Social Media Security Podcast 30 – The Password Episode

This is the 30th episode of the Social Media Security Podcast sponsored by SecureState.  This episode was hosted by Tom Eston and Scott Wright.  In this episode we talk about the password problem and why we continue to choose easy to guess passwords.  Tom and Scott also talk about ways to select more secure passwords and how technology can help.  Below are the show notes, links to articles and news mentioned in the podcast:

The password Episode!  It’s episode 30!

Major password breaches in the last few months:
Brute force attacks on passwords is the #1 way we break into companies during pentests! Want to see the poor passwords people choose? SkullSecurity has very good lists from previous breaches.  Looking for more information? Tom wrote a white paper on how easy it is to profile user passwords on social networks.
The password problem.  Users continue to make poor password choices. Why? 
  • Too many to remember?
    • It’s easier to use the same password for each site
    • Also the same user id and email
  • Failures in user awareness?
  • Users are not provided the technology to help
  • Social networks and other sites make it easy to choose weak passwords, little adoption of two factor authentication because users will complain
  • Mobile apps are not designed to constantly enter passwords.  This is why you “stay logged in”.
Worse case scenario?
What is the solution?
Please send any show feedback to feedback [aT] or comment below.  You can also call our voice mail box at 1-613-693-0997 if you have a question for our Q&A section on the next episode.  You can also subscribe to the podcast in iTunes and follow us on Twitter.  Thanks for listening!

Social Zombies Gone Wild: Totally Exposed and Uncensored

Kevin Johnson and Tom Eston gave the third and final “Social Zombies” talk at Notacon 8 this weekend.  This talk focused on how social networks are using geolocation and the abuse of location based services.

“Social networks have jumped onto the geolocation bandwagon with location-based tweets, status updates, check-ins, mayorships, and more. This doesn’t take into account EXIF, QR codes, and advancements in HTML 5 geo implementations, which are being built into these location-based services. This is often implemented and enabled without the user even knowing it. In fact, geolocation is one of the hottest technologies being used in everything from web browsers to mobile devices. As social networks throw our location coordinates around like candy, its only natural that bad things will happen and abuse will become more popular. This presentation will cover how social networks and other websites are currently using location-based services, what they plan on doing with it, and a discussion on the current privacy and security issues. We will also discuss the latest geolocation hacking techniques and will release custom code that can abuse all of the features being discussed.”

Slides are on SlideShare below:

Social Media Security Podcast 2 – Month of Facebook Bugs, What is XSS, Canadian Privacy Ruling

skullThis is the second episode of the Social Media Security Podcast recorded September 25, 2009.  This episode was hosted by Scott Wright, Tom Eston and our new co-host Kevin Johnson.  Below are the show notes, links to articles and news mentioned in the podcast:

  • Introducing our new co-host, Kevin Johnson.  Kevin is a Senior Security Analyst for InGuardians and is also an instructor for the SANS Institute, teaching both SEC504: Hacker Techniques, Exploits, and Incident Handling and SEC542: Web App Penetration Testing and Ethical Hacking courses.
  • Tom talks about the Month of Facebook Bugs (created by a security researcher called “theharmonyguy”) why this is important and how many vulnerable applications have been exploited and fixed so far.  Here is the list of top Facebook applications that Tom mentioned in the podcast.
  • Kevin gives a great non-technical overview of a web application vulnerability called Cross-site Scripting (XSS). Many of the Facebook applications we found in the “month of Facebook bugs” were vulnerable to XSS.  Kevin describes what XSS is, how it works and how dangerous this vulnerability is to social networking applications like Facebook.
  • Scott talks about the recent ruling regarding the Canadian Federal Privacy Commissioner vs. Facebook.  This ruling in Canada has created wide reaching changes to privacy and the way applications function within Facebook.
  • Scott also included a brief interview with the Canadian Privacy Commissioner’s Office about this recent Facebook ruling.
  • Tom has updated his Facebook Privacy & Security Guide.  You can download the latest version here.

Please send any show feedback to feedback [aT] or comment below.  You can also call our voice mail box at 1-613-693-0997 if you have a question for our Q&A section on the next episode.  You can also subscribe to the podcast now in iTunes! Thanks for listening!

Defeating MSPLinks on MySpace

myspace_msplinksThe following post is a contribution from a researcher called “anti-social”:

A few years back MySpace implemented MSPLinks as a way to defeat spammers from posting their spam URL’s. The idea being that spammers couldn’t make money if they constantly had to buy new domains. The idea worked to a pretty good extent once MySpace finally figured out how to filter all the XSS vulnerabilites they had when sanitizing profiles.

About a year ago, MySpace added to MSPLinks a phishing warning screen to inform users that the site they were going to could possibly be malicious. This screen can be easily defeated by a simple post method with a hidden field. That’s because trusts post requests from

A working example can be found at:

If you click the 1st button under the “About Me” section, the phishing screen isn’t shown (IE and Safari takes you straight through to the link, Firefox pops up a warning asking if you want to post your data to MSPLinks)

If you click the 2nd button, you’ll notice that you’ll be taken to MySpace’s phishing window.

Here is the simple html code in the profile:

<form action="" method="POST">
<input type="submit" name="coolbutton" value="SETTING DISCHECK" />
<input type="hidden" name="discheck" value="on" />
<form action="" method="GET">
<input type="submit" name="coolbutton" value="NO DISCHECK" />

What’s the point?  Even with SPAM and URL filtering on social networks like MySpace…they can be easily bypassed.  Since 2007 there have been many different ways to bypass MSPLinks (just do a Google search), this is just another method.  Also, because social networks encourage user generated content, clicking on any links that are posted by the user can lead to bad things.  Especially if they are already masked like they are via MSPLinks.  MSPLinks have now become even more dangerous because you trust MySpace is filtering these links.

Hopefully, MySpace can come up with something better then MSPLinks as they are pretty much useless to fight SPAM and links to malware sites.

New Research Released on Koobface

Today Trend Micro released probably the most comprehensive research yet on the Koobface social network worm.  This research details how Koobface works, the malicious payloads it carries and how this worm has spread to all the major social networks.  The most recent victim being Twitter.   Most alarming is that Koobface will still continue to evolve and is the beginning of a new generation of malware targeting social networks.

Check out the article and download the PDF for the full report.  We will also have this link posted in the “Research” section of the site.

Security and Privacy in Social Networks Bibliography

We just added a fantastic link to 70+ academic papers about security and privacy issues in social networks. It is maintained by Joseph Bonneau from the University of Cambridge.  You will see a page titled “Research” at the top of the page where you can get links to this and other academic papers and research papers.

Thanks to Joe for the submission!