First is some research several of my colleagues and I worked on.  The paper is titled: “Profiling User Passwords on Social Networks”.  The paper discusses the password problem that we all know and love as well as how you can determine passwords by what individuals post on their profiles.  We dive into tools from Robin Wood, Mark Baggett and others that can be used to pull keywords from profiles and other sources to create wordlists.  These wordlists can be used for brute force attacks on user accounts.  Next, we look at password complexity of several popular social networks with some research around brute force controls that some of the social networks have implemented, or in some cases haven’t.  Lastly, we discuss some things that users of social networks can do when choosing passwords.  You can download my paper here.

The other paper released is titled: “Security Gaps in Social Media Websites for Children Open Door to Attackers Aiming To Prey On Children” by my colleague Scott White.  In his paper he looks at the security of social media websites specifically designed for children.  This is some very detailed research and sheds some light on how predators are using these sites to target children as well as some issues that are unique to these types of social media websites.  You can download Scott’s paper here.

Speaking of social media…I’ll be presenting “Social Impact: Risks and Rewards of Social Media” at the Information Security Summit this Friday at 10am.  I’ll have the slide deck posted shortly after the conference.

In many companies the marketing, public relations, HR and other “business” functions really don’t want anything to do with security.  It’s true.  We always get in the way by stopping money making and/or great marketing ideas with phrases like “If you do that…the hax0rs are going to pwn us!” or “No you can’t, that’s against our security policy.  Go away now.”  Unfortunately, all it takes is one bad experience from the “security people” and they won’t want to work with you ever again.  I’ve seen it happen many times and I’ve even been “that evil security guy” at various times in my career.

It’s because of this bull headed attitude that these departments start finding ways around your policies, procedures, website blocking and more.  Why? Because security people are increasingly impossible to deal with.  Too much red tape, policies, rules and most of all…lack of communication.  That’s right, I said it.  Lack of good communication.  When was the last time you talked to these people in your company?  When was the last time you offered to help them with a compromise or solution rather then saying no?  This might be a shock to some of you but these are the people helping make the business money.  All of us in security are just an extra expense to the business.  Don’t make our jobs harder!  Here are three steps to help communicate to these people better:

1. Get out of your shell
We love to hang out and network at security conferences and user groups.  It makes sense because we are comfortable around our own people.  However, take a step back and think about what the “business needs” for a minute.  You are there to help the business succeed.  So go out and help them!  One way to do this is to attend a marketing conference.  Seriously.  You get to meet and talk to people that want to help the business make money and know how to do it.  You also get to learn what the business wants.  This will get you thinking about how you as the “security person” can help make that happen while keeping the business and its information safe.

2. Learn something new
What does marketing have to do with security?  All kinds of things!  SEO, blogging, social networking, social media, brand reputation, monitoring and more.  These are hot topics right now and there are serious security and privacy issues to be concidered.  You need to be involved!  The best way to do this is to attend their conferences, read their blogs and communicate.  One good way to get involved is to look for a local social media club in your area.  We have a great one in Cleveland and there are others in cities all over the US and probably the world.  Attend, learn and network.  It can only benefit you and your company.  Same goes if you are a consultant.  Meeting marketing people is a great way to get new business because they usually have a direct line to upper management at a company.  They will also be so impressed that a security person actually took the time to show up to a marketing conference…they might call upper management for you.

3. Teach and Educate
We have all “beaten the horse to death” regarding security awareness.  Many in security say it doesn’t work and is a hopeless battle.  While there is no patch for human stupidity, you still need to make an effort.  If anything, by you as the “security person” showing up at the marketing departments monthly meeting it shows that security wants to be involved with what they are doing.  This alone says volumes!  Especially to management of those groups.  Get out there and explain why you have certain policies, how the security team functions or better yet…how you can help them market the business and do it securely.

This update includes details on all the recent changes to Facebook’s privacy settings that went live May 26, 2010.  I have also included more information on “Instant Personalization”, removing yourself from “Platform”, and how your public information can be accessed via the Facebook Graph API.  Note that you may not have these settings enabled on your Facebook profile…yet.  They are slowly being rolled out to the Facebook user base and may take a few weeks.  Please share with friends, family and others!

Download the latest version of the Facebook Privacy & Security Guide here.

Jumping forward to today we see yet another iteration of these settings.  I don’t have the settings on my Facebook account yet so I haven’t updated the guide but I have read some of the information already out there.  The EFF has a good post up about the new settings.  They even have a YouTube video showing you the changes and their recommendations.  The other post you should read is one by theharmonyguy who, as always, has very good analysis of these settings and Facebook overall.

