Tag Archives: bots

New Facebook Privacy Settings: For Better or For Worse?

8
Filed under Privacy on the Internetz, Social Networks
Tagged as , , , , , , , , ,

Everyone has probably already heard that Facebook rolled out new privacy settings today.  If you haven’t seen them or gotten the following pop-up box on login…you will soon:

message1

There are a great deal of articles already out about how this is such a great improvement and how these new settings give you more control over your privacy.  However, I would argue that these settings may possibly open up more issues then they are trying to prevent.  The best article on the new settings and the privacy implications is the one that the Electronic Frontier Foundation (EFF) released today titled: Facebook’s New Privacy Changes: The Good, The Bad, and The Ugly.  I recommend everyone (no pun intended) read this article as it provides much more detail then I will provide in this post.

What I want to do is provide you with a summary of the good and the bad of the new privacy settings.  I also want to give a security professional’s point of view on these settings.  As a penetration tester I can tell you that my job just got way easier!  You may have read my series on Enterprise Open Source Intelligence Gathering in which I tell you how you can find information on social networks about your company and employees.  Well, searching for information on Facebook just got easier thanks to status updates being available using new technology like Google Real-time Search!  Ok, on to the better and the worse!

The Better?

  • The new way privacy settings are “managed” is a good thing.  It’s easier to find and navigate through the settings.
  • I like that they ask you for your password to change privacy settings.  It’s just another layer.  Now, this doesn’t help much if you have a keylogger installed but it seems they put this in to prevent bots that may have taken over your account access to your settings.  Again, not fool proof but another layer.
  • The ability to fully customize privacy settings on all the content you post.  So for example, you can specify if you want everyone on the Internet to view your status updates (more on that in a minute) or Friends, Friends of Friends and Custom.
  • Users are now somewhat “forced” to check out their privacy settings.  It’s more accessible that’s for sure.

The Worse?

  • Your Name, Profile Picture, Gender, Current City, Networks, Friend List, and Pages are all available to be viewed by EVERYONE on Facebook! You cannot change these settings at all.  Note, there is a way to remove your entire Friends List from your profile but it’s all or nothing!  Here is a screen shot of this. You have to set it in your profile page using the “edit” button and check the box.These changes are quite disturbing considering that you used to be able to restrict this type of information.  I really believe that Facebook has done this on purpose so *more* information is being shared about you while stating “enhanced” more granular privacy settings.  If you have been to one of my talks in the past I always mention that social networks need to find ways to make money.  The way they make money is off of the information you share!  If you don’t get a choice about the basic information anymore…that’s more money in their pocket at the expense of your privacy.
  • What about the security ramifications of this? It opens up a whole new world for cyberstalking, predators and other attackers.  If you were someone that didn’t feel comfortable sharing this information in the first place, your choice is gone.  Sure, you can lock down your profile so no one can search for you but if you do that…why are you on Facebook to begin with?  You *have* to let your real friends search for you at some point!
  • By default Facebook “suggests” that you set your status updates to “Everyone”.  Here is the thing with status updates….Everyone means everyone on the Internet!  This is where new technology like Google RTS comes into play.  Imagine how easy it will be to find the latest information on “Tiger Woods” or now everything YOU are saying on Facebook, Twitter and other social networks.  Enter in some social engineering and things just got easier for attackers looking to use you or your information (which is easy to figure out now that I can see your friends, and things that interest you via the pages your a fan of).
  • Lastly, Facebook removed the ability to prevent Facebook applications your friends installed from pulling your “public” information.  That option is now gone and applications that your friends install can now view your “public” info.  Remember kids, “public” info is now: Your Name, Profile Picture, Gender, Current City, Networks, Friend List, and Pages.

