Monthly Archives: July 2009

Launching: SocialMediaSecurity.com

0
Posted by Tom on July 29, 2009 – 4:45 pm
Filed under Social Networks
Tagged as , , , ,

skullI wanted to get this post up before I leave for DefCon since it will be hard to have time to blog in Vegas.  In a nutshell, I started a new web site called socialmediasecurity.com.  This was originally a project that I started to move my social media research over to a separate web site but has since evolved into something much larger.  What I have done is consolidated (with permission) research from other security researchers such as Aviv Raff, Joseph Bonneau, Kevin Johnson, Nathan Hamiel, Scott Wright, theharmonyguy and more.  Each article links back to the original author.  The purpose of this was to have an easy way to search on a specific topic or social network (for example: Twitter) and get the security information you are looking for.  You can subscribe to post updates via RSS, Email or through Twitter.

In addition, at the top of the page are links to downloadable guides, presentations, video’s and more.  All of this content is related to user education and awareness on social media security issues.  This is obviously a work in progress and I plan to have more content added to this very soon.  One thing I am working on that I wanted to get out before my talk at DefCon was a detailed walk-through video of the Facebook Privacy Settings (basically a walk-through of my guide).  I haven’t finished the video yet and I might have to redo it since Facebook will be releasing a new interface for privacy settings in the near future.  The plan is to do one for each of the major social networking sites as well as a downloadable guide like the Facebook one.

So…you can also concider this a call for volunteers! :)   If you would like to contribute anything (guides, videos, research, tools, blog on the site) or have feedback let me know by sending me an email (tom[aT]spylogic.net).  There are a few other researchers and volunteers working on some really cool stuff for the web site.  Far too many ignore the security and privacy issues of social media.  We welcome your participation to help make a difference!

Another Twitter Scam: Twitviewer

0
Posted by Tom on July 28, 2009 – 4:16 pm
Filed under Social Networks
Tagged as , , ,

twitviewerOne of the trending topics today on Twitter was “Twitviewer” becuase of a site called Twitviewer[d0t]net which asks visitors to enter in your Twitter user id and password to find out who is “stalking” you.  When you do, you get a sample of people on Twitter that are not even following you as stated in this Mashable post.  The app also sends out a tweet using your credentials stating: “Want to know whos stalking you on twitter!?: hxxp://TwitViewer[d0t]net”.  If you did fall victim to this you better change your password ASAP!  Check out the screenshot of the site before it was taken down…yeah, phishy indeed.

Who knows what the developers of this application were planning (malicious or others).  Regardless, you should never give a third party site (especially ones that look phishy like this one) your Twitter credentials.  In fact, I recommend you only use third party Twitter sites that use OAuth for authenticating you to Twitter.  That way you don’t have to give your credentials to the web site and worry about them being compromised.  Also, look to see what the purpose of the site is before you give the jewels away…if it’s a way to see who’s following you, enter credentials to get millions of followers, etc…then it’s probably a scam or just completely useless.

Think about this.  If the developer of a site like this wanted to they could easily use your captured Twitter credentials and start trying them on other social networks and/or web mail services.  They can then use these credentials for anything else they wanted.  Unfortunatly, most users of these sites use the same password for everything.  Again, this is a reminder to use a password manager if you are one of those that use the same user id/password for everything.  See this article for more information on password managers and social media web sites.

Social Zombies Invade Las Vegas!

0
Posted by Tom on July 21, 2009 – 10:00 am
Filed under Hacking, Social Networks
Tagged as , , , , , , , , ,

zombieYes, you are reading the title of this post correctly!  Massive Zombie attacks at DefCon this year…bring your shotgun (we are kidding of course, please do not bring firearms to DefCon…you will make the goons very unhappy)!  Seriously though, Kevin Johnson and I will be presenting “Social Zombies: Your Friends Want to Eat Your Brains” at DefCon 17 in Las Vegas on Sunday, August 2nd at 4pm.

My part of the talk is focused on security and privacy concerns with social networks, fake accounts, using social networks for penetration testing and the proliferation of bots on social networks.  I will also be talking about a new version of Robin Wood’s fantastic “Twitterbot” (we actually have a new name for the tool which will be announced at DefCon).  I’ll be providing a live demo showing the new and improved features of his tool!  Big shoutout to Robin for all the work he did on this tool!

