What’s behind that short URL?

plz click this short url

There was a good post over at ThreatChaos the other day about a new Firefox extension which will automatically show you the real URL’s of shortened URL’s. What is URL shortening? For example…this long URL:




By using a service like Tinyurl or one of the many other sites available you can easily shorten a URL so your friends don’t freak when you send them long links. When it comes to Twitter it becomes almost mandatory that you shorten that long URL to meet the 140 character limit in your tweets.

What’s the problem?
Getting people to click on a malicious link just got easier with these services. Sure, people will still click on strange URL’s without a mask (even manually typing in strange URL’s as I showed in this post), however, by masking *any* URL with these services a phishing or malware attack can be even more successful.

Also, how can you *easily* see what the real site is behind one of these short URL’s? TinyURL and others offer you a service to “preview” URL’s but many sites don’t offer this and who is actually going to attempt to manually verify what is behind those links? That’s way too much work.

Another problem is that some of these short URL services allow you to obfuscate an already short URL with another short URL. Take for example Xrl.in. The TinyURL above (http://tinyurl.com/9lum95) becomes http://xrl.in/1b0i. This throws off the preview feature of many sites like this. This problem could add multiple redirects and levels of obfuscation to malicious links. All it takes is the right combination of short URL sites.

Right before I was about to post this I saw a post by Jennifer Leggio over at ZDNet regarding the URL redirection issue. She mentions that FriendFeed has implemented a feature that reveals short URL’s if you hover your mouse over the links. This is great…for FriendFeed, what about other more popular social media sites? Check out her article for a good overview of the issue and some interesting information about what other social media sites are doing and not doing about this problem.

The “Long URL Please” Solution
While not 100% perfect this a great start and it looks like the developer is working on improving the Firefox extension and API. You can even use it with other web browsers besides Firefox with a bookmarklet available on his site. Simply click on the bookmarklet and it will transform all the short URL’s on the web page currently loaded.

The Long URL Please Firefox extension will automatically show you the true URL of 30 supported short URL site’s. No hovering over a link or clicking to a site to preview it. It just shows you the link…no extra work on your part. This works great for the Twitter web client as well as any web page that has a link from one of the 30 supported services. One problem I saw was that short URL sites like xrl.in and others will keep popping up (I listed a site above that links 70 of these services). It’s going to take some work from the developer side to keep up with all of these new services. In addition, this doesn’t help with Twitter applications like ones that are Adobe Air based or developed using another type of framework. However, it looks like the developer is working on it and he is trying to get other applications to integrate to his API. Either way, check out this great extension and follow the developer on Twitter to get news on improvements. I look forward to see how this type of extension will evolve.

Short URL’s won’t be going anywhere soon…lets hope social media applications and end users start using them with a little bit security in mind.

What solutions do you think could solve the short URL problem?

Who are you giving your Twitter account to?

Twellow anyone?

It’s always interesting to me when I check out a new Twitter application, it always seems to ask you to “verify” your account or ask you to pass your Twitter user name/password to their application. This of course is done without any protections or any way of knowing what happens to your account information on the other end.

Take for example a recent find called Twellow which is basically a big directory of Twitter users (like the yellow pages). Twellow has some neat features like searching for other Twitter users by keywords and interests. Twellow like many of these types of Twitter applications work by scraping public timelines to populate their site with your information. Twellow asks you to “claim” your profile by putting in your Twitter password. This is where it gets interesting…

To the unsuspecting user it’s tempting to just give your credentials away to every website that asks for it. Twellow is a good looking, legitimate website right? Did you stop to think what could happen to your login credentials? Can you really trust that they don’t record your credentials? The disclaimer says they don’t use your password for anything…you trust everyone right? :-)

What’s your Twitterank?
If you are a heavy Twitter user you may remember the Twitterank fiasco about a month ago. Like many people on Twitter just hearing of a website that will calculate your “rank” on Twitter sounded like a cool idea. No harm in this right? Rumors quickly spread on Twitter and in the blogosphere that Twitterank was a phishing site and that the developer was harvesting Twitter accounts. It ended up that this was most likely a legitimate application…BUT…why do you trust it? Why as social media users do we blatantly trust every Twitter or social media developer out there? No offense to the developer of Twitterank but there are way too many of these sites out there that ask for your account information. A real Twitter phishing site is easy to do using these same tactics. All you need is a legitimate looking website that preys on human weakness…we all want more followers and more rankage, right? For example, if you want to see a spoof Twitter phishing site, check out Twitter Phisher done by the fine folks over at Hak5 (be sure to view source in your browser for some extra lolz).

