spylogic.net

Enterprise Open Source Intelligence Gathering – Part 3 Monitoring and Social Media Policies

Tom — Fri, 30 Oct 2009 03:36:48 +0000

This is the final article in my series on Enterprise Open Source Intelligence Gathering. This information relates to the main topics from my presentation that I am giving this week at the 7th Annual Ohio Information Security Summit. For more background information, see part one. If you missed part two (blogs, message boards and metadata) you can check that out here. This last article will be about putting together a simple monitoring program/toolkit and creating a social media policy for your company.

OSINT and Monitoring
After reading this series you are probably asking yourself…what do I do will all of these feeds and information that I have gathered? Much of the information you have found about your company may be pretty overwhelming and you might find there is a ton of noise to filter through to get to the “good stuff”. The next sections of this article will hopefully help you organize these feeds so you can begin a basic monitoring program.

What do you want to monitor?
This first thing you want to ask yourself…what do you want to monitor and what is most important? You probably have noticed that it would be difficult to monitor the entire Internet so focus on what is relevant to your company or business. Also, you want to pay particular attention to the areas of social media that your business has a presence on. For example, if your business has a Facebook page, LinkedIn group and Twitter account you should be paying special attention to these first. Why? These are the sites that you have most likely allowed certain employees to use this form of media for business purposes. Lastly, keep in mind that choosing what to monitor should be a group collaborative effort. Get your marketing and public relations people involved in the decision making process. As a bonus, it helps with making security everyone’s business.

Free tools to aggregate this information
Lets discuss briefly some tools to aggregate and monitor all the information sources you have decided as important. There are two tools that I will talk about. Yahoo! Pipes and RSS readers (specifically Google Reader).

1. Yahoo! Pipes
First, what is Yahoo! Pipes? The best description is probably found on the Yahoo! Pipes main page:

“Pipes is a powerful composition tool to aggregate, manipulate, and mashup content from around the web. Like Unix pipes, simple commands can be combined together to create output that meets your needs:

- combine many feeds into one, then sort, filter and translate it.
- geocode your favorite feeds and browse the items on an interactive map.
- grab the output of any Pipes as RSS, JSON, KML, and other formats.

The great thing about pipes is that there are already many different mashups that have already been created! If you find one that doesn’t do what you like it to…you can simply copy a pipe, modify it and use it as your own. Creating a pipe is really easy as well. Yahoo! provides good documentation on their site even with video tutorials if you are lost. Everything is done in a neat visual “drop-n-drag” GUI environment. For example, you could take some of the sites that you find a bit more difficult to monitor, configure them in a pipe and send the output to RSS. Once you have an RSS feed you can plug this into a RSS reader (like Google Reader) for monitoring. Here are a few of my favorite pipes (pre-built) that can be used for monitoring:

Social Media Firehose
Social Media Monitoring Tool
Aggregate Social Media Feeds by User & Tag
Twitter Sniffer for Brands
Facebook Group RSS Feed, improved version here

2. Google Reader or your favorite RSS reader
The second part of your monitoring toolkit is to put your Yahoo! Pipe RSS feeds and the other feeds you determined as important and put them into the RSS reader of your choice. I personally like Google Reader because it’s easy to use and manage. However, you may prefer a desktop client or some other type of reader…all up to you.

What’s easy and works best?
First, assign someone to look at the information you are monitoring. This should be someone in your information security department and someone with social media skill sets. Next, create RSS Feeds from identified sites and utilize Yahoo! Pipes to customize and filter out content if you need to. Finally, plug these feeds into your RSS reader and set up procedures for monitoring. When will you check these feeds? What happens if the monitoring person is out? Is there a backup for this person? These are just a few of the things you need to think about when putting together these pocedures. There may be many more (or less) depending on you business. Lastly, for sites you can’t monitor automatically determine manual methods and be sure to build procedures around them.

What is the company social media strategy? Do you even have one?
The first thing you need to do before you create policies or standards around what employees can or can’t do on social media/networking sites (related to your business), is to define a social media strategy. Without a strategy defined it would be nearly impossible to determine a monitoring program without knowing what areas of social media your business is going to participate in. This is a very important step and is something that your marketing/public relations/HR departments need to determine before security gets involved.

Internet postings or the “social media” policy
What if you have policies for Internet usage already in your company? If you do, have you checked to see if they include specific things like social networks? How about commenting on company news or issues on public social networks? This is an area where many of the “standard” Infosec or HR policies don’t cover or don’t mention procedures about how employees use this new world of social media. The other important part is that you need to partner with marketing/public relations/HR to collaborate on this policy. The design and creation needs to have input from all of these areas of the business, especially these groups because they are going to be the main drivers for the use of social media. Lastly, what is acceptable for employees to post? Keep in mind that employees have Internet access *everywhere* nowadays. iPhones, smartphones, Google phones…employees have these and guess what? They are most likely using them at work. How do you know that they are not commenting about company confidential business? With this new generation of devices…the line between personal and company business will continue to blur. Oh, and this is just one simple example!

Examples of good policies to reference
So where do you go from here? Create the policy! The last part of this article has examples of good policies that you can reference when creating your own policies. There is lots of good information in the following links and you can customize these for your own environment and business situation:

Cisco Internet Postings Policy
Intel Social Media Policy
4 Tips for Writing a Good Social Media Policy
10 Steps to Creating a Social Media Policy for your Company

Remember, monitoring the use of social media and creating policies around them is new and potentially uncharted territory for many organizations. Hopefully with this series (and the related presentation) will help guide you and your organization to make the right decisions on finding information about your company, creating a monitoring program and working with your business partners to create the right policies for your business.

UPDATE: You can download my slide deck now on SlideShare.

Enterprise Open Source Intelligence Gathering – Part 2 Blogs, Message Boards and Metadata

Tom — Wed, 28 Oct 2009 21:00:36 +0000

This post is part two of my three part series on Enterprise Open Source Intelligence Gathering. This information relates to the presentation that I am giving this week at the 7th Annual Ohio Information Security Summit. For more background information, see part 1. Part three will be about putting together a simple monitoring program/toolkit and creating a Internet postings (social media) policy for your company.

Part one of the series discussed ways to gather OSINT on social networks and some of the challenges this creates. Besides gathering OSINT on social networks there are many more sources of information that company information may be posted on. These include blogs, message boards and document repositories. One of the byproducts of finding documents is metadata, which I will explain in more detail below.

OSINT and Blogs
Blogs can be searched via any traditional search engine, however, the challenge with blogs are not necessarily the posts themselves but the comments. When it comes to blog posts the comments are usually where the action is, especially when it comes to your current and former employees (even customers) commenting on highly sensitive pubic relations issues that a company might be conducting damage control over. The other point to make about commenting is that employees might be posting things that be violating one of your policies and cause brand reputation problems. Examples of this are all the countless leaks of profits, downsizing, confidential information and more that the news media reports on. Wouldn’t be great to be monitoring blogs and their comments to find these things out before they go viral?

Listed below are some of the blog and comment search sites that I recommend you add to your monitoring arsenal which I will talk about creating in part three:

Social Mention http://socialmention.com (has *great* comment search and RSS for monitoring)
Google Blog Search http://blogsearch.google.com (great for creating RSS feeds and very customizable)
Blogpulse http://www.blogpulse.com/ (has comment search)
Technorati http://technorati.com/
IceRocket http://www.icerocket.com/
BackType http://www.backtype.com/ (has comment search)
coComment http://www.cocomment.com/ (has comment search)

OSINT and Message Boards
Message boards have always been a great source of OSINT. Message boards date back before blogs were popular and are still widely used today. Because there are so many message boards out there that could contain good OSINT you really need to use message board search engines unless you know about specific message boards that you know your employees use (or could). Good examples of these are job related message boards like vault.com or Yahoo/Google Finance discussion forums or groups centered around stock trading.

Here is my list of message board search engines and a few that might be more specific for a company:

Google Groups http://groups.google.com/ (always a good choice for creating RSS feeds and very customizable)
Yahoo! Groups http://groups.yahoo.com/
Big Boards http://www.big-boards.com/ (huge list!)
BoardReader http://boardreader.com/ (very good search and RSS feeds of results)
Board Tracker http://boardtracker.com/ (very good search and RSS feeds of results)

More specific:
Craigslist Forums http://www.craigslist.org/about/sites (RSS available)
Vault www.vault.com (job/employee discussions)
Google Finance http://www.google.com/finance (search for company stock symbol and check out the discussions)
XSSed http://www.xssed.com/ (XSS security vulnerabilities)
Full Disclosure Mailing List http://seclists.org/fulldisclosure/ (Security vulnerability disclosure)

Document Repositories
Something that I have seen more of recently are sites called document repositories. These sites either aggregate documents found from various sources on the Internet or people can upload their own documents and presentations for public sharing purposes. These sites are probably my favorite since you will find all sorts of interesting information! Here is my list of favorites:

Docstoc http://www.docstoc.com/
*Really good document search engine. I wish there was better RSS for it but they have an API in which Yahoo! Pipes could probably be used.

Scribd http://www.scribd.com/ (RSS feed of results)
SlideShare http://www.slideshare.net/ (RSS feed of results)
PDF Search Engine http://www.pdf-search-engine.com/
Toodoc http://www.toodoc.com/

Great! You found documents. Now what?
Once you find interesting documents be sure to check out the document metadata. What is metadata? Metadata is simply “data about data”. Metadata in documents is traditionally used for indexing files as well as finding out information about the document creator and what software was used to create the document. It goes without saying that document metadata is a treasure trove of information that could be used against your company. For example, vulnerable versions of software that can be used for client side attacks, OS versions, path disclosure, user id’s and more can all be viewed through document metadata.

There are lots of good tools to pull out metadata from documents and pictures. With some of these tools it’s even possible to write a script to automatically strip metadata from documents and pictures (start with the script Larry Pesce wrote in his SANS paper below). However, the best method for removing metadata in my opinion is to make sure it’s removed (or limited) in the first place! If you are creating a new document make sure you are removing it or not allowing the application to save some of the more revealing things like user id’s and OS/version numbers. If you want more detail on metadata and how to use some of the tools that are available check out the great paper over at the SANS InfoSec Reading Room titled “Document Metadata, the Silent Killer created by Larry Pesce. Here is a short list of tools I use (or have used) to analyze metadata:

EXIFtool http://www.sno.phy.queensu.ca/~phil/exiftool/ (my personal favorite! The swiss army knife of metadata tools)
Metagoofil http://www.edge-security.com/metagoofil.php
Maltego (built-in metadata transform) http://www.paterva.com/web4/index.php/maltego (another favorite!)
Meta-Extractor http://meta-extractor.sourceforge.net/
FOCA http://www.informatica64.com/foca/

What’s the deal with brand reputation?
One last point I want to make is about brand reputation. You may ask yourself, how does brand reputation relate to information security? Why should we care? I have found it interesting that many of us in information security have been asked to do more research on brand reputation issues because no one else in the company had those types of skill sets to monitor information. Brand reputation is vital to an organization, even more so in this economy. Think of the CIA triad…Confidentiality, Integrity and Availability. All three have aspects that reflect brand reputation. All of us in information security need to be thinking of brand reputation in our daily job.

Next up in part three
In part three I will talk about setting up a simple monitoring program with the sites and tools I have mentioned thus far. This will include how to start using Yahoo! Pipes to aggregate many of the feeds I talked about. I will also conclude with information on how to create a Internet Postings Policy or now better known as a Social Media Policy for your company and why this is more important then ever.

Enterprise Open Source Intelligence Gathering – Part 1 Social Networks

Tom — Mon, 26 Oct 2009 19:49:23 +0000

UPDATE: You can now download my slide deck from SlideShare.

Next week I will be speaking at the 7th Annual Ohio Information Security Summit on “Enterprise Open Source Intelligence Gathering”. Here is the talk abstract:

What does the Internet say about your company? Do you know what is being posted by your employees, customers, or your competition? We all know information or intelligence gathering is one of the most important phases of a penetration test. However, gathering information and intelligence about your own company is even more valuable and can help an organization proactively determine the information that may damage your brand, reputation and help mitigate leakage of confidential information.

This presentation will cover what the risks are to an organization regarding publicly available open source intelligence. How can your enterprise put an open source intelligence gathering program in place without additional resources or money. What free tools are available for gathering intelligence including how to find your company information on social networks and how metadata can expose potential vulnerabilities about your company and applications. Next, we will explore how to get information you may not want posted about your company removed and how sensitive metadata information you may not be aware of can be removed or limited. Finally, we will discuss how to build a Internet posting policy for your company and why this is more important then ever.

