Tag Archives: informationgathering

Two New Social Media Security White Papers Released

Filed under Social Networks
Tagged as , , , , , , , , , ,

My employer (SecureState) has released two white papers as part of our Social Media Security Awareness Month.  You can also download some cool wallpaper for this month created by Rob our graphic designer (see the picture on the right).  🙂

First is some research several of my colleagues and I worked on.  The paper is titled: “Profiling User Passwords on Social Networks”.  The paper discusses the password problem that we all know and love as well as how you can determine passwords by what individuals post on their profiles.  We dive into tools from Robin Wood, Mark Baggett and others that can be used to pull keywords from profiles and other sources to create wordlists.  These wordlists can be used for brute force attacks on user accounts.  Next, we look at password complexity of several popular social networks with some research around brute force controls that some of the social networks have implemented, or in some cases haven’t.  Lastly, we discuss some things that users of social networks can do when choosing passwords.  You can download my paper here.

The other paper released is titled: “Security Gaps in Social Media Websites for Children Open Door to Attackers Aiming To Prey On Children” by my colleague Scott White.  In his paper he looks at the security of social media websites specifically designed for children.  This is some very detailed research and sheds some light on how predators are using these sites to target children as well as some issues that are unique to these types of social media websites.  You can download Scott’s paper here.

Speaking of social media…I’ll be presenting “Social Impact: Risks and Rewards of Social Media” at the Information Security Summit this Friday at 10am.  I’ll have the slide deck posted shortly after the conference.

Overview and Review of Maltego 3

Filed under Penetration Testing
Tagged as , , , ,

A few weeks ago the fine folks over at Paterva released the next version of their information gathering tool, Maltego 3.  Ever since day one of the product I’ve been a huge fan and have used it in multiple penetration tests and various reconnaissance activities.  I know I’m not alone as many of you in the security community use Maltego and also see the value that it brings.  Maltego 3 is no different.  However: it’s faster, more feature rich and has a damn sexy UI.  I won’t go into a ton of detail in this post but I want to highlight some of the awesome changes that I’ve noticed.

Setup and UI
The first thing you will notice is the startup wizard (Figure 1) that walks you though setting up your license and updating the TAS to download new transforms.  The wizard is a welcome addition especially for new users.

Figure 1. The Maltego 3 startup wizard.

You will notice that the transform manager itself has also gotten a face lift with a column showing you if a disclaimer is required or not (Figure 2).

Figure 2. The transform manager now shows you which transforms have a disclaimer or not.

Another noticeable change is the UI.  It’s sleek and sexy.  I also like how the main menu is grouped into two tabs: Investigate and Manage (Figures 3 and 4).  The Paterva team did a great job grouping items so its easy to select what you need.

Figure 3. Menu items are grouped into two tabs now.  Items are much easier to select.  This is the “Manage” tab.

Figure 4. The “Investigate” tab.

Back to the main UI.  Adding objects is similar to before but it’s faster and more responsive.  Figure 5 is a screen shot of the entire UI.

Figure 5. Simple Twitter search using the new Maltego 3 UI.

Entities connected to each other are easier to view.  When arrows connect to entities they move around other objects. (Figure 6).

Figure 6. Maltego 3 offers some nice UI improvements when moving entities around the screen.

Site Links and Entity Listings
Two other items I want to mention are some improvements on how links to and from a site are shown and the entity listing feature.  The site links transform rocks.  You can now see incoming and outgoing links to a website entity.

Figure 7. Links in and out of a website are easy to obtain in Maltego 3.

Lastly, I found the entity listing view most helpful.  This allows you to search and sort all the entities in your Maltego UI into a nice easy to view list (Figure 8).  Also, the dynamic view is pretty sweet as well.

Figure 8.  The entity list view provides a great way to search for things within the UI.

You can get the commercial version of Maltego now and the Community Edition is right around the corner.  Version 2 users can also use your same license key with Maltego 3.  Win!  Also, if your hesitant about buying a commercial product like this, don’t be.  Maltego is quite affordable for all the power you get and well worth it.  Reconnaissance is fun again! 🙂  More information about Maltego 3 is here.

Privacy and Security of Open Graph, Social Plugins and Instant Personalization on Facebook

Filed under Social Networks
Tagged as , , , , , , ,

As most major news organizations and blogs have covered the changes that Facebook has made from a high level, I wanted to focus this post specifically on Facebook’s “Open Graph”, “Social Plugins” and “Instant Personalization”.  In my opinion, these are three changes that will significantly impact the way you and your friends use Facebook.  As I usually do, I will provide a point of view from the eyes of an attacker.  As we all know, its only a matter of time before these new features begin to be abused by attackers.

Open Graph
The first significant change is Facebook’s “Open Graph”.  Open Graph is a significant departure from Facebook’s previous data connection strategy which used to be centered around Facebook Connect.  All of that is gone and replaced with Open Graph.  Open Graph basically allows partner websites and Facebook applications to share your public information and the public information of your friends with each other.  The other big change which is a departure from Facebook Connect is that developers can hold your data indefinitely.  The requirement was previously only for 24 hours (and we all know developers weren’t really holding to that anyway).

