Potential dangers of BlackBerry Syncing Applications

Syncing dangers?

Do you have a BlackBerry for work and you have a corporate policy pushed down and managed by your corporate IT team? Depending on how locked down the policy is for your corporate BlackBerry deployment you may be syncing sensitive or confidential data to a public web site.

So I recently installed the Facebook Blackberry Application v1.5 on my BlackBerry and noticed two interesting settings. First, you can sync your Facebook calendar with your BlackBerry calendar. Second, you can sync your Facebook contacts with your BlackBerry contacts. As far as I can tell syncing is only one way…sort of. The Facebook application has a disclaimer when you install the application that says:

Facebook will “periodically send copies of your BlackBerry device Contacts to Facebook Inc. to match and connect with your Facebook Friends.”

So does this mean Facebook has a copy of your corporate contacts? They must somewhere to do the proper sync matching. There is another disclaimer at the bottom of the “setup wizard” that says you allow Facebook to do this interaction per the same way applications have access to your profile data in Facebook. Interesting. Again, not a nightmare situation…but if any of your business contacts are sensitive in nature I would be hesitant to enable this feature. Worse case? I couldn’t think of a worse security nightmare then of all your users automatically sending sensitive calendar entries with proprietary data to Facebook! So yeah, one way is good. For now one way sync is all the Facebook application does but I would be willing to bet that this will change in the future. Be careful with this one.

So lets step this up a bit. What about two way syncing applications like Google Sync? Google Sync will sync your Google Calendar/Contacts with your Blackberry Calendar/Contacts…both ways! This might be a real problem if you make your Google Calendar public or share it with a group of friends. Same goes for your business contacts. You may have just given Google (and possibly the world) all your business calendar entries. Well..we know Google isn’t evil, right? :-/

What can we do about this? As a user…opt out of installing any syncing apps on your corporate BlackBerry for starters. But what about blocking syncing on the device via BES policy? As far as I can tell the only way is to block the application from being installed via policy. This will become problematic when Google/Facebook releases new versions for example. Not sustainable. I’m no BES administrator but there might be other ways to prevent the application from being installed or the syncing from happening but it brings up some interesting discussion. By the way, there are some problems when you have the Facebook application and Google Sync installed at the same time. No thanks.

Something else to think about. How does your company handle BlackBerry deployments? Are they company issued and owned? Or do you allow your users to own them and the company pays for the data plan? All of this would have to be considered before blocking or preventing syncing applications (or any third-party application) from being installed. If you have any thoughts or ideas on this, comment below!


Social Networks and Black Magic

Social networks are shrouded in mystery. Just their very existence defies the laws of physics. If it were the late 40′s men in strange suits would be trying to dissect them at some top secret facility, but we have come so far since then :) Even though this sounds ridiculous, this is what many would have you believe about social networks. Why you ask? Because many of the people that talk about attacks and the dangers of social networks don’t even use them. They make all kinds of assumptions about soc nets that are completely false. The funny thing about assumptions when you are theorizing attacks is if your assumptions are faulty then your conclusions are faulty. Let’s cut the crap and focus on the real threats to social networks and their users.

Bruce Schneier just had a post in his blog about Social Networking Identity Theft Scams. In this blog post he refers to an article on ITworld titled Why you can’t trust ‘friends’ on Facebook as clever. This isn’t clever, this is dumb and extremely improbable. This is a perfect example of people talking about social networks that have no idea how they are used. The explanation of the scenario shows a clear lack of understanding of how social network users view and interact with their network.

I will not go in to all the specifics of what they were talking about, but it is based on the premise that you view your social network “friends” as you view your friends and family from the non-web world. Now, it’s possible and even likely that you may meet someone on a social network and actually become friends with them. This may even be part of the appeal for someone participating in a social network. The problem for an attacker is cultivating a true friendship takes time, effort, and resources. Attackers and scammers are all about effort vs reward. They are not going to take 6 months to a year of effort to try and scam someone out of 100 dollars.