Leading up to my talk at the summit this series of posts will focus on several of the main topics of my presentation. I plan on referencing these posts during the presentation so attendees can find out more information about a specific topic that will be discussed. I will touch on the following main points in this series: Part 1 – Gathering intelligence on social networks, Part 2 – Gathering intelligence from blogs/message boards/document repositories, Part 3 – Putting together a simple monitoring program/toolkit and creating a Internet postings (social media) policy for your company.

This first post in the series will focus on gathering intelligence on social networks. The topic of gathering intelligence from social networks will be looked at in two ways. First, through the eyes of the penetration tester or attacker. Second, from a monitoring perspective relative to the enterprise and business.

What is OSINT?
Open Source Intelligence (OSINT) is basically finding publicly available information, analyzing it and then using this information for something. That something can be extremely valuable from the eyes of an attacker. For a fantastic overview of how OSINT is used specifically from a penetration testing perspective I suggest you check out the presentation that Chris Gates recently did at BruCON. Chris goes into detail and provides good examples on how OSINT can be used in gathering intelligence on a network infrastructure as well as how to profile company employees. All of the techniques Chris talks about should be used in a penetration testing methodology.

Why look for OSINT about your company?
I have found that OSINT is surprisingly often overlooked by most businesses from a security monitoring perspective. If a company does any monitoring of public information at all it is usually found in your public relations and/or marketing groups. These groups traditionally don’t look for things that could be used to target or profile an organization. The same information that is being viewed by your PR/Marketing department needs to be looked at by your in house information security professionals. Specifically, I suggest people in your information security department with an “attacker mindset” look at this OSINT. This could be people on an internal penetration testing team or someone involved with the security assessments in your organization. You should really ask yourself: If you don’t know what information is publicly available about your company…how can you properly defend yourself from attack?

OSINT and Social Networks
Social networks have recently become the 4th most popular method for online communication (even ahead of email) today. If you are not looking for OSINT on social networks you are potentially missing major and vital pieces of information. Having said that, searching for OSINT on social networks brings its own challenges and needs to be looked at slightly different then looking at other forms of OSINT. For example, you might find that searching for information on social networks like Facebook different because there is both private and public information. Facebook as an example has a built in search feature “behind” a valid login id and password. Searching Facebook in this manner can yield better results then just going to Google or using a specific social network search engine (I’ll talk more about Facebook below).

1. Social Network Search Engines
There are lots of different search engines that specifically look for “public” information on some of the major social networks. The disadvantage about these types of search engines is that they only pull public information that can be easily indexed. Private information like the Facebook example above cannot be indexed without violating the TOS (Terms of Service) even though there are tools like Maltego that can have transforms written to “page scrape” this information (more on that in the Maltego section below). Here is a list of social network search engines that I recommend you check out to search for this type of public information (there are more…this is just the list I use). While there are other ways to search specific social networks (like search.twitter.com or FriendFeed) the list below just mentions search engines that search multiple networks:

Wink http://wink.com/
Spock http://spock.com (has a search for “private” profile info but is a pay service…haven’t checked that feature out)
Social Mention http://socialmention.com/
WhosTalkin http://www.whostalkin.com/ (this is one of my favorites! Lots of socnets included!)
Samepoint http://www.samepoint.com/
OneRiot http://www.oneriot.com/
Kosmix http://www.kosmix.com/
YackTrack http://www.yacktrack.com
Keotag http://www.keotag.com/
Twoogle http://twoogel.com/ (Google/Twitter search combined)
KnowEm Username Check http://knowem.com/
Firefox Super Search Add-On https://addons.mozilla.org/en-US/firefox/addon/13308 (over 160 search engines built in)

Don’t forget about photo/video social networks and social bookmarking sites:

Pixsy http://www.pixsy.com/
Flickr Photo Search http://www.flickr.com/search/?s=rec&w=all&q=”comapny name”&m=text
YouTube/Google Video Search http://video.google.com/videosearch?q=”company name”
Junoba Social Bookmark Search http://www.junoba.com/ (Digg, Delicious, Reddit, etc..)

Pay Services (might be worth checking out):

Filtrbox http://www.filtrbox.com/
Vocus http://www.vocus.com/

2. Maltego
Maltego goes without saying…it’s probably the best tool to “visually” show you information found on some of the social networks and the relationships that information has connected to it. I have found that Maltego works well for Twitter, Facebook, LinkedIn and MySpace profiles (publicly available). The Twitter transforms are probably the highlight since you can dig into conversations as well. There is also a Facebook transform that was specifically written to search within the Facebook network using a real user account. However, this transform doesn’t work anymore due to recent structural changes to the way Facebook HTML was coded. Note that this transform violates Facebook TOS since it did screen scraping but when it did work it was a great way to search status and group updates not available to public search engines! If anyone wants to help get this transform working again there is a thread on the Maltego forum about it.

Lastly, if you want more information on Maltego and how to use it I suggest checking out the work Chris Gates has done in his Maltego tutorials here and here to learn more. Keep in mind. Maltego works great for finding information if you need it for a specific scope, like a pentest. Maltego even works great if you need to dig a little deeper into something you find on a social network. In terms of automating a monitoring process, I suggest using Google dorks, Yahoo Pipes!, and other techniques which we will talk about here and in future posts.

3. Google Dorks (Facebook, MySpace, LinkedIn)
While you can just simply type in your company name into Google and see what comes up…It’s way easier to use a little Google dork action to search for information on specific social networks. As I stated before, this will only pull publicly available information but you might be surprised what you find about your company just in these searches! Simply paste these into the Google search bar/window. Note: change “bank of america” to whatever you like…not picking on bofa but there is a ton of information about them on social networks!

Facebook Dorks
Group Search: site:facebook.com inurl:group (bofa | “bank of america”)
Group Wall Posts Search: site:facebook.com inurl:wall (bofa | “bank of america”)
Pages Search: site:facebook.com inurl:pages (bofa | “bank of america”)
Public Profiles: allinurl: people “John Doe” site:facebook.com

*To search personal profile status updates (unless they were made public wall posts via pages or groups) you need to be logged into Facebook and use the internal Facebook search engine. Setting your status updates privacy settings to “Everyone” is actually everyone in Facebook. Rumor has it that next year “Everyone” will mean everyone on the Internet! FTW!

MySpace Dorks
Profiles: site:myspace.com inurl:profile (bofa | “bank of america”)
Blogs: site:myspace.com inurl:blogs (bofa | “bank of america”)
Videos: site:myspace.com inurl:vids (bofa | “bank of america”)
Jobs: site:myspace.com inurl:jobs (bofa | “bank of america”)

LinkedIn Dorks
Public Profiles: site:linkedin.com inurl:pub (bofa | “bank of america”)
Updated Profiles: site:linkedin.com inurl:updates (bofa | “bank of america”)
Company Profiles: site:linkedin.com inurl:companies (bofa | “bank of america”)

While these are Google dorks from the top three social networks (Twitter actually has a really good search engine, search.twitter.com, which I don’t think needs explaining), you can easily modify these for your own use and even include more advanced search operators to include or exclude additional queries. The point of using Google dorks is to make it easier to quickly search for information on social networks without going to each site individually. Still, with most social networks if you want to find private information you either need to login as a user or use some social engineering get the information you want.

What’s next?
In part three of this series I will talk about how to use Google dorks and various search queries for monitoring purposes. Once you have the dorks you want to query, it’s trivial to plug these into Google Alerts to create RSS feeds. Take your feeds and plug them into your favorite RSS reader and you have a simple monitoring tool. More on this in part 3 including a section on aggregating this type of into and customizing it via Yahoo! Pipes which I like to think as the preferred and most customizable method for monitoring social networks.

Next up…in part 2 I will talk about how to find company information on blogs, message boards and document repositories. Oh, and sprinkle a little bit of metadata into the mix as well.

Social Zombies: Your Friends Want To Eat Your Brains Video from DEFCON Posted

Tom — Fri, 28 Aug 2009 13:00:49 +0000

The video from the talk Kevin Johnson and I did at DEFCON 17 called “Social Zombies: Your Friends Want To Eat Your Brains” is now up on Vimeo. If you missed us at DEFCON Kevin and I will be presenting an updated version at OWASP AppSec DC in November.

Old News: Twitter can be used for Botnet Command & Control

Tom — Fri, 14 Aug 2009 03:51:10 +0000

Shocking but true…today a researcher discovered that Twitter has been used for command and control of a botnet which may have been used by Brazilian hackers to steal online banking login information. Kudos to the researcher, Jose Nazario, who found this. It was an interesting read to say the least. The bot would basically look for base64 encoded commands on a Twitter account to download malware via RSS feeds with obfuscated (shortened) URL’s. Interesting…sounds a lot like Robin Wood’s tool KreiosC2 which was released at DEFCON 17. I even did this demo showing what else? Base64 encoded commands. Ironically, I showed off the first version of this code at Notacon 6 back in April of this year. Keep in mind, KreiosC2 can be used for legitimate tasks like controlling things at home remotely via Twitter. I highly recommend you read Robin’s detailed write-up on how KreiosC2 functions.

What I find fascinating (like most things in security) is that now that there has been a real confirmed case of using Twitter for botnet C2 (Command & Control) the media seems to be jumping on it and even trying to determine “why it took so long for hackers to take Twitter to the dark side”. Well, you can’t say we didn’t warn you.

The point that Robin, myself and others were trying to make way back in April was that this is a real threat and the bad guys have probably started to use Twitter for C2 even before Robin put out the code! We were hoping that by releasing the code Twitter (and others) would see this as perhaps an early warning of things to come and perhaps prepare some defense for it (yes, we know it’s hard to put a defense together for something like this). Now that we have a confirmed case used for malicious purposes we hope Twitter takes this seriously and can combat future C2 channels used for very bad things. It always takes something bad to happen to create change…where have you heard that before?

Social Zombies Slides and DEFCON Updates

Tom — Thu, 06 Aug 2009 13:00:08 +0000

Kevin and I want to thank everyone that came out to our talk at DEFCON 17 this past weekend. We had a great time giving the talk and thanks for the feedback! Even the two Facebook developers that came to our Q&A enjoyed it! Having said that, Kevin and I will never, ever get a Facebook party invite while at Black Hat and/or DEFCON. Oh well! At least @dualcoremusic got to play live!

You can download the slide deck from SlideShare that was in the DEFCON 17 CD. We plan on giving the talk a few more times in the next few months so we don’t plan to release the full version of the slide deck yet. However, we will post the video as soon as we get it. The slides on the DEFCON CD are mostly text…no cool Zombie graphics (thanks to @JaneDelay for the Photoshop work BTW) but it should give you a good overview of the talk.

Robin Wood’s fantastic tool called KreiosC2 was also released during our talk. I did a demo which is posted here and talked a lot about how the PoC code functions. If you don’t know already…KreiosC2 is a tool written in Ruby which allows IRC like command and control of systems over Twitter. Very cool! Also, check out the redesign of Robin’s website. Awesome. Make sure you follow Robin on Twitter! He is one you need to follow!

DEFCON was awesome as usual! Lot’s of people this year..perhaps an increase from last year and of course the usual hijinks. It was awesome catching up with everyone and meeting new people. I attended lots of great talks including the “DEFCON Security Jam 2: The Fails Keep on Coming“. This was one that you should see the video for…especially the presentations by @haxorthematrix and @myrcurial. Speaking of @mycurial…you really need to see the awesome yet scary presentation that @myrcurial and @TiffanyRad did on Sunday titled “Your Mind: Legal Status, Rights and Securing Yourself“. I highly recommend this talk!

The podcasters meetup was also a success! Thanks to @pauldotcom for hosting and for throwing such an awesome party this year and a shout out to the guys over at I-Hacked.com! The audio will be posted soon, probably over at the Security Justice site.

Pictures will be posted soon! Still trying to recover from Vegas!

Launching: SocialMediaSecurity.com

Tom — Wed, 29 Jul 2009 20:45:31 +0000

I wanted to get this post up before I leave for DefCon since it will be hard to have time to blog in Vegas. In a nutshell, I started a new web site called socialmediasecurity.com. This was originally a project that I started to move my social media research over to a separate web site but has since evolved into something much larger. What I have done is consolidated (with permission) research from other security researchers such as Aviv Raff, Joseph Bonneau, Kevin Johnson, Nathan Hamiel, Scott Wright, theharmonyguy and more. Each article links back to the original author. The purpose of this was to have an easy way to search on a specific topic or social network (for example: Twitter) and get the security information you are looking for. You can subscribe to post updates via RSS, Email or through Twitter.

