The Social Media Security Podcast

How to Write a Facebook Virus

Posted under Contributors, Facebook on August 24th, 2009 by theharmonyguy

Find a cross-site scripting vulnerability in a widely used Facebook application. At least three of the top 10 applications currently have one.
Craft a short link that redirects to a specially infected XSS link. You can use a clickjacking attack to help ensure that users who don’t have the application installed still get infected.
Write JavaScript code for your XSS injection that harnesses a user’s session secret and uses it to make Facebook API requests. More information about how this works is freely available online.
You’ll probably want to include code that harvests profile information (such as date of birth, interests, and educational history) from infected users and their friends, since that simply requires an FQL query. You could also download photos if you so desire. In order to appear inconspicuous, use the same FQL queries that advertising networks use for targeting.
If you want to include a few pop-ups or malicious redirects in your code as well, feel free. If you can do it in JavaScript, you can do it here.
Finish up your code with a few API requests that post a one-line story to a user’s wall or send notifications to their friends, since both of these are also generally possible with injected code. Include your short link in these posts. Finally, redirect the user to an innocent page so they don’t suspect anything.
Note that after a little while, someone may catch on and patch the hole in the application you’re exploiting. But since multiple applications typically have holes (see step 1), you can easily switch your code to a new one. Since you’re using mainstream applications, they’re not likely to be banned as quickly as suspicious-looking rogue applications, so that should buy you some time.

Fully functional demonstration code available to security researchers and media outlets upon request.

Note that this is not simply a problem with Facebook applications. This is a problem with the Facebook Platform. These instructions will remain valid until Facebook takes action on publicly noted issues with their current setup.

The inconvenient truths about social media risks to your enterprise

Posted under Contributors on August 21st, 2009 by Scott Wright's Security Views

This article (click HERE) has some great insights that are very consistent with what I am hearing from managers and professionals in the Legal and HR fields. Social media is here to stay, and you can’t block it completely out of your organization for very long. Sooner or later, you’ll have to look at it from every possible angle, and come up with a rational strategy for managing the risks.

You really need to stop and think about the implications and risks of Social Media, as they pertain to:

In-house Research, Collaboration and Development
Marketing, Sales and Business Development
HR screening
Product support forums
Employees’ home use of social media

There are many subtle risks that require cross-functional attention before letting people loose.

Are you just trying to close your eyes and hope it all goes away?

Or are you working with your team to lay out some ground rules for success with Social Media?

I am now offering monthly briefings, tailored to organizations that want to build and sustain security awareness for staff. Just because your security team is too busy to do its own training and awareness doesn’t mean you can’t have an economical way to address human security risks. Please call or email me at the coordinates below…

Scott Wright

The Streetwise Security Coach

Join the Streetwise Security Zone at:
http://www.streetwise-security-zone.com/join.html

Phone: 1-613-693-0997
Email: scott@streetwise-security-zone.com
Twitter ID: http://www.twitter.com/streetsec

To receive weekly security tips and other notices about helpful content available on this site, please make sure you are on my list by clicking HERE, and entering your name and email address.

Vote for Inherent Dangers of Real-Time Social Networking panel at #SXSW

Posted under Social Media, Social Networking on August 18th, 2009 by Tom

We were happy to see that one of the panels up for selection at the South by Southwest (SXSW) Interactive Festival next year (March 12-16, 2010) is a panel about the security of social networks called “Inherent Dangers of Real-Time Social Networking”. The way panel selections work st SXSW is that they are up for open voting which ends on September 4th. Basically the voting works like this (from the SXSW site):

“SXSW is a community-driven event. So, knowing what kinds of topics you want to hear at the event next March is extremely important to us. Your voting accounts for about 30% of the decision-making process for any given programming slot.

Also important is the input of the SXSW Advisory Board, which is a group of industry professionals from across the US and around the world. The final part of the panel decision-making equation is the input of the SXSW staff.”

So yes, you have a big part in the selection process! This panel includes the following participants:

Jennifer Leggio (@mediaphyter), ZDNet
John Adams (@netik), Twitter operations and security incident response team
Damon Cortesi (@dacort), security consultant at Sevicron, founder of TweetStats, Twitter app developer
Mike Murray (@mmurray), CISO of Foreground Security

Awesome, awesome group for this panel. Here is the description of the panel (from the SXSW PanelPicker site):

“There’s plenty of chatter about social media and security issues, from social engineering to the naïveté of users. This panel of experts will explore how cyber criminals are taking advantage of socnets flaws and lack of user awareness, and what both individuals and companies can do to help protect themselves.”

