNN.com, I don't have time to type the extra four characters, so I just put it in my search toolbar and let it do the work. I see a lot of heads nodding, so a lot of people have kind of developed that habit. So the point is, there's so many people going to search engines every day, and the attackers realize today is a pretty good place to focus to get in front of eyeballs.
And so what we wanted to do was understand kind of how they're targeting particular terms, how much they're targeting particular terms, are there particular categories that are more popular and so forth. So with that, we set up a system, a methodology that crawls to different search engines. And it actually, around the clock, pulled and looked at what were the most popular search terms for Yahoo, for Bing, for Twitter, and for Google. And it looked at those most popular trendy search terms around the clock and looked at what were the search results for those. And so we pulled those search results and then actually pulled the pages that those were pointing to and analyzed them. So if you look at what we looked at, it was four different search engines over about two months, 57 days to be precise. In that time frame, there were 25,000 popular topics that we examined. And then over 5 million actual search results. So what we dig into is what we found. So one of the first points is we found malware. Anybody surprised by that? Over 8,000 examples of malware across the different engines. If you look at the breakdown, the leader is Google, with 69% of the malware that we found being found on results from the Google search engine. After that was Yahoo, with 18%, Bing with 12%. This was one of the first times in life Microsoft actually has this advantage of having a little market share. So kind of been the least attacked platform. The other one that you see on there is Twitter, with 1%. And at first it was a little strange to us because we were pretty familiar with how much malicious activity and misuse was happening on Twitter. But one of the things we understood as we dug into this is what happens is with Twitter, think about how a search engine works. It actually organizes and ranks results. So it makes it pretty easy for an attacker to use search engine optimization to actually make sure they're in that set of results that a user gets.
Whereas with Twitter, for most of the time, the way their searches work, they just give you a snapshot of who's talking about this right now. So there's not that ranking, there's not that prioritization. And so for an attacker to try to poison a search engine, they're able to make sure they get their attacks in the top. For Twitter, they're more so kind of playing the odds and seeing where they end up in that random stream. And so this is what explains this only 1% number. But as we get further along, we're going to show some examples of specifically the types of things that are happening inside of Twitter. So if you look at the daily activity for each of the engines, you saw every day Google led the pack. Different days, different engines had a little bit more or less. But what becomes interesting is pretty much every day each engine led to something malicious. No engine really took a day off. But if you look at the different days of the week, one of the first things that we wanted to look at was if you look across the week, are there particular days that have more activity? The short answer is no, not really. Tuesday led about a little bit, represented about 16.7% of the overall malware for the week. But there wasn't a strong correlation about the day of the week. But what was a little interesting is if you look at the time of the day. So these time periods are based on Eastern Standard Time. But if you look at the 11 p.m. to 5 a.m. block, really over 50% of the malware was found in this cycle. Usually, Dave points out kind of the things that are happening at this time of the night, or what's happening at that time of the day if you're in Europe. But the next thing that we looked at, we're seeing that between the 11 to 5 a.m. slot, over 50% of the malware was showing up.
So if you think about this engine running around the clock, pulling the popular search terms, pulling the results, and then analyzing those, we had over 50% activity in that six-hour block that was the end of the night. Another question that we looked to answer was were these known attacks? Or were these attacks that were new? Kind of what types of attacks are malware that are using on the other end of search poisoning? So this looks at kind of the over time, the amount of malware that was detected each day that was kind of found on the previous day, but wasn't detected until later. So let's take a break for a moment. How many people are here because they couldn't get to the Barnaby Jack talk? Raise your hands. You're a bunch of lying people, you know that? So it's funny, let's go back a second. The malware captured by time, so everything in my world is acclimated by Eastern Standard Time, which is the best time zone. However, we take a look at the breakdown in time, and no one on the East Coast is working between 11 and 5 unless you're asking if you want fries with that. So if you take a look and correlate this, who is working generally are people in Eastern Europe or in Asia somewhere. That kind of fits into a weird kind of hacker time, but you also have to invert the time that people, you would think that normal people work and make that a hacker time. So the amount of malware detected each day, it's kind of a funny thing because it went, you know, I was expecting, and we went into this research, you know, completely with our own biases, and we thought, you know, we had ideas of what we'd find. And the days that seemed to have the most malware were the days that seem to correlate to the biggest, like, pop culture events, like the MTV Music Awards and, you know, things like that. And this kind of represented the charts. So we started this research, and research ran for 57 days.