My thoughts are pretty much along the same lines as the EFF and others.  However, I will say that no matter what changes Facebook makes to their privacy settings they *will* find ways to use your information to make money.  This is Mark Zuckerberg’s business model and that won’t change anytime soon.  I will leave you with a fantastic quote that I think sums up all the media drama leading up to these new privacy controls.  This is a quote from Bruce Schneier.  It’s from an article he did for Forbes regarding statements that “Privacy is Dead”:

“It’s just not true. People, including the younger generation, still care about privacy. Yes, they’re far more public on the Internet than their parents: writing personal details on Facebook, posting embarrassing photos on Flickr and having intimate conversations on Twitter. But they take steps to protect their privacy and vociferously complain when they feel it violated. They’re not technically sophisticated about privacy and make mistakes all the time, but that’s mostly the fault of companies and Web sites that try to manipulate them for financial gain.”

Open Graph
The first significant change is Facebook’s “Open Graph”.  Open Graph is a significant departure from Facebook’s previous data connection strategy which used to be centered around Facebook Connect.  All of that is gone and replaced with Open Graph.  Open Graph basically allows partner websites and Facebook applications to share your public information and the public information of your friends with each other.  The other big change which is a departure from Facebook Connect is that developers can hold your data indefinitely.  The requirement was previously only for 24 hours (and we all know developers weren’t really holding to that anyway).

What’s also interesting is that Facebook has implemented an API called the Graph API. The Graphs API is how developers can easily integrate their applications with this new stream of user data.  In fact, now you don’t even need a Facebook account to search the Open Graph.  For example, https://graph.facebook.com/search?q=facebook&type=post will show you 25 recent status updates.  Note that these status updates are set to Everyone and it seems that Facebook has put a limit on data you can retrieve with one query (this will change most likely or you can figure out ways around this).  Before you had to log in to Facebook to do a search or use some creative Google queries for this information.  This is good news for attackers, spammers and data miners.  Facebook has made publicly available information even easier to search for and in my opinion, is going to start competing with Google for personalized search results.  Stay tuned, Open Graph is going to be a huge area that I will be focusing my research on.  As a penetration tester, my job just got easier.  Thanks Facebook!

Social Plugins
Social plugins are small bits of code (the “Like” button for example) that you probably have been seeing all over the web.  What Facebook has done is added simple plugins that web site developers can easily integrate.  Also note that there are many more plugins available besides the “Like” button.  Simply run the wizard, fill in a few lines and you’re done.  Lets take the “Like” button as an example.  If you are signed into Facebook (or not) you will see the button just like you do on Mashable:

Clicking on the button while you are signed in to Facebook posts a notice to your news feed that you like Mashable.  The button also works when you are not logged into Facebook by prompting you to sign in.  This is similar to how Facebook Connect worked.  If you want to “unlike” the page, simply click the “Like” button again.  Already, someone has found a potential security problem with the “Like” button that could possibly be abused by spammers.  Keep in mind that these social plugins are part of Facebook’s strategy to take over the world integrate their Open Graph protocol.  Once Open Graph starts to be more popular, you will see lots more attacks leveraging these new plugins.

Instant Personalization
Lastly, we have “Instant Personalization”.  Instant Personalization is the feature in which Facebook has “pre-approved” third-party web sites to gain access to your public information just by visiting them.  There is very little information available currently on how Facebook approves third-party sites.  Once you allow these sites full authorization, they have the same access that any developer would have to your Facebook information.  For example, here is what it looks like when you surf to Yelp.  You will get a pretty blue bar that shows up at the top of your browser window:

You should notice that you have the option to “Learn More” or say “No, thanks”.  You will also notice how instantly, if any of your friends on Facebook are using Yelp you can see any of their activity just below the blue bar.

Now something interesting happens once you visit one of these pre-approved sites.  I noticed that a Facebook application (in this case Yelp) gets installed and allows it permissions to post.  You don’t have to even click “No thanks”, the application is already installed.  Pandora and Microsoft Docs work the same way.  In fact, when testing the Microsoft Docs personalization I noticed the Facebook application that gets installed sets its privacy permissions to EVERYONE and allows one-line posts on your behalf.  This means that anyone can see any activity that is posted by that application.  Keep in mind that these controls are all being closely looked at by attackers and I suspect that we will see some hacks and/or abuse of this new personalization system soon.

Instant Personalization Privacy Settings
Facebook has put in a global “opt-out” check box in your privacy settings.  Of course in typical Facebook fashion they have buried this setting so it’s hard to find.  Ironically, just as I was writing this post Facebook changed the location of this setting.  So now you have to go down one more level by clicking an additional button to get to the setting (see the screen shot below).