Since this is one of the biggest media conferences of the year, we highly encourage you to vote for this panel. This will be one not to miss if selected! What are you waiting for? Go vote now!

Defeating MSPLinks on MySpace

Posted under Contributors, MySpace on August 17th, 2009 by Tom

The following post is a contribution from a researcher called “anti-social”:

A few years back MySpace implemented MSPLinks as a way to defeat spammers from posting their spam URL’s. The idea being that spammers couldn’t make money if they constantly had to buy new domains. The idea worked to a pretty good extent once MySpace finally figured out how to filter all the XSS vulnerabilites they had when sanitizing profiles.

About a year ago, MySpace added to MSPLinks a phishing warning screen to inform users that the site they were going to could possibly be malicious. This screen can be easily defeated by a simple post method with a hidden field. That’s because MSPLinks.com trusts post requests from MySpace.com.

A working example can be found at: http://www.myspace.com/socnetsec

If you click the 1st button under the “About Me” section, the phishing screen isn’t shown (IE and Safari takes you straight through to the link, Firefox pops up a warning asking if you want to post your data to MSPLinks)

If you click the 2nd button, you’ll notice that you’ll be taken to MySpace’s phishing window.

Here is the simple html code in the profile:

<form action="http://www.msplinks.com/MDFodHRwOi8vd3d3LnNvY2lhbG1lZGlhc2VjdXJpdHkuY29t" method="POST">

<input type="submit" name="coolbutton" value="SETTING DISCHECK" />

<input type="hidden" name="discheck" value="on" />

</form>

<form action="http://www.msplinks.com/MDFodHRwOi8vd3d3LnNvY2lhbG1lZGlhc2VjdXJpdHkuY29t" method="GET">

<input type="submit" name="coolbutton" value="NO DISCHECK" />

</form>

What’s the point? Even with SPAM and URL filtering on social networks like MySpace…they can be easily bypassed. Since 2007 there have been many different ways to bypass MSPLinks (just do a Google search), this is just another method. Also, because social networks encourage user generated content, clicking on any links that are posted by the user can lead to bad things. Especially if they are already masked like they are via MSPLinks. MSPLinks have now become even more dangerous because you trust MySpace is filtering these links.

Hopefully, MySpace can come up with something better then MSPLinks as they are pretty much useless to fight SPAM and links to malware sites.

Old News: Twitter can be used for Botnet Command & Control

Posted under Contributors, Social Networking on August 13th, 2009 by Tom

Shocking but true…today a researcher discovered that Twitter has been used for command and control of a botnet which may have been used by Brazilian hackers to steal online banking login information. Kudos to the researcher, Jose Nazario, who found this. It was an interesting read to say the least. The bot would basically look for base64 encoded commands on a Twitter account to download malware via RSS feeds with obfuscated (shortened) URL’s. Interesting…sounds a lot like Robin Wood’s tool KreiosC2 which was released at DEFCON 17. I even did this demo showing what else? Base64 encoded commands. Ironically, I showed off the first version of this code at Notacon 6 back in April of this year. Keep in mind, KreiosC2 can be used for legitimate tasks like controlling things at home remotely via Twitter. I highly recommend you read Robin’s detailed write-up on how KreiosC2 functions.

What I find fascinating (like most things in security) is that now that there has been a real confirmed case of using Twitter for botnet C2 (Command & Control) the media seems to be jumping on it and even trying to determine “why it took so long for hackers to take Twitter to the dark side”. Well, you can’t say we didn’t warn you.

The point that Robin, myself and others were trying to make way back in April was that this is a real threat and the bad guys have probably started to use Twitter for C2 even before Robin put out the code! We were hoping that by releasing the code Twitter (and others) would see this as perhaps an early warning of things to come and perhaps prepare some defense for it (yes, we know it’s hard to put a defense together for something like this). Now that we have a confirmed case used for malicious purposes we hope Twitter takes this seriously and can combat future C2 channels used for very bad things. It always takes something bad to happen to create change…where have you heard that before?