And that's a number we picked that we felt would be a good indication of, you know, total traffic. So it ran for 57 days from, you know, April to June. And there were a lot of kind of pop culture stuff that happened in there. As you see towards the end of the graph, you know, that's World Cup malware and stuff like that. At the beginning it's more, you know, Justin Bieber malware. So, and if anybody thinks that kid's not evil, this is the second topic we've given this week, and he's a primary reason why people's machines get infected. So if you have kids and they buy Justin Bieber CDs, tell them they're going to get viruses. So if you look at this kind of one of the points of this particular point is that, you know, 98% of the malware that we found on the other end of these search results was identifiable by the techniques that we used. So, you know, one of the things to understand is you look at the results that we pulled and the ways that we analyzed them. So we used three different methods. One was a traditional category-based URL filtering database. So kind of looking at the URL and seeing what category of site is this, right? So everybody kind of understands the limitations there. A second source that we used was Google's Safe Browse lookups, okay? So everyone kind of understands the Safe Browse lookup. The third type of analysis that we used was a malicious JavaScript detector. And so what this does is actually kind of pull the JavaScript that's sitting on the page and look for behavior that indicates kind of unwanted activity, looking for, you know, too many create elements, looking for code that's being eval'd within the browser and so forth. So those are kind of really the three detection techniques that we used to flag the different malware. And the point here is 98% of the malware that were on the other side of these search results were detectable, right?
So kind of the good news is there is that attackers aren't using kind of true, say, zero-day on the other end of search results. 98% of the stuff is detectable if someone was actually using something in between them. So basically, as David said, kind of pointed out, looking at the low-hanging fruit. So we'll look at some examples in a second. You know, one of the other interesting things that we came across in this is really looking at the relationship between the different search engines. If you look at something that pops up on Twitter versus something that pops up on Google or Bing or Yahoo, kind of what's the difference in timing or delay on the time that it shows up on Twitter and the times it shows up on different search engines. And so this takes a look at this. This looks at the top 10 trendy topics on Twitter and looks at how long it took them to show up on a different search engine. And so the green bar here is the number of days on Yahoo, the red bar is on Bing, the blue bar is on Google. If there's no bar, it didn't show up. Exactly. So if there's no bar, it didn't show up on the other search engines. And so what you see is this delay. And so what happened is on average, it took 1.2 days for something to become a trendy topic on Google after it became a trendy topic on Twitter. It took about a little over 4 days, 4.3 days to become a trendy topic on Bing and 4.8 days on Yahoo. And so what's interesting, this was now the set of things that were trendy topics on Twitter. Now there were things that were trendy topics on the search engines that were not on Twitter. And so what we saw in general was like things that were kind of culture related or are pop related became trendy topics on Twitter first. And things that were like more serious news, like the oil spill or election results, those things became trendy topics on the search engine before they became topics on Twitter.
And kind of the one of the points in understanding this is from an attacker's viewpoint, kind of where should you target your attacks first? If you see kind of the timing of when things move from one network to another and they're going to become popular and going to become things that people are searching for, this gives a pretty interesting roadmap for where you should spend your attention early on in a particular event that's happening. So when you go home, make sure you tell your kids that if they search for news sites, they'll less likely get malware than if they search for Justin Bieber. We really don't like that kid, I've got to be honest. So here's a view of kind of all the trending topics that we looked at, over the 25,000 trending topics, what types of sites were trending? So what are the categories? And so one of the top things here is news. So 26% of the sites that were trending were news sites. After that was entertainment. So 23% of the sites were entertainment. And then after that, things pointed to news groups and to trending media and so forth. So big surprises here. People like news and people like entertainment. Right now, if you take a look at the top categories for malware, it's a little different. One of the things you see here is the top site is category spyware. So 35% of the sites that were pointed to were classified by traditional URL filtering engine as being bad sites. So these were sites that were known to continually carry malware over time. So that's kind of the good news we're able to capture a third of this just with URL filtering technology. But then you see entertainment here. You see search engines here. You don't see news pretty high up in the results. So one thing we want to look at were the particular categories that malware liked or didn't like. So what we saw is these are the top ten categories overall. So news being one, entertainment, then forum and news groups.