In addition, at the top of the page are links to downloadable guides, presentations, video’s and more. All of this content is related to user education and awareness on social media security issues. This is obviously a work in progress and I plan to have more content added to this very soon. One thing I am working on that I wanted to get out before my talk at DefCon was a detailed walk-through video of the Facebook Privacy Settings (basically a walk-through of my guide). I haven’t finished the video yet and I might have to redo it since Facebook will be releasing a new interface for privacy settings in the near future. The plan is to do one for each of the major social networking sites as well as a downloadable guide like the Facebook one.

So…you can also concider this a call for volunteers! If you would like to contribute anything (guides, videos, research, tools, blog on the site) or have feedback let me know by sending me an email (tom[aT]spylogic.net). There are a few other researchers and volunteers working on some really cool stuff for the web site. Far too many ignore the security and privacy issues of social media. We welcome your participation to help make a difference!

Another Twitter Scam: Twitviewer

Tom — Tue, 28 Jul 2009 20:16:29 +0000

One of the trending topics today on Twitter was “Twitviewer” becuase of a site called Twitviewer[d0t]net which asks visitors to enter in your Twitter user id and password to find out who is “stalking” you. When you do, you get a sample of people on Twitter that are not even following you as stated in this Mashable post. The app also sends out a tweet using your credentials stating: “Want to know whos stalking you on twitter!?: hxxp://TwitViewer[d0t]net”. If you did fall victim to this you better change your password ASAP! Check out the screenshot of the site before it was taken down…yeah, phishy indeed.

Who knows what the developers of this application were planning (malicious or others). Regardless, you should never give a third party site (especially ones that look phishy like this one) your Twitter credentials. In fact, I recommend you only use third party Twitter sites that use OAuth for authenticating you to Twitter. That way you don’t have to give your credentials to the web site and worry about them being compromised. Also, look to see what the purpose of the site is before you give the jewels away…if it’s a way to see who’s following you, enter credentials to get millions of followers, etc…then it’s probably a scam or just completely useless.

Think about this. If the developer of a site like this wanted to they could easily use your captured Twitter credentials and start trying them on other social networks and/or web mail services. They can then use these credentials for anything else they wanted. Unfortunatly, most users of these sites use the same password for everything. Again, this is a reminder to use a password manager if you are one of those that use the same user id/password for everything. See this article for more information on password managers and social media web sites.

Social Zombies Invade Las Vegas!

Tom — Tue, 21 Jul 2009 14:00:28 +0000

Yes, you are reading the title of this post correctly! Massive Zombie attacks at DefCon this year…bring your shotgun (we are kidding of course, please do not bring firearms to DefCon…you will make the goons very unhappy)! Seriously though, Kevin Johnson and I will be presenting “Social Zombies: Your Friends Want to Eat Your Brains” at DefCon 17 in Las Vegas on Sunday, August 2nd at 4pm.

My part of the talk is focused on security and privacy concerns with social networks, fake accounts, using social networks for penetration testing and the proliferation of bots on social networks. I will also be talking about a new version of Robin Wood’s fantastic “Twitterbot” (we actually have a new name for the tool which will be announced at DefCon). I’ll be providing a live demo showing the new and improved features of his tool! Big shoutout to Robin for all the work he did on this tool!

The other speaker is Kevin Johnson who you may know as the project lead for BASE and SamuraiWTF (Web Testing Framework). Kevin is also a SANS instructor for Security 542 (Web App Penetration Testing and Ethical Hacking). When he isnt managing projects and teaching he’s most likely abusing “playing with” social networks. Kevin will be talking about SocialButterfly which is an application that can leverage and exploit various social network API’s. He will also talk about manipulating social networks (and thier users) with third-party applications. Remember: please accept any and all “friend requests” from Kevin Johnson!

From our talk abstract:

In Social Zombies: Your Friends want to eat Your Brains, Tom Eston and Kevin Johnson explore the various concerns related to malware delivery through social network sites. Ignoring the FUD and confusion being sowed today, this presentation will examine the risks and then present tools that can be used to exploit these issues.

This presentation begins by discussing how social networks work and the various privacy and security concerns that are caused by the trust mass that is social networks. We use this privacy confusion to exploit members and their companies during our penetration tests.

The presentation then discusses typical botnets and bot programs. Both the delivery of this malware through social networks and the use of these social networks as command and control channels will be examined.

Tom and Kevin next explore the use of browser-based bots and their delivery through custom social network applications and content. This research expands upon previous work by researchers such as Wade Alcorn and GNUCitizen and takes it into new C&C directions.

Finally, the information available through the social network APIs is explored using the bot delivery applications. This allows for complete coverage of the targets and their information.

How did this talk come together? Kevin and I had some past converations regarding social network bots (mostly from my Notacon 6 talk) and decided that much of our research was similar so it made sense to “combine forces” to work on some of this research together. Also, by working on bots and socnet bot delivery mechinisms we hope to raise awareness about some of the security and privacy threats that are out there, not just for the users of social networks. Oh, and we both like Zombies. See you at DefCon!

Spylogic.net Reloaded

Tom — Wed, 15 Jul 2009 03:27:28 +0000

You may have noticed something strange about my blog. Clean, smooth, fast, different…these are all things that describe the look and feel of the new blog (hopefully). What happened? Well for starters I was fed up with the basic features of Nucleus CMS. While Nucleus was a very stable and reliable (read: low on the blog hacking list), it’s about ten years behind in blogging technology. No built in post tagging, no WYSIWYG editor, link lists that had to be edited in php, etc…I picked Wordpress to upgrade to because it’s really the most user friendly and has some really great features and plugins. Yeah, it’s a target for vulnerabilities but I’m willing to live with that as long as I have a blog that’s easy to maintain and can help me save time when posting/editing things.

The adventure of blog migration to Wordpress
I started the transition from Nucleus CMS to Wordpress early last week…of course thinking this would be an easy migration. Ummm, no. It was pretty painful actually. You see, Wordpress doesn’t have a official migration path from Nucleus CMS. So I had to rely on the advice of others in the Wordpress community that had done the same upgrade in the past. Of course there were a bunch of different ways to do this so I basically took a few of the migration scripts that a few others have written, hacked them up even more and tested. Testing took about a week…it really sucked. I had to install version 2.1 of Wordpress to use a certain migration script that I didn’t feel like recoding to get to work with 2.8.1. Of course my categories and images were FUBAR so there was another script I had to write to fix that. BUT, the biggest issue was how Nucleus handles URL’s for blog posts. The problem was that I had lots of links out there in Google and other places pointing to blog posts. In Nucleus my post links were like this:

http://spylogic.net/item/438

Wordpress links are something like this:

http://spylogic.net/2009/07/password-length-and-complexity-for-social-media-sites/

So your probably thinking that I can just make my links in Wordpress match the Nucleus links? Nope. Wordpress renumbered all my posts out of order and writing another script to re-number 400+ posts wasn’t in my plan. So…mod_rewrite and php scripting to the rescue! I must say, I haven’t had a situation yet where I had to manipulate URL’s on a website yet but now that I did…mod_rewrite is awesome and it was a great learning experience. I won’t go into gory detail but in a nutshell I used a SQL query to map my old numbered posts from the nucleus posts table to the Wordpress style URL naming…by date so they match up. I then took that query output and put it into a php script. The php script is referenced in my .htaccess file that contains the RewriteRules. So…when someone clicks on the old style Nucleus links the script maps it to the new links. Cool. If you want to see all of the code I followed the guide that another blogger posted about his migration but made my own modifications and did a few things different then his code did…but you should get the general idea.

What changes?
So besides the blogging platform other things I decided to do was a new logo/header that @JaneDeLay created for me (she rocks!) and I decided to include more of my other publications, articles and such in separate pages. I also put a speaking page where you can find out where I’m speaking at and also a list of past talks (something a few of you have wanted to know). RSS feeds are still through FeedBurner so you don’t have to update your feeds. Lastly, I decided to move the majority of my social media security research to another site altogether. This site is focused on social media security and will have guides, videos, presentations and research from not only myself but others. I’m planning on launching the site at DEFCON 17 at my talk or right before it. It’s been difficult blogging about anything lately because of my crazy work/home/life schedule so hopefully the new site will bring some focus back into blogging and about other things besides social media. I’ll probably mention some of the content from the new site on this blog if it seems relevant.

Anyway, let me know if you have any feedback on the new site (there might be a few bugs still) and thanks for reading my blog!

Password Length and Complexity for Social Media Sites

Tom — Thu, 02 Jul 2009 22:33:55 +0000

July 1st was “Twittersec” day as coined by @hevnsnt over at I-Hacked.com to designate July 1st as change your Twitter password day. Why? Mostly because July is the “month of Twitter bugs” created by a security researcher in which he will announce a bug in a “3rd party Twitter application” everyday for the month of July to raise awareness on security issues with the Twitter API. Technically, this should be “month of 3rd party” Twitter bugs but whatever. Either way it will raise awareness about some of the security issues of Twitter and 3rd party applications.

ANYWAY, back to my point….I sent out some tweets about changing your Twitter password and now being a good time to use a password manager like Keepass to manage multiple, complex passwords for everything…not just social media sites. One problem though is that each site might have different password length and complexity requirements. This becomes an annoying issue when you choose a randomly generated password like I suggest when using a password manager. You will encounter many sites that have specific requirements and others that do not. Obviously, the longer and more complex the password is the harder it is to crack so I suggest going as long as you can. Sad that there are these limitations on certain sites (blame the site developers) but if you set your random password generator to a very large number (I recommend at least 20 with a mix of everything you can throw at it including white spaces if the site will let you), it’s as good as your going to get.

Keep in mind, some applications even supported by the site (like the Facebook app for BlackBerry and iPhone) might not like passwords over a certain length or even certain special characters…you will know once you use these apps. Also, I mention Keepass as a password manager because you can use it on a BlackBerry or Windows Mobile device as well…an iPhone version is being worked on. So here you go…max password lengths for the major social media sites:

Twitter
None. I tried a 500 character password with everything but white spaces and it worked.

Facebook
None. I tried a 1000 character password with everything but white spaces and it worked.

MySpace
10 characters! Wow…really bad. Now I know another reason MySpace sucks.

LinkedIn
16 characters! This is interesting. LinkedIn truncates the password to 16 characters! Even if you put in a password larger then 16 characters it will only use the first 16, you can actually see this when entering in a password. No user notification, no info about this in the ‘help’ section. Sneaky and evil.

YouTube
None. Your account is tied to your Google account so is kind of a pain to change…but I didn’t find any issues with length or complexity.

On another note…I wonder if Twitter and Facebook truncate the passwords at a certain length and don’t tell you? Not sure…but it would be interesting to find out. This is another bad design as a they could easily just hash the entire password (which is a certain manageable length) and the hash is stored in the database not the large character password. Does this mean that sites like MySpace and LinkedIn are storing passwords in clear text? Also, I have run into other sites (non-social network) that actually truncate the password because when you try to login with an overly complex password…you get denied! Then you enter the cycle of doom…resetting your password thinking you fat fingered that password to begin with over and over. :-/

Are social media password limitations working against you?
Finally, just a quick point on this. Social media sites like MySpace and LinkedIn should NEVER have any limitations on password length or complexity. Certain complexity restrictions (like white space or strange characters) I could understand since you would have to use these passwords on mobile devices and other integrated apps. However, there are no technical limitations of just hashing the passwords to a constant length…and we all know storing passwords in a database in clear text is never a good thing.

Shouldn’t these social media sites that you already give your personal information to be trying to protect you the user as best as they can by letting you set a long and complex password? Let’s hope MySpace and LinkedIn get better at this real soon!

Establishing your social media presence with security in mind

Tom — Mon, 01 Jun 2009 23:51:41 +0000

If you have been using social media or are curious of the security of this emerging technology you may be interesting reading my recently published article in issue 21 of (IN)SECURE Magazine. In my article I discuss why companies are starting to use social media, the benefits/risks and what information may be posted about your company on social media/networking web sites. I also talk about some cost effective tools your company can use to start your own social media monitoring program (without spending a ton of cash) and how to put in place guidelines for employees regarding the use of social media. Yes, even if you block these sites in the workplace employees are going to use social media/network sites outside of work if you like it or not…you had better get used to it and adapt your policies!

This article started from me actually seeing how much information there is about businesses within social networks. Both good and bad! The information I have found has been extremely valuable when conducting penetration tests. In fact, this information can be so valuable that you may be surprised how easy it is to use this information for social engineering or more…the possibilities are endless. As I pointed out in my article, get together with the business leaders in your marketing and/or public relations group and talk about social media and how to use it with a bit of security and privacy in mind. You might be surprised how receptive they are to the input from a security professional!

Links from my NEOISF Talk: New School Man-In-The-Middle

Tom — Wed, 20 May 2009 20:00:00 +0000

Here are the links for the tools from my talk titled “New School Man-In-The-Middle” that was given at the North East Ohio Information Security Forum (NEOISF). I will update this post with a link to the slide deck on SlideShare by the end of the week. Thanks to everyone for coming out!

