Social Zombies: Your Friends Want to Eat Your Brains

•

2 j'aime•1,465 vues

In Social Zombies: Your Friends want to eat Your Brains, Tom Eston and Kevin Johnson explore the various concerns related to malware delivery through social network sites. Ignoring the FUD and confusion being sowed today, this presentation will examine the risks and then present tools that can be used to exploit these issues. This presentation begins by discussing how social networks work and the various privacy and security concerns that are caused by the trust mass that is social networks. We use this privacy confusion to exploit members and their companies during our penetration tests. The presentation then discusses typical botnets and bot programs. Both the delivery of this malware through social networks and the use of these social networks as command and control channels will be examined. Tom and Kevin next explore the use of browser-based bots and their delivery through custom social network applications and content. This research expands upon previous work by researchers such as Wade Alcorn and GNUCitizen and takes it into new C&C directions. Finally, the information available through the social network APIs is explored using the bot delivery applications. This allows for complete coverage of the targets and their information. Presentation is from the DEFCON 17 CD not the one we gave live. Full presentation will be posted in a few months after we give the talk a few more times.

Technologie Formation

“Social networks & Blogs are
now the 4th most popular online
activity, ahead of personal
email.”

-Nielsen Online Report, March 2009

Trust is Everything!

• It’s how social networks work
• More trust, the better for the
socnet!
• Attackers LOVE trust
relationships!

It’s built to
Exploit Trust
• Who is the person behind the
account?
• Bots are Everywhere
• Accounts are easy to create
• Socnet User Verification = FAIL
• Connections based on other “friends”

25 Random Things
About You...
• I’m your friend, I want to know more
about you!

• Innocent?
• These are PASSWORD RESET QUESTIONS
people!!

Corporate
Espionage?

• Very effective in a Penetration test
• Socnet Information = GOLD
• Information Leakage on a Mass
Scale!

Default Privacy
Settings
• Wide Open for a reason!
• Facebook has very good
controls...but...
• Do you know where they are?
• Do your Friends/Family?
• Do They Care?

Security Concerns

• Socnets are #1 Target for Malware
• Spam
• Disinformation
• XSS, CSRF and more!

Return of Koobface

• Recycled ExploitS
• Exploits Trust
• STILL EFFECTIVE!

Delivery VIA Socnet API

• Twitter Bots (n0tab0t, Realboy)
• Automated tools and scripts...

Facebot POC

• Malicious Facebook APplication
(looks normal)
• Turns your PC into a Bot used for
DDOS!

Browsers and
Features... Oh My!
• Browsers are getting
more feature-rcih
• Read that as more
vulnerable!
• Forget exploiting vulns
• Abuse the features we
are provided

Browser Zombies
• JavaScript used to hook
the browser
• Other technologies will
work
• Many frameworks
available
• BeEF
• BrowserRider
• Anehta

SocNet Delivery
• Embedded applications can
insert JavaScript
• Multiple options
• Hook scripts are pushed
• Userssitesredirected to
hook
are

• Why would we allow this!?!?

Information is
Power

• Information gets us access
• Social networks are littered with
info
• By how do we connect it together

Third party apps to
the rescue

• Third party apps have
access to everything
• Permissions are open by
default
• Once a user says accept

API’s FTW

• Myspaceto anfacebook both provide
access
and
api
• These APIs provide the access we
want
• Allows connecting different users
• Based on friends, groups, jobs or
interests

Social Butterfly
• Social Butterfly is a third party
application
• Runs on attacker controlled
servers
• Collects the data from application
users
• Crosses the line between different
sites
• Fine line before violating TOS!

Prevention

• User Education
• End “opt-In” Socnet Developer
Models
• Control API Usage
• Better Account verification
• SPAM Throttling

MoRe Information

• Facebook Privacy & Security Guide
SPYLOGIC.NET
• Kreios C2
www.digininja.org
• New website dedicated to Social
media security (announced at
Defcon)

