Monthly Archives: January 2009

Twitter for Information Gathering

0
Posted by Tom on January 25, 2009 – 8:00 am
Filed under Social Networks
Tagged as , ,

Twitter!

If you are interested in using Twitter for information gathering/mining about potential targets for a penetration test or for “other” research…I highly recommend the very comprehensive article that Lenny Zeltser from SANS put together. Twitter is really becoming a great tool for not just marketing yourself or your business but also to find out detailed information about a company, individual or organization.

One thing I would add to Lenny’s article is that social media in general is the new “hotness” when it comes to information gathering and reconnaissance. If you are a penetration tester you really need to start leveraging all the information contained in social networks! Better yet, use Maltego which can help search multiple social networks and visually show you this data. You can even hit up the Twitter API with local transforms in the new version of Maltego…yummy!

Twitter photo via Jenny Hayden.

Who’s managing information security in your city?

1
Posted by Tom on January 23, 2009 – 12:07 am
Filed under Network Security
Tagged as , , ,

There was something shocking in my local suburban newspaper today. I opened up to page two and behold…an article that touched on information security! Specifically, the article was about how a small municipal court system in my area had a PC that was infected by an email “virus”. This virus caused a “hard drive to shut down”. Shut down I would assume means the MBR was corrupted or the PC was so bogged down with malware that it had to be rebuilt. Don’t worry, it gets better. The reporter goes on to say that an employee opened an email that had something to do with Nigeria and winning money. Hmmm…Sinowal Trojan perhaps? Regardless, the reporter goes into details from the interview he did with the city “IT manager”. Here are some quotes from the article:

“The court computer system has a small firewall, he said, but the anti-virus on the computer was either non-existent or never upgraded.”

“The IT manager has been trying to bring the city computer systems up to speed. There hasn’t been a system-wide upgrade in years.”

“The employee opened the email because there’s no formal training.”

“One of his goals is to work out a way he can send out software updates, especially anti-virus, to all city computers at night when they aren’t in use.”

I like this one the best…

“The main issue is spending the money for software, licenses and equipment. It’s pretty down-to-earth-basic, he said. “You’ve got to start throwing money around to get it to work.”

Huh? Throw money at the problem…classic. Multiple levels of FAIL right? Oh, if you haven’t figured it out yet…read those quotes again. What would a hacker think about after reading this newspaper article? This court/city computer system is a target rich environment to say the least!

While we could talk all day about how the city could implement a better more cost effective solution to the issues, there are two main problems that I see:

Be careful what you say to the media after an incident
The IT manager gave out way too much information to the media about the problems the city is facing with IT security issues. Just by reading this article someone with bad intentions and a bit of technical skill now knows that the city employs non security aware people and the entire network probably hasn’t been patched in years. This would be even more scary if police and fire computer systems were on the same network! However, the article did point out that police and fire systems are on a separate network. Yet, things don’t look good for the police and fire networks if this same IT manager is running those as well! :-/ Local city government should carefully review all media requests for information about an incident.

Local cities, municipal court systems, fire and police networks are left for dead
This doesn’t surprise me but just like a lot of small businesses, small city governments or suburbs don’t spend the money or have the staff to keep systems patched or up-to-date. Especially in a recession! Your IT guy or contracted support is an easy thing to cut for a city. I would think that most city networks are in worse shape then some home PC networks because of outdated equipment, knowledge and lack of funds. Case in point, I wrote about a potentially dangerous vulnerability that was found on another local city network last year. Luckily this city took the vulnerability seriously, resolved the issue and hopefully improved their security.

Imagine the problems that could happen if police, fire and court systems were breached or compromised. Critical infrastructure like police and fire networks are at serious risk with unsecured systems that are not maintained. As a citizen that lives and works in these cities you should question your local city government about how they maintain and manage their networks. I have an email en route to the mayor of this city that will hopefully help them with some ideas and suggestions to get them back on track. However, I think we may only be scratching the surface of the problem. Lets hope your city takes computer and network security more seriously.