Old School!
Wireshark
Ettercap
Cain

New School!
Network Miner
The Middler
SSLStrip

* Note: …both the new and old school tools provide the pentester with a ton of value! Use them all!

MITM Defense
ArpON
ArpWatch

UPDATE: Click here to view the slide deck.

Potential dangers of BlackBerry Syncing Applications

Tom — Tue, 05 May 2009 04:59:06 +0000

Do you have a BlackBerry for work and you have a corporate policy pushed down and managed by your corporate IT team? Depending on how locked down the policy is for your corporate BlackBerry deployment you may be syncing sensitive or confidential data to a public web site.

So I recently installed the Facebook Blackberry Application v1.5 on my BlackBerry and noticed two interesting settings. First, you can sync your Facebook calendar with your BlackBerry calendar. Second, you can sync your Facebook contacts with your BlackBerry contacts. As far as I can tell syncing is only one way…sort of. The Facebook application has a disclaimer when you install the application that says:

Facebook will “periodically send copies of your BlackBerry device Contacts to Facebook Inc. to match and connect with your Facebook Friends.”

So does this mean Facebook has a copy of your corporate contacts? They must somewhere to do the proper sync matching. There is another disclaimer at the bottom of the “setup wizard” that says you allow Facebook to do this interaction per the same way applications have access to your profile data in Facebook. Interesting. Again, not a nightmare situation…but if any of your business contacts are sensitive in nature I would be hesitant to enable this feature. Worse case? I couldn’t think of a worse security nightmare then of all your users automatically sending sensitive calendar entries with proprietary data to Facebook! So yeah, one way is good. For now one way sync is all the Facebook application does but I would be willing to bet that this will change in the future. Be careful with this one.

So lets step this up a bit. What about two way syncing applications like Google Sync? Google Sync will sync your Google Calendar/Contacts with your Blackberry Calendar/Contacts…both ways! This might be a real problem if you make your Google Calendar public or share it with a group of friends. Same goes for your business contacts. You may have just given Google (and possibly the world) all your business calendar entries. Well..we know Google isn’t evil, right? :-/

What can we do about this? As a user…opt out of installing any syncing apps on your corporate BlackBerry for starters. But what about blocking syncing on the device via BES policy? As far as I can tell the only way is to block the application from being installed via policy. This will become problematic when Google/Facebook releases new versions for example. Not sustainable. I’m no BES administrator but there might be other ways to prevent the application from being installed or the syncing from happening but it brings up some interesting discussion. By the way, there are some problems when you have the Facebook application and Google Sync installed at the same time. No thanks.

Something else to think about. How does your company handle BlackBerry deployments? Are they company issued and owned? Or do you allow your users to own them and the company pays for the data plan? All of this would have to be considered before blocking or preventing syncing applications (or any third-party application) from being installed. If you have any thoughts or ideas on this, comment below!

Social Network Bots Presentation and my Recap from Notacon 6

Tom — Tue, 21 Apr 2009 04:43:01 +0000

I’m back from Notacon 6 that took place in Cleveland over the weekend and finally have some time to get a post up. All I have to say is…wow. What a great con! This was my first Notacon (yeah, I live in Cleveland…sad I know) and I was totally impressed! There was a great line up of speakers, really fun events and a kick ass game room. The game room was really cool. They had everything from a fully loaded NES and Commodore 64 for your retro gaming fix as well as Rock Band and Guitar Hero. Speaking of Rock Band…myself, Chris, Jack, and Jane entered into the Rock Band competition as the “Notabots”. We won the highest score competition and walked away with over a case and a half of Bawls energy drink, a few books and a sweet retro floppy disk clock. If you know me at all…the energy drink was the best prize ever!

Just like most other smaller con’s the best part is still the great networking opportunities. One talk that was really outstanding was the talk by James “Myrcurial” Arlen titled “From a Black Hat to a Black Suit – The Econopocalypse Now Edition”. His talk is honestly one that anyone wanting to advance their career in Information Security should see. One thing I took away from his talk was that those of us in Information Security should never forget to mentor others, especially those in an entry level position. Remember, we were all the new guy just getting our feet wet at some point…having a mentor is invaluable to the learning process especially in the beginning of your career. In addition, James is a great guy and is someone who has pretty much “seen it all” when it comes to the corporate world.

Rise of the Autobots: Into the Underground of Social Network Bots Presentation Materials
My presentation went great! Thanks to everyone that came out to see it and for all the feedback. I was stoked that we were able to release some really cool code thanks to Robin Wood and announce a new open source project. You can download the Twitterbot POC code here from Robin’s website. I posted the slides from my presentation on Slideshare and the video should be up with the rest of the Notacon presentations soon. This won’t be the end of this research. I am hoping to put together a white paper on this subject using the research I have done thus far. The Notabot code I mentioned is available on the socialnetworkbots.com project site which I will talk about more below.

UPDATE: The video from my Notacon talk is available now to view on Vimeo.

Details on the Social Network Bots Open Source Project
I created a SourceForge project for all the development for the bot army I am looking to create (joke). Basically I’m looking for others interested in developing bots for social networks to join up on the team and contribute code to the project. I have already talked to some of you at Notacon and there looks like a few of you would like to work on N0tab0t version 1.1 which might be…well interesting to say the least! You can check out the project on socialnetworkbots.com. We are looking for any kind of social network bot…not just Twitter bots. If you want to join in, post something on the project forum or send me an email.

Stay tuned. Lots of more social media security research goodness coming soon! Thanks for sticking around for the ride!

Speaking at Notacon 6 this week!

Tom — Wed, 15 Apr 2009 02:50:41 +0000

It’s time to gear up for Notacon 6 which starts for me on Thursday night at 7pm. I will be at the preview night giving a short overview of my presentation on Saturday “Rise of the Autobots: Into the Underground of Social Network Bots”. I have been busy tuning and making some last minute updates to the presentation. Some of these last minute updates include some code that myself and a few others have been working on as well as the announcement of a new open source project. What would a con be without a release of some code right? This is exciting stuff that I’m looking forward to talking about in my presentation. It all goes down at 5pm in the East Ballroom on Saturday.

Shortly after my talk on Saturday I will have my presentation posted as well as links to the code being released and links to the new project I will be talking about. Stay tuned to this blog for those details over the weekend.

At Notacon I will also be participating in Notacon Radio with the other co-hosts of the Security Justice podcast. Follow Security Justice on Twitter for details on when we will be live. We should be doing some interviews with some of the speakers as well. If you are at the con, stop by and say Hi!

Some other events at Notacon…there is a Security Twits meetup taking place on Thursday organized by @geekgrrl. If you plan on going you need to RSVP via DM to her like yesterday…I’ll be there as well as a few others from Twitter.

I also posted a list of recommended Notacon speakers and events on the Security Justice web site you can check out here so I won’t regurgitate the speakers that I will be going to see. Anyway, I should be live tweeting as I usually do at conferences so be sure to follow me for Notacon updates.

Lastly…this has been a crazy 2-3 months for me. Lots of changes going on with things I have been involved with and projects I have been working on. With all of this activity it has left little time for the blog but I will be getting back into regular posting once things slow down a little so thanks for sticking around. I am still amazed that this whole social media/networking security research has really taken off for me. I must have found a niche! I still have a focus on pentesting (mostly for my job) but it’s cool to see how other interests evolve and morph into greater things. Such is life right?

Social Network Bots at Notacon 6!

Tom — Mon, 16 Mar 2009 19:13:56 +0000

What have I been doing lately? Why the lack of posts? Well…I have been preparing for my talk at Notacon 6 called Rise of the Autobots: Into the Underground of Social Network Bots. Who are these bots and what are they here for? From my abstract:

How do you know that last friend request or Twitter follower was an actual live human being? The truth is…you don’t! Bot’s and bot manufactures have become rampant in social networks such as MySpace, Facebook and Twitter exploiting the trust relationships that make social media work. Why are bots taking control of social networks? It’s simple. Social networks are the fastest growing phenomenon of our time. For example, Facebook alone recently reached 150 million potential targets for spammers, malware authors, and other undesirables in 2008. Social networks are only getting bigger and bots will be part of this trend.

This presentation will take you on a journey into the thriving bot underground where bots are manufactured for every purpose imaginable. We will talk about good bots, bad bots, *really* evil bots, how to identify bots, terminating bots and the future possibility of social network botnets to rule them all.

This talk is the result of many months of research that I have been doing on this subject. Here are three things from my research as a teaser for my talk:

1. You will find it fascinating that bots are a huge part of social networks. Bots are not only used by the bad guys but legitimate users as well.

2. There will be discussion on why spammers are targeting social networks and how most of this bot activity falls under the guise of “Blackhat SEO“. I have been finding that there is a thin line between what constitutes “Blackhat” vs. “Whitehat” and that line will continue to blur. You will be amazed (as I was) with the business and money making model(s) that spammers and malware authors use. There is a ton of money being made from using these techniques and tools! Want an idea how much? Check out Jeremiah Grossman’s recent presentation on Blackhat SEO…you might want to quit your day job.

3. How do you use bots to create accounts? What are the most popular tools available? How about just buying hacked/bot created accounts in bulk then use these tools to SPAM friends lists? Also, as a tie in to the tools that are used we will talk about why CAPTCHA’s and other controls are not working. Finally, don’t forget about the new frontier of botnets and social networks…this is an untapped area thats only going to get more interesting.

So, if you are coming to Notacon 6 (April 16th-19th) hopefully you can stop by. I promise, my talk will be entertaining! Stay tuned to this blog…after the talk I plan on releasing detailed articles on some of the specific topics from the talk.

Want to learn more about Social Engineering?

Tom — Thu, 26 Feb 2009 01:48:12 +0000

Of course you do!

If you don’t know who Chris Nickerson is…then you should. Chris is the founder of Lares Consulting, was on the Tiger Team TV show and also a frequent speaker at security conferences who talks about tiger team/red team operations. He also talks about how social engineering is more important then ever to include in your penetration testing program. I couldn’t agree more! In fact, he’s giving a free webcast with Mike Murray on March 10th called “Modern Social Engineering – A Vital Component of Pen Testing”.

Via the Carnal0wnage Blog:

“The world of Information Security is changing. Budgets are tighter, attacks are more sophisticated, and the corporate network is no longer the low hanging fruit. That leaves web-enabled applications as the vector-du-jour, but that well is quickly drying up for organized crime as well. As they creep up the OSI Model looking for easier ways to steal your corporate assets, they are quickly making their way up the stack to the unspoken 8th layer, the end user. So what is the next step in the never-ending escalation of this cyber war?

To find out, we must do as Sun Tzu taught. “Think like our enemy!” That is, after all, the primary tenet of penetration testing AKA ethical hacking, isn’t it? After years of hardening physical systems, networks, OSs, and applications, we have now come full circle to a new dawn of attack. People are now the target of the advanced hacker, and the cross-hairs are focused squarely on their foreheads… literally. It is only a matter of time before corporations feel the pain of wetware hacking requiring a new approach to testing and defense. “

You can sign-up for the webcast here. Also, Chris and Mike are doing a “Social Engineering Master Class” at ChicagoCon this year which looks awesome! Looks like there are only 25 seats so check it out if you can. Interestingly enough Chris has just started blogging so be sure to check out his blog. If that wasn’t enough…we (Security Justice) recorded a special edition podcast with Chris in which he talks about his adventures on the Tiger Team TV show.

Using 25 random things against you

Tom — Thu, 12 Feb 2009 04:08:38 +0000

I have been seeing a bunch of friends on social networks filling out these “25 Random Things About Me” surveys. I just saw another one going around called “44 Odd Things About You” as well. I remember this similar type of activity passed along in email several years ago but now it’s made its way to social networks such as Facebook and MySpace. Here is what the request looks like once you have been “tagged” by one of your friends:

RULES: Once you’ve been tagged, you are supposed to write a note with 25 random things, facts, habits, or goals about you. At the end, choose 25 people to be tagged. You have to tag the person who tagged you. If I tagged you, it’s because I want to know more about you.

This sounds fun and a good way to network with your friends, however, let me tell you why putting in this information might be a bad idea.

What’s the big deal? This is fun…right?
One of the basic rules everyone should be following when using social networks is that you should consider everything you post as public information. For example, would you write down these 25 random things about you, stick your name on it, make copies and put them in the mailboxes of complete strangers in your neighborhood? Are all of the people you are friends with truly your friends? Will they always be your friends? How is your profile configured? Have you looked at your “Notes” application settings in Facebook? More importantly, do you allow your profile to be searched by search engines? If you posted these 25 random things to your profile and/or wall, you may have inadvertently allowed these things to be found by total strangers. Remember, personal information on social networks always seems to get out even if you do use the correct privacy settings…sometimes through no fault of your own.