Contenu connexe

Plus de Tom Eston

Just when you thought “bath salts” were turning innocent humans into flesh eating Zombies in Florida…mobile devices have begun taken over the world like an infectious Zombie virus outbreak. Tablets and mobile phones are being used by everyone today and are more powerful than ever before. The technology implemented in these devices is truly bleeding edge. From new wireless technology like NFC (Near Field Communication) to social networks being integrated directly into mobile operating systems, the times are rapidly changing. These new technology advancements also introduce new privacy and physical security concerns not seen before as well. In addition, with new technology come new responsibilities and challenges for security professionals and consumers alike especially in a world of BYOD. In this presentation Tom Eston and Kevin Johnson explore and exploit the new technology being implemented by these mobile platforms. Tom and Kevin have discovered interesting security and privacy issues with Android Jelly Bean, Apple iOS 6, OS X Mountain Lion, NFC and many popular mobile applications. New tools and exploits will be discussed that can be used by penetration testers to exploit these new technologies. Tom and Kevin will also discuss strategies to combat the ensuing mobile device onslaught into the enterprise. This information alone will help you to survive the “Rise of the Mobile Dead”.

Social Zombies: Rise of the Mobile Dead

Tom Eston

Android and Apple mobile devices have taken the market by storm. Not only are they being used by consumers but they are now being used for critical functions in businesses, hospitals, government and more. This trend is expected to continue with the popularity of mobile devices such as tablets well into the future. In this presentation we put Android up against Apple iOS to determine which, if any, are ready for enterprise or federal use. Once and for all we battle the Apple App Store vs. Google Play, device updates, developer controls, security features and the current slew of vulnerabilities for both devices. Which platform will emerge the victor? You might find that while the "tech is hot" the implementation and built in security controls are "not".

The Android vs. Apple iOS Security Showdown

Tom Eston

Breaking in is easy, real security is hard. Breaching the security of a Casino doesn't have to be as dramatic or dangerous as depicted in the Ocean's Eleven movies. In fact, by simply sitting in a hotel room of a Casino, hackers can find ways to breach the high security that Casino's have been known for. This type of attack has a simple goal: steal the Casino's money and cheat the system. All of this can be done without anyone seeing you and is much easier then walking directly into the Casino vault armed with guns and explosives. In this presentation Tom Eston from SecureState walks us through some of the more interesting and exciting penetration tests his team have conducted. These include breaking into Casinos, Banks, Energy companies and other high security facilities (with permission of course). Tom's stories not only show how attackers break in but also show important lessons on how businesses can better secure their physical as well as network assets.

Five Lessons Learned From Breaking Into A Casino: Confessions of a Penetratio...

Tom Eston

Kevin Johnson, John Sawyer and Tom Eston have spent quite a bit of time evaluating mobile applications in their respective jobs. In this presentation they will provide the audience an understanding of how to evaluate mobile applications, examples of how things have been done wrong and an understanding of how you can perform this testing within your organization. This talk will work with applications from the top three main platforms; iOS, Android and Blackberry. Kevin, Tom and John have used a variety of the top 25 applications for each of these platforms to provide real world examples of the problems applications face.

Smart Bombs: Mobile Vulnerability and Exploitation

Tom Eston

Over the years web services have become an integral part of web and mobile applications. From critical business applications like SAP to mobile applications used by millions, web services are becoming more of an attack vector than ever before. Unfortunately, penetration testers haven't kept up with the popularity of web services, recent advancements in web service technology, testing methodologies and tools. In fact, most of the methodologies and tools currently available either don't work properly, are poorly designed or don't fully test for real world web service vulnerabilities. In addition, environments for testing web service tools and attack techniques have been limited to home grown solutions or worse yet, production environments. In this presentation Tom, Josh and Kevin will discuss the new security issues with web services and release an updated web service testing methodology that will be integrated into the OWASP testing guide, new Metasploit modules and exploits for attacking web services and a open source vulnerable web service for the Samurai-WTF (Web Testing Framework) that can be used by penetration testers to test web service attack tools and techniques.

Don't Drop the SOAP: Real World Web Service Testing for Web Hackers

Tom Eston

IT loves to use Apple iPhones and iPads, but hates supporting them. For most environments, they represent the exception, and are not subject to standard corporate controls. The reason the exception is allowed is usually the fact that the CEO bought an iPhone and iPad the day they were released, and then quickly filled them with sensitive corporate data. With their portability and popularity, it is only a matter of time before one of these devices ends up missing. How worried should you be? This presentation will cover the latest real-world attack techniques for compromising Apple’s iOS devices, introduce a new assessment methodology that can be used by penetration testers, and discuss the latest defensive techniques for securely deploying iOS devices within your enterprise.