There are some very important caveats about this setting.  First, this setting is enabled by default. Yes, that’s right.  If you have a Facebook account this setting is checked right now and you are opted in.  I had thought that Facebook would have learned from the Beacon fiasco but it appears they haven’t.  Secondly, just because you “opt-out” doesn’t mean your information is safe.  Just like other Facebook applications if your FRIENDS use Yelp, Pandora or Microsoft Docs these sites can still get your public information or anything else you have made available to be shared with friends.  To completely opt-out you need to MANUALLY block each and every application (in this case Yelp, Pandora and MS Docs).  It goes without saying, this is a huge pain and I look forward to the long list of complaints and privacy concerns regarding this psudo opt-out.  The other problem is that I have already seen posts by Facebook that they already have partner sites that they are going to announce soon.  What this means is that if you want to truly “opt-out” you need to keep up to date on all the new third-party partners with Facebook and manually block their applications.  This is a terrible control in my opinion.

So where are these settings?  Click on Account –> Privacy Settings –> Applications and Websites –> Instant Personalization (Click the Edit Settings button).  In the screen shot below you can see the box that you need to uncheck.

UPDATE: Yvan Boily on Twitter had mentioned that you should also uncheck every box under “What your Friends can share about you” in your privacy settings (in my guide on SocialMediaSecurity.com this is what I recommend as well).

I will be updating my Facebook Privacy & Security Guide over on SocialMediaSecurity.com to reflect all of these changes soon.  In the meantime, tell your friends on Facebook about these settings and check out a few other good articles on the recent changes.  Here are three articles I recommend reading: Pros and Cons of Today’s Facebook Announcements by theharmonyguy, How to Opt Out of Facebook’s Instant Personalization (with a nice video walk-through) by the EFF and Facebook Open Graph: What it Means for Privacy by Mashable.

The point is that these fake groups are targeting Facebook users thinking that Facebook has these new “features” like a dislike button and even ones like “see who viewed your profile”.  Folks, these techniques and/or modifications to Facebook don’t exist.  Sorry.  Just in the last week I have seen more and more of my Facebook friends sharing links to these groups.  Almost all of the groups I have looked at that were being shared lead to very bad places which I will demonstrate below.

Example #1 – The Typical “Get the DISLIKE BUTTON” Scam
In this example we have one of *many* groups that promise you the uber magic secret “dislike” button if you just join the group, invite your friends to do the same and follow some strange link off to Neverland.  This group has 1,162,238 members.  I wish I was making that number up.

The first thing you will notice is that there is a link to a Facebook profile they want you to friend.  That profile was deleted (your first clue).  Next, they want you to check out a link in Step 5.  That link sends you here:

Which will eventually install some nasty adware/spyware on your Windows machine called Adware.Mywebsearch.DV.  It’s not easy to get rid of.

In a similar group like the one above with a mere 697,375 members the last link takes you to this:

If you go through with entering in your cell phone number and getting the confirmation code per the instructions you have just signed up for a monthly charge to your cell phone account to the tune of $9.99 per month.  The monthly charge details is in the very tiny text you can hardly read.  Nice.  But wait, if you were smart enough to try and close the quiz window, you get this pop-up:

Really?  Hopefully you don’t fall for that one even though it shows your real city.

Example #2 – The Typical “See everyone who viewed your profile” Scam

This is one of my favorites as this is another impossible feat of Facebook technology.  Here is what the screen shot look like:

Note the PhotoShop job on the notification window showing who has “viewed” your profile.  Clicking on the bit.ly link leads you to another quiz application or adware/spyware or other forms of dangerous malware.  Don’t worry, there are *lots* of these groups out there. Good times.

So the lesson here is…don’t click on anything in these groups that tempt you with magical Facebook powers!  If it seems too good to be true, it probably is!

Regardless of settings I think that there are just *stupid* people using social networks.  In fact, I think that even if social networks didn’t exist these people would still be classified as ones with “no brain cells” (no pun intended with this example).  For example, here is tweet from a girl talking about a job interview she has scheduled with some company:

Now if that wasn’t bad enough…check out her profile picture:

I have nothing else to say but…FAIL.  Perhaps this is the start of a new series of blog posts. 

There are a great deal of articles already out about how this is such a great improvement and how these new settings give you more control over your privacy.  However, I would argue that these settings may possibly open up more issues then they are trying to prevent.  The best article on the new settings and the privacy implications is the one that the Electronic Frontier Foundation (EFF) released today titled: Facebook’s New Privacy Changes: The Good, The Bad, and The Ugly.  I recommend everyone (no pun intended) read this article as it provides much more detail then I will provide in this post.

What I want to do is provide you with a summary of the good and the bad of the new privacy settings.  I also want to give a security professional’s point of view on these settings.  As a penetration tester I can tell you that my job just got way easier!  You may have read my series on Enterprise Open Source Intelligence Gathering in which I tell you how you can find information on social networks about your company and employees.  Well, searching for information on Facebook just got easier thanks to status updates being available using new technology like Google Real-time Search!  Ok, on to the better and the worse!

