Open letter to friends about… Facebook Friend Finder

When I’m on social networking sites, and I see friends who are using features like the Facebook Friend Finder, here’s what I send them, privately…

Hi ,

I saw your post about using the Friend Finder. There are a couple of risks in using features of sites like Facebook, where they ask for your email address and password so they can “Find your friends”.

What the site will do is log in to your Yahoo (or whatever) email account and start searching through all your contacts for email address that match ones of other members. They may say they do this safely, but I don’t recommend giving your password from one site to another site.

They don’t actually guarantee that your password won’t be lost or abused.

They also have exposure to “all” your email contacts, and while they “say” they won’t send email without your permission, they won’t guarantee it either.

So, if a hacker breaks their security (and Facebook is a BIG target for hackers), then your email account (and if you’ve used the same password for other sites, them too) could be used in Identity Theft, and your email contacts could all start receiving dangerous spam that might lead to their identities being stolen.

I might be a bit paranoid, but I’d just like to see you avoid future annoyances and embarrassment.

Site Meter

I am now offering monthly briefings, tailored to organizations that want to build and sustain security awareness for staff. Just because your security team is too busy to do its own training and awareness doesn’t mean you can’t have an economical way to address human security risks. Please call or email me at the coordinates below…

Scott Wright

The Streetwise Security Coach

Join the Streetwise Security Zone at:

Phone: 1-613-693-0997
Twitter ID:

To receive weekly security tips and other notices about helpful content available on this site, please make sure you are on my list by clicking HERE, and entering your name and email address.



Site Meter

Using 25 random things against you

I have been seeing a bunch of friends on social networks filling out these “25 Random Things About Me” surveys. I just saw another one going around called “44 Odd Things About You” as well. I remember this similar type of activity passed along in email several years ago but now it’s made its way to social networks such as Facebook and MySpace. Here is what the request looks like once you have been “tagged” by one of your friends:

RULES: Once you’ve been tagged, you are supposed to write a note with 25 random things, facts, habits, or goals about you. At the end, choose 25 people to be tagged. You have to tag the person who tagged you. If I tagged you, it’s because I want to know more about you.

This sounds fun and a good way to network with your friends, however, let me tell you why putting in this information might be a bad idea.

What’s the big deal? This is fun…right?
One of the basic rules everyone should be following when using social networks is that you should consider everything you post as public information. For example, would you write down these 25 random things about you, stick your name on it, make copies and put them in the mailboxes of complete strangers in your neighborhood? Are all of the people you are friends with truly your friends? Will they always be your friends? How is your profile configured? Have you looked at your “Notes” application settings in Facebook? More importantly, do you allow your profile to be searched by search engines? If you posted these 25 random things to your profile and/or wall, you may have inadvertently allowed these things to be found by total strangers. Remember, personal information on social networks always seems to get out even if you do use the correct privacy settings…sometimes through no fault of your own.

Can I haz your password plz?
With these 25 random things about you someone may even be able to use your answers to gain access to your email, other social networks, bank accounts, etc…why? Check out this list of questions that are asked when requesting a “lost password” or “password reset”. Many of these are from online banking and other sensitive web sites and looks similar to…25 random things about you.

Think this doesn’t happen? This type of attack did happen to Vice Presidential candidate Sarah Palin last year. A hacker was able to reset her Yahoo email account password using information he found on her publicly accessible Wikipedia page. Here is a quote from the Sarah Palin hacker:

“…after the password recovery was re enabled, it took seriously 45 mins on wikipedia and google to find the info, Birthday? 15 seconds on wikipedia, zip code? well she had always been from wasilla, and it only has 2 zip codes (thanks online postal service!)

the second was somewhat harder, the question was where did you meet your spouse? did some research, and apparently she had eloped with mister palin after college, if you look on some of the screenshots that I took…so graciously put on photobucket you will see the google search for palin eloped or some such in one of the tabs.