One final note…be sure to double check all your privacy settings after you run the wizard.  I found a few settings that reverted back to settings I never had.  So what are your thoughts?  Will this make you lock your profile down more?  Do you care?  Is privacy dead anyway? Will Zombies destroy us all? :-)

Share and Enjoy

  • Facebook
  • Twitter
  • Delicious
  • Digg
  • StumbleUpon
  • Add to favorites
  • Email
  • RSS

Social Zombies at OWASP AppSec DC this Week

0
Filed under Hacking, Social Networks
Tagged as , , , , , , , , , , ,

Continuing the zombie apocalypse from Defcon…Kevin Johnson and I will again be presenting “Social Zombies: Your Friends Want to Eat Your Brains” at this week’s OWASP AppSec DC conference.  We will be speaking Thursday, November 12th at 2:10 in room 146c.  We will have some new material and updates from the presentation we gave at Defcon 17 this year including the release of a new version of Robin Wood’s KreiosC2 (beyond Twitter for C&C).  If your going to the conference we hope to see you there!

Share and Enjoy

  • Facebook
  • Twitter
  • Delicious
  • Digg
  • StumbleUpon
  • Add to favorites
  • Email
  • RSS

Social Zombies: Your Friends Want To Eat Your Brains Video from DEFCON Posted

0
Filed under General Security
Tagged as , , , , , , , , , , ,

The video from the talk Kevin Johnson and I did at DEFCON 17 called “Social Zombies: Your Friends Want To Eat Your Brains” is now up on Vimeo.  If you missed us at DEFCON Kevin and I will be presenting an updated version at OWASP AppSec DC in November.

Share and Enjoy

  • Facebook
  • Twitter
  • Delicious
  • Digg
  • StumbleUpon
  • Add to favorites
  • Email
  • RSS

Old News: Twitter can be used for Botnet Command & Control

0
Filed under Hacking, Malware, Social Networks
Tagged as , , , , , , , , ,

Shocking but true…today a researcher discovered that Twitter has been used for command and control of a botnet which may have been used by Brazilian hackers to steal online banking login information.  Kudos to the researcher, Jose Nazario, who found this.  It was an interesting read to say the least.  The bot would basically look for base64 encoded commands on a Twitter account to download malware via RSS feeds with obfuscated (shortened) URL’s.  Interesting…sounds a lot like Robin Wood’s tool KreiosC2 which was released at DEFCON 17.  I even did this demo showing what else? Base64 encoded commands.  Ironically, I showed off the first version of this code at Notacon 6 back in April of this year.  Keep in mind, KreiosC2 can be used for legitimate tasks like controlling things at home remotely via Twitter.  I highly recommend you read Robin’s detailed write-up on how KreiosC2 functions.

What I find fascinating (like most things in security) is that now that there has been a real confirmed case of using Twitter for botnet C2 (Command & Control) the media seems to be jumping on it and even trying to determine “why it took so long for hackers to take Twitter to the dark side”.  Well, you can’t say we didn’t warn you.

The point that Robin, myself and others were trying to make way back in April was that this is a real threat and the bad guys have probably started to use Twitter for C2 even before Robin put out the code!  We were hoping that by releasing the code Twitter (and others) would see this as perhaps an early warning of things to come and perhaps prepare some defense for it (yes, we know it’s hard to put a defense together for something like this).  Now that we have a confirmed case used for malicious purposes we hope Twitter takes this seriously and can combat future C2 channels used for very bad things.  It always takes something bad to happen to create change…where have you heard that before? :-)

Share and Enjoy

  • Facebook
  • Twitter
  • Delicious
  • Digg
  • StumbleUpon
  • Add to favorites
  • Email
  • RSS

Social Zombies Slides and DEFCON Updates

0
Filed under Hacking, Social Networks
Tagged as , , , , , , , , ,

tom_kevin_zombieKevin and I want to thank everyone that came out to our talk at DEFCON 17 this past weekend.  We had a great time giving the talk and thanks for the feedback!  Even the two Facebook developers that came to our Q&A enjoyed it!  Having said that, Kevin and I will never, ever get a Facebook party invite while at Black Hat and/or DEFCON.  Oh well! At least @dualcoremusic got to play live! :-)

You can download the slide deck from SlideShare that was in the DEFCON 17 CD.  We plan on giving the talk a few more times in the next few months so we don’t plan to release the full version of the slide deck yet.  However, we will post the video as soon as we get it.  The slides on the DEFCON CD are mostly text…no cool Zombie graphics (thanks to @JaneDelay for the Photoshop work BTW) but it should give you a good overview of the talk.