If you look at the third column, that's the ranking for malware. So news. It was the number one site overall for trending topics. It was number 17 for malware. If you look at streaming media, which was number four overall, it was 21 for malware. It was sports similarly. Number six overall, but 14 for malware. So this shows examples of the types of sites that malware doesn't necessarily, authors don't necessarily particularly like to target. But then if you look at categories that are popular, you see some names that you would expect. You see kind of overall the malware ranking for hosting sites is number five, where in general is 20. You look at peer-to-peer. It's number six for malware, but number 46 overall. So you see some of the usual suspects. Hosting peer-to-peer and proxy sites being targeted by the search terms where they're leading to. Kind of from there, I want to transition a little bit over to some more specific, like looking at the domains and looking at some actual examples of malware that we saw on the other side of these links. Want to walk through? So these aren't a lot of big surprises. Except for the Poland thing. I mean, the most malware we found seemed to be hosted in Poland and although that's technically somewhere around the Eastern European place that we all, everybody quotes the media, all the malware comes from, I just didn't think the Polish had it in them. But apparently they did. Right. So, you know, it's normal stuff. Casa.com. Five ounces of pain. MC Hawking. You know what, it might sound like to you we've never looked at these before, but every time we look at these, it's just shocking. And what is this hope? Hope? Don't know. But, you know, these are the top domains that we found. And like I said, like Paul said, we use three different methods to do this. The Google Safe Browse, our internal database, and a tool called MJD.
And we would cross-verify the results with each one of those tools and actually, you know, go and do random spot checks to make sure we were actually getting malware. And it wasn't just false positives. So here's an example of a guy named LeBron James. I don't personally know who he is. I think he's a golfer. Apparently his wife hit him with a club or something. I don't know. But if you were to search for... Right. Right. So if you were to look a couple of weeks ago on Google, you would find there was a link, you know, when you just put LeBron James in, it would take you to a website that would ask you to install a Flash Player update. And we all know how great Flash Player updates are. And you see it in the news all the time. So you want to get the latest greatest. So when you download that, bam. So, you know what's funny is we're looking at examples of malware. And it's kind of funny because I don't really think there's any other profession where you spend a lot of time looking at like the worst-case scenarios of things, except for maybe doctors. Now I always think that looking at malware like this is the example, like the classic, it's the doctor's time to go look at pictures of what happens with STDs or something like that. So let's go with Darryl Stingley here. Does anybody know who Darryl is? Five people. So I felt bad because, you know, like we said several times, most of the stuff that's used for like trending talk, like this malware search poisoning, are pop culture stuff. And we look at the list of these things. I'm like, I don't know who any of these people are. One of them ended up becoming an LPGA player and this guy apparently took the hardest hit ever in the NFL. And, you know, being a computer nerd slash hacker type, I don't really know what the NFL is. So this actually happened on Tuesday. We wanted to show you a more recent example.
So if you were to put his name into Google, you'd get a site that redirects you that installs malware that does this. And it's pretty well documented that it's malware. And if you notice for the Freedom's Open Source Advocates, ClamAV does not catch this. Yeah, no. So you take that same term and go over to Twitter. You'll notice there's a, there will be a whole lot of people that, well, there's a whole lot of links or, you know, discussion about them. And there's a lot of different URLs, but they all take you to the same kind of site at YouTube. And if you notice over on the right hand side, they use this video of Darryl to promote Lindsay Lohan porn. Which although I'm not happy with, it's better than, you know, the Justin Bieber stuff we find. So they even get clever about this and they'll use, they'll embed these videos and they'll put overlays over the videos. And this one says, due to copyright in YouTube Terms of Service, we cannot upload the whole video here. Go to this website and get instead. And apparently people follow this stuff. And, you know, you'll get pwned. So, in our last example, we have three different accounts talking about three different trending topics with three different URLs. But when you follow them all, they all lead you to a .cn site. And as everybody knows, you don't click on anything in .cn. And if you do, bad things happen. So, we'll go without further. Got it. So, you know, a couple of the other examples that David was just showing were, you know, some on Google, some on Twitter. It's interesting the relationship between the different ones. You know, you saw an attack going from Google to YouTube, you know, from Twitter to YouTube. And really the interrelations that are happening. People using these terms to take you to a malicious site. People using these terms to take you to a spam site. And so, you know, we were looking at, you know, we were looking at the top search results, the top search results.