What’s the fix?
First, social media users need more education. Seriously, don’t just give your credentials away to anyone that asks for it (this actually applies to everything in life). Is your Twitter ranking really that important?

If you did give your credentials away, hopefully you used a different and unique password for that particular account. That way, if your account did get compromised then only one account is compromised, not your entire portfolio of accounts. How do you manage multiple passwords? Give a password manager like 1password or KeePass a try to create and manage unique passwords for each of your social media accounts.

Secondly, social media websites like Twitter need to use better forms of authentication. How about something similar to what FriendFeed is doing by issuing users a “remote key” for all third-party interactions with your account. Of course this isn’t perfect but it’s a step in the right direction. I applaud FriendFeed for having the remote key functionality a required part of the API. BTW, Twitter has been talking about using nifty solutions like OAuth, so do it already @Twitter! HTTP Basic Authentication just doesn’t cut it.

Authentication of user credentials and social media is a big problem…(actually verifying who you say you are is a another topic altogether). What authentication solutions for social media do you think should be adopted?

Analysis of a new Facebook phish

Beware of this wall post!

I just posted an article for Blogsecurify about a new Facebook phish that I stumbled upon. Thanks again to Greg and Tyler for helping out with some of the detailed analysis! You guys rock!

LinkedIn Apps Announced

Posted originally on Neohaxor.org, re-posted with permission:

Business social network LinkedIn announced their LinkedIn Applications today. The applications directory can be viewed here There are only several applications to chose from at the moment. I am sure that number will grow soon. LinkedIn uses Google’s OpenSocial just like other social networks such as MySpace, Orkut, hi5, etc. I only spent like 5 minutes looking at a couple of things. So, the following are only my quick thoughts and impressions.

The applications are delivered though the domain lmodules.com. This makes them easy to identify and block if that’s what you would like to do.

At first glance it appears that the vetting process for LinkedIn is higher than some of the other social networks. They appear to only want known businesses to create applications for their network at this time. This would help root out some possible malicious users. A vetting process is a good first step in thwarting that type of malicious behavior. I didn’t look at the difficulty in attaining a developer account, but I am assuming it is much more difficult than other social networks like MySpace, Facebok, etc. Now, whether this vetting process will stay this stringent will remain to be seen. These procedures may be relaxed in the future due to demand.

Just because the name has changed doesn’t mean the threats have changed. As a matter of fact there may actually be more on the table. Business networks such as LinkedIn are more likely to contain real information about people vs other non-professional social networks. Not that people don’t share enough about their real self on other social networks. This means the same threats exist for the capture of information as on other social networks.

There are still technical threats from social network applications on LinkedIn as well. These are the very same issues as other social networks that we have discussed in the past and demonstrated. Malware distribution, social engineering, attacking clients, information harvesting, click fraud are just some of these threats from social network applications. Moral of the story is be careful. Don’t install apps you don’t need, even though you may do so on your iPhone ;)

So all in all the threats are the same with LinkedIn as any other social networks that employ applications. However, with a more stringent vetting process this should reduce the possibilities for malicious by making accounts harder to get.

Facebook Privacy & Security Guide Released

Today at the Ohio Information Security Summit I released my Facebook Security & Privacy Guide. This guide gives you suggested “baseline” security settings that you can use when configuring your Facebook account. Obviously, you can adjust these settings based on your own level of risk but it should give you a good starting point.

How did this project get started?
I have been doing several months of research with my own Facebook account as well as gathering the input of other Facebook users to determine what the privacy and security settings would be without loosing the key features of using a social network website…the networking!

Please feel free to distribute this document to friends and family or use it for any security awareness campaigns. I will hopefully be keeping up with any updates to the document when Facebook changes things. I might be putting together a similar document together for MySpace but MySpace is a totally different animal altogether. We shall see! :-)

You can download a pdf version of the guide here.

Exploiting trust in social networks

Over the weekend I posted my first article on Social Network/Media security over at Blogsecurify. You can check out the post here. My next article will talk about the security of third-party applications and widgets for social media applications.

Attacking Password Resets w/ Social Networks

Posted originally on Neohaxor.org, re-posted with permission:

Password Reset: Your passport to a fuxored account.