The other speaker is Kevin Johnson who you may know as the project lead for BASE and SamuraiWTF (Web Testing Framework).  Kevin is also a SANS instructor for Security 542 (Web App Penetration Testing and Ethical Hacking).  When he isnt managing projects and teaching he’s most likely abusing “playing with” social networks.  Kevin will be talking about SocialButterfly which is an application that can leverage and exploit various social network API’s.  He will also talk about manipulating social networks (and thier users) with third-party applications.  Remember: please accept any and all “friend requests” from Kevin Johnson! :-)

From our talk abstract:

In Social Zombies: Your Friends want to eat Your Brains, Tom Eston and Kevin Johnson explore the various concerns related to malware delivery through social network sites. Ignoring the FUD and confusion being sowed today, this presentation will examine the risks and then present tools that can be used to exploit these issues.

This presentation begins by discussing how social networks work and the various privacy and security concerns that are caused by the trust mass that is social networks. We use this privacy confusion to exploit members and their companies during our penetration tests.

The presentation then discusses typical botnets and bot programs. Both the delivery of this malware through social networks and the use of these social networks as command and control channels will be examined.

Tom and Kevin next explore the use of browser-based bots and their delivery through custom social network applications and content. This research expands upon previous work by researchers such as Wade Alcorn and GNUCitizen and takes it into new C&C directions.

Finally, the information available through the social network APIs is explored using the bot delivery applications. This allows for complete coverage of the targets and their information.

How did this talk come together?  Kevin and I had some past converations regarding social network bots (mostly from my Notacon 6 talk) and decided that much of our research was similar so it made sense to “combine forces” to work on some of this research together.  Also, by working on bots and socnet bot delivery mechinisms we hope to raise awareness about some of the security and privacy threats that are out there, not just for the users of social networks.  Oh, and we both like Zombies.  See you at DefCon!

Spylogic.net Reloaded

0
Posted by Tom on July 14, 2009 – 11:27 pm
Filed under Spylogic News
Tagged as , , , ,

You may have noticed something strange about my blog.  Clean, smooth, fast, different…these are all things that describe the look and feel of the new blog (hopefully).  What happened?  Well for starters I was fed up with the basic features of Nucleus CMS.  While Nucleus was a very stable and reliable (read: low on the blog hacking list), it’s about ten years behind in blogging technology.  No built in post tagging, no WYSIWYG editor, link lists that had to be edited in php, etc…I picked Wordpress to upgrade to because it’s really the most user friendly and has some really great features and plugins.  Yeah, it’s a target for vulnerabilities but I’m willing to live with that as long as I have a blog that’s easy to maintain and can help me save time when posting/editing things.

The adventure of blog migration to Wordpress
I started the transition from Nucleus CMS to Wordpress early last week…of course thinking this would be an easy migration.  Ummm, no.  It was pretty painful actually.  You see, Wordpress doesn’t have a official migration path from Nucleus CMS.  So I had to rely on the advice of others in the Wordpress community that had done the same upgrade in the past.  Of course there were a bunch of different ways to do this so I basically took a few of the migration scripts that a few others have written, hacked them up even more and tested.  Testing took about a week…it really sucked.  I had to install version 2.1 of Wordpress to use a certain migration script that I didn’t feel like recoding to get to work with 2.8.1.  Of course my categories and images were FUBAR so there was another script I had to write to fix that.  BUT, the biggest issue was how Nucleus handles URL’s for blog posts.  The problem was that I had lots of links out there in Google and other places pointing to blog posts.  In Nucleus my post links were like this:

http://spylogic.net/item/438

Wordpress links are something like this:

http://spylogic.net/2009/07/password-length-and-complexity-for-social-media-sites/

So your probably thinking that I can just make my links in Wordpress match the Nucleus links?  Nope.  Wordpress renumbered all my posts out of order and writing another script to re-number 400+ posts wasn’t in my plan.  So…mod_rewrite and php scripting to the rescue!  I must say, I haven’t had a situation yet where I had to manipulate URL’s on a website yet but now that I did…mod_rewrite is awesome and it was a great learning experience.  I won’t go into gory detail but in a nutshell I used a SQL query to map my old numbered posts from the nucleus posts table to the Wordpress style URL naming…by date so they match up.  I then took that query output and put it into a php script.  The php script is referenced in my .htaccess file that contains the RewriteRules.  So…when someone clicks on the old style Nucleus links the script maps it to the new links.  Cool.  If you want to see all of the code I followed the guide that another blogger posted about his migration but made my own modifications and did a few things different then his code did…but you should get the general idea.

