Social Media Security Podcast 4 – Death by Twitter, Open Source Intelligence, Policies, Google Wave

skullThis is the 4th episode of the Social Media Security Podcast recorded November 6, 2009.  This episode was hosted by Scott Wright, Tom Eston and Kevin Johnson.  Below are the show notes, links to articles and news mentioned in the podcast:

  • More scams on Twitter including the recent IQ quiz attack.  Disinformation on social networks…someone died example..are you sure they are really dead?
  • Tom talks about his Open Source Intelligence Gathering talk that he recently gave.  How do you find information posted about your company on social networks and why should you look?  Now is probably a good time for your company to create a social media strategy and then develop a Internet postings policy around this strategy.
  • Cisco has a great Internet posting policy to reference when created one for your company.
  • Scott talks about creating a postings policy for your company.  Here is a link to the Forrester book titled “Groundswell” that talks about creating a social media strategy.
  • Kevin talks about Google Wave.  What is it and why would we want to use this?  What are some of the security issues with Google Wave?  Check out the great research that theharmonyguy has been doing on Google Wave.
  • Developers! Please start coding securely from the beginning of the project! ktksbai.
  • Be sure to follow us on Twitter to stay up-to-date on all the latest news in the world of social media security!

Please send any show feedback to feedback [aT] socialmediasecurity.com or comment below.  You can also call our voice mail box at 1-613-693-0997 if you have a question for our Q&A section on the next episode.  You can also subscribe to the podcast now in iTunes! Thanks for listening!

Should you use Twitter for Online Banking?

Today, a credit union in St. Louis, MO called Vantage Credit Union announced that they are offering a service through Twitter called tweetMyMoney to conduct online banking.  Banking credentials, PINs and account information are not passed through tweets made via direct message to the @myvcu Twitter account (from the FAQ listed on the bank’s website), only commands to get account balance, recent transactions, etc.

However, there are a few potential security issues/concerns with this type of service.  While it seems that VCU has made this system with good intentions, most of these concerns center around the fact that you are putting in requests for account information and even transferring money to other accounts through Twitter which is a third-party service not owned or managed by the bank.

  • Plain and simple, Twitter is a third-party service.  When you send a direct message (DM) to another Twitter user this message is stored on Twitter’s servers.  Not the banks.  The bank is simply retrieving these messages.  You should never have any expectation of privacy from DMs *at all*.  Sure, they are “private” to you and the user you are sending it to but think about who on Twitter’s end might be able to view these DMs.  Remember, security at Twitter is not very important currently as we have seen several times in very recent history.
  • What about the scenario of a local “man-in-the-middle” attack where someone could be sniffing your network traffic to modify your banking requests?  A simple attack like this could easily compromise the users Twitter account.  Guess what, people like to reuse user id’s and passwords…we all know where that could lead to.  I am not sure if they are using any form of two-factor authentication for their online banking application so you may only need a login id and password to access a compromised online banking account.  Again, not sure this is the case with VCU but yes, some banks are still using single factor authentication!
  • How about the security of the @myvcu Twitter account you send your direct messages to?  Attackers *will* target this account, it’s only a matter of time.  You are trusting that the folks at VCU are properly securing this account and there are no vulnerabilities or exploits on the Twitter site to compromise the account as well.  It also looks like this account is used for communicating with customers…it could be possible that these credentials could be phished and/or compromised through multiple avenues of attack.
  • I question the correspondence authentication codes that they have put in place.  Relying on the user to change these multiple codes is an interesting choice.  I could see this being spoofed quite easily.
  • Lastly, the users of this system could also be targeted if say a user accidentally tweeted something like “#l5d 7” to their followers instead of by DM (known as #dmfail)?  Attackers can easily script a bot to look for these patterns and target these users.

I don’t want to knock the folks at VCU as it seems that they are a very “progressive” bank and it looks like they want to push the envelope of new technology.  My opinion is that it just seems that there are too many points of security “fail” in this system.  Potential failures in the Twitter service, @myvcu account and Twitter users of the VCU system in addition to the third-party privacy concerns all make for something that you shouldn’t be trusting your online banking to.  Social networks are not for online banking in any form…srsly.

Thanks to @rogueclown and @nickhacks for the tweets and comments about this new service.

Social Media Security Podcast 2 – Month of Facebook Bugs, What is XSS, Canadian Privacy Ruling

skullThis is the second episode of the Social Media Security Podcast recorded September 25, 2009.  This episode was hosted by Scott Wright, Tom Eston and our new co-host Kevin Johnson.  Below are the show notes, links to articles and news mentioned in the podcast:

  • Introducing our new co-host, Kevin Johnson.  Kevin is a Senior Security Analyst for InGuardians and is also an instructor for the SANS Institute, teaching both SEC504: Hacker Techniques, Exploits, and Incident Handling and SEC542: Web App Penetration Testing and Ethical Hacking courses.
  • Tom talks about the Month of Facebook Bugs (created by a security researcher called “theharmonyguy”) why this is important and how many vulnerable applications have been exploited and fixed so far.  Here is the list of top Facebook applications that Tom mentioned in the podcast.
  • Kevin gives a great non-technical overview of a web application vulnerability called Cross-site Scripting (XSS). Many of the Facebook applications we found in the “month of Facebook bugs” were vulnerable to XSS.  Kevin describes what XSS is, how it works and how dangerous this vulnerability is to social networking applications like Facebook.
  • Scott talks about the recent ruling regarding the Canadian Federal Privacy Commissioner vs. Facebook.  This ruling in Canada has created wide reaching changes to privacy and the way applications function within Facebook.
  • Scott also included a brief interview with the Canadian Privacy Commissioner’s Office about this recent Facebook ruling.
  • Tom has updated his Facebook Privacy & Security Guide.  You can download the latest version here.