Robin Wood’s fantastic tool called KreiosC2 was also released during our talk.  I did a demo which is posted here and talked a lot about how the PoC code functions.  If you don’t know already…KreiosC2 is a tool written in Ruby which allows IRC like command and control of systems over Twitter.  Very cool!  Also, check out the redesign of Robin’s website.  Awesome.  Make sure you follow Robin on Twitter!  He is one you need to follow!

DEFCON was awesome as usual!  Lot’s of people this year..perhaps an increase from last year and of course the usual hijinks.  It was awesome catching up with everyone and meeting new people.  I attended lots of great talks including the “DEFCON Security Jam 2: The Fails Keep on Coming“.  This was one that you should see the video for…especially the presentations by @haxorthematrix and @myrcurial.  Speaking of @mycurial…you really need to see the awesome yet scary presentation that @myrcurial and @TiffanyRad did on Sunday titled “Your Mind: Legal Status, Rights and Securing Yourself“.  I highly recommend this talk!

The podcasters meetup was also a success!  Thanks to @pauldotcom for hosting and for throwing such an awesome party this year and a shout out to the guys over at I-Hacked.com!  The audio will be posted soon, probably over at the Security Justice site.

Pictures will be posted soon!  Still trying to recover from Vegas!

Share and Enjoy

  • Facebook
  • Twitter
  • Delicious
  • Digg
  • StumbleUpon
  • Add to favorites
  • Email
  • RSS

Social Zombies Invade Las Vegas!

0
Filed under Hacking, Social Networks
Tagged as , , , , , , , , ,

zombieYes, you are reading the title of this post correctly!  Massive Zombie attacks at DefCon this year…bring your shotgun (we are kidding of course, please do not bring firearms to DefCon…you will make the goons very unhappy)!  Seriously though, Kevin Johnson and I will be presenting “Social Zombies: Your Friends Want to Eat Your Brains” at DefCon 17 in Las Vegas on Sunday, August 2nd at 4pm.

My part of the talk is focused on security and privacy concerns with social networks, fake accounts, using social networks for penetration testing and the proliferation of bots on social networks.  I will also be talking about a new version of Robin Wood’s fantastic “Twitterbot” (we actually have a new name for the tool which will be announced at DefCon).  I’ll be providing a live demo showing the new and improved features of his tool!  Big shoutout to Robin for all the work he did on this tool!

The other speaker is Kevin Johnson who you may know as the project lead for BASE and SamuraiWTF (Web Testing Framework).  Kevin is also a SANS instructor for Security 542 (Web App Penetration Testing and Ethical Hacking).  When he isnt managing projects and teaching he’s most likely abusing “playing with” social networks.  Kevin will be talking about SocialButterfly which is an application that can leverage and exploit various social network API’s.  He will also talk about manipulating social networks (and thier users) with third-party applications.  Remember: please accept any and all “friend requests” from Kevin Johnson! :-)

From our talk abstract:

In Social Zombies: Your Friends want to eat Your Brains, Tom Eston and Kevin Johnson explore the various concerns related to malware delivery through social network sites. Ignoring the FUD and confusion being sowed today, this presentation will examine the risks and then present tools that can be used to exploit these issues.

This presentation begins by discussing how social networks work and the various privacy and security concerns that are caused by the trust mass that is social networks. We use this privacy confusion to exploit members and their companies during our penetration tests.

The presentation then discusses typical botnets and bot programs. Both the delivery of this malware through social networks and the use of these social networks as command and control channels will be examined.

Tom and Kevin next explore the use of browser-based bots and their delivery through custom social network applications and content. This research expands upon previous work by researchers such as Wade Alcorn and GNUCitizen and takes it into new C&C directions.

Finally, the information available through the social network APIs is explored using the bot delivery applications. This allows for complete coverage of the targets and their information.