I found out later though more research that they met at high school, so I did variations of that, high, high school, eventually hit on Wasilla high I promptly changed the password to popcorn and took a cold shower”

This could happen to anyone! So by knowing some of your 25 random things, someone may be able to reset your passwords, impersonate you or even cyberstalk you. My advise? Don’t fill these things out or leave these surveys very general and not too detailed. Email might even be a safer place for this type of information…. Stop and think before you post overly detailed information about your life on social can all potentially be used against you.

Twitter for Information Gathering


If you are interested in using Twitter for information gathering/mining about potential targets for a penetration test or for “other” research…I highly recommend the very comprehensive article that Lenny Zeltser from SANS put together. Twitter is really becoming a great tool for not just marketing yourself or your business but also to find out detailed information about a company, individual or organization.

One thing I would add to Lenny’s article is that social media in general is the new “hotness” when it comes to information gathering and reconnaissance. If you are a penetration tester you really need to start leveraging all the information contained in social networks! Better yet, use Maltego which can help search multiple social networks and visually show you this data. You can even hit up the Twitter API with local transforms in the new version of Maltego…yummy!

Twitter photo via Jenny Hayden.

Twitter Leak

Gareth Heyes demonstrated on his blog that by exploiting a weakness in JSON, it is possible to extract the twits of the visitor’s friends.

Twitter have fixed this issue, by making authentication on the friends timeline mandatory, as is already on other pages with sensitive information.
Giorgio Maone, the creator of NoScript, shows that the JSON weakness can still be demonstrated on the public timeline page. Fortunately, this page is intended for public information.

Social Media Security on the Streetwise Security Zone Podcast

Late last week I was a guest on the Streetwise Security Zone Podcast talking about my Facebook Privacy & Security guide, social media security as well as some other interesting security topics.

I highly recommend you check out some of the great things that Scott Wright has put together. He has built a security community focused on security awareness for businesses and you may also know Scott as the creator of the Honey Stick Project. Good stuff to check out! I look forward to working with Scott more in the future.

You can check out the Streetwise Security Zone web site and podcast for more information. Definitely another security podcast to add to your play list!

Summary of the Twitter Security Incidents

One of the 33 pwnd Twitter accounts

I won’t beat a dead horse…we all know that Twitter had a few *security issues* this week. The good news is that usually once something like this happens to a company (especially one that gets so much media attention) things start to change and security gets taken a bit more seriously. Lets remember that Twitter suffers from the traditional security problem of not building an application with security in mind, however, lets hope these issues bring change to one of the most used social media services.

Below is the break down of events with some of my own comments and links to good articles that detail out everything that happened.

#1 Twitter Phishing Attack
I wrote a blog post about this a few days ago. Basically, this is no different then what you see in any other traditional phishing attack except that this is the first time Twitter was targeted on a large scale. Some have even said this was a “worm” because of the way that the phish propagated.

Once a user clicked on the bogus link, entered in their Twitter credentials…their Twitter account was compromised and automatically used to send DM’s (direct messages) to others the compromised user was following. Twitter quickly reacted and worked with blogspot and others to shut down the redirect. However, the web site that hosts the fake Twitter sign-on page is still active and is even being used to phish Facebook users! Why is this not shutdown? Long story but the site is hosted in China and that presents a whole host of issues to get the site taken down. The good news is that if you try to go to the URL in Firefox or Safari the phishing filter kicks in and stops you from going there. I haven’t tested IE 7…and neither should you. :-)

On a side note, I agree that OAuth (or something like FriendFeed’s Remote Key) should be implemented as part of an overall security strategy for Twitter but would not prevent traditional phishing attempts like this from happening (some others share this opinion as well). OAuth is good for authenticating third-party applications (like Twillow or Twitterfeed) that require your Twitter credentials to access your account and do things on your behalf. Lot’s of discussion going on the blogs about this and I’m sure it will continue.