Attacking and Defending Apple iOS Devices

Tom Eston

Social networks have jumped onto the geolocation bandwagon with location-based tweets, status updates, check-ins, mayorships, and more. This doesn’t take into account EXIF, QR codes, and advancements in HTML 5 geo implementations, which are being built into these location-based services. This is often implemented and enabled without the user even knowing it. In fact, geolocation is one of the hottest technologies being used in everything from web browsers to mobile devices. As social networks throw our location coordinates around like candy, its only natural that bad things will happen and abuse will become more popular. This presentation will cover how social networks and other websites are currently using location-based services, what they plan on doing with it, and a discussion on the current privacy and security issues. We will also discuss the latest geolocation hacking techniques and will release custom code that can abuse all of the features being discussed. Tom Eston is a Senior Security Consultant for SecureState. Tom focuses his research on the security of social media. Tom is also the founder of SocialMediaSecurity.com and co-host of the Security Justice and Social Media Security podcasts. Kevin Johnson is a security researcher with Secure Ideas. He has many years of experience performing security services for Fortune 100 companies, and leads a large number of open source security projects including BASE and SamuraiWTF. Kevin is also an instructor for SANS. Presented at Notacon 8 in Cleveland Ohio.

Social Zombies Gone Wild: Totally Exposed and Uncensored

Tom Eston

In Social Zombies II: Your Friends Need More Brains, Tom Eston, Kevin Johnson and Robin Wood continue the Zombie invasion from "Social Zombies: Your Friends want to eat Your Brains" presented at DEFCON 17. This presentation will further examine the risks of social networks and then present new techniques and tools that can be used to exploit these issues. This presentation begins by discussing new twists on existing privacy concerns that are caused by the trust mass that is social networks. We use this privacy confusion to exploit members and their companies during our penetration tests. The presentation then discusses social network botnets and bot programs. Both the delivery of malware through social networks and the use of these social networks as command and control channels will be examined. Tom, Kevin and Robin next explore the use of browser-based bots and their delivery through custom social network applications and show new ways social network applications can be used for malware delivery. Finally, the information available through the social network APIs is explored using third-party applications designed for penetration testing. This allows for complete coverage of the targets and their information. This was presented at Shmoocon 2010 on February 6, 2010.

Social Zombies II: Your Friends Need More Brains

Tom Eston

Presented at the Ohio Information Security Summit, October 30, 2009. What does the Internet say about your company? Do you know what is being posted by your employees, customers, or your competition? We all know information or intelligence gathering is one of the most important phases of a penetration test. However, gathering information and intelligence about your own company is even more valuable and can help an organization proactively determine the information that may damage your brand, reputation and help mitigate leakage of confidential information. This presentation will cover what the risks are to an organization regarding publicly available open source intelligence. How can your enterprise put an open source intelligence gathering program in place without additional resources or money. What free tools are available for gathering intelligence including how to find your company information on social networks and how metadata can expose potential vulnerabilities about your company and applications. Next, we will explore how to get information you may not want posted about your company removed and how sensitive metadata information you may not be aware of can be removed or limited. Finally, we will discuss how to build a Internet posting policy for your company and why this is more important then ever.

Enterprise Open Source Intelligence Gathering

Tom Eston

Staying Safe & Secure on Twitter

Tom Eston

During our last tool talk at NEOISF, Matt Neely talked about using a Fon (a wireless access point) with Karmetasploit to attack wireless clients for penetration testing. In this talk we will take this concept a step further and show you what the latest techniques are for conducting man-in-the-middle attacks (MITM). First, we will define what man-in-the-middle attacks are and why we should be doing these in our penetration tests. The technical discussion will include talk about our old favorites like Wireshark, Ettercap and Cain. Next, we will show some new techniques introduced with tools like SSLStrip, The Middler, and Network Miner. Finally, we will end with an open discussion on how to defend against man-in-the-middle attacks.

New School Man-in-the-Middle

Tom Eston

How do you know that last friend request or Twitter follower was an actual live human being? The truth is...you don't! Bots and bot manufacturers have become rampant in social networks such as MySpace, Facebook and Twitter exploiting the trust relationships that make social media work. Why are bots taking control of social networks? It's simple. Social networks are the fastest growing phenomenon of our time. For example, Facebook alone recently reached 150 million potential targets for spammers, malware authors, and other undesirables in 2008. Social networks are only getting bigger and bots will be part of this trend. This presentation will take you on a journey into the thriving bot underground where bots are manufactured for every purpose imaginable. We will talk about good bots, bad bots, really evil bots, how to identify bots, terminating bots and the future possibility of social network botnets to rule them all. This was presented at Notacon 6 in Cleveland Ohio.