The Better?

• The new way privacy settings are “managed” is a good thing.  It’s easier to find and navigate through the settings.
• I like that they ask you for your password to change privacy settings.  It’s just another layer.  Now, this doesn’t help much if you have a keylogger installed but it seems they put this in to prevent bots that may have taken over your account access to your settings.  Again, not fool proof but another layer.
• The ability to fully customize privacy settings on all the content you post.  So for example, you can specify if you want everyone on the Internet to view your status updates (more on that in a minute) or Friends, Friends of Friends and Custom.
• Users are now somewhat “forced” to check out their privacy settings.  It’s more accessible that’s for sure.

The Worse?

• Your Name, Profile Picture, Gender, Current City, Networks, Friend List, and Pages are all available to be viewed by EVERYONE on Facebook! You cannot change these settings at all.  Note, there is a way to remove your entire Friends List from your profile but it’s all or nothing!  Here is a screen shot of this. You have to set it in your profile page using the “edit” button and check the box.These changes are quite disturbing considering that you used to be able to restrict this type of information.  I really believe that Facebook has done this on purpose so *more* information is being shared about you while stating “enhanced” more granular privacy settings.  If you have been to one of my talks in the past I always mention that social networks need to find ways to make money.  The way they make money is off of the information you share!  If you don’t get a choice about the basic information anymore…that’s more money in their pocket at the expense of your privacy.
  
• What about the security ramifications of this? It opens up a whole new world for cyberstalking, predators and other attackers.  If you were someone that didn’t feel comfortable sharing this information in the first place, your choice is gone.  Sure, you can lock down your profile so no one can search for you but if you do that…why are you on Facebook to begin with?  You *have* to let your real friends search for you at some point!
• By default Facebook “suggests” that you set your status updates to “Everyone”.  Here is the thing with status updates….Everyone means everyone on the Internet!  This is where new technology like Google RTS comes into play.  Imagine how easy it will be to find the latest information on “Tiger Woods” or now everything YOU are saying on Facebook, Twitter and other social networks.  Enter in some social engineering and things just got easier for attackers looking to use you or your information (which is easy to figure out now that I can see your friends, and things that interest you via the pages your a fan of).
• Lastly, Facebook removed the ability to prevent Facebook applications your friends installed from pulling your “public” information.  That option is now gone and applications that your friends install can now view your “public” info.  Remember kids, “public” info is now: Your Name, Profile Picture, Gender, Current City, Networks, Friend List, and Pages.

One final note…be sure to double check all your privacy settings after you run the wizard.  I found a few settings that reverted back to settings I never had.  So what are your thoughts?  Will this make you lock your profile down more?  Do you care?  Is privacy dead anyway? Will Zombies destroy us all?

OSINT and Monitoring
After reading this series you are probably asking yourself…what do I do will all of these feeds and information that I have gathered?  Much of the information you have found about your company may be pretty overwhelming and you might find there is a ton of noise to filter through to get to the “good stuff”.  The next sections of this article will hopefully help you organize these feeds so you can begin a basic monitoring program.

What do you want to monitor?
This first thing you want to ask yourself…what do you want to monitor and what is most important?  You probably have noticed that it would be difficult to monitor the entire Internet so focus on what is relevant to your company or business.  Also, you want to pay particular attention to the areas of social media that your business has a presence on.  For example, if your business has a Facebook page, LinkedIn group and Twitter account you should be paying special attention to these first.  Why?  These are the sites that you have most likely allowed certain employees to use this form of media for business purposes.  Lastly, keep in mind that choosing what to monitor should be a group collaborative effort.  Get your marketing and public relations people involved in the decision making process.  As a bonus, it helps with making security everyone’s business.

Free tools to aggregate this information
Lets discuss briefly some tools to aggregate and monitor all the information sources you have decided as important.  There are two tools that I will talk about.  Yahoo! Pipes and RSS readers (specifically Google Reader).

1. Yahoo! Pipes
First, what is Yahoo! Pipes?  The best description is probably found on the Yahoo! Pipes main page:

“Pipes is a powerful composition tool to aggregate, manipulate, and mashup content from around the web.  Like Unix pipes, simple commands can be combined together to create output that meets your needs:

- combine many feeds into one, then sort, filter and translate it.
- geocode your favorite feeds and browse the items on an interactive map.
- grab the output of any Pipes as RSS, JSON, KML, and other formats.