Links that have good information about the Twitter phish: Twitter’s Blog, Naivete: Web 2.0′s biggest security threat and an article over at Twitter Truth

#2 Twitter gets Hacked
This was not related to the phishing incident. Pure weird coincidence that this happened right after users started to figure out what happened with the phishing issue. Ironically, many of us on Twitter (including myself) thought that this was related to phishing after we saw @foxnews get owned but once Britney Spears, Obama and others started showing up with strange tweets many of us knew there was something else going on.

Basically, an 18 year old who wanted to “pen-test Twitter” decided to build a Twitter brute force application that would try common dictionary words against at specific Twitter account. One problem with the current Twitter security model is that there is no lockout policy, meaning, you can try as many failed passwords as you like until you get lucky with the correct password. This guy found one of the accounts used by the Twitter support people (Crystal) and brute forced the password using his tool. Password of “happiness” was found and he was in! There was a password reset feature in the administrative panel that allowed him to reset the password and change the email address of any Twitter account. He didn’t use the accounts himself, rather…he posted that he had access to 33 accounts and gave access to others in a hacker forum that requested the accounts. You can read more about this in the Wired article below as well as see the YouTube video that the hacker put up to prove he did the hack.

Weak Password Brings ‘Happiness’ to Twitter Hacker

How does Twitter get fixed?
Security is always about compromise and with Twitter in particular there has to be a balance between usability and secure features. I was a guest on the SecuraByte podcast the other night talking about the recent Twitter security issues as well as how to secure social media in general. We came to the conclusion that there is no good answer. However, we all agreed that there has to be a mix between technical and non-technical solutions. The technical being better forms of authentication and basic web application security controls (account lockout, email examples) for starters. On the non-technical side there has to be more basic security education (setting unique hard to guess passwords as an example) focused on the users of social media through lots of different means. There is no good answer to these problems and there are many different opinions but hopefully we can all come to some common ground so we can all make social media more secure for everyone.

Here are a few good links with things that Twitter should consider when re-evaluating the current model:

Ten Security Measures for Social Networking sites – ThreatChaos
Twitter and the Password Anti-Pattern – FactoryCity
The inevitable rise (and fall?) of “twishing” – Jennifer Leggio ZDnet (guest post by Damon Cortesi)

I think we can all agree that Twitter needs to do something soon as the current security model is not sustainable for very much longer.

What are your thoughts on the recent Twitter security issues and social media security in general? How do you think we can we make social media more secure?

LinkedIn Profiles Are Not “Serving” Malware


The past few days there has been a bit of a stink about some bogus LinkedIn profiles. There have been plenty of news sources reporting that LinkedIn profiles are serving malware or making it seem like profiles are infected somehow. A few examples of that can be found here and here and here. At least The Register called these people falling for this fools. What the titles of these reports imply are dead wrong. LinkedIn profiles are not actively attacking users.

The issue is very simple, it is a hyperlink to another site that infects idiots with Malware. A hyperlink to another site, not getting attacked from viewing a profile. When you allow users to link to off-site content, you lose control of the request, however, this isn’t like allowing users to pull content in from other sites to display on their profiles. This typically has very little impact. This is no different than any other site, message board, or social network.

Give me a break, like Beyoncé Knowles has a LinkedIn page and is going to have a hyperlink on there to a place to view her nude pictures. That’s the issue these sites are referring to, dumb isn’t it? How does that get turned in to words like serving, harboring, or redirecting? These words imply some sort of active action on LinkedIn’s part, which doesn’t describe the situation here AT ALL. If you ran a message board and someone had a hyperlink to Goatse, does that mean you are serving, harboring, or redirecting to Goatse? Of course it doesn’t. This would just be an indication of your user base. I wonder how many people were brave enough to click the Goatse link above :) It’s not Goatse, promise.