Password Reset Methods Vulnerable? Really? Get out of here, you mean that many password reset methods are vulnerable to attack? You have to be kidding. The fact that people think vulnerable password reset is newsworthy have got to be crazy. This is something that many of us have been talking about for years. Now Sarah Palin’s email gets attacked and it is big deal. It amazes me why we always wait to get screwed by something before we fix it.

Why does everything in the security world have to be a response to something. Ok, not the security world but the business security world. They are definitely two different entities. I am truly tired of reactive security. Just think if other professions followed this reactive model, like a cop asking for a bullet proof vest after they have already been shot. Nobody can say they didn’t see this coming either. People make more of their life known through social networks, photo sharing, and blogs than ever before. The simple password reset questions just don’t hold up.

There is a lot of unnecessary fear about data from social networks being used to steal someone’s identity. Although this is mostly FUD, social networks can be a great source for password recovery data. A while back we recovered a password (with his permission of course) from my friend Brian’s Sprint account using data from his MySpace page. This is when we were first starting our research for the social network hacking project.

Let’s take a step back from social networks for a sec, would your friends, co-workers, significant other, etc. be able to recover your password with the information they know about you? If the answer to that question is yes, then you need to change something. Passwords should be something that you know, not you and a couple of other people.

What Types of Data are on Social Networks?

The information that people put on their social network pages range from minimal to wildly over the top. Some people even go above and beyond by posting survey questions that tell a lot about their personalities. Although they want to show off the depth of their personality, all it really does is show off the shallowness of their brain.

Social networks by their default nature basically allow you to “friend” the world. The information on people’s social network page typically contains information that was previously only known to traditional friends and acquaintances. This can be a huge problem for the password reset mechanism, not to mention a person’s privacy. If it’s deep and kinda scary from a privacy standpoint then it is probably on a social network. Remember when I mentioned if your friends knew enough about you to reset your password then you are in trouble, well you just friended the world with the information from your social network profile. Beyond standard profile information there are a users actions taken on a social network site and possibly social network applications that are being used as well. All of this information can be leveraged when attacking a password reset mechanisms.

You can use an email address to look up people’s accounts on social networking sites. On the flip side, someone social network profile might directly tell you a person’s email address or you can use the search features of the social network to query owner’s of certain email addresses. There are no secrets in social networking ;)

Email Accounts are Gold

With password resets an email account is really the jackpot. Many password reset mechanisms, including the ones from social networks, rely on sending either the password or a temporary password to the email address of the account owner. Someone who gets their email account compromised might just find that they have every other account tied to that email account compromised as well. I mean, it wouldn’t be a far stretch to figure that out once someone had access to the email account. Just think of all the crap that sites like Amazon, eBay, MySpace, Facebook, etc. send to your email account.

Typical Password Questions

Typical password recovery questions really vary in complexity from site to site. What is the problem with password recovery questions in general? Well, they are not typically made up of data that is private. Unlike a password which is supposed to be something that only you know, recovery questions may be known to many people around you.

Here are some questions from Yahoo:

  • Where did you meet your spouse?
  • What was the name of your first school?
  • Who was your childhood hero?
  • What is your favorite pastime?
  • What is your favorite sports team?
  • What is your father’s middle name?
  • What was your hight school mascot?
  • What make was your first car or bike?
  • What is your pets name?

Some of these questions look like questions that social networks ask when you are filling out a profile, don’t they? If not questions they ask, certainly data that people put on their social network profiles or divulge through other means on a social network.

The Obvious

Take a glance at someone’s profile or maybe your profile on a social network. From just this page without further probing there may be an enormous amount of information. Depending on the mechanism that is being attacked, it may be all that is needed. Here is an example of some of the things that may be found just on the profile page:

  • Name
  • Date of Birth
  • Hometown
  • Current town
  • Favorite movies, artists, music, people, TV, sports teams, etc
  • High School
  • College
  • Personal description
  • Personality traits
  • Networks and Groups
  • Relationship information
  • Family information
  • Employer

The list really goes on and on. Remember that many people are on multiple social networks. Checking out other social networks may fill in the blanks. It is easy to see why this information could be a problem and I don’t think it needs any further explanation.

The Not So Obvious

Some data is not so obvious and might not be directly spelled out. This may be information that has to be aggregated or inferred from the profile data, friends list, blog, group, network, etc.

