I will be speaking at MITRE’s Social Media Strategy and Implementation Workshop in the Washington, DC area on September 28th. My topic is Attacking Social Networks. The goal of the talk is to show some of the darker aspects of social networking. These will be items and attack vectors that people may not be thinking about. Believe it or not some people are still oblivious to common social network attacks If you are in the DC area stop on by.

Business social network LinkedIn announced their LinkedIn Applications today. The applications directory can be viewed here There are only several applications to chose from at the moment. I am sure that number will grow soon. LinkedIn uses Google’s OpenSocial just like other social networks such as MySpace, Orkut, hi5, etc. I only spent like 5 minutes looking at a couple of things. So, the following are only my quick thoughts and impressions.

The applications are delivered though the domain lmodules.com. This makes them easy to identify and block if that’s what you would like to do.

At first glance it appears that the vetting process for LinkedIn is higher than some of the other social networks. They appear to only want known businesses to create applications for their network at this time. This would help root out some possible malicious users. A vetting process is a good first step in thwarting that type of malicious behavior. I didn’t look at the difficulty in attaining a developer account, but I am assuming it is much more difficult than other social networks like MySpace, Facebok, etc. Now, whether this vetting process will stay this stringent will remain to be seen. These procedures may be relaxed in the future due to demand.

Just because the name has changed doesn’t mean the threats have changed. As a matter of fact there may actually be more on the table. Business networks such as LinkedIn are more likely to contain real information about people vs other non-professional social networks. Not that people don’t share enough about their real self on other social networks. This means the same threats exist for the capture of information as on other social networks.

There are still technical threats from social network applications on LinkedIn as well. These are the very same issues as other social networks that we have discussed in the past and demonstrated. Malware distribution, social engineering, attacking clients, information harvesting, click fraud are just some of these threats from social network applications. Moral of the story is be careful. Don’t install apps you don’t need, even though you may do so on your iPhone

So all in all the threats are the same with LinkedIn as any other social networks that employ applications. However, with a more stringent vetting process this should reduce the possibilities for malicious by making accounts harder to get.

Password Reset: Your passport to a fuxored account.

Password Reset Methods Vulnerable? Really? Get out of here, you mean that many password reset methods are vulnerable to attack? You have to be kidding. The fact that people think vulnerable password reset is newsworthy have got to be crazy. This is something that many of us have been talking about for years. Now Sarah Palin’s email gets attacked and it is big deal. It amazes me why we always wait to get screwed by something before we fix it.

Why does everything in the security world have to be a response to something. Ok, not the security world but the business security world. They are definitely two different entities. I am truly tired of reactive security. Just think if other professions followed this reactive model, like a cop asking for a bullet proof vest after they have already been shot. Nobody can say they didn’t see this coming either. People make more of their life known through social networks, photo sharing, and blogs than ever before. The simple password reset questions just don’t hold up.

There is a lot of unnecessary fear about data from social networks being used to steal someone’s identity. Although this is mostly FUD, social networks can be a great source for password recovery data. A while back we recovered a password (with his permission of course) from my friend Brian’s Sprint account using data from his MySpace page. This is when we were first starting our research for the social network hacking project.

Let’s take a step back from social networks for a sec, would your friends, co-workers, significant other, etc. be able to recover your password with the information they know about you? If the answer to that question is yes, then you need to change something. Passwords should be something that you know, not you and a couple of other people.

What Types of Data are on Social Networks?

The information that people put on their social network pages range from minimal to wildly over the top. Some people even go above and beyond by posting survey questions that tell a lot about their personalities. Although they want to show off the depth of their personality, all it really does is show off the shallowness of their brain.

Social networks by their default nature basically allow you to “friend” the world. The information on people’s social network page typically contains information that was previously only known to traditional friends and acquaintances. This can be a huge problem for the password reset mechanism, not to mention a person’s privacy. If it’s deep and kinda scary from a privacy standpoint then it is probably on a social network. Remember when I mentioned if your friends knew enough about you to reset your password then you are in trouble, well you just friended the world with the information from your social network profile. Beyond standard profile information there are a users actions taken on a social network site and possibly social network applications that are being used as well. All of this information can be leveraged when attacking a password reset mechanisms.

You can use an email address to look up people’s accounts on social networking sites. On the flip side, someone social network profile might directly tell you a person’s email address or you can use the search features of the social network to query owner’s of certain email addresses. There are no secrets in social networking

Email Accounts are Gold

With password resets an email account is really the jackpot. Many password reset mechanisms, including the ones from social networks, rely on sending either the password or a temporary password to the email address of the account owner. Someone who gets their email account compromised might just find that they have every other account tied to that email account compromised as well. I mean, it wouldn’t be a far stretch to figure that out once someone had access to the email account. Just think of all the crap that sites like Amazon, eBay, MySpace, Facebook, etc. send to your email account.