How did this talk come together?  Kevin and I had some past converations regarding social network bots (mostly from my Notacon 6 talk) and decided that much of our research was similar so it made sense to “combine forces” to work on some of this research together.  Also, by working on bots and socnet bot delivery mechinisms we hope to raise awareness about some of the security and privacy threats that are out there, not just for the users of social networks.  Oh, and we both like Zombies.  See you at DefCon!

Share and Enjoy

  • Facebook
  • Twitter
  • Delicious
  • Digg
  • StumbleUpon
  • Add to favorites
  • Email
  • RSS

Social Network Bots Presentation and my Recap from Notacon 6

1
Filed under Social Networks
Tagged as , , ,

Melt your mind at Notacon!

I’m back from Notacon 6 that took place in Cleveland over the weekend and finally have some time to get a post up. All I have to say is…wow. What a great con! This was my first Notacon (yeah, I live in Cleveland…sad I know) and I was totally impressed! There was a great line up of speakers, really fun events and a kick ass game room. The game room was really cool. They had everything from a fully loaded NES and Commodore 64 for your retro gaming fix as well as Rock Band and Guitar Hero. Speaking of Rock Band…myself, Chris, Jack, and Jane entered into the Rock Band competition as the “Notabots”. We won the highest score competition and walked away with over a case and a half of Bawls energy drink, a few books and a sweet retro floppy disk clock. If you know me at all…the energy drink was the best prize ever! :-)

Just like most other smaller con’s the best part is still the great networking opportunities. One talk that was really outstanding was the talk by James “Myrcurial” Arlen titled “From a Black Hat to a Black Suit – The Econopocalypse Now Edition”. His talk is honestly one that anyone wanting to advance their career in Information Security should see. One thing I took away from his talk was that those of us in Information Security should never forget to mentor others, especially those in an entry level position. Remember, we were all the new guy just getting our feet wet at some point…having a mentor is invaluable to the learning process especially in the beginning of your career. In addition, James is a great guy and is someone who has pretty much “seen it all” when it comes to the corporate world.

Rise of the Autobots: Into the Underground of Social Network Bots Presentation Materials
My presentation went great! Thanks to everyone that came out to see it and for all the feedback. I was stoked that we were able to release some really cool code thanks to Robin Wood and announce a new open source project. You can download the Twitterbot POC code here from Robin’s website. I posted the slides from my presentation on Slideshare and the video should be up with the rest of the Notacon presentations soon. This won’t be the end of this research. I am hoping to put together a white paper on this subject using the research I have done thus far. The Notabot code I mentioned is available on the socialnetworkbots.com project site which I will talk about more below.

UPDATE: The video from my Notacon talk is available now to view on Vimeo.

Details on the Social Network Bots Open Source Project
I created a SourceForge project for all the development for the bot army I am looking to create (joke). Basically I’m looking for others interested in developing bots for social networks to join up on the team and contribute code to the project. I have already talked to some of you at Notacon and there looks like a few of you would like to work on N0tab0t version 1.1 which might be…well interesting to say the least! You can check out the project on socialnetworkbots.com. We are looking for any kind of social network bot…not just Twitter bots. If you want to join in, post something on the project forum or send me an email.

Stay tuned. Lots of more social media security research goodness coming soon! Thanks for sticking around for the ride! :-)

Share and Enjoy

  • Facebook
  • Twitter
  • Delicious
  • Digg
  • StumbleUpon
  • Add to favorites
  • Email
  • RSS

Speaking at Notacon 6 this week!

0
Filed under Social Networks
Tagged as , , ,

It’s time to gear up for Notacon 6 which starts for me on Thursday night at 7pm. I will be at the preview night giving a short overview of my presentation on Saturday “Rise of the Autobots: Into the Underground of Social Network Bots”. I have been busy tuning and making some last minute updates to the presentation. Some of these last minute updates include some code that myself and a few others have been working on as well as the announcement of a new open source project. What would a con be without a release of some code right? This is exciting stuff that I’m looking forward to talking about in my presentation. It all goes down at 5pm in the East Ballroom on Saturday.

