Tag Archives: blog

Enterprise Open Source Intelligence Gathering – Part 3 Monitoring and Social Media Policies

0
Filed under Penetration Testing, Social Networks
Tagged as , , , , , , , , , , , , , ,

monitoringThis is the final article in my series on Enterprise Open Source Intelligence Gathering.  This information relates to the main topics from my presentation that I am giving this week at the 7th Annual Ohio Information Security Summit.  For more background information, see part one.  If you missed part two (blogs, message boards and metadata) you can check that out here.  This last article will be about putting together a simple monitoring program/toolkit and creating a social media policy for your company.

OSINT and Monitoring
After reading this series you are probably asking yourself…what do I do will all of these feeds and information that I have gathered?  Much of the information you have found about your company may be pretty overwhelming and you might find there is a ton of noise to filter through to get to the “good stuff”.  The next sections of this article will hopefully help you organize these feeds so you can begin a basic monitoring program.

What do you want to monitor?
This first thing you want to ask yourself…what do you want to monitor and what is most important?  You probably have noticed that it would be difficult to monitor the entire Internet so focus on what is relevant to your company or business.  Also, you want to pay particular attention to the areas of social media that your business has a presence on.  For example, if your business has a Facebook page, LinkedIn group and Twitter account you should be paying special attention to these first.  Why?  These are the sites that you have most likely allowed certain employees to use this form of media for business purposes.  Lastly, keep in mind that choosing what to monitor should be a group collaborative effort.  Get your marketing and public relations people involved in the decision making process.  As a bonus, it helps with making security everyone’s business.

Free tools to aggregate this information
Lets discuss briefly some tools to aggregate and monitor all the information sources you have decided as important.  There are two tools that I will talk about.  Yahoo! Pipes and RSS readers (specifically Google Reader).

1. Yahoo! Pipes
First, what is Yahoo! Pipes?  The best description is probably found on the Yahoo! Pipes main page:

“Pipes is a powerful composition tool to aggregate, manipulate, and mashup content from around the web.  Like Unix pipes, simple commands can be combined together to create output that meets your needs:

– combine many feeds into one, then sort, filter and translate it.
– geocode your favorite feeds and browse the items on an interactive map.
– grab the output of any Pipes as RSS, JSON, KML, and other formats.

The great thing about pipes is that there are already many different mashups that have already been created!  If you find one that doesn’t do what you like it to…you can simply copy a pipe, modify it and use it as your own.  Creating a pipe is really easy as well.  Yahoo! provides good documentation on their site even with video tutorials if you are lost.  Everything is done in a neat visual “drop-n-drag” GUI environment.  For example, you could take some of the sites that you find a bit more difficult to monitor, configure them in a pipe and send the output to RSS.  Once you have an RSS feed you can plug this into a RSS reader (like Google Reader) for monitoring.  Here are a few of my favorite pipes (pre-built) that can be used for monitoring:

Social Media Firehose
Social Media Monitoring Tool
Aggregate Social Media Feeds by User & Tag
Twitter Sniffer for Brands
Facebook Group RSS Feed, improved version here

2. Google Reader or your favorite RSS reader
The second part of your monitoring toolkit is to put your Yahoo! Pipe RSS feeds and the other feeds you determined as important and put them into the RSS reader of your choice.  I personally like Google Reader because it’s easy to use and manage.  However, you may prefer a desktop client or some other type of reader…all up to you.

What’s easy and works best?
First, assign someone to look at the information you are monitoring.  This should be someone in your information security department and someone with social media skill sets.  Next, create RSS Feeds from identified sites and utilize Yahoo! Pipes to customize and filter out content if you need to.  Finally, plug these feeds into your RSS reader and set up procedures for monitoring.  When will you check these feeds? What happens if the monitoring person is out?  Is there a backup for this person?  These are just a few of the things you need to think about when putting together these procedures.  There may be many more (or less) depending on your business.  Lastly, for sites you can’t monitor automatically determine manual methods and be sure to build procedures around them.

What is the company social media strategy? Do you even have one?
The first thing you need to do before you create policies or standards around what employees can or can’t do on social media/networking sites (related to your business), is to define a social media strategy.  Without a strategy defined it would be nearly impossible to determine a monitoring program without knowing what areas of social media your business is going to participate in.  This is a very important step and is something that your marketing/public relations/HR departments need to determine before security gets involved.

