October 2009 – The Social Media Security Podcast

Enterprise Open Source Intelligence Gathering – Part 3 Monitoring and Social Media Policies

Posted under Contributors, Social Networking on October 29th, 2009 by Tom

This is the final article in my series on Enterprise Open Source Intelligence Gathering. This information relates to the main topics from my presentation that I am giving this week at the 7th Annual Ohio Information Security Summit. For more background information, see part one. If you missed part two (blogs, message boards and metadata) you can check that out here. This last article will be about putting together a simple monitoring program/toolkit and creating a social media policy for your company.

OSINT and Monitoring
After reading this series you are probably asking yourself…what do I do will all of these feeds and information that I have gathered? Much of the information you have found about your company may be pretty overwhelming and you might find there is a ton of noise to filter through to get to the “good stuff”. The next sections of this article will hopefully help you organize these feeds so you can begin a basic monitoring program.

What do you want to monitor?
This first thing you want to ask yourself…what do you want to monitor and what is most important? You probably have noticed that it would be difficult to monitor the entire Internet so focus on what is relevant to your company or business. Also, you want to pay particular attention to the areas of social media that your business has a presence on. For example, if your business has a Facebook page, LinkedIn group and Twitter account you should be paying special attention to these first. Why? These are the sites that you have most likely allowed certain employees to use this form of media for business purposes. Lastly, keep in mind that choosing what to monitor should be a group collaborative effort. Get your marketing and public relations people involved in the decision making process. As a bonus, it helps with making security everyone’s business.

Free tools to aggregate this information
Lets discuss briefly some tools to aggregate and monitor all the information sources you have decided as important. There are two tools that I will talk about. Yahoo! Pipes and RSS readers (specifically Google Reader).

1. Yahoo! Pipes
First, what is Yahoo! Pipes? The best description is probably found on the Yahoo! Pipes main page:

“Pipes is a powerful composition tool to aggregate, manipulate, and mashup content from around the web. Like Unix pipes, simple commands can be combined together to create output that meets your needs:

– combine many feeds into one, then sort, filter and translate it.
– geocode your favorite feeds and browse the items on an interactive map.
– grab the output of any Pipes as RSS, JSON, KML, and other formats.

The great thing about pipes is that there are already many different mashups that have already been created! If you find one that doesn’t do what you like it to…you can simply copy a pipe, modify it and use it as your own. Creating a pipe is really easy as well. Yahoo! provides good documentation on their site even with video tutorials if you are lost. Everything is done in a neat visual “drop-n-drag” GUI environment. For example, you could take some of the sites that you find a bit more difficult to monitor, configure them in a pipe and send the output to RSS. Once you have an RSS feed you can plug this into a RSS reader (like Google Reader) for monitoring. Here are a few of my favorite pipes (pre-built) that can be used for monitoring:

Social Media Firehose
Social Media Monitoring Tool
Aggregate Social Media Feeds by User & Tag
Twitter Sniffer for Brands
Facebook Group RSS Feed, improved version here

2. Google Reader or your favorite RSS reader
The second part of your monitoring toolkit is to put your Yahoo! Pipe RSS feeds and the other feeds you determined as important and put them into the RSS reader of your choice. I personally like Google Reader because it’s easy to use and manage. However, you may prefer a desktop client or some other type of reader…all up to you.

What’s easy and works best?
First, assign someone to look at the information you are monitoring. This should be someone in your information security department and someone with social media skill sets. Next, create RSS Feeds from identified sites and utilize Yahoo! Pipes to customize and filter out content if you need to. Finally, plug these feeds into your RSS reader and set up procedures for monitoring. When will you check these feeds? What happens if the monitoring person is out? Is there a backup for this person? These are just a few of the things you need to think about when putting together these procedures. There may be many more (or less) depending on your business. Lastly, for sites you can’t monitor automatically determine manual methods and be sure to build procedures around them.

What is the company social media strategy? Do you even have one?
The first thing you need to do before you create policies or standards around what employees can or can’t do on social media/networking sites (related to your business), is to define a social media strategy. Without a strategy defined it would be nearly impossible to determine a monitoring program without knowing what areas of social media your business is going to participate in. This is a very important step and is something that your marketing/public relations/HR departments need to determine before security gets involved.

