Social Networking


An Ethical Hackers’ View




                      Peter Wood
                   Chief Executive Officer
               First•Base Technologies LLP
Who is Peter Wood?


      Worked in computers & electronics since 1969
      Founded First•Base in 1989 (one of the first ethical hacking firms)
      CEO First Base Technologies LLP
      Social engineer & penetration tester
      Conference speaker and security ‘expert’

      Chair of Advisory Board at CSA UK & Ireland
      Vice Chair of BCS Information Risk Management and Audit Group
      Director UK/Europe Global Institute for Cyber Security + Research
      Member of ISACA London Security Advisory Group
      Corporate Executive Programme Expert

      FBCS, CITP, CISSP, MIEEE, M.Inst.ISP
      Registered BCS Security Consultant
      Member of ACM, ISACA, ISSA, Mensa

Slide 2                                                             © First Base Technologies 2011
Information leakage




Slide 3                         © First Base Technologies 2011
Social technologies

          •   Blogs and Wikis
          •   Social networking
          •   Instant Messaging
          •   Web conferencing
          •   VoIP
          •   P2P
          •   IPTV




Slide 4                                      © First Base Technologies 2011
Yada yada yada


     • People have always talked about work to their friends
     • What has changed is the nature of how we interact
     • We talk about our lives on our blogs, on social networking sites such
       as Facebook and Twitter, and on message boards pertaining to the
       work we're doing
     • What was once intimate and ephemeral is now available to the whole
       world, indexed by Google, and archived for posterity
     • A good open-source intelligence gatherer can learn a lot about what a
       company is doing by monitoring its employees’ online activities
                                                                     Bruce Schneier




Slide 5                                                   © First Base Technologies 2011
Putting it all together




Slide 6                         © First Base Technologies 2011
Information harvesting


          • Identity theft
             - Both personal & business

          • Corporate hierarchy (social engineering)
          • E-mail addresses (spam, social engineering,
            malware)
          • Phone numbers (sales calls, social
            engineering)
          • Technical infrastructure (hacker
            footprinting)
          • Business plans (industrial espionage)
          • Sensitive information (legal, contractual
            penalties)

Slide 7                                               © First Base Technologies 2011
A hacker’s perspective


          • “It's the easiest way passively to gain intelligence on the
            largest groups of society and nearly every walk of life”
                               Robert Hansen, aka RSnake, founder of SecTheory LLC


          • Social networking sites by nature aren't secure
          • They typically don’t authenticate new members - you
            can’t always be sure that your online friend is who she
            says she is - and attackers can easily exploit and
            capitalize on the “trusted” culture within the social
            network
          • Users often don't deploy the security and privacy options
            that some of these sites offer, either
                                                 Kelly Jackson Higgins, DarkReading


Slide 8                                                       © First Base Technologies 2011
Twitter from a hacker’s perspective


          • Twitter introduces a whole other element to social
            networking security - physical security ... leading to
            burglary, stalking, etc.
          • “I never talk about where I am, who I'm with, where I'm
            going, or any other specific details, but that doesn't stop
            anyone else who knows that same information from
            doing that behind my back - maliciously or not.”
                                     Robert Hansen, aka RSnake, founder of SecTheory LLC




Slide 9                                                          © First Base Technologies 2011
Please burgle my house

      A survey of >2,000 social media users in the UK:
      • 38% posted status updates detailing their holiday plans
      • 33% posted that they are away for the weekend
                                                          Legal & General’s Digital Criminal Report

     "We were saying, 'This has been the best vacation we
     ever had'," Claudette McCubbin said about her recent
     vacation to Florida.
     Unfortunately, all the relaxation was lost when they
     arrived back to Knoxville Wednesday. The family room
     and bedrooms in the West Knoxville house were all
     trashed. Thousands of dollars in electronics were missing.
     Claudette posted messages stating when the family was
     leaving and how much fun they were having when they
     arrived in Florida. "I wanted to share with our friends
     everything that we were doing. We know a lot of people.
     We have a really good support group. Who would've
     thought that one of them [a thief] saw that or maybe a
     friend of a friend. That was a huge mistake," Claudette
     said.
                                                           WBIR.com, 02/04/2010

Slide 10                                                                © First Base Technologies 2011
LinkedIn from a hacker’s perspective


       • Hamiel and Moyer demonstrated at Black Hat
         USA and Defcon 16 that you don’t even have
         to have a social networking profile to be
         targeted
       • They were able to easily impersonate Marcus
         Ranum (with his permission) on LinkedIn
       • Ranum didn’t have an account, so they lifted
         Ranum’s photo off the Internet and gathered
         information on him online and built a
         convincing phony Ranum profile.


Slide 11                                            © First Base Technologies 2011
SPAM and Trojans on social sites



           • Attackers hijacked some Facebook accounts

           • Posed as members and sent messages to
             their friends to dupe them into viewing a
             video clip link

           • In fact it was a Trojan that downloaded
             malware onto their machines once they
             opened the link



                       http://news.cnet.com/8301-1009_3-10246536-83.html

Slide 12                                                                   © First Base Technologies 2011
Widgets and apps


           • Users don’t always realize that third-party apps for
             Facebook, for example, aren’t written by Facebook
           • Some collect more information than necessary or safe
           • Others have been written specifically to install adware or
             generate revenue
           • “Secret Crush” on Facebook spread spyware
           • Victims received an invitation to find out who has a
             secret “crush” on them, which lured them into installing the
             Secret Crush app; the app then spread spyware via an iFrame
           • The attack became worm-like when it required the victim
             to invite at least five friends before learning who their
             “crush” was
                                          Kelly Jackson Higgins, DarkReading

Slide 13                                                    © First Base Technologies 2011
Some key problems



           • Impersonation and targeted personal attacks
           • Identity theft
           • Spam and bot infections
           • Crossover of personal to professional online presence
           • Data Leakage
           • Corporate espionage




Slide 14                                              © First Base Technologies 2011
Tips to minimise exposure


           • Don’t reveal personal or sensitive information in social
             networking sites or blogs
           • Set the privacy options in social networking sites
           • Don’t discuss confidential information online
           • Don’t ‘friend’ people (or accept invitations from people)
             you don’t know
           • Don’t post anything you wouldn’t want everyone to see
           • … and remember: what goes on the Internet, stays on the
             Internet!


Slide 15                                                 © First Base Technologies 2011
The social media attack




Slide 16                        © First Base Technologies 2011
           • Out-of-office message: “Mr Bloggs is away from the office on
             holiday and will return on 5th May”
           • Mr Bloggs, on social media: “It’s great to be away from the
             office with no interruptions!”
           • Attacker, on LinkedIn: “I’m a new boy at Fine Widgets and I
             report to Mr Bloggs” … “Please connect with me!”
           • Attacker sends “Be my friend!” invitations to Fine Widgets
             staff, including the Help Desk person
           • Attacker to Help Desk: “Hello Harry, this is Andy the new boy –
             we met on LinkedIn. I need an email account and a Windows
             account please!”
           • Help Desk: “Hello Andy. I’m sorry but I need authorisation from
             your manager before I can set up any accounts for you”
           • Attacker: “My manager, Mr Bloggs, is on holiday, but he sent an
             email authorising this – I’ll send you a copy!”
             (Forwards fake email from personal mail account)
           • Help Desk: “Well, since you have an email from your manager, and
             as I know you from LinkedIn … I’ll set up your accounts for you
             now.”
           • Attacker: “Now I have a valid email account, everyone will
             believe I work here!”
           • Attacker: “With a valid Windows account, I can get access to all
             that sensitive data!”

Slide 17                                              © First Base Technologies 2011
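The help desk in the scenario above fails because it treats a LinkedIn connection as proof of employment and a forwarded "copy" of an email from a personal mailbox as manager authorisation. The following is an added example, not code from the slides or from First Base, that models the checks a help desk should apply instead, against its own records rather than the caller's story: the requester must exist in the HR directory, the approval must arrive directly (not forwarded) from an authenticated corporate mailbox, and while HR says the manager is on leave only a named deputy may approve. The company domain, the HR records, the personal webmail address and the `authenticated` flag (standing in for the mail gateway's SPF/DKIM/DMARC result) are all constructed assumptions for the example.

```python
"""Added example: a help-desk account-provisioning check (not from the slides)."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

CORPORATE_DOMAIN = "finewidgets.example"  # assumption: the company's mail domain (constructed)


@dataclass
class Employee:
    name: str
    email: str
    manager: Optional[str]                 # manager's corporate address, None at the top
    on_leave_until: Optional[date] = None  # last day of leave, as recorded by HR
    deputy: Optional[str] = None           # approver covering the manager's leave


@dataclass
class ApprovalEmail:
    sender: str          # From address as received by the help desk
    authenticated: bool  # assumed: mail gateway's SPF/DKIM/DMARC verdict for the sender
    forwarded: bool      # arrived as a forwarded copy rather than directly from the sender
    approves: str        # requester name the message claims to authorise


# Constructed HR directory. Mr Bloggs is on holiday until 5th May, as on the slide.
HR_DIRECTORY = {
    "a.bloggs@finewidgets.example": Employee(
        "Mr Bloggs", "a.bloggs@finewidgets.example", manager=None,
        on_leave_until=date(2011, 5, 5), deputy="j.deputy@finewidgets.example"),
    "j.deputy@finewidgets.example": Employee(
        "J Deputy", "j.deputy@finewidgets.example", manager=None),
    "s.starter@finewidgets.example": Employee(
        "Sam Starter", "s.starter@finewidgets.example",
        manager="a.bloggs@finewidgets.example"),
}


def validate_account_request(requester_name: str, approval: ApprovalEmail,
                             today: date, directory=HR_DIRECTORY):
    """Return (approved, reason) for a request to create accounts for requester_name.

    Every check is made against the help desk's own systems, never against
    what the caller says or what a social-network profile shows.
    """
    # 1. Provisioning is driven by the HR record. "Andy", who exists only on
    #    LinkedIn, is rejected here before any email is even looked at.
    requester = next((e for e in directory.values() if e.name == requester_name), None)
    if requester is None:
        return False, "requester is not in the HR directory"
    manager = directory.get(requester.manager or "")
    if manager is None:
        return False, "requester has no manager on record"

    # 2. A forwarded copy proves nothing: the help desk never saw the original
    #    headers, so the quoted text can say anything the forwarder likes.
    if approval.forwarded:
        return False, "forwarded approval rejected; approval must arrive directly"

    # 3. The approval must come from a corporate mailbox that passed gateway
    #    authentication; a personal webmail address is rejected whatever the
    #    display name claims.
    sender = approval.sender.lower()
    if sender.rpartition("@")[2] != CORPORATE_DOMAIN or not approval.authenticated:
        return False, f"approval from unverified sender {approval.sender}"
    if approval.approves != requester_name:
        return False, "approval names a different person"

    # 4. Only the manager on record may approve; while HR says the manager is
    #    on leave, only the named deputy may, so a "holiday" email is never enough.
    on_leave = manager.on_leave_until is not None and today <= manager.on_leave_until
    if on_leave:
        if manager.deputy is None or sender != manager.deputy.lower():
            return False, "manager is on leave per HR; approval must come from the named deputy"
    elif sender != manager.email.lower():
        return False, f"{approval.sender} is not the requester's manager"
    return True, f"approved by {approval.sender}"


def run_scenarios(today: date = date(2011, 4, 28)) -> dict:
    """Constructed requests exercising each branch; the first is the slide's attack."""
    personal = "bloggs.holiday@webmail.example"  # attacker's personal mailbox (constructed)
    corp_mgr = "a.bloggs@finewidgets.example"
    return {
        "slide_attack": validate_account_request(
            "Andy", ApprovalEmail(personal, True, forwarded=True, approves="Andy"), today),
        "forwarded_copy": validate_account_request(
            "Sam Starter", ApprovalEmail(personal, True, forwarded=True, approves="Sam Starter"), today),
        "spoofed_direct": validate_account_request(
            "Sam Starter", ApprovalEmail(corp_mgr, False, forwarded=False, approves="Sam Starter"), today),
        "manager_on_leave": validate_account_request(
            "Sam Starter", ApprovalEmail(corp_mgr, True, forwarded=False, approves="Sam Starter"), today),
        "deputy_direct": validate_account_request(
            "Sam Starter", ApprovalEmail("j.deputy@finewidgets.example", True,
                                         forwarded=False, approves="Sam Starter"), today),
    }


if __name__ == "__main__":
    for label, outcome in run_scenarios().items():
        print(f"{label:18} -> {outcome}")
```

The ordering matters: the HR lookup comes first so that a requester who is not a recorded employee is refused regardless of how convincing the accompanying email is, and the forwarded-copy rule is applied before any domain check because a forward carries no verifiable sender at all. The `authenticated` flag is a stand-in for whatever the mail gateway actually reports; in practice the help desk would look at the gateway's verdict rather than trusting a field on the message.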
Need more information?



       Peter Wood
    Chief Executive Officer
First•Base Technologies LLP

  peterw@firstbase.co.uk

     http://firstbase.co.uk
    http://white-hats.co.uk
    http://peterwood.com

    Blog: fpws.blogspot.com
      Twitter: peterwoodx

 
Solution Manual for Financial Accounting, 11th Edition by Robert Libby, Patri...
Solution Manual for Financial Accounting, 11th Edition by Robert Libby, Patri...Solution Manual for Financial Accounting, 11th Edition by Robert Libby, Patri...
Solution Manual for Financial Accounting, 11th Edition by Robert Libby, Patri...
 
The Economic History of the U.S. Lecture 19.pdf
The Economic History of the U.S. Lecture 19.pdfThe Economic History of the U.S. Lecture 19.pdf
The Economic History of the U.S. Lecture 19.pdf
 
Call US 📞 9892124323 ✅ Kurla Call Girls In Kurla ( Mumbai ) secure service
Call US 📞 9892124323 ✅ Kurla Call Girls In Kurla ( Mumbai ) secure serviceCall US 📞 9892124323 ✅ Kurla Call Girls In Kurla ( Mumbai ) secure service
Call US 📞 9892124323 ✅ Kurla Call Girls In Kurla ( Mumbai ) secure service
 
05_Annelore Lenoir_Docbyte_MeetupDora&Cybersecurity.pptx
05_Annelore Lenoir_Docbyte_MeetupDora&Cybersecurity.pptx05_Annelore Lenoir_Docbyte_MeetupDora&Cybersecurity.pptx
05_Annelore Lenoir_Docbyte_MeetupDora&Cybersecurity.pptx
 
Bladex Earnings Call Presentation 1Q2024
Bladex Earnings Call Presentation 1Q2024Bladex Earnings Call Presentation 1Q2024
Bladex Earnings Call Presentation 1Q2024
 
OAT_RI_Ep19 WeighingTheRisks_Apr24_TheYellowMetal.pptx
OAT_RI_Ep19 WeighingTheRisks_Apr24_TheYellowMetal.pptxOAT_RI_Ep19 WeighingTheRisks_Apr24_TheYellowMetal.pptx
OAT_RI_Ep19 WeighingTheRisks_Apr24_TheYellowMetal.pptx
 
Lundin Gold April 2024 Corporate Presentation v4.pdf
Lundin Gold April 2024 Corporate Presentation v4.pdfLundin Gold April 2024 Corporate Presentation v4.pdf
Lundin Gold April 2024 Corporate Presentation v4.pdf
 
Quarter 4- Module 3 Principles of Marketing
Quarter 4- Module 3 Principles of MarketingQuarter 4- Module 3 Principles of Marketing
Quarter 4- Module 3 Principles of Marketing
 
Russian Call Girls In Gtb Nagar (Delhi) 9711199012 💋✔💕😘 Naughty Call Girls Se...
Russian Call Girls In Gtb Nagar (Delhi) 9711199012 💋✔💕😘 Naughty Call Girls Se...Russian Call Girls In Gtb Nagar (Delhi) 9711199012 💋✔💕😘 Naughty Call Girls Se...
Russian Call Girls In Gtb Nagar (Delhi) 9711199012 💋✔💕😘 Naughty Call Girls Se...
 
Independent Lucknow Call Girls 8923113531WhatsApp Lucknow Call Girls make you...
Independent Lucknow Call Girls 8923113531WhatsApp Lucknow Call Girls make you...Independent Lucknow Call Girls 8923113531WhatsApp Lucknow Call Girls make you...
Independent Lucknow Call Girls 8923113531WhatsApp Lucknow Call Girls make you...
 
Monthly Market Risk Update: April 2024 [SlideShare]
Monthly Market Risk Update: April 2024 [SlideShare]Monthly Market Risk Update: April 2024 [SlideShare]
Monthly Market Risk Update: April 2024 [SlideShare]
 
VIP Call Girls Service Dilsukhnagar Hyderabad Call +91-8250192130
VIP Call Girls Service Dilsukhnagar Hyderabad Call +91-8250192130VIP Call Girls Service Dilsukhnagar Hyderabad Call +91-8250192130
VIP Call Girls Service Dilsukhnagar Hyderabad Call +91-8250192130
 
06_Joeri Van Speybroek_Dell_MeetupDora&Cybersecurity.pdf
06_Joeri Van Speybroek_Dell_MeetupDora&Cybersecurity.pdf06_Joeri Van Speybroek_Dell_MeetupDora&Cybersecurity.pdf
06_Joeri Van Speybroek_Dell_MeetupDora&Cybersecurity.pdf
 
Interimreport1 January–31 March2024 Elo Mutual Pension Insurance Company
Interimreport1 January–31 March2024 Elo Mutual Pension Insurance CompanyInterimreport1 January–31 March2024 Elo Mutual Pension Insurance Company
Interimreport1 January–31 March2024 Elo Mutual Pension Insurance Company
 
High Class Call Girls Nagpur Grishma Call 7001035870 Meet With Nagpur Escorts
High Class Call Girls Nagpur Grishma Call 7001035870 Meet With Nagpur EscortsHigh Class Call Girls Nagpur Grishma Call 7001035870 Meet With Nagpur Escorts
High Class Call Girls Nagpur Grishma Call 7001035870 Meet With Nagpur Escorts
 
20240429 Calibre April 2024 Investor Presentation.pdf
20240429 Calibre April 2024 Investor Presentation.pdf20240429 Calibre April 2024 Investor Presentation.pdf
20240429 Calibre April 2024 Investor Presentation.pdf
 
Call Girls Service Nagpur Maya Call 7001035870 Meet With Nagpur Escorts
Call Girls Service Nagpur Maya Call 7001035870 Meet With Nagpur EscortsCall Girls Service Nagpur Maya Call 7001035870 Meet With Nagpur Escorts
Call Girls Service Nagpur Maya Call 7001035870 Meet With Nagpur Escorts
 

Social Networking - An Ethical Hacker's View

  • 1. Social Networking An Ethical Hackers’ View Peter Wood Chief Executive Officer First•Base Technologies LLP
  • 2. Who is Peter Wood? Worked in computers & electronics since 1969 Founded First•Base in 1989 (one of the first ethical hacking firms) CEO First Base Technologies LLP Social engineer & penetration tester Conference speaker and security ‘expert’ Chair of Advisory Board at CSA UK & Ireland Vice Chair of BCS Information Risk Management and Audit Group Director UK/Europe Global Institute for Cyber Security + Research Member of ISACA London Security Advisory Group Corporate Executive Programme Expert FBCS, CITP, CISSP, MIEEE, M.Inst.ISP Registered BCS Security Consultant Member of ACM, ISACA, ISSA, Mensa Slide 2 © First Base Technologies 2011
  • 3. Information leakage Slide 3 © First Base Technologies 2011
  • 4. Social technologies • Blogs and Wikis • Social networking • Instant Messaging • Web conferencing • VoIP • P2P • IPTV Slide 4 © First Base Technologies 2011
  • 5. Yada yada yada • People have always talked about work to their friends • What has changed is the nature of how we interact • We talk about our lives on our blogs, on social networking sites such as Facebook and Twitter, and on message boards pertaining to the work we're doing • What was once intimate and ephemeral is now available to the whole world, indexed by Google, and archived for posterity • A good open-source intelligence gatherer can learn a lot about what a company is doing by monitoring its employees’ online activities Bruce Schneier Slide 5 © First Base Technologies 2011
  • 6. Putting it all together Slide 6 © First Base Technologies 2011
  • 7. Information harvesting • Identity theft - Both personal & business • Corporate hierarchy (social engineering) • E-mail addresses (spam, social engineering, malware) • Phone numbers (sales calls, social engineering) • Technical infrastructure (hacker footprinting) • Business plans (industrial espionage) • Sensitive information (legal, contractual penalties) Slide 7 © First Base Technologies 2011
  • 8. A hacker’s perspective • “It's the easiest way passively to gain intelligence on the largest groups of society and nearly every walk of life” Robert Hansen, aka RSnake, founder of SecTheory LLC • Social networking sites by nature aren't secure • They typically don’t authenticate new members - you can’t always be sure that your online friend is who she says she is - and attackers can easily exploit and capitalize on the “trusted” culture within the social network • Users often don't deploy the security and privacy options that some of these sites offer, either Kelly Jackson Higgins, DarkReading Slide 8 © First Base Technologies 2011
  • 9. Twitter from a hacker’s perspective • Twitter introduces a whole other element to social networking security - physical security ... leading to burglary, stalking, etc. • “I never talk about where I am, who I'm with, where I'm going, or any other specific details, but that doesn't stop anyone else who knows that same information from doing that behind my back - maliciously or not.” Robert Hansen, aka RSnake, founder of SecTheory LLC Slide 9 © First Base Technologies 2011
  • 10. Please burgle my house A survey of >2,000 social media users in UK: • 38% posted status updates detailing their holiday plans • 33% posted that they are away for the weekend Legal & General’s Digital Criminal Report "We were saying, 'This has been the best vacation we ever had'," Claudette McCubbin said about her recent vacation to Florida. Unfortunately, all the relaxation was lost when they arrived back to Knoxville Wednesday. The family room and bedrooms in the West Knoxville house were all trashed. Thousands of dollars in electronics were missing. Claudette posted messages stating when the family was leaving and how much fun they were having when they arrived in Florida. "I wanted to share with our friends everything that we were doing. We know a lot of people. We have a really good support group. Who would've thought that one of them [a thief] saw that or maybe a friend of a friend. That was a huge mistake," Claudette said. WBIR.com, 02/04/2010 Slide 10 © First Base Technologies 2011
  • 11. LinkedIn from a hacker’s perspective • Hamiel and Moyer demonstrated at Black Hat USA and Defcon 16 that you don’t even have to have a social networking profile to be targeted • They were able to easily impersonate Marcus Ranum (with his permission) on LinkedIn • Ranum didn’t have an account, so they lifted Ranum’s photo off the Internet and gathered information on him online and built a convincing phony Ranum profile. Slide 11 © First Base Technologies 2011
  • 12. SPAM and Trojans on social sites • Attackers hijacked some Facebook accounts • Posed as members and sent messages to their friends to dupe them into viewing a video clip link • In fact it was a Trojan that downloaded malware onto their machines once they opened the link http://news.cnet.com/8301-1009_3-10246536-83.html Slide 12 © First Base Technologies 2011
  • 13. Widgets and apps • Users don’t always realize that third-party apps for Facebook, for example, aren’t written by Facebook • Some collect more information than necessary or safe • Others have been written specifically to install adware or generate revenue • “Secret Crush” on Facebook spread spyware • Victims received an invitation to find out who has a secret “crush” on them, lured them into installing the Secret Crush app, which spread spyware via an iFrame • The attack became worm-like when it required the victim to invite at least five friends before learning who their “crush” was Kelly Jackson Higgins, DarkReading Slide 13 © First Base Technologies 2011
  • 14. Some key problems • Impersonation and targeted personal attacks • Identity theft • Spam and bot infections • Crossover of personal to professional online presence • Data Leakage • Corporate espionage Slide 14 © First Base Technologies 2011
  • 15. Tips to minimise exposure • Don’t reveal personal or sensitive information in social networking sites or blogs • Set the privacy options in social networking sites • Don’t discuss confidential information online • Don’t ‘friend’ people (or accept invitations from people) you don’t know • Don’t post anything you wouldn’t want everyone to see • … and remember: what goes on the Internet, stays on the Internet! Slide 15 © First Base Technologies 2011
  • 16. The social media attack Slide 16 © First Base Technologies 2011
  • 17. Slide 17 © First Base Technologies 2011
  • 18. Mr Bloggs is away from the office on holiday and will return on 5th May
  • 19. “It’s great to be away from the Mr Bloggs office with no interruptions!”
  • 20. “I’m a new boy at Fine Widgets and I report to Mr Bloggs” “Please connect with me!”
  • 21. “Be my friend!” (invitations sent repeatedly to many staff, including the Help Desk person)
  • 22. “Hello Harry, this is Andy the new boy – we met on LinkedIn. I need an email account and a Windows account please!”
  • 23. “Hello Andy. I’m sorry but I need authorisation from your manager before I can set up any accounts for you”
  • 24. “My manager, Mr Bloggs, is on holiday, but he sent an email authorising this – I’ll send you a copy!” (Forwards fake email from personal mail account)
  • 25. “Well, since you have an email from your manager, and as I know you from LinkedIn … I’ll set up your accounts for you now.”
  • 26. “Now I have a valid email account, everyone will believe I work here!”
  • 27. “With a valid Windows account, I can get access to all that sensitive data!”
  • 28.
  • 29.
  • 30. Need more information? Peter Wood Chief Executive Officer First•Base Technologies LLP peterw@firstbase.co.uk http://firstbase.co.uk http://white-hats.co.uk http://peterwood.com Blog: fpws.blogspot.com Twitter: peterwoodx
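The help-desk exchange on slides 22 to 25 succeeds because two things are accepted as proof of identity that prove nothing: a LinkedIn connection and an authorisation e-mail forwarded from a personal mailbox. The following is an added example, not part of Peter Wood's slides or First Base's material, of how a help desk can encode the check it should have made: the requester must already exist in the HR directory, the claimed manager must match HR's record, and the authorisation must arrive directly from that manager's corporate address and pass the mail gateway's authentication. The company domain, the HR records and both requests are constructed for illustration; "Andy" and "Mr Bloggs" are the names used in the slides.

```python
"""Help-desk account-request check (illustrative policy, constructed data)."""
from dataclasses import dataclass

CORPORATE_DOMAIN = "finewidgets.example"  # assumed company mail domain

# Constructed HR directory: employee address -> manager address.
# Only HR-provisioned staff appear here; social-network "connections" do not.
HR_DIRECTORY = {
    "newhire@finewidgets.example": "bloggs@finewidgets.example",
    "harry@finewidgets.example": "itmanager@finewidgets.example",
}


@dataclass
class AccountRequest:
    requester_email: str            # address the request came from
    claimed_manager: str            # who the requester says approves it
    authorisation_from: str         # sender of the approval message
    authorisation_authenticated: bool  # hypothetical gateway DKIM/SPF result


def evaluate_request(req: AccountRequest) -> tuple[str, list[str]]:
    """Return ("APPROVE", []) or ("REJECT", reasons).

    Nothing the requester says about knowing staff on LinkedIn is an input;
    every check is against records the attacker cannot write to.
    """
    reasons = []

    # 1. The requester must already be on HR's books.
    if req.requester_email not in HR_DIRECTORY:
        reasons.append("requester not provisioned by HR")
    # 2. The manager named must be the manager HR records.
    elif HR_DIRECTORY[req.requester_email] != req.claimed_manager:
        reasons.append("claimed manager does not match HR record")

    # 3. A forwarded copy from a personal mailbox is not an authorisation.
    if not req.authorisation_from.lower().endswith("@" + CORPORATE_DOMAIN):
        reasons.append("authorisation sent from non-corporate address")
    # 4. The approval must come from the manager of record themselves.
    if req.authorisation_from.lower() != req.claimed_manager.lower():
        reasons.append("authorisation sender is not the manager of record")
    # 5. And the message must have passed the gateway's sender authentication.
    if not req.authorisation_authenticated:
        reasons.append("authorisation message failed mail authentication")

    if reasons:
        return "REJECT", reasons   # help desk calls the manager on a known number
    return "APPROVE", reasons


# Constructed request matching the attack in the slides: Andy is not in HR,
# and the "authorisation" is forwarded from a personal mail account.
ANDY_REQUEST = AccountRequest(
    requester_email="andy.newboy@personalmail.example",
    claimed_manager="bloggs@finewidgets.example",
    authorisation_from="bloggs.holiday@personalmail.example",
    authorisation_authenticated=True,   # personal-domain mail can still pass DKIM
)

# Constructed legitimate request: HR record exists, manager approves directly.
LEGITIMATE_REQUEST = AccountRequest(
    requester_email="newhire@finewidgets.example",
    claimed_manager="bloggs@finewidgets.example",
    authorisation_from="bloggs@finewidgets.example",
    authorisation_authenticated=True,
)

if __name__ == "__main__":
    for label, req in (("Andy", ANDY_REQUEST), ("New hire", LEGITIMATE_REQUEST)):
        decision, why = evaluate_request(req)
        print(label, decision, why)
```

The point of the design is that each check reads from a source the social engineer cannot influence (the HR directory, the mail gateway's authentication result, the corporate domain), and that a rejection routes to an out-of-band call to the manager rather than to more e-mail. A manager on holiday who "sent an email" is exactly the case where the help desk must wait or phone.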

Editor's Notes

  1. Do you know why huskies run together, in harness, in front of a sledge? It’s not because they’re chasing the leader and it’s nothing to do with food, either, or the whip. They run together because they like running together… The scientist who made this discovery said that just as huskies enjoy running together, humans gossip because they like gossiping together. It’s in the make-up of the creature: huskies are sociable running animals; humans are sociable gossiping animals. Neither we nor the huskies can change those core characteristics of our natures. I thought knowing that might help tee-up what we’re talking about today.
  2. Web 2.0 appeals to that facet of human nature: we’re gossiping animals. We’re sociable, we seek companionship however and wherever we can get it. And now we can get it everywhere ... It’s good to talk, and it feels great to share – and not just words, but voices, pictures, videos, music, websites: first with workmates and friends, then with strangers who seem sympathetic. First locally, then nationally, and then, if you like, over the entire planet. There are blogs, where everyone has their own soap box or on-line diary, depending on their personality. And there are wikis, where the knowledgeable (and the not so knowledgeable) share their expertise with the world. Of course, social networking sites have proved to be incredibly popular, with Facebook claiming 750 million members at the last count. Then there’s instant messaging – a sort of on-line text messaging system, and web conferencing - providing virtual meetings and seminars. VoIP (or voice over IP) provides free or low-cost telephone calls via the Internet, and peer-to-peer networks allow people to share files wherever they are. Together these technologies allow us to share not just text but all kinds of media – photos, videos, music, cross-linking of sites.
  3. This slide is a take on our predicament by Bruce Schneier, one of the top industry gurus. What he’s saying is essentially this: thanks to Web 2.0, what we can do online is more or less what we do when, say, we meet friends in a café or pub. Which is gossip about work, or friends. I show you my holiday snaps, or lend you that DVD or CD you wanted to borrow... What happens in the café or pub if a stranger gets too close? We lower our voices. We move away to a table in the corner... But in the virtual world, you don’t know the stranger is at your shoulder, and there’s nowhere secluded to move to. And there’s two other big differences. Everything we say in the café or pub vanishes into the air, and while it remains for a while in our two memories, it’s locked there for a bit and usually fades away. But everything we say and do on-line is imprinted, indelibly and publicly, forever. And it’s searchable, of course, by our old friend Google.
  4. The second difference is that the technology lets us link all our favourite places together. So, to keep the analogy going, we can connect the café to the pub and the restaurant and the bowling alley and the library and the social club and the works canteen... So that when we say something in one of them, either it turns up in all the others, or intruders can make their way from one to the next picking up items of critical intelligence as they go. Which means that a crook who knows what he or she is doing can gather pieces of the jigsaw from the disparate places where we left them and begin to assemble a whole picture. And it’s probably a picture, if you looked at it in its entirety, which you wouldn’t want to share with strangers.
  5. So where are the main dangers? Personal? Professional? Both, I’m afraid. Just look at the kinds of intelligence a skilled hacker can harvest from these sites: intelligence that can be used for impersonation, or to attack an IT system with a virus, or to entrap individuals’ computers without their knowledge and use them to distribute spam or pornography; or to enslave a whole lot of computers and use them to jam a company’s website and hold it to ransom. Then there’s varieties of sensitive and secret corporate information which can be stolen and sold; and crooks can raid your sites to steal your identity and use it for all kinds of nefarious purposes; or seize your passwords and credit card details and empty your bank account... The Web 2.0 industrial spy doesn’t need a set of disguises and skeleton keys. All he or she needs is just a laptop, web-literacy, patience and brainpower.
  6. Robert Hansen [ CEO of SecTheory, a security consulting firm, and who has been working with web application security since the mid-90s ] points out here how very simple it is to harvest information and Kelly Jackson Higgins [ senior editor at Dark Reading, and who has been called ‘the best connected reporter in security’ ] shows why it’s so easy: in essence, the social sites are open spaces and the users don’t bother to fence them in – or to mix the metaphor, the users are holding great big dinner parties with open front doors and letting anyone who wants to come in and join them at the table. Have you done anything to secure your social sites? Most people try but don’t know whether they’ve ever done quite enough, and to be honest, the sites themselves hardly make it a front page issue with an easy-steps guide, do they? There are an awful lot of settings to contend with, but also (some would say) it’s in the interest of social networking sites to have people expose their personal information. After all, selling personal information and targeted advertising is how they make their money! Can we boil down all these vulnerabilities to a single factor? Yes - it’s about our psychology: our innocent, trusting nature.
  7. Do you use Twitter? What kind of things do you tweet to your vast army of followers? Do you tell your select group of fans what you’re doing, thinking... Tell them where you are, ever? Here’s a true story from a client: A young lady started to receive emails at work from an anonymous Hotmail account. At first they were annoying but the emails continued over a period of time (perhaps some weeks). It came to a head and caused some distress when the girl received an email which said something along the lines of "you looked gorgeous in your gym-kit last night". We were then contacted by her line manager and asked to investigate. We were unable to trace the source or the sender of the emails. A Google search on the girl's email address took us straight to her Facebook profile, which he accessed and discovered that her contact email was her employer’s email address, her presence at the gym and a variety of social events were advertised and her photo albums contained photos of her at some of those social events … The girl was informed and the emails stopped abruptly (as far as we know).
  8. Here’s a real world example of how posting your location on social networking sites can result in burglary. Legal and General’s survey of more than 2,000 social media users in the UK showed that people just don’t think about the risks of what they post!
  9. Let’s move on from tweeting to twocking. If you don’t know, it’s police slang. T.W.O.C stands for “taking without the owner’s consent.” Only in this instance we’re not talking about twocking a car, but an ID. Now, in the example on the slide, which is two guys working a couple of conferences, the ID was twocked with the owner’s consent, but the theory concerns “without” Let’s suppose we’re con artists. We find a desirable person, and we pinch his photo from here, and his biog and CV from somewhere else, and his blog from another site again, then we go to an online business forum where he doesn’t have a presence, and we bring it all together and put him there large as virtual life – only the traffic from that forum comes back to us. If the person behind whose ID we’re now masquerading is, as I say, one with desirable intellectual or commercial goodies, then a lot of folks will want to link up with him, and their lives, their secrets and their goodies might be ours for the taking.
  10. You should always make sure that anyone you connect to really is who you think they are. Impersonation is an online epidemic. Sometimes the motives are criminal and sometimes they’re just plain malevolent, and sometimes they’re a mixture of both. Once tricksters or fraudsters have stolen a Facebook ID, and it happens all the time, then they’ve got a route through to all the victim’s friends, and maybe they send them a video clip with “hey, you have to look at this”, and once the friends open up and look, in comes the Trojan and down comes the malware onto their machines. Be circumspect, be cautious. Ask yourself, “would he, would she, really send me this? Is this typical behaviour?” Fall back on an old technology. Make a phone call. Ask and check. I’ll give you another human vulnerability that’s there for the exploitation. “I can’t be bothered.” So you don’t check. “I’ll take it on trust.” So you hit the key and it’s “bye bye security, farewell identity.”
  11. Facebook and sites like it are pretty generous hosts – actually, a harsher description would be undiscriminating hosts – not just for you, but for outsiders offering games, quizzes, services, all kinds of apps. Some of them aren’t the harmless fun they pretend to be. So your basic rule is always, if in doubt, check. And if you can’t check, say no – say no, in particular, to anything that’s appealing to your baser instincts – sex, greed, something-for-nothing, because that’s precisely where the scammers hope your reaction will be “oh, what the heck? I’ll take it on trust.” Like the “secret crush” scam. Who wouldn’t be tempted to find out who had a “secret crush” on them? But then you should think, “wait a minute, why do I have to get at least five friends to join in before I find out who is this lunatic who fancies me?” Why else, if not to lure five friends and then five more and five more again into the same trap and spread the virus.
  12. A security expert called Graham Cluley created a fake profile of a small plastic frog called Freddi Staur (which is an anagram of ID Fraudster) and invited strangers to become Freddi's friend. And sure enough scores of people accepted the invitation, and many of them revealed their full names, addresses, dates of birth, phone numbers and even - in one case of a real klutz - their mother's maiden name. Freddi Staur ate my ID. Identity theft is a real and present danger on social sites and it takes on average 6 months for victims to restore their credit rating! Then you get spam and bot infections where attackers hijack Facebook accounts and send messages to the victims’ friends to dupe them into viewing a video clip link, which, once they open it, turns out to be a Trojan that silently downloads malware onto their machine. The crossover of personal to professional online presence is something you have to watch out for like a hawk: Even if you keep a Facebook account for personal use, and a LinkedIn one for professional networking, there’s no guarantee that those late-night partying pictures aren’t going to end up in front of your colleagues on LinkedIn, or worse, your boss. So don’t post anything on the one that you wouldn’t want to turn up unannounced in the other. And real Freddi Staurs with their eyes on crime could eat up the organisation’s secrets as well – both from information you accidentally broadcast to the world on a social networking site and by using your details to conduct a social engineering attack - take a look at this next slide …