What changes?
So besides the blogging platform other things I decided to do was a new logo/header that @JaneDeLay created for me (she rocks!) and I decided to include more of my other publications, articles and such in separate pages.  I also put a speaking page where you can find out where I’m speaking at and also a list of past talks (something a few of you have wanted to know).  RSS feeds are still through FeedBurner so you don’t have to update your feeds.  Lastly, I decided to move the majority of my social media security research to another site altogether.  This site is focused on social media security and will have guides, videos, presentations and research from not only myself but others.  I’m planning on launching the site at DEFCON 17 at my talk or right before it.  It’s been difficult blogging about anything lately because of my crazy work/home/life schedule so hopefully the new site will bring some focus back into blogging and about other things besides social media. :) I’ll probably mention some of the content from the new site on this blog if it seems relevant.

Anyway, let me know if you have any feedback on the new site (there might be a few bugs still) and thanks for reading my blog!

Password Length and Complexity for Social Media Sites

1
Posted by Tom on July 2, 2009 – 10:33 pm
Filed under Social Networks
Tagged as , , , , , , ,

July 1st was “Twittersec” day as coined by @hevnsnt over at I-Hacked.com to designate July 1st as change your Twitter password day. Why? Mostly because July is the “month of Twitter bugs” created by a security researcher in which he will announce a bug in a “3rd party Twitter application” everyday for the month of July to raise awareness on security issues with the Twitter API. Technically, this should be “month of 3rd party” Twitter bugs but whatever. Either way it will raise awareness about some of the security issues of Twitter and 3rd party applications.

ANYWAY, back to my point….I sent out some tweets about changing your Twitter password and now being a good time to use a password manager like Keepass to manage multiple, complex passwords for everything…not just social media sites. One problem though is that each site might have different password length and complexity requirements. This becomes an annoying issue when you choose a randomly generated password like I suggest when using a password manager. You will encounter many sites that have specific requirements and others that do not. Obviously, the longer and more complex the password is the harder it is to crack so I suggest going as long as you can. Sad that there are these limitations on certain sites (blame the site developers) but if you set your random password generator to a very large number (I recommend at least 20 with a mix of everything you can throw at it including white spaces if the site will let you), it’s as good as your going to get.

Keep in mind, some applications even supported by the site (like the Facebook app for BlackBerry and iPhone) might not like passwords over a certain length or even certain special characters…you will know once you use these apps. Also, I mention Keepass as a password manager because you can use it on a BlackBerry or Windows Mobile device as well…an iPhone version is being worked on. So here you go…max password lengths for the major social media sites:

Twitter
None. I tried a 500 character password with everything but white spaces and it worked.

Facebook
None. I tried a 1000 character password with everything but white spaces and it worked.

MySpace
10 characters! Wow…really bad. Now I know another reason MySpace sucks.

LinkedIn
16 characters! This is interesting. LinkedIn truncates the password to 16 characters! Even if you put in a password larger then 16 characters it will only use the first 16, you can actually see this when entering in a password. No user notification, no info about this in the ‘help’ section. Sneaky and evil.

YouTube
None. Your account is tied to your Google account so is kind of a pain to change…but I didn’t find any issues with length or complexity.

On another note…I wonder if Twitter and Facebook truncate the passwords at a certain length and don’t tell you? Not sure…but it would be interesting to find out. This is another bad design as a they could easily just hash the entire password (which is a certain manageable length) and the hash is stored in the database not the large character password. Does this mean that sites like MySpace and LinkedIn are storing passwords in clear text? Also, I have run into other sites (non-social network) that actually truncate the password because when you try to login with an overly complex password…you get denied! Then you enter the cycle of doom…resetting your password thinking you fat fingered that password to begin with over and over. :-/

Are social media password limitations working against you?
Finally, just a quick point on this. Social media sites like MySpace and LinkedIn should NEVER have any limitations on password length or complexity. Certain complexity restrictions (like white space or strange characters) I could understand since you would have to use these passwords on mobile devices and other integrated apps. However, there are no technical limitations of just hashing the passwords to a constant length…and we all know storing passwords in a database in clear text is never a good thing.

Shouldn’t these social media sites that you already give your personal information to be trying to protect you the user as best as they can by letting you set a long and complex password? Let’s hope MySpace and LinkedIn get better at this real soon!