Internet postings or the “social media” policy
What if you have policies for Internet usage already in your company? If you do, have you checked to see if they include specific things like social networks? How about commenting on company news or issues on public social networks? This is an area where many of the “standard” Infosec or HR policies don’t cover or don’t mention procedures about how employees use this new world of social media. The other important part is that you need to partner with marketing/public relations/HR to collaborate on this policy. The design and creation needs to have input from all of these areas of the business, especially these groups because they are going to be the main drivers for the use of social media. Lastly, what is acceptable for employees to post? Keep in mind that employees have Internet access *everywhere* nowadays. iPhones, smartphones, Google phones…employees have these and guess what? They are most likely using them at work. How do you know that they are not commenting about company confidential business? With this new generation of devices…the line between personal and company business will continue to blur. Oh, and this is just one simple example!

Examples of good policies to reference
So where do you go from here? Create the policy! The last part of this article has examples of good policies that you can reference when creating your own policies. There is lots of good information in the following links and you can customize these for your own environment and business situation:

Cisco Internet Postings Policy
Intel Social Media Policy
4 Tips for Writing a Good Social Media Policy
10 Steps to Creating a Social Media Policy for your Company

Remember, monitoring the use of social media and creating policies around them is new and potentially uncharted territory for many organizations. Hopefully with this series (and the related presentation) will help guide you and your organization to make the right decisions on finding information about your company, creating a monitoring program and working with your business partners to create the right policies for your business.

UPDATE: You can download my slide deck now on SlideShare.

Share and Enjoy

• Facebook • Twitter • Delicious • Digg • StumbleUpon • Add to favorites • Email • RSS

Enterprise Open Source Intelligence Gathering – Part 2 Blogs, Message Boards and Metadata

Posted under Contributors, Social Networking on October 28th, 2009 by Tom

This post is part two of my three part series on Enterprise Open Source Intelligence Gathering. This information relates to the presentation that I am giving this week at the 7th Annual Ohio Information Security Summit. For more background information, see part 1. Part three will be about putting together a simple monitoring program/toolkit and creating a Internet postings (social media) policy for your company.

Part one of the series discussed ways to gather OSINT on social networks and some of the challenges this creates. Besides gathering OSINT on social networks there are many more sources of information that company information may be posted on. These include blogs, message boards and document repositories. One of the byproducts of finding documents is metadata, which I will explain in more detail below.

OSINT and Blogs
Blogs can be searched via any traditional search engine, however, the challenge with blogs are not necessarily the posts themselves but the comments. When it comes to blog posts the comments are usually where the action is, especially when it comes to your current and former employees (even customers) commenting on highly sensitive pubic relations issues that a company might be conducting damage control over. The other point to make about commenting is that employees might be posting things that be violating one of your policies and cause brand reputation problems. Examples of this are all the countless leaks of profits, downsizing, confidential information and more that the news media reports on. Wouldn’t be great to be monitoring blogs and their comments to find these things out before they go viral?

Listed below are some of the blog and comment search sites that I recommend you add to your monitoring arsenal which I will talk about creating in part three:

Social Mention http://socialmention.com (has *great* comment search and RSS for monitoring)
Google Blog Search http://blogsearch.google.com (great for creating RSS feeds and very customizable)
Blogpulse http://www.blogpulse.com/ (has comment search)
Technorati http://technorati.com/
IceRocket http://www.icerocket.com/
BackType http://www.backtype.com/ (has comment search)
coComment http://www.cocomment.com/ (has comment search)

OSINT and Message Boards
Message boards have always been a great source of OSINT. Message boards date back before blogs were popular and are still widely used today. Because there are so many message boards out there that could contain good OSINT you really need to use message board search engines unless you know about specific message boards that you know your employees use (or could). Good examples of these are job related message boards like vault.com or Yahoo/Google Finance discussion forums or groups centered around stock trading.