The great thing about pipes is that there are already many different mashups that have already been created!  If you find one that doesn’t do what you like it to…you can simply copy a pipe, modify it and use it as your own.  Creating a pipe is really easy as well.  Yahoo! provides good documentation on their site even with video tutorials if you are lost.  Everything is done in a neat visual “drop-n-drag” GUI environment.  For example, you could take some of the sites that you find a bit more difficult to monitor, configure them in a pipe and send the output to RSS.  Once you have an RSS feed you can plug this into a RSS reader (like Google Reader) for monitoring.  Here are a few of my favorite pipes (pre-built) that can be used for monitoring:

Social Media Firehose
Social Media Monitoring Tool
Aggregate Social Media Feeds by User & Tag
Twitter Sniffer for Brands
Facebook Group RSS Feed, improved version here

2. Google Reader or your favorite RSS reader
The second part of your monitoring toolkit is to put your Yahoo! Pipe RSS feeds and the other feeds you determined as important and put them into the RSS reader of your choice.  I personally like Google Reader because it’s easy to use and manage.  However, you may prefer a desktop client or some other type of reader…all up to you.

What’s easy and works best?
First, assign someone to look at the information you are monitoring.  This should be someone in your information security department and someone with social media skill sets.  Next, create RSS Feeds from identified sites and utilize Yahoo! Pipes to customize and filter out content if you need to.  Finally, plug these feeds into your RSS reader and set up procedures for monitoring.  When will you check these feeds? What happens if the monitoring person is out?  Is there a backup for this person?  These are just a few of the things you need to think about when putting together these procedures.  There may be many more (or less) depending on your business.  Lastly, for sites you can’t monitor automatically determine manual methods and be sure to build procedures around them.

What is the company social media strategy? Do you even have one?
The first thing you need to do before you create policies or standards around what employees can or can’t do on social media/networking sites (related to your business), is to define a social media strategy.  Without a strategy defined it would be nearly impossible to determine a monitoring program without knowing what areas of social media your business is going to participate in.  This is a very important step and is something that your marketing/public relations/HR departments need to determine before security gets involved.

Internet postings or the “social media” policy
What if you have policies for Internet usage already in your company?  If you do, have you checked to see if they include specific things like social networks?  How about commenting on company news or issues on public social networks?  This is an area where many of the “standard” Infosec or HR policies don’t cover or don’t mention procedures about how employees use this new world of social media.  The other important part is that you need to partner with marketing/public relations/HR to collaborate on this policy.  The design and creation needs to have input from all of these areas of the business, especially these groups because they are going to be the main drivers for the use of social media.  Lastly, what is acceptable for employees to post?  Keep in mind that employees have Internet access *everywhere* nowadays.  iPhones, smartphones, Google phones…employees have these and guess what?  They are most likely using them at work.  How do you know that they are not commenting about company confidential business?  With this new generation of devices…the line between personal and company business will continue to blur. Oh, and this is just one simple example!

Examples of good policies to reference
So where do you go from here?  Create the policy!  The last part of this article has examples of good policies that you can reference when creating your own policies.  There is lots of good information in the following links and you can customize these for your own environment and business situation:

Cisco Internet Postings Policy
Intel Social Media Policy
4 Tips for Writing a Good Social Media Policy
10 Steps to Creating a Social Media Policy for your Company

Remember, monitoring the use of social media and creating policies around them is new and potentially uncharted territory for many organizations.  Hopefully with this series (and the related presentation) will help guide you and your organization to make the right decisions on finding information about your company, creating a monitoring program and working with your business partners to create the right policies for your business.

UPDATE: You can download my slide deck now on SlideShare.

Part one of the series discussed ways to gather OSINT on social networks and some of the challenges this creates.  Besides gathering OSINT on social networks there are many more sources of information that company information may be posted on.  These include blogs, message boards and document repositories.  One of the byproducts of finding documents is metadata, which I will explain in more detail below.

OSINT and Blogs
Blogs can be searched via any traditional search engine, however, the challenge with blogs are not necessarily the posts themselves but the comments.  When it comes to blog posts the comments are usually where the action is, especially when it comes to your current and former employees (even customers) commenting on highly sensitive pubic relations issues that a company might be conducting damage control over.  The other point to make about commenting is that employees might be posting things that be violating one of your policies and cause brand reputation problems.  Examples of this are all the countless leaks of profits, downsizing, confidential information and more that the news media reports on.  Wouldn’t be great to be monitoring blogs and their comments to find these things out before they go viral?

Listed below are some of the blog and comment search sites that I recommend you add to your monitoring arsenal which I will talk about creating in part three:

Social Mention http://socialmention.com (has *great* comment search and RSS for monitoring)
Google Blog Search http://blogsearch.google.com (great for creating RSS feeds and very customizable)
Blogpulse http://www.blogpulse.com/ (has comment search)
Technorati http://technorati.com/
IceRocket http://www.icerocket.com/
BackType http://www.backtype.com/ (has comment search)
coComment http://www.cocomment.com/ (has comment search)

OSINT and Message Boards
Message boards have always been a great source of OSINT.  Message boards date back before blogs were popular and are still widely used today.  Because there are so many message boards out there that could contain good OSINT you really need to use message board search engines unless you know about specific message boards that you know your employees use (or could).  Good examples of these are job related message boards like vault.com or Yahoo/Google Finance discussion forums or groups centered around stock trading.