Social Media Security on the Streetwise Security Zone Podcast

0
Posted by Tom on January 12, 2009 – 5:00 pm
Filed under Social Networks
Tagged as , , ,

Late last week I was a guest on the Streetwise Security Zone Podcast talking about my Facebook Privacy & Security guide, social media security as well as some other interesting security topics.

I highly recommend you check out some of the great things that Scott Wright has put together. He has built a security community focused on security awareness for businesses and you may also know Scott as the creator of the Honey Stick Project. Good stuff to check out! I look forward to working with Scott more in the future.

You can check out the Streetwise Security Zone web site and podcast for more information. Definitely another security podcast to add to your play list!

Maltego 2.0.2 Released with Local Transforms!

0
Posted by Tom on January 9, 2009 – 12:19 pm
Filed under Penetration Testing
Tagged as , ,

Just a quick blog post about the latest release of Maltego that was just announced. This is great! You can now create custom transforms that will integrate directly with Maltego! This is something that many of us have requested and it’s finally here. From first glance it looks like you can code them in any language as well. Should be interesting to see what the community comes up with in regards to transforms now. I know I have some ideas….

Oh and if that wasn’t enough the pentest entities are now also available locally!

Great work Maltego team! Check out the full announcement here.

What is Maltego if you don’t know about it?
“Maltego is a unique platform developed to deliver a clear threat picture to the environment that an organization owns and operates. Maltego’s unique advantage is to demonstrate the complexity and severity of single points of failure as well as trust relationships that exist currently within the scope of your infrastructure.

The unique perspective that Maltego offers to both network and resource based entities is the aggregation of information posted all over the internet – whether it’s the current configuration of a router poised on the edge of your network or the current whereabouts of your Vice President on his international visits, Maltego can locate, aggregate and visualize this information.”

Read more about Maltego here.

Summary of the Twitter Security Incidents

1
Posted by Tom on January 8, 2009 – 1:56 am
Filed under Social Networks
Tagged as ,

One of the 33 pwnd Twitter accounts

I won’t beat a dead horse…we all know that Twitter had a few *security issues* this week. The good news is that usually once something like this happens to a company (especially one that gets so much media attention) things start to change and security gets taken a bit more seriously. Lets remember that Twitter suffers from the traditional security problem of not building an application with security in mind, however, lets hope these issues bring change to one of the most used social media services.

Below is the break down of events with some of my own comments and links to good articles that detail out everything that happened.

#1 Twitter Phishing Attack
I wrote a blog post about this a few days ago. Basically, this is no different then what you see in any other traditional phishing attack except that this is the first time Twitter was targeted on a large scale. Some have even said this was a “worm” because of the way that the phish propagated.

Once a user clicked on the bogus link, entered in their Twitter credentials…their Twitter account was compromised and automatically used to send DM’s (direct messages) to others the compromised user was following. Twitter quickly reacted and worked with blogspot and others to shut down the redirect. However, the web site that hosts the fake Twitter sign-on page is still active and is even being used to phish Facebook users! Why is this not shutdown? Long story but the site is hosted in China and that presents a whole host of issues to get the site taken down. The good news is that if you try to go to the URL in Firefox or Safari the phishing filter kicks in and stops you from going there. I haven’t tested IE 7…and neither should you. :-)

On a side note, I agree that OAuth (or something like FriendFeed’s Remote Key) should be implemented as part of an overall security strategy for Twitter but would not prevent traditional phishing attempts like this from happening (some others share this opinion as well). OAuth is good for authenticating third-party applications (like Twillow or Twitterfeed) that require your Twitter credentials to access your account and do things on your behalf. Lot’s of discussion going on the blogs about this and I’m sure it will continue.

Links that have good information about the Twitter phish: Twitter’s Blog, Naivete: Web 2.0’s biggest security threat and an article over at Twitter Truth

#2 Twitter gets Hacked
This was not related to the phishing incident. Pure weird coincidence that this happened right after users started to figure out what happened with the phishing issue. Ironically, many of us on Twitter (including myself) thought that this was related to phishing after we saw @foxnews get owned but once Britney Spears, Obama and others started showing up with strange tweets many of us knew there was something else going on.