Typical Password Questions

Typical password recovery questions really vary in complexity from site to site. What is the problem with password recovery questions in general? Well, they are not typically made up of data that is private. Unlike a password which is supposed to be something that only you know, recovery questions may be known to many people around you.

Here are some questions from Yahoo:

• Where did you meet your spouse?
• What was the name of your first school?
• Who was your childhood hero?
• What is your favorite pastime?
• What is your favorite sports team?
• What is your father’s middle name?
• What was your hight school mascot?
• What make was your first car or bike?
• What is your pets name?

Some of these questions look like questions that social networks ask when you are filling out a profile, don’t they? If not questions they ask, certainly data that people put on their social network profiles or divulge through other means on a social network.

The Obvious

Take a glance at someone’s profile or maybe your profile on a social network. From just this page without further probing there may be an enormous amount of information. Depending on the mechanism that is being attacked, it may be all that is needed. Here is an example of some of the things that may be found just on the profile page:

• Name
• Date of Birth
• Hometown
• Current town
• Favorite movies, artists, music, people, TV, sports teams, etc
• High School
• College
• Personal description
• Personality traits
• Networks and Groups
• Relationship information
• Family information
• Employer

The list really goes on and on. Remember that many people are on multiple social networks. Checking out other social networks may fill in the blanks. It is easy to see why this information could be a problem and I don’t think it needs any further explanation.

The Not So Obvious

Some data is not so obvious and might not be directly spelled out. This may be information that has to be aggregated or inferred from the profile data, friends list, blog, group, network, etc.

• Photos and photo tags
• Comments on other profiles
• Photo data (cloths, background, other individuals, etc)
• Pets
• Children
• Siblings
• Relatives (potentially ones with your mother’s maiden name?)
• Potential usernames
• Instant messenger data
• Blogs and comments in friends’ blogs
• Favorite teachers
• Sexual preference
• Religious views
• Political views

The data is really limitless, but after all isn’t that what a nice web 2.0 application is supposed to provide? On the surface some of this data may seem silly for password resets but it is really not. This not so obvious information can be really helpful when when non-standard questions are used in the password reset process. This typically happens when people are left to their own devices when creating security questions. They typically create questions that are common and familiar to them. Stupid things like pet’s names, favorite teams, favorite TV shows, etc.

Just think for a moment about tagging. People may tag photos themselves with useful information. Also, friends may tag people in photos helping better define a person’s relationships with people and activities they are involved in. The URL of the social network may lead you to potential usernames / IM information such as www.myspace.com/(username). Maybe the data is completely visual like photo data. A lot of information can be obtained by looking at pictures. Favorite places, sports teams, cars, and countless other possibilities. You name it, people like pictures with their favorite things.

The actions people take on social networks helps better define relationships, networks, group affiliations, and activities. The person may place comments on other people’s photos, profiles, walls, blogs, etc. You may see comments like “That is why you are my BFF”. You may also see that someone is a member of a political party or religious group. People may discuss on boards or blogs about certain things happening in their life. Sharing is caring right?

So what you get in the end is a clear picture of who these people are. You get their likes, dislikes, friends, and affiliations are all in a nice clean package. You may have never even met this person but you have all of the information a traditional friend may have, possibly more.

Need a bit more?

If you almost have the nail in the coffin then you can turn to other sites to complete the task. You could look for name / username collisions on other sites to gain more data. You could take their high school and age information and find out who they went to school with. The possibilities are endless.

The User’s Choice

When people are given the option to choose their own security it has historically been bad. There is nothing that seems to suggest that allowing user’s to choose their security will get any better, so some of this may be wasted breath.

When looking at sites like Google, it seems they have slightly better security questions. Questions such as your library card number, frequent flyer number, etc. I think sites like these with better security questions probably have a high amount of people that end up just choosing their own questions when this option is available. People don’t seem to understand that this isn’t a function that you are going to use everyday. It is ok and preferable to use data that you may not be able to recall without looking up.

So What Can We Do?

The problem of personal data leakage isn’t going to stop until people realize the potential impacts of their data being strung out for the whole world to see. I personally don’t think this will change, in fact, I think with time it will get a lot worse. We live in this voyeuristic, virtual world where people create digital representations of how they see themselves. I think that has an appeal to many people, especially those who don’t particularly find their lives that exciting.

Don’t play by the rules when dealing with a sites password reset questions. Put blatantly wrong, hard to guess, or nonsensical information in to the answer blocks. This will make any information gathered on you useless when attempting to recover your password.