Internet postings or the “social media” policy
What if you have policies for Internet usage already in your company?  If you do, have you checked to see if they include specific things like social networks?  How about commenting on company news or issues on public social networks?  This is an area where many of the “standard” Infosec or HR policies don’t cover or don’t mention procedures about how employees use this new world of social media.  The other important part is that you need to partner with marketing/public relations/HR to collaborate on this policy.  The design and creation needs to have input from all of these areas of the business, especially these groups because they are going to be the main drivers for the use of social media.  Lastly, what is acceptable for employees to post?  Keep in mind that employees have Internet access *everywhere* nowadays.  iPhones, smartphones, Google phones…employees have these and guess what?  They are most likely using them at work.  How do you know that they are not commenting about company confidential business?  With this new generation of devices…the line between personal and company business will continue to blur. Oh, and this is just one simple example!

Examples of good policies to reference
So where do you go from here?  Create the policy!  The last part of this article has examples of good policies that you can reference when creating your own policies.  There is lots of good information in the following links and you can customize these for your own environment and business situation:

Cisco Internet Postings Policy
Intel Social Media Policy
4 Tips for Writing a Good Social Media Policy
10 Steps to Creating a Social Media Policy for your Company

Remember, monitoring the use of social media and creating policies around them is new and potentially uncharted territory for many organizations.  Hopefully with this series (and the related presentation) will help guide you and your organization to make the right decisions on finding information about your company, creating a monitoring program and working with your business partners to create the right policies for your business.

UPDATE: You can download my slide deck now on SlideShare.

Share and Enjoy

  • Facebook
  • Twitter
  • Delicious
  • Digg
  • StumbleUpon
  • Add to favorites
  • Email
  • RSS

Enterprise Open Source Intelligence Gathering – Part 2 Blogs, Message Boards and Metadata

3
Filed under Penetration Testing, Social Networks
Tagged as , , , , , , , , , , , ,

message_boardThis post is part two of my three part series on Enterprise Open Source Intelligence Gathering.  This information relates to the presentation that I am giving this week at the 7th Annual Ohio Information Security Summit.  For more background information, see part 1.  Part three will be about putting together a simple monitoring program/toolkit and creating a Internet postings (social media) policy for your company.

Part one of the series discussed ways to gather OSINT on social networks and some of the challenges this creates.  Besides gathering OSINT on social networks there are many more sources of information that company information may be posted on.  These include blogs, message boards and document repositories.  One of the byproducts of finding documents is metadata, which I will explain in more detail below.

OSINT and Blogs
Blogs can be searched via any traditional search engine, however, the challenge with blogs are not necessarily the posts themselves but the comments.  When it comes to blog posts the comments are usually where the action is, especially when it comes to your current and former employees (even customers) commenting on highly sensitive pubic relations issues that a company might be conducting damage control over.  The other point to make about commenting is that employees might be posting things that be violating one of your policies and cause brand reputation problems.  Examples of this are all the countless leaks of profits, downsizing, confidential information and more that the news media reports on.  Wouldn’t be great to be monitoring blogs and their comments to find these things out before they go viral?

Listed below are some of the blog and comment search sites that I recommend you add to your monitoring arsenal which I will talk about creating in part three:

Social Mention http://socialmention.com (has *great* comment search and RSS for monitoring)
Google Blog Search http://blogsearch.google.com (great for creating RSS feeds and very customizable)
Blogpulse http://www.blogpulse.com/ (has comment search)
Technorati http://technorati.com/
IceRocket http://www.icerocket.com/
BackType http://www.backtype.com/ (has comment search)
coComment http://www.cocomment.com/ (has comment search)

OSINT and Message Boards
Message boards have always been a great source of OSINT.  Message boards date back before blogs were popular and are still widely used today.  Because there are so many message boards out there that could contain good OSINT you really need to use message board search engines unless you know about specific message boards that you know your employees use (or could).  Good examples of these are job related message boards like vault.com or Yahoo/Google Finance discussion forums or groups centered around stock trading.