Here is my list of message board search engines and a few that might be more specific for a company:

Google Groups http://groups.google.com/ (always a good choice for creating RSS feeds and very customizable)
Yahoo! Groups http://groups.yahoo.com/
Big Boards http://www.big-boards.com/ (huge list!)
BoardReader http://boardreader.com/ (very good search and RSS feeds of results)
Board Tracker http://boardtracker.com/ (very good search and RSS feeds of results)

More specific:
Craigslist Forums http://www.craigslist.org/about/sites (RSS available)
Vault www.vault.com (job/employee discussions)
Google Finance http://www.google.com/finance (search for company stock symbol and check out the discussions)
XSSed http://www.xssed.com/ (XSS security vulnerabilities)
Full Disclosure Mailing List http://seclists.org/fulldisclosure/ (Security vulnerability disclosure)

Document Repositories
Something that I have seen more of recently are sites called document repositories. These sites either aggregate documents found from various sources on the Internet or people can upload their own documents and presentations for public sharing purposes. These sites are probably my favorite since you will find all sorts of interesting information! Here is my list of favorites:

Docstoc http://www.docstoc.com/
*Really good document search engine. I wish there was better RSS for it but they have an API in which Yahoo! Pipes could probably be used.

Scribd http://www.scribd.com/ (RSS feed of results)
SlideShare http://www.slideshare.net/ (RSS feed of results)
PDF Search Engine http://www.pdf-search-engine.com/
Toodoc http://www.toodoc.com/

Great! You found documents. Now what?
Once you find interesting documents be sure to check out the document metadata. What is metadata? Metadata is simply “data about data”. Metadata in documents is traditionally used for indexing files as well as finding out information about the document creator and what software was used to create the document. It goes without saying that document metadata is a treasure trove of information that could be used against your company. For example, vulnerable versions of software that can be used for client side attacks, OS versions, path disclosure, user id’s and more can all be viewed through document metadata.

There are lots of good tools to pull out metadata from documents and pictures. With some of these tools it’s even possible to write a script to automatically strip metadata from documents and pictures (start with the script Larry Pesce wrote in his SANS paper below). However, the best method for removing metadata in my opinion is to make sure it’s removed (or limited) in the first place! If you are creating a new document make sure you are removing it or not allowing the application to save some of the more revealing things like user id’s and OS/version numbers. If you want more detail on metadata and how to use some of the tools that are available check out the great paper over at the SANS InfoSec Reading Room titled “Document Metadata, the Silent Killer created by Larry Pesce. Here is a short list of tools I use (or have used) to analyze metadata:

EXIFtool http://www.sno.phy.queensu.ca/~phil/exiftool/ (my personal favorite! The swiss army knife of metadata tools)
Metagoofil http://www.edge-security.com/metagoofil.php
Maltego (built-in metadata transform) http://www.paterva.com/web4/index.php/maltego (another favorite!)
Meta-Extractor http://meta-extractor.sourceforge.net/
FOCA http://www.informatica64.com/foca/

What’s the deal with brand reputation?
One last point I want to make is about brand reputation. You may ask yourself, how does brand reputation relate to information security? Why should we care? I have found it interesting that many of us in information security have been asked to do more research on brand reputation issues because no one else in the company had those types of skill sets to monitor information. Brand reputation is vital to an organization, even more so in this economy. Think of the CIA triad…Confidentiality, Integrity and Availability. All three have aspects that reflect brand reputation. All of us in information security need to be thinking of brand reputation in our daily job.

Next up in part three
In part three I will talk about setting up a simple monitoring program with the sites and tools I have mentioned thus far. This will include how to start using Yahoo! Pipes to aggregate many of the feeds I talked about. I will also conclude with information on how to create a Internet Postings Policy or now better known as a Social Media Policy for your company and why this is more important then ever.

Share and Enjoy

• Facebook • Twitter • Delicious • Digg • StumbleUpon • Add to favorites • Email • RSS

Cross-Gadget Security in Google Wave

Posted under Contributors on October 27th, 2009 by theharmonyguy

While examining the behavior of gadgets in Google Wave, I noticed another potential security problem in addition to the ones I’d already listed. Each gadget is loaded in a container iframe with a domain separate from the main page, preventing access to the DOM of the Wave interface itself.

However, I also noticed that the container iframes for all of the gadgets I tested used the same domain. That allows one gadget to access the DOM of another gadget. Pictured below is a test gadget that generates an alert displaying the HTML source of the first gadget in the wave, in this case a Yes/No/Maybe gadget from Google.

A test gadget accessing the DOM of another gadget in Google Wave.

What’s the danger in this sort of cross-gadget access? Consider that people have already created gadgets for accessing your Facebook and Twitter via gadgets. Granted, most of those gadgets have used iframes which load other sites, and thus cross-domain rules would prevent any data breaches. Also, one Twitter gadget I tried actually loaded using its own container URI instead of the standard Google server. But as developers continue to publish more powerful gadgets, cross-gadget access poses some serious risks for CSRF and data theft.