And to get them up, you know, whether they be porn or otherwise. So, you know, as we saw earlier, you know, over the snapshot that we examined, only one percent of the results were to Twitter. But, you know, we talked about kind of why that was. Because of the lack of actual ranking. Right. So, because we were really kind of going to it from the eyeballs trying to reach eyeballs. It's actually a little inefficient for you. It's a little inefficient because you don't have that opportunity to make your stuff go higher in the ranking. So, when it comes to Twitter, we want to take a look a little bit closer at what actually is going on. You know, even though from a viewpoint of a random user clicking, you know, your chances are a little bit lower. What else is taking place in that network? And so, we spent some time looking at the different characteristics and types of Twitter accounts. We were looking at if we connect to the Twitter stream. And we did this from two standpoints. One was through the streaming API and getting a view of kind of almost real-time sample of all the tweets that are happening. The other is through white-listed API key access, being able to come back and query accounts to ask for particular information. And so, what we were able to see is, you know, for any particular account, how many times they've tweeted? How many people are following them? How many people are they following? What do you think about Twitter? There's really only three things that you can do. And so, that's really your feature space. I mean, you can also look at someone's profile. You can also look, as we just did, the actual URLs that are in the tweets. What we want to really understand kind of what's the behavior, how legitimate users are using this network, and then kind of how are illegitimate users using it. And is there an opportunity to build out a reputation?
So, there's certainly a fair amount of work on doing kind of content-based classification. But if you think about what happened in the email world, everybody was doing content-based classification. Everybody was doing Bayesian. Everybody was doing regexes and so forth. And then kind of the world looked up and realized, wait a second. There's a small set of good senders, and then there's this big set of bad guys. So, we can actually use the reputation or the behavior of this particular IP email. I mean, it got us 95%, 99% catch rates. And so, kind of one of our goals here is to understand is there the potential for the same type of classification for social networks. To be able to take those users and without looking at their profile, without waiting to look at the content that they posted, be able to build some user reputation and classify them. So, when we dug into the different networks, if you dug into Twitter, it's a great example because the API is so open, it gives us the ability to easily ask questions. But on the other side, it also gives the attackers the ability to kind of also easily create lots of accounts and also easily inject lots of content for very low costs in terms of computing and bandwidth. So, one of the things that we looked at, we have a little over 25 million Twitter accounts that we've analyzed. So, you think about the whole set of over 100 million Twitter accounts that exist. We have access to over 25 million of those that we've examined. So, you know, a pretty substantial sample or subset of the Twitter universe. So, after looking at that, you know, one of the things that was one of the first questions that we wanted to ask was kind of what's the actual Twitter user? You know, what's the true Twitter user? Who uses Twitter in here? I probably should ask who doesn't. So, most people. So, now see if, you know, people in this room are a true Twitter user or not. And, you know, we set the bar pretty low.
We said, hey, a true Twitter user, somebody that has sent at least 10 tweets, they have at least 10 people following them, and they're following at least 10 people. It's a pretty low bar for you guys that have actually used the network. But what we saw is only 29% of the accounts on the network meet that criteria. So, you think about it, you know, 71% of the accounts on Twitter really aren't using it. So, you know, that was kind of this first thing that we noticed. I mean, the vast majority of the network is not using it. The, if you look at it a little more closely, I mean, what we saw is if you look at how many followers each account has, the point here is, you know, 16% of the accounts have no followers. So, you think about that. Basically, one in every six accounts is on the network, nobody's listening to them. Right? If you think about it, you know, over half of the network, 52% of the network have less than five followers. So, a couple of people are listening, but not many people care. Right? But, you know, it's interesting that only 9% of the network has over half of the followers. So, the various kind of small set of the overall population that kind of people are kind of tuning into and listening to what they're saying. So, that's kind of one feature. So, what's funny is it seems like that Twitter's become high school again. That, you know, you have your cliques of people that know like five people, then there's people that everybody knows. Exactly. Exactly. So, what happens is, you know, that's the looks at kind of who's following. The thing we looked at next is how many people are you following. And so, the point here, again, out of all 10% of them aren't following anybody. They went on, they created an account and they don't care to listen to anyone. There's one in five accounts following nobody. There's only 10% of the accounts that are following more than 100 people.