Is there really no end of the Internet news stories this week to scare people with so people decided we should be scared of LinkedIn? This is basically spreading FUD. I personally don’t see why LinkedIn should take any heat from this. The feature of LinkedIn that allows you to link to your Company, personal site, or some other site should remain a part of LinkedIn’s features. I really hope they don’t go with something like MySpace did with the msplinks stuff. This would basically put a big obnoxious splash page up that states you are about to visit content off of the site. Yeah, well no crap I just clicked on the link so of course I want to visit the page. I personally don’t think that is a very effective control for these types of attacks anyway. The only time that control is effective is if it isn’t clear to the user that they are visiting content off the particular site they are on. I have seen in the past MySpace profiles that were compromised and the whole profile links to a bogus MySpace login page. In that case the user seeing the warning would be alerted that something is wrong, however, you are still going to have a large amount of people just cough up their credentials anyway. Sometimes all the controls in the world just can’t fix stupid. The same people that would fall for this are the same ones that click on spam emails claiming the same thing. It’s a mentality not a technical security issue.

Let me state this, if you are not a complete idiot then this issue will not affect you in the least bit. These profiles are not performing any active attacks on users of LinkedIn. There are much more scary things out there than this, trust me. Don’t fear using LinkedIn because of issues like this. LinkedIn really has a very limited feature set which lowers their attack surface. They have much less functionality that other social network such as MySpace, Facebook, Hi5, etc. Would you really care to see Beyoncé Knowles’ LinkedIn profile anyway? I bet she is boring and fake. Her LinkedIn profile would state, “I have never had to work for anything in my life and everything has been handed to me because dummies think I have talent. I love screwing over my friends and taking money out of their pockets”. She should apologize to the world for creating that DirecTV Upgrade song. Yuck! Wait a minute, she doesn’t write her own music… Anywhoo….

I can’t believe I had to write this blog post, but the sheer number of people talking about this and linking to these stories was too much. Just practice smart Internet browsing habits mixed with common sense and you will be fine. As always, I recommend using the Firefox web browser with the extensions NoScript and Adblock Plus. Have a good week, the end of the Internet is next week :)

First Twitter Phishing Attack of 2009

Welcome to 2009! As many have said…it was just a matter of time before Twitter had a somewhat significant attack…well, here it is! I just had a post up last week about how many of us that use social media just blatantly trust every site that asks us for Twitter credentials. Well if you don’t look at the URL carefully even the security aware could be fooled by this one. Tonight there was a lot of tweets about the following phishing attack….

You will get a DM (direct message) in your email from a user with the following message:

hey! check out this funny blog about you…

If you click on blogspot link this is basically a redirect to the following fake Twitter site:

Twitter Phishing Site

Looks just like an identical copy of the real Twitter site except for the URL! (don’t go to this URL…)

About an hour after this started going around Twitter it looked like Firefox 3 picked up that this was a reported phishing site and you now get the following message:

Web Forgery Reported

Looks like Twitter and others moved quickly to get the redirect shut down. If ignore the Firefox warning to the blogspot page you get this:


However, the phishing site is still active and will probably be for awhile. Do not enter in any login credentials at any site other then The fake site in this case is Note that if you take off the “login” at the end of the URL you are sent to a fake Facebook login page! Looks like these guys have been doing this for quite some time.

One interesting note about this attack…how does someone send you a DM without you following them? There was an interesting hack that is documented here that used to work, however…Twitter fixed this a few months ago. My only guess is that multiple hacked accounts were used to send legitimate DM’s. I’m not 100% sure how DM’s are being propagated in this case but it should be interesting to find out how the attack started in the coming days.

Kudos to the Twitter team and all the Twitter users that retweeted and got to word out. This alone hopefully mitigated much of the threat. I even saw in the Twitter web client that @twitter posted a warning message on the page about the threat. Great work Twitter team!

What if you gave your credentials away to this site?
Change your password immediately! Also, do you use this same password for Facebook, Myspace, email and other sites? Change those as well! Give a password manager like 1password or KeePass (KeePass is free BTW) a try to set unique passwords for every site/application you use. That way if your Twitter account did get compromised, your other accounts are safe. See this post for more information.

1 26 27 28 29