Basically, an 18 year old who wanted to “pen-test Twitter” decided to build a Twitter brute force application that would try common dictionary words against at specific Twitter account. One problem with the current Twitter security model is that there is no lockout policy, meaning, you can try as many failed passwords as you like until you get lucky with the correct password. This guy found one of the accounts used by the Twitter support people (Crystal) and brute forced the password using his tool. Password of “happiness” was found and he was in! There was a password reset feature in the administrative panel that allowed him to reset the password and change the email address of any Twitter account. He didn’t use the accounts himself, rather…he posted that he had access to 33 accounts and gave access to others in a hacker forum that requested the accounts. You can read more about this in the Wired article below as well as see the YouTube video that the hacker put up to prove he did the hack.

Weak Password Brings ‘Happiness’ to Twitter Hacker

How does Twitter get fixed?
Security is always about compromise and with Twitter in particular there has to be a balance between usability and secure features. I was a guest on the SecuraByte podcast the other night talking about the recent Twitter security issues as well as how to secure social media in general. We came to the conclusion that there is no good answer. However, we all agreed that there has to be a mix between technical and non-technical solutions. The technical being better forms of authentication and basic web application security controls (account lockout, email verification..as examples) for starters. On the non-technical side there has to be more basic security education (setting unique hard to guess passwords as an example) focused on the users of social media through lots of different means. There is no good answer to these problems and there are many different opinions but hopefully we can all come to some common ground so we can all make social media more secure for everyone.

Here are a few good links with things that Twitter should consider when re-evaluating the current model:

Ten Security Measures for Social Networking sites – ThreatChaos
Twitter and the Password Anti-Pattern – FactoryCity
The inevitable rise (and fall?) of “twishing” – Jennifer Leggio ZDnet (guest post by Damon Cortesi)

I think we can all agree that Twitter needs to do something soon as the current security model is not sustainable for very much longer.

What are your thoughts on the recent Twitter security issues and social media security in general? How do you think we can we make social media more secure?

First Twitter Phishing Attack of 2009

0
Posted by Tom on January 3, 2009 – 10:02 pm
Filed under Social Networks
Tagged as , ,

Welcome to 2009! As many have said…it was just a matter of time before Twitter had a somewhat significant attack…well, here it is! I just had a post up last week about how many of us that use social media just blatantly trust every site that asks us for Twitter credentials. Well if you don’t look at the URL carefully even the security aware could be fooled by this one. Tonight there was a lot of tweets about the following phishing attack….

You will get a DM (direct message) in your email from a user with the following message:

hey! check out this funny blog about you…
hxxp://jannawalitax.blogspot.com

If you click on blogspot link this is basically a redirect to the following fake Twitter site:

Twitter Phishing Site

Looks just like an identical copy of the real Twitter site except for the URL! (don’t go to this URL…)

About an hour after this started going around Twitter it looked like Firefox 3 picked up that this was a reported phishing site and you now get the following message:

Web Forgery Reported

Looks like Twitter and others moved quickly to get the redirect shut down. If ignore the Firefox warning to the blogspot page you get this:

Removed

However, the phishing site is still active and will probably be for awhile. Do not enter in any login credentials at any site other then twitter.com. The fake site in this case is twitter.access-logins.com/login. Note that if you take off the “login” at the end of the URL you are sent to a fake Facebook login page! Looks like these guys have been doing this for quite some time.

One interesting note about this attack…how does someone send you a DM without you following them? There was an interesting hack that is documented here that used to work, however…Twitter fixed this a few months ago. My only guess is that multiple hacked accounts were used to send legitimate DM’s. I’m not 100% sure how DM’s are being propagated in this case but it should be interesting to find out how the attack started in the coming days.

Kudos to the Twitter team and all the Twitter users that retweeted and got to word out. This alone hopefully mitigated much of the threat. I even saw in the Twitter web client that @twitter posted a warning message on the page about the threat. Great work Twitter team!

What if you gave your credentials away to this site?
Change your password immediately! Also, do you use this same password for Facebook, Myspace, email and other sites? Change those as well! Give a password manager like 1password or KeePass (KeePass is free BTW) a try to set unique passwords for every site/application you use. That way if your Twitter account did get compromised, your other accounts are safe. See this post for more information.