There's only 10% of the people that are listening to a stream that's kind of interesting enough to kind of actually pay attention around the clock. The next thing we looked at was kind of more interesting the relationship between those two numbers. You know, if you think of a normal social network, you're kind of following the same number of people that are following their relationship. It's kind of a two-way connection. Where in Twitter you have this opportunity to have it one way. And so, what we saw is that 55% of the network is actually using it with a kind of almost a two-way graph where they have roughly the same number of people following them as they're following. You know, plus or minus five is the criteria window that we use. So, 55% of the network is kind of using it like a normal social network. What we saw is that, you know, 13% have more followers than they have and the other side is, you know, 32% of the network is following more people. So, it really shows that about half the network are using it like friends. There's about 13% that are celebrities. And then there's about 30% that are consumers of content. So, one thing we want to look at was, okay, how many of these are real accounts? How many of these are legitimate people and legitimate accounts? So, we look to examine this thing that we call the Twitter crime rate. And the Twitter crime rate that we want that are created and then suspended. And these are suspended by Twitter. So, these obviously aren't all the accounts that are doing things that are malicious, but at least a measure of over time how many accounts were created doing malicious misuse and then kicked off the network. So, if you look back since the beginning of the network, so this top left view is a view of since the beginning of the network, the growth of the network. So, this is the user growth of Twitter since 2006. You know, one of the interesting things is red carpet era.
If you look at from November of 2008 to April of 2009, what happened is, you know, all the celebrities came. So, if you look at the top 100 people on Twitter today, 50% of them joined in the same 6 month period. So, you know, the Ashton Kutcher, the Kim Kardashian, the Diddy's, all the world, all joined in the 6 month period. If you look at what it did to the growth rate of Twitter, it went from 2% to 20% a month in that 6 month period. So, what happened there, as we know, kind of where the users go, the attackers go. So, this looks at the Twitter crime rate since the beginning of the network. So, since 2006, when the network first started, there was 1% of the accounts that were created in any given month that were suspended or kicked off by Twitter. If you look at 2007, it went up to 1.7%. You know, 2008 went to 2.2%. In the middle of this red carpet era, it increased 60% to 3%. But four months later, the crime rate jumped to 12%. Right? So, one in every eight accounts that were created on this network were being kicked off. And again, these are only the ones that were being kicked off down. So, it kind of simmered back down as the user growth simmered down. And so, if you look at what we've seen so far this year, it's basically it's gone from 2% to 1% and fluctuated in that range. So, the average this year is 1.6% of the accounts that are created in any given month are being kicked off for misuse or inappropriate activities. And again, these are only the ones that are identified successfully. So, we want to understand that better. Kind of, what are the behaviors and properties of these types of accounts? So, one of the things that we looked at is we look back at this friend follower delta. This friend follower delta, remember what's kind of the difference between the number of people you follow and how many people are following you.
And the thing that we notice here is that the attackers are using pretty aggressive kind of recruitment activity to get a higher number of followers. And so, their delta is higher. So, what you see here in the green space is the delta for legitimate accounts. So, on either side, people that have more of the suspended accounts, you see a very much higher delta because either they have successfully created a higher number of followers or they're still in the process of following people so those people can follow them back and so they have a higher number of friends. And so, the pretty interesting attribute to use to get some separation. The other thing that we looked at to get some separation is this number that we call the tweet number. And the tweet number is pretty simple math. How many days have you been on the network and we divide by how many tweets you've sent? So, it's basically on average, how many tweets have you sent since you joined Twitter? And so, for example, my tweet number happens to be like 1.8. And I think Dave is like, what, 3? 3.2. So, it's interesting. I know some friends, a couple of you guys in the room, was tweeting numbers 40. So, you're like tweeting every 15 minutes on a work day. And I'm like, wow, that's pretty high. You're kind of annoying. But then there are some other accounts, if you know, that are actually tweeting 100 times a day. You think 100 times a day, but it's only, you know, 0.19 percent of the population. So, you know, it seems like, okay, it's only a small number of people, 0.19 percent of the population. But what happens if you think of that 0.19 percent of 50 million users? You're talking about a couple hundred thousand users tweeting at least 100 times a day. You're talking about, you know, 19 million tweets out of 50 million. You're talking about 38 percent of all of the traffic on Twitter being generated by this 0.19 percent of the population. So we thought this was a pretty interesting attribute. 
