Social Networking Security Workshop


Social Networking Security Workshop (Facebook and Twitter)

  • www.acisonline.net/snscon2010

    A. Prathan Phongthiproek, A. Sharkrit Piyavanich

    SNS M3-0

  • ACIS Professional Center, Aug-18-10

    Example of Social Network

    RSS feed

  • Social Network 10

    Social Networking Security Conference 2010

  • Social Network Phishing Attack Statistic

  • Hi5 Phishing Attack

    http://www.hi5.vs

  • Facebook Phishing Attack

  • Social Network Worm (Koobface)

    Affected social network sites: Facebook, Hi5, MySpace, Bebo, Tagged, Friendster, Fubar, LiveJournal, myYearbook, Netlog

  • Koobface Attack Step 1

  • Koobface Attack Step 2

    Adobe Flash Player

  • Koobface Attack Step 3

    Worm Koobface

    See the others in the Social Networking Security Live Show

  • Short Descriptions of Gen-Y

    Pop culture; own all gadgets; working with a PC; Eminem/Britney fans; Harry Potter series; social networking

  • Gen-Y Behaviors

    Continually connected
    Speak their own language
    Skeptical of authority
    Influenced by peers
    Seek recognition and fame
    Enjoy absurdity and off humor
    Embrace subcultures
    Skim text and information quickly
    Easily bored
    Expressive and digitally creative

  • Percentage of staff using their PC for personal reasons

    (Bar chart. Categories: Email, Websites, Banking/Personal Finance, Social Networking. Horizontal axis: percentage, 0 to 90.)

  • How do Gen Y bypass enterprise controls to visit social networking sites?

    Gen Y hack tools (see the full version in the Social Networking Security Live Show)

  • SNS M7-3

  • What is "Good Sites Gone Bad"?

    The web's greatest accomplishments have become its biggest threats: compromised sites, user-generated content and social networks defeat traditional domain-based trust mechanisms, because a trusted domain can now serve attacker-controlled content.

    The growth of the web has outpaced traditional URL filters, and web applications bypass legacy file-based anti-virus engines.

    Attackers use search engine optimization and trending topics to draw more victims to their attack pages.

  • Facebook Clickjacking

  • Twitter Clickjacking
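The Facebook and Twitter clickjacking slides rely on one precondition: the target page can be loaded inside an attacker's iframe and covered with a transparent overlay. The check below is an added example (not code from the ACIS deck) that decides, from a page's response headers, whether a given origin may frame it. It evaluates the two relevant headers, X-Frame-Options and the CSP frame-ancestors directive; the header sets and the origins social.example, evil.example and partner.example are constructed for the example.

```javascript
// Added example, not from the ACIS deck: decide whether a page may be framed
// by another origin. A page any site can frame is the precondition for the
// Facebook/Twitter clickjacking shown on the slides.
// The header sets and origins below are constructed for the example.

// Parse the frame-ancestors directive out of a CSP header, or null if absent.
function parseFrameAncestors(csp) {
  const directive = csp.split(';').map(s => s.trim())
    .find(d => d.toLowerCase().startsWith('frame-ancestors'));
  if (!directive) return null;
  return directive.split(/\s+/).slice(1)
    .map(src => src.replace(/^'|'$/g, '').toLowerCase());
}

// Does one frame-ancestors source expression permit framerOrigin?
// Handles 'none', 'self', '*' and host sources with an optional scheme and a
// leading wildcard label; scheme-only sources and port wildcards are not modelled.
function sourceAllows(source, framerOrigin, pageOrigin) {
  if (source === 'none') return false;
  if (source === '*') return true;
  if (source === 'self') return framerOrigin === pageOrigin;
  const framer = new URL(framerOrigin);
  let host = source;
  const m = source.match(/^([a-z][a-z0-9+.-]*):\/\/(.+)$/);
  if (m) {
    if (m[1] !== framer.protocol.replace(':', '')) return false;
    host = m[2];
  }
  if (host.startsWith('*.')) {
    return framer.hostname.endsWith(host.slice(1)); // '.partner.example'
  }
  return framer.hostname === host;
}

// Given the response headers served by pageOrigin, may framerOrigin embed it?
function isFrameable(headers, pageOrigin, framerOrigin) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;

  // A CSP frame-ancestors directive takes precedence over X-Frame-Options
  // in browsers that implement it.
  if (h['content-security-policy']) {
    const sources = parseFrameAncestors(h['content-security-policy']);
    if (sources) return sources.some(s => sourceAllows(s, framerOrigin, pageOrigin));
  }

  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return framerOrigin === pageOrigin;
  if (xfo.startsWith('ALLOW-FROM')) {
    // Obsolete and inconsistently supported; treated as the single listed origin.
    const allowed = xfo.slice('ALLOW-FROM'.length).trim().toLowerCase().replace(/\/$/, '');
    return allowed === framerOrigin.toLowerCase();
  }
  // No anti-framing header at all: any site can overlay this page.
  return true;
}

// Constructed header sets for a hypothetical social site, social.example.
const responses = {
  unprotected: { 'Content-Type': 'text/html' },
  xfoDeny: { 'X-Frame-Options': 'DENY' },
  xfoSameOrigin: { 'X-Frame-Options': 'SAMEORIGIN' },
  cspPartner: { 'Content-Security-Policy':
    "default-src 'self'; frame-ancestors 'self' https://*.partner.example" },
};

for (const [name, headers] of Object.entries(responses)) {
  console.log(name, 'frameable by evil.example:',
    isFrameable(headers, 'https://social.example', 'https://evil.example'));
}
```

Run the check against a site's real response headers (a HEAD request is enough) for every page that carries a state-changing button: a "true" result for an arbitrary origin is exactly what the clickjacking slides exploit.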

  • Cross Site Scripting Attack on Twitter

  • Cross Site Scripting Attack on Facebook

  • Cross Site Scripting Attack on Hi5

  • Cross Site Scripting Attack on YouTube

  • Twitter Phishing: www.tvvitter.com

  • Website URL Shortener

  • Simple URL Shortener bit.ly

  • Simple URL Shortening on Twitter

  • Twitter Attack via URL Shortener
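The URL-shortener slides and the www.tvvitter.com phishing slide describe the same problem from two sides: a short link hides its destination, and the destination is a look-alike of a real domain. The following is an added example (not code from the ACIS deck) that expands a short link hop by hop without rendering it, then classifies the final host against a brand list. The shortener sh.example, its redirect table, and the brand list are constructed for the example; the table stands in for the Location headers a HEAD request to each hop would return.

```javascript
// Added example, not from the ACIS deck: expand a shortened link hop by hop
// before anyone clicks it, then test the final host for a look-alike of a
// brand domain such as the tvvitter.com phishing page on the slide.
// The redirect table stands in for HEAD responses from a hypothetical
// shortener (sh.example); in practice fetch each hop with HEAD and read Location.

const redirectTable = {
  'http://sh.example/a1': 'http://sh.example/b2',
  'http://sh.example/b2': 'http://www.tvvitter.com/login',
  'http://sh.example/c3': 'http://twitter.com/acisonline',
  'http://sh.example/loop': 'http://sh.example/loop',
};

// Follow redirects without rendering anything; stop on a hop limit or a loop.
function expandUrl(url, lookup, maxHops = 5) {
  const hops = [url];
  for (let i = 0; i < maxHops; i++) {
    const next = lookup(hops[hops.length - 1]);
    if (!next) return { finalUrl: hops[hops.length - 1], hops, complete: true };
    if (hops.includes(next)) return { finalUrl: next, hops, complete: false };
    hops.push(next);
  }
  return { finalUrl: hops[hops.length - 1], hops, complete: false };
}

// Fold common substitutions (vv->w, rn->m, 0->o, 1->l, 3->e) before comparing.
function normalizeHomoglyphs(host) {
  return host.replace(/vv/g, 'w').replace(/rn/g, 'm')
    .replace(/0/g, 'o').replace(/1/g, 'l').replace(/3/g, 'e');
}

function levenshtein(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1,
        prev[j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1));
    }
    prev = cur;
  }
  return prev[b.length];
}

// legitimate: the host is the brand or a subdomain of it.
// lookalike: not the brand, but equal to it after homoglyph folding or within
// two edits of it. The threshold is a heuristic; short brand names need a
// stricter one.
function classifyHost(hostname, brands) {
  const host = hostname.toLowerCase().replace(/^www\./, '');
  for (const brand of brands) {
    if (host === brand || host.endsWith('.' + brand)) return { verdict: 'legitimate', brand };
  }
  const folded = normalizeHomoglyphs(host);
  for (const brand of brands) {
    if (folded === brand || levenshtein(folded, brand) <= 2) return { verdict: 'lookalike', brand };
  }
  return { verdict: 'unrelated', brand: null };
}

const BRANDS = ['twitter.com', 'facebook.com', 'hi5.com'];

function checkShortLink(url, lookup = u => redirectTable[u]) {
  const expanded = expandUrl(url, lookup);
  const verdict = classifyHost(new URL(expanded.finalUrl).hostname, BRANDS);
  return { ...expanded, ...verdict };
}

for (const u of Object.keys(redirectTable)) {
  const r = checkShortLink(u);
  console.log(u, '->', r.finalUrl, r.verdict, r.complete ? '' : '(hop limit or loop)');
}
```

The hop limit and loop check matter in practice: shorteners chain into other shorteners, and an attacker can point a short link at itself to stall a naive expander.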

  • Twitter Attack with Drive-By Download

  • Drive-by Download via Java Applet

  • Drive-by download attack

    Victim:
    (1) Client visits the landing page
    (2) Redirect to get exploit
    (3) Redirect to get exploit
    (4) Download exploit
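The four-step flow above (landing page, redirect, redirect, exploit download) is what a proxy log records as four or five ordinary-looking requests. The following is an added example (not code from the ACIS deck) that reconstructs such chains from proxy log lines so the sequence, rather than any single request, triggers an alert. The log format, the host names (social.example, landing.example, redir-a.example, redir-b.example, payload.example, news.example) and every line are constructed for the example; adapt parseLine to your proxy's format.

```javascript
// Added example, not from the ACIS deck: reconstruct the four-step flow on the
// slide (landing page -> redirect -> redirect -> exploit download) from web
// proxy logs, so a SOC can spot the chain rather than a single request.
// The log format and every host name below are constructed for the example.

// Constructed log: time client url status content-type referer location
const sampleLog = [
  '2010-08-18T10:00:00Z 10.0.0.5 http://social.example/home 200 text/html - -',
  '2010-08-18T10:00:03Z 10.0.0.5 http://landing.example/promo.html 200 text/html http://social.example/home -',
  '2010-08-18T10:00:04Z 10.0.0.5 http://redir-a.example/go 302 text/html http://landing.example/promo.html http://redir-b.example/kit',
  '2010-08-18T10:00:05Z 10.0.0.5 http://redir-b.example/kit 302 text/html - http://payload.example/app.jar',
  '2010-08-18T10:00:06Z 10.0.0.5 http://payload.example/app.jar 200 application/java-archive - -',
  '2010-08-18T10:00:09Z 10.0.0.7 http://news.example/ 200 text/html - -',
  '2010-08-18T10:00:10Z 10.0.0.7 http://news.example/story.pdf 200 application/pdf http://news.example/ -',
];

// Content types that carried exploit payloads in 2010-era kits (Java, Flash, PDF, EXE).
const PAYLOAD_TYPES = new Set([
  'application/java-archive', 'application/x-shockwave-flash',
  'application/pdf', 'application/octet-stream', 'application/x-msdownload',
]);

function parseLine(line) {
  const [ts, client, url, status, contentType, referer, location] = line.trim().split(/\s+/);
  return {
    ts: Date.parse(ts), client, url, status: Number(status), contentType,
    referer: referer === '-' ? null : referer,
    location: location === '-' ? null : location,
  };
}

// `cur` continues the chain from `prev` if prev redirected to it (3xx with a
// matching Location) or cur was fetched with prev as its Referer.
function follows(prev, cur) {
  if (prev.status >= 300 && prev.status < 400 && prev.location === cur.url) return true;
  return cur.referer === prev.url;
}

// Walk each client's requests in time order. A chain starts at an HTML page,
// follows referer/location links and ends at a payload download. A chain with
// no intermediate hop (HTML page -> PDF link) is ordinary browsing and is not
// reported; the heuristic requires at least one hop between page and payload.
function findDriveByChains(lines, windowMs = 10000) {
  const byClient = new Map();
  for (const e of lines.map(parseLine)) {
    if (!byClient.has(e.client)) byClient.set(e.client, []);
    byClient.get(e.client).push(e);
  }
  const chains = [];
  const consumed = new Set();
  for (const [client, entries] of byClient) {
    entries.sort((a, b) => a.ts - b.ts);
    for (let i = 0; i < entries.length; i++) {
      const start = entries[i];
      if (consumed.has(start)) continue;
      if (start.status !== 200 || !start.contentType.startsWith('text/html')) continue;
      const chain = [start];
      for (let j = i + 1; j < entries.length && entries[j].ts - start.ts <= windowMs; j++) {
        const cur = entries[j];
        if (!follows(chain[chain.length - 1], cur)) continue;
        chain.push(cur);
        if (cur.status === 200 && PAYLOAD_TYPES.has(cur.contentType)) {
          if (chain.length >= 3) {
            chains.push({ client, urls: chain.map(e => e.url) });
            chain.forEach(e => consumed.add(e));
          }
          break;
        }
      }
    }
  }
  return chains;
}

for (const c of findDriveByChains(sampleLog)) {
  console.log(`${c.client}: ${c.urls.join(' -> ')}`);
}
```

The reported chain starts one hop earlier than the slide's step (1): including the referring social-network page tells the responder where the lure was posted, which is the piece of context the single payload request never carries.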

  • Threats from Bad sites

    Spyware

    Viruses

    Worms

    Trojans

    Potentially unwanted applications

    Adware

    Unwanted/offensive content

    Phishing

  • How to Protect yourself from Bad sites

    Apply Windows patches and keep the browser, Macromedia (Flash) and Acrobat updated.
    Use a desktop browser that includes anti-phishing and anti-malware blockers: Microsoft's Internet Explorer, Mozilla Firefox and Opera all provide security features to block malicious sites.
    Enable a firewall and apply all Microsoft operating system updates.
    Avoid using pirated software.

  • SNS M8-1

  • Cross Site Scripting (XSS) Attack

  • Firefox NoScript Add-on

  • NoScript: Prevent XSS and Malicious Web
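The XSS slides for Twitter, Facebook, Hi5 and YouTube, and the NoScript slides here, look at the same bug from the attacker's and the user's side; NoScript stops the script in the victim's browser, but the fix belongs in the site's templates. The following is an added example (not code from the ACIS deck or from any of those sites) that puts a status-update template which filters input next to one that encodes output, and shows why the first fails against the two classic payload shapes. The user names, status texts and payloads are constructed for the example.

```javascript
// Added example, not from the ACIS deck: the XSS pattern behind the Twitter,
// Facebook, Hi5 and YouTube slides, shown as a status-update template that
// filters input (vulnerable) beside one that encodes output (hardened).
// All user names and status texts below are constructed for the example.

// The kind of blacklist filter many 2010-era sites used: strip <script> tags.
function naiveStripScript(text) {
  return text.replace(/<\s*\/?\s*script[^>]*>/gi, '');
}

// Encode for HTML text content and double-quoted attribute values.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, c => map[c]);
}

// Vulnerable: untrusted values dropped into markup after the filter.
function renderStatusVulnerable(user, text) {
  return `<div class="status" data-user="${user}">${naiveStripScript(text)}</div>`;
}

// Hardened: every untrusted value encoded for the context it lands in.
function renderStatusSafe(user, text) {
  return `<div class="status" data-user="${escapeHtml(user)}">${escapeHtml(text)}</div>`;
}

// Tag names in rendered markup; encoded text contributes none.
function tagNames(html) {
  return [...html.matchAll(/<\/?([a-z][a-z0-9]*)/gi)].map(m => m[1].toLowerCase());
}

// Attribute names of the first tag, parsed with quote awareness, so an
// attribute-breakout payload shows up as an extra attribute. (Assumes no
// literal '>' inside attribute values, which holds for the samples here.)
function attributeNames(html) {
  const tag = html.match(/<[a-z][^>]*>/i);
  if (!tag) return [];
  const attr = /\s([a-z][\w-]*)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?/gi;
  return [...tag[0].matchAll(attr)].map(m => m[1].toLowerCase());
}

// Constructed payloads: a filter-evasion string for the status body (the
// stripped <script> leaves a new <script> behind) and an attribute-breakout
// string for the user name (closes the quote, adds an event handler).
const evasion = '<scr<script>ipt>alert(1)</script>';
const breakout = 'x" onmouseover="alert(document.cookie)';

console.log('vulnerable:', renderStatusVulnerable(breakout, evasion));
console.log('hardened:  ', renderStatusSafe(breakout, evasion));
```

Note that the hardened output still contains the literal text "onmouseover=" inside the attribute value; that is harmless, because the browser sees one quoted value rather than a new attribute. Grep-style scanners that flag the substring would report a false positive here, which is why the checks above parse tags and attributes instead.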

  • Facebook Account Setting

  • Facebook Account Security

  • Facebook Login Notification

  • Twitter Verify Account

  • SNS M7-5

  • Reconnaissance of personal information

  • Visualization Tools

  • Facesaerch

  • Results from tools (Maltego)

  • Open Source Intelligence for Information Gathering

    Ref: http://www.onstrat.com/osint/

  • SNS M7-5

  • Default Setting Can search

  • Application