Some other faulty logic they used is blurring the lines between the topic they were talking about and the Nigerian scam where they compromised peoples actual accounts. They then sent messages to their friends saying they were stuck in Nigeria and needed money. Still dumb, but this is a compromise of an already established social network presence. A far greater difference than a friend of a friend that you don’t know asking for money. You can see more information about that here. True they both ask for money, but the scenarios are far different.

Now This is Nasty

If you want to talk about dangerous, during the talk Shawn Moyer and I did at Black Hat and Defcon last year and even our ShmooCon talk this year I mention a concept that involved attacking innocuous functions. On certain social networks this would allow you to semi-hijack a person’s social network identity. The concept deals with blocking communication and creating a denial of service condition for all visitors to someone’s social network profile. You could then create a new, duplicate identity with the user’s information and try to re-friend previous friends. In the message you tell them something went wrong with your account and you had to create a new one.

This is far more dangerous than the scenario that the article goes in to. It’s much easier than trying to compromise someone’s account, you are able to disrupt normal communications between friends, and you are able to potentially hijack already established trust. An attacker could then run a scam under this identity giving them a higher percentage of success.

Social Networks and Safety

I am the last one to say that social networks are safe, for example see here and here. I just can’t stand bad information and fear mongering. Yes, fear mongering. “The child molesters are going to get your kids on the social networks”. Yuck! In a comment on his own blog post Bruce said,

“I’ve seen some of my friends on Facebook put their address and phone number on their information page. Anyone they add can see it, and one such person I know has well over 1,000 friends. Not a good combination with videos of his two small children posted.”

Why is that not a good combination. You can’t possibly believe that 0.1% of the Facebook population are child predators?

Now it’s true that some people do put far too much information on their pages. This is due to the fact that it is not clear to them what is really sensitive.

A Note To Parents

Child predators are not trolling social networks (with any significance) trying to molest your kids. Child predators are opportunistic just like other types of attackers. They are not going to see an address on a social network and pay the house a visit. There are just too many variables for the predator to deal with. Parents, guns, neighbors, witnesses, geographic locations, and many other factors make this a prohibitive method for them to use.

Now as far as them using social networks to try and contact your kids there are many factors there as well. Social networks do monitor their network. Some networks are better at it than others, but there is the monitoring factor. Not to mention the person would have to spend quite a bit of time creating a relationship with your kids, which leaves them at risk for being found out by parents. I mean hopefully your kids don’t just go off to meet with strangers. If that is the case then you have much larger problems.

As parents you have control over the internet connection and your kids usage of the Internet. Know who they are talking to and what their activities online are. Remember your being curious not paranoid. You get paranoid over things you have no control over, these are your kids :) Know who they talk to and who their friends are. After all, a predator is going to try to get them alone and away from parents.

There is always the rare case that is the exception to the rule. Things happen and there are people who are just nuts and don’t think logically. People have been watching too much To Catch A Predator and think that the world is crawling with child molesters. Common sense should be your guide not a television show that is trying to get ratings. Besides in that show they had people posing as teens in an adult chat rooms, not social networks. Which just goes more to the point that I made about these individuals being opportunistic.

If you want more proof about the social network threats to kids being overblown you can read more about it from the New York Times here.

The Thief Scenario

Having your address on your soc net page and then a message saying, “On vacation out of the country” seems like (and really is) a stupid thing to do. Let’s look at it closer from the viewpoint of a thief. There are many variables here as well that still wouldn’t make this feasible. What about alarms, house sitters, family, neighbors, etc. This is on top of the information gathering activities that a thief would have to do prior to targeting someone anyway.

Now what is much more likely that attacker would target someone and augment their activities with information they find on social networks. These sort of targeted, personal information gathering activities can be pretty dangerous, but still not very realistic from a thief’s perspective. Thieves are opportunistic as well. What would change the scale is if you had known assets that someone REALLY wanted. This would warrant the time put in to the information gathering activities. Even in these scenarios the information from social networks only helps, the person would most likely be targeted anyway. There are rare exceptions, but just trying to put this in to perspective.