Rise of the Autobots: Into the Underground of Social Network Bots

Tom Eston

Information Gathering With Maltego

Tom Eston

Automated Penetration Testing With Core Impact

Tom Eston

Automated Penetration Testing With The Metasploit Framework

Tom Eston

Physical Security Assessments

Tom Eston

I spent the last few months doing research on various social networks specifically MySpace, Facebook, LinkedIn. Many of us either use these sites or know others that do. Users of these sites have been increasing at a dramatic rate for several years. For example, MySpace was the most visited website in the US with more than 114 million global visitors in 2007, and Facebook increased its global unique visitor numbers by 270% last year alone. With this massive increase in social network usage, online social networking is now becoming the fastest growing area of privacy concerns and security threats.

Online Social Networks: 5 threats and 5 ways to use them safely

Tom Eston

Plus de Tom Eston (17)

Social Zombies: Rise of the Mobile Dead

The Android vs. Apple iOS Security Showdown

Five Lessons Learned From Breaking Into A Casino: Confessions of a Penetratio...

Smart Bombs: Mobile Vulnerability and Exploitation

Don't Drop the SOAP: Real World Web Service Testing for Web Hackers

Attacking and Defending Apple iOS Devices

Social Zombies Gone Wild: Totally Exposed and Uncensored

Social Zombies II: Your Friends Need More Brains

Enterprise Open Source Intelligence Gathering

Staying Safe & Secure on Twitter

New School Man-in-the-Middle

Rise of the Autobots: Into the Underground of Social Network Bots

Information Gathering With Maltego

Automated Penetration Testing With Core Impact

Automated Penetration Testing With The Metasploit Framework

Physical Security Assessments

Online Social Networks: 5 threats and 5 ways to use them safely

Dernier

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024

The Digital Insurer

How to Troubleshoot Apps for the Modern Connected Worker

ThousandEyes

MINDCTI Revenue Release Quarter One 2024

MIND CTI

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024

The Digital Insurer

Top 10 Most Downloaded Games on Play Store in 2024

SynarionITSolutions

This presentations targets students or working professionals. You may know Google for search, YouTube, Android, Chrome, and Gmail, but did you know Google has many developer tools, platforms & APIs? This comprehensive yet still high-level overview outlines the most impactful tools for where to run your code, store & analyze your data. It will also inspire you as to what's possible. This talk is 50 minutes in length.

Powerful Google developer tools for immediate impact! (2023-24 C)

wesley chun

Automating Google Workspace (GWS) & more with Apps Script

wesley chun

Effective data discovery is crucial for maintaining compliance and mitigating risks in today's rapidly evolving privacy landscape. However, traditional manual approaches often struggle to keep pace with the growing volume and complexity of data. Join us for an insightful webinar where industry leaders from TrustArc and Privya will share their expertise on leveraging AI-powered solutions to revolutionize data discovery. You'll learn how to: - Effortlessly maintain a comprehensive, up-to-date data inventory - Harness code scanning insights to gain complete visibility into data flows leveraging the advantages of code scanning over DB scanning - Simplify compliance by leveraging Privya's integration with TrustArc - Implement proven strategies to mitigate third-party risks Our panel of experts will discuss real-world case studies and share practical strategies for overcoming common data discovery challenges. They'll also explore the latest trends and innovations in AI-driven data management, and how these technologies can help organizations stay ahead of the curve in an ever-changing privacy landscape.

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery

TrustArc

Building Digital Trust in a Digital Economy Veronica Tan, Director - Cyber Security Agency of Singapore Apidays Singapore 2024: Connecting Customers, Business and Technology (April 17 & 18, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...

apidays

Created by Mozilla Research in 2012 and now part of Linux Foundation Europe, the Servo project is an experimental rendering engine written in Rust. It combines memory safety and concurrency to create an independent, modular, and embeddable rendering engine that adheres to web standards. Stewardship of Servo moved from Mozilla Research to the Linux Foundation in 2020, where its mission remains unchanged. After some slow years, in 2023 there has been renewed activity on the project, with a roadmap now focused on improving the engine’s CSS 2 conformance, exploring Android support, and making Servo a practical embeddable rendering engine. In this presentation, Rakhi Sharma reviews the status of the project, our recent developments in 2023, our collaboration with Tauri to make Servo an easy-to-use embeddable rendering engine, and our plans for the future to make Servo an alternative web rendering engine for the embedded devices industry. (c) Embedded Open Source Summit 2024 April 16-18, 2024 Seattle, Washington (US) https://events.linuxfoundation.org/embedded-open-source-summit/ https://ossna2024.sched.com/event/1aBNF/a-year-of-servo-reboot-where-are-we-now-rakhi-sharma-igalia

A Year of the Servo Reboot: Where Are We Now?