Shortly after my talk on Saturday I will have my presentation posted as well as links to the code being released and links to the new project I will be talking about. Stay tuned to this blog for those details over the weekend.

At Notacon I will also be participating in Notacon Radio with the other co-hosts of the Security Justice podcast. Follow Security Justice on Twitter for details on when we will be live. We should be doing some interviews with some of the speakers as well. If you are at the con, stop by and say Hi!

Some other events at Notacon…there is a Security Twits meetup taking place on Thursday organized by @geekgrrl. If you plan on going you need to RSVP via DM to her like yesterday…I’ll be there as well as a few others from Twitter.

I also posted a list of recommended Notacon speakers and events on the Security Justice web site you can check out here so I won’t regurgitate the speakers that I will be going to see. Anyway, I should be live tweeting as I usually do at conferences so be sure to follow me for Notacon updates.

Lastly…this has been a crazy 2-3 months for me. Lots of changes going on with things I have been involved with and projects I have been working on. With all of this activity it has left little time for the blog but I will be getting back into regular posting once things slow down a little so thanks for sticking around. I am still amazed that this whole social media/networking security research has really taken off for me. I must have found a niche! :-) I still have a focus on pentesting (mostly for my job) but it’s cool to see how other interests evolve and morph into greater things. Such is life right?

Share and Enjoy

  • Facebook
  • Twitter
  • Delicious
  • Digg
  • StumbleUpon
  • Add to favorites
  • Email
  • RSS

Social Network Bots at Notacon 6!

1
Filed under Social Networks
Tagged as , , ,

Autobots roll out!

What have I been doing lately? Why the lack of posts? Well…I have been preparing for my talk at Notacon 6 called Rise of the Autobots: Into the Underground of Social Network Bots. Who are these bots and what are they here for? From my abstract:

How do you know that last friend request or Twitter follower was an actual live human being? The truth is…you don’t! Bot’s and bot manufactures have become rampant in social networks such as MySpace, Facebook and Twitter exploiting the trust relationships that make social media work. Why are bots taking control of social networks? It’s simple. Social networks are the fastest growing phenomenon of our time. For example, Facebook alone recently reached 150 million potential targets for spammers, malware authors, and other undesirables in 2008. Social networks are only getting bigger and bots will be part of this trend.

This presentation will take you on a journey into the thriving bot underground where bots are manufactured for every purpose imaginable. We will talk about good bots, bad bots, *really* evil bots, how to identify bots, terminating bots and the future possibility of social network botnets to rule them all.

This talk is the result of many months of research that I have been doing on this subject. Here are three things from my research as a teaser for my talk:

1. You will find it fascinating that bots are a huge part of social networks. Bots are not only used by the bad guys but legitimate users as well.

2. There will be discussion on why spammers are targeting social networks and how most of this bot activity falls under the guise of “Blackhat SEO“. I have been finding that there is a thin line between what constitutes “Blackhat” vs. “Whitehat” and that line will continue to blur. You will be amazed (as I was) with the business and money making model(s) that spammers and malware authors use. There is a ton of money being made from using these techniques and tools! Want an idea how much? Check out Jeremiah Grossman’s recent presentation on Blackhat SEO…you might want to quit your day job.

3. How do you use bots to create accounts? What are the most popular tools available? How about just buying hacked/bot created accounts in bulk then use these tools to SPAM friends lists? Also, as a tie in to the tools that are used we will talk about why CAPTCHA’s and other controls are not working. Finally, don’t forget about the new frontier of botnets and social networks…this is an untapped area thats only going to get more interesting.

So, if you are coming to Notacon 6 (April 16th-19th) hopefully you can stop by. I promise, my talk will be entertaining! Stay tuned to this blog…after the talk I plan on releasing detailed articles on some of the specific topics from the talk.

Share and Enjoy

  • Facebook
  • Twitter
  • Delicious
  • Digg
  • StumbleUpon
  • Add to favorites
  • Email
  • RSS