Here is my list of message board search engines and a few that might be more specific for a company:

Google Groups http://groups.google.com/ (always a good choice for creating RSS feeds and very customizable)
Yahoo! Groups http://groups.yahoo.com/
Big Boards http://www.big-boards.com/ (huge list!)
BoardReader http://boardreader.com/ (very good search and RSS feeds of results)
Board Tracker http://boardtracker.com/ (very good search and RSS feeds of results)

More specific:
Craigslist Forums http://www.craigslist.org/about/sites (RSS available)
Vault www.vault.com (job/employee discussions)
Google Finance http://www.google.com/finance (search for company stock symbol and check out the discussions)
XSSed http://www.xssed.com/ (XSS security vulnerabilities)
Full Disclosure Mailing List http://seclists.org/fulldisclosure/ (Security vulnerability disclosure)

Document Repositories
Something that I have seen more of recently are sites called document repositories.  These sites either aggregate documents found from various sources on the Internet or people can upload their own documents and presentations for public sharing purposes.  These sites are probably my favorite since you will find all sorts of interesting information!  Here is my list of favorites:

Docstoc http://www.docstoc.com/
*Really good document search engine.  I wish there was better RSS for it but they have an API in which Yahoo! Pipes could probably be used.

Scribd http://www.scribd.com/ (RSS feed of results)
SlideShare http://www.slideshare.net/ (RSS feed of results)
PDF Search Engine http://www.pdf-search-engine.com/
Toodoc http://www.toodoc.com/

Great! You found documents.  Now what?
Once you find interesting documents be sure to check out the document metadata.  What is metadata? Metadata is simply “data about data”.  Metadata in documents is traditionally used for indexing files as well as finding out information about the document creator and what software was used to create the document.  It goes without saying that document metadata is a treasure trove of information that could be used against your company.  For example, vulnerable versions of software that can be used for client side attacks, OS versions, path disclosure, user id’s and more can all be viewed through document metadata.

There are lots of good tools to pull out metadata from documents and pictures. With some of these tools it’s even possible to write a script to automatically strip metadata from documents and pictures (start with the script Larry Pesce wrote in his SANS paper below).  However, the best method for removing metadata in my opinion is to make sure it’s removed (or limited) in the first place!  If you are creating a new document make sure you are removing it or not allowing the application to save some of the more revealing things like user id’s and OS/version numbers.  If you want more detail on metadata and how to use some of the tools that are available check out the great paper over at the SANS InfoSec Reading Room titled “Document Metadata, the Silent Killer created by Larry Pesce.  Here is a short list of tools I use (or have used) to analyze metadata:

EXIFtool http://www.sno.phy.queensu.ca/~phil/exiftool/ (my personal favorite! The swiss army knife of metadata tools)
Metagoofil http://www.edge-security.com/metagoofil.php
Maltego (built-in metadata transform) http://www.paterva.com/web4/index.php/maltego (another favorite!)
Meta-Extractor http://meta-extractor.sourceforge.net/
FOCA http://www.informatica64.com/foca/

What’s the deal with brand reputation?
One last point I want to make is about brand reputation.  You may ask yourself, how does brand reputation relate to information security? Why should we care?  I have found it interesting that many of us in information security have been asked to do more research on brand reputation issues because no one else in the company had those types of skill sets to monitor information.  Brand reputation is vital to an organization, even more so in this economy.  Think of the CIA triad…Confidentiality, Integrity and Availability.  All three have aspects that reflect brand reputation.  All of us in information security need to be thinking of brand reputation in our daily job.

Next up in part three
In part three I will talk about setting up a simple monitoring program with the sites and tools I have mentioned thus far.  This will include how to start using Yahoo! Pipes to aggregate many of the feeds I talked about.  I will also conclude with information on how to create a Internet Postings Policy or now better known as a Social Media Policy for your company and why this is more important then ever.

Next week I will be speaking at the 7th Annual Ohio Information Security Summit on “Enterprise Open Source Intelligence Gathering”.  Here is the talk abstract:

What does the Internet say about your company?  Do you know what is being posted by your employees, customers, or your competition?  We all know information or intelligence gathering is one of the most important phases of a penetration test.  However, gathering information and intelligence about your own company is even more valuable and can help an organization proactively determine the information that may damage your brand, reputation and help mitigate leakage of confidential information.