Igalia

With more memory available, system performance of three Dell devices increased, which can translate to a better user experience Conclusion When your system has plenty of RAM to meet your needs, you can efficiently access the applications and data you need to finish projects and to-do lists without sacrificing time and focus. Our test results show that with more memory available, three Dell PCs delivered better performance and took less time to complete the Procyon Office Productivity benchmark. These advantages translate to users being able to complete workflows more quickly and multitask more easily. Whether you need the mobility of the Latitude 5440, the creative capabilities of the Precision 3470, or the high performance of the OptiPlex Tower Plus 7010, configuring your system with more RAM can help keep processes running smoothly, enabling you to do more without compromising performance.

Boost PC performance: How more available memory can improve productivity

Principled Technologies

The Good, the Bad and the Governed - Why is governance a dirty word? David O'Neill, Chief Operating Officer - APIContext Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...

apidays

Following the popularity of "Cloud Revolution: Exploring the New Wave of Serverless Spatial Data," we're thrilled to announce this much-anticipated encore webinar. In this sequel, we'll dive deeper into the Cloud-Native realm by uncovering practical applications and FME support for these new formats, including COGs, COPC, FlatGeoBuf, GeoParquet, STAC, and ZARR. Building on the foundation laid by industry leaders Michelle Roby of Radiant Earth and Chris Holmes of Planet in the first webinar, this second part offers an in-depth look at the real-world application and behind-the-scenes dynamics of these cutting-edge formats. We will spotlight specific use-cases and workflows, showcasing their efficiency and relevance in practical scenarios. Discover the vast possibilities each format holds, highlighted through detailed discussions and demonstrations. Our expert speakers will dissect the key aspects and provide critical takeaways for effective use, ensuring attendees leave with a thorough understanding of how to apply these formats in their own projects. Elevate your understanding of how FME supports these cutting-edge technologies, enhancing your ability to manage, share, and analyze spatial data. Whether you're building on knowledge from our initial session or are new to the serverless spatial data landscape, this webinar is your gateway to mastering cloud-native formats in your workflows.

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME

Safe Software

Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...

Neo4j

Imagine a world where information flows as swiftly as thought itself, making decision-making as fluid as the data driving it. Every moment is critical, and the right tools can significantly boost your organization’s performance. The power of real-time data automation through FME can turn this vision into reality. Aimed at professionals eager to leverage real-time data for enhanced decision-making and efficiency, this webinar will cover the essentials of real-time data and its significance. We’ll explore: FME’s role in real-time event processing, from data intake and analysis to transformation and reporting An overview of leveraging streams vs. automations FME’s impact across various industries highlighted by real-life case studies Live demonstrations on setting up FME workflows for real-time data Practical advice on getting started, best practices, and tips for effective implementation Join us to enhance your skills in real-time data automation with FME, and take your operational capabilities to the next level.

From Event to Action: Accelerate Your Decision Making with Real-Time Automation

Safe Software

Partners Life - Insurer Innovation Award 2024

The Digital Insurer

Boost Fertility New Invention Ups Success Rates.pdf

sudhanshuwaghmare1

The value of a flexible API Management solution for Open Banking Steve Melan, Manager for IT Innovation and Architecture - State's and Saving's Bank of Luxembourg Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - The value of a flexible API Management solution for O...

apidays

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke

Product Anonymous

Data Cloud, More than a CDP by Matt Robison

Anna Loughnan Colquhoun

Dernier (20)

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024

How to Troubleshoot Apps for the Modern Connected Worker

MINDCTI Revenue Release Quarter One 2024

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024

Top 10 Most Downloaded Games on Play Store in 2024

Powerful Google developer tools for immediate impact! (2023-24 C)

Automating Google Workspace (GWS) & more with Apps Script

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery

Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...