Here is my list of message board search engines and a few that might be more specific for a company:

Google Groups http://groups.google.com/ (always a good choice for creating RSS feeds and very customizable)
Yahoo! Groups http://groups.yahoo.com/
Big Boards http://www.big-boards.com/ (huge list!)
BoardReader http://boardreader.com/ (very good search and RSS feeds of results)
Board Tracker http://boardtracker.com/ (very good search and RSS feeds of results)

More specific:
Craigslist Forums http://www.craigslist.org/about/sites (RSS available)
Vault www.vault.com (job/employee discussions)
Google Finance http://www.google.com/finance (search for company stock symbol and check out the discussions)
XSSed http://www.xssed.com/ (XSS security vulnerabilities)
Full Disclosure Mailing List http://seclists.org/fulldisclosure/ (Security vulnerability disclosure)

Document Repositories
Something that I have seen more of recently are sites called document repositories.  These sites either aggregate documents found from various sources on the Internet or people can upload their own documents and presentations for public sharing purposes.  These sites are probably my favorite since you will find all sorts of interesting information!  Here is my list of favorites:

Docstoc http://www.docstoc.com/
*Really good document search engine.  I wish there was better RSS for it but they have an API in which Yahoo! Pipes could probably be used.

Scribd http://www.scribd.com/ (RSS feed of results)
SlideShare http://www.slideshare.net/ (RSS feed of results)
PDF Search Engine http://www.pdf-search-engine.com/
Toodoc http://www.toodoc.com/

Great! You found documents.  Now what?
Once you find interesting documents be sure to check out the document metadata.  What is metadata? Metadata is simply “data about data”.  Metadata in documents is traditionally used for indexing files as well as finding out information about the document creator and what software was used to create the document.  It goes without saying that document metadata is a treasure trove of information that could be used against your company.  For example, vulnerable versions of software that can be used for client side attacks, OS versions, path disclosure, user id’s and more can all be viewed through document metadata.

There are lots of good tools to pull out metadata from documents and pictures. With some of these tools it’s even possible to write a script to automatically strip metadata from documents and pictures (start with the script Larry Pesce wrote in his SANS paper below).  However, the best method for removing metadata in my opinion is to make sure it’s removed (or limited) in the first place!  If you are creating a new document make sure you are removing it or not allowing the application to save some of the more revealing things like user id’s and OS/version numbers.  If you want more detail on metadata and how to use some of the tools that are available check out the great paper over at the SANS InfoSec Reading Room titled “Document Metadata, the Silent Killer created by Larry Pesce.  Here is a short list of tools I use (or have used) to analyze metadata:

EXIFtool http://www.sno.phy.queensu.ca/~phil/exiftool/ (my personal favorite! The swiss army knife of metadata tools)
Metagoofil http://www.edge-security.com/metagoofil.php
Maltego (built-in metadata transform) http://www.paterva.com/web4/index.php/maltego (another favorite!)
Meta-Extractor http://meta-extractor.sourceforge.net/
FOCA http://www.informatica64.com/foca/

What’s the deal with brand reputation?
One last point I want to make is about brand reputation.  You may ask yourself, how does brand reputation relate to information security? Why should we care?  I have found it interesting that many of us in information security have been asked to do more research on brand reputation issues because no one else in the company had those types of skill sets to monitor information.  Brand reputation is vital to an organization, even more so in this economy.  Think of the CIA triad…Confidentiality, Integrity and Availability.  All three have aspects that reflect brand reputation.  All of us in information security need to be thinking of brand reputation in our daily job.

Next up in part three
In part three I will talk about setting up a simple monitoring program with the sites and tools I have mentioned thus far.  This will include how to start using Yahoo! Pipes to aggregate many of the feeds I talked about.  I will also conclude with information on how to create a Internet Postings Policy or now better known as a Social Media Policy for your company and why this is more important then ever.

Share and Enjoy

  • Facebook
  • Twitter
  • Delicious
  • Digg
  • StumbleUpon
  • Add to favorites
  • Email
  • RSS

Spylogic.net Reloaded

0
Filed under Spylogic News
Tagged as , , , ,

You may have noticed something strange about my blog.  Clean, smooth, fast, different…these are all things that describe the look and feel of the new blog (hopefully).  What happened?  Well for starters I was fed up with the basic features of Nucleus CMS.  While Nucleus was a very stable and reliable (read: low on the blog hacking list), it’s about ten years behind in blogging technology.  No built in post tagging, no WYSIWYG editor, link lists that had to be edited in php, etc…I picked WordPress to upgrade to because it’s really the most user friendly and has some really great features and plugins.  Yeah, it’s a target for vulnerabilities but I’m willing to live with that as long as I have a blog that’s easy to maintain and can help me save time when posting/editing things.

