Social Zombies II: Your Friends Need More Brains
- 25. Who is the most dangerous woman on the Internet?
- 37. Still easy to exploit trust!
• More difficult to tell a bot from a real account
• Accounts are easy to create
• Socnet User Verification = FAIL
• Twitter “Verified” Accounts?
• Connections based on other “friends”
- 39. New Facebook Privacy Settings
• Your info is even more open!
• Your Name, Profile Picture, Gender, Current City, Networks, Friend List, and Pages are all public
• “Suggested” settings are set to EVERYONE
• Zuckerberg says users don’t want privacy...
- 44. "I Joined BLIPPY and all I got was Jacked at the ATM"
- Chris Nickerson (@indi303) via Twitter
- 55. How do pen testers and attackers use this?
Thank you Social Networks!
- 56. Wealth of recon information!
• Socnet Search Engines
• Maltego (Twitter and Facebook)
• Google Hacks
• site:facebook.com inurl:group (bofa | "bank of america")
• Manual Searching
• Status Updates
• Real Time Search
- 59. Koobface Evolving
• Still the #1 socnet worm
• Targets all major socnets
• Socnet chat vectors
• Now with CAPTCHA
• Adobe/IE 0day, Zeus Trojans FTL
*Screen shots via McAfee Labs/PandaLabs
- 61. Months of Bugs!
• July 2009 - Month of Twitter Bugs (Aviv Raff)
• September 2009 - Month of Facebook Bugs (theharmonyguy)
• Vulnerabilities affecting over 9,700 Facebook applications
• Over half of vuln apps had passed the Facebook “Verified” Application program
• Six of the hacked applications in the “Top 10” (Farmville and Causes!)
• Most could be used with ClickJacking to install
- 68. More Evil Twitter Bots
• Bots that pull trending topics...post malware links
• Used recently to promote warez like pirated movies
• Easy to code. Twitter API FTW
- 69. Better Automated Tools
• Tools are getting more reliable
• CAPTCHA bypass built in, able to off load to outsourced solution
• Automated tools are cheap!
Why roll your own?
(or get it for free via Torrent!)
- 83. SocNet APIs
• Social network APIs provide a wealth of information
• All the big ones offer them
• Some play catch up
• We get to play with these APIs
- 84. Im'ma Let You Finish
• New front end for Social Butterfly
• KanyeWestify allows us to update your wall
- 86. So what did we do?
• Using the API, we grabbed the user's information
• And their Friends' data
• In this version we used the FQL queries from theHarmonyGuy
• Full backup of your account
• We also used JS to brute force browser history
• We can map visited pages to users of Facebook!
• Marketing FTW!
- 88. We need more brains!
• User education...yeah, it’s hard
• Better privacy controls
• End opt-in developer models
• Tighter control of APIs
- 89. Questions?
• News, Research, Guides, Videos: SocialMediaSecurity.com
• Download KreiosC2: digininja.org
• Follow us...if you dare
@agent0x0, @digininja, @secureideas