What’s also interesting is that Facebook has implemented an API called the Graph API. The Graphs API is how developers can easily integrate their applications with this new stream of user data.  In fact, now you don’t even need a Facebook account to search the Open Graph.  For example, https://graph.facebook.com/search?q=facebook&type=post will show you 25 recent status updates.  Note that these status updates are set to Everyone and it seems that Facebook has put a limit on data you can retrieve with one query (this will change most likely or you can figure out ways around this).  Before you had to log in to Facebook to do a search or use some creative Google queries for this information.  This is good news for attackers, spammers and data miners.  Facebook has made publicly available information even easier to search for and in my opinion, is going to start competing with Google for personalized search results.  Stay tuned, Open Graph is going to be a huge area that I will be focusing my research on.  As a penetration tester, my job just got easier.  Thanks Facebook! 🙂

Social Plugins
Social plugins are small bits of code (the “Like” button for example) that you probably have been seeing all over the web.  What Facebook has done is added simple plugins that web site developers can easily integrate.  Also note that there are many more plugins available besides the “Like” button.  Simply run the wizard, fill in a few lines and you’re done.  Lets take the “Like” button as an example.  If you are signed into Facebook (or not) you will see the button just like you do on Mashable:

Clicking on the button while you are signed in to Facebook posts a notice to your news feed that you like Mashable.  The button also works when you are not logged into Facebook by prompting you to sign in.  This is similar to how Facebook Connect worked.  If you want to “unlike” the page, simply click the “Like” button again.  Already, someone has found a potential security problem with the “Like” button that could possibly be abused by spammers.  Keep in mind that these social plugins are part of Facebook’s strategy to take over the world integrate their Open Graph protocol.  Once Open Graph starts to be more popular, you will see lots more attacks leveraging these new plugins.

Instant Personalization
Lastly, we have “Instant Personalization”.  Instant Personalization is the feature in which Facebook has “pre-approved” third-party web sites to gain access to your public information just by visiting them.  There is very little information available currently on how Facebook approves third-party sites.  Once you allow these sites full authorization, they have the same access that any developer would have to your Facebook information.  For example, here is what it looks like when you surf to Yelp.  You will get a pretty blue bar that shows up at the top of your browser window:

You should notice that you have the option to “Learn More” or say “No, thanks”.  You will also notice how instantly, if any of your friends on Facebook are using Yelp you can see any of their activity just below the blue bar.

Now something interesting happens once you visit one of these pre-approved sites.  I noticed that a Facebook application (in this case Yelp) gets installed and allows it permissions to post.  You don’t have to even click “No thanks”, the application is already installed.  Pandora and Microsoft Docs work the same way.  In fact, when testing the Microsoft Docs personalization I noticed the Facebook application that gets installed sets its privacy permissions to EVERYONE and allows one-line posts on your behalf.  This means that anyone can see any activity that is posted by that application.  Keep in mind that these controls are all being closely looked at by attackers and I suspect that we will see some hacks and/or abuse of this new personalization system soon.

Instant Personalization Privacy Settings
Facebook has put in a global “opt-out” check box in your privacy settings.  Of course in typical Facebook fashion they have buried this setting so it’s hard to find.  Ironically, just as I was writing this post Facebook changed the location of this setting.  So now you have to go down one more level by clicking an additional button to get to the setting (see the screen shot below).

There are some very important caveats about this setting.  First, this setting is enabled by default. Yes, that’s right.  If you have a Facebook account this setting is checked right now and you are opted in.  I had thought that Facebook would have learned from the Beacon fiasco but it appears they haven’t.  Secondly, just because you “opt-out” doesn’t mean your information is safe.  Just like other Facebook applications if your FRIENDS use Yelp, Pandora or Microsoft Docs these sites can still get your public information or anything else you have made available to be shared with friends.  To completely opt-out you need to MANUALLY block each and every application (in this case Yelp, Pandora and MS Docs).  It goes without saying, this is a huge pain and I look forward to the long list of complaints and privacy concerns regarding this psudo opt-out.  The other problem is that I have already seen posts by Facebook that they already have partner sites that they are going to announce soon.  What this means is that if you want to truly “opt-out” you need to keep up to date on all the new third-party partners with Facebook and manually block their applications.  This is a terrible control in my opinion.

So where are these settings?  Click on Account –> Privacy Settings –> Applications and Websites –> Instant Personalization (Click the Edit Settings button).  In the screen shot below you can see the box that you need to uncheck.

UPDATE: Yvan Boily on Twitter had mentioned that you should also uncheck every box under “What your Friends can share about you” in your privacy settings (in my guide on SocialMediaSecurity.com this is what I recommend as well).

I will be updating my Facebook Privacy & Security Guide over on SocialMediaSecurity.com to reflect all of these changes soon.  In the meantime, tell your friends on Facebook about these settings and check out a few other good articles on the recent changes.  Here are three articles I recommend reading: Pros and Cons of Today’s Facebook Announcements by theharmonyguy, How to Opt Out of Facebook’s Instant Personalization (with a nice video walk-through) by the EFF and Facebook Open Graph: What it Means for Privacy by Mashable.