Social Media Security Podcast 32 – The Privacy Paradox, Twitter Hacks, Facebook Home

avatarThis is the 32nd episode of the Social Media Security Podcast sponsored by SecureState.  This episode was hosted by Tom Eston and Scott Wright recorded April 25, 2013.  Below are the show notes, links to articles and news mentioned in the podcast:

Please send any show feedback to feedback [aT] socialmediasecurity.com or comment below.  You can also call our voice mail box at 1-613-693-0997 if you have a question for our Q&A section on the next episode.  You can also subscribe to the podcast in iTunesfollow us on Twitter and like us on Facebook.  Thanks for listening!

Social Media Security Podcast 28 – Facebook Timeline, US Privacy Questions, Twitter Acquisitions

This is the 28th episode of the Social Media Security Podcast recorded back a few months ago.  Content is still relevant! :-) This episode was hosted by Tom Eston and Scott Wright.  Below are the show notes, links to articles and news mentioned in the podcast:

Don’t worry! We are still planning on getting back to regular podcasts.  Stay tuned.  Please send any show feedback to feedback [aT] socialmediasecurity.com or comment below.  You can also call our voice mail box at 1-613-693-0997 if you have a question for our Q&A section on the next episode.  You can also subscribe to the podcast in iTunes and follow us on Twitter.  Thanks for listening!

 

The race for the most personal Twitter followers

I have had a great reply on this topic while going around the USA talking about social media security.  During my talk I give an example of why it is NOT okay to allow just anyone the right to follow you or vise versa.

I choose a volunteer out of the crowd.  Usually a nice looking woman because…why not.  I give a hypothetical situation.  We were dating and things are starting to get serious.  So serious that I take her to meet my mom for the first time. While we are at my ma’s house, I introduce her to my new brother-in-law.  My brother-in-law was in charge of bringing the dinner rolls and once again forgot.  He asks her to go to the Italian (not french) bakery down the road with him to get these rolls.  She says yes.  While they are picking up the rolls he notices that he forgot his wallet and asked her for $4.98 to cover the rolls.  She just happens to have $5.00 in her left pocket.

Would she give him the $5.00 and why?

The answer has always been “yes” and because he is associated or was introduced to her by me.  There is an applied level of trust set prior to them going to the bakery.  Well this level of trust in my opinion can be accomplished within twitter.  If I follow you and we start having a friendly conversation(your favorite sports team) I will then go after your friends and family for a small amount to help me with my “cure/run/walk”.  All I have to do is introduce myself as your friend as they can see our past conversations in twitter.  I  have had a over 90% success rate of getting their followers to click my cause link.  This success is based on the applied trust between two strangers.  So although it is really #kwel to have 70,000 twitter followers it can also cost your friends and family $4.98

For more information feel free…info@unixbox.ws

Firesheep’s Revenge

No, this is not an article on the new version or even newly added super hero features for firesheep? #titlefail? Maybe but please read on then decide.

I know firesheep has lost its shiny coin syndrome with most but the attack is still working quite well in the field.  While the readers/listeners have been doing a good job of enabling secure browsing options in Twitter and Facebook, we still have a long way to go. Please keep spreading the word and keep pleading to social networking sites to enable secure browsing by default.  So, Why the “Firesheep’s Revenge” title?  Well these last month’s, a couple of us have been testing common social media monitoring (SMM) tools.  These tools are generally used by small businesses, internal marketing, or external marketing companies to help update social media accounts without the hassle of logging into every social networking site individually.  We have been testing these SSM’s and found that:

http://hootsuite.com/dashboard#
http://sproutsocial.com/dashboard
http://standard.cotweet.com/channels#

Are not using secure browsing by default, allowing us to hijack sessions.  What does this mean? Well by adding your social media accounts into these SMM tools, you are granting the tool permission or full control over that account(s). By gaining control over the tool we are bypassing all the hard work you did by enabling secure browsing in each of your twitter and facebook accounts.  Try explaining to the VP of Marketing that even though you checked the “defeat firesheep” box it still works. And not only will it work on Facebook/Twitter but now LinkedIn, Foursquare, ping.fm and Ning accounts all in one interface. Most of the time we were looking at full access to the corporations social media strategy. So, we are right back to where we started, teaching the user that security is usually the last thing on the mind of these rapid development firms. If you do not see the option of “secure browsing”, then please be careful of where you update your social media accounts. Ask your tool makers where this option is located.  If they do not have this option then maybe you should look for another tool.