So what we did from there is kind of really looked into how can we begin to build some level of reputation by coupling these features together. Coupling together this friend follower delta along with this tweet number. And as we did it, we got some interesting separation or interesting clusters of user types. So, David, step us through a few of those. So this is a friend follower delta on the positive side, which means that there's generally a lot more people following them than they're following. And, you know, the usual suspects are there, Fox News. It's funny to note that number three, number four, number five are that Bieber kid. And, you know, at least Miley Cyrus makes it on the top list there. So when you go from, you know, the friend follower delta, you know, like 119,000 down to, like, you know, in the 4,000, 5,000 range, you get people like Icekeet then tweet. Which I don't know what that means, but polishers, I mean, it's great. Live blogger jobs, you know, it's more like, you know, localized recruitment kind of things. I don't know what the Icekeet then tweet is recruiting, but it looks like the rest of the stuff kind of is like financial news or, you know, tweeting kind of stuff. And then, you know, the lower you get or the closer to zero you start to see some scammers like the money wholesale. You know, nobody sells money wholesale. I'm aware of, but if you do, I'd like to know about this. You know, in the L.A. restaurants, I mean, there's not really anywhere good to eat in L.A. except for pinks. But so when you get the negative numbers, you definitely find scammers like, you know, instant biz tips, camphor porn. I do know what that one is. Tweet stock tips and this 365buying.com. So the lower, like the farther down negative you go on the tweet number, the more distinctive people or scammers are becoming. So like this is an example. This is a site of a Twitter follower. 
He has got a friend follower delta of negative 3-2, but he's got a tweet number of 108, which means he's basically tweeting all the time. But no one's really, you know, following. And if you take a look at it and go to the site, it's a free software site where you can download, well, they purport you can download all kinds of different activities. But if you take a look at the Google Diagnostic page, it becomes more clear what it actually is. You know, 10 Trojans, 4 exploits, 1 scripting exploit in the last 90 days that, you know, Google scanned it. So obviously it's not a very good site. And with that, we're going to go into the top 10 search terms used by malware. This is actually the money shot of our presentation. The money shot. The money shot. So it's interesting. So we looked at, you know, kind of what's going on on the different search engines. We looked at kind of what's happening on Google, Bing, Yahoo. We drilled into Twitter a little bit more to see kind of how the attackers are creating fake accounts. We saw that over 70% of the accounts on there really aren't using the network. We looked at the types of categories that the malware doesn't like. And so, you know, we learned a lot about kind of how this is happening, the scale of the search engine optimization attacks. And so, you know, one of the things we talked about are the categories. We talked about the fact that, you know, we did this for 57 days. We saw over 25,000 search terms, 5 million results. But out of those 25,000 search terms, you know, there are some that are more popular than others. There are some that are kind of used more in those search terms. Which ones are being used? So it's a very wide set of things. You know, so on the list we had a couple NFL players. We had some politicians, some actresses. We had, you know, you look at, you know, one of the guys on the list was a guy named Adam Wheeler. Anyone heard of Adam Wheeler? 
It's a guy that cheated his way into Harvard, kind of forged transcripts. They got into Harvard full scholarship and now he's facing about 20 charges. Identity fraud, forgery, larceny. So, you know, the poor guy is kind of having some troubles right now. So, as this news broke, he became, you know, one of the top... Yeah, he's hiding. Yeah, that's the least of his problems. So, you know, look at the top search term. It was a lady named Lois Wilson. Lois Wilson and her husband started Alcoholics Anonymous. So, you know, what happened, the reason she was trending is on April 24th, there was a movie that came out that told her life story. And so, she was actually... If you look at all the tally of the results of the malware that we found, she was the top search result that was being used. And we're like, we're in Vegas, this is DEF CON. That's not a very interesting term to, like, say it was the top of the list. So, we went to our scientific poll and we said, hmm, let's really understand kind of what's our favorite search term that was used for malware? What's the viewer's choice? So, what we came up with is if you look at the number two search term, that is Hope Dworaczyk. Hope was a model, actress, TV personality. She was Playmate of the Month in April 2009. She was on the cover with Seth Rogen. And last month, she was Playmate of the Year. So, if you look back at the covers, you know, Seth is having fun with a fan there. If you look at the issue in June, it was interesting because it was actually a 3D photo shoot. So, you know, you got the magazine, glasses, and, you know, I was sitting here thinking like, hey, can we get enough 3D glasses for the room? And I wasn't able to get enough 3D glasses for the room, but what we were able to do was have Hope come and join us as the viewer's choice of the best reason to click on malware in 2010. So, I'd like to introduce Hope. Thank you for having me. So, thanks for coming up. 
