Social Zombies II: Your Friends Need More Brains


In Social Zombies II: Your Friends Need More Brains, Tom Eston, Kevin Johnson and Robin Wood continue the Zombie invasion from "Social Zombies: Your Friends want to eat Your Brains" presented at DEFCON 17. This presentation will further examine the risks of social networks and then present new techniques and tools that can be used to exploit these issues. This presentation begins by discussing new twists on existing privacy concerns that are caused by the trust mass that is social networks. We use this privacy confusion to exploit members and their companies during our penetration tests. The presentation then discusses social network botnets and bot programs. Both the delivery of malware through social networks and the use of these social networks as command and control channels will be examined. Tom, Kevin and Robin next explore the use of browser-based bots and their delivery through custom social network applications and show new ways social network applications can be used for malware delivery. Finally, the information available through the social network APIs is explored using third-party applications designed for penetration testing. This allows for complete coverage of the targets and their information. This was presented at Shmoocon 2010 on February 6, 2010.






Usage Rights

© All Rights Reserved


    Presentation Transcript

    • SOCIAL ZOMBIES II Your Friends Need More Brains
    • Starring...
    • Tom Eston
    • Robin Wood
    • Kevin Johnson
    • Social Networks Where are we today?
    • 350 Million Users (how many of these are fake?)
    • 120 Million Login Daily
    • 6.2 million joining Twitter every month
    • End of 2009: 75 Million Users
    • It’s all about trust...
    • Fake accounts? Orly?
    • Who is the most dangerous woman on the Internet?
    • Advanced Persistent Threat
    • What makes a Jessica Biel?
    • Thank You! Prabhu Deva and Nathan Hamiel
    • Lava Roll FTW
    • Still easy to exploit trust!
      • More difficult to tell a bot from a real account
      • Accounts are easy to create
      • Socnet User Verification = FAIL
      • Twitter “Verified” Accounts?
      • Connections based on other “friends”
    • New Privacy Concerns
    • New Facebook Privacy Settings
      • Your info is even more open!
      • Your Name, Profile Picture, Gender, Current City, Networks, Friend List, and Pages are all public
      • “Suggested” settings are set to EVERYONE
      • Zuckerberg says users don’t want privacy...
    • Really?
    • Epic FAIL?
    • Blippy FTW
    • Blippy FTW
    • "I Joined BLIPPY and all I got was Jacked at the ATM" - Chris Nickerson (@indi303) via Twitter
    • What about the ultimate stalker tool?
    • Geo-Location Tracking
    • Blippy + Foursquare + Facebook + Twitter + LinkedIn = PWNAGE
    • Why the **** would Socnets do this??
    • “The more info you share... ...the more valuable you are”
    • Real Time Search FTW
    • How do pen testers and attackers use this? Thank you Social Networks!
    • Wealth of recon information!
      • Socnet Search Engines
      • Maltego (Twitter and Facebook)
      • Google Hacks
        • site:facebook.com inurl:group (bofa | "bank of america")
      • Manual Searching
        • Status Updates
        • Real Time Search
    • Infiltrate a company with this information!
    • New Security Concerns
    • Koobface Evolving
      • Still the #1 socnet worm
      • Targets all major socnets
      • Socnet chat vectors
      • Now with CAPTCHA
      • Adobe/IE 0day, Zeus Trojans FTL
      *Screen shots via McAfee Labs/PandaLabs
    • Danger! Social Network Applications
    • Months of Bugs!
      • July 2009 - Month of Twitter Bugs (Aviv Raff)
      • September 2009 - Month of Facebook Bugs (theharmonyguy)
      • Vulnerabilities affecting over 9,700 Facebook applications
      • Over half of vuln apps had passed the Facebook “Verified” Application program
      • Six of the hacked applications in the “Top 10” (Farmville and Causes!)
      • Most could be used with ClickJacking to install
    • More than 218 million Facebook users were vulnerable!
    • Facebook Application Autopwn Demo http://www.youtube.com/watch?v=chvwtGPkAIQ
    • Advanced Social Network Bots
    • More Evil Twitter Bots
      • Bots that pull trending topics...post malware links
      • Used recently to promote warez like pirated movies
      • Easy to code. Twitter API FTW
    • Better Automated Tools
      • Tools are getting more reliable
      • CAPTCHA bypass built in, able to off load to outsourced solution
      • Automated tools are cheap! Why roll your own? (or get it for free via Torrent!)
    • What is it? Command and control system running over social media
    • Written in Ruby as a proof of concept Not optimized. Not stealthy.
    • Currently runs over:
      • Twitter
      • JPEG
      • TinyURL
    • And now...
    • Uses LinkedIn API to read and write the Status field
    • Also new... Windows Support Basic Ruby install with a few gems and off it goes
    • What’s Next? Other media types, possibly non-HTML based. Please give suggestions!
    • New KreiosC2 Demo http://www.vimeo.com/9295657
    • Third Party APIs FTW
    • SocNet APIs
      • Social network APIs provide a wealth of information
      • All the big ones offer them
      • Some play catch up
      • We get to play with these APIs
    • Im'ma Let You Finish
      • New front end for Social Butterfly
      • KanyeWestify allows us to update your wall
    • Westify'ing someone
      • Select a friend
      • Drop down helps
      • Their wall now has the update
    • So what did we do?
      • Using the API, we grabbed the user's information
      • And their Friends' data
      • In this version we used the FQL queries from theHarmonyGuy
      • Full backup of your account
      • We also used JS to brute force browser history
      • We can map visited pages to users of Facebook!
      • Marketing FTW!
    • Have the undead won?
    • We need more brains!
      • User education...yeah, it’s hard
      • Better privacy controls
      • End opt-in developer models
      • Tighter control of APIs
    • Questions?
      • News, Research, Guides, Videos: SocialMediaSecurity.com
      • Download KreiosC2: digininja.org
      • Follow us...if you dare: @agent0x0, @digininja, @secureideas
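As an added example, written here and not taken from the talk, from KreiosC2 or from the Social Butterfly tooling, the following Ruby script shows the defender's side of two slides above: "More Evil Twitter Bots" (accounts that ride trending hashtags to push the same link over and over) and the KreiosC2 slides (a status field used as a command-and-control channel, carrying an encoded payload instead of a human message). The sample timeline, the list of "trending" tags, the scoring weights and the 0.6 threshold are all constructed assumptions, as are the usernames and URLs (which use the reserved `.invalid` domain).

```ruby
# Added example: heuristic screening of social-network status updates for
# (a) trend-riding link-spam bots and (b) encoded C2 payloads in status text.
# Not part of the talk or of KreiosC2; weights, thresholds and data are assumptions.
require 'base64'
require 'time'

# Constructed stand-in for the day's trending hashtags.
TRENDING_TAGS = %w[#shmoocon #superbowl #snowpocalypse].freeze

# Constructed sample timeline (users, times and texts are invented).
SAMPLE_POSTS = [
  { user: 'alice', at: '2010-02-06T09:00:00Z', text: 'At ShmooCon, great talk on socnet privacy #shmoocon' },
  { user: 'alice', at: '2010-02-06T12:30:00Z', text: 'Lunch time, then back to the talks' },
  { user: 'alice', at: '2010-02-06T18:05:00Z', text: 'Heading home, good con' },
  { user: 'dealz_bot42', at: '2010-02-06T10:00:00Z', text: 'Free movie download! #superbowl #snowpocalypse http://tinyurl.invalid/a1' },
  { user: 'dealz_bot42', at: '2010-02-06T10:00:40Z', text: 'Free movie download! #shmoocon #superbowl http://tinyurl.invalid/a1' },
  { user: 'dealz_bot42', at: '2010-02-06T10:01:20Z', text: 'Free movie download! #superbowl #snowpocalypse http://tinyurl.invalid/a1' },
  { user: 'dealz_bot42', at: '2010-02-06T10:02:00Z', text: 'Free movie download! #shmoocon http://tinyurl.invalid/a1' },
  # A status that is nothing but a Base64 blob: what a C2-over-status channel looks like.
  { user: 'carol', at: '2010-02-06T11:00:00Z', text: Base64.strict_encode64('run:echo hello') }
].freeze

URL_RE = %r{https?://\S+}
# Token that looks like strict Base64: long enough to carry a command, mixed case
# plus digits (rules out ordinary words and hashtags), optional '=' padding.
B64_TOKEN_RE = %r{\A(?=.*[A-Z])(?=.*[a-z])(?=.*\d)[A-Za-z0-9+/]{16,}={0,2}\z}

# Shannon entropy in bits per character; encoded data scores higher than prose.
def shannon_entropy(str)
  return 0.0 if str.empty?
  counts = str.each_char.each_with_object(Hash.new(0)) { |ch, h| h[ch] += 1 }
  counts.values.sum { |c| p = c.to_f / str.length; -p * Math.log2(p) }
end

# True when any whitespace-delimited token is a decodable, high-diversity Base64 blob.
def encoded_payload?(text)
  text.split.any? do |tok|
    next false unless tok.match?(B64_TOKEN_RE)
    next false if shannon_entropy(tok) < 3.0
    begin
      Base64.strict_decode64(tok)
      true
    rescue ArgumentError
      false
    end
  end
end

# Strip links and hashtags so near-identical spam collapses to one string.
def normalize(text)
  text.gsub(URL_RE, '').gsub(/#\w+/, '').downcase.squeeze(' ').strip
end

def posts_per_hour(posts)
  return 0.0 if posts.length < 2
  times = posts.map { |p| Time.iso8601(p[:at]) }.sort
  span_h = [(times.last - times.first) / 3600.0, 1.0 / 60].max # floor the span at one minute
  posts.length / span_h
end

# Heuristic 0.0..1.0 bot-likeness score for one account; weights are assumptions.
def bot_score(posts)
  n = posts.length.to_f
  link_ratio  = posts.count { |p| p[:text].match?(URL_RE) } / n
  trend_ratio = posts.count { |p| TRENDING_TAGS.any? { |t| p[:text].downcase.include?(t) } } / n
  dup_ratio   = 1.0 - posts.map { |p| normalize(p[:text]) }.uniq.length / n
  burst       = posts_per_hour(posts) >= 10 ? 1.0 : 0.0
  (0.3 * link_ratio + 0.3 * trend_ratio + 0.25 * dup_ratio + 0.15 * burst).round(3)
end

BOT_THRESHOLD = 0.6

# Per-user verdicts: bot score, whether it crosses the threshold, and any
# statuses that look like encoded payloads rather than messages.
def screen(posts)
  posts.group_by { |p| p[:user] }.map do |user, ps|
    score = bot_score(ps)
    encoded = ps.select { |p| encoded_payload?(p[:text]) }.map { |p| p[:text] }
    [user, { score: score, bot_like: score >= BOT_THRESHOLD, encoded_payloads: encoded }]
  end.to_h
end

if $PROGRAM_NAME == __FILE__
  screen(SAMPLE_POSTS).each do |user, r|
    puts format('%-12s score=%.3f bot=%-5s encoded_statuses=%d',
                user, r[:score], r[:bot_like], r[:encoded_payloads].length)
  end
end
```

On the sample data the burst of near-identical trend-tagged link posts scores well above the threshold, the ordinary account stays low, and the single Base64-only status is reported as an encoded payload even though its author looks nothing like a spam bot; the two signals catch different abuses, which is why the screen reports them separately.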