Social Media Basics: Security Loopholes with Twitter & Other Social Media


Webinar on social media security for both corporations and individuals.

  • Good morning everyone. My name is Tyler Shields; I’m a Senior Researcher at Veracode. My day-to-day responsibilities involve keeping up with the latest attacks and defenses and determining how Veracode can enhance its product offerings to match what we are seeing in the wild. I have what I think is a pretty interesting presentation for you today. We’re going to be going over social media security basics: what are some of the real, in-the-wild attack scenarios? What has been compromised, how has it been compromised, and how can you keep from being the next target?
  • First let’s start off with a little game. When I was putting this slide together I kept thinking of that song from Sesame Street: “One of these things is not like the other, one of these things is not the same...” Funny enough, they ARE all the same. Facebook’s Twitter feed, Britney’s, USA TODAY’s, and even the Dalai Lama himself have all had the same issue.
  • They have all been hacked. That’s right: each of the Twitter accounts on the previous slides has at some point in the past been hacked. Once hacked, they were generally used for practical jokes or to distribute spam or malware. I only put a sample set of the screenshots on here because I couldn’t fit them all in. You can spend hours reading the funny comments and Twitter posts from these hacked accounts with some basic Google searching. That all being said, this is supposed to be an instructional lecture, so let’s move on from the fun and get into some real meat.
  • Since this webinar series is a back-to-security-basics series, I chose a blackboard theme and even have a syllabus for us to review. For today’s syllabus we’re going to first go over some definitions of terms. We’ll touch on a true definition of social media and what the impact of social media is on the security threat landscape. Next we’ll go over the risks of social media. What is there to really be afraid of? What are the risks of compromise and what can be the downside of using (or being abused on) social media sites? Third we’ll look at some of the more common attack scenarios that have happened in the wild and how those scenarios affect the targets. What are the motivations of the attacker and what goals is he trying to achieve? Finally we’ll briefly discuss what can be done to help solve the problem. Sadly there are no silver bullets in these slides, but education is a first step to hopefully making people aware of the issues involved.
  • First let’s begin with an outline of social networking. What is it, what are the associated terms, and why is it a real problem that needs to be secured?
  • When I say “Social Networking”, what are the first companies that come to mind? Nearly everyone thinks of Facebook, LinkedIn, Twitter, and possibly MySpace. That’s about it. These are the big guns. These are the guys that have the huge subscriber counts. The owners of these sites are the guys that have the very difficult decision to make: “How many private jets should I buy?” I would argue that these are only a small selection of the “social networks” that exist in reality. I would argue that social networking is much, much larger than just a few web properties. Let’s expand the picture out a bit more and see what it looks like...
  • So this looks a bit better. We’ve expanded out to include sites such as YouTube, Apple’s Ping, FourSquare, Vimeo, and even Google. This looks like a much better picture of what the real social networking world entails. Well, again, I would argue that it’s much, much more than this. I found one photo online that really depicts what I think the reality of social networking looks like...
  • THIS picture is much closer to my view of social networking. Social networking really isn’t about web sites. It’s not about mobile apps. Social networking is really a paradigm shift. It’s less about creating individual isolated avenues for people to socialize and is more about adding a social aspect to every piece of technology and modern innovation that we can. The first few pieces of this puzzle have been the social networking sites themselves and more recently followed by the growing adoption of mobile devices. When we take those two components and place them next to cloud based technologies we get a picture of social networking that really is becoming ubiquitous. It’s rapidly approaching a state where social computing is becoming a core component of any successful Internet innovation.
  • I’m guessing the majority of the folks on this call today are security practitioners of one type or another. I’m sure we have some security managers, consultants, researchers, and even CSO and CISO title holders on the call. So let’s shift the conversation from social networking as a concept to the security impacts of social networking. I’m sure you have heard this before, but I consider it so important a paradigm shift that it bears repeating whenever possible. The perimeter is dead. When I say dead, I mean completely dead. It’s six feet under and won’t be coming back for Halloween kind of dead. The concept of one external perimeter that we have to secure from a horde of inbound attackers is passé. Thanks to a few specific things, the perimeter has shrunk to the point that it sits on each individual device. The specific things that have driven this change are mobility, the cloud, and social networking. Mobility has taken our devices and made them smaller, lighter, and more nimble. Along with that, they have become decentralized. Our devices are all now mobile devices, connecting to a WiFi hot spot at Starbucks one afternoon, an airport WiFi the following morning, our corporate network each work morning, and our home network each night. Next we add in the cloud and we see that the data doesn’t even reside in our networks any longer. Gone are the days when our personal photos reside on our own servers; going away is the time in which we edit documents and store them locally on our machine hard drives. We’re moving all this data into the cloud. We have service providers that host all of our photos (Flickr), we have service providers that hold all of our personal documents (DropBox, our online bank, etc.). From a corporate standpoint we are moving more and more of our corporate data into the cloud on a daily basis. It’s lower cost of ownership and less overhead; it just makes sense.
Finally, add social networking to this and all of our personal thoughts, feelings, ideas, etc. are stored externally. Security has become, and will continue to be, data centric. We must now look at the location of our sensitive data, and how we can properly secure that data wherever it may reside. This is the reality of today’s interconnected, highly social, Internet world.
  • Along with the destruction of the perimeter comes the issue of viral adoption. Adoption of concepts occurs faster than ever before thanks to technology and in particular social media sites. Viral adoption is one of the core issues in the socially networked world. Prior to the adoption of social interconnections, proliferation of malware was relatively rate limited. It was only with the advent of contact lists and address books that the majority of the really big worms sprang to life. The more interconnected we get, the faster the possible viral adoption rates, and the faster propagation of malicious activity may occur. Add to this the fact that the malware will likely appear to come from a trusted source, and we really see that the viral nature of social media is a perfect breeding ground for a new age of malware.
  • One final term I’d like to identify is the concept of a meme. A meme is basically an idea, concept, symbol, phrase, or story that is passed from one person to another. In the world of social media there are tons of memes. There are even web sites dedicated to knowing what the meme of the day means and where it came from. From a security perspective, memes are a great way to transmit malware. If you can package your malware in the meme, trend, or otherwise hot topic of the day, you will likely have a much higher rate of infection. We’ll see more details on this when we get into some of the later slides.
  • Back to our syllabus. Now that we are all in agreement with what the terms are and what they mean, let’s turn our attention to the risks of social media. Why should we really care at all? Is there really any inherent risk with the adoption of this new paradigm?
  • The first and most obvious risk with regards to social media is malware. Malware authors continually embrace the technologies that will allow them to propagate their code most effectively. In the last few years we have seen malware that uses social networking sites as distribution centers. We’ve seen malware that uses social networking sites as a method of executing command and control toward their compromised zombie systems. And we’ve also seen malware directly compromising the sensitive data that is saved specifically within social networking systems in an attempt to directly monetize the attacks. This raises the question: why is social networking such a good platform for malware distribution?
  • When I began to think about this question, I started to think about what makes the best malware distribution system. If I were writing malware and wanted to attempt to distribute it as rapidly and as widely as possible, what exactly would I want in my distribution system? I would want a system that was decentralized; I don’t want to have a central system where, if my malware is discovered, it can easily be shut down. I would have to have a distribution system that is as interconnected as possible. The more links between social nodes, the faster I can distribute my attack. Mobility would allow me to jump network gaps and air boundaries that may exist. And finally I would want a distribution system that would get me as close as possible to sensitive data that I can hopefully eventually make money off of. Social networks do exactly this. Social network designs are decentralized, highly interconnected, and mobile while allowing super fast content publication and communications. My ideal malware distribution system is decentralized, highly interconnected, mobile, and gets me close to sensitive data. This sounds like a GREAT fit for an attacker.
  • KoobFace. KoobFace (which is an anagram of Facebook for those that didn’t catch it) is a great example of a social media worm. KoobFace propagated from target to target by sending Facebook messages to everyone in your Facebook friends list. It also would periodically put wall posts on your wall so friends of friends who might see your wall would also have the potential to be infected. These links that were spammed out would contain information on an update for Adobe Flash in an attempt to get the target to “patch” their system. In reality this would infect their system and cause them to Facebook-spam all of their friends. Once infected, pay-per-install malware would be installed on the compromised system and the computer would operate in a larger botnet. What makes this really interesting is that the attackers and botnet operators are estimated to have made over 2 million dollars between June of 2009 and June of 2010 alone. Significant numbers of variants have continued to be released since then and that monetary estimate is likely low. Social networking malware can be very financially lucrative.
  • How about targeted attacks? What we have discussed so far has really been mass malware and mass-infection style attacks. What if someone really wanted to target your company or your person? What would happen if someone decided to attack my business brand? With the viral nature of social networking, negative messaging travels just as quickly as positive messaging. Because of this, it is imperative for businesses to keep a pulse on the social networking world to determine if something that could be detrimental to their brand or company exists, let alone if your official Twitter feed or Facebook page were to be hacked. What is your follower count?
      Target has 117K followers
      Walmart has 96K followers
    It gets even more dangerous when we talk about personal brand:
      Tiger Woods has 1.3m followers
      Justin Bieber has 13m followers
      Barack Obama has 10m followers
    When attacks against social networking sites are successful, brand impact can be huge. Additionally we see the issue of follow-on social engineering efforts. If a target account is hacked, a smart attacker will be able to leverage this account to facilitate hacks against other accounts by abusing the trust relationships between these accounts. If you were to receive a direct message tweet from your wife, chances are you would believe the source of the message; after all, they have to have a password to be able to send a message. Data disclosure is another major issue. We talked a lot about leveraging the attacks from one account target to the next, but what about the data you have within your account directly? Most people don’t clean out their direct messages box on Twitter or the messages folders on Facebook. Some of that information can be damaging to your organization or your personal brand as well. Finally, an attacker could attempt to leverage the compromise as a pivot point into the rest of your organization as a whole.
  • This slide depicts a perfect example of a targeted attack. A blogger by the name of Rakesh posted this a short while ago about a targeted attack that happened to him. Via Facebook chat he received a message from one of his personal friends, Matt. Matt claimed to be stuck in London after being robbed outside the hotel he was staying at. He no longer had access to his checking account and needed some money to fly back home. This is a pretty common scam. What makes it exceptionally dangerous is the personal information that was available via Matt’s account. Since the hacker had compromised Matt’s Facebook account he had access to personal information such as Matt’s wife’s name, potentially his kids’ names, where he went to school, and who most of his friends were. It is much easier to create a feeling of trust and to create a strong backstory for a con when you have significant personal information about the target. The slide, as you see it, isn’t the entire transcript and I have adapted it somewhat for presentation purposes. The link at the bottom of the slide contains the full transcript as Rakesh recorded it.
  • Back to our syllabus again. Now let’s go over what some of the common attacks are and what we’ve actually seen happen in the wild.
  • Let’s take a look at a timeline of some of the more notable Twitter hacks over the years. The attacks date back to the start of Twitter, with the first real issues occurring as early as 2007, the year after Twitter was created. By 2008 we began to see the start of Trojan-style downloads hitting Twitter. In 2009, clickjacking and XSS-style attacks were commonplace, and in April of 2009 the first major Twitter internal hack occurred. This pace continues through 2011, when we see the script_kiddiez hacking group appear and begin to hack Twitter accounts at a semi-rapid pace. One interesting point on this slide is the fact that as of September 2011, of the top 10 most followed people on Twitter, only TWO of those haven’t yet been hacked.
  • So let’s dig into some of the more interesting attacks that Twitter has seen since 2007. One of the more social-networking-based attacks is the abuse of Twitter trends. Twitter keeps track of what the most trending topics are at any given time and presents these to the users. This allows people to keep up with the meme of the day or the latest news breaks in an easy manner. Some attackers have begun to abuse the trending topics feature by spamming out tweets with these trending topics in them. This places them in the search list for these trending topics, causing people who may be tracking or reading the trending topic to click on the link that is embedded in the tweet. As you might guess, this link is a malware delivery site. A variation of this attack model is using the trending topics to create new domain names that are pertinent to the current hot trend. These domains will host the malware and are most likely to be clicked on based on the sheer interest of the user that receives the link spam.
  • By now, this slide is going to feel a bit old. It’s the same thing that’s been said for a while now regarding passwords and the overall concept of passwords. Namely, passwords STINK! There really isn’t any other way to put it. And these horrible passwords are what is leading to a significant number of compromises in the social media world. In 2009, there was a major online property breached that led to the disclosure of 32 million passwords. The compromised passwords were then analyzed by the security company Imperva and these are the highlights:
      30% of all passwords were under 6 characters.
      60% of the passwords were basic alphanumeric in nature.
      And half of them were what is considered “easily guessed” by brute force dictionary-style attacks.
    This isn’t the only place where these types of user mistakes have occurred. Similar numbers were observed in the LulzSec data dumps of the last 12 months. People don’t choose strong passwords. It’ll never happen. This isn’t only a user problem. Take for example secret questions. Paris Hilton’s phone and Sarah Palin’s email account were both hacked due to easily guessed secret questions. With the ubiquity of social networking, the personal information that is commonly used in these so-called “secret questions” is easily data mined by a determined attacker. Scarlett Johansson’s naked pictures, Christina Aguilera’s and Mila Kunis’ email accounts, along with up to fifty other celebrities, were recently hacked. Just yesterday they arrested the man that attacked these accounts. In nearly every case the attacker used what is being termed “open source information” about the celebrities to break in through the reset password feature of the account. Also, in the last year we’ve seen a big uptick in SQL injection-style attacks, and in these attacks a number of the companies weren’t storing their users’ passwords with any reasonable form of encryption. Additionally, most people reuse passwords from site to site. This is a huge mistake.
Once a large data breach has occurred, and your password is compromised, it’s trivial for attackers to continue to leverage this data trove for further intrusions.
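As an added example (not code from the webinar), the following Python script applies the three weakness classes the Imperva analysis counted (under 6 characters, alphanumeric only, easily guessed) to a constructed sample dump, counts password reuse across accounts, and shows the salted, iterated hashing a site should use so that a breach does not hand over usable passwords. The sample dump and the tiny dictionary are invented for illustration; a real audit would load a proper wordlist.

```python
import hashlib
import hmac
import os
import re
from collections import Counter

# Constructed sample "breach dump" (invented values for illustration only).
SAMPLE_DUMP = [
    "123456", "password", "qwerty", "abc123", "letmein", "iloveyou",
    "Tr0ub4dor&3", "correct horse battery staple", "Happiness", "dragon",
    "123456", "monkey", "p@ssw0rd", "x7$Kq!9vLm#2pRz", "abc", "1234",
    "pass", "zzzzz", "Xk9#", "H3llo!W0rld",
]

# Stand-in for a brute-force dictionary (constructed); load a real wordlist in practice.
DICTIONARY = {"password", "qwerty", "abc123", "letmein", "iloveyou",
              "happiness", "dragon", "monkey"}


def is_short(pw: str, limit: int = 6) -> bool:
    """Under `limit` characters (the first bucket in the Imperva figures used 6)."""
    return len(pw) < limit


def is_alnum_only(pw: str) -> bool:
    """Drawn only from letters and digits: no symbols, no spaces."""
    return pw.isalnum()


def is_easily_guessed(pw: str) -> bool:
    """Dictionary word, a run of consecutive digits, or a single repeated character."""
    if pw.lower() in DICTIONARY:
        return True
    if re.fullmatch(r"\d+", pw) and len(pw) > 1:
        digits = [int(c) for c in pw]
        if all(b - a == 1 for a, b in zip(digits, digits[1:])):
            return True
    return len(set(pw)) == 1


def audit(passwords):
    """Share of passwords in each weakness class, plus how much reuse the dump shows."""
    n = len(passwords)
    counts = Counter(passwords)
    reused = {pw: c for pw, c in counts.items() if c > 1}
    return {
        "short_pct": 100 * sum(map(is_short, passwords)) / n,
        "alnum_only_pct": 100 * sum(map(is_alnum_only, passwords)) / n,
        "guessable_pct": 100 * sum(map(is_easily_guessed, passwords)) / n,
        "reused_values": len(reused),
        "accounts_sharing_a_password": sum(reused.values()),
    }


# --- Storage side: what the breached sites should have been doing --------------
def hash_password(pw: str, iterations: int = 200_000) -> str:
    """Salted PBKDF2-HMAC-SHA256 with a fresh random 16-byte salt per password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(stored: str, candidate: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    for key, value in audit(SAMPLE_DUMP).items():
        print(f"{key:30} {value}")
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password(record, "correct horse battery staple"))
```

The audit functions are deliberately independent of each other, so one password can fall into several buckets, exactly as in the percentages quoted above; the reuse counters are the piece that matters once a dump leaks, since every account sharing a value is exposed together.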
  • When an attacker gets bored of targeting individual user accounts, they may take a few risks and go straight for the mother lode. Since its inception in 2006, Twitter has been completely compromised, not once, but TWICE. In these compromises, the attacker had the ability to abuse any account on the system, read private messages between users, even hijack any account of his or her choosing. In both of these case studies, the attacker abused password resets and/or social engineering to gain access to the administrative system. In the early 2009 example, an attacker wrote a script and targeted what he thought was just a highly connected user of the system. He noticed that this particular user was connected to a lot of other highly connected people on the site. He wrote a basic brute force script that used dictionary passwords, let it run overnight, and by morning had gained access to the account. It turns out that this account belonged to one of the Twitter admins and he was also granted access to the administrative side of Twitter. A similar event happened later that same year. A French hacker used the password reset and secret questions attack to gain control of the Yahoo email account of a particular targeted Twitter user. Once the user’s email was compromised, the attacker simply reset the user’s Twitter password and had the new password sent to his email account. From there the administrative panel was again accessible.
  • Picture this scenario. Your best friend has “liked” a video on his Facebook wall. Attached to the like message is some text about how funny this video is and how it will make them “LoL”. You naturally want to see the video so you click it. It redirects you to a web site where you click the play button and watch the video. What you don’t see is the iframe that is created that holds a hidden like button. This iframe either sits above or behind the play button of the video, or possibly hovers with the mouse as you move it around the screen. As soon as you click the play button, you also inadvertently “like” the video on your Facebook wall. You’ve been LikeJacked.
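The defense against LikeJacking belongs to the site that serves the like button: it has to tell the browser that the page may not be embedded in a third-party frame, via the X-Frame-Options header or, preferably, a Content-Security-Policy frame-ancestors directive. As an added example (not from the webinar or any vendor), this Python checker takes a response’s headers and decides whether a given embedding origin could frame the page, following the browser rules that frame-ancestors overrides X-Frame-Options and that the obsolete ALLOW-FROM form gives no protection. The header sets, hostnames and URLs are constructed.

```python
from urllib.parse import urlsplit


def _origin(url: str) -> str:
    """Reduce a URL to its scheme://host[:port] origin, lower-cased."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def _source_matches(source: str, page_origin: str, embedder_origin: str) -> bool:
    """Does one frame-ancestors source expression admit the embedding origin?"""
    s = source.lower()
    if s == "'none'":
        return False
    if s == "*":
        return True
    if s == "'self'":
        return embedder_origin == page_origin
    if s.endswith(":"):                        # scheme-source such as "https:"
        return embedder_origin.startswith(s + "//")
    scheme, sep, hostport = s.partition("://")
    if not sep:                                # bare host-source, any scheme
        scheme, hostport = "", scheme
    e = urlsplit(embedder_origin)
    if scheme and e.scheme != scheme:
        return False
    if hostport.startswith("*."):              # wildcard covers any subdomain
        return e.netloc.endswith(hostport[1:])
    return e.netloc == hostport


def parse_frame_ancestors(csp: str):
    """Source list of the frame-ancestors directive, or None if it is absent."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:] or ["'none'"]     # an empty source list means 'none'
    return None


def can_be_framed_by(headers: dict, page_url: str, embedder_url: str) -> bool:
    """True if a browser would render page_url inside a frame served from embedder_url."""
    h = {k.lower(): v for k, v in headers.items()}
    page, embedder = _origin(page_url), _origin(embedder_url)
    if "content-security-policy" in h:
        sources = parse_frame_ancestors(h["content-security-policy"])
        if sources is not None:                # frame-ancestors overrides X-Frame-Options
            return any(_source_matches(src, page, embedder) for src in sources)
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return embedder == page
    return True   # no header, or the obsolete ALLOW-FROM form, which current browsers ignore


# Constructed header sets for a page that hosts a one-click "like" action.
VULNERABLE = {"Content-Type": "text/html"}
LEGACY_ONLY = {"X-Frame-Options": "SAMEORIGIN"}
HARDENED = {"X-Frame-Options": "DENY",
            "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"}
PARTNER = {"Content-Security-Policy": "frame-ancestors 'self' https://*.partner.example"}

if __name__ == "__main__":
    page = "https://social.example/like?video=123"
    attacker = "https://funny-video.example/watch"
    for name, hdrs in [("vulnerable", VULNERABLE), ("legacy", LEGACY_ONLY),
                       ("hardened", HARDENED), ("partner", PARTNER)]:
        print(f"{name:10} framable by third-party site: {can_be_framed_by(hdrs, page, attacker)}")
```

Running the checker against the headers of every endpoint that performs a one-click state change is a quick way to find the pages that a hidden iframe could still cover; the HARDENED set is the one to ship, with X-Frame-Options kept only for browsers that predate frame-ancestors.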
  • Finally, I wanted to put a little information out there about the most frequently used topics for Facebook spam. While this certainly isn’t a complete list, it should give you an idea of the types of links and messages that are currently being abused on Facebook. The most frequent attempt at social engineering you into running a spam app or going to a spam site is stalking. This usually takes the form of “Want to see who is looking at your profile?” The next most common method is free stuff in social games. Many times the spammer will offer you free items in games like FarmVille or CityVille if you click the link. Don’t do it. The third one is very obvious; porn is always a big draw, especially around celebrities. The last two somewhat run together. Spammers often attempt to entice you to click links to get at features or games that aren’t actually offered by Facebook. By leveraging your desire for these additional features, they can spread their spam or malware to your system.
  • And now we are finally onto the last part of our curriculum: “What can be done?”, “How can we protect ourselves?”
  • First and foremost, what can the vendor do to help secure your data? Right now the major social networking players are actively using data heuristics to attempt to determine if accounts are spamming or otherwise attacking other users of the system. The link at the bottom of the slide is a blog post created by Facebook security that talks, at a high level, about the types of efforts they are putting forth in this area. This is a great start. Let’s do more of it! Another key point on this slide is the concept of short links. Right now there is little being done in the area of analysis of short links. Sites have to consider exploding, analyzing, and securing shortened URLs, as this is a common way for attackers to hide the full URL from the intended target. Of course we need to fix passwords and secret questions. This is without question the most important thing on the list.
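As an added example of the “explode and analyze shortened links” step (not the webinar’s or any vendor’s code), this Python resolver follows a redirect chain one hop at a time with a hop limit and loop detection, then applies a simple policy to the final destination before a user is shown the link. The redirect table, hostnames and blocklist are constructed so the script runs offline; `live_fetch_location` shows how the same resolver would be wired to real HEAD requests with urllib, but it is not exercised here.

```python
from urllib.parse import urljoin, urlsplit
import urllib.error
import urllib.request

# Constructed redirect table standing in for the network: url -> Location header.
# A URL that is absent answers with a final (non-redirect) response.
REDIRECT_TABLE = {
    "https://sho.rt/a1": "https://t.co/xyz",
    "https://t.co/xyz": "/dl/flash-update.exe",           # relative Location
    "https://t.co/dl/flash-update.exe": "https://cdn.example/flash-update.exe",
    "https://sho.rt/loop1": "https://sho.rt/loop2",
    "https://sho.rt/loop2": "https://sho.rt/loop1",
    "https://sho.rt/ok": "https://news.example/story",
}


def table_fetch_location(url: str):
    """Offline fetcher: the Location header the constructed table would return."""
    return REDIRECT_TABLE.get(url)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None   # refuse to follow; urlopen raises HTTPError for the 3xx instead


def live_fetch_location(url: str, timeout: int = 5):
    """One HEAD request without following redirects (needs network; not run offline)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout):
            return None                         # 2xx: this is the final destination
    except urllib.error.HTTPError as e:
        return e.headers.get("Location") if 300 <= e.code < 400 else None


def explode(url: str, fetch_location=table_fetch_location, max_hops: int = 10) -> dict:
    """Follow at most max_hops redirects, stopping on a loop or a final response."""
    chain, seen = [url], {url}
    for hop in range(max_hops + 1):
        location = fetch_location(chain[-1])
        if location is None:
            return {"status": "resolved", "final": chain[-1], "chain": chain}
        if hop == max_hops:
            return {"status": "too_many_hops", "final": None, "chain": chain}
        nxt = urljoin(chain[-1], location)      # resolve relative Location values
        if nxt in seen:
            return {"status": "loop", "final": None, "chain": chain + [nxt]}
        chain.append(nxt)
        seen.add(nxt)


BLOCKED_HOSTS = {"cdn.example"}                # constructed stand-in for a reputation feed
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".bat", ".jar", ".apk", ".msi")


def assess(result: dict, blocked_hosts=BLOCKED_HOSTS) -> list:
    """Reasons to warn the user before the link is shown or followed (empty = clean)."""
    if result["status"] != "resolved":
        return [result["status"]]
    parts = urlsplit(result["final"])
    reasons = []
    if parts.hostname in blocked_hosts:
        reasons.append("blocked_host")
    if parts.path.lower().endswith(EXECUTABLE_SUFFIXES):
        reasons.append("executable_download")
    if len(result["chain"]) > 3:               # shortener chained through more shorteners
        reasons.append("long_chain")
    return reasons


if __name__ == "__main__":
    for start in ("https://sho.rt/a1", "https://sho.rt/loop1", "https://sho.rt/ok"):
        r = explode(start)
        print(start, "->", r["status"], r["final"], assess(r))
```

The chain is kept in the result so a warning can show the user every hop, not just the last one; an unresolved chain (loop or too many hops) is treated as a reason to warn in itself, since a legitimate shortener resolves in one or two hops.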
  • The sad reality is that we can never fully rely on the provider to implement security on our behalf, and honestly the enterprise side isn’t much better. As an enterprise we can lock down access to the major social networking sites and environments, but that is generally easier said than done. The impact on the business culture could be rough and it doesn’t really solve the problem due to the mobility factor. Nothing stops the same people from accessing those sites while at home or mobile and taking your corporate data with them. We could begin to analyze outbound traffic and look at the problem as a data loss prevention issue, but again this doesn’t really get to the core of the issue. Sadly, right now the best defense from a corporate perspective is education. Users need to be educated and become vigilant to the types of issues and attacks that exist in the socially connected world. This brings me to my final two slides.
  • How can you protect yourself? At the end of the day, security is still a user problem. This is actually why security as a problem can never be solved. That being said, here are the most important things you can do to protect yourself when using socially connected sites and devices. Number one, don’t click random links. This should hopefully be obvious to you by now. The second item is listed here as a problem but does have a real solution. Passwords STINK! Use a password safe; use passwords that are completely random, difficult to guess, and LONG. My passwords are all over 12 characters long, using mixed case and special characters, and I never use a password twice. They are completely randomly generated. As such I don’t use the secret questions any longer. I just turn them off completely or put in garbage and forget it later. Next, never trust a message as safe. Question everything. Be very selective with your friends. Only put people you trust into your friends list and go through all of the permissions and tighten them down as much as possible. If there is no need to make something public, then don’t. If possible, don’t use add-ons. If you MUST use them, try to choose ones from reputable creators and not just add any random Facebook app you can to your profile. Last but certainly not least, ALWAYS remember what I call the social networking golden rule...
  • If you wouldn’t yell it from the rooftops, don’t post it on the Internet. The Internet, and especially social media, is permanent. Anything that hits the Internet can and will be there forever. If you wouldn’t broadcast your comment on the radio or put your photo on the television for the world to see, it has no place on social media and the Internet. If you live by this golden rule, you should be just fine.
  • My email address is and my twitter is @txs. Feel free to reach me at either of those places.  Any questions?!

    1. Social Media Security Basics: Security Loopholes with Twitter & Other Social Media Sites. Tyler Shields, Researcher. October 13, 2011
    2. What is the same with these twitter accounts?
    3. They have all been hacked!
    4. Social Media Security Basics Syllabus • Definition of Terms • What is the Risk? • Common Attacks • What Can Be Done
    5. Social Media Security Basics Syllabus • Definition of Terms • What is the Risk? • Common Attacks • What Can Be Done
    6. Social Networking
    7. Social Networking
    8. Social Networking
    9. The Perimeter is DEAD
    10. Viral Adoption: Refers to a system architecture that can be adopted incrementally, and gains momentum as it scales. - Viral Communications, Media Laboratory Research Draft, May 19th 2003
    11. Meme: Acts as a unit for carrying cultural ideas, symbols or practices, which can be transmitted from one mind to another through writing, speech, gestures, rituals or other imitable phenomena.
    12. Social Media Security Basics Syllabus • Definition of Terms • What is the Risk? • Common Attacks • What Can Be Done
    13. Malware • Malware distribution and propagation • Malware command and control • Direct compromise of sensitive data
    14. Social Networking vs Social Malware. Social Networking: • Decentralized • Interconnected • Mobile • Quick Content Publishing. Social Malware: • Decentralized • Interconnected • Mobile • Has Access to Data
    15. KoobFace • Social media worm • Propagation via Facebook messages • Propagation via Facebook wall posts • Spams your friend list to an “update for Adobe Flash” • Installs pay per install malware on target • Infected computers operate as a botnet
    16. Targeted Attack • Defamation of brand (What is your follower count?) • Further social engineering efforts (Leveraging power nodes) • Data disclosure (What types of data do you have online?) • As a primary point of entry into your organization
    17. Matt (Hacker) / Rakesh (Target)
        Matt: Hi, What’s up?!
        Rakesh: Hi Matt. Everything OK?
        Matt: Well, I’m really stuck here in london. I had to visit a resort here in London and I got robbed at the hotel I’m staying
        Rakesh: Ack that’s terrible! Sorry to hear that.
        Matt: We need some help flying back home. All our money is stuck in our checking account and we can’t get at it!
        Rakesh: Is this really you? It doesn’t sound legit…
        Matt: It sure is! Lauren is here with me and so are the kids. We’re really stuck will you help ?
    18. Social Media Security Basics Syllabus • Definition of Terms • What is the Risk? • Common Attacks • What Can Be Done
    19. History of Twitter Hacks
        • 4/2007: SMS updates vulnerable
        • 8/2008: Trojan download attacks begin
        • 2/2009: Clickjacking attacks begin
        • 4/2009: XSS worm released
        • 4/2009: Internal admin tool hack
        • 6/2009: Trending topic abuse begins
        • 7/2009: Koobface
        • 1/2010: Banned 370 passwords
        • 5/2010: Force follow bug
        • 9/2010: Mouseover exploits found
        • 3/2011: Added option to require SSL
        • 9/2011: Of top 10 most followed, only 2 have never been hacked
        • 9/2011: script_kiddiez rampage
    20. Abuse of Trending Topics: Observe Twitter’s trending topics → Create an account (or use hacked one) → Spam malicious links with trending topic content → Unsuspecting users click link… → They have been hacked! Variation: Use trending topics to register new malware hosting domains in real-time
    21. Passwords and Password Reuse. Passwords STINK! • Passwords < 6 characters long ~30% • Passwords from limited alpha-numeric key set ~60% • Used names, slang words, dictionary words, trivial passwords, consecutive digits, etc. ~50% • Not only a user problem • Secret questions – bad idea! • SQL Injection compromises up 43% year over year (HBGary, Xfactor, Fox.Com, PBS, FBI, … Sony, Sony, Sony… oh.. yeah.. SONY!) • Password reuse?
    22. Own The Borg, Own The WORLD! In 2009, Twitter gets COMPLETELY owned… TWICE! Brute force password attack of targeted user reveals a password of “Happiness” – User is a Twitter admin… OWNED! A French hacker owns the Yahoo email account of a user on twitter. He then resets that user’s twitter password and views the email in the Yahoo account. User is a twitter admin… OWNED!
    23. LikeJacking (Click Jacking with a twist): Your friend “likes” a video → This posts a link to it on his wall → You click the link… → You get redirected to the video → You watch the video → Associated with the video is a like button → You inadvertently post your “like” of this same video → You have been LikeJacked
    24. Top 5 categories for Facebook Spam: 1) Stalking (Who is looking at your profile?) – 34.7% 2) Free stuff social games (Free Farmville dollars!!) – 16.2% 3) Shocking curiosities (OMG free porn) – 14.1% 4) Features that Facebook doesn’t offer (“Who ‘poked’ me the most”) – 12.5% 5) Games not actually offered by Facebook (Super Mario Bros.) – 8.4%
    25. Social Media Security Basics Syllabus • Definition of Terms • What is the Risk? • Common Attacks • What Can Be Done
    26. The Vendor • Implement better heuristics and anomaly detection • Better warnings and alerts • Lock accounts when appropriate • Explode and analyze shortened links • Fix passwords and secret questions. Much more public research should be done in this area – Blog post from Facebook re: their SPAM prevention practices
    27. The Enterprise • Lock down the big players?? • Monitor and analyze outbound traffic • EDUCATION. Much more public research should be done in this area
    28. How To Protect Yourself • Don’t click random links • Passwords STINK! Use a safe. • Never trust a message as safe • Be selective about your “friends” • Keep to the basics (avoid add-ons). Don’t forget the social networking “Golden Rule”
    29. The Golden Rule
    30. Email: @txs
    31. LINKS
        – Major worm that used social networking for propagation
        – Using chat to scam funds
        – Uses twitter trending topics for malware domain name choices when creating new malware hosting URLs
        – Blog post from Facebook re: their SPAM prevention practices
        – wikipedia entry on Likejacking
        – Aug 18 Facebook Malware – Propagates via FB Chat
        – Facebook malware movie
        – news article app watch
        – deadly sins of Facebook malware
        – Uses twitter trending topics for malware domain name choices when creating new malware hosting URLs