Thanks for stopping by Vegas, for stopping by DEF CON. Have you ever been to DEF CON before? I've never been here, but I've been told to turn my Wi-Fi off and my Bluetooth. I don't know if that's right, but it's off. So, you know, obviously you've been busy, had a lot of success. Your name's all over the place, and what we've found is that, you know, the attackers are using your name. Did you know about this at all? What do you think about it? Everybody Googles themself, first of all. First, I've Googled myself, and I've seen my name with things that I know I haven't been a part of, or I haven't done. So, that was not news to me, I guess, but the part where I was part of viruses or any of this definitely was. So, when I got the call to come in, I was more interested and I wanted to know why or find out more about it. Interesting. So, you know, one thing we looked up is you use Twitter. Your tweet number happens to be 1.03 if you need to know that. 1.03 means what? 1.03 means you tweet on average 1.03 times a day. Okay, cool. Just in case you needed to know that. Sometimes I'm like seven times in a day and other times I go like two weeks without doing it, so it's different all the time. So, you actually, you've been on Twitter for a while now. You have this verified account. You have over 10,000 followers. You know, we're talking about how the, you know, how are you using it? How does it change your life at all or what do you think about the technology at all? I think the coolest thing about Twitter, having a Facebook account, mainly Twitter, is that you can communicate with people instantly. So, I might send out a tweet. Last night I took my grandmother, who told me to pose for Playboy when I was questioning whether I should do it or not. I took her to the Playboy Mansion to meet Hugh Hefner. So, I tweeted that this morning and read, you know, whoever's replying immediately and it's really cool to read it and then sometimes reply or send a direct message. 
So, that's what I use it for. I get that I can communicate with people that normally can't reach me and I can't normally reach. So, we didn't talk about this beforehand, but so your grandmother told you to pose and then you took your grandmother to meet Hefner last night. It's really a funny story. I'm from Texas, a small town in Texas and when I was approached to pose for Playboy, I was scared to death to tell anybody. So, I put it off for months and I didn't tell, you know, anybody like, hey, they want me to be on a cover with Seth Rogen from, like, Knocked Up and Pineapple Express. So, I didn't tell anybody. I was just, like, leaving it on the table and the first person I told was my Nana and Nana said if I was your age and I had the opportunity, I'd go for it. So, so, when she visited me in LA last week, last night was her last night there and so I took her up to meet Hef. Can I ask a question? I just have a, I want to ask a question everybody wants to know here. So, if you're a computer hacker and you're in a casino and you see a playmate at the bar, how do you approach her? Probably start talking nerdy to us because we're kind of into that. If you're telling us you could do it but you won't because you think we're nice or sweet, we'll be into you because I really don't want any of my stuff hacked after I leave here. Got it. So, the best way to impress is not to hack her site. She's, we're walking in. She's like, am I going to go home with my site? My site's going to be down. So, with that, that wraps up our session. Thanks again to Hope. We have a little token for you again as, you know, a best excuse to click on malware for 2010. So, thank you. Got it. So, we, you know, actually have a couple minutes left. So, are there any questions? For us. Yeah, are there any questions for us? The two guys. I'm Paul, he's David, Barracuda, anybody remember that? Okay. Sir. Got it. So, a question? The best defense. So, you know, it was interesting. Thanks. 
So, the question was, any recommendations for the best defense for these attacks? So, my marketing department would like if I said Barracuda right now. But, you know, the point is that, the point is that, you know, most of these things, you know, 98% of them were things that were flagged by existing technology. Right? So, URL filtering, you know, antivirus signatures, malware lookup databases. So, the good news is, as long as you're using some protection, right? We're still talking about the search stuff, right? Hey, apply that to any part of your life that's appropriate. As long as you're using some protection, you know, 98% of these things you would actually be defended from. So, the biggest problem, and it's hard to say this as a security researcher, we spend more time looking at the problem than the solution. And most of the solution just seems to be train people better. But that's not really a scalable solution. Another question? So, the question was about, you know, Paul Vixie creating a reputation site and being sued. So, it's interesting, you know, always to kind of see the attackers use the legal system against kind of people that are trying to defend. So, we, you know, we kind of had to deal with things along those lines certainly, but it's kind of part of the risk of the business. So, with that, I think I'll wrap. For those of you that are interested, we'll be in room QA5. Our friend Hope will be there as well for a few minutes if you're interested in asking more questions about our results or having a picture with Hope. So, hey, thanks for having us. Have a good day.