Dr. Scott A. Wells Ph.D. [email protected] Facebook: UltimateKnowledge

Dr. Scott A. Wells [email protected]

Facebook: UltimateKnowledgeTwitter: UKI_Twitter

Ultimate Knowledge Institute’s

Social Media Security CourseFocusing on Social Media Foundations and Security Concepts

Welcome

Social Media is the New Medium

By 2010 GenY will outnumber the baby boomers. And 96% of them have joined a Social network.

Social Media has overtaken porn as the #1 activity on the web

Three of the world’s most popular brands online are social-media related and the world now spends over 110 billion minutes on social networks and blog sites.

Socialnomics: How Social Media Transforms the Way We Live and Do Business

Socialnomics: How Social Media Transforms the Way We Live and Do Business

http://blog.nielsen.com/nielsenwire/global/social-media-accounts-for-22-percent-of-time-online/

850 million people using Facebook

account for 1 out of every 5 page views on the internet worldwide

250 million photos are uploaded to Facebook daily

There are an estimated………

These 850 million people……

And ….

Facebook Statistics ………

Facebook Statistics ………

As a country Facebook would be the third most populated country behind China and India

There are over 3 billion videos watched per day on YouTube.

Over 35 hours of video uploaded every minute.

5 billion – Photos hosted by Flickr (September 2010

3000+ – Photos uploaded per minute to Flickr.

and…

and…

25 billion – Number of sent tweets on Twitter

175 million – People on Twitter as of September 2010

and…

Vide

oIm

ages

Twee

tsSome Social Media Statistics by Category ………

Served as Mechanism for political change

Egypt

Tunisia

Yemen

Libya

Assists in disaster notification and response

The Dark Side of Social Media……….

Source: http://www.darkreading.com/insider-threat/167801100/security/privacy/225702468/index.html

Robin Sage gained roughly…….

LinkedIn ----- 148 connectionsFacebook ----- 110 friends Twitter ----- 141 followers.

Over a period of 28 days starting in late December and ending in January of this year.


Attackers are employing reconnaissance techniques to penetrate computer networks

Source: http://www.securecomputing.net.au/News/165600,hackers-ran-detailed-reconnaissance-on-google-employees.aspx

OPERATION AUROA


Attackers are employing reconnaissance techniques to penetrate computer networks

http://www.betanews.com/article/Personal-data-of-170-million-Facebook-users-exposed-collected-and-shared-without-any-hacking/1280439164

People who are using Facebook either do not care about protecting their information or do

not know how. This is a systemic problem across

the majority of Social Media platforms


Source: http://www.nytimes.com/2010/11/29/world/29cables.html?_r=1

Leveraging the Dark Side

The Matrix (1999 film)

Really More Like This

Attack Characterization & Anatomy

Ultimate Knowledge Institute 16

Data Profiling Malware Based Attacks Phishing Attack Evil Twin Identity Theft

Social Media AttacksCharacterization & Anatomy

Ref:

For the next slides we will characterize and walk through some typical attacks associated with Social Media



Data Profiling

Data profiling attacks normally include multiple threat activities defined earlier in this seminar. Data profiling attacks are used as a basis for many other attacks. Lets take a methodology employed in a data profiling attack.

Preparation Phase

Attack Phase

Back out Phase

During the the preparation phase the attacker develops the attack plan that will be used within the attack phase

During the attack phase the attacker employs Social Media focused attack techniques.

During the back out phase the attacker finalizes the attack phase and covers tracks.

1

2

3



Data Profiling Preparation Phase

Engagement Timeline

Create a Dossier Repository

Identify the expected timeline for Social Media Dossier Attack. This will tie into the overall goals of the dossier build and how the information gathered will be used (extortion, blackmail, defamation, reputation attack preface for espionage activity etc….)

The amount of data that will be collected will be immense needs to be searchable. This data should be stored in a database with some form of frontend.




Target Characterization Using open and closed sources identify the target’s personal information. Names, relatives, locations, public records etc. Closed sources include the hiring of private investigators or background investigation services.




Social Media Presence Discovery

Using characterization information conduct a discovery of the individuals Social Media presence and document all Social Media profiles and activity.

Target: John Smith

Search for Presence

Output is a list of social sites

that the target is a member of.



Ref: http://www.paterva.com/web5/

Lets use Maltego-3and some

other internet based tools and do a little Open Source Intelligence Gathering. For this demo will start with a target, create a digital profile of activities, and determine locations and relationships.




Another great source of gathering information is GeoTagging. Many social media photo based websites allow you the ability to strip out geotag coordinates but others do not. Flickr is a great source for geotags.





Document the Targets Social Context

Determine how the individual use Social Media, what type of social presence and the level of social activity.

• Unique Attributes of Social Media Presence• Images and Media• Relationships with people• 3rd Party Applications• External Links and Usage




Determine Tools and Techniques

Identify the expected tools and techniques that will be used during the attack phase. These tools will need to integrate with data repositories




Develop Social Actors• Develop actors that will be used in the Dossier

building.

• These actors should have their own Social Media character profile /context and they should align with the Social media context and profile of the target.

• Actors can assume the role of an individual, application, place or business.

• Time should be allocated to develop Social Media

actors.




Develop Social Actor Activity Plan

• Each actor’s activity should be carefully scripted.

• The activity plan will document the specific roles and activities of each actor when populated within the targets Social Media presence.

