sophos - ReadWriteWeb feed (http://www.readwriteweb.com/feeds/tag/sophos), Copyright 2012 Richard MacManus, built Tue, 14 Feb 2012 12:45:00 -0800

How Could Anonymous "Destroy" Facebook? [Video]

Yesterday, a YouTube video from a splinter of the hacktivist group Anonymous proclaimed that it will "destroy Facebook" over privacy issues on November 5th. As military tactics go, that is like telling the Germans three months in advance that the Allied Forces are going to launch D-Day. That is no recipe for success. The threat against Facebook should be taken with a grain of salt. Yet the question arises: if Anonymous or another group of hackers really did want to take down Facebook, how could it be done?

See the video after the jump for a full explanation of why Anonymous might want to destroy Facebook. The first thing to know about the alleged destruction of Facebook is that it is not wholly supported by the Anonymous collective. Various Anonymous-affiliated Twitter accounts have said something along the lines of "no one can speak for the whole of Anonymous. There are some anons who support #opFacebook whilst others do not." Yet what if the entire group were motivated to cause chaos and disruption? Are there any tactical advantages that Anonymous has that Facebook could not easily thwart?

A DDoS Won't Work

In reality, it is not likely that Anonymous has the chops to really hurt Facebook. Historically, the favorite weapon of Anonymous and LulzSec has been the distributed denial of service attack (DDoS). A DDoS floods a target server (or servers) with more requests than it can handle, so that legitimate traffic cannot get through and the website goes down. Attackers sometimes use the flood as cover, slipping exploit attempts against other services into the noise while defenders are busy with the outage, but companies know to look for this and it can be turned away.

A DDoS attack would not work on Facebook. It is too large, too well engineered and already handles so much traffic that a flood would accomplish little; maybe the service would be slow for a couple of hours. Even if Facebook did go down for a while, that is certainly not the "destruction" of the platform. Apple, Amazon, Google and Facebook have so much capacity and traffic-filtering infrastructure that volumetric DDoS attacks rarely take them offline.

"Destruction isn't a DDoS attack anyway. Destruction means dead, kaput, sayonara, forever," Graham Cluley of security firm Sophos told ReadWriteWeb. "A DDoS attack would be more Anonymous's style - but how likely it would be to succeed is very questionable, as Facebook has a strong infrastructure behind it. In the past we've seen Facebook manage to withstand heavy DDoS attacks when other social networks like Twitter have crumbled (see: Twitter DDoS). Although Facebook stumbled a little, it didn't go down."

Publicly Shame Facebook & Make Users Lose Trust

Cluley thinks that the way to destroy Facebook would be if it "permanently and devastatingly loses the trust of its user base." Yet, how can this be accomplished? If Anonymous (or anybody) does not possess the tools to destroy Facebook's infrastructure, what is the back door that would make users lose faith in Facebook?

This is where other Anonymous tactics come in. Look at Booz Allen Hamilton: its corporate infrastructure was breached and about 90,000 email addresses tied to the Department of Defense were leaked. If Anonymous really wanted to attack Facebook, digging up dirt in its own corporate communications would be the way to go.

"If hackers could find a backdoor into Facebook's corporate network and if they managed to gain high enough access rights, then they might be able to search emails and logs to hunt for evidence of Facebook selling information to governments if it were taking place," Cluley said. "But there's a lot of 'if's' there."

Spear Phish the Corporate Back Door

The most plausible way for a hacker to reach Facebook's corporate communications would be a well-targeted spear phishing attempt: a message sent to a high-level executive carrying a Trojan that lets the attacker take control of that computer and move from there into the corporate network.

"And I would imagine, like most other businesses of such a size, Facebook would have layered defenses in place to reduce the chances of hackers breaking into their systems, and have locked down their most sensitive information with access control and encryption," Cluley said.

Overall, we are talking about theories. Maybe a portion of Anonymous will attack Facebook on November 5th, maybe they will not. Maybe they will be successful, though they probably will not be. Anonymous considers itself a movement, and as with any movement, there are going to be disagreements on which way it should go. Facebook, while maybe not always the most forthright company about its privacy policies, is hardly a secretive government or evil corporation bent on making war across the world for the sake of profit.

For all we know, this "threat" could be made by a 17-year-old kid who reads too much news. As Paul Ducklin of Sophos wrote on the company's Naked Security blog "someone with a computer, an Internet connection, a basic video editor and a voice synthesiser - has decided that Facebook should die."

Source: http://www.readwriteweb.com/archives/how_could_anonymous_destroy_facebook.php (Facebook, Wed, 10 Aug 2011 08:30:00 -0800, Dan Rowinski)
Researcher Slams Sophos: How Secure Is Your Security Company?

The cyber security industry talks a big game. There is some truth to the notion that security companies' marketing departments play up viruses, Trojans and known vulnerabilities to alert the public to their products. Security is a $16 billion, hyper-competitive industry. Yet, with all the news of exploits, big hacks and viruses, one has to ask: are the security companies really doing their jobs?

That is up for debate. A Google security researcher (acting independently of Google) named Tavis Ormandy reverse engineered part of security firm Sophos's products and published his research (PDF). He presented his findings at the Black Hat security conference in Las Vegas yesterday and had some hearty criticism not just for Sophos but for the security industry in general. The issue, in part, is how open security companies are about the code and algorithms they use to protect users' computers. How open do security companies need to be to have the most effective product?

Kerckhoffs's Principle

Ormandy starts the abstract of his paper with a fairly simple declaration:

"Antivirus vendors often assert they must be protected from scrutiny and criticism, claiming that public understanding of their work would assist bad actors. However, it is the opinion of the author that Kerckhoffs's principle applies to all security systems, not just cryptosystems. Therefore, if close inspection of a security product weakens it, then the product is flawed."

The notion is that security companies hide their algorithms, code and practices so that bad actors cannot study them and easily sidestep them. Kerckhoffs's principle (from the 19th-century cryptographer Auguste Kerckhoffs) states: "A cryptosystem should be secure even if everything about the system, except the key, is public knowledge." Applied to an antivirus product, the analogue of the key is whatever the vendor can actually keep secret and change; detection logic and data formats shipped to millions of machines do not qualify, because anyone with a disassembler can read them.

What Ormandy did with Sophos was pick apart several subsections of the overall product, including the cryptography and obfuscation Sophos uses to protect its data. Specifically, Ormandy looked at Sophos's buffer overflow protection, its signature matching and cryptography (SPMAA, proprietary to Sophos) and its "genes and genotypes" system that detects the behaviour of malicious programs.
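The following is an added illustration of the Kerckhoffs argument above; it is the editor's own code, not Sophos's data format and not anything from Ormandy's paper. A "proprietary" repeating-key XOR obfuscation (a stand-in for any secret-algorithm scheme) is broken with a known-plaintext attack as soon as the reader has been reverse engineered, while a public algorithm with a secret key (HMAC-SHA256 here) keeps its guarantee even when the attacker knows everything but the key. The header, keys and data are constructed.

```python
"""Editor's illustration of Kerckhoffs's principle (constructed data, not Sophos's scheme)."""
import hashlib
import hmac
import itertools

HEADER = b"SIGDB001"  # constructed fixed file header: the known plaintext
SECRET_XOR_KEY = b"\x5a\x13\x77\x02\xc8\x9f\x41\x6e"  # constructed 8-byte "secret"


def xor_obfuscate(data: bytes, key: bytes) -> bytes:
    """The 'secret algorithm': repeating-key XOR (encrypt and decrypt are the same)."""
    return bytes(b ^ k for b, k in zip(data, itertools.cycle(key)))


def recover_xor_key(blob: bytes, known_prefix: bytes, key_len: int) -> bytes:
    """Known-plaintext attack: XOR the first key_len ciphertext bytes with the
    known header and the key drops out. The attacker needs no secret, only
    the scheme and header learned from reverse engineering the reader."""
    if len(known_prefix) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext")
    return bytes(c ^ p for c, p in zip(blob[:key_len], known_prefix[:key_len]))


def break_obfuscated_db(blob: bytes, key_len: int = 8) -> bytes:
    """End to end: recover the key from the header, then the whole plaintext."""
    key = recover_xor_key(blob, HEADER, key_len)
    return xor_obfuscate(blob, key)


def protect(data: bytes, mac_key: bytes) -> bytes:
    """Kerckhoffs-style integrity: public algorithm, secret key.
    Returns data || HMAC-SHA256(mac_key, data)."""
    return data + hmac.new(mac_key, data, hashlib.sha256).digest()


def verify(blob: bytes, mac_key: bytes) -> tuple[bool, bytes]:
    """Check the tag with a constant-time compare; any modified byte fails."""
    data, tag = blob[:-32], blob[-32:]
    ok = hmac.compare_digest(tag, hmac.new(mac_key, data, hashlib.sha256).digest())
    return ok, (data if ok else b"")


if __name__ == "__main__":
    plain = HEADER + b"sig:Demo-A=eb0b5e"          # constructed signature record
    blob = xor_obfuscate(plain, SECRET_XOR_KEY)    # what ships on disk
    print("recovered key:", recover_xor_key(blob, HEADER, 8).hex())
    print("recovered db :", break_obfuscated_db(blob))
    mac_key = b"constructed-32-byte-mac-key-xxxxx"
    protected = protect(plain, mac_key)
    tampered = protected[:9] + bytes([protected[9] ^ 1]) + protected[10:]
    print("verify intact :", verify(protected, mac_key)[0])
    print("verify tampered:", verify(tampered, mac_key)[0])
```

One caveat on the second half: an HMAC key that ships inside a product installed on end-user machines is no more secret than the XOR key was. For signature updates the right tool is a public-key signature, with the private key held by the vendor and only the verifying key on the client; Python's standard library has no asymmetric signing, so the HMAC is shown only to make the "public algorithm, secret key" point.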

Only A Piece Of The Puzzle

Sophos researcher and blogger Graham Cluley said that Ormandy is not an ordinary security engineer or computer user.

"No doubt he is a very bright chap," Cluley said in a call to ReadWriteWeb. "I think he comes at this problem from a very unusual angle. I imagine he is the type of fellow who analyzes every piece of code that he puts on his computer ... That is not something that scales. Tavis's mom could not do that."

Yet Cluley notes that while what Ormandy did was helpful and informative for Sophos, it covered only a piece of the company's larger security product. Ormandy did not actually test the product against malware, Cluley says, and had he done so he would have found it quite capable of blocking malicious programs.

Yet Ormandy does have pertinent points, and Sophos is right to acknowledge them. The battle between security vendors and cyber criminals is a two-step, a dance in which each party tries to stay a step ahead of the other. If an attacker has specific knowledge of how a product detects malware and encrypts data, they have the advantage. A Sophos researcher who attended Ormandy's talk downplays that aspect.

"Malware writers have to be very generic in terms of what they write," Sophos researcher Vanja Svajcer said, according to Forbes. "They don't have time to investigate forty or fifty vendors to circumvent their products."

In general, that is true. Malware writers are interested in the richest targets available with the lowest barrier to success. Yet that does not stop a specific attacker from studying the weaknesses of a particular security product and finding ways around it. Spear phishing (attacks designed for specific targets, usually through some form of social engineering such as email) is on the rise, and as we have seen with the attacks on Sony, Booz Allen Hamilton and the state of Arizona by LulzSec and Anonymous, dedicated attacks can succeed. As much as the security industry likes to tout its products (which are effective for the most part), they are not perfect; part of what Ormandy is doing with Sophos is pointing that out.

At the same time, even the best security products cannot protect against employees who do not follow best practices or against poorly instituted security policies, which is often the case in large-scale hacks such as those at Sony or HBGary.
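The two-step above, in code: an added example written by the editor, not Sophos's engine and not from Ormandy's paper. A byte-pattern signature engine with ClamAV-style `??` wildcards scans a constructed "polymorphic" sample whose decoder stub carries a per-copy key byte. An attacker who knows the exact-byte signature evades it by re-keying the next copy; a signature that wildcards only the bytes that vary keeps matching. The stub bytes, payload and signature names are constructed stand-ins, not real malware.

```python
"""Editor's illustration of signature matching versus re-keyed variants (constructed data)."""
import re

PAYLOAD = b"CONSTRUCTED-DEMO-PAYLOAD-NOT-REAL-MALWARE"


def build_sample(key: int) -> bytes:
    """Constructed 'polymorphic' sample: an 11-byte decoder stub whose key byte
    varies per copy, followed by the payload XORed with that key."""
    stub = (b"\xeb\x0b\x5e\xb1" + bytes([len(PAYLOAD)]) + b"\x80\x36"
            + bytes([key]) + b"\x46\xe2\xfa")
    return stub + bytes(b ^ key for b in PAYLOAD)


def compile_signature(hex_sig: str) -> re.Pattern:
    """Turn a hex signature such as 'eb0b5eb1??8036??46e2fa' into a regex over
    bytes; '??' matches any single byte, every other byte must match exactly."""
    parts = []
    for i in range(0, len(hex_sig), 2):
        pair = hex_sig[i:i + 2]
        parts.append(b"." if pair == "??" else re.escape(bytes([int(pair, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


SIGNATURES = {
    # Exact bytes of the one captured variant (key 0x41): brittle.
    "Demo-A.exact": compile_signature(build_sample(0x41)[:11].hex()),
    # Same stub with the length and key bytes wildcarded: survives re-keying.
    "Demo-A.wild": compile_signature("eb0b5eb1??8036??46e2fa"),
}


def scan(sample: bytes) -> list[str]:
    """Return the names of all signatures found in the sample, in table order."""
    return [name for name, pat in SIGNATURES.items() if pat.search(sample)]


if __name__ == "__main__":
    print("captured variant :", scan(build_sample(0x41)))  # both signatures hit
    print("re-keyed variant :", scan(build_sample(0x7C)))  # only the wildcard one
    print("clean file       :", scan(b"plain document text"))
```

This is also why vendors add behavioural detection (Sophos's "genes" in the text): once the attacker knows which bytes the signature pins, the byte-level arms race is cheap for them and expensive for the vendor.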

Not Cluley v. Ormandy: Round 2

Cluley wanted to point out that Ormandy's latest criticism of Sophos products was not another case of "Ormandy v. Cluley." Last year Ormandy published zero-day vulnerabilities in Microsoft's code that led to attacks. Cluley slammed Ormandy for not giving the security industry or Microsoft enough time to respond to the vulnerability. Cluley says that is not the case this time around.

"This is not some Ormandy v. Cluley feud," Cluley said. "One of the things about this is that Tavis and Sophos have been working really closely together. It has been a friendly and open process."

Cluley responded to Ormandy's findings in a blog post at Naked Security stating that the cryptography algorithm that Ormandy found to be "weak" was being phased out and that the company is working to fix the other vulnerabilities in the next version of its product.

Yes, You Can Trust Your Security Companies

Yet the question remains: can the security companies be trusted? In short, yes. For the most part, security products are an effective way to detect and eliminate malware. Some products are better than others. That does not excuse the industry from, at times, creating hype or fear (as an industry, not Sophos specifically) around particular exploits. It is decent business sense: scare people into buying your product. Cluley says that security companies have been guilty of that in the past and he hopes the industry has become more responsible.

"I think industry has gotten better and more responsible. The thing that fascinates me is that you are stuck between a rock and a hard place," Cluley said. "You want people to wake up and stop clicking on naked pictures of Angelina Jolie. Still, we have to get the message out there."

Source: http://www.readwriteweb.com/archives/researcher_slams_sophos_how_secure_is_your_securit.php (Security, Fri, 05 Aug 2011 09:00:00 -0800, Dan Rowinski)
Sophos Researcher Calls Out Microsoft for Questionable Security Stats [Updated]

Earlier this week Microsoft's development blogs posted an update about SmartScreen Application Reputation, the download-ranking feature in Internet Explorer. The post included statistics about users downloading malicious Web applications and about the pop-up warnings IE shows users about potentially harmful downloads.

Chet Wisniewski of Sophos Security is calling shenanigans on Microsoft's statistics. In a blog post on Sophos' blog, Naked Security, Wisniewski says, "Microsoft is comparing Apples to...nothing." Microsoft's post says that users get two pop-up warnings a year, which Wisniewski says means that IE users make 20 downloads a year. Wisniewski looks at these numbers and thinks something is not quite right in Microsoft land.

"I don't know anyone who only downloads 20 files per year," Wisniewski writes. "These numbers just don't really add up."

Microsoft concludes that one out of every 14 downloads made by IE users is malicious. It concludes that users are falling prey to phishing and targeted malware attacks much more than drive-by exploits (such as happening to visit an infected site).

Update: Microsoft's public relations firm got in touch with us to try and add clarification. Here is what they had to say: "Microsoft blog post actually says "1 out of every 14 programs downloaded is later confirmed as malware." I take this to mean 1 in 14 executable downloads are malicious which would affect the other mathematical statements made in the Sophos blog post."

"SmartScreen itself is unable to prevent exploits from convincing Adobe Reader, iTunes, Real Player, Adobe Flash, Java and other technologies from downloading malicious content, and Microsoft hasn't presented any data on how often exploits are actually being used," Wisniewski writes.

When is a Pop-Up Warning Really Malicious?

Microsoft says that over 90% of user downloads do not trigger a warning, and that of the warnings shown, 30% to 75% are false positives. This raises the question: if three out of every four times you get the pop-up there is truly nothing wrong with the file you are downloading, why bother heeding the warning at all?

Yet, not all download circumstances are identical. For instance, say you download a particular file from Adobe quite often and know that it is safe. Every so often you get a warning from IE telling you it is not. You know that is not true so you click through anyway. Yet, there may be times that you are on a site you do not know and have little reason to trust. Are you still going to click through a pop-up warning to get at something you think you want?

Microsoft says that the malware it finds with its reputation rankings and the subsequent pop-up warnings lead to users not downloading and running the malicious software 99% of the time.

Wisniewski does not trust the average computer user to know the difference.

"I do not believe most computer users are equipped with the knowledge necessary to make good decisions regarding deeply technical problems," he writes. "When they are confronted with a question attempting to stop them from making a mistake it is often viewed as an annoying roadblock."

Microsoft has been running data on malware for the SmartScreen Application Reputation program in its lead up to the release of IE9. It is a community reputation engine where users can submit malicious links to the database to be incorporated into the browsing experience. Reputation ranking is not new to security on the Web. Symantec and other companies run every malware exploit they come across through a reputation database, and community reputation company Web of Trust just teamed with Facebook to protect users.

This post was updated May 25, 2011 at 10:48 EST with information from Microsoft.

Source: http://www.readwriteweb.com/archives/sophos_researcher_calls_out_microsoft_for_question.php (Microsoft, Fri, 20 May 2011 13:01:00 -0800, Dan Rowinski)
Top Online Security Threats for 2009

Twenty years after the release of the Morris Worm, one of the first worms discovered on the Internet, the Web has proven to be the primary place where the bad guys lurk, looking for poorly secured websites on which to plant malicious code. And they find plenty.

According to the 2009 Security Threat Report [PDF] from Sophos, one new infected Web page is discovered every 4.5 seconds. With that in mind, we thought we'd take a look at the top security threats you should be looking out for in 2009.

SQL Injection Attacks

The Sophos research showed that over the past year the number of SQL injection attacks against innocent websites increased, a trend Sophos expects will continue next year.

Web insecurity, notably weakness against automated remote attacks such as SQL injections, will continue to be the primary way of distributing web-borne malware.

A recent report from the Internet Crime Complaint Center also points to an increase in SQL injection attacks in 2008, specifically relating to financial services and the online retail industry. Unfortunately, cyber criminals prey on the needs of Web users at any given time, and this time the economic crisis is their meal ticket.

That report is well worth reading if you are interested in how attackers compromise websites by SQL injection, or if you want ideas on how to reduce the likelihood of intruders gaining access to your private data.
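To make the attack concrete, here is an added example written by the editor (not from the Sophos or IC3 reports): the classic string-built search query beside its parameterised fix, run against an in-memory SQLite database with constructed tables and rows. The payload closes the `LIKE` literal, appends a `UNION` that pulls two columns out of a private table, and comments out the trailing quote.

```python
"""Editor's illustration of a UNION-based SQL injection and its parameterised fix (constructed data)."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed site database: public pages plus a private users table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE pages(id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        CREATE TABLE users(id INTEGER PRIMARY KEY, email TEXT, pw_hash TEXT);
        INSERT INTO pages(title, body) VALUES ('Holiday sale', 'Up to 50% off');
        INSERT INTO users(email, pw_hash) VALUES ('alice@example.com', 'constructed-hash');
    """)
    return conn


def search_vulnerable(conn: sqlite3.Connection, q: str) -> list:
    """User input spliced into the SQL text: a quote in q ends the string
    literal and everything after it is executed as SQL."""
    sql = f"SELECT title, body FROM pages WHERE title LIKE '%{q}%'"
    return conn.execute(sql).fetchall()


def search_safe(conn: sqlite3.Connection, q: str) -> list:
    """Parameterised query: q is bound as a value and never parsed as SQL."""
    return conn.execute(
        "SELECT title, body FROM pages WHERE title LIKE ?", (f"%{q}%",)
    ).fetchall()


# Attacker's "search term" (constructed): ends the literal, UNIONs in the users
# table with a matching column count, and comments out the trailing %'.
EXFIL_PAYLOAD = "zzz%' UNION SELECT email, pw_hash FROM users --"

if __name__ == "__main__":
    print("vulnerable:", search_vulnerable(make_db(), EXFIL_PAYLOAD))  # leaks users
    print("safe      :", search_safe(make_db(), EXFIL_PAYLOAD))        # no rows
    print("safe, normal use:", search_safe(make_db(), "sale"))
```

Two notes. The 2008 mass-injection campaigns the report describes typically used stacked statements (`; UPDATE ... SET body = body || '<script ...>'`) to plant script tags in every text column; SQLite's `execute()` refuses a second statement, which is an accident of this driver, not a defence to rely on. And even the parameterised version still treats `%` and `_` in `q` as `LIKE` wildcards, so if that matters they need escaping with an `ESCAPE` clause.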

Third Party Advertising Agencies and Scareware

In February 2008, Sophos confirmed a "poisoned Web advertising campaign" on the website of ITV, a BBC competitor, that affected both Windows and Mac machines. We have all seen scareware, the pop-ups designed to scare people into buying anti-virus software, but this was the first time it had been seen targeting the Mac.

According to Sophos, a Flash file was injected into traffic served up by ITV.com via third party advertising agencies. Designed to promote a program called Cleanator (Windows) or MacSweeper (Mac), the programs claimed to detect "compromising files" and encouraged users to purchase the full version of the package.

As websites often use third parties to serve their advertising, Graham Cluley, senior technology consultant at Sophos, suggests taking care when selecting agencies. "Website owners should ask the third party agencies they use what procedures they have implemented to positively vet the adverts that they deliver for malicious content or unsavory links."

Social Networking Sites

With social networking on the rise, the bad guys have found yet another playground on the Web. The Sophos report reveals 1800 Facebook users had their profiles defaced in August by an attack that installed a Trojan while displaying an animated graphic of a court jester.

Gated sites appeal to the bad guys because they form a "launching pad" for mass distributing malware attacks and spam, like the recent Koobface Trojan which attacked both MySpace and Facebook and transformed victim machines into zombie computers to form botnets.

Twitter too has become a tool for cyber criminals to distribute malware and marketing messages. In many cases, the bad guys steal members' usernames and passwords and bombard the victims' friends with marketing messages or direct them to third party websites. With Twitter especially, it is difficult to discern where links are going due to the 140 character limit and the use of services that shorten URLs.

On the flip side, however, Chris Boyd of FaceTime Security Labs explained at this year's RSA Conference that social networking sites are incredibly useful for security researchers. "The people that create these things have been on social networking sites since the beginning; they need to be on them a lot to understand them intimately enough to exploit them. But many times they leave a trail online that we can use to track them, to find out things like their names, ages and friends."

Apple Macs Becoming "Soft Targets"

While Mac malware is minuscule compared to Windows malware, Sophos recommends that Mac users follow safe computing best practices and avoid complacency, even though cyber criminals are likely to keep attacking Windows computers in the foreseeable future because of the higher financial incentive.

With so many Windows home users seemingly incapable of properly defending themselves against malware and spyware, it seems sensible to suggest that some of them should consider switching to the Apple Mac platform. This is not because Mac OS X is superior, but simply because there is significantly less malware currently being written for it.

Along with the scareware attack mentioned earlier, there have been other attempts to infect Mac computers in 2008: the OSX/Hovdy-A Trojan, the Troj/RKOSX-A Trojan, and the OSX/Jahlav-A Trojan.

Smartphones: A New Toy for Cyber Criminals

While most malware and spam is produced for financial gain, Sophos believes smartphone malware is more likely to be written by those wanting to make headlines. As neither the iPhone nor the G1 has yet been the target of a significant attack, someone will want to be the first and claim the title.

Apple iPhone

According to Sophos, iPhone users are more vulnerable to phishing attacks than their desktop counterparts for three reasons:

  • They may be more willing to click on links because entering URLs on a touch screen is more difficult
  • The iPhone version of Safari doesn't display URLs embedded in emails before they are clicked on making it more difficult to tell whether a link leads to a phishing site
  • The iPhone browser doesn't display full URLs making it easier for the bad guys to trick users
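
The third point is easy to demonstrate. The following is an added example written by the editor (not from the Sophos report): it contrasts the host a link will actually contact with the leading characters a narrow address bar shows, which is exactly the part an attacker can dress up to look like the brand. The brand and attacker domains are constructed, using the reserved `.example` and `.test` top-level domains.

```python
"""Editor's illustration of lookalike links versus the host actually contacted (constructed domains)."""
from urllib.parse import urlsplit


def effective_host(url: str) -> str:
    """Host that will actually be contacted: userinfo ('brand@'), port and
    letter case are stripped by urlsplit; a trailing dot is removed here."""
    return (urlsplit(url).hostname or "").rstrip(".")


def registrable_domain(host: str) -> str:
    """Owner-level domain. Simplification: the last two labels. A real check
    needs the public suffix list so that 'co.uk'-style suffixes are handled."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def belongs_to(url: str, brand_domain: str) -> bool:
    """True only if the link's registrable domain is the brand's. Lookalike
    prefixes (bank.example.evil.test) and userinfo tricks
    (bank.example@evil.test) both fail this check."""
    return registrable_domain(effective_host(url)) == brand_domain.lower()


def narrow_bar(url: str, width: int = 24) -> str:
    """What a narrow address bar shows: only the first `width` characters."""
    return url if len(url) <= width else url[:width] + "..."


if __name__ == "__main__":
    brand = "bank.example"
    links = [
        "https://www.bank.example/login",                     # genuine
        "https://www.bank.example.session-check.test/login",  # subdomain lookalike
        "https://www.bank.example@session-check.test/login",  # userinfo trick
    ]
    for link in links:
        print(f"{narrow_bar(link):30} -> {effective_host(link):22} "
              f"brand={belongs_to(link, brand)}")
```

All three links display the same 24-character prefix, and only the first of them goes to the brand; a phishing filter or a careful user has to look at the parsed host, not at the text.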

Google Android

Hackers are only just getting a real look at the Android OS so there is not much to report however, one security flaw was revealed only days after the G1 went on sale. The flaw, discovered by Charles Miller, a principal security analyst at Independent Security Evaluators, was in the browser partition of the phone. According to the New York Times, the flaw enabled keystroke logging software to be installed, making it an easy trick to steal identity information and passwords.

Additionally, while many are impressed with Google's open attitude to applications, others are concerned about the ease with which malicious software could be distributed, and caution is advised when downloading third party apps.

Sophos predicts as more people purchase smartphones, creating threats will become increasingly attractive to cyber criminals: Imagine a generic Mac OS X attack made for the iPhone that could also cripple the Mac computer.

Other Interesting Stats from the Sophos Report

  • There were five times as many malicious e-mail attachments at the end of 2008 as at the beginning of the year
  • The United States hosts the most malware on the Web at 37 percent
  • Computers in the United States relay the most spam at 17.5 percent

Cyber criminals will always be ahead of security experts simply because most of what the anti-malware providers discover is generally published for the public; the bad guys aren't as open with what they do. But, being aware of trends, keeping security patches up to date, and installing firewalls will do much to thwart the majority of attacks.

What security threats do you think we should be thinking about in 2009?

Photo Credit: Flickr tsevis

Source: http://www.readwriteweb.com/archives/top_online_security_threats_for_2009.php (Trends, Sat, 27 Dec 2008 12:00:59 -0800, Lidija Davis)