Slapped in the Facebook: The wonders (and security threats) of social networking. Presentation for the National Information Security Group (NAISG), May 2009 monthly meeting

Security Dangers of Social Networking


DESCRIPTION

This is a presentation Bill gave at the May 2009 NAISG meeting on the security dangers of such social networking entities as Facebook, LinkedIn and Twitter.


Page 1: Security Dangers of Social Networking

Slapped in the Facebook:

The wonders (and security threats) of social networking

Presentation for the National Information Security Group (NAISG), May 2009 monthly meeting

Page 2: Security Dangers of Social Networking

About the presenter…

About me…

Bill Brenner (BillBrenner70)

On the NAISG Board of Directors since 2006

A Facebook/LinkedIn/Twitter junkie who is learning to use these tools with security in mind.

Senior Editor at

Page 3: Security Dangers of Social Networking

With a cameo from…

Jack Daniel and his sock puppets

One of the top security voices on Twitter, fellow NAISG board member

As for the sock puppets, the man might have some issues

Page 4: Security Dangers of Social Networking

First, a look at the world we’re living in…

• Twouble with Twitters: http://www.youtube.com/watch?v=PN2HAroA12w

• Savage Chickens:

Page 5: Security Dangers of Social Networking

Usefulness of the medium…

• Jack’s on Twitter all the time, so it can’t be that insecure, right?

• I’ve gotten a ton of networking value from LinkedIn, and have worked a much wider range of security sources into my content as a result. I’ve been able to use Twitter with similar results.

• Many of my security contacts are Facebook friends, but that one has become more about catching up with people I stopped caring about in 4th grade.

• In all, these are great tools to connect with people worth having in your professional and personal life.

Page 6: Security Dangers of Social Networking

How it’s changing the face of tech media

• It has quickly become a standard requirement for publications to have a Twitter/Facebook/LinkedIn presence

• The old days: Reporters rummaged through phone books and a Rolodex. Today: They ask a question in one of these forums, leave their e-mail and phone number, and wait for the responses to pour in

• 2004ish: Around this time, people joined e-mail forums to exchange ideas, ask questions, etc.

• Today: It’s all being done in the Web 2.0 social networking realm

• Requires the media to participate in the conversation in real time.

Page 7: Security Dangers of Social Networking

What’s out there…

• B-to-B networking, good place to ask questions and get answers, reach out to experts in your field. Job board as well.

Page 8: Security Dangers of Social Networking

My use of LinkedIn

• LinkedIn is my personal favorite because of the sheer number of groups. For security alone, I’m in 30-plus groups that deal with such specialized matters as identity management, vulnerability disclosure, digital forensics, port security, etc.

• By asking targeted questions within the discussion threads of these individual groups, I’m better able to work the best sources into the particular issue I’m writing about.

• In the process, I’ve grown my user/CSO contact base significantly, and these sources stay in touch with me about the pain points of their jobs.

• Goal: Make CSO a true force on these groups, a source people truly rely on to do their jobs more effectively. So far, so good.

Page 9: Security Dangers of Social Networking

What’s out there…

• Great place to connect with business associates, colleagues etc. But the more you use it, the more it becomes a hang-out for friends and relatives. Not that there’s anything wrong with that.

• Like Twitter, though, I find that Facebook is an excellent tool for proliferating our content.

Page 10: Security Dangers of Social Networking

What’s out there…

• Micro-blog. Lots of fun. Kind of like being in a crowded bar where you yell to be heard.

• We’re all using it to push out our content, ask questions of the experts we’re following, etc.

Page 12: Security Dangers of Social Networking

Like every good thing…

– There’s a big security risk: people who have the access but not the scruples.

Page 13: Security Dangers of Social Networking

Exhibit A:

• Slapped in the Facebook: Social Networking Dangers Exposed

• ShmooCon 2009: Two security researchers demonstrate the many ways bad people can tamper with your Facebook account, MySpace page or LinkedIn profile

• By Bill Brenner, Senior Editor • February 07, 2009 — CSO —

• WASHINGTON, D.C. -- For many people, social networking has become as much of a daily routine as brewing coffee and brushing teeth. IT administrators dislike it and cyber crooks depend on it.

• That's because most of the time people spend on MySpace, Facebook, LinkedIn, Twitter and elsewhere is during work hours -- on work machines.

• At the ShmooCon 2009 security conference in the nation's capital this weekend, two security researchers demonstrated the many reasons why this is bad.