This presentation will cover what the risks are to an organization regarding publicly available open source intelligence.  How can your enterprise put an open source intelligence gathering program in place without additional resources or money.  What free tools are available for gathering intelligence including how to find your company information on social networks and how metadata can expose potential vulnerabilities about your company and applications.  Next, we will explore how to get information you may not want posted about your company removed and how sensitive metadata information you may not be aware of can be removed or limited.   Finally, we will discuss how to build a Internet posting policy for your company and why this is more important then ever.

Leading up to my talk at the summit this series of posts will focus on several of the main topics of my presentation.  I plan on referencing these posts during the presentation so attendees can find out more information about a specific topic that will be discussed.  I will touch on the following main points in this series: Part 1 – Gathering intelligence on social networks, Part 2 – Gathering intelligence from blogs/message boards/document repositories, Part 3 – Putting together a simple monitoring program/toolkit and creating a Internet postings (social media) policy for your company.

This first post in the series will focus on gathering intelligence on social networks.  The topic of gathering intelligence from social networks will be looked at in two ways.  First, through the eyes of the penetration tester or attacker.  Second, from a monitoring perspective relative to the enterprise and business.

What is OSINT?
Open Source Intelligence (OSINT) is basically finding publicly available information, analyzing it and then using this information for something.  That something can be extremely valuable from the eyes of an attacker.  For a fantastic overview of how OSINT is used specifically from a penetration testing perspective I suggest you check out the presentation that Chris Gates recently did at BruCON.  Chris goes into detail and provides good examples on how OSINT can be used in gathering intelligence on a network infrastructure as well as how to profile company employees.  All of the techniques Chris talks about should be used in a penetration testing methodology.

Why look for OSINT about your company?
I have found that OSINT is surprisingly often overlooked by most businesses from a security monitoring perspective.  If a company does any monitoring of public information at all it is usually found in your public relations and/or marketing groups.  These groups traditionally don’t look for things that could be used to target or profile an organization.  The same information that is being viewed by your PR/Marketing department needs to be looked at by your in house information security professionals.  Specifically, I suggest people in your information security department with an “attacker mindset” look at this OSINT.  This could be people on an internal penetration testing team or someone involved with the security assessments in your organization.  You should really ask yourself: If you don’t know what information is publicly available about your company…how can you properly defend yourself from attack?

OSINT and Social Networks
Social networks have recently become the 4th most popular method for online communication (even ahead of email) today.  If you are not looking for OSINT on social networks you are potentially missing major and vital pieces of information.  Having said that, searching for OSINT on social networks brings its own challenges and needs to be looked at slightly different then looking at other forms of OSINT.  For example, you might find that searching for information on social networks like Facebook different because there is both private and public information.  Facebook as an example has a built in search feature “behind” a valid login id and password.  Searching Facebook in this manner can yield better results then just going to Google or using a specific social network search engine (I’ll talk more about Facebook below).

1. Social Network Search Engines
There are lots of different search engines that specifically look for “public” information on some of the major social networks.  The disadvantage about these types of search engines is that they only pull public information that can be easily indexed.  Private information like the Facebook example above cannot be indexed without violating the TOS (Terms of Service) even though there are tools like Maltego that can have transforms written to “page scrape” this information (more on that in the Maltego section below). Here is a list of social network search engines that I recommend you check out to search for this type of public information (there are more…this is just the list I use).  While there are other ways to search specific social networks (like search.twitter.com or FriendFeed) the list below just mentions search engines that search multiple networks:

Wink http://wink.com/
Spock http://spock.com (has a search for “private” profile info but is a pay service…haven’t checked that feature out)
Social Mention http://socialmention.com/
WhosTalkin http://www.whostalkin.com/ (this is one of my favorites! Lots of socnets included!)
Samepoint http://www.samepoint.com/
OneRiot http://www.oneriot.com/
Kosmix http://www.kosmix.com/
YackTrack http://www.yacktrack.com
Keotag http://www.keotag.com/
Twoogle http://twoogel.com/ (Google/Twitter search combined)
KnowEm Username Check http://knowem.com/
Firefox Super Search Add-On https://addons.mozilla.org/en-US/firefox/addon/13308 (over 160 search engines built in)

Don’t forget about photo/video social networks and social bookmarking sites:

Pixsy http://www.pixsy.com/
Flickr Photo Search http://www.flickr.com/search/?s=rec&w=all&q=”comapny name”&m=text
YouTube/Google Video Search http://video.google.com/videosearch?q=”company name”
Junoba Social Bookmark Search http://www.junoba.com/ (Digg, Delicious, Reddit, etc..)