James F. Ruffer III
Unixbox
@jruffer

Social Zombies Gone Wild: Totally Exposed and Uncensored

Kevin Johnson and Tom Eston gave the third and final “Social Zombies” talk at Notacon 8 this weekend.  This talk focused on how social networks are using geolocation and the abuse of location based services.

“Social networks have jumped onto the geolocation bandwagon with location-based tweets, status updates, check-ins, mayorships, and more. This doesn’t take into account EXIF, QR codes, and advancements in HTML 5 geo implementations, which are being built into these location-based services. This is often implemented and enabled without the user even knowing it. In fact, geolocation is one of the hottest technologies being used in everything from web browsers to mobile devices. As social networks throw our location coordinates around like candy, its only natural that bad things will happen and abuse will become more popular. This presentation will cover how social networks and other websites are currently using location-based services, what they plan on doing with it, and a discussion on the current privacy and security issues. We will also discuss the latest geolocation hacking techniques and will release custom code that can abuse all of the features being discussed.”

Slides are on SlideShare below:

Social Media Security Podcast 11 – Google Buzz, Geostalking, Twitter’s Phishing Filter

This is the 11th episode of the Social Media Security Podcast recorded March 15, 2010.  Sorry for the delay on releasing this!  We should be back on our biweekly schedule soon.  This episode was hosted by Tom Eston and Scott Wright.  Below are the show notes, links to articles and news mentioned in the podcast:

Please send any show feedback to feedback [aT] socialmediasecurity.com or comment below.  You can also call our voice mail box at 1-613-693-0997 if you have a question for our Q&A section on the next episode.  You can also subscribe to the podcast in iTunes. Thanks for listening!

Social Media Security Podcast 8 – Would You Commit Social Media Suicide?

This is the 8th episode of the Social Media Security Podcast recorded January 8, 2010.  This episode was hosted by Tom Eston, Kevin Johnson and Scott Wright.  Below are the show notes, links to articles and news mentioned in the podcast:

Please send any show feedback to feedback [aT] socialmediasecurity.com or comment below.  You can also call our voice mail box at 1-613-693-0997 if you have a question for our Q&A section on the next episode.  You can also subscribe to the podcast in iTunes. Thanks for listening!

Social Media Security Podcast 3 – Phishing and Koobface, What is CSRF, Protected Tweets

skullThis is the third episode of the Social Media Security Podcast recorded October 23, 2009.  This episode was hosted by Scott Wright, Tom Eston and Kevin Johnson.  Below are the show notes, links to articles and news mentioned in the podcast:

  • Tom and Scott talk about phishing on social networks. How can you tell the difference between a fake friend request and a real one? Here is a screen shot of a fake friend request and a real friend request.  Just by looking at the email…it’s really hard to tell the difference isn’t it?  The only way you can tell the difference is to look at the URL the link is going to by looking at the message source (code and/or mail header info).  We advise you check your Facebook Inbox for legitimate friend requests, don’t click on friend request links in email.
  • Tom gives a primer on Koobface. What is the Koobface worm and how does it spread?  If you want to learn more about Koobface check out this very good paper created by TrendMicro on how Koobface works.
  • Kevin gives a great non-technical overview of CSRF (Cross-site request forgery).  Want to see a real CSRF attack demonstrating stealing private Facebook profile information? Check out this video and blog post.  Here is the great talk by Jeremiah Grossman about exploiting business logic flaws that Tom mentioned.
  • Interested to know more about CSRF? Check out Security Now! Episode 166.
  • Are your protected tweets able to be searched by Google?  Tom clarifies that this article was not true at all.  However, there are some important things you need to know about protected tweets and why making your Twitter account private doesn’t buy you much.
  • Due to popular demand we are going to try recording the podcast bi-weekly!
  • Be sure to follow us on Twitter to stay up-to-date on all the latest news in the world of social media security!

Please send any show feedback to feedback [aT] socialmediasecurity.com or comment below.  You can also call our voice mail box at 1-613-693-0997 if you have a question for our Q&A section on the next episode.  You can also subscribe to the podcast now in iTunes! Thanks for listening!

1 2 3 7