  • Photos and photo tags
  • Comments on other profiles
  • Photo data (cloths, background, other individuals, etc)
  • Pets
  • Children
  • Siblings
  • Relatives (potentially ones with your mother’s maiden name?)
  • Potential usernames
  • Instant messenger data
  • Blogs and comments in friends’ blogs
  • Favorite teachers
  • Sexual preference
  • Religious views
  • Political views

The data is really limitless, but after all isn’t that what a nice web 2.0 application is supposed to provide? On the surface some of this data may seem silly for password resets but it is really not. This not so obvious information can be really helpful when when non-standard questions are used in the password reset process. This typically happens when people are left to their own devices when creating security questions. They typically create questions that are common and familiar to them. Stupid things like pet’s names, favorite teams, favorite TV shows, etc.

Just think for a moment about tagging. People may tag photos themselves with useful information. Also, friends may tag people in photos helping better define a person’s relationships with people and activities they are involved in. The URL of the social network may lead you to potential usernames / IM information such as www.myspace.com/(username). Maybe the data is completely visual like photo data. A lot of information can be obtained by looking at pictures. Favorite places, sports teams, cars, and countless other possibilities. You name it, people like pictures with their favorite things.

The actions people take on social networks helps better define relationships, networks, group affiliations, and activities. The person may place comments on other people’s photos, profiles, walls, blogs, etc. You may see comments like “That is why you are my BFF”. You may also see that someone is a member of a political party or religious group. People may discuss on boards or blogs about certain things happening in their life. Sharing is caring right?

So what you get in the end is a clear picture of who these people are. You get their likes, dislikes, friends, and affiliations are all in a nice clean package. You may have never even met this person but you have all of the information a traditional friend may have, possibly more.

Need a bit more?

If you almost have the nail in the coffin then you can turn to other sites to complete the task. You could look for name / username collisions on other sites to gain more data. You could take their high school and age information and find out who they went to school with. The possibilities are endless.

The User’s Choice

When people are given the option to choose their own security it has historically been bad. There is nothing that seems to suggest that allowing user’s to choose their security will get any better, so some of this may be wasted breath.

When looking at sites like Google, it seems they have slightly better security questions. Questions such as your library card number, frequent flyer number, etc. I think sites like these with better security questions probably have a high amount of people that end up just choosing their own questions when this option is available. People don’t seem to understand that this isn’t a function that you are going to use everyday. It is ok and preferable to use data that you may not be able to recall without looking up.

So What Can We Do?

The problem of personal data leakage isn’t going to stop until people realize the potential impacts of their data being strung out for the whole world to see. I personally don’t think this will change, in fact, I think with time it will get a lot worse. We live in this voyeuristic, virtual world where people create digital representations of how they see themselves. I think that has an appeal to many people, especially those who don’t particularly find their lives that exciting.

Don’t play by the rules when dealing with a sites password reset questions. Put blatantly wrong, hard to guess, or nonsensical information in to the answer blocks. This will make any information gathered on you useless when attempting to recover your password.

It seems that many sites want you to log in. You shouldn’t use the same password on every site. Use a trusted password safe such as KeePass to store your login credentials. KeePass is open source and multi-platform. Using a mechanism like this allows you to be in control of your password recovery along with allowing you to use different passwords for different sites. It would also be a good idea to back up the database of whatever password safe you choose to use as well. Just a thought ;)

The biggest mistake someone can make is thinking that there is nobody out there that gives enough of a crap about them to attack their accounts. People do weird things. Anybody is capable of just about anything. This isn’t being paranoid, it’s being safe. Think of it as locking the door on your house when you leave, only instead of your valuables you are protecting your data.

Malware on Twitter

Well, it seems like it didn’t take that long for the malware authors to notice the opportunity in abusing Twitter as a malware distribution platform.
According to Kaspersky Labs:
“…This profile has obviously been created especially for infecting users, as there is no other data except the photo, which contains the link to the video.

If you click on the link, you get a window that shows the progress of an automatic download of a so-called new version of Adobe Flash which is supposedly required to watch the video. You end up with a file labeled Adobe Flash (it’s a fake) on your machine; a technique that is currently very popular…”

Unfortunately, the auto-follow-me vulnerability is still exploitable for Internet Explorer users. I’m still withholding the technical details of this vulnerability in a hope that it won’t be exploited in the wild, more than it was probably already did.

1 27 28 29