Share and Enjoy

• Facebook • Twitter • Delicious • Digg • StumbleUpon • Add to favorites • Email • RSS

Sex Offenders in IL Banned from Social Networking Sites

Posted under Privacy, Social Media, Social Networking on August 13th, 2009 by Tom

There was an interesting post on Mashable today about a new law that was just passed in Illinois by the governor Pat Quinn. Basically, it bans sex offenders from using social networking sites. The problem is that social networking is so loosely defined that this could mean any news site or blog. Think about Facebook Connect or anything that shows a profile picture with media links and/or text. In addition, how would this stop a sex offender from using an alias and/or fake name on these sites (if you can even define what these sites are)?

There is some interesting conversation brewing around this one especially around the fact that just by peeing in public you are considered a sex offender in 13 states!

Read the entire article on Mashable here.

Your Facebook Profile is Already Public

Posted under Contributors, Facebook on August 13th, 2009 by theharmonyguy

As Facebook’s privacy settings continue to evolve, many have discussed the increased openness as users gain more options to share content publicly. All the while, though, ongoing problems with the Facebook Platform detract from the perceived level of control over privacy.

In essence, you should already think of your profile information as public. First, any application you authorize has carte blanche access to your data. You have no way to limit this access apart from avoiding authorization to start with. Second, if a friend authorizes an application, that application likely has the same amount of access to your profile via your friends’ sessions. You can limit the available data if you have not also authorized the application.

Finally, the current architecture of the Platform leaves users vulnerable to attacks that allow others to harvest profile information. I have demonstrated such attacks before, and the more I investigate them, the more ridiculous the situation becomes.

This morning I found yet another XSS hole in a top 10 Facebook application (by monthly active users). However, this was another FBML application, and as with several other cases, I could not immediately replicate my old XSS+CSRF attack for stealing profile data. With a bit of experimenting, though, I realized another trick. Rather than trying to insert script directly, I took a slightly different approach for executing this script. This new technique ensured script execution, at the price of easy access to the session secret. Using referrers, though, I gained access to the session secret as well. This does require a user to have referrers enabled for JavaScript, but I’m fairly certain that’s the default on most browsers.

Not only did this new trick enable the attack on that particular application, it allowed me to launch the attack using another top 10 application that I already knew had an XSS hole. Both of these applications also allow for clickjacking installs, meaning I could once again relaunch the full attack if I so desired.

Keep in mind that you need not visit an attack page for this to affect you. If you’ve not limited unauthorized applications or the attack uses an application you’ve already installed, your data is vulnerable if a friend visits an attack page.

In short, an attacker could launch pages right now (this is zero-day stuff, people) that silently harvest profile information and photos from nearly any Facebook user. Between these hacks and the threat of rogue applications, you should regard anything you post on Facebook as public information.

View proposed changes to the Facebook SRR/ToS

Posted under Facebook, Social Media, Social Networking on August 12th, 2009 by Tom

You can view and comment on changes to the Facebook SRR (Statement of Rights and Responsibilities or better known as “Terms of Service”) located on the Facebook Governance Page. You can download and review the redlined proposed changes here. The deadline for comment is 12pm PST August 18th. It is important for Facebook users to review these new terms as there are significant changes to the SRR and the wording that is used. Most of the SRR will affect your privacy as a Facebook user.

For example, make sure you note the following:

1. For content that is covered by intellectual property rights, like photos and videos (“IP content”), you specifically give us the following permission, subject to your privacy and application settings: you grant us a non‐exclusive, transferable, sub‐licensable, royalty free, worldwide license to use any IP content that you post on or in connection with Facebook (“IP License”). This IP License ends when you delete your IP content or your account (unless your content has been shared with others, and they have not deleted it).

3. When you add an application and use Platform, your content and information is shared with the application. We require applications to respect your privacy settings, but your agreement with that application will control how the application can use the content and information you share.

4. When you publish content or information using the “everyone” setting, it means that everyone, including people off of Facebook, will have access to that information and we may not have control over what they do with it.

You should already know these things though, right? 🙂 Remember: Anything you post to Facebook private or not…consider it public information. You can leave your comments on the Facebook Governance Page or feel free to comment here. We would love to hear your opinion of these upcoming changes.

« Previous 1 … 17 18 19 20 21 … 29 Next »