• Assurances should be made that each activity plan has a monitoring plan to detect for target anomalies such as switching Social Sites or actor realization.

Populate Social SitesUsing developed actors and activity plans populate Social Media sites



Data Profiling Attack Phase

Develop and Execute Supporting Attacks• The intent is to compromise the targets relationships.

• Supporting attacks include executing web based attacks against targets relations and impersonations (multiple actor types).

• Supporting attacks require dedicated plans and should be conducted outside of the dossier attack plan.

• Support plans should have a mechanism to feed information into the dossier attack plan.

Attacker

Target Target’s Relationships



Ref:http://en.wikipedia.org/wiki/Cross-site_scripting

Malware Based Attacks The Cross Site Scripting Attack is commonly used to propagate Malware.

Persistent Non-Persistent (Reflected)

The code is upload to the vulnerable server within the application. The client

activated the script when the page is loaded

The code is delivered to the victim by the attacker via link embedded with malicious

JavaScript.

1

2

3 4

2

3

1




Reflected

Input

Output




Stored

InputOutput

Source



Ref:http://www.technewsworld.com/rsstory/68946.html

Malware Based Attacks Persistent XSS Attacks and Social Media - Twitter

1

Victim

Attacker Site

Twitter

Attacker

View Infected Profile

3 Establish AJAX Connection

6Steal Auth Token

7 Post Status & Change More

Info. URL

2 Download Malicious JavaScript

5Image Request

4 Forward cookie and username

StalkDaily.ComMichael Mooney



http://www.zdnet.com/blog/security/hackers-selling-25-toolkit-to-create-malicious-facebook-apps/8104

Malware Based Attacks Hackers selling $25 toolkit to create malicious Facebook apps

The do-it-yourself toolkit offers a template for spreading malware, directing users to click-fraud accounts and for pushing Facebook users to bogus surveys to hijack personal information. This commoditization of Facebook malware is further confirmation that social networks are a happy hunting ground for cyber-criminals looking to hijack personal data for use in identity theft attacks.

TINIE VIRAL APP V3.6

Facebook Profile Creeper Tracker Pro

RAMNIT Zues

SpyEye



Ref:http://www.infowar-monitor.net/reports/iwm-koobface.pdfhttp://www.abuse.ch/?p=2103

Malware Based Attacks Koobface

Phase 1

Koobface Attack PhasesPhase 2 Phase 3 Phase 4

Koobface Monetization

Hijacked website with JS Fake Video

with .exe

The Koobface does not just exist for “fun”but for “profit” as well.

Koobface Mothership

Malicious AVAffiliates

Pay Per Click Affiliates

Compromised HostFake posts are

redirected to….

Malicious bit.ly and blogspot URLredirect

to….

User redirected to….

Server that spreads

Koobface



Ref:http://en.wikipedia.org/wiki/Phishing

Phishing Attacks

Phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication 3.2 Billion Lost in 2010 – Gartner Group

Anatomy of Generic Phishing Attack

Categories of Attacks

• Spearphishing• Phishing• Pharming• Vishing

Categories of Attacks

• Redirect Attacks• Disclosure Attacks• Impersonation• Unauthorized Usage

Phase IRedirect

Phase IIDisclosure

Phase IIIImpersonation

Phase IVUnauthorized Usage

Fraudulent Transaction

Impersonate Victim

Actual Site

Spoofed Site

Victim

Attacker

Steal Identity



Ref:http://en.wikipedia.org/wiki/Phishing

Phishing Attacks Phishing Attacks and Social Media – Facebook App.

User clicks on the link and is presented

with a Facebook login

The attack then returns you to Facebook, installs an app

called “Media Player HD”,and asks you to download the “FLV player” --- Malware!



Ref: http://www.gnucitizen.org/blog/social-networks-evil-twin-attacks/

Impersonation Attacks Impersonation Attacks involve the registering a username with the intent to mislead others as to the identity behind the username.

John Smith

Sam Hacker

Impersonation Individual or Organization

Compromise Relationships

Damage Reputation

Phishing Attack

Confidence attacks

John Smith

John Smith

Conduct Malicious Activities

Identity Theft Activities

37


Ultimate Knowledge Institute

Data LeakageSocial Media Data Leakage is characterized as the unauthorized release of organizational information.

Leak Distribution Propagation



Ref: http://codebutler.com/firesheep

Identity Theft Identity theft is the actual taking over the identity of an individual.

The Firefox plugin “Firesheep” is a tool that automates the capturing of a set of predefined Social Media session cookie’s. This allows an attacker to steal an unsuspecting victims Social Media identity.


OverviewUKI Social Media Program

Ultimate Knowledge Institute is offering both a training and certification program for Social Media Technologies.

Social Media Foundations Course

Social Media Engineering & Security

Course

Social Media for Managers Course

Social Media Practitioner Certification

Social Media Engineering & Security

Certification

Social Media Governance Certification

The Social Media for Managers course and certification encompasses the governance strategies policy development and processes that should be put into place to support Social Media initiatives within an organization.

The Social Media Foundations Course is designed for individuals who must indoctrinate other users and who work with Social Media on a daily basis

The Social Media Engineering and Security Course and Certification is meant for individuals who must design, implement and operate secure Social Media solutions.

Questions# Questions are not limited to one hundred and forty characters

Documents

Dr. Scott A. Wells Ph.D. [email protected] Facebook: UltimateKnowledge