Social Landscape

There are aspects that make social network ripe targets for attack. They are a large collecting point for users. They are made up of mostly user generated content, many allow extensions and 3rd party applications. Any large collecting point of users is going to be looked at by an attacker. These are just the facts, but when discussing dangers and threats we need to look at them in terms of real risk. When we raise the danger flag for things that aren’t necessarily a risk we may draw attention away from things that really are a danger.

I particularly enjoy the individuals who say that they would never join a social network or communicate with people who do. As if people that use social networks somehow don’t know something that they do. I turn that around, why not use social networks? Are you socially inept and not able to communicate with your fellow man? Do you even know what social networks are used for? Of course, using social networks is a personal preference. It doesn’t have any bearing on the user’s awareness or intelligence level. However there are millions of the ugliest MySpace pages in history just waiting for you to view them :)

Now there are some social impacts when professionals use social networks that I may cover in another post, because these have impacts as well.

In Closing

The low level of probability of these attacks is no excuse to be careless with your information. I just wanted to put some things in perspective and curb potential fear mongering. When you participate in a social network you are responsible for the information you post about yourself.

I think ultimately if you read articles or hear people theorizing about attacks on social networks and they don’t have a social network presence, be skeptical. This is especially true when they are discussing social attacks. While it’s true that social networks are just web applications sometimes the vulnerabilities come from how users interact with them. This often requires participation for understanding.

Lastly, I want to make it clear once again, I am not vouching for the safety of social networks by any means. There are many dangers on social networks. I just want to make sure that we focus on the true dangers of social networks so we can raise awareness for those issues.

Open letter to friends about… Facebook Friend Finder

When I’m on social networking sites, and I see friends who are using features like the Facebook Friend Finder, here’s what I send them, privately…


Hi ,

I saw your post about using the Friend Finder. There are a couple of risks in using features of sites like Facebook, where they ask for your email address and password so they can “Find your friends”.

What the site will do is log in to your Yahoo (or whatever) email account and start searching through all your contacts for email address that match ones of other members. They may say they do this safely, but I don’t recommend giving your password from one site to another site.

They don’t actually guarantee that your password won’t be lost or abused.

They also have exposure to “all” your email contacts, and while they “say” they won’t send email without your permission, they won’t guarantee it either.

So, if a hacker breaks their security (and Facebook is a BIG target for hackers), then your email account (and if you’ve used the same password for other sites, them too) could be used in Identity Theft, and your email contacts could all start receiving dangerous spam that might lead to their identities being stolen.

I might be a bit paranoid, but I’d just like to see you avoid future annoyances and embarrassment.

Site Meter

I am now offering monthly briefings, tailored to organizations that want to build and sustain security awareness for staff. Just because your security team is too busy to do its own training and awareness doesn’t mean you can’t have an economical way to address human security risks. Please call or email me at the coordinates below…

Scott Wright

The Streetwise Security Coach

Join the Streetwise Security Zone at:
http://www.streetwise-security-zone.com/join.html

Phone: 1-613-693-0997
Email: scott@streetwise-security-zone.com
Twitter ID: http://www.twitter.com/streetsec

To receive weekly security tips and other notices about helpful content available on this site, please make sure you are on my list by clicking HERE, and entering your name and email address.

 

 

Site Meter

Using 25 random things against you

I have been seeing a bunch of friends on social networks filling out these “25 Random Things About Me” surveys. I just saw another one going around called “44 Odd Things About You” as well. I remember this similar type of activity passed along in email several years ago but now it’s made its way to social networks such as Facebook and MySpace. Here is what the request looks like once you have been “tagged” by one of your friends:

RULES: Once you’ve been tagged, you are supposed to write a note with 25 random things, facts, habits, or goals about you. At the end, choose 25 people to be tagged. You have to tag the person who tagged you. If I tagged you, it’s because I want to know more about you.

This sounds fun and a good way to network with your friends, however, let me tell you why putting in this information might be a bad idea.

