Sorry for the long delay in posting the slides from the presentation that Josh Abraham, Kevin Johnson and I gave at Black Hat USA and DEF CON 19. I’ve uploaded the slides from DEF CON to SlideShare (you can also download a copy there) and below are the links to the tools and white paper. I’m currently working with OWASP to get the testing methodology put into the next version of the OWASP Testing Guide (v4). If you have any comments or bug reports for the tools and vulnerable web services, please let Josh and Kevin know; they would appreciate it!
Continuing the zombie apocalypse from Defcon…Kevin Johnson and I will again be presenting “Social Zombies: Your Friends Want to Eat Your Brains” at this week’s OWASP AppSec DC conference. We will be speaking Thursday, November 12th at 2:10 in room 146c. We will have some new material and updates from the presentation we gave at Defcon 17 this year, including the release of a new version of Robin Wood’s KreiosC2 (beyond Twitter for C&C). If you’re going to the conference, we hope to see you there!
The video from the talk Kevin Johnson and I did at DEFCON 17 called “Social Zombies: Your Friends Want To Eat Your Brains” is now up on Vimeo. If you missed us at DEFCON Kevin and I will be presenting an updated version at OWASP AppSec DC in November.
Shocking but true…today a researcher discovered that Twitter has been used for command and control of a botnet which may have been used by Brazilian hackers to steal online banking login information. Kudos to the researcher, Jose Nazario, who found this. It was an interesting read to say the least. The bot would basically look for base64-encoded commands on a Twitter account to download malware via RSS feeds with obfuscated (shortened) URLs. Interesting…sounds a lot like Robin Wood’s tool KreiosC2, which was released at DEFCON 17. I even did this demo showing what else? Base64-encoded commands. Ironically, I showed off the first version of this code at Notacon 6 back in April of this year. Keep in mind, KreiosC2 can be used for legitimate tasks like controlling things at home remotely via Twitter. I highly recommend you read Robin’s detailed write-up on how KreiosC2 functions.
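As an added illustration of the defensive side (this is not code from the original post, from Jose Nazario’s analysis, or from KreiosC2): a small triage script that pulls base64-looking tokens out of social-media posts, decodes them strictly, and flags any shortened URL the decoded text carries. The sample posts and the shortener host list are constructed assumptions.

```python
import base64
import re
import string

# Constructed sample timeline standing in for posts pulled from a social-media
# API or proxy logs; none of this is real traffic.
SAMPLE_POSTS = [
    "Great turnout at our DEFCON 17 talk, slides soon!",
    "socialmediasecurity.com is live!",  # 19-char token: long, but not base64
    "aHR0cDovL2JpdC5seS9leGFtcGxlMTIz",  # base64 of a shortened URL
    "status update: " + base64.b64encode(b"download http://tinyurl.com/abc123").decode(),
]

# Shortener hosts to flag (assumed, illustrative list; extend from your own intel).
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "is.gd", "goo.gl"}

B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
URL = re.compile(r"https?://([^/\s]+)\S*", re.IGNORECASE)
PRINTABLE = set(string.printable)


def decode_base64_tokens(text):
    """Return (token, decoded) pairs for tokens that strictly decode to printable ASCII."""
    found = []
    for token in B64_TOKEN.findall(text):
        if len(token) % 4:
            continue  # real base64 is always a multiple of 4 characters long
        try:
            decoded = base64.b64decode(token, validate=True).decode("ascii")
        except ValueError:  # binascii.Error and UnicodeDecodeError both subclass it
            continue
        if set(decoded) <= PRINTABLE:
            found.append((token, decoded))
    return found


def shortened_urls(text):
    """Return the URLs in text whose host is a known shortener."""
    return [m.group(0) for m in URL.finditer(text) if m.group(1).lower() in SHORTENER_HOSTS]


def triage_posts(posts):
    """Flag posts whose base64 payload decodes to readable text, recording any shortened URLs."""
    findings = []
    for post in posts:
        for token, decoded in decode_base64_tokens(post):
            findings.append({"post": post, "token": token, "decoded": decoded,
                             "shortened_urls": shortened_urls(decoded)})
    return findings


if __name__ == "__main__":
    for f in triage_posts(SAMPLE_POSTS):
        print(f"ALERT: {f['decoded']!r} -> shortened URLs {f['shortened_urls']}")
```

Plain long words are rejected by the length and strict-decode checks, so only the two encoded posts surface; in practice you would feed the same functions the text of each post from your own feed collection.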
What I find fascinating (like most things in security) is that now that there has been a real confirmed case of using Twitter for botnet C2 (Command & Control) the media seems to be jumping on it and even trying to determine “why it took so long for hackers to take Twitter to the dark side”. Well, you can’t say we didn’t warn you.
The point that Robin, myself and others were trying to make way back in April was that this is a real threat and the bad guys have probably started to use Twitter for C2 even before Robin put out the code! We were hoping that by releasing the code Twitter (and others) would see this as perhaps an early warning of things to come and perhaps prepare some defense for it (yes, we know it’s hard to put a defense together for something like this). Now that we have a confirmed case used for malicious purposes we hope Twitter takes this seriously and can combat future C2 channels used for very bad things. It always takes something bad to happen to create change…where have you heard that before?
Kevin and I want to thank everyone that came out to our talk at DEFCON 17 this past weekend. We had a great time giving the talk and thanks for the feedback! Even the two Facebook developers that came to our Q&A enjoyed it! Having said that, Kevin and I will never, ever get a Facebook party invite while at Black Hat and/or DEFCON. Oh well! At least @dualcoremusic got to play live!
You can download the slide deck from SlideShare that was on the DEFCON 17 CD. We plan on giving the talk a few more times in the next few months, so we don’t plan to release the full version of the slide deck yet. However, we will post the video as soon as we get it. The slides on the DEFCON CD are mostly text…no cool Zombie graphics (thanks to @JaneDelay for the Photoshop work, BTW), but they should give you a good overview of the talk.
Robin Wood’s fantastic tool called KreiosC2 was also released during our talk. I did a demo which is posted here and talked a lot about how the PoC code functions. If you don’t know already…KreiosC2 is a tool written in Ruby which allows IRC-like command and control of systems over Twitter. Very cool! Also, check out the redesign of Robin’s website. Awesome. Make sure you follow Robin on Twitter! He is one you need to follow!
DEFCON was awesome as usual! Lots of people this year…perhaps an increase from last year, and of course the usual hijinks. It was awesome catching up with everyone and meeting new people. I attended lots of great talks including the “DEFCON Security Jam 2: The Fails Keep on Coming“. This was one that you should see the video for…especially the presentations by @haxorthematrix and @myrcurial. Speaking of @myrcurial…you really need to see the awesome yet scary presentation that @myrcurial and @TiffanyRad did on Sunday titled “Your Mind: Legal Status, Rights and Securing Yourself“. I highly recommend this talk!
The podcasters meetup was also a success! Thanks to @pauldotcom for hosting and for throwing such an awesome party this year and a shout out to the guys over at I-Hacked.com! The audio will be posted soon, probably over at the Security Justice site.
Pictures will be posted soon! Still trying to recover from Vegas!
I wanted to get this post up before I leave for DefCon since it will be hard to have time to blog in Vegas. In a nutshell, I started a new web site called socialmediasecurity.com. This was originally a project that I started to move my social media research over to a separate web site but has since evolved into something much larger. What I have done is consolidated (with permission) research from other security researchers such as Aviv Raff, Joseph Bonneau, Kevin Johnson, Nathan Hamiel, Scott Wright, theharmonyguy and more. Each article links back to the original author. The purpose of this was to have an easy way to search on a specific topic or social network (for example: Twitter) and get the security information you are looking for. You can subscribe to post updates via RSS, Email or through Twitter.
In addition, at the top of the page are links to downloadable guides, presentations, videos and more. All of this content is related to user education and awareness on social media security issues. This is obviously a work in progress and I plan to have more content added very soon. One thing I am working on that I wanted to get out before my talk at DefCon was a detailed walk-through video of the Facebook Privacy Settings (basically a walk-through of my guide). I haven’t finished the video yet and I might have to redo it since Facebook will be releasing a new interface for privacy settings in the near future. The plan is to do one for each of the major social networking sites as well as a downloadable guide like the Facebook one.
So…you can also consider this a call for volunteers! If you would like to contribute anything (guides, videos, research, tools, blogging on the site) or have feedback, let me know by sending me an email (tom[aT]spylogic.net). There are a few other researchers and volunteers working on some really cool stuff for the web site. Far too many ignore the security and privacy issues of social media. We welcome your participation to help make a difference!
Yes, you are reading the title of this post correctly! Massive Zombie attacks at DefCon this year…bring your shotgun (we are kidding of course, please do not bring firearms to DefCon…you will make the goons very unhappy)! Seriously though, Kevin Johnson and I will be presenting “Social Zombies: Your Friends Want to Eat Your Brains” at DefCon 17 in Las Vegas on Sunday, August 2nd at 4pm.
My part of the talk is focused on security and privacy concerns with social networks, fake accounts, using social networks for penetration testing and the proliferation of bots on social networks. I will also be talking about a new version of Robin Wood’s fantastic “Twitterbot” (we actually have a new name for the tool which will be announced at DefCon). I’ll be providing a live demo showing the new and improved features of his tool! Big shoutout to Robin for all the work he did on this tool!
The other speaker is Kevin Johnson, who you may know as the project lead for BASE and SamuraiWTF (Web Testing Framework). Kevin is also a SANS instructor for Security 542 (Web App Penetration Testing and Ethical Hacking). When he isn’t managing projects and teaching, he’s most likely abusing (“playing with”) social networks. Kevin will be talking about SocialButterfly, which is an application that can leverage and exploit various social network APIs. He will also talk about manipulating social networks (and their users) with third-party applications. Remember: please accept any and all “friend requests” from Kevin Johnson!
From our talk abstract:
In Social Zombies: Your Friends want to eat Your Brains, Tom Eston and Kevin Johnson explore the various concerns related to malware delivery through social network sites. Ignoring the FUD and confusion being sowed today, this presentation will examine the risks and then present tools that can be used to exploit these issues.
This presentation begins by discussing how social networks work and the various privacy and security concerns that are caused by the trust mass that is social networks. We use this privacy confusion to exploit members and their companies during our penetration tests.
The presentation then discusses typical botnets and bot programs. Both the delivery of this malware through social networks and the use of these social networks as command and control channels will be examined.
Tom and Kevin next explore the use of browser-based bots and their delivery through custom social network applications and content. This research expands upon previous work by researchers such as Wade Alcorn and GNUCitizen and takes it into new C&C directions.
Finally, the information available through the social network APIs is explored using the bot delivery applications. This allows for complete coverage of the targets and their information.
How did this talk come together? Kevin and I had some past conversations regarding social network bots (mostly from my Notacon 6 talk) and decided that much of our research was similar, so it made sense to “combine forces” and work on some of this research together. Also, by working on bots and socnet bot delivery mechanisms we hope to raise awareness about some of the security and privacy threats that are out there, not just for the users of social networks. Oh, and we both like Zombies. See you at DefCon!
I am on my way back from Black Hat and Defcon 16 in Las Vegas with a three hour delayed flight so this is probably a good time to talk about Black Hat and Defcon 16.
To start off…this was one busy and eventful week! I met so many people this week it was crazy. I am officially overflowing with business cards! I got lots of opportunities to not only meet some of the people that I admire in the security industry but also had a chance to network with a great many others that I had just met. There were some really good parties (umm…networking opportunities) at both Black Hat and Defcon. Some worth mentioning that I was at were Mozilla, Core Impact, Ethical Hacker, and I-Hacked. I also attended a Security Twits meetup on Friday night at Sushi Roku and got to meet many of the Security Twits in person, which was really cool. Thanks to @quine for organizing this event!
I attended several talks at both Black Hat and Defcon. I was able to attend everything that I wanted at Black Hat and even attempted to “live tweet” the Dan Kaminsky talk. You can see my updates through TweetScan or other Twitter search tools by searching for #blackhat and #defcon on my Twitter ID (agent0x0). Most of my time at Defcon was spent watching my wife win the Guitar Hero 3 Medium contest…(first woman to win this contest at Defcon) and improving my lock picking skills in the lock picking village. I have to say that I focused a lot of my time at Defcon just enjoying the contests and meeting new friends. I absolutely love Defcon. It’s the greatest meetup of the good, bad, and everyone in between. One talk that was a highlight for me was Jay Beale’s talk on “Owning the users with the Middler”. I interviewed Jay on the Security Justice podcast about a week ago where he talked about the tool. Jay’s talk was packed! Standing room only (goons were sent in to crowd control). He did a good job even though he couldn’t finish his talk because time ran out. If you get an opportunity to see Jay speak, I highly recommend it! Speaking of goons…I have to hand it to the Defcon goons this year for doing a great job with crowd control! I overheard one goon say that he was doing crowd control for a “f***ton” of people! Oh, and the badges were pretty cool as well…once I waited in a long line for mine on day 2. The badge is actually a “tv-b-gone”…I could turn the TV on and off in my hotel room with the badge. Neat!
Speaking of podcasts…I was fortunate to participate in the live podcast at Defcon 16 right before the I-Hacked party in one of the Sky Boxes. I podcasted with Chris and Jay from Securabit, Larry from PaulDotCom, Matt from SploitCast and Martin McKeay from the Network Security Podcast. Rob Fuller (@mubix) coordinated and hosted the event. Hopefully some of you were able to tune into the live video and audio and chat via IRC. Not sure if the recording will be released or not. I’ll post a link if it is.
Finally, lots of pictures were taken!! I will be posting mine to both my personal and the Security Justice podcast web site Flickr account soon.
It looks like my plane just arrived…I hope to post more stuff on Black Hat/Defcon in the coming days.
I thought I would throw my list into the mix of other Security Twits that are posting about talks they are either going to or wish they were going to at Black Hat this week. Most of my picks have a pentest perspective to them (a lot like CG’s over at Carnal0wnage). Here is my tentative list of talks I plan on attending:
10:00 to 11:00
Nmap: Scanning the Internet – Fyodor Vaskovich
If you’re a penetration tester, don’t miss this one…Fyodor is a legend (heck, even some girl at sexyhacking.com (NSFW!) thinks so…the man has stalkers!) and I’m looking forward to hearing about new and unique ways to use Nmap.
11:15 to 12:30
Black Ops 2008: It’s The End Of The Cache As We Know It – Dan Kaminsky
Unless you have been living under a rock for the last month then you should know about this one. It will be crowded (like all of Dan’s talks) but well worth attending.
13:45 to 15:00
Client-side Security – Petko D. Petkov
Another not-to-miss talk in my book. Petko, better known as pdp, heads up GNUCITIZEN, which is one of the sites that I closely follow. GNUCITIZEN releases some amazing security research and is always on the cutting edge. As a bonus, it looks like pdp will provide details of a QuickTime 0day for Windows Vista and XP.
15:15 to 16:30
Bluetooth v2.1 – a New Security Infrastructure and New Vulnerabilities – Andrew Lindell
This one should be different. I recently started gaining more of an interest in Bluetooth vulnerabilities. Andrew will “show that it is possible to pair with a device that uses a fixed (but unknown) password, even when the password is random and reasonably long”. Sounds interesting.
16:45 to 18:00
MetaPost Exploitation – Val Smith
This is one I am really looking forward to. This is one just for penetration testers. I saw Val Smith and HD Moore present last year on “Tactical Exploitation” and it was outstanding.
The Pwnie Awards 2008
If I’m not totally beat I plan on attending this. Should be fun to check out before hitting some of the parties.
10:00 to 11:00
Satan is on My Friends List: Attacking Social Networks – Shawn Moyer and Nathan Hamiel
I was torn between this one and “Encoded, Layered and Transcoded Syntax Attacks”. However, I am really on a social network security kick as of late, so I think I will attend this one. If it is lame, I’ll jump into the other talk.
11:15 to 12:30
Threats to the 2008 Presidential Election (and more) – Oliver Friedrichs
While not pentest specific…this one looks pretty interesting. The synopsis notes the following: “…we will discuss domain name abuse, including typo squatting and domain speculation as it relates to candidate Internet domains. We will present and demonstrate how widespread this activity has already become. Secondly, we will discuss the potential impact of phishing on an election.” Sounds cool!
13:45 to 15:00
Hacking and Injecting Federal Trojans – Lukas Grunwald
The “infection proxy” demo seems worth seeing! The other talk that sounds cool is the one Joanna Rutkowska is doing. I saw her talk at Black Hat last year. Joanna is a brilliant mind, but a *fast* talker…with the amount of technical detail she usually covers…it’s tough to keep up.
15:15 to 16:30
…Continuing “Hacking and Injecting Federal Trojans”. If it seems to suck, I’ll be at the following:
The Internet is Broken: Beyond Document.Cookie – Extreme Client Side Exploitation – Nathan McFeters, John Heasman, Rob Carter
Get Rich or Die Trying – Making Money on the Web, the Black Hat Way – Jeremiah Grossman, Arian Evans
I can’t decide between these two, perhaps I will attempt to see a little of both!
16:45 to 18:00
Methods for Understanding Targeted Attacks with Office Documents – Bruce Dang
We have all seen a rise in this type of attack over the last year. It’s true…there isn’t a ton of information about the technical details of these types of attacks. Hopefully this talk sheds some light on what’s behind them and helps introduce some new prevention methods.
Wow. Packed schedule with lots of great talks! Looking forward to Las Vegas as well! Always a good time (if I can break even…it would be better). Oh, and hopefully I will be able to hook up with some of the other Security Twits during the week. I’ll be at Defcon as well so if anyone wants to have a beer hit me up on Twitter…or, just stop by the Podcaster/Blogger Meetup at Defcon 16. I’ll be there representing the Security Justice podcast.
Stay tuned for my Defcon 16 “talks to attend” post in the next few days.