It seems that many sites want you to log in. You shouldn’t use the same password on every site. Use a trusted password safe such as KeePass to store your login credentials. KeePass is open source and multi-platform. Using a mechanism like this allows you to be in control of your password recovery along with allowing you to use different passwords for different sites. It would also be a good idea to back up the database of whatever password safe you choose to use as well. Just a thought

The biggest mistake someone can make is thinking that there is nobody out there that gives enough of a crap about them to attack their accounts. People do weird things. Anybody is capable of just about anything. This isn’t being paranoid, it’s being safe. Think of it as locking the door on your house when you leave, only instead of your valuables you are protecting your data.

Hello Everyone. I just wanted everyone to know that Shawn Moyer and I will be speaking at PhreakNIC 12. We are going to do the Satan is on my Friends List talk again. There were people who didn’t get to see it out in Las Vegas, and well, since BHJP is in a different part of the world we figured if people still wanted to see it we would do it again in the United States. We will have some updates so it won’t totally be the same talk we did in Vegas.

If you aren’t familiar with PhreakNIC it is a small conference in Nashville, TN. It’s loads of fun, there is great people, great conversation, and no vendor overload. I highly encourage people to go.

I find this funny, here is an article where it talks about Facebook users leveraging developer accounts they signed up for, so they can go back to the old Facebook. When you have the developer application installed it puts a link at the top of your profile page to switch back to the old Facebook. This makes sense since developers may have to maintain functionality on the old Facebook as well as the new. The funny thing is, I have had a developer account almost as long as I have had a Facebook account. I just assumed that option was on everyone’s page. It is a nice little hack, although Facebook is going to turn that option off soon.

It also seems that the users flooded the developer message boards voicing their distaste for the new Facebook. Ah… well… I hate to break it to them, but shhhh… those message boards are for the apps developers. There are Facebook staff that hang out and such, but all you are doing is irritating the person who wrote that stupid app you put on your page and don’t use. Stop! You are distracting them from doing input validation

I don’t really understand this UI rebellion. Who cares. I mean, really you can do the same stupid things you could do previously. If you don’t like it use MySpace. The more you look at Facebook the more it looks less and less like a social network anyway. The other day on TechCrunch there was an article called Facebook Isn’t A Social Network. And Stop Trying to Make New Friends There. I agree with this viewpoint. MySpace and other social networks are much more conducive to meeting new people and finding individuals with similar interests. It all depends on what you use a social network for.

I have an idea for all of the people who don’t like the new Facebook, the best way to rebel, is to quit using Facebook. That will get their attention. I know it won’t happen, but it isn’t like there aren’t alternatives. I mean, what does Facebook give you that other social networks won’t? The answer is nothing. Most people have accounts on multiple soc nets anyway. There are some 800,000 users in the I hate the new Facebook group. If they all quit using their accounts, that would have an impact. Do it or quit complaining. The choice is yours. The reason nothing changes is because they know you won’t leave.

Recently Facebook announced their Application Verification Program in an attempt to give user’s assurances that particular applications are secure. I think the intent is good but the implementation may actually cause more harm than good. Giving users an assurance that a malicious applications are secure can cause a lot of damage. People with assurances are a lot more loose with their actions where they may normally not be with no expectation of security.

Given the way many of Facebook’s applications are written it doesn’t lend itself to a proper review. The Facebook team is going to have to do reviews of submitted code that does not run on Facebook servers. This would only be a snapshot of the code at that given time. After the verification procedures are done, the developer can make whatever changes they want. They could change the verified app to a malicious app at will. I am getting so tired of security measures that don’t address the real problems. They are a waste of time. The only thing this verification program may do is stop the idiot who just learned PHP from creating the HackMe Back of social network applications. It doesn’t address the major problem that attackers are gaining access to the API and attacking social network users.

The best way to protect against malicious applications is to control the access to the API in the first place. Don’t just let anyone access the API and only need 5 friends to publish the app. Proper vetting procedures would go a long way in curbing the amount of malicious applications that get published on Facebook and other social networks. Why don’t the major social networks have vetting procedures for API access? It completely blows my mind, but that’s social network culture for ya.

Social networks are riding a thin line with security as it is. Introducing security measures that aren’t effective only cause more confusion on the part of their users. Social networks should strive to create a balance between functionality and security for everyone’s sake. Will that happen? Only time will tell. One thing is for sure though, attacks on social networks are only going to go up. The more surface you give an attacker the more options and success they are going to have.