The adventure of blog migration to WordPress
I started the transition from Nucleus CMS to WordPress early last week…of course thinking this would be an easy migration.  Ummm, no.  It was pretty painful actually.  You see, WordPress doesn’t have a official migration path from Nucleus CMS.  So I had to rely on the advice of others in the WordPress community that had done the same upgrade in the past.  Of course there were a bunch of different ways to do this so I basically took a few of the migration scripts that a few others have written, hacked them up even more and tested.  Testing took about a week…it really sucked.  I had to install version 2.1 of WordPress to use a certain migration script that I didn’t feel like recoding to get to work with 2.8.1.  Of course my categories and images were FUBAR so there was another script I had to write to fix that.  BUT, the biggest issue was how Nucleus handles URL’s for blog posts.  The problem was that I had lots of links out there in Google and other places pointing to blog posts.  In Nucleus my post links were like this:

http://spylogic.net/item/438

WordPress links are something like this:

http://spylogic.net/2009/07/password-length-and-complexity-for-social-media-sites/

So your probably thinking that I can just make my links in WordPress match the Nucleus links?  Nope.  WordPress renumbered all my posts out of order and writing another script to re-number 400+ posts wasn’t in my plan.  So…mod_rewrite and php scripting to the rescue!  I must say, I haven’t had a situation yet where I had to manipulate URL’s on a website yet but now that I did…mod_rewrite is awesome and it was a great learning experience.  I won’t go into gory detail but in a nutshell I used a SQL query to map my old numbered posts from the nucleus posts table to the WordPress style URL naming…by date so they match up.  I then took that query output and put it into a php script.  The php script is referenced in my .htaccess file that contains the RewriteRules.  So…when someone clicks on the old style Nucleus links the script maps it to the new links.  Cool.  If you want to see all of the code I followed the guide that another blogger posted about his migration but made my own modifications and did a few things different then his code did…but you should get the general idea.

What changes?
So besides the blogging platform other things I decided to do was a new logo/header that @JaneDeLay created for me (she rocks!) and I decided to include more of my other publications, articles and such in separate pages.  I also put a speaking page where you can find out where I’m speaking at and also a list of past talks (something a few of you have wanted to know).  RSS feeds are still through FeedBurner so you don’t have to update your feeds.  Lastly, I decided to move the majority of my social media security research to another site altogether.  This site is focused on social media security and will have guides, videos, presentations and research from not only myself but others.  I’m planning on launching the site at DEFCON 17 at my talk or right before it.  It’s been difficult blogging about anything lately because of my crazy work/home/life schedule so hopefully the new site will bring some focus back into blogging and about other things besides social media. :) I’ll probably mention some of the content from the new site on this blog if it seems relevant.

Anyway, let me know if you have any feedback on the new site (there might be a few bugs still) and thanks for reading my blog!

Share and Enjoy

  • Facebook
  • Twitter
  • Delicious
  • Digg
  • StumbleUpon
  • Add to favorites
  • Email
  • RSS

The Security Bloggers Network has Moved!

0
Filed under General Security
Tagged as ,

You may have noticed that I removed the SBN (Security Bloggers Network) badge from my blog and that the SBN Feedburner site has not been updated in several weeks. Well, Alan Shimel has officially moved SBN over to Lijit. Lijit is kind of like FriendFeed but is really more about searching, linking searches, and putting your socnets together. It should be interesting to see how Lijit will improve distribution of the SBN site content. You can check out the new SBN here. If you haven’t checked out the large list of blogs that belong to the SBN…you really should! Lot’s of great security bloggers are on the list.

Subscribe to the SBN from here via RSS or OPML.

Share and Enjoy

  • Facebook
  • Twitter
  • Delicious
  • Digg
  • StumbleUpon
  • Add to favorites
  • Email
  • RSS