Google Wave as a Tool for Hacking

Posted under Contributors on October 26th, 2009 by theharmonyguy

Many security researchers are familiar with BeEF, a browser exploitation framework by Wade Alcorn. In short, BeEF is a program that brings together various types of code for taking advantage of known vulnerabilities in web browsers. If a target computer loads a certain bit of code within a web page, that code connects to a server control panel which can then execute certain attacks against the “zombie” machine.

After noting potential security issues with the gadgets in Google Wave, I set about to finally setup a BeEF testbed and see if Google Wave was as capable a platform for malware delivery as I suspected.

Example of a BeEF zombie spawned via Google Wave

The picture above shows the results. I successfully created a Google Wave gadget that creates a new BeEF zombie whenever someone views the wave. This does not allow for the keylogger function of BeEF, but I did send an alert dialog (as shown) and used the Chrome DoS function to crash the browser tab. (I could also detect that the zombie machine had Flash installed – imagine the possibilities of using Flash or PDF exploits in an auto-loaded gadget.)

What’s even more disconcerting is that BeEF can integrate with Metasploit to potentially take over a victim’s machine. I do not currently have Metasploit setup to test using Autopwn, but based on my experiences so far, I’m fairly confident such an attack would succeed.

All of these demonstrations about security and Google Wave point to four general weaknesses in Wave’s current structure:

Allowing scripts and iframes in gadgets with no limits apart from sandboxing
Lack of control over what content or users can be added to a wave
No simple mechanism for verifying gadget sources or features
Automatically loading gadgets when a wave is viewed

Any one of these issues would be cause for concern, but taken together they present such alarming possibilities as a user getting their computer hacked simply by viewing a wave. Whatever may be said about Google Wave’s usefulness, I have to conclude that the product is not ready for prime time until these types of problems are addressed.

Enterprise Open Source Intelligence Gathering – Part 1 Social Networks

Posted under Contributors, Social Networking on October 26th, 2009 by Tom

UPDATE: You can now download my slide deck from SlideShare.

Next week I will be speaking at the 7th Annual Ohio Information Security Summit on “Enterprise Open Source Intelligence Gathering”. Here is the talk abstract:

What does the Internet say about your company? Do you know what is being posted by your employees, customers, or your competition? We all know information or intelligence gathering is one of the most important phases of a penetration test. However, gathering information and intelligence about your own company is even more valuable and can help an organization proactively determine the information that may damage your brand, reputation and help mitigate leakage of confidential information.

This presentation will cover what the risks are to an organization regarding publicly available open source intelligence. How can your enterprise put an open source intelligence gathering program in place without additional resources or money. What free tools are available for gathering intelligence including how to find your company information on social networks and how metadata can expose potential vulnerabilities about your company and applications. Next, we will explore how to get information you may not want posted about your company removed and how sensitive metadata information you may not be aware of can be removed or limited. Finally, we will discuss how to build a Internet posting policy for your company and why this is more important then ever.

Leading up to my talk at the summit this series of posts will focus on several of the main topics of my presentation. I plan on referencing these posts during the presentation so attendees can find out more information about a specific topic that will be discussed. I will touch on the following main points in this series: Part 1 – Gathering intelligence on social networks, Part 2 – Gathering intelligence from blogs/message boards/document repositories, Part 3 – Putting together a simple monitoring program/toolkit and creating a Internet postings (social media) policy for your company.

This first post in the series will focus on gathering intelligence on social networks. The topic of gathering intelligence from social networks will be looked at in two ways. First, through the eyes of the penetration tester or attacker. Second, from a monitoring perspective relative to the enterprise and business.

What is OSINT?
Open Source Intelligence (OSINT) is basically finding publicly available information, analyzing it and then using this information for something. That something can be extremely valuable from the eyes of an attacker. For a fantastic overview of how OSINT is used specifically from a penetration testing perspective I suggest you check out the presentation that Chris Gates recently did at BruCON. Chris goes into detail and provides good examples on how OSINT can be used in gathering intelligence on a network infrastructure as well as how to profile company employees. All of the techniques Chris talks about should be used in a penetration testing methodology.