What’s the big deal? This is fun…right?
One of the basic rules everyone should be following when using social networks is that you should consider everything you post as public information. For example, would you write down these 25 random things about you, stick your name on it, make copies and put them in the mailboxes of complete strangers in your neighborhood? Are all of the people you are friends with truly your friends? Will they always be your friends? How is your profile configured? Have you looked at your “Notes” application settings in Facebook? More importantly, do you allow your profile to be searched by search engines? If you posted these 25 random things to your profile and/or wall, you may have inadvertently allowed these things to be found by total strangers. Remember, personal information on social networks always seems to get out even if you do use the correct privacy settings…sometimes through no fault of your own.

Can I haz your password plz?
With these 25 random things about you someone may even be able to use your answers to gain access to your email, other social networks, bank accounts, etc…why? Check out this list of questions that are asked when requesting a “lost password” or “password reset”. Many of these are from online banking and other sensitive web sites and looks similar to…25 random things about you.

Think this doesn’t happen? This type of attack did happen to Vice Presidential candidate Sarah Palin last year. A hacker was able to reset her Yahoo email account password using information he found on her publicly accessible Wikipedia page. Here is a quote from the Sarah Palin hacker:

“…after the password recovery was re enabled, it took seriously 45 mins on wikipedia and google to find the info, Birthday? 15 seconds on wikipedia, zip code? well she had always been from wasilla, and it only has 2 zip codes (thanks online postal service!)

the second was somewhat harder, the question was where did you meet your spouse? did some research, and apparently she had eloped with mister palin after college, if you look on some of the screenshots that I took…so graciously put on photobucket you will see the google search for palin eloped or some such in one of the tabs.

I found out later though more research that they met at high school, so I did variations of that, high, high school, eventually hit on Wasilla high I promptly changed the password to popcorn and took a cold shower”

This could happen to anyone! So by knowing some of your 25 random things, someone may be able to reset your passwords, impersonate you or even cyberstalk you. My advise? Don’t fill these things out or leave these surveys very general and not too detailed. Email might even be a safer place for this type of information…. Stop and think before you post overly detailed information about your life on social networks..it can all potentially be used against you.


Twitter for Information Gathering

Twitter!

If you are interested in using Twitter for information gathering/mining about potential targets for a penetration test or for “other” research…I highly recommend the very comprehensive article that Lenny Zeltser from SANS put together. Twitter is really becoming a great tool for not just marketing yourself or your business but also to find out detailed information about a company, individual or organization.

One thing I would add to Lenny’s article is that social media in general is the new “hotness” when it comes to information gathering and reconnaissance. If you are a penetration tester you really need to start leveraging all the information contained in social networks! Better yet, use Maltego which can help search multiple social networks and visually show you this data. You can even hit up the Twitter API with local transforms in the new version of Maltego…yummy!

Twitter photo via Jenny Hayden.


Twitter Leak

Gareth Heyes demonstrated on his blog that by exploiting a weakness in JSON, it is possible to extract the twits of the visitor’s friends.

Twitter have fixed this issue, by making authentication on the friends timeline mandatory, as is already on other pages with sensitive information.
Giorgio Maone, the creator of NoScript, shows that the JSON weakness can still be demonstrated on the public timeline page. Fortunately, this page is intended for public information.

Social Media Security on the Streetwise Security Zone Podcast

Late last week I was a guest on the Streetwise Security Zone Podcast talking about my Facebook Privacy & Security guide, social media security as well as some other interesting security topics.

I highly recommend you check out some of the great things that Scott Wright has put together. He has built a security community focused on security awareness for businesses and you may also know Scott as the creator of the Honey Stick Project. Good stuff to check out! I look forward to working with Scott more in the future.

You can check out the Streetwise Security Zone web site and podcast for more information. Definitely another security podcast to add to your play list!


Summary of the Twitter Security Incidents

One of the 33 pwnd Twitter accounts

I won’t beat a dead horse…we all know that Twitter had a few *security issues* this week. The good news is that usually once something like this happens to a company (especially one that gets so much media attention) things start to change and security gets taken a bit more seriously. Lets remember that Twitter suffers from the traditional security problem of not building an application with security in mind, however, lets hope these issues bring change to one of the most used social media services.