They said they did it to prove you could turn a social network in to a botnet, you know, the same thing that we already talked about and demonstrated at both Black Hat and Defcon this year. As a matter of fact a copy of our presentation can be obtained here: Satan_Blackhat_Defcon

The title of their paper is “Antisocial Networks: Turning a Social Network into a Botnet”. The title of our HOPE presentation that we had to back out of was “Antisocial Networking: Vulnerabilities in Social Nets”. You can see this here from back in June. I am not quite sure what to think about all this, I guess it could all be coincidence. Like I said, I don’t know.

Now on Facebook the way you would have to go about turning their users in to a botnet is by creating an application. Facebook doesn’t allow linking to offsite content the way MySpace does. So if you want to use img tags, meta tags, and iframe tags you would have to use them in an application that you created.

So, my impression is Yup. Everything we talked about at Black Hat and Defcon. It’s old news, not sure why anyone is making a big deal or even writing about it.

What made these request forgeries that much worse was that fact that we inserted them on the site we were attacking. In our case we used an image tag that linked to some offsite Python code doing a redirect back to MySpace. This basically gave us almost a 100% success rate due to the fact that we knew the user was viewing the page at that particular time. We could not only do this to profiles that we own but also anywhere that allows us to link to offsite content such as profile comments, photo comments, blog postings, classifieds, and many others.

I am not sure if people realize how serious this can be to the particular social network owner. If attacks using these particular methods propagate though the social network by some automated, semi-automated, or even planned method they could potentially cause DoS conditions that would be hard for the lay person to identify and fix. Being logged out constantly would be bad but more covertly someone could get you to block communication with everyone that visits your profile. That could be hard to catch.

Offsite Content = Fail

When you allow linking to offsite content you are inviting failure. This content is beyond the control of the particular social network. As an attacker all you care about is GET that the browser is using to retrieve the content. The fact that it fails on the return is inconsequential. What we did was use what was available to us on a MySpace profile page and comments, which was the IMG tag. We used the IMG tag to get the victims browser to make a request for an image that didn’t exist. This GET request from the browser hit a redirect which then sent a crafted GET back to MySpace with whatever payload we wanted. In our case it was a friend request or a logout.

Just think if MySpace disabled linking to offsite content, suddenly millions of MySpace profiles would instantly looked much better

Same Site Content = Fail

Sometimes content on the same site can equal fail as well. If the social network allows certain HTML tags such as iframes or meta tags these can be used to construct request forgeries as well. The src attribute of the iframe tag and the meta refresh can be used to specify other locations in which to request content. These would not even have to leave the social network and be redirected. This would make it SSRF (Same Site Request Forgery) or just RF (Request Forgery). Hahah. Ok, now this is getting silly, let’s move on.

Combining Technical and Social Attacks

Think about the impacts from combining a couple of these attacks with a social attack. For instance, you may want to take over the profile of another user. Most likely, based on privacy settings, you can see the friends of a particular individual. You tag their profile with a request forgery that blocks communication to all visitors of the profile. You then create a new profile of the person you want to impersonate and send their friends new friend requests. You could state that you forgot your password and want to re-add them as friends. Combined technical and social attacks can lead to a higher degree of success depending on what the attacker’s goal is.

This blended threat is going to be much more common in the future and we are starting to see this now. Sites that use social methods to get people to download malware or take an action that an attacker wants. The reason these attacks are so successful is the implied trust of the user and their complacency. Be on the lookout for this more and more in the future, especially as defenses go up.

Fixing Your Profile

If your comments, photo pages, blog, or some other part of your profile tagged there are a couple of steps you can take to remove the content and protect yourself in the future. Since the profile content is rendered HTML it takes a few steps to remove the content. In the case of a logout, comments will be rendered and log you out prior to you being able to remove them. What you can do is use something to block the domain that is calling the logoff, which will most likely be collect.myspace.com. Once you block that domain you can go ahead and remove the content, then re-enable collect.myspace.com. If it is something such as a communication block you can go ahead and just remove the content (which ever it may be) and then use some out of social network band to contact your friends.

You should also go through your profile settings and ensure that HTML comments are turned off wherever possible. This will help give you a better handle on what content people have the ability to put on your profile. Of course, this doesn’t help you visiting other people’s pages.

If you notice shenanigans where you suspect someone is doing something malicious you should report it to the abuse contact at MySpace or at the social network you are using. That is what they are there for. The MySpace security team is working hard behind the scenes looking for items such as described here, so make sure if you notice shenanigans that you report it to them.

Oh… I am already on their watch list so don’t blame it on me because they will know it wasn’t 0_0 They are watching me 0_0

Thank you to all who showed up, we hope you enjoyed the presentation. Let us know if you have any further questions.