Why look for OSINT about your company?
I have found that OSINT is surprisingly often overlooked by most businesses from a security monitoring perspective. If a company does any monitoring of public information at all it is usually found in your public relations and/or marketing groups. These groups traditionally don’t look for things that could be used to target or profile an organization. The same information that is being viewed by your PR/Marketing department needs to be looked at by your in house information security professionals. Specifically, I suggest people in your information security department with an “attacker mindset” look at this OSINT. This could be people on an internal penetration testing team or someone involved with the security assessments in your organization. You should really ask yourself: If you don’t know what information is publicly available about your company…how can you properly defend yourself from attack?

OSINT and Social Networks
Social networks have recently become the 4th most popular method for online communication (even ahead of email) today. If you are not looking for OSINT on social networks you are potentially missing major and vital pieces of information. Having said that, searching for OSINT on social networks brings its own challenges and needs to be looked at slightly different then looking at other forms of OSINT. For example, you might find that searching for information on social networks like Facebook different because there is both private and public information. Facebook as an example has a built in search feature “behind” a valid login id and password. Searching Facebook in this manner can yield better results then just going to Google or using a specific social network search engine (I’ll talk more about Facebook below).

1. Social Network Search Engines
There are lots of different search engines that specifically look for “public” information on some of the major social networks. The disadvantage about these types of search engines is that they only pull public information that can be easily indexed. Private information like the Facebook example above cannot be indexed without violating the TOS (Terms of Service) even though there are tools like Maltego that can have transforms written to “page scrape” this information (more on that in the Maltego section below). Here is a list of social network search engines that I recommend you check out to search for this type of public information (there are more…this is just the list I use). While there are other ways to search specific social networks (like search.twitter.com or FriendFeed) the list below just mentions search engines that search multiple networks:

Wink http://wink.com/
Spock http://spock.com (has a search for “private” profile info but is a pay service…haven’t checked that feature out)
Social Mention http://socialmention.com/
WhosTalkin http://www.whostalkin.com/ (this is one of my favorites! Lots of socnets included!)
Samepoint http://www.samepoint.com/
OneRiot http://www.oneriot.com/
Kosmix http://www.kosmix.com/
YackTrack http://www.yacktrack.com
Keotag http://www.keotag.com/
Twoogle http://twoogel.com/ (Google/Twitter search combined)
KnowEm Username Check http://knowem.com/
Firefox Super Search Add-On https://addons.mozilla.org/en-US/firefox/addon/13308 (over 160 search engines built in)

Don’t forget about photo/video social networks and social bookmarking sites:

Pixsy http://www.pixsy.com/
Flickr Photo Search http://www.flickr.com/search/?s=rec&w=all&q=”comapny name”&m=text
YouTube/Google Video Search http://video.google.com/videosearch?q=”company name”
Junoba Social Bookmark Search http://www.junoba.com/ (Digg, Delicious, Reddit, etc..)

Pay Services (might be worth checking out):

Filtrbox http://www.filtrbox.com/
Vocus http://www.vocus.com/

2. Maltego
Maltego goes without saying…it’s probably the best tool to “visually” show you information found on some of the social networks and the relationships that information has connected to it. I have found that Maltego works well for Twitter, Facebook, LinkedIn and MySpace profiles (publicly available). The Twitter transforms are probably the highlight since you can dig into conversations as well. There is also a Facebook transform that was specifically written to search within the Facebook network using a real user account. However, this transform doesn’t work anymore due to recent structural changes to the way Facebook HTML was coded. Note that this transform violates Facebook TOS since it did screen scraping but when it did work it was a great way to search status and group updates not available to public search engines! If anyone wants to help get this transform working again there is a thread on the Maltego forum about it.

Lastly, if you want more information on Maltego and how to use it I suggest checking out the work Chris Gates has done in his Maltego tutorials here and here to learn more. Keep in mind. Maltego works great for finding information if you need it for a specific scope, like a pentest. Maltego even works great if you need to dig a little deeper into something you find on a social network. In terms of automating a monitoring process, I suggest using Google dorks, Yahoo Pipes!, and other techniques which we will talk about here and in future posts.

3. Google Dorks (Facebook, MySpace, LinkedIn)
While you can just simply type in your company name into Google and see what comes up…It’s way easier to use a little Google dork action to search for information on specific social networks. As I stated before, this will only pull publicly available information but you might be surprised what you find about your company just in these searches! Simply paste these into the Google search bar/window. Note: change “bank of america” to whatever you like…not picking on bofa but there is a ton of information about them on social networks!

