Category Archives: Hacking

Social Zombies Slides and DEFCON Updates

Filed under Hacking, Social Networks

Kevin and I want to thank everyone that came out to our talk at DEFCON 17 this past weekend. We had a great time giving the talk, and thanks for the feedback! Even the two Facebook developers that came to our Q&A enjoyed it! Having said that, Kevin and I will never, ever get a Facebook party invite while at Black Hat and/or DEFCON. Oh well! At least @dualcoremusic got to play live! 🙂

You can download the slide deck from SlideShare that was on the DEFCON 17 CD. We plan on giving the talk a few more times in the next few months, so we don’t plan to release the full version of the slide deck yet. However, we will post the video as soon as we get it. The slides on the DEFCON CD are mostly text…no cool Zombie graphics (thanks to @JaneDelay for the Photoshop work, BTW), but they should give you a good overview of the talk.

Robin Wood’s fantastic tool KreiosC2 was also released during our talk. I did a demo, which is posted here, and talked a lot about how the PoC code functions. If you don’t know already, KreiosC2 is a tool written in Ruby which allows IRC-like command and control of systems over Twitter. Very cool! Also, check out the redesign of Robin’s website. Awesome. Make sure you follow Robin on Twitter! He is one you need to follow!

DEFCON was awesome as usual! Lots of people this year…perhaps an increase from last year, and of course the usual hijinks. It was awesome catching up with everyone and meeting new people. I attended lots of great talks, including “DEFCON Security Jam 2: The Fails Keep on Coming”. This is one you should see the video for…especially the presentations by @haxorthematrix and @myrcurial. Speaking of @myrcurial…you really need to see the awesome yet scary presentation that @myrcurial and @TiffanyRad did on Sunday titled “Your Mind: Legal Status, Rights and Securing Yourself”. I highly recommend this talk!

The podcasters meetup was also a success!  Thanks to @pauldotcom for hosting and for throwing such an awesome party this year and a shout out to the guys over at!  The audio will be posted soon, probably over at the Security Justice site.

Pictures will be posted soon!  Still trying to recover from Vegas!

Social Zombies Invade Las Vegas!

Filed under Hacking, Social Networks

Yes, you are reading the title of this post correctly! Massive Zombie attacks at DefCon this year…bring your shotgun (we are kidding of course, please do not bring firearms to DefCon…you will make the goons very unhappy)! Seriously though, Kevin Johnson and I will be presenting “Social Zombies: Your Friends Want to Eat Your Brains” at DefCon 17 in Las Vegas on Sunday, August 2nd at 4pm.

My part of the talk is focused on security and privacy concerns with social networks, fake accounts, using social networks for penetration testing, and the proliferation of bots on social networks. I will also be talking about a new version of Robin Wood’s fantastic “Twitterbot” (we actually have a new name for the tool, which will be announced at DefCon). I’ll be providing a live demo showing the new and improved features of his tool! Big shoutout to Robin for all the work he did on this tool!

The other speaker is Kevin Johnson, who you may know as the project lead for BASE and SamuraiWTF (Web Testing Framework). Kevin is also a SANS instructor for Security 542 (Web App Penetration Testing and Ethical Hacking). When he isn’t managing projects and teaching he’s most likely abusing “playing with” social networks. Kevin will be talking about SocialButterfly, which is an application that can leverage and exploit various social network APIs. He will also talk about manipulating social networks (and their users) with third-party applications. Remember: please accept any and all “friend requests” from Kevin Johnson! 🙂

From our talk abstract:

In Social Zombies: Your Friends Want to Eat Your Brains, Tom Eston and Kevin Johnson explore the various concerns related to malware delivery through social network sites. Ignoring the FUD and confusion being sown today, this presentation will examine the risks and then present tools that can be used to exploit these issues.

This presentation begins by discussing how social networks work and the various privacy and security concerns that are caused by the trust mass that is social networks. We use this privacy confusion to exploit members and their companies during our penetration tests.

The presentation then discusses typical botnets and bot programs. Both the delivery of this malware through social networks and the use of these social networks as command and control channels will be examined.

Tom and Kevin next explore the use of browser-based bots and their delivery through custom social network applications and content. This research expands upon previous work by researchers such as Wade Alcorn and GNUCitizen and takes it into new C&C directions.

Finally, the information available through the social network APIs is explored using the bot delivery applications. This allows for complete coverage of the targets and their information.
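As an added example (not code from the talk, from KreiosC2, or from SocialButterfly), here is the defender’s side of the command-and-control point in the abstract above: a bot that polls a social network account for its orders tends to do so on a fixed timer, and that regularity stands out in web proxy logs even though the destination is a site everyone visits. The log lines, client addresses, paths and the WATCHED_HOSTS list below are constructed for the example.

```python
# Added example: flag clients whose requests to a social-network API arrive at
# near-identical intervals, the beaconing pattern a bot polling its C2 channel
# produces. Log format, hosts and addresses are constructed for illustration.
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: "<iso timestamp> <client> <host> <path>" per line.
# 10.0.0.5 polls one timeline every 60 s; 10.0.0.9 is a human browsing.
SAMPLE_LOG = """\
2009-08-03T10:00:00 10.0.0.5 twitter.com /statuses/user_timeline/c2acct.json
2009-08-03T10:01:00 10.0.0.5 twitter.com /statuses/user_timeline/c2acct.json
2009-08-03T10:02:00 10.0.0.5 twitter.com /statuses/user_timeline/c2acct.json
2009-08-03T10:03:00 10.0.0.5 twitter.com /statuses/user_timeline/c2acct.json
2009-08-03T10:04:00 10.0.0.5 twitter.com /statuses/user_timeline/c2acct.json
2009-08-03T10:00:12 10.0.0.9 twitter.com /home
2009-08-03T10:07:45 10.0.0.9 twitter.com /statuses/update.json
2009-08-03T10:23:03 10.0.0.9 twitter.com /home
2009-08-03T11:02:30 10.0.0.9 twitter.com /home
2009-08-03T10:05:00 10.0.0.9 www.example.com /index.html
"""

# Assumed list of social-network hosts worth watching (extend for your network).
WATCHED_HOSTS = {"twitter.com", "api.twitter.com"}


def parse_log(text):
    """Yield (timestamp, client, host, path) for each line of the constructed format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, path = line.split()
        yield datetime.fromisoformat(ts), client, host, path


def beacon_score(timestamps):
    """Return (mean gap in seconds, coefficient of variation) for sorted timestamps.

    A low coefficient of variation means the gaps are nearly identical, which is
    what a timer produces and what a person clicking around does not.
    Returns None when there are too few gaps to judge.
    """
    gaps = [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]
    if len(gaps) < 2:
        return None
    avg = mean(gaps)
    if avg == 0:
        return None
    return avg, pstdev(gaps) / avg


def find_beacons(text, min_requests=4, max_cv=0.2):
    """Return {client: (mean_gap, cv)} for clients whose requests to WATCHED_HOSTS
    look like fixed-interval polling."""
    per_client = defaultdict(list)
    for ts, client, host, _path in parse_log(text):
        if host in WATCHED_HOSTS:
            per_client[client].append(ts)

    hits = {}
    for client, stamps in per_client.items():
        if len(stamps) < min_requests:
            continue
        score = beacon_score(sorted(stamps))
        if score is not None and score[1] <= max_cv:
            hits[client] = score
    return hits


if __name__ == "__main__":
    for client, (gap, cv) in find_beacons(SAMPLE_LOG).items():
        print(f"{client}: polls every ~{gap:.0f}s (cv={cv:.2f})")
```

Running it flags only 10.0.0.5, whose five requests are exactly a minute apart, while 10.0.0.9’s irregular browsing passes. The thresholds are a starting point, not a verdict: a bot that adds jitter to its sleep or polls via a real browser session will raise the coefficient of variation, so pair this with a look at what the flagged client actually fetches (the same single timeline, over and over, with no other page views).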

How did this talk come together? Kevin and I had some past conversations regarding social network bots (mostly from my Notacon 6 talk) and decided that much of our research was similar, so it made sense to “combine forces” to work on some of this research together. Also, by working on bots and socnet bot delivery mechanisms we hope to raise awareness about some of the security and privacy threats that are out there, not just for the users of social networks. Oh, and we both like Zombies. See you at DefCon!

What to attend at ShmooCon 2009

Filed under Hacking

I’m here in DC getting ready for ShmooCon which starts tomorrow. I had some time to blog before things get crazy later tonight when everyone starts to arrive for the con.

UPDATE: Ummm…someone *may* have hacked the Windows kiosks at the hotel…saw Ubuntu loading on one and Howard the Duck playing on another…probably shouldn’t use those kiosks, huh?

Anyway, I thought I would share some first impressions of the talks and what I will probably attend. Keep in mind, there are lots of great talks going on all weekend and it will be really hard to make all the ones I want to see but here is my short list of not to miss talks:

Friday, February 6th

Open Vulture – Scavenging the Friendly Skies Open Source UAV Platform
Ethan O’Toole and Matt Davis

An open source UAV? How friggin’ sweet is that? Now you too can spy on your own neighborhood… 🙂

Building the 2008 and 2009 ShmooBall Launchers
Larry Pesce and David Lauer

Of course I will be in this one! Dave from Security Justice and Larry from PaulDotCom will be talking all about the new ShmooBall launchers for this year. Dave and Larry never disappoint and I assume there will be some surprises as well.

Decoding the SmartKey
Shane Lawson

I love physical security just about as much as information security so this one should be interesting. Shane will talk about how to decode the Kwikset SmartKey with materials costing under $5.

Podcasters Meetup/HacDC party

I will be there along with Matt and Dave from Security Justice. Looks like we are going to do a live show at 8pm, give away some prizes, start FireTalks then party with the folks from HacDC. Check out the podcasters meetup site for more details on times and official schedule.

Saturday, February 7th

Radio Reconnaissance in Penetration Testing – All Your RF Are Belong to Us
Matt Neely

My friend and fellow co-host of the Security Justice podcast, Matt Neely is doing a talk on ways to use radio reconnaissance in pentests. Matt does a ton of research with wireless so it should be really interesting to see what new techniques he has come up with. I hear that Shmoo Balls may be launched during this talk…. 🙂

Fail 2.0: Further Musings on Attacking Social Networks
Nathan Hamiel and Shawn Moyer

I was at BlackHat last year and saw Nathan and Shawn’s talk titled “Satan is on my friends list”. These guys do great research on social network security and I am looking forward to see the new stuff they came up with for this year. As a bonus, they should have AFF (Adult Friend Finder) pr0n and related adventures. 😉

Man in the Middling Everything with The Middler
Jay Beale

Jay Beale is speaking once again about the Middler! You may remember the Middler was to be released at Defcon last year…that didn’t happen for a bunch of reasons. However, I think Jay will finally be ready to release it! Jay is a great presenter to boot…highly recommended you attend this one. Another talk to beware of Shmoo Ball cannon fire…

802.11 ObgYn or “Spread Your Spectrum”
Rick Farina

All Your Packets are Belong To Us: Attacking Backbone Technologies
Enno Rey and Daniel Mende

The Fast-Track Suite: Advanced Penetration Techniques Made Easy
David Kennedy

You may remember Dave from one of the first Security Justice Special Editions last year. Dave will be going in depth with the Fast-Track suite which is part of Backtrack 3. Knowing Dave, I’m sure he will be talking about and/or demoing new features in Backtrack 4. Shmoo Ball cannon may make an appearance…

Sunday, February 8th

Enough with the Insanity: Dictionary Based Rainbow Tables
Matt Weir

Yes! Improvements to rainbow tables…can’t wait!

RFID Unplugged
3ric Johanson

Looks like RFID is going to be torn apart in this one…good stuff! Interested in the PayPass vulnerabilities he is going to talk about.

0wn the Con
The Shmoo Group

Want to know what it takes to put ShmooCon together? Be sure to check out this talk and learn how it’s all done.

If you are around the con send me a tweet on Twitter or stop by the Podcasters Meetup if you want to chat! Hoping I can blog and/or live Tweet from some of the talks.