A Year of the Servo Reboot: Where Are We Now?

Boost PC performance: How more available memory can improve productivity

Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME

Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...

From Event to Action: Accelerate Your Decision Making with Real-Time Automation

Partners Life - Insurer Innovation Award 2024

Boost Fertility New Invention Ups Success Rates.pdf

Apidays New York 2024 - The value of a flexible API Management solution for O...

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke

Data Cloud, More than a CDP by Matt Robison

Social Zombies: Your Friends Want to Eat Your Brains

1. SOCIAL ZOMBIES Your Friends Want to Eat Your Brains

2. STARRING...

3. TOM ESTON

4. KEVIN JOHNSON

5. Social Networks “The New Hotness”

7. 225 Million Users

9. 110 Million Users

10.

11. Grew 752% in 2008!

12. 8 million visitors in march 2009

13. “Social networks & Blogs are now the 4th most popular online activity, ahead of personal email.” -Nielsen Online Report, March 2009

14. How do socnets make $$?

15. It’s in your Profile! • More information you share...more $ $ it’s worth! • Targeted advertising • Sell your Demographic Info • Sketchy Privacy/ToS Policies....

16. In Social networks we Trust...

17. Trust is Everything! • It’s how social networks work • More trust, the better for the socnet! • Attackers LOVE trust relationships!

18. Fake Profiles

19. It’s built to Exploit Trust • Who is the person behind the account? • Bots are Everywhere • Accounts are easy to create • Socnet User Verification = FAIL • Connections based on other “friends”

20. Privacy Concerns

21. 25 Random Things About You... • I’m your friend, I want to know more about you! • Innocent? • These are PASSWORD RESET QUESTIONS people!!

22. Corporate Espionage? • Very effective in a Penetration test • Socnet Information = GOLD • Information Leakage on a Mass Scale!

23. Default Privacy Settings • Wide Open for a reason! • Facebook has very good controls...but... • Do you know where they are? • Do your Friends/Family? • Do They Care?

24. Security Concerns • Socnets are #1 Target for Malware • Spam • Disinformation • XSS, CSRF and more!

25. Twitter Clickjacking & XSS

26. Return of Koobface • Recycled ExploitS • Exploits Trust • STILL EFFECTIVE!

27. Social Network Bots

28. Delivery VIA Socnet API • Twitter Bots (n0tab0t, Realboy) • Automated tools and scripts...

29. Automated Tools

30. Pay Services

31. Social Network Botnets?

32. Facebot POC • Malicious Facebook APplication (looks normal) • Turns your PC into a Bot used for DDOS!

33. Introducing... Kreios C2

34. Kreios C2 Demo

35. Browser Based Bots

36. Browsers and Features... Oh My! • Browsers are getting more feature-rcih • Read that as more vulnerable! • Forget exploiting vulns • Abuse the features we are provided

37. Browser Zombies • JavaScript used to hook the browser • Other technologies will work • Many frameworks available • BeEF • BrowserRider • Anehta

38. SocNet Delivery • Embedded applications can insert JavaScript • Multiple options • Hook scripts are pushed • Userssitesredirected to hook are • Why would we allow this!?!?

39. Oh Yeah Mafia Wars

40. Server Side Information Collection

41. Information is Power • Information gets us access • Social networks are littered with info • By how do we connect it together

42. Third party apps to the rescue • Third party apps have access to everything • Permissions are open by default • Once a user says accept

43. API’s FTW • Myspaceto anfacebook both provide access and api • These APIs provide the access we want • Allows connecting different users • Based on friends, groups, jobs or interests

44. Social Butterfly • Social Butterfly is a third party application • Runs on attacker controlled servers • Collects the data from application users • Crosses the line between different sites • Fine line before violating TOS!

45. Social Butterfly DEMO

46. Prevention • User Education • End “opt-In” Socnet Developer Models • Control API Usage • Better Account verification • SPAM Throttling

47. Conclusions

48. MoRe Information • Facebook Privacy & Security Guide SPYLOGIC.NET • Kreios C2 www.digininja.org • New website dedicated to Social media security (announced at Defcon)

49. Questions for the Zombies?

Social Zombies: Your Friends Want to Eat Your Brains

Recommandé

Recommandé

Contenu connexe

Plus de Tom Eston

Plus de Tom Eston (17)

Dernier

Dernier (20)

Social Zombies: Your Friends Want to Eat Your Brains