Firesheep’s Revenge

No, this is not an article on the new version or even newly added super hero features for firesheep? #titlefail? Maybe but please read on then decide.

I know firesheep has lost its shiny coin syndrome with most but the attack is still working quite well in the field.  While the readers/listeners have been doing a good job of enabling secure browsing options in Twitter and Facebook, we still have a long way to go. Please keep spreading the word and keep pleading to social networking sites to enable secure browsing by default.  So, Why the “Firesheep’s Revenge” title?  Well these last month’s, a couple of us have been testing common social media monitoring (SMM) tools.  These tools are generally used by small businesses, internal marketing, or external marketing companies to help update social media accounts without the hassle of logging into every social networking site individually.  We have been testing these SSM’s and found that:

http://hootsuite.com/dashboard#
http://sproutsocial.com/dashboard
http://standard.cotweet.com/channels#

Are not using secure browsing by default, allowing us to hijack sessions.  What does this mean? Well by adding your social media accounts into these SMM tools, you are granting the tool permission or full control over that account(s). By gaining control over the tool we are bypassing all the hard work you did by enabling secure browsing in each of your twitter and facebook accounts.  Try explaining to the VP of Marketing that even though you checked the “defeat firesheep” box it still works. And not only will it work on Facebook/Twitter but now LinkedIn, Foursquare, ping.fm and Ning accounts all in one interface. Most of the time we were looking at full access to the corporations social media strategy. So, we are right back to where we started, teaching the user that security is usually the last thing on the mind of these rapid development firms. If you do not see the option of “secure browsing”, then please be careful of where you update your social media accounts. Ask your tool makers where this option is located.  If they do not have this option then maybe you should look for another tool.

James F. Ruffer III
Unixbox
@jruffer

LinkedIn Apps Announced

Posted originally on Neohaxor.org, re-posted with permission:

Business social network LinkedIn announced their LinkedIn Applications today. The applications directory can be viewed here There are only several applications to chose from at the moment. I am sure that number will grow soon. LinkedIn uses Google’s OpenSocial just like other social networks such as MySpace, Orkut, hi5, etc. I only spent like 5 minutes looking at a couple of things. So, the following are only my quick thoughts and impressions.

The applications are delivered though the domain lmodules.com. This makes them easy to identify and block if that’s what you would like to do.

At first glance it appears that the vetting process for LinkedIn is higher than some of the other social networks. They appear to only want known businesses to create applications for their network at this time. This would help root out some possible malicious users. A vetting process is a good first step in thwarting that type of malicious behavior. I didn’t look at the difficulty in attaining a developer account, but I am assuming it is much more difficult than other social networks like MySpace, Facebok, etc. Now, whether this vetting process will stay this stringent will remain to be seen. These procedures may be relaxed in the future due to demand.

Just because the name has changed doesn’t mean the threats have changed. As a matter of fact there may actually be more on the table. Business networks such as LinkedIn are more likely to contain real information about people vs other non-professional social networks. Not that people don’t share enough about their real self on other social networks. This means the same threats exist for the capture of information as on other social networks.

There are still technical threats from social network applications on LinkedIn as well. These are the very same issues as other social networks that we have discussed in the past and demonstrated. Malware distribution, social engineering, attacking clients, information harvesting, click fraud are just some of these threats from social network applications. Moral of the story is be careful. Don’t install apps you don’t need, even though you may do so on your iPhone ;)

So all in all the threats are the same with LinkedIn as any other social networks that employ applications. However, with a more stringent vetting process this should reduce the possibilities for malicious by making accounts harder to get.