Can I haz your password plz?
With these 25 random things about you someone may even be able to use your answers to gain access to your email, other social networks, bank accounts, etc…why? Check out this list of questions that are asked when requesting a “lost password” or “password reset”. Many of these are from online banking and other sensitive web sites and looks similar to…25 random things about you.

Think this doesn’t happen? This type of attack did happen to Vice Presidential candidate Sarah Palin last year. A hacker was able to reset her Yahoo email account password using information he found on her publicly accessible Wikipedia page. Here is a quote from the Sarah Palin hacker:

“…after the password recovery was re enabled, it took seriously 45 mins on wikipedia and google to find the info, Birthday? 15 seconds on wikipedia, zip code? well she had always been from wasilla, and it only has 2 zip codes (thanks online postal service!)

the second was somewhat harder, the question was where did you meet your spouse? did some research, and apparently she had eloped with mister palin after college, if you look on some of the screenshots that I took…so graciously put on photobucket you will see the google search for palin eloped or some such in one of the tabs.

I found out later though more research that they met at high school, so I did variations of that, high, high school, eventually hit on Wasilla high I promptly changed the password to popcorn and took a cold shower”

This could happen to anyone! So by knowing some of your 25 random things, someone may be able to reset your passwords, impersonate you or even cyberstalk you. My advise? Don’t fill these things out or leave these surveys very general and not too detailed. Email might even be a safer place for this type of information…. Stop and think before you post overly detailed information about your life on social networks..it can all potentially be used against you.

What to attend at ShmooCon 2009

Tom — Fri, 06 Feb 2009 01:01:49 +0000

I’m here in DC getting ready for ShmooCon which starts tomorrow. I had some time to blog before things get crazy later tonight when everyone starts to arrive for the con.

UPDATE: Ummm…someone *may* have hacked the Windows kiosks at the hotel…saw Ubuntu loading on one and Howard the Duck playing on another…probably shouldn’t use those kiosks, huh?

Anyway, I thought I would share some first impressions of the talks and what I will probably attend. Keep in mind, there are lots of great talks going on all weekend and it will be really hard to make all the ones I want to see but here is my short list of not to miss talks:

Friday, February 6th

Open Vulture – Scavenging the Friendly Skies Open Source UAV Platform
Ethan O’Toole and Matt Davis

An open source UAV? How friggin’ sweet is that? Now you too can spy on your own neighborhood…

Building the 2008 and 2009 ShmooBall Launchers
Larry Pesce and David Lauer

Of course I will be in this one! Dave from Security Justice and Larry from PaulDotCom will be talking all about the new ShmooBall launchers for this year. Dave and Larry never disappoint and I assume there will be some surprises as well.

Decoding the SmartKey
Shane Lawson

I love physical security just about as much as information security so this one should be interesting. Shane will talk about how to decode the Kwikset SmartKey with materials costing under $5.

Podcasters Meetup/HacDC party

I will be there along with Matt and Dave from Security Justice. Looks like we are going to do a live show at 8pm, give away some prizes, start FireTalks then party with the folks from HacDC. Check out the podcasters meetup site for more details on times and official schedule.

Saturday, February 7th

Radio Reconnaissance in Penetration Testing – All Your RF Are Belong to Us
Matt Neely

My friend and fellow co-host of the Security Justice podcast, Matt Neely is doing a talk on ways to use radio reconnaissance in pentests. Matt does a ton of research with wireless so it should be really interesting to see what new techniques he has come up with. I hear that Shmoo Balls may be launched during this talk….

Fail 2.0: Further Musings on Attacking Social Networks
Nathan Hamiel and Shawn Moyer

I was at BlackHat last year and saw Nathan and Shawn’s talk titled “Satan is on my friends list”. These guys do great research on social network security and I am looking forward to see the new stuff they came up with for this year. As a bonus, they should have AFF (Adult Friend Finder) pr0n and related adventures.

Man in the Middling Everything with The Middler
Jay Beale

Jay Beale is speaking once again about the Middler! You may remember the Middler was to be released at Defcon last year…that didn’t happen for a bunch of reasons. However, I think Jay will finally be ready to release it! Jay is a great presenter to boot..highly recommended you attend this one. Another talk to beware of Shmoo Ball cannon fire…

802.11 ObgYn or “Spread Your Spectrum“
Rick Farina

All Your Packets are Belong To Us: Attacking Backbone Technologies
Enno Rey and Daniel Mende

The Fast-Track Suite: Advanced Penetration Techniques Made Easy
David Kennedy

You may remember Dave from one of the first Security Justice Special Editions last year. Dave will be going in depth with the Fast-Track suite which is part of Backtrack 3. Knowing Dave, I’m sure he will be talking about and/or demoing new features in Backtrack 4. Shmoo Ball cannon may make an appearance…

Sunday, February 8th

Enough with the Insanity: Dictionary Based Rainbow Tables
Matt Weir

Yes! Improvements to rainbow tables…can’t wait!

RFID Unplugged
3ric Johanson

Looks like RFID is going to torn apart in this one…good stuff! Interested in the PayPass vulnerabilities he is going to talk about.

0wn the Con
The Shmoo Group

What to know what it takes to put ShmooCon together? Be sure to check out this talk and learn how it’s all done.

If you are around the con send me a tweet on Twitter or stop by the Podcasters Meetup if you want to chat! Hoping I can blog and/or live Tweet from some of the talks.

Twitter for Information Gathering

Tom — Sun, 25 Jan 2009 12:00:00 +0000

If you are interested in using Twitter for information gathering/mining about potential targets for a penetration test or for “other” research…I highly recommend the very comprehensive article that Lenny Zeltser from SANS put together. Twitter is really becoming a great tool for not just marketing yourself or your business but also to find out detailed information about a company, individual or organization.

One thing I would add to Lenny’s article is that social media in general is the new “hotness” when it comes to information gathering and reconnaissance. If you are a penetration tester you really need to start leveraging all the information contained in social networks! Better yet, use Maltego which can help search multiple social networks and visually show you this data. You can even hit up the Twitter API with local transforms in the new version of Maltego…yummy!

Twitter photo via Jenny Hayden.

Who’s managing information security in your city?

Tom — Fri, 23 Jan 2009 04:07:04 +0000

There was something shocking in my local suburban newspaper today. I opened up to page two and behold…an article that touched on information security! Specifically, the article was about how a small municipal court system in my area had a PC that was infected by an email “virus”. This virus caused a “hard drive to shut down”. Shut down I would assume means the MBR was corrupted or the PC was so bogged down with malware that it had to be rebuilt. Don’t worry, it gets better. The reporter goes on to say that an employee opened an email that had something to do with Nigeria and winning money. Hmmm…Sinowal Trojan perhaps? Regardless, the reporter goes into details from the interview he did with the city “IT manager”. Here are some quotes from the article:

“The court computer system has a small firewall, he said, but the anti-virus on the computer was either non-existent or never upgraded.”

“The IT manager has been trying to bring the city computer systems up to speed. There hasn’t been a system-wide upgrade in years.”

“The employee opened the email because there’s no formal training.”

“One of his goals is to work out a way he can send out software updates, especially anti-virus, to all city computers at night when they aren’t in use.”

I like this one the best…

“The main issue is spending the money for software, licenses and equipment. It’s pretty down-to-earth-basic, he said. “You’ve got to start throwing money around to get it to work.”

Huh? Throw money at the problem…classic. Multiple levels of FAIL right? Oh, if you haven’t figured it out yet…read those quotes again. What would a hacker think about after reading this newspaper article? This court/city computer system is a target rich environment to say the least!

While we could talk all day about how the city could implement a better more cost effective solution to the issues, there are two main problems that I see:

Be careful what you say to the media after an incident
The IT manager gave out way too much information to the media about the problems the city is facing with IT security issues. Just by reading this article someone with bad intentions and a bit of technical skill now knows that the city employs non security aware people and the entire network probably hasn’t been patched in years. This would be even more scary if police and fire computer systems were on the same network! However, the article did point out that police and fire systems are on a separate network. Yet, things don’t look good for the police and fire networks if this same IT manager is running those as well! :-/ Local city government should carefully review all media requests for information about an incident.

Local cities, municipal court systems, fire and police networks are left for dead
This doesn’t surprise me but just like a lot of small businesses, small city governments or suburbs don’t spend the money or have the staff to keep systems patched or up-to-date. Especially in a recession! Your IT guy or contracted support is an easy thing to cut for a city. I would think that most city networks are in worse shape then some home PC networks because of outdated equipment, knowledge and lack of funds. Case in point, I wrote about a potentially dangerous vulnerability that was found on another local city network last year. Luckily this city took the vulnerability seriously, resolved the issue and hopefully improved their security.

Imagine the problems that could happen if police, fire and court systems were breached or compromised. Critical infrastructure like police and fire networks are at serious risk with unsecured systems that are not maintained. As a citizen that lives and works in these cities you should question your local city government about how they maintain and manage their networks. I have an email en route to the mayor of this city that will hopefully help them with some ideas and suggestions to get them back on track. However, I think we may only be scratching the surface of the problem. Lets hope your city takes computer and network security more seriously.

Social Media Security on the Streetwise Security Zone Podcast

Tom — Mon, 12 Jan 2009 21:00:00 +0000

Late last week I was a guest on the Streetwise Security Zone Podcast talking about my Facebook Privacy & Security guide, social media security as well as some other interesting security topics.

I highly recommend you check out some of the great things that Scott Wright has put together. He has built a security community focused on security awareness for businesses and you may also know Scott as the creator of the Honey Stick Project. Good stuff to check out! I look forward to working with Scott more in the future.

You can check out the Streetwise Security Zone web site and podcast for more information. Definitely another security podcast to add to your play list!

Maltego 2.0.2 Released with Local Transforms!

Tom — Fri, 09 Jan 2009 16:19:58 +0000

Just a quick blog post about the latest release of Maltego that was just announced. This is great! You can now create custom transforms that will integrate directly with Maltego! This is something that many of us have requested and it’s finally here. From first glance it looks like you can code them in any language as well. Should be interesting to see what the community comes up with in regards to transforms now. I know I have some ideas….

Oh and if that wasn’t enough the pentest entities are now also available locally!

Great work Maltego team! Check out the full announcement here.

What is Maltego if you don’t know about it?
“Maltego is a unique platform developed to deliver a clear threat picture to the environment that an organization owns and operates. Maltego’s unique advantage is to demonstrate the complexity and severity of single points of failure as well as trust relationships that exist currently within the scope of your infrastructure.

The unique perspective that Maltego offers to both network and resource based entities is the aggregation of information posted all over the internet – whether it’s the current configuration of a router poised on the edge of your network or the current whereabouts of your Vice President on his international visits, Maltego can locate, aggregate and visualize this information.”

Summary of the Twitter Security Incidents

Tom — Thu, 08 Jan 2009 05:56:05 +0000

I won’t beat a dead horse…we all know that Twitter had a few *security issues* this week. The good news is that usually once something like this happens to a company (especially one that gets so much media attention) things start to change and security gets taken a bit more seriously. Lets remember that Twitter suffers from the traditional security problem of not building an application with security in mind, however, lets hope these issues bring change to one of the most used social media services.

Below is the break down of events with some of my own comments and links to good articles that detail out everything that happened.

#1 Twitter Phishing Attack
I wrote a blog post about this a few days ago. Basically, this is no different then what you see in any other traditional phishing attack except that this is the first time Twitter was targeted on a large scale. Some have even said this was a “worm” because of the way that the phish propagated.

Once a user clicked on the bogus link, entered in their Twitter credentials…their Twitter account was compromised and automatically used to send DM’s (direct messages) to others the compromised user was following. Twitter quickly reacted and worked with blogspot and others to shut down the redirect. However, the web site that hosts the fake Twitter sign-on page is still active and is even being used to phish Facebook users! Why is this not shutdown? Long story but the site is hosted in China and that presents a whole host of issues to get the site taken down. The good news is that if you try to go to the URL in Firefox or Safari the phishing filter kicks in and stops you from going there. I haven’t tested IE 7…and neither should you.

On a side note, I agree that OAuth (or something like FriendFeed’s Remote Key) should be implemented as part of an overall security strategy for Twitter but would not prevent traditional phishing attempts like this from happening (some others share this opinion as well). OAuth is good for authenticating third-party applications (like Twillow or Twitterfeed) that require your Twitter credentials to access your account and do things on your behalf. Lot’s of discussion going on the blogs about this and I’m sure it will continue.