Facebook Dorks
Group Search: site:facebook.com inurl:group (bofa | “bank of america”)
Group Wall Posts Search: site:facebook.com inurl:wall (bofa | “bank of america”)
Pages Search: site:facebook.com inurl:pages (bofa | “bank of america”)
Public Profiles: allinurl: people “John Doe” site:facebook.com

*To search personal profile status updates (unless they were made public wall posts via pages or groups) you need to be logged into Facebook and use the internal Facebook search engine. Setting your status updates privacy settings to “Everyone” is actually everyone in Facebook. Rumor has it that next year “Everyone” will mean everyone on the Internet! FTW!

MySpace Dorks
Profiles: site:myspace.com inurl:profile (bofa | “bank of america”)
Blogs: site:myspace.com inurl:blogs (bofa | “bank of america”)
Videos: site:myspace.com inurl:vids (bofa | “bank of america”)
Jobs: site:myspace.com inurl:jobs (bofa | “bank of america”)

LinkedIn Dorks
Public Profiles: site:linkedin.com inurl:pub (bofa | “bank of america”)
Updated Profiles: site:linkedin.com inurl:updates (bofa | “bank of america”)
Company Profiles: site:linkedin.com inurl:companies (bofa | “bank of america”)

While these are Google dorks from the top three social networks (Twitter actually has a really good search engine, search.twitter.com, which I don’t think needs explaining), you can easily modify these for your own use and even include more advanced search operators to include or exclude additional queries. The point of using Google dorks is to make it easier to quickly search for information on social networks without going to each site individually. Still, with most social networks if you want to find private information you either need to login as a user or use some social engineering get the information you want.

What’s next?
In part three of this series I will talk about how to use Google dorks and various search queries for monitoring purposes. Once you have the dorks you want to query, it’s trivial to plug these into Google Alerts to create RSS feeds. Take your feeds and plug them into your favorite RSS reader and you have a simple monitoring tool. More on this in part 3 including a section on aggregating this type of into and customizing it via Yahoo! Pipes which I like to think as the preferred and most customizable method for monitoring social networks.

Next up…in part 2 I will talk about how to find company information on blogs, message boards and document repositories. Oh, and sprinkle a little bit of metadata into the mix as well.

Share and Enjoy

• Facebook • Twitter • Delicious • Digg • StumbleUpon • Add to favorites • Email • RSS

Have You Seen the New Facebook Gadget for Google Wave?

Posted under Contributors on October 20th, 2009 by theharmonyguy

The above screenshot shows an actual gadget inside a Wave that I created to demonstrate it. Imagine the possibilities of connecting Facebook with Google Wave. You could post information to your Facebook profile right from within Wave, or connect wave participants to Facebook profiles. If you came across this gadget in a wave you were viewing, wouldn’t you love to at least try it out?

There’s just one problem. The above gadget is fake. Not the screenshot, mind you – if you’re a Google Wave user, you can see the gadget in action by inserting the gadget http://theharmonyguy.com/facebook.xml into a wave. But nothing will happen when you try to connect.

And in this case, truly nothing will happen, since I’ve designed the gadget to be harmless – your login information is not sent anywhere. But I imagine many users would fall prey to such a trick, which could be easily adapted for phishing attacks. Ask yourself honestly, would you have tried to login? More importantly, if you came across such a gadget in a wave, how would you know whether it came from theharmonyguy.com, facebook.com, or a malicious host?

I post all this to raise a broader point than simply “beware of phishing attacks.” I realize that the balance between security and usability is a constant struggle for developers, or at least should be. Yet I’m somewhat concerned by the patterns we are training users to be accustomed to.

Case in point: chromeless gadgets within a wave that provide no indication of source. In some ways I almost feel that Google Wave is recreating the web browser. Browsers are applications that can load any sort of web page. Google Wave is an application that can load all sorts of web pages within waves. Yet many of the features developed for browsers to warn a user of insecure sites or phishing attacks (even as basic as the address bar, which shows the current domain) are not replicated when a user loads a gadget in Wave. Many have described Wave as a reinvention of e-mail. Reinventing a technology can be very beneficial, but let’s not forget lessons learned in the old technology – there’s a reason most e-mail clients don’t allow iframes and JavaScript, for instance.

