Continuing the zombie apocalypse from Defcon…Kevin Johnson and I will again be presenting “Social Zombies: Your Friends Want to Eat Your Brains” at this week’s OWASP AppSec DC conference. We will be speaking Thursday, November 12th at 2:10 in room 146c. We will have some new material and updates from the presentation we gave at Defcon 17 this year, including the release of a new version of Robin Wood’s KreiosC2 (beyond Twitter for C&C). If you’re going to the conference we hope to see you there!
Tag Archives: socnetsec
The video from the talk Kevin Johnson and I did at DEFCON 17 called “Social Zombies: Your Friends Want To Eat Your Brains” is now up on Vimeo. If you missed us at DEFCON Kevin and I will be presenting an updated version at OWASP AppSec DC in November.
Kevin and I want to thank everyone that came out to our talk at DEFCON 17 this past weekend. We had a great time giving the talk and thanks for the feedback! Even the two Facebook developers that came to our Q&A enjoyed it! Having said that, Kevin and I will never, ever get a Facebook party invite while at Black Hat and/or DEFCON. Oh well! At least @dualcoremusic got to play live!
You can download the slide deck from SlideShare that was on the DEFCON 17 CD. We plan on giving the talk a few more times in the next few months so we don’t plan to release the full version of the slide deck yet. However, we will post the video as soon as we get it. The slides on the DEFCON CD are mostly text…no cool Zombie graphics (thanks to @JaneDelay for the Photoshop work BTW) but it should give you a good overview of the talk.
Robin Wood’s fantastic tool called KreiosC2 was also released during our talk. I did a demo which is posted here and talked a lot about how the PoC code functions. If you don’t know already…KreiosC2 is a tool written in Ruby which allows IRC-like command and control of systems over Twitter. Very cool! Also, check out the redesign of Robin’s website. Awesome. Make sure you follow Robin on Twitter! He is one you need to follow!
DEFCON was awesome as usual! Lots of people this year…perhaps an increase from last year and of course the usual hijinks. It was awesome catching up with everyone and meeting new people. I attended lots of great talks including the “DEFCON Security Jam 2: The Fails Keep on Coming“. This was one that you should see the video for…especially the presentations by @haxorthematrix and @myrcurial. Speaking of @myrcurial…you really need to see the awesome yet scary presentation that @myrcurial and @TiffanyRad did on Sunday titled “Your Mind: Legal Status, Rights and Securing Yourself“. I highly recommend this talk!
The podcasters meetup was also a success! Thanks to @pauldotcom for hosting and for throwing such an awesome party this year and a shout out to the guys over at I-Hacked.com! The audio will be posted soon, probably over at the Security Justice site.
Pictures will be posted soon! Still trying to recover from Vegas!
I wanted to get this post up before I leave for DefCon since it will be hard to have time to blog in Vegas. In a nutshell, I started a new web site called socialmediasecurity.com. This was originally a project that I started to move my social media research over to a separate web site but has since evolved into something much larger. What I have done is consolidated (with permission) research from other security researchers such as Aviv Raff, Joseph Bonneau, Kevin Johnson, Nathan Hamiel, Scott Wright, theharmonyguy and more. Each article links back to the original author. The purpose of this was to have an easy way to search on a specific topic or social network (for example: Twitter) and get the security information you are looking for. You can subscribe to post updates via RSS, Email or through Twitter.
In addition, at the top of the page are links to downloadable guides, presentations, videos and more. All of this content is related to user education and awareness on social media security issues. This is obviously a work in progress and I plan to have more content added to this very soon. One thing I am working on that I wanted to get out before my talk at DefCon was a detailed walk-through video of the Facebook Privacy Settings (basically a walk-through of my guide). I haven’t finished the video yet and I might have to redo it since Facebook will be releasing a new interface for privacy settings in the near future. The plan is to do one for each of the major social networking sites as well as a downloadable guide like the Facebook one.
So…you can also consider this a call for volunteers! :) If you would like to contribute anything (guides, videos, research, tools, blog on the site) or have feedback let me know by sending me an email (tom[aT]spylogic.net). There are a few other researchers and volunteers working on some really cool stuff for the web site. Far too many ignore the security and privacy issues of social media. We welcome your participation to help make a difference!
One of the trending topics today on Twitter was “Twitviewer” because of a site called Twitviewer[d0t]net which asks visitors to enter their Twitter user id and password to find out who is “stalking” them. When you do, you get a sample of people on Twitter that are not even following you, as stated in this Mashable post. The app also sends out a tweet using your credentials stating: “Want to know whos stalking you on twitter!?: hxxp://TwitViewer[d0t]net”. If you did fall victim to this you had better change your password ASAP! Check out the screenshot of the site before it was taken down…yeah, phishy indeed.
Who knows what the developers of this application were planning (malicious or otherwise). Regardless, you should never give a third-party site (especially ones that look as phishy as this one) your Twitter credentials. In fact, I recommend you only use third-party Twitter sites that use OAuth for authenticating you to Twitter. That way you don’t have to give your credentials to the web site and worry about them being compromised: the site gets a token scoped to that one application, which you can revoke from your Twitter settings without changing your password. Also, look to see what the purpose of the site is before you give the jewels away…if it’s a way to see who’s following you, enter credentials to get millions of followers, etc…then it’s probably a scam or just completely useless.
Think about this. If the developer of a site like this wanted to, they could easily take your captured Twitter credentials and start trying them on other social networks and/or web mail services. They can then use these credentials for anything else they wanted. Unfortunately, most users of these sites use the same password for everything. Again, this is a reminder to use a password manager if you are one of those that use the same user id/password for everything. See this article for more information on password managers and social media web sites.
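To make the OAuth point concrete, here is an added example (written for this post, not Twitter’s code or any real client’s) of what an OAuth 1.0a client actually sends. The client holds a consumer secret for the application and a token secret issued for one user; every request is signed with HMAC-SHA1 over those two secrets, and the user’s password is never part of the computation. The sample credentials and parameters are the example values published in OAuth Core 1.0, Appendix A, not a live account; the `valid?` check is a stand-in for what the provider does on receipt.

```ruby
require 'openssl'

# OAuth 1.0a (RFC 5849) HMAC-SHA1 request signing. Added example: an OAuth
# client holds an access token and token secret issued for that one
# application, signs each request with them and never touches the user's
# password, so the user can revoke the token without a password change.
# This is not Twitter's or any real client's code.
module OAuth1Example
  module_function

  # Percent-encoding as OAuth requires it (RFC 3986): only ALPHA, DIGIT,
  # '-', '.', '_' and '~' stay literal; a space becomes %20, never '+'.
  def encode(value)
    value.to_s.gsub(/[^a-zA-Z0-9\-._~]/) do |ch|
      ch.bytes.map { |b| format('%%%02X', b) }.join
    end
  end

  # Signature base string: METHOD & encode(base URL) & encode(normalised params).
  # Every query, body and oauth_* parameter except oauth_signature is encoded,
  # sorted by key then value, and joined as key=value pairs with '&'.
  def base_string(method, url, params)
    normalized = params.reject { |k, _| k == 'oauth_signature' }
                       .map { |k, v| [encode(k), encode(v)] }
                       .sort
                       .map { |k, v| "#{k}=#{v}" }
                       .join('&')
    [method.upcase, encode(url), encode(normalized)].join('&')
  end

  # Signing key: encode(consumer secret) & encode(token secret). No password.
  def signing_key(consumer_secret, token_secret)
    "#{encode(consumer_secret)}&#{encode(token_secret)}"
  end

  def sign(method, url, params, consumer_secret, token_secret)
    digest = OpenSSL::HMAC.digest('sha1', signing_key(consumer_secret, token_secret),
                                  base_string(method, url, params))
    [digest].pack('m0') # strict Base64 without a trailing newline
  end

  # Provider side: recompute the signature and compare in constant time.
  def valid?(method, url, params, consumer_secret, token_secret)
    presented = params.fetch('oauth_signature', '')
    expected = sign(method, url, params, consumer_secret, token_secret)
    presented.bytesize == expected.bytesize &&
      presented.bytes.zip(expected.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Sample values from OAuth Core 1.0, Appendix A (example credentials, not a
  # live account). A real client generates a fresh nonce and timestamp per request.
  CONSUMER_SECRET = 'kd94hf93k423kf44'
  TOKEN_SECRET = 'pfkkdhi9sl3r4s00'
  URL = 'http://photos.example.net/photos'

  def example_params
    {
      'file' => 'vacation.jpg',
      'size' => 'original',
      'oauth_consumer_key' => 'dpf43f3p2l4k3l03',
      'oauth_token' => 'nnch734d00sl2jdk',
      'oauth_signature_method' => 'HMAC-SHA1',
      'oauth_timestamp' => '1191242096',
      'oauth_nonce' => 'kllo9940pd9333jh',
      'oauth_version' => '1.0'
    }
  end

  # The request as the client would send it: params plus oauth_signature.
  def signed_example
    params = example_params
    params['oauth_signature'] = sign('GET', URL, params, CONSUMER_SECRET, TOKEN_SECRET)
    params
  end
end

if __FILE__ == $PROGRAM_NAME
  req = OAuth1Example.signed_example
  puts OAuth1Example.base_string('GET', OAuth1Example::URL, req)
  puts "oauth_signature=#{req['oauth_signature']}"
end
```

Two things worth noticing when you run it: the base string contains the token (`oauth_token=nnch734d00sl2jdk`) but nothing that looks like a password, and changing either secret or any parameter makes `valid?` fail, which is why a leaked OAuth token is contained to one application and one account rather than to every site where the password was reused.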
Yes, you are reading the title of this post correctly! Massive Zombie attacks at DefCon this year…bring your shotgun (we are kidding of course, please do not bring firearms to DefCon…you will make the goons very unhappy)! Seriously though, Kevin Johnson and I will be presenting “Social Zombies: Your Friends Want to Eat Your Brains” at DefCon 17 in Las Vegas on Sunday, August 2nd at 4pm.
My part of the talk is focused on security and privacy concerns with social networks, fake accounts, using social networks for penetration testing and the proliferation of bots on social networks. I will also be talking about a new version of Robin Wood’s fantastic “Twitterbot” (we actually have a new name for the tool which will be announced at DefCon). I’ll be providing a live demo showing the new and improved features of his tool! Big shoutout to Robin for all the work he did on this tool!
The other speaker is Kevin Johnson who you may know as the project lead for BASE and SamuraiWTF (Web Testing Framework). Kevin is also a SANS instructor for Security 542 (Web App Penetration Testing and Ethical Hacking). When he isn’t managing projects and teaching he’s most likely abusing “playing with” social networks. Kevin will be talking about SocialButterfly which is an application that can leverage and exploit various social network APIs. He will also talk about manipulating social networks (and their users) with third-party applications. Remember: please accept any and all “friend requests” from Kevin Johnson!
From our talk abstract:
In Social Zombies: Your Friends want to eat Your Brains, Tom Eston and Kevin Johnson explore the various concerns related to malware delivery through social network sites. Ignoring the FUD and confusion being sowed today, this presentation will examine the risks and then present tools that can be used to exploit these issues.
This presentation begins by discussing how social networks work and the various privacy and security concerns that are caused by the mass of trust that social networks are built on. We use this privacy confusion to exploit members and their companies during our penetration tests.
The presentation then discusses typical botnets and bot programs. Both the delivery of this malware through social networks and the use of these social networks as command and control channels will be examined.
Tom and Kevin next explore the use of browser-based bots and their delivery through custom social network applications and content. This research expands upon previous work by researchers such as Wade Alcorn and GNUCitizen and takes it into new C&C directions.
Finally, the information available through the social network APIs is explored using the bot delivery applications. This allows for complete coverage of the targets and their information.
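The abstract’s point about social networks as command and control channels, and the KreiosC2 description above (IRC-like C&C over Twitter), are easier to reason about with a concrete message format in front of you. The following is an added toy example written for this post. It is not KreiosC2’s wire format or any real bot’s code: the `#sz` tag, the field layout, the truncated HMAC and the sequence numbering are all assumptions made for the illustration. It shows both sides of the exchange, the controller composing a tweet and the bot filtering its timeline, and the two checks a bot author needs so that anyone can post to the account without hijacking the bots (a MAC under a shared key) and so that an old tweet cannot be replayed (a monotonic sequence number).

```ruby
require 'openssl'

# Toy "IRC over a microblog" command channel, added to show the shape of the
# C&C pattern the talk describes. NOT KreiosC2's wire format: the tag, field
# layout, truncated HMAC and sequence numbering are assumptions for this example.
module MicroblogC2
  TAG = '#sz'      # hypothetical marker the bot filters its timeline on
  MAX_LEN = 140    # tweet limit at the time of the talk

  module_function

  # Truncated HMAC-SHA256 over "seq command" under the shared key.
  def mac_for(seq, command, key)
    OpenSSL::HMAC.hexdigest('sha256', key, "#{seq} #{command}")[0, 16]
  end

  # Controller side: one command per tweet, carrying a sequence number and a
  # MAC so bots ignore tweets from anyone who does not hold the shared key.
  def encode_command(seq, command, key)
    tweet = "#{TAG} #{seq} #{command} #{mac_for(seq, command, key)}"
    raise ArgumentError, 'command does not fit in one tweet' if tweet.length > MAX_LEN
    tweet
  end

  # Bot side: returns [seq, command] for a genuine, fresh command, else nil.
  # Drops ordinary chatter (no tag), malformed or forged tweets (bad MAC)
  # and replays (sequence number not greater than the last accepted one).
  def decode_command(tweet, key, last_seq)
    return nil unless tweet.start_with?("#{TAG} ")
    m = tweet[(TAG.length + 1)..-1].match(/\A(\d+) (.+) ([0-9a-f]{16})\z/m)
    return nil unless m
    seq, command, mac = m[1].to_i, m[2], m[3]
    return nil unless seq > last_seq
    return nil unless secure_equal?(mac, mac_for(seq, command, key))
    [seq, command]
  end

  # Constant-time string comparison so MAC checking does not leak by timing.
  def secure_equal?(a, b)
    a.bytesize == b.bytesize &&
      a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Bot poll loop over a timeline snapshot (oldest first); returns the
  # accepted commands in order and the new sequence high-water mark.
  def process_timeline(tweets, key, last_seq = 0)
    accepted = []
    tweets.each do |t|
      result = decode_command(t, key, last_seq)
      next unless result
      last_seq, command = result
      accepted << command
    end
    [accepted, last_seq]
  end

  # Constructed sample timeline (not real tweets): two genuine commands,
  # unrelated chatter, a forgery by someone without the key, and a replay.
  def sample_timeline(key)
    first = encode_command(1, 'ping', key)
    second = encode_command(2, 'sleep 60', key)
    [first, 'lunch was great today', second, "#{TAG} 3 ping 0123456789abcdef", first]
  end
end

if __FILE__ == $PROGRAM_NAME
  key = 'constructed-shared-key'
  commands, high = MicroblogC2.process_timeline(MicroblogC2.sample_timeline(key), key)
  puts "accepted: #{commands.inspect} (last seq #{high})"
end
```

Running it against the constructed timeline accepts `ping` and `sleep 60` and silently drops the chatter, the forged tweet and the replay. The defender’s side of this is the uncomfortable part the talk is getting at: on the wire, the bot’s polling is just HTTPS to a social network that the rest of the office uses all day, so the only thing left to key on is the content pattern itself (a fixed tag, a counter and a hex blob in every post from one account), which is exactly the sort of structure a real tool can vary.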
How did this talk come together? Kevin and I had some past conversations regarding social network bots (mostly from my Notacon 6 talk) and decided that much of our research was similar, so it made sense to “combine forces” to work on some of this research together. Also, by working on bots and socnet bot delivery mechanisms we hope to raise awareness about some of the security and privacy threats that are out there, not just for the users of social networks. Oh, and we both like Zombies. See you at DefCon!