Links that have good information about the Twitter phish: Twitter’s Blog, Naivete: Web 2.0’s biggest security threat and an article over at Twitter Truth

#2 Twitter gets Hacked
This was not related to the phishing incident. Pure weird coincidence that this happened right after users started to figure out what happened with the phishing issue. Ironically, many of us on Twitter (including myself) thought that this was related to phishing after we saw @foxnews get owned but once Britney Spears, Obama and others started showing up with strange tweets many of us knew there was something else going on.

Basically, an 18 year old who wanted to “pen-test Twitter” decided to build a Twitter brute force application that would try common dictionary words against at specific Twitter account. One problem with the current Twitter security model is that there is no lockout policy, meaning, you can try as many failed passwords as you like until you get lucky with the correct password. This guy found one of the accounts used by the Twitter support people (Crystal) and brute forced the password using his tool. Password of “happiness” was found and he was in! There was a password reset feature in the administrative panel that allowed him to reset the password and change the email address of any Twitter account. He didn’t use the accounts himself, rather…he posted that he had access to 33 accounts and gave access to others in a hacker forum that requested the accounts. You can read more about this in the Wired article below as well as see the YouTube video that the hacker put up to prove he did the hack.

Weak Password Brings ‘Happiness’ to Twitter Hacker

How does Twitter get fixed?
Security is always about compromise and with Twitter in particular there has to be a balance between usability and secure features. I was a guest on the SecuraByte podcast the other night talking about the recent Twitter security issues as well as how to secure social media in general. We came to the conclusion that there is no good answer. However, we all agreed that there has to be a mix between technical and non-technical solutions. The technical being better forms of authentication and basic web application security controls (account lockout, email verification..as examples) for starters. On the non-technical side there has to be more basic security education (setting unique hard to guess passwords as an example) focused on the users of social media through lots of different means. There is no good answer to these problems and there are many different opinions but hopefully we can all come to some common ground so we can all make social media more secure for everyone.

Here are a few good links with things that Twitter should consider when re-evaluating the current model:

Ten Security Measures for Social Networking sites – ThreatChaos
Twitter and the Password Anti-Pattern – FactoryCity
The inevitable rise (and fall?) of “twishing” – Jennifer Leggio ZDnet (guest post by Damon Cortesi)

I think we can all agree that Twitter needs to do something soon as the current security model is not sustainable for very much longer.

What are your thoughts on the recent Twitter security issues and social media security in general? How do you think we can we make social media more secure?

First Twitter Phishing Attack of 2009

Tom — Sun, 04 Jan 2009 02:02:12 +0000

Welcome to 2009! As many have said…it was just a matter of time before Twitter had a somewhat significant attack…well, here it is! I just had a post up last week about how many of us that use social media just blatantly trust every site that asks us for Twitter credentials. Well if you don’t look at the URL carefully even the security aware could be fooled by this one. Tonight there was a lot of tweets about the following phishing attack….

You will get a DM (direct message) in your email from a user with the following message:

hey! check out this funny blog about you…
hxxp://jannawalitax.blogspot.com

If you click on blogspot link this is basically a redirect to the following fake Twitter site:

Looks just like an identical copy of the real Twitter site except for the URL! (don’t go to this URL…)

About an hour after this started going around Twitter it looked like Firefox 3 picked up that this was a reported phishing site and you now get the following message:

Looks like Twitter and others moved quickly to get the redirect shut down. If ignore the Firefox warning to the blogspot page you get this:

However, the phishing site is still active and will probably be for awhile. Do not enter in any login credentials at any site other then twitter.com. The fake site in this case is twitter.access-logins.com/login. Note that if you take off the “login” at the end of the URL you are sent to a fake Facebook login page! Looks like these guys have been doing this for quite some time.

One interesting note about this attack…how does someone send you a DM without you following them? There was an interesting hack that is documented here that used to work, however…Twitter fixed this a few months ago. My only guess is that multiple hacked accounts were used to send legitimate DM’s. I’m not 100% sure how DM’s are being propagated in this case but it should be interesting to find out how the attack started in the coming days.

Kudos to the Twitter team and all the Twitter users that retweeted and got to word out. This alone hopefully mitigated much of the threat. I even saw in the Twitter web client that @twitter posted a warning message on the page about the threat. Great work Twitter team!

What if you gave your credentials away to this site?
Change your password immediately! Also, do you use this same password for Facebook, Myspace, email and other sites? Change those as well! Give a password manager like 1password or KeePass (KeePass is free BTW) a try to set unique passwords for every site/application you use. That way if your Twitter account did get compromised, your other accounts are safe. See this post for more information.

What’s behind that short URL?

Tom — Mon, 29 Dec 2008 15:05:24 +0000

There was a good post over at ThreatChaos the other day about a new Firefox extension which will automatically show you the real URL’s of shortened URL’s. What is URL shortening? For example…this long URL:

http://www.google.com/maps?f=q&hl=en&geocode=&q=washington+dc&sll=37.0625,-95.677068&sspn=33.764224,56.25&ie=UTF8&ll=38.905996,-77.023773&spn=0.25915,0.439453&z=11&g=washington+dc&iwloc=addr

becomes…

http://tinyurl.com/9lum95

By using a service like Tinyurl or one of the many other sites available you can easily shorten a URL so your friends don’t freak when you send them long links. When it comes to Twitter it becomes almost mandatory that you shorten that long URL to meet the 140 character limit in your tweets.

What’s the problem?
Getting people to click on a malicious link just got easier with these services. Sure, people will still click on strange URL’s without a mask (even manually typing in strange URL’s as I showed in this post), however, by masking *any* URL with these services a phishing or malware attack can be even more successful.

Also, how can you *easily* see what the real site is behind one of these short URL’s? TinyURL and others offer you a service to “preview” URL’s but many sites don’t offer this and who is actually going to attempt to manually verify what is behind those links? That’s way too much work.

Another problem is that some of these short URL services allow you to obfuscate an already short URL with another short URL. Take for example Xrl.in. The TinyURL above (http://tinyurl.com/9lum95) becomes http://xrl.in/1b0i. This throws off the preview feature of many sites like this. This problem could add multiple redirects and levels of obfuscation to malicious links. All it takes is the right combination of short URL sites.

Right before I was about to post this I saw a post by Jennifer Leggio over at ZDNet regarding the URL redirection issue. She mentions that FriendFeed has implemented a feature that reveals short URL’s if you hover your mouse over the links. This is great…for FriendFeed, what about other more popular social media sites? Check out her article for a good overview of the issue and some interesting information about what other social media sites are doing and not doing about this problem.

The “Long URL Please” Solution
While not 100% perfect this a great start and it looks like the developer is working on improving the Firefox extension and API. You can even use it with other web browsers besides Firefox with a bookmarklet available on his site. Simply click on the bookmarklet and it will transform all the short URL’s on the web page currently loaded.

The Long URL Please Firefox extension will automatically show you the true URL of 30 supported short URL site’s. No hovering over a link or clicking to a site to preview it. It just shows you the link…no extra work on your part. This works great for the Twitter web client as well as any web page that has a link from one of the 30 supported services. One problem I saw was that short URL sites like xrl.in and others will keep popping up (I listed a site above that links 70 of these services). It’s going to take some work from the developer side to keep up with all of these new services. In addition, this doesn’t help with Twitter applications like ones that are Adobe Air based or developed using another type of framework. However, it looks like the developer is working on it and he is trying to get other applications to integrate to his API. Either way, check out this great extension and follow the developer on Twitter to get news on improvements. I look forward to see how this type of extension will evolve.

Short URL’s won’t be going anywhere soon…lets hope social media applications and end users start using them with a little bit security in mind.

What solutions do you think could solve the short URL problem?

JanusPA – Hardware Privacy Adapter

Tom — Tue, 23 Dec 2008 15:45:25 +0000

This is really cool. The guys that brought you the JanusVM Internet Privacy Appliance are about to release instructions on how to make a hardware privacy adapter. What is a hardware privacy adapter you ask?

Via Hack a day:

“It’s a small two port router. You just plug it in-line between your computer’s switch and your internet connection. It will then anonymize all of your traffic via the Tor network. You can also use it with OpenVPN. The hardware appears to be a Gumstix computer mounted to a daughtercard with two ethernet ports. It will have a web configuration just like a standard router. This looks like a great plug-n-play privacy device.”

Once you buy all the parts you can build your own for about $250. Not too bad for an easy way to anonymize all of your traffic over the Tor network or a VPN. Tor and Privoxy can sometimes be a real pain to configure so something like this would be fantastic to just plug in and configure once. It’s also nice that is can use OpenVPN as well.

My only issue with Tor is that it can be *really* slow for web surfing depending on what relays you connect to and there are some warnings you should be aware of. Also, your Tor installation needs to be updated frequently as the development team is always making updates and improvements. However, Tor is better then nothing if you are concerned with online anonymity.

Kudos to the JanusPA team…looks like I might have a hardware project to work on next year once the instructions get released.

Who are you giving your Twitter account to?

Tom — Tue, 16 Dec 2008 05:00:00 +0000

It’s always interesting to me when I check out a new Twitter application, it always seems to ask you to “verify” your account or ask you to pass your Twitter user name/password to their application. This of course is done without any protections or any way of knowing what happens to your account information on the other end.

Take for example a recent find called Twellow which is basically a big directory of Twitter users (like the yellow pages). Twellow has some neat features like searching for other Twitter users by keywords and interests. Twellow like many of these types of Twitter applications work by scraping public timelines to populate their site with your information. Twellow asks you to “claim” your profile by putting in your Twitter password. This is where it gets interesting…

To the unsuspecting user it’s tempting to just give your credentials away to every website that asks for it. Twellow is a good looking, legitimate website right? Did you stop to think what could happen to your login credentials? Can you really trust that they don’t record your credentials? The disclaimer says they don’t use your password for anything…you trust everyone right?

What’s your Twitterank?
If you are a heavy Twitter user you may remember the Twitterank fiasco about a month ago. Like many people on Twitter just hearing of a website that will calculate your “rank” on Twitter sounded like a cool idea. No harm in this right? Rumors quickly spread on Twitter and in the blogosphere that Twitterank was a phishing site and that the developer was harvesting Twitter accounts. It ended up that this was most likely a legitimate application…BUT…why do you trust it? Why as social media users do we blatantly trust every Twitter or social media developer out there? No offense to the developer of Twitterank but there are way too many of these sites out there that ask for your account information. A real Twitter phishing site is easy to do using these same tactics. All you need is a legitimate looking website that preys on human weakness…we all want more followers and more rankage, right? For example, if you want to see a spoof Twitter phishing site, check out Twitter Phisher done by the fine folks over at Hak5 (be sure to view source in your browser for some extra lolz).

What’s the fix?
First, social media users need more education. Seriously, don’t just give your credentials away to anyone that asks for it (this actually applies to everything in life). Is your Twitter ranking really that important?

If you did give your credentials away, hopefully you used a different and unique password for that particular account. That way, if your account did get compromised then only one account is compromised, not your entire portfolio of accounts. How do you manage multiple passwords? Give a password manager like 1password or KeePass a try to create and manage unique passwords for each of your social media accounts.

Secondly, social media websites like Twitter need to use better forms of authentication. How about something similar to what FriendFeed is doing by issuing users a “remote key” for all third-party interactions with your account. Of course this isn’t perfect but it’s a step in the right direction. I applaud FriendFeed for having the remote key functionality a required part of the API. BTW, Twitter has been talking about using nifty solutions like OAuth, so do it already @Twitter! HTTP Basic Authentication just doesn’t cut it.

Authentication of user credentials and social media is a big problem…(actually verifying who you say you are is a another topic altogether). What authentication solutions for social media do you think should be adopted?

Notacon 6 Speaker Update

Tom — Mon, 15 Dec 2008 14:53:44 +0000

Looks like the Notacon website has updated the speaker list and there looks to be some really good talks so far. Here is the list from the Notacon 6 website and blog post:

Time To Replicate The Real Threat: Client Side Penetration Testing
CG & g0ne

Interactivity with Arduinos, Transducing the Physical World
droops & Morgellon the Lowtek Mystic

Fun With The MSP430 MCU
Travis Goodspeed

Hacking Light – How we came to love Holga and Other Stories of photo hi jinx
Jeon & Treize

“Pilates” for Common Cubicle Injuries
Michele Martaus

Super Jason Scott Presentation 64
Jason Scott

Programming The Sega Genesis For Mad Profit and Crazy Mad Profit
SigFLUP

Hacking Cognition
Tottenkoph & Selkie

Intro to Go
Jason Viers

What is Notacon?
Notacon is one of the most unique conferences you will ever attend! Notacon 6 is April 16th – 19th 2009 held in Cleveland, Ohio. Notacon explores and showcases technologies, philosophy and creativity often overlooked at many “hacker cons”. Registration is open!