I’m certainly not the first to raise these concerns; others have previously mentioned the danger of login forms on iGoogle gadgets. Nor am I saying that I don’t want Google Wave to succeed. But if we’re going to reinvent a technology, let’s address some of these basic issues of user expectations and security precautions from the start.

First Impressions on Security in Google Wave

Posted under Contributors on October 19th, 2009 by theharmonyguy

Nearly two years ago, many technology sites brimmed with hype over a new Google technology called OpenSocial. Bloggers questioned if OpenSocial would spell the end of Facebook. Amid all the discussion, I felt that many people were ignoring several serious issues regarding how OpenSocial would handle user data, privacy, and security. A few people brought up questions on this topic, but until an actual implementation hit the market, no one seemed completely sure how OpenSocial would work in practice.

When I heard that Plaxo had brought an OpenSocial framework online, I decided to check out its security for myself. That led to the first hack of an OpenSocial application, and my white-hat hacking hobby began. Admittedly, the “hack” came from poor coding practices on RockYou’s part, but highlighted the need for better authentication in OpenSocial, a problem corrected in later revisions. Still, the event was an inspiration, and led me to continue investigating my previous hacks of Facebook applications, which led to the more serious issues in this year’s FAXX hacks.

Memories of two years ago came back to mind yesterday when I received a Google Wave invite from a friend. Wave has received its share of hype, despite not being publicly available, though lately it’s drawn increasing criticism. Yet I’ve not seen many people explore the security or privacy implications of using the new platform. I decided to take advantage of the invite and start hacking Wave.

What I find was rather surprising, though not entirely unexpected. I’ve noticed several issues with the current version that could be exploited or create more serious problems in the future. Some will argue that bugs should be expected in early versions of a new product, and that future upgrades will improve the situation. However, I would contend that some of the points raised here deal with basic aspects that should have been addressed from the very beginning. I would also add that I think Google overlooked an opportunity to add more social networking components to their system that could allow them to offer a stronger alternative to Facebook.

Anyway, here are a few of the problems with Google Wave I’ve noticed so far that I’ve not seen on several other lists of Wave criticisms:

Allowing iframes in waves. Creating a gadget that loads an iframe is a fairly trivial task. The iframe loads within a container iframe that separates it from the DOM for Wave itself. Still, one can load just about any page using such an iframe. This means that any attack requiring a user to load an infected page, such as my original demonstration of a FAXX hack, can be automated, since viewing the wave loads the iframe page. This can also be easily adapted to make POST requests for CSRF attacks.
Allowing invisible iframes in waves. Not only can a gadget include an iframe, it can style that iframe to be invisible, either hiding the attack from wave participants or to create a clickjacking attack within the gadget. Basically, while gadgets load in container iframes, they otherwise have free reign to include any HTML a coder desires. Note that allowing iframes could potentially let an attacker include code for finding browser exploits, which can then allow for malware delivery or even taking over a user’s system.
Allowing scripts in waves. Once again, the scripts execute in a container iframe, so one cannot simply wreak havoc with the main application DOM. But scripts do open up several possibilities. In fact, I’ve already created a wave that forwards users to a particular page as soon as they view the wave, since the script is loaded automatically when someone views the wave.
Allowing dynamic changes to gadgets. Google may argue that this problem is actually a feature. Essentially, a gadget is loaded dynamically from its source every time a wave is loaded. That means someone could insert an innocent-looking gadget into a wave, then the gadget owner could switch the gadget for a malicious one later on. In fact, since gadgets can be hosted anywhere, an included gadget could even be taken offline, taking away from one of Wave’s selling points (better preserving a record of communications).
Allowing gadget access to participant information. Currently, a gadget can only access basic identifying information about who participates in a wave and who is viewing the wave when the gadget loads. However, one can already note several indications that Google will likely expand this functionality to resemble a more complete OpenSocial implementation. As with Facebook applications, allowing such unfettered access for any gadget on initialization raises a number of concerns.
Not allowing users to be removed from a wave. I realize that since waves are shared among participants, removing users raises questions of who in the wave is authorized to make such decisions. Still, I find it a glaring oversight that the product includes no mechanism for removing a user whatsoever, especially considering that anyone can join a public wave.
Allowing users to add anyone to a wave without approval. If I know the Google account you use for Wave, I can add you as a contact and add you to a wave, which will then appear in your inbox. This all happens without any action on your part. And if I include a malicious gadget, you will load that gadget as soon as you click on the new wave to find out what it’s about.