Pay Services (might be worth checking out):

Filtrbox http://www.filtrbox.com/
Vocus http://www.vocus.com/

2. Maltego
Maltego goes without saying…it’s probably the best tool to “visually” show you information found on some of the social networks and the relationships that information has connected to it.  I have found that Maltego works well for Twitter, Facebook, LinkedIn and MySpace profiles (publicly available).  The Twitter transforms are probably the highlight since you can dig into conversations as well.  There is also a Facebook transform that was specifically written to search within the Facebook network using a real user account.  However, this transform doesn’t work anymore due to recent structural changes to the way Facebook HTML was coded.  Note that this transform violates Facebook TOS since it did screen scraping but when it did work it was a great way to search status and group updates not available to public search engines!  If anyone wants to help get this transform working again there is a thread on the Maltego forum about it.

Lastly, if you want more information on Maltego and how to use it I suggest checking out the work Chris Gates has done in his Maltego tutorials here and here to learn more.  Keep in mind.  Maltego works great for finding information if you need it for a specific scope, like a pentest.  Maltego even works great if you need to dig a little deeper into something you find on a social network.  In terms of automating a monitoring process, I suggest using Google dorks, Yahoo Pipes!, and other techniques which we will talk about here and in future posts.

3. Google Dorks (Facebook, MySpace, LinkedIn)
While you can just simply type in your company name into Google and see what comes up…It’s way easier to use a little Google dork action to search for information on specific social networks.  As I stated before, this will only pull publicly available information but you might be surprised what you find about your company just in these searches!  Simply paste these into the Google search bar/window.  Note: change “bank of america” to whatever you like…not picking on bofa but there is a ton of information about them on social networks!

Facebook Dorks
Group Search: site:facebook.com inurl:group (bofa | “bank of america”)
Group Wall Posts Search: site:facebook.com inurl:wall (bofa | “bank of america”)
Pages Search: site:facebook.com inurl:pages (bofa | “bank of america”)
Public Profiles: allinurl: people “John Doe” site:facebook.com

*To search personal profile status updates (unless they were made public wall posts via pages or groups) you need to be logged into Facebook and use the internal Facebook search engine.  Setting your status updates privacy settings to “Everyone” is actually everyone in Facebook.  Rumor has it that next year “Everyone” will mean everyone on the Internet! FTW!

MySpace Dorks
Profiles: site:myspace.com inurl:profile (bofa | “bank of america”)
Blogs: site:myspace.com inurl:blogs (bofa | “bank of america”)
Videos: site:myspace.com inurl:vids (bofa | “bank of america”)
Jobs: site:myspace.com inurl:jobs (bofa | “bank of america”)

LinkedIn Dorks
Public Profiles: site:linkedin.com inurl:pub (bofa | “bank of america”)
Updated Profiles: site:linkedin.com inurl:updates (bofa | “bank of america”)
Company Profiles: site:linkedin.com inurl:companies (bofa | “bank of america”)

While these are Google dorks from the top three social networks (Twitter actually has a really good search engine, search.twitter.com, which I don’t think needs explaining), you can easily modify these for your own use and even include more advanced search operators to include or exclude additional queries.  The point of using Google dorks is to make it easier to quickly search for information on social networks without going to each site individually.  Still, with most social networks if you want to find private information you either need to login as a user or use some social engineering get the information you want.

What’s next?
In part three of this series I will talk about how to use Google dorks and various search queries for monitoring purposes.  Once you have the dorks you want to query, it’s trivial to plug these into Google Alerts to create RSS feeds.  Take your feeds and plug them into your favorite RSS reader and you have a simple monitoring tool.  More on this in part 3 including a section on aggregating this type of into and customizing it via Yahoo! Pipes which I like to think as the preferred and most customizable method for monitoring social networks.

Next up…in part 2 I will talk about how to find company information on blogs, message boards and document repositories.  Oh, and sprinkle a little bit of metadata into the mix as well.

In addition, at the top of the page are links to downloadable guides, presentations, video’s and more.  All of this content is related to user education and awareness on social media security issues.  This is obviously a work in progress and I plan to have more content added to this very soon.  One thing I am working on that I wanted to get out before my talk at DefCon was a detailed walk-through video of the Facebook Privacy Settings (basically a walk-through of my guide).  I haven’t finished the video yet and I might have to redo it since Facebook will be releasing a new interface for privacy settings in the near future.  The plan is to do one for each of the major social networking sites as well as a downloadable guide like the Facebook one.

So…you can also concider this a call for volunteers!   If you would like to contribute anything (guides, videos, research, tools, blog on the site) or have feedback let me know by sending me an email (tom[aT]spylogic.net).  There are a few other researchers and volunteers working on some really cool stuff for the web site.  Far too many ignore the security and privacy issues of social media.  We welcome your participation to help make a difference!

I highly recommend you check out some of the great things that Scott Wright has put together. He has built a security community focused on security awareness for businesses and you may also know Scott as the creator of the Honey Stick Project. Good stuff to check out! I look forward to working with Scott more in the future.

You can check out the Streetwise Security Zone web site and podcast for more information. Definitely another security podcast to add to your play list!