Maltego 2.01 Released

Tom — Wed, 03 Dec 2008 04:55:36 +0000

Looks like the fine folks over at Paterva have released version 2.01 of Maltego. If you don’t know what Maltego is…look here. Check out some of the changes and new features. From the announcement:

Features:

* Copy and paste to/from graphs
* Copy and paste to/from text
* Above can also function as “import”
* Zoom to pointer
* Looking glass zoom mode
* Added notch on slider that will return 10,000 entities (if your RAM can stomach it)
* Brought back “Run All Transforms” – you asked for it!
* Cancel transform run (e.g. i clicked on the wrong transform and it’s taking forever while my graph is turning into a green mush, can we please stop this now)
* Easier Mac install

Fixes:

* Authentication proxies now works (including NTLM)
* Cancel on entity export (small annoying fix)
* Transform manager window resizes properly (useful for those on E^3s)
* The dreadful save bug has been fixed (if you never saw it count yourself lucky)

In addition they note the in the upcoming 2.1 version they will be allowing local scriptable transforms! I am really looking forward to this feature as the custom transform creation process will hopefully get a whole lot easier.

Note that the main download page doesn’t have the new package yet so if you want it now you need to get the download links from the forum post here. I would expect the main site updated later today.

Also…the crippled “community edition” is still on the old version for now (updated shortly I am sure). By the way, it’s only $430 USD for the first year, $320 USD per year thereafter for a license of the commercial version…well worth it!

Young IT Professionals of Northeast Ohio

Tom — Mon, 01 Dec 2008 16:27:11 +0000

There is a new group forming in Northeast Ohio for IT professionals focused on the younger generation and is an opportunity to network and learn from one another. The first meeting is at the Great Lakes Brewing Company on December 10th @ 6pm (downstairs in the beer cellar). Cost is $15 to help with appetizers but is open bar! Read: Great Lakes has Christmas Ale on tap!

If you plan on attending please RSVP to Devon Campbell (dcampbell2 [aT] mcpc.com).

This event should be a great way to network and meet others in the area! Hope to see some of you locals there!

The Security Bloggers Network has Moved!

Tom — Fri, 28 Nov 2008 15:17:26 +0000

You may have noticed that I removed the SBN (Security Bloggers Network) badge from my blog and that the SBN Feedburner site has not been updated in several weeks. Well, Alan Shimel has officially moved SBN over to Lijit. Lijit is kind of like FriendFeed but is really more about searching, linking searches, and putting your socnets together. It should be interesting to see how Lijit will improve distribution of the SBN site content. You can check out the new SBN here. If you haven’t checked out the large list of blogs that belong to the SBN…you really should! Lot’s of great security bloggers are on the list.

Subscribe to the SBN from here via RSS or OPML.

Analysis of a new Facebook phish

Tom — Wed, 19 Nov 2008 03:30:24 +0000

I just posted an article for Blogsecurify about a new Facebook phish that I stumbled upon. Thanks again to Greg and Tyler for helping out with some of the detailed analysis! You guys rock!

Fighting the good fight!

Tom — Fri, 14 Nov 2008 21:29:06 +0000

Hey…I actually found a few minutes for a quick blog post!

Just a quick post to check out the report that my friend and malware researcher Greg Feezel was mentioned in a report over at Hostexploit.com. He contributed data to this report. The report was on the McColo web hosting firm which is apparently responsible for sending 75% of spam world wide! If you didn’t know, McColo was taken offline a few days ago and there has been a massive decrease in spam across the Internet. If you want more information on McColo check out Brian Kreb’s article here. Brian is actually one of the guys that helped shut this firm down based on some of the reporting he did.

Goes to show you that we can do some good as security professionals if we all work together!

Facebook Privacy & Security Guide Released

Tom — Fri, 31 Oct 2008 02:43:42 +0000

Today at the Ohio Information Security Summit I released my Facebook Security & Privacy Guide. This guide gives you suggested “baseline” security settings that you can use when configuring your Facebook account. Obviously, you can adjust these settings based on your own level of risk but it should give you a good starting point.

How did this project get started?
I have been doing several months of research with my own Facebook account as well as gathering the input of other Facebook users to determine what the privacy and security settings would be without loosing the key features of using a social network website…the networking!

Please feel free to distribute this document to friends and family or use it for any security awareness campaigns. I will hopefully be keeping up with any updates to the document when Facebook changes things. I might be putting together a similar document together for MySpace but MySpace is a totally different animal altogether. We shall see!

You can download a pdf version of the guide here.

Exploit status for MS08-067

Tom — Mon, 27 Oct 2008 21:00:00 +0000

I won’t go into detail about the new Microsoft vulnerability…you all know it’s pretty serious and there are a ton of blogs and websites talking about the dirty details. Hopefully you have all read about it and are getting the word out about patching. However, there are some updates on the status of currently available exploits for the vulnerability that I found interesting.

Public exploit code?
Yesterday Microsoft posted this update to their blog on the MSRC. Microsoft says that there is currently no public exploit code available. The code mentioned that causes a denial of service attack was the code posted on Milw0rm I believe. The only working code released was from Immunity CANVAS and Core Impact if you are a paying customer. Core Impact does mention that the exploit is in early release and may contain bugs or limited functionality (not 100% reliable).

Gimmiv.A – Is it a worm or a trojan?
Don’t let the thought cross your mind that you can perhaps delay patching your systems because public exploit code is not working/available! You still need to patch as there is malware that is currently out in the wild (Gimmiv.A) being used in “targeted” attacks. Whether or not this is a trojan or a worm is up for debate. Microsoft says this is not a worm but a trojan. However, other researchers are saying that this is worm because of the way it attacks other hosts on a network via RPC. I guess you could call it a “network-aware” trojan as ThreatExpert mentions. Either way, malware authors are most likely developing more powerful payloads as I write this.

As a final reminder we all know based on past history with RPC vulnerabilities…reliable public exploit code will be out before you know it! Make sure you take your patching seriously…

UPDATE: If you follow HD Moore on Twitter you will see that he has just released MS08-067 PoC code for Metasploit.

Information Gathering with Maltego

Tom — Mon, 20 Oct 2008 01:51:00 +0000

Last Wednesday I gave a presentation to the Northeast Ohio Information Security Forum on Maltego which is a fantastic tool for information gathering. The presentation focused on a high level overview of the application and how it can be used for all types of security related work including security assessments, investigations and helping find public information about a company or person.

You can download the presentation here. Like I mentioned at the talk you can get more information on Maltego from the Paterva website. If you are looking for a few good tutorials you can check out part one and part two on Room362.com or Ethicalhacker.net.

Exploiting trust in social networks

Tom — Mon, 06 Oct 2008 13:05:21 +0000

Over the weekend I posted my first article on Social Network/Media security over at Blogsecurify. You can check out the post here. My next article will talk about the security of third-party applications and widgets for social media applications.

MI6 camera sold on eBay? 007 is pissed!

Tom — Thu, 02 Oct 2008 03:21:33 +0000

This article was just too good and worthy of a blog post…apparently a MI6 digital camera went missing and went up for sale on eBay…for only $30. The kicker is that the camera’s memory card contained the following information:

Via Reuters:

“Its memory had names of al Qaeda members, fingerprints and suspects’ academic records as well as pictures of rocket launchers and missiles, the Sun newspaper reported.”

Opps… So did the camera have a “If lost, please call the following MI6 number” sticker on it? That is one big mistake for the British intel boys…

Malware challenge has started!

Tom — Wed, 01 Oct 2008 05:00:00 +0000

Just a reminder to head over to malwarechallenge.info to start the malware challenge that was mentioned on the last Security Justice podcast as well as a blog post that I did a few days ago. The contest runs from October 1st – 26th and is open to everyone! May the force be with you…

Tom joins the Blogsecurify team!

Tom — Fri, 26 Sep 2008 19:00:00 +0000

I am excited to announce that I am now part of the GNUCITIZEN Blogsecurify social media “tiger team”. I am officially a blogger for Blogsecurify and will be posting about security issues/vulnerabilities in social media applications. As you may already know, I have been doing a lot of research recently into Facebook privacy and security. Blogsecurify/GNUCITIZEN is the perfect outlet for the research I am doing as well as other projects I am about to work on. GNUCITIZEN has always been about cutting edge, progressive thinking security research and I am looking forward to working with others that have a passion for social media security.

Do you have a Wordpress blog? If you do then you really need to check out the Blogsecurify tool. The Blogsecurify tool was basically formed from the wp-scanner project and was a joint effort between GNUCITIZEN and BlogSecurity.net. The tool is an online Wordpress vulnerability scanner. It will scan your Wordpress blog via a plugin that you activate on your end. It will then run a series of checks and let you know the results. I am under the assumption that this scanner will evolve with the ability to scan other types of blogging software and social media applications. If you are interested in helping out with research and/or blogging on Blogsecurify check out this post.

Stay tuned for my Facebook Privacy & Security Guide release and details on other social media security related projects I plan on working on through this site and now blogsecurify.

Malware Challenge begins October 1st!

Tom — Fri, 26 Sep 2008 01:48:09 +0000

Tyler (aka: The Security Shoggoth) announced on the Security Justice podcast last week about the “Malware Challenge” that begins October 1st. I think this is a great idea and is a fantastic way to learn about how malware works and how to analyze it.

Via The Security Shoggoth:

“Starting from October 1, 2008 and ending October 26, 2008 we will be running a malware analysis challenge at http://www.malwarechallenge.info. In the challenge participants will download a malware sample to analyze. The site will have a list of questions for participants to answer and send in. We will judge the answers and those scoring the highest will win prizes.”

Yes, this is a real piece of malware that you will analyze! More about the malware and the contest:

“Participants in the malware challenge will download the malware, analyze it and answer questions based on their findings. The answers to these questions will be evaluated by the judges in order to determine who the winners are. At a minimum, submissions should include the answers to the questions. However, submissions which also include a narrative on such things as how the malware was analyzed or how the analysis lab was set up will be more likely to win. Be creative.”

What are the prizes? So far they have a Best Buy gift card, IDA Pro Book, Full version of IDA Pro software, Hacker game from Steve Jackson Games and many more prizes as well. For the most up-to-date-list, check here.

Even if you have never analyzed malware before…everyone is encouraged to participate! This is a great way to learn about how malware works and also a way to develop a new emerging skill set! The contest site has some links for you to get started if you never did malware type analysis so you have some place to start. Winners will be announced at the 2008 Ohio Information Security Summit on October 31st. You don’t need to present to win but there will be special prizes for those that can be there. Good luck to everyone participating!

Where is Tom?

Tom — Mon, 22 Sep 2008 16:59:05 +0000

Wow..it’s been really crazy as of late. Sorry for the lack of blog posts but this is “the” busy month of the year for me! Here is what I have going on:

October 11th Ohio LinuxFest
Security Justice will be podcasting live from the Ohio LinuxFest! Dave and myself will be there hanging out with the folks from Notacon and others. If you are there…stop by, say hi and pick up some Security Justice stickers!

October 15th NEO InfoSec Forum
I will be giving a talk on “Information Gathering with Maltego” at the NEO InfoSec Forum. Join us after the meeting at Mavis Winkles for beer and the live recording of the Security Justice podcast.

October 30-31st Ohio Information Security Summit
There are several things that I am doing at this year’s local security summit:

I will be participating in a panel discussion at 2:20pm on October 30th, “Social Networks – Acceptance and Mitigation of Risk in Today’s Workplace”. Later that evening at 6pm I am leading a birds of a feather session entitled “Security & Privacy of Social Networks”. At this session I will be releasing my Facebook Privacy and Security Guide at the session. Look for a blog post about this project soon.

Finally, on October 31st I will be doing a talk entitled “Penetration Testing 2.0: Corporate Tiger Team” at 1:30pm.

If you are local or in the surrounding Ohio area be sure to check out the Information Security Summit. It’s well organized and is only $250 for two full days of talks!

Oh, and if that wasn’t keeping me busy enough…I am working on another Security Justice special edition with another very special guest to take place some time in October. More details soon.

I’ll hopefully get a few posts up in the next few days…I have a few in the “queue” almost ready to launch. Back to work for me and thanks for reading!