Once again, many will argue that Google will eventually address these problems, and I certainly hope they do. But I find such oversights of basic security issues rather disconcerting. And while sites such as iGoogle have included “gadgets” with scripts for some time, Wave adds a new dimension in that such gadgets can be loaded with hardly any user interaction or approval.

One possible solution that people will raise is that Google can shut down accounts of known attackers or spammers, ensuring that each Wave user corresponds to a real person who will abide by certain rules, as Facebook has sought to do. But doesn’t this turn Google Wave into exactly the same kind of closed garden which Facebook’s critics have lambasted so often? Yet if Google is not the gatekeeper and opens up the system to users with Google accounts, what has Wave done to address spam and malicious attacks? In fact, as expounded above, if Wave is open to anyone, it provides a powerful new means for delivering malware and exploiting vulnerable users.

Again, I realize that Wave will probably include more privacy controls, such as who can add you to a wave without your permission. But if Google is not building such controls into the product to start with, how effective will they be when they do finally appear?

The Dangers of Clickjacking with Facebook

Posted under Contributors on October 14th, 2009 by theharmonyguy

Clickjacking is an admittedly difficult problem to solve entirely, though I question why invisible iframes are necessary. Still, a few techniques to combat the attack exist, such as frame-busting scripts. Twitter implemented this approach after a proof-of-concept attack circulated earlier this year, at the time, several researchers speculated on the ramifications for other sites, such as Facebook.

I’ve noted previously that authorizing a Facebook application requires only a single click, even if you’ve exempted your profile from the Facebook Platform. After noticing another possible clickjacking attack vector, I began compiling a list of single-click actions that should give any Facebook user pause. All of the following actions can be mistakenly performed by a user simply clicking a link or button on an innocent-looking page via clickjacking:

Authorize a malicious application. This can happen regardless of any privacy settings. On authorization, an application can immediately access your profile information, your photos, your posted links, your notes, your status updates, etc. It can also send notifications to your profile, send notifications to other people (anonymously or from you), and post feed stories to your wall, all with links included. Note that under default privacy settings, an application can access most of your data if a friend of yours falls prey to this type of attack.
Authorize a legitimate application with a cross-site scripting exploit. Most applications vulnerable to such an attack allow for clickjacking installs, where a single click authorizes the application and then forwards a user to an infected application page. That landing page can then execute any of the actions listed above for a malicious application. Note that if a friend falls for this attack and you have authorized the application, all of your data is vulnerable as well.
Post a link to your profile. This is possible by applying clickjacking to several Facebook pages used for sharing content. A custom title and description can be set for the link. Other content, such as a Flash video, can also be posted this way.
Publish a feed story from a malicious application. Note that this can work regardless of whether you have authorized the application. Applications may publish feed stories prior without authorization by a single click, though this does not grant them access to a user’s data. The feed story may include images, descriptive text, and links. The application can also pre-populate the user’s comments on the story, which would then be submitted upon execution of the clickjacking attack.
Send a message to another user. The recipient, subject, and message content, including links, can all be pre-populated. This no longer gives the recipient more access to data than usual, but could still be easily used to spread malware.
Send a friend request to another user. This means that a victim could unknowingly send a friend request to a malicious attacker’s profile, and the attacker would simply need to approve the request to gain access to everything on a user’s profile that their friends can access by default.
Harvest a user’s post_form_id. Those familiar with Facebook’s code will realize how serious this issue is. However, exploiting a post_form_id also requires knowing a user’s Facebook ID, and so far this attack does not provide the latter.

This list is not simply theoretical – I did some simple testing to make sure that each of these attacks worked. I also would not pretend that my list is exhaustive, and I would welcome any additions from other researchers.

Most of these are already known or fairly trivial to figure out. I am not aware of anyone reporting my method for the last attack, however, and I will be reporting the details of it to Facebook, as I believe it involves a code issue that can be patched apart from any clickjacking protection. Update: Facebook pushed a fix last night which I’ve confirmed. The hole came from a dialog page that one could load via a POST request. Outside its normal context, clicking the submit button on the page would forward a user back to the referring page but with the post_form_id appended.

I hope this list will help raise awareness of the potential dangers of clickjacking. Creating a Facebook version of Twitter’s “don’t click” worm would be fairly simple, and as this list indicates, one could do far more than simply post a link in the process.

1 2 Next »