• In a presentation called "Fail 2.0: Further Musings on Attacking Social Networks," Nathan Hamiel and Shawn Moyer guided attendees through attacks made easy because of the very nature of these sites, where users can upload and exchange pictures, text, music and other content with little effort.

• "Social networking sites are meant to get as many users in one place as possible on one platform, and for attackers there's a lot of return-on-investment in going after them," Moyer said, describing the climate as a perfect storm of social engineering and bad programming.

• Through a variety of easy tricks, attackers can hijack a person's social network account to use as a launching pad for additional attacks against other users, other Web 2.0-based applications, and so on. Social networks can also be incorporated into micro botnets and, by rummaging through a page of misfired direct messages on Twitter, a motivated attacker can unearth the cell phone numbers of prominent people.

Page 14: Security Dangers of Social Networking

Exhibit B:

• 3 Ways Twitter Security Falls Short

Social-networking tool Twitter has become this year's "it" platform. But experts say it still has some work to do on its security

• By Joan Goodchild, Senior Editor • February 18, 2009 — CSO —

• The popular micro-blogging platform Twitter continues its explosive growth. Twitter experienced a 900 percent increase in active users in the last year, according to a recent blog post from Biz Stone, the company's co-founder. People are increasingly using it to get breaking news updates, to collaborate with colleagues remotely, and connect with friends on an up-to-the-minute basis. Some businesses are using it as a new promotion and marketing tool.

• Despite the popularity, Twitter still has a lot to do when it comes to securing the platform (See: Three Ways a Twitter Hack can Hurt You). We spoke with two security experts about three areas where Twitter poses some significant risks.

Page 15: Security Dangers of Social Networking

2-23-08

• Hackers ramp up Facebook, MySpace attacks -- Five-exploit tool kit includes code aimed at Image Uploader ActiveX control

Page 16: Security Dangers of Social Networking

1-6-09

• Bogus LinkedIn profiles punt malware to fools

• Beyoncé's not your friend, you berk

• LINKEDIN IS NOT IMMUNE, EITHER

Page 17: Security Dangers of Social Networking

“Fail 2.0: Further Musings on Attacking Social Networks," by Nathan Hamiel and Shawn Moyer

• At the 2009 ShmooCon conference in D.C., the duo guided attendees through attacks made easy because of the very nature of these sites, where users can upload and exchange pictures, text, music and other content with little effort.

Page 18: Security Dangers of Social Networking

“Fail 2.0: Further Musings on Attacking Social Networks," by Nathan Hamiel and Shawn Moyer

• The demonstrations the duo ran through included:

• Creating imposter profiles on LinkedIn, assuming the identity of someone prominent, and friending as many people as possible. For the sake of experimentation, the researchers created a fake profile for a well-known security leader (with permission) and accumulated 50-plus connections in less than a day, many of them CSOs and other bigwigs.

• Showing how to sabotage the MySpace page of someone you're not directly connected with via the profile of a common connection. This example involved fake MySpace pages for rocker Alice Cooper and actors Eva Longoria and Bob Saget. In this scenario, Cooper and Longoria are connected to Saget but not to each other. Longoria wants to connect with Cooper, who refuses, and she responds by using their common connection to Saget to access and deface Cooper's page.

• Rummaging through a site that accumulates old direct messages originally sent out through Twitter. With enough patience, the bad guy can find and exploit such discoveries as phone numbers, e-mail addresses and other personal information that was originally meant for individuals rather than the general Tweeting public.

Page 19: Security Dangers of Social Networking

“Fail 2.0: Further Musings on Attacking Social Networks," by Nathan Hamiel and Shawn Moyer

• "Any application can be used to attack other applications and an application can be used to view your entire file if the privacy settings are off. Even if you put the privacy settings in place, you should assume you are screwed." Nathan Hamiel

Page 20: Security Dangers of Social Networking

What to do?

• LinkedIn, Facebook, Twitter Users Beware

• [FUD Watch with CSO Senior Editor Bill Brenner] The headlines are full of doom and gloom about attacks against Twitter, Facebook and LinkedIn users. Take this threat seriously, but don't let the alarming headlines drive you away.

Page 21: Security Dangers of Social Networking

This is like everything that came before…

• E-mail, Web 1.0-2.0 etc.

• Social engineering never fails the attacker

• User education is key

• Companies might want to start thinking about social networking cans and can’ts in the official user policy.

Page 22: Security Dangers of Social Networking

And now, a few words from jack_daniel

• That’s his Twitter handle, BTW

Page 23: Security Dangers of Social Networking

Thanks!

• Questions?

• Comments?

• Tweets?