Below is the break down of events with some of my own comments and links to good articles that detail out everything that happened.

#1 Twitter Phishing Attack
I wrote a blog post about this a few days ago. Basically, this is no different then what you see in any other traditional phishing attack except that this is the first time Twitter was targeted on a large scale. Some have even said this was a “worm” because of the way that the phish propagated.

Once a user clicked on the bogus link, entered in their Twitter credentials…their Twitter account was compromised and automatically used to send DM’s (direct messages) to others the compromised user was following. Twitter quickly reacted and worked with blogspot and others to shut down the redirect. However, the web site that hosts the fake Twitter sign-on page is still active and is even being used to phish Facebook users! Why is this not shutdown? Long story but the site is hosted in China and that presents a whole host of issues to get the site taken down. The good news is that if you try to go to the URL in Firefox or Safari the phishing filter kicks in and stops you from going there. I haven’t tested IE 7…and neither should you. :-)

On a side note, I agree that OAuth (or something like FriendFeed’s Remote Key) should be implemented as part of an overall security strategy for Twitter but would not prevent traditional phishing attempts like this from happening (some others share this opinion as well). OAuth is good for authenticating third-party applications (like Twillow or Twitterfeed) that require your Twitter credentials to access your account and do things on your behalf. Lot’s of discussion going on the blogs about this and I’m sure it will continue.

Links that have good information about the Twitter phish: Twitter’s Blog, Naivete: Web 2.0′s biggest security threat and an article over at Twitter Truth

#2 Twitter gets Hacked
This was not related to the phishing incident. Pure weird coincidence that this happened right after users started to figure out what happened with the phishing issue. Ironically, many of us on Twitter (including myself) thought that this was related to phishing after we saw @foxnews get owned but once Britney Spears, Obama and others started showing up with strange tweets many of us knew there was something else going on.

Basically, an 18 year old who wanted to “pen-test Twitter” decided to build a Twitter brute force application that would try common dictionary words against at specific Twitter account. One problem with the current Twitter security model is that there is no lockout policy, meaning, you can try as many failed passwords as you like until you get lucky with the correct password. This guy found one of the accounts used by the Twitter support people (Crystal) and brute forced the password using his tool. Password of “happiness” was found and he was in! There was a password reset feature in the administrative panel that allowed him to reset the password and change the email address of any Twitter account. He didn’t use the accounts himself, rather…he posted that he had access to 33 accounts and gave access to others in a hacker forum that requested the accounts. You can read more about this in the Wired article below as well as see the YouTube video that the hacker put up to prove he did the hack.

Weak Password Brings ‘Happiness’ to Twitter Hacker

How does Twitter get fixed?
Security is always about compromise and with Twitter in particular there has to be a balance between usability and secure features. I was a guest on the SecuraByte podcast the other night talking about the recent Twitter security issues as well as how to secure social media in general. We came to the conclusion that there is no good answer. However, we all agreed that there has to be a mix between technical and non-technical solutions. The technical being better forms of authentication and basic web application security controls (account lockout, email verification..as examples) for starters. On the non-technical side there has to be more basic security education (setting unique hard to guess passwords as an example) focused on the users of social media through lots of different means. There is no good answer to these problems and there are many different opinions but hopefully we can all come to some common ground so we can all make social media more secure for everyone.

Here are a few good links with things that Twitter should consider when re-evaluating the current model:

Ten Security Measures for Social Networking sites – ThreatChaos
Twitter and the Password Anti-Pattern – FactoryCity
The inevitable rise (and fall?) of “twishing” – Jennifer Leggio ZDnet (guest post by Damon Cortesi)

I think we can all agree that Twitter needs to do something soon as the current security model is not sustainable for very much longer.

What are your thoughts on the recent Twitter security issues and social media security in general? How do you think we can we make social media more secure?


1 31 32 33 34 35