Finally a use for Incognito

Tom — Thu, 11 Sep 2008 03:28:11 +0000

Lets say (hypothetically for the sake of this post) that you were able to exploit the system of a Windows domain admin during a pentest. The goal of this attack? Steal the credentials of the domain admin and continue on with owning the domain. Sure, you could use gsecdump, pass-the-hash and do the same thing…however, Incognito (tool to conduct token passing) is nice when you know a system is vulnerable to an exploit and you want to do everything through a nice Metasploit meterpreter shell. The problem with gsecdump is that it would require you to use psexec to run it remotely on the admin’s system. Depending on the scope of your assessment and if you are trying to be covert, gsecdump/psexec may not be the best idea as you may get noticed by either an anti-virus, HIDS alert or some other detection system on the host, including the admin (don’t get me wrong…gsecdump is a GREAT tool and should be part of any pentest toolkit). So here comes Incognito to help you out in this situation…

How does Incognito work? I won’t go into a ton of detail as you can check out CG’s posts over at Carnal0wnage. He did an awesome two part write up about the tool…in detail…you should check out. Here are the high level steps:

1. Ensure you have the latest Metasploit snapshot. Not by doing an “svn update” either…you have to use Subversion and do an “svn co http://metasploit.com/svn/framework3/trunk/”. Run msfconsole through this trunk. Be warned that Subversion is picky with proxy servers if you have to deal with that.
2. Exploit system with Metasploit and a meterpreter payload.
3. Follow CG’s posts (linked above)
4. Once you impersonate the domain admin, use the tool in your meterpreter shell to create a domain user and add your new user to the domain admins group (again…follow CG’s posts).
5. Continue on with your domain compromise…rinse and repeat with your next client and/or pentest!

The best tool to clone hard drives, is free!

Tom — Tue, 09 Sep 2008 01:37:33 +0000

While not a security related post…I thought I would let everyone know about a really good open source hard drive cloning software that I recently discovered when I needed to clone and image multiple Linux systems. It’s called Clonezilla and works just like Symantec Ghost but faster and free.

From the Clonezilla web site:

“Clonezilla, based on DRBL, Partition Image, ntfsclone, and udpcast, allows you to do bare metal backup and recovery. Two types of Clonezilla are available, Clonezilla live and Clonezilla server edition. Clonezilla live is suitable for single machine backup and restore. While Clonezilla server edition is for massive deployment, it can clone many (40 plus!) computers simultaneously. Clonezilla saves and restores only used blocks in the harddisk. This increases the clone efficiency. At the NCHC’s Classroom C, Clonezilla server edition was used to clone 41 computers simultaneously. It took only about 10 minutes to clone a 5.6 GBytes system image to all 41 computers via multicasting!”

Yeah, it’s fast alright! I have been using the Clonezilla Live to image hard drives and it has been working great. You can also run it off of a USB thumb drive if you are so inclined. So, don’t fork over $$ to that evil empire called “Symantec”…give Clonezilla a try if you want to clone a drive or multiple drives.

New Ohio Identity Theft Law: Epic FAIL for Consumers

Tom — Wed, 03 Sep 2008 03:50:44 +0000

I have to give the lawmakers in the state of Ohio some credit for attempting to take identity theft somewhat seriously. It’s actually about time since every other state in the US has had laws for a long time now. Unfortunately, they got it wrong. The problem is that they have made something that is fairly manageable for consumers into another way for the three credit agencies to make more money.

From the Cleveland Plain Dealer:

“When a new Ohio law kicks in on Labor Day, you’ll be able to freeze your credit reports for $5 a pop. Security freezes let you “lock up” your credit report and scores, making it more difficult for an identity thief to open accounts in your name. New account fraud isn’t the most common type of identity theft, but it’s one of the more expensive and time-consuming varieties to clear up. A freeze is an important tool in combating this financial crime.

To get the best protection, you’ll need to freeze your files at all three credit bureaus, meaning you’ll shell out up to $15.”

and to “thaw” your “freeze”…

“You’ll need to temporarily thaw a freeze when you shop for credit, buy insurance or do anything else that requires a credit check. Each thaw costs $5. Ohio’s law lets you thaw for a specific party or, if you’re applying to multiple lenders, for a specific period of time. If you’re thawing for a specific lender, ask which bureau it plans to use so you can minimize the cost and thaw only at that bureau. Make sure you have the lender’s correct name so it can access your report.”

Confused yet? Let me explain….

So fork out your first $15 to get this baby started. Now when you are ready to buy something that requires a credit check…don’t forget to call the credit agencies to “thaw” your “freeze”. But wait! Which one do you call? Not sure? Call all three and fork out another $15. Oh? I need a PIN to thaw my account? Most consumers will forget what the PIN was so thats another $5 to get a PIN reset. Is the freeze a pain in the ass to manage? No problem…fork out another $15 to remove the freeze to permanently thaw your credit.

There are two solutions that provide similar protection:

1. Every 90 days call each of the three credit agency’s and put a fraud alert on your credit reports. This costs nothing and is pretty effective…but a pain to remember.

or better yet…

2. Get a monitoring service like Debix. They will freeze your credit and provide real time monitoring. You can’t beat the service for $24 a year. Between the $15 freeze and if you need to open up your credit one time with all three agency’s, Debix is a cheaper, more reliable and safer with less work. If you want some good information on Debix and how it works check out Rich Mogull’s blog post.

Oh. If you read the full news article…check out the following (funny) information required if you want to hook this up via snail mail:

“By certified mail: Send your full name, with middle initial and generation (for example, Jr. or II); Social Security number; date of birth (month, day and year); current address and previous addresses for the past two years; and $5 fee (not cash) to…”

Good thing identity thieves don’t steal mail these days….who really sends certified mail anyway right?

Remember the BBS?

Tom — Fri, 29 Aug 2008 01:43:44 +0000

Some of you should remember what a BBS is (Bulletin Board System)…

I grew up a child of the 80’s and when I got my first computer (actually an Apple ][e)...all the rage for geeks was connecting to your local BBS and checking out the awesome text based games and reading messages from other users on the BBS (believe me, it was fun back then!). All of this was at a blazing 1200 baud...and that was if you were lucky to own the latest technology (I had started with a 300 baud modem...couldn't fork out the cash for a 2400 baud modem...woo hoo)! Some of you in the Cleveland, Ohio area might remember the "Cleveland Free-Net" which was part of the Free-Net project. Cleveland Free-Net was the first community BBS of it's kind in the country. Funny thing was that I got really into it and ended up running my own n00b BBS called "The Laughing Goblin Inn" with my own dedicated phone line that I convinced my parents that I needed! I also got myself a massive 40 MB (yeah, that's megabytes) external hard drive to hold all my Apple "warez".

Via Hack a Day:

"[Lief Bloomquist] was in need of some geeky nostalgia. He thought making a BBS server on a Commodore 64 would fill that need perfectly. He used a PC running some routing software to make the BBS server available over the net, without any long distance charges. Anyone with an Internet connection can telnet to the BBS and join the fun.”

The setup this guy is using is really simple. It’s basically a Windows PC that is used to bridge between the Internet and the Commodore 64. The PC and Commodore are connected through a null modem cable and a VIC-1011A Terminal adapter. A simple program runs on the PC, listening on tcp port 23. He has the software and links to everything you need via his web site.

So if you ever ran a BBS or was ever involved in that world back in the day you should check it out (even if you didn’t know what the hell a BBS was…check it out to see what it used to be like)…it brought back some memories for me. Even the slooowness of 1200 baud was there!

Fire up a terminal and connect to bbs.jammingsignal.com port: 23 Enjoy!

Bad hard drive? Don’t let Apple take your data!

Tom — Wed, 20 Aug 2008 02:27:50 +0000

So the hard drive on my wife’s one year old MacBook has officially started to kick the bucket. Random crashes, slow performance and lots of errors like this in the system log:

disk0s2: 0xe0030005 (UNDEFINED).

Yup, we have bad blocks..all indicating imminent drive “FAIL”. I have AppleCare on the MacBook so I call them up and explained the situation. Surprisingly, they didn’t give me a hard time. In the past I have had problems with other computer manufacturers (ummm…Dell) in which I would have to argue with the guy/gal on the other end of the phone that the drive was “really bad” and I didn’t need to spend hours on the phone with them troubleshooting. So far so good with Apple right?

So I am finishing up the call and the tech is explaining how Apple will ship me a box to send the MacBook back to them for repair. Apparently, they don’t do self service hard drive swaps anymore. Weird since it’s easy to replace a hard drive on a MacBook. Anyway, the rest of the conversation went something like this…

Apple guy: “Sir, do you have a password set on your MacBook”?
Me: “Yes. Why do you need that?”
Apple guy: “The tech’s need it to replace your hard drive”
Me: “Huh? Why do you need my password to replace a bad hard drive? Just pull the old drive out and put the new one in.”
Apple guy: “Sorry sir. That’s the procedure.”
Me: “What if I don’t give you the password?”
Apple guy: “Then we can’t repair your laptop”
Me: “grrrr…fine…here is my password..ready? a-p-p-l-e-s-e-c-u-r-i-t-y-F-A-I-L”
Apple guy: “Thank you sir. You will have your shipment box in 24 hours.”

So for every bad hard drive that comes into the Apple repair center they log in to verify that the drive is bad? What do they do with all the drives like mine that are still functional but have bad blocks? Can Apple guarantee that there are no shady people working in the repair center wanting to steal my personal information? What happens to the data? The sad mac fact (note the “sad mac” picture above) is that no one knows!

I did some research on this and apparently Apple doesn’t care too much about your personal data. Dave Winer wrote about this extensively and notes the same problem. The Apple repair “terms and conditions” only states that your information is protected in accordance with the “Apple Customer Privacy Policy” and that you agree that Apple can use your data to perform the “service obligations”. Interesting to also note that on the Apple privacy web site under the AppleCare Repair Agreement it also states the following:

“You agree and understand that it is necessary for Apple to collect, process and use your data in order to perform the service and support obligations under the Plan. This may include the necessity to transfer your data to affiliated companies or service providers located in Europe, India, Japan, Canada, People’s Republic of China or the U.S.“

Huh? People’s Republic of China? That’s nice. I couldn’t find any reference noting what Apple does with your personal “hard drive” data. They only mention your name, address, things you purchased, etc…

So what am I going to do about this? I’m going to completely wipe the drive (Darik’s Boot And Nuke is my favorite disk destruction utility) before sending it back to Apple just to see what happens. I have my doubts that they will actually log in to the MacBook to see if the drive is bad. Let’s see if I get the drive replaced or not…I’m betting it will be replaced, no problem.

Sure, Apple is not the only company doing this with hard drives. This is a problem that needs to be addressed by all computer vendors. What they do with your data should at least be disclosed in their repair and/or privacy policy (at a minimum). In the meantime, encrypt your sensitive data (TrueCrypt works well) and securely remove any data you don’t want people servicing your computer to see. I’ll keep you updated on the repair status…

Are you using strong and unique passwords? You should!

Tom — Fri, 15 Aug 2008 21:41:32 +0000

I have been following several stories of recent targeted attacks against a few high profile security professionals. Two that I was made aware of were pdp from GNUCITIZEN and Alan Shimel from StillSecure, After All These Years. pdp had his Gmail account compromised and his entire mailbox mirrored all over BitTorrent. Alan’s, was far worse with his mailbox compromised, personal info released and his blog domain hijacked. Both pdp and Alan have returned to blogging after the attacks and I commend them for making such a quick come back.

While these types of attacks are not new…it goes to show that this can happen to anyone, even high profile security professionals. Not much is known yet on how these attacks happened but I am willing to bet that common and/or weak passwords were part of the attacks in some way. Think about all the passwords you have…do you have the same one for everything? If you are a blogger or manage a web site think about the last time you changed the password you use for your domain registration (yeah..that was a long time ago right?)! Add to the fact that these passwords may not be very complex and you have a potentially dangerous situation.

Close to two years ago I started using a password manager and it has been one of the best things I have done to help sort out the password mess. Password managers are great…but you can still get lazy. We all have the lazy bug…especially with online forums and web sites. One idea that I learned to help combat this was to have a “throw away” password that you can easily remember (yet still somewhat complex) for things on the web that you wouldn’t care if they were compromised. Everything else…use the password manager and make sure you use a long (> 20 character) randomly generated password for each application. Keep in mind that 20 characters may be too long for certain web sites or applications. Case in point…LinkedIn has a limitation of 16 (I found this out the hard way). Sure, it’s a pain in the ass to use a password manager but in the end…it’s well worth the extra work.

So what password manager to use? I did a few posts a long time ago about two of them. However, over the years I have migrated everything over to KeePass and KeePassX (for OS X). Since I use multiple computers with different OS’s (and a Blackberry)…KeyPass is the only one that I found that can be easily used on multiple platforms. There are also a TON of great plugins. Add to the fact that it’s free…it’s tough to find a more robust solution.

So yes, go for it! These targeted attacks should remind you that it’s a good time to change those passwords to something complex and unique. Don’t forget to use a password manager to help you out!