Please send any show feedback to feedback [aT] socialmediasecurity.com or comment below.  You can also call our voice mail box at 1-613-693-0997 if you have a question for our Q&A section on the next episode.  You can also subscribe to the podcast now in iTunes! Thanks for listening!

New Version Released: Facebook Privacy & Security Guide

Facebook has made some changes to the privacy settings for Facebook profiles since the last time I updated the Facebook Privacy & Security Guide which was back on it’s original release (October 2008).  As with all things on the web…we want to keep this guide as current as possible so users of Facebook know how to configure each of the privacy settings in their profile.  Updates in this version (v1.1) include:

  • News Feed and Wall settings have been updated.  Facebook removed settings such as “time and date” and streamlined other settings
  • I have provided more information on how Facebook applications work and how you should configure your application privacy settings based on if your friends install an application
  • Updated information about Facebook Ads, Facebook Connect settings and Beacon websites

Click here to download the new version of the Facebook Privacy & Security Guide (v1.1)
(if you are downloading this to your browser, be sure to clear your browser cache prior to downloading as you may have the old version in your cache.  Better to do a “Save Link As…”)

As usual, please send any feedback about the guide to feedback[aT]socialmediasecurity.com or post a comment below.  As a supplement to this guide, stay tuned for a video walk through which we plan to post on YouTube and also make it available for free download.  If you have any other suggestions for user awareness guides, articles, video’s etc…consider joining our mailing list.

Vote for Inherent Dangers of Real-Time Social Networking panel at #SXSW

SXSW2010_logo_squareWe were happy to see that one of the panels up for selection at the South by Southwest (SXSW) Interactive Festival next year (March 12-16, 2010) is a panel about the security of social networks called “Inherent Dangers of Real-Time Social Networking”.  The way panel selections work st SXSW is that they are up for open voting which ends on September 4th.  Basically the voting works like this (from the SXSW site):

“SXSW is a community-driven event. So, knowing what kinds of topics you want to hear at the event next March is extremely important to us. Your voting accounts for about 30% of the decision-making process for any given programming slot.

Also important is the input of the SXSW Advisory Board, which is a group of industry professionals from across the US and around the world. The final part of the panel decision-making equation is the input of the SXSW staff.”

So yes, you have a big part in the selection process!  This panel includes the following participants:

Jennifer Leggio (@mediaphyter), ZDNet
John Adams (@netik), Twitter operations and security incident response team
Damon Cortesi (@dacort), security consultant at Sevicron, founder of TweetStats, Twitter app developer
Mike Murray (@mmurray), CISO of Foreground Security

Awesome, awesome group for this panel.  Here is the description of the panel (from the SXSW PanelPicker site):

“There’s plenty of chatter about social media and security issues, from social engineering to the naïveté of users. This panel of experts will explore how cyber criminals are taking advantage of socnets flaws and lack of user awareness, and what both individuals and companies can do to help protect themselves.”

Since this is one of the biggest media conferences of the year, we highly encourage you to vote for this panel.  This will be one not to miss if selected!  What are you waiting for?  Go vote now!

Sex Offenders in IL Banned from Social Networking Sites

There was an interesting post on Mashable today about a new law that was just passed in Illinois by the governor Pat Quinn.  Basically, it bans sex offenders from using social networking sites.  The problem is that social networking is so loosely defined that this could mean any news site or blog.  Think about Facebook Connect or anything that shows a profile picture with media links and/or text.  In addition, how would this stop a sex offender from using an alias and/or fake name on these sites (if you can even define what these sites are)?

There is some interesting conversation brewing around this one especially around the fact that just by peeing in public you are considered a sex offender in 13 states!

Read the entire article on Mashable here.

View proposed changes to the Facebook SRR/ToS

fb_governanceYou can view and comment on changes to the Facebook SRR (Statement of Rights and Responsibilities or better known as “Terms of Service”) located on the Facebook Governance Page.  You can download and review the redlined proposed changes here.  The deadline for comment is 12pm PST August 18th.  It is important for Facebook users to review these new terms as there are significant changes to the SRR and the wording that is used.  Most of the SRR will affect your privacy as a Facebook user.

For example, make sure you note the following:

1. For content that is covered by intellectual property rights, like photos and videos (“IP content”), you specifically give us the following permission, subject to your privacy and application settings: you grant us a non‐exclusive, transferable, sub‐licensable, royalty free, worldwide license to use any IP content that you post on or in connection with Facebook (“IP License”).  This IP License ends when you delete your IP content or your account (unless your content has been shared with others, and they have not deleted it).

3. When you add an application and use Platform, your content and information is shared with the application.  We require applications to respect your privacy settings, but your agreement with that application will control how the application can use the content and information you share.

4. When you publish content or information using the “everyone” setting, it means that everyone, including people off of Facebook, will have access to that information and we may not have control over what they do with it.

You should already know these things though, right?  :-) Remember: Anything you post to Facebook private or not…consider it public information.  You can leave your comments on the Facebook Governance Page or feel free to comment here.  We would love to hear your opinion of these upcoming changes.

Security and Privacy in Social Networks Bibliography

We just added a fantastic link to 70+ academic papers about security and privacy issues in social networks. It is maintained by Joseph Bonneau from the University of Cambridge.  You will see a page titled “Research” at the top of the page where you can get links to this and other academic papers and research